Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between DivetIQ and the Customer for the provision of the DivetIQ platform and related Services. It sets out the parties' obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679) and equivalent laws, including the UK GDPR, CCPA/CPRA, LGPD, and Quebec Law 25.

Last updated: May 18, 2026

1. Parties and roles

This DPA is entered into between DivetIQ (the "Processor"), with registered address 2810 N Church St, STE 88941, Wilmington, DE 19802, United States, and the Customer entity that has signed an Order Form or otherwise contracted to use the DivetIQ Services (the "Controller").

The Controller determines the purposes and means of the processing of Personal Data; DivetIQ processes Personal Data only on the documented instructions of the Controller, as further described in this DPA.

2. Definitions

"Personal Data", "processing", "data subject", "controller", "processor", and "supervisory authority" have the meanings given to them under the GDPR. "Customer Data" means data, including Personal Data, submitted by or on behalf of the Controller to the DivetIQ Services. "Sub-processor" means any third party engaged by DivetIQ to process Personal Data on behalf of the Controller.

3. Scope and purpose

DivetIQ will process Personal Data on behalf of the Controller solely to provide the Services described in the Agreement, including support and security incident response. The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of data subjects are described in Annex I.

4. Controller instructions

DivetIQ will process Personal Data only on the documented instructions of the Controller, unless required to do otherwise by law applicable to DivetIQ. Where DivetIQ believes that an instruction infringes the GDPR or other data protection laws, it will inform the Controller without undue delay.

5. Confidentiality of personnel

DivetIQ ensures that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted on a need-to-know basis.

6. Security measures

DivetIQ implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data at rest using AES-256 and in transit using TLS 1.3.
  • Information security management aligned to ISO 27001 and SOC 2 Type II.
  • Role-based access control with attribute extensions for row, column, and field-level rules.
  • Immutable, append-only audit logs retained per legal requirement.
  • Penetration testing, vulnerability scanning, WAF, and DDoS protection.
  • Business continuity, disaster recovery, and regularly tested backups.
  • A documented incident response process with 24/7 on-call coverage.

A current copy of DivetIQ's technical and organisational measures is set out in Annex II and is also available from the Customer Trust Center.

7. Sub-processors

The Controller provides general authorisation for DivetIQ to engage Sub-processors. DivetIQ maintains an up-to-date list of Sub-processors in the Customer Trust Center and will notify the Controller of any intended changes at least thirty (30) days before they take effect, giving the Controller the opportunity to object on reasonable data protection grounds.

DivetIQ imposes data protection obligations on each Sub-processor that are no less protective than those set out in this DPA, and remains liable to the Controller for the performance of each Sub-processor's obligations.

8. Data subject rights

DivetIQ provides operational tooling that enables the Controller to respond to data subject requests for access, rectification, erasure, restriction, portability, and objection, including support for DSARs, right to be forgotten, and consent management. Where DivetIQ receives a request directly from a data subject, it will forward the request to the Controller without undue delay and will not respond except on the Controller's instructions.

9. Personal data breaches

DivetIQ will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Data. The notification will include the information reasonably required to allow the Controller to meet its own notification obligations under applicable law.

10. DPIAs and consultation

Taking into account the nature of processing and the information available to DivetIQ, DivetIQ will provide reasonable assistance to the Controller in carrying out data protection impact assessments and consulting with supervisory authorities where required by Articles 35 and 36 GDPR.

11. International transfers

Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country that has not been the subject of an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor), the UK International Data Transfer Addendum, and equivalent mechanisms, together with supplementary technical and organisational measures.

The Customer may select EU-only data residency for the platform on request.

12. Audits and certifications

DivetIQ makes available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. DivetIQ provides annual third-party audit reports (including SOC 2 Type II and ISO 27001 certificates) on request, subject to confidentiality. Where required by mandatory law, the Controller may carry out an audit no more than once per year, on reasonable prior notice and during business hours, in a manner that does not unreasonably interfere with DivetIQ's operations.

13. Deletion and return

On termination or expiry of the Agreement, DivetIQ will, at the choice of the Controller, return or delete all Personal Data within thirty (30) days, except where retention is required by applicable law. The Controller acknowledges that backup copies may be retained for a limited period in accordance with DivetIQ's documented retention schedule and are subject to the same protections set out in this DPA.

14. AI processing and model training

Customer Data is never used to train shared or third-party AI models. AI features that operate on Customer Data are either deployed within the Controller's tenant or run as stateless inference against per-tenant context that is not retained for training purposes. Where automated decision-making is used in a way that produces legal or similarly significant effects, the Controller is responsible for implementing the safeguards required by Article 22 GDPR and other applicable laws (including the EU AI Act).

Annex I — Description of processing

Subject matter: provision of the DivetIQ headless platform and related Services.

Duration: for the term of the Agreement and any post-termination period required to return or delete Personal Data.

Nature and purpose: hosting, storage, transmission, analytics, and AI-assisted operations on Customer Data, as instructed by the Controller through configuration of the Services.

Categories of data subjects: the Controller's employees, contractors, customers, suppliers, applicants, and other individuals whose data is uploaded to or processed by the Services.

Categories of Personal Data: identifiers, contact data, employment data, financial and procurement data, customer relationship data, and other categories the Controller chooses to process via the Services.

Annex II — Technical and organisational measures

DivetIQ implements the security measures described in Section 6 (Security measures) of this DPA. A detailed, current description is maintained in the Customer Trust Center and updated as our security posture evolves. Material reductions to these measures will be notified in advance.

Contact

Questions about this DPA can be sent to dpo@divetiq.com or by post to 2810 N Church St, STE 88941, Wilmington, DE 19802, United States.