Data Processing Agreement
Effective Date: April 3, 2026
Version: 2026.04.03
1. Definitions
For the purposes of this Data Processing Agreement ("DPA"), the following terms shall have the meanings set forth below:
- Controller: The Customer, as the entity that determines the purposes and means of the processing of Personal Data.
- Processor: Pactwise LLC ("Pactwise"), as the entity that processes Personal Data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
- Processing: Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- Data Subject: An identified or identifiable natural person whose Personal Data is processed.
- Subprocessor: A third party engaged by Pactwise to process Personal Data on behalf of the Controller.
- Security Incident: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
2. Scope and Purpose
This DPA applies to all processing of Personal Data by Pactwise on behalf of the Customer in connection with the Pactwise contract and vendor management platform ("the Service"). Pactwise processes Personal Data only as necessary to provide the Service as described in the Terms of Service. The categories of Personal Data processed, the types of Data Subjects, and the nature and purpose of processing are determined by the Customer's use of the Service.
3. Customer Responsibilities
The Customer, as Controller, shall:
- Ensure there is a lawful basis for the processing of Personal Data under applicable data protection laws (e.g., consent, legitimate interest, contractual necessity).
- Provide appropriate notices to Data Subjects regarding the processing of their Personal Data through the Service.
- Comply with all applicable data protection laws, including but not limited to the GDPR, CCPA, and any other relevant jurisdiction-specific legislation.
- Ensure that Personal Data provided to Pactwise is accurate, relevant, and limited to what is necessary for the purposes of processing.
- Promptly inform Pactwise of any changes to applicable data protection requirements that may affect Pactwise's processing obligations.
4. Pactwise Obligations
Pactwise, as Processor, shall:
- Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. In such a case, Pactwise shall inform the Customer of that legal requirement before processing, unless prohibited by law.
- Ensure that all personnel authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational security measures as described in Section 6 of this DPA.
- Assist the Customer, by appropriate technical and organizational measures, in fulfilling the Customer's obligation to respond to Data Subject requests for exercising their rights under applicable data protection laws.
- Notify the Customer without undue delay after becoming aware of a Security Incident involving Personal Data, as further described in Section 7.
- Upon termination of the Service, delete or return all Personal Data to the Customer as described in Section 11, unless retention is required by applicable law.
- Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 10.
5. Subprocessors
The Customer provides general authorization for Pactwise to engage Subprocessors. The current list of Subprocessors is as follows:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Infrastructure and authentication | United States |
| Stripe | Payment processing | United States |
| OpenAI | AI processing | United States |
| Sentry | Error monitoring | United States |
| Resend | Email delivery | United States |
Pactwise shall notify the Customer of any intended changes to Subprocessors at least 30 days in advance. The Customer may object to the appointment of a new Subprocessor within 14 days of receiving notice. If the Customer reasonably objects and Pactwise cannot accommodate the objection, either party may terminate the affected portion of the Service.
6. Data Security Measures
Pactwise implements the following technical and organizational measures to protect Personal Data:
- Encryption: All data is encrypted at rest, and encrypted in transit using TLS 1.2 or higher.
- Row-Level Security: Database-enforced tenant isolation ensuring strict data separation between Customer accounts.
- Role-Based Access Control: A 5-level permission hierarchy (viewer, user, manager, admin, owner) applied according to the principle of least privilege.
- Audit Logging: Comprehensive logging of all data access, modifications, and administrative actions.
- Rate Limiting: Protection against brute-force attacks and abuse on all API endpoints.
- Security Scanning: Regular automated vulnerability, dependency, and container scanning of the Service infrastructure.
- Encrypted Backups: Automated encrypted backups with tested restoration procedures.
- Network Isolation: Network segmentation and firewall rules restricting access to production systems.
7. Data Breach Notification
In the event of a Security Incident involving Personal Data, Pactwise shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of the incident. The notification shall include:
- A description of the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects concerned.
- The name and contact details of the point of contact where further information can be obtained.
- A description of the likely consequences of the Security Incident.
- A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects.
Pactwise shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of any Security Incident.
8. Data Subject Requests
Pactwise shall assist the Customer in fulfilling its obligations to respond to Data Subject requests for exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, data portability, and restriction of processing.
Pactwise shall promptly notify the Customer if it receives a request from a Data Subject directly and shall not respond to such a request without the Customer's prior written authorization, unless required by applicable law.
The Customer is responsible for the process of handling Data Subject requests. Pactwise shall provide reasonable cooperation and technical assistance to enable the Customer to fulfill such requests within the timeframes required by applicable law, including CCPA and GDPR.
9. Data Transfers
Personal Data is processed in the United States. Where the Customer is located outside the United States, Pactwise shall ensure that appropriate safeguards are in place for the transfer of Personal Data in accordance with applicable data protection laws.
Standard Contractual Clauses (SCCs) as adopted by the European Commission are available upon request for international transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland.
10. Audit Rights
The Customer may audit Pactwise's compliance with this DPA once per calendar year, subject to at least 30 days' prior written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Pactwise's operations.
Pactwise shall provide security documentation—such as a security overview or a completed security questionnaire—upon the Customer's reasonable request. Pactwise is not currently SOC 2 Type II certified and does not undergo independent third-party security audits at this time. If Pactwise obtains such a report in the future, it may be provided to satisfy the Customer's audit rights under this section.
Pactwise shall bear the costs of any audit that reveals material non-compliance with this DPA. In all other cases, the Customer shall bear the costs of the audit.
11. Data Return and Deletion
Upon termination or expiration of the Service agreement, the Customer shall have a 30-day window to export all Personal Data via the Service dashboard or API. Pactwise shall provide reasonable assistance with data export upon request.
After the 30-day export window, Pactwise shall delete all Personal Data in its possession and in the possession of its Subprocessors, unless retention is required by applicable law. Pactwise shall provide certification of deletion upon the Customer's written request.
Anonymized and aggregated data that cannot be used to identify any individual may be retained in accordance with the Privacy Policy.
12. Limitation of Liability
The total aggregate liability of each party arising out of or related to this DPA shall be subject to the same limitations and exclusions of liability as set forth in the Terms of Service, including the cap equal to the fees paid by the Customer in the twelve (12) months preceding the claim.
Neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or related to this DPA, regardless of the theory of liability.
13. Term and Termination
This DPA shall remain in effect for the duration of the Customer's subscription to the Service and shall be co-terminous with the main subscription agreement.
The provisions of this DPA relating to data security, confidentiality, data return and deletion, and limitation of liability shall survive the termination or expiration of this DPA for as long as Pactwise retains any Personal Data on behalf of the Customer.
This DPA supplements the Pactwise Terms of Service and Privacy Policy. In case of conflict between this DPA and those documents, this DPA shall govern with respect to the processing of Personal Data.
This Data Processing Agreement is provided for informational purposes and should be reviewed by qualified legal counsel before relying on it. [ATTORNEY REVIEW]