DeploySentinel Customer Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of and is subject to the agreement, whether written or electronic, between Customer (as defined below) and DeploySentinel (as defined below) for the Services (as defined in Section 1 below) (collectively, the “Agreement”). For the purposes of this DPA, “DeploySentinel” means the entity identified as “DeploySentinel” on an Order Form or in the Agreement and “Customer” means the entity or individual identified as “Customer” on an Order Form or the entity or individual identified in the Agreement as registering to use Services.

This DPA describes the commitments of DeploySentinel and the Customer (each a “party” and together, the “parties”) concerning the processing of Personal Data in connection with the provision of one or more DeploySentinel Cloud offerings contemplated by the applicable Agreement. Capitalized terms not defined in this DPA have the meaning set forth in the Services Agreement.

1. Definitions.

   1. “Applicable Data Protection Laws” means European Data Protection Laws and the California Privacy Act of 2018, as amended by the California Privacy Rights Act (California Civil Code §§ 1798.100 et seq (“CCPA”) as the same may be amended, superseded or replaced.

   2. “Authorized Affiliate” means an Affiliate (as defined in the Agreement) of Customer who has not signed an Order Form but acts as a controller or processor for the Customer Personal Data processed by DeploySentinel pursuant to the Agreement, for so long as such entity remains a Customer Affiliate.

   3. “Customer Personal Data" means any Personal Data processed by DeploySentinel on behalf of Customer as a service provider or processor (as applicable) in connection with any DeploySentinel software-as-a-service offering, as more particularly described in Section 3.6 of this DPA.

   4. Reserved.

   5. “EEA” means any countries that are parties to the European Economic Area and Switzerland.

   6. “European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; and (v) in respect of the United Kingdom (“UK”), the UK GDPR, and (vi) any applicable national legislation that replaces or converts in domestic law the GDPR, e-Privacy Directive or any other law relating to data and privacy, in each case as the same may be amended, superseded or replaced.

   7. "Standard Contractual Clauses" or “SCCs” means the standard contractual clauses as adopted by the EU Commission by means of the Implementing Decision EU 2021/914 of June 4, 2021 found at https:// (opens in a new tab)commission.europa.eu/publications/standard-contractual-clauses-international- (opens in a new tab) transfers_en (opens in a new tab)

   8. Personal Data” means any information that relates to an identified or identifiable natural person and which is protected as "personal data", "personal information" or "personally identifiable information" under Applicable Data Protection Laws.

   9. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.

   10. “Services” means any DeploySentinel software-as-a-service offering made available by DeploySentinel to Customer under an Agreement, and any other services provided by DeploySentinel to Customer under such Agreement, including but not limited to support and technical service.

   11. “Sub-Processor” means any processor engaged by DeploySentinel or its Affiliates to process Customer Data. Sub-processors may include third parties or DeploySentinel Affiliates.

   12. “UK Addendum” means the international data transfer addendum to the SCCs issued by the Information Commissioner for Parties making a transfer of personal data from the United Kingdom to any other country which is not deemed adequate under Article 46 of the UK GDPR.

   13. “UK GDPR” means the GDPR, as implemented by Section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018 and supplemented by the Data Protection Act of 2018.

   14. The terms “controller”, “processor” and “processing” shall have the meanings given to them in the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly; and the terms “business”, “service provider”, “sell” and “share” shall have the meanings given to them in the CCPA.

2. Scope and Applicability of this DPA.

This DPA applies where and only to the extent that DeploySentinel processes Customer Personal Data on behalf of Customer as a processor (or, with respect to the CCPA, as a service provider) in the course of providing the Services.

3. Roles and Scope of Processing

   1. Role of the Parties. As between DeploySentinel and Customer, DeploySentinel shall process Customer Personal Data only as a processor (or sub-processor) acting on behalf Customer and, with respect to CCPA, as a service provider, in each case, regardless of whether Customer acts as a controller or as a data processor on behalf of a third-party controller with respect to Customer Personal Data.

   2. Scope of Processing. DeploySentinel certifies that it will not (i) "sell" or “share” Customer Personal Data; (ii) retain, use or disclose Customer Personal Data outside of the direct business relationship between Customer and DeploySentinel or for any purpose other than as permitted under the Agreement (including this DPA) or for purposes otherwise agreed in writing or permitted by the CCPA; or (iii) combine Customer Personal Data with Personal Data that DeploySentinel collects or receives from another person. DeploySentinel and Customer acknowledge and agree that the disclosure of Customer Personal Data by Customer to DeploySentinel does not constitute a “sale.” Customer agrees that DeploySentinel may de-identify or aggregate Customer Personal Data in the course of providing the Service to Customer.

   3. Customer Instructions. DeploySentinel shall process Customer Personal Data only for the purposes described in the Agreement and in accordance with Customer's documented lawful instructions and Applicable Data Protection Laws. The parties agree that the Agreement and applicable Order Form (including this DPA) sets out the Customer's complete and final instructions to DeploySentinel in relation to the processing of Customer Personal Data. Without prejudice to Section 3.4 (Customer Responsibilities), DeploySentinel shall notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Laws, if it becomes aware or believes that any data processing instructions from Customer violates Applicable Data Protection Laws or if DeploySentinel determines that it can no longer meet its obligations under Applicable Data Protection Laws. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate DeploySentinel’s unauthorized use of Customer Personal Data.

   4. Customer Responsibilities. Customer is responsible for the lawfulness of Customer Personal Data processing under or in connection with the Services. Customer shall (i) have provided, and will continue to provide all notices and have obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws for DeploySentinel to lawfully process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA); (ii) make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data; (iii) have complied with all Applicable Data Protection Laws applicable to the collection of Customer Personal Data and the transfer of such Customer Personal Data to DeploySentinel and its Sub-processors; and (iv) ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with any third-party controllers for whom Customer acts as a processor (and DeploySentinel a sub-processor).

   5. Customer Affiliates. DeploySentinel’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions:

      1. Customer shall be responsible for Authorized Affiliates’ compliance with this DPA. Any and all acts and/or omissions by an Authorized Affiliate with respect to this DPA shall be deemed the acts and/or omissions of Customer; and

      2. Authorized Affiliates shall not bring a claim directly against DeploySentinel. If an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or otherwise against DeploySentinel (an “Authorized Affiliate Claim”): (i) Customer must bring such Authorized Affiliate Claim directly against DeploySentinel on behalf of such Authorized Affiliate, unless Applicable Data Protection Laws require the Authorized Affiliate be a party to such claim; and (ii) all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including damages disclaimer and any aggregate limitation of liability.

   6. Details of Processing. Details of processing by DeploySentinel are set forth below:

      1. Subject Matter of Processing. Customer Personal Data that Customer elects to transfer to DeploySentinel to be processed for the provision, receipt and/or use of the applicable Services as set forth in the Agreement.

      2. Frequency and Duration of Processing. For duration of the Services or for so long as Customer grants DeploySentinel access to process the Customer Personal Data, as applicable. Notwithstanding expiration or termination of the applicable Order Form or the Agreement, DeploySentinel shall continue to process Customer Personal Data until such Customer Personal Data is deleted or Customer removes DeploySentinel’s access to process such Customer Personal Data. The period for which Customer Personal Data will be retained and the criteria used to determine that period shall be determined by Customer during the term of the Agreement. Upon termination or expiration of the Agreement, Customer may retrieve or delete all Customer Personal Data as set forth in the Agreement. Any Customer Personal Data not deleted by Customer shall be deleted by DeploySentinel promptly upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement.

      3. Nature of Processing. Customer Personal Data that Customer elects to transfer to DeploySentinel to be processed for the provision, receipt and/or use of the applicable Services as set forth in the Agreement.

      4. Purpose of Processing. The operation, support, use or provisioning of the Services as set out in the Agreement and compliance with applicable laws.

      5. Categories of Data Subjects. Categories of data subjects is as determined by Customer. Includes natural persons whose Personal Data Customer elects to transfer to DeploySentinel for processing for the provision, receipt and/or use of the applicable Services as set forth in the Agreement. These may include but are not limited to: (i) prospects, customers, business partners and vendors of Customer (who are natural persons); (ii) employees or contact persons of Customer’s prospects, customers, business partners and vendors; and/or (iii) employees, agents, advisors, freelancers of Customer (who are natural persons).

      6. Type of Personal Data: Type of Personal Data is as determined by Customer subject to such restrictions as may be set forth in the Agreement. Includes Personal Data types that are included in data that Customer transfers to DeploySentinel for processing for the provision, receipt and/or use of the applicable Services as set forth in the Agreement. These may include but are not limited to: (i) name, address, title, contact details; (ii) credit card details, account details, payment information, (iii) employer, job title, geographic location, area of responsibility; and/or (iv) IP addresses, usage data, cookie data, location data.

4. Sub-Processing.

   1. Authorized Sub-Processors. Customer provides DeploySentinel with a general authorization to engage Sub-Processors. The Sub-Processors currently engaged by DeploySentinel and authorized by Customer are available for external Sub-Processors as set forth at https://www.hyperdx.io/terms/subprocessors (opens in a new tab).

   2. Sub-Processor Obligations. DeploySentinel shall: (i) enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective of Personal Data than that those required by this DPA, to the extent applicable to the nature of the service provided by the Sub-Processor; and (ii) remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause DeploySentinel to breach any of its obligations under this DPA. Upon written request, and subject to any confidentiality restrictions, DeploySentinel shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-Processor agreements where required to satisfy Customer’s obligations under Data Protection Laws.

   3. Changes to Sub-Processors. DeploySentinel shall notify Customer if it changes its Sub-Processors in advance to any such changes for the applicable Services. DeploySentinel’s notification shall be via updates to the webpage set forth in Section 4.1. Customer may object in writing to DeploySentinel’s appointment of a new Sub-Processor by notifying DeploySentinel promptly in writing within ten (10) calendar days of notice of the change. Customer’s notification shall explain the reasonable grounds relating to data protection for the objection. The parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties are not able to reach resolution, DeploySentinel will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer (as Customer’s sole and exclusive remedy) to suspend or terminate the affected Services in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

5. Security and Audits.

   1. DeploySentinel Security Standards. DeploySentinel shall implement and maintain reasonable and appropriate technical and organizational security measures designed to protect Customer Personal Data from Personal Data Breach and to preserve the security and confidentiality of the Customer Personal Data, in each case in accordance with the DeploySentinel’s then-current security standards as set forth at https://www.hyperdx.io/terms/security (opens in a new tab) (the “DeploySentinel Security Addendum”). DeploySentinel shall ensure that any person who is authorized by DeploySentinel to process Customer Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

   2. Customer Security Responsibilities. Customer shall implement and maintain reasonable and appropriate technical and organizational security measures designed to protect Personal Data from a Personal Data Breach and to preserve the security and confidentiality of Customer Personal Data while in its dominion and control including, without limitation, those measures of the Service that can be selected or configured by Customer. DeploySentinel shall have no obligation to assess the contents or accuracy of Customer Personal Data, including to identify whether any data transferred to DeploySentinel for processing is subject to any specific legal, regulatory, or other requirement. Customer is responsible for reviewing the information made available by DeploySentinel relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws.

   3. Audit. DeploySentinel shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with the obligations set out in this DPA as set forth in this Section 5.3. The exercise of any audit rights under the SCCs shall be as described in this Section 5 and Customer agrees that these rights are carried out on behalf of Customer and any third-party controller for whom Customer is acting as a processor, in each case, subject to the confidentiality restrictions in the Agreement.

      1. Third-Party Certifications and Audits. Upon Customer’s written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, DeploySentinel shall make available to Customer or Customer’s Third-Party Auditor (as defined in Section 5.3.4) information regarding DeploySentinel’s compliance with the obligations set forth in this DPA in the form of a copy of DeploySentinel’s then most recent third-party audits or certifications, if any, (“DeploySentinel Audit Reports”) set forth in the DeploySentinel Security Addendum. Such third-party audits or certifications may also be disclosed to Customer’s competent supervisory authority on its request. Upon request, DeploySentinel shall also provide Customer with a report and/or confirmation of a report of any third-party auditors’ audits of external Sub-Processors that have been made available by those external Sub-Processors to DeploySentinel, but solely to the extent that the external Sub-processor allows DeploySentinel to disclose such reports or evidence to Customer (“External Sub-processor Audit Reports”). Customer acknowledges that (i) DeploySentinel Audit Reports shall be the Confidential Information of DeploySentinel; (ii) External Sub-processor Audit Reports shall be the Confidential Information of DeploySentinel as well as the confidential information of the external Sub-processor and (iii) certain external Sub-processors may require Customer to execute a non-disclosure agreement with them in order to view an external Sub- processor Audit Report.

      2. On-Site Audit. Customer may request an on-site audit of DeploySentinel’s applicable controls related to the processing activities under this DPA when: (i) the information provided under the Third-Party Certification and Audits section of this DPA is not sufficient to demonstrate DeploySentinel’s compliance with the obligations set out in this DPA or (ii) required by Applicable Data Protection Laws or Customer’s competent supervisory authority.

      3. Conduct of On-Site Audit. Any on-site audit described in Section 5.3.2 above will (i) be limited to processing facilities operated by DeploySentinel and its Affiliates; (ii) be conducted reasonably, in good faith and in a proportional manner, taking into account the nature and complexity of the Services; (iii) conducted no more than one time per year with at least three weeks’ notice unless an emergency justifies less notice, in which case, the parties will use good faith efforts to accommodate the shorter notice period; and (iv) conducted during DeploySentinel’s normal business hours and shall not unreasonably interfere with DeploySentinel’s day-to-day operations. Before any on-site audit, Customer and DeploySentinel shall agree upon the scope, timing and duration of the audit and the reimbursement rate to DeploySentinel for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by or on behalf of DeploySentinel. Customer acknowledges that DeploySentinel operates a multi-tenant cloud environment and, accordingly, DeploySentinel shall have the right to reasonably adapt the scope of any on-site audit to avoid or mitigate risks to DeploySentinel service availability and the confidentiality of other DeploySentinel customer information. Customer must promptly provide DeploySentinel with information regarding any non-compliance discovered during the course of an On-Site Audit. The results of any On-Site Audit shall be considered DeploySentinel’s Confidential Information and may be disclosed to a third party (other than a Third-Party Auditor, where applicable) only with DeploySentinel’s prior written consent.

      4. Third-Party Auditor. A Third-Party Auditor means a third-party independent contractor that is not a competitor of DeploySentinel. An On-Site Audit can be conducted through a Third-Party Auditor if: (i) prior to the On-Site Audit, the Third-Party Auditor enters into a non-disclosure agreement containing confidentiality provisions no less protective than those set forth in the Agreement to protect DeploySentinel’s and its customers’ proprietary and confidential information; and (ii) Customer bears the costs and expenses of the Third-Party Auditor.

   4. Data Protection Impact Assessment. Upon Customer’s request, DeploySentinel shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available.

6. International Transfers.

   1. Hosting and Processing Location. DeploySentinel will host and process Customer Personal Data in the United States.

   2. Personal Data Transfers Outside of the EEA. Any transfer by Customer from the EEA and/or Switzerland to DeploySentinel in a country outside of the EEA and/or Switzerland, where such transfer is not governed by an adequacy decision made by the European Commission or the Swiss Federal Data Protection and Information Commission, as applicable, that does not ensure an adequate level of protection under the applicable European Data Protection Law (a “Restricted EEA and/or Switzerland Transfer”) shall be governed by and performed in accordance with the SCCs, which are incorporated by reference into this DPA and deemed executed concurrent with the execution of this DPA. Schedule I to this DPA sets forth the specific, additional and/or optional clauses for the SCCs.

   3. Personal Data Transfers Outside of the UK. Any transfer by Customer from the UK to DeploySentinel outside of the UK, where such transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State (a “Restricted UK Transfer” and, together with a Restricted Transfer EEA and/or Switzerland Transfer, a “Restricted Transfer”), shall be governed by and performed in accordance with the SCCs as modified to include the UK Addendum and their Annexes, which are (collectively) incorporated by reference into this DPA and deemed executed concurrent with the execution of this DPA. Schedule II to this DPA sets forth the specific, additional and/or optional information and clauses for the SCCs as modified to include the UK Addendum and their Annexes.

   4. Reserved.

   5. Alternate Transfer Mechanism. If DeploySentinel adopts an alternative transfer mechanism for Restricted Transfers (including, without limitation, any new version or successor to the SCCs) pursuant to the applicable European Data Protection Law, such alternate transfer mechanism shall automatically apply in lieu of the SCCs to the extent that such alternative transfer mechanism complies with the applicable European Data Protection Law and applies in the territories into which the Personal Data is transferred.

7. Personal Data Breach Management and Notification.

If DeploySentinel becomes aware of a Personal Data Breach, DeploySentinel shall: (i) promptly notify Customer of the discovery of the Personal Data Breach, which shall include a summary of the known circumstances of the Personal Data Breach and the corrective action taken or to be taken by DeploySentinel; (ii) conduct an investigation of the circumstances of the Personal Data Breach; (iii) use commercially reasonable efforts to mitigate the effects of the Personal Data Breach; and (iv) use commercially reasonable efforts to communicate and cooperate with Customer concerning its responses to the Personal Data Breach. Customer acknowledges that DeploySentinel personnel do not have visibility into data ingested by Customer into the Service. Accordingly, it would be unlikely that the notice provided by DeploySentinel would include information concerning the categories and approximate number of data subjects concerned and/or the categories and approximate number of personal data records concerned. DeploySentinel’s notification of a Personal Data Breach and its communication and cooperation with Customer concerning a Personal Data Breach shall not be construed as an acknowledgment of fault or liability by DeploySentinel.

8. Rights of Individuals and Cooperation.

   1. Data Subject Requests. To the extent that Customer is unable to independently access the relevant Customer Personal Data within the Service, DeploySentinel shall, taking into account the nature of the processing, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Agreement. If any such request is made to DeploySentinel directly, DeploySentinel shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If DeploySentinel is required to respond to such a request, DeploySentinel shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

   2. Data Impact Assessments. To the extent DeploySentinel is required under applicable European Data Protection Law, DeploySentinel shall provide reasonably requested information regarding DeploySentinel’s processing of Customer Personal Data under the Agreement to assist the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by law.

   3. Third Party Demands. If DeploySentinel receives a demand from a third party (including, without limitation, any governmental, regulatory or supervisory authority) to retain, disclose or transfer Customer Personal Data, DeploySentinel shall use commercially reasonable efforts to direct the demanding party to Customer and Customer authorizes DeploySentinel to disclose such information to such third party as may be reasonably necessary to direct the third party to Customer. Where DeploySentinel is unable to direct the demanding party to Customer, DeploySentinel shall, to the extent legally permitted, provide Customer notice of the demand and cooperate with Customer, at the Customer’s cost and expense, in seeking a protective order, or confidential treatment, or taking other measures to oppose or limit such demand.

9. Relationship to the Agreement; Limitation of Liability

   1. Relationship to the Agreement. Except for the changes made by this DPA as applicable to the Service, the Agreement remains unchanged and in full force and effect. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by European Data Protection Laws.

   2. Limitation of Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA and the SCCs (including any SCCs between Authorized Affiliates and DeploySentinel), whether in contract, tort or under any other theory of liability is subject to the liability restrictions set forth in the Agreement, including the damages disclaimer and any aggregate limitation of liability.

Schedule I – Transfer Mechanisms for European Data Transfers

Pursuant to Section 6.2 of this Data Processing Addendum between DeploySentinel and Customer, the SCCs are deemed incorporated into and form part of this DPA. The following specific and/or optional clauses shall apply to the SCCs as described in more detail below; any optional clauses in the SCCs not expressly selected are not included.

1. Module Two terms apply where Customer is the controller of Customer Personal Data and Module Three terms apply where Customer is the processor of Customer Personal Data.

2. The optional docking clause in Clause 7 is incorporated with respect to Authorized Affiliates only; Authorized Affiliates may accede to the DPA and SCCs under the same terms and conditions, subject to Section 3.3 of this DPA with the agreement of parties.

3. For Clause 9, Option 2 (“General Authorization) is selected and the process and time period for additional or replacement Sub-Processors shall be as set out in Section 4.3 of this DPA.

4. For Clause 9(c), where confidentiality restrictions prohibit DeploySentinel from providing a copy of a Sub-Processor agreement to Customer, DeploySentinel shall (on a confidential basis) provide all information that it reasonably can in connection with such Sub-Processor Agreement to Customer.

5. For Clause 13 and Annex I.C of the SCCs, Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to DeploySentinel on request.

6. For Clause 17, Option 1 shall apply and the Member State for purposes of governing law shall be the Netherlands.

7. For Clause 18(b), any dispute shall be resolved by the courts of the Netherlands.

8. For Annex I.A., the “data importer” shall be DeploySentinel and the “data exporter” shall be Customer and any Authorized Affiliates that have acceded to the SCCs pursuant to the DPA.

9. For Annex I.B., the description of the transfer is as described in Section 3.6 (“EEA Customers - Details of Processing”) of this DPA.

10. For Annex II, the technical and organizational measures are: (i) with respect to DeploySentinel, those measures described in Section 5.1 (“DeploySentinel Security Standards”) and (ii) with respect to Customer, those measures described in Section 5.2 (“Customer Security Standards”).

11. For Annex III, the Sub-Processors shall be as described in Section 4.1 (“Authorized Sub-Processors”).

Schedule II – Transfer Mechanisms for UK Data Transfers

Pursuant to Section 6.3 of this Data Processing Addendum between DeploySentinel and Customer, the SCCs, as supplemented by the specific and optional clauses set forth in Schedule I to this DPA (the “EEA SCCs”) and as modified to include the UK Addendum (the “UK SCCs”) are deemed incorporated into and form part of this DPA. For the avoidance of doubt, in the event of any conflict between (i) the EEA SCCs and (ii) UK SCCs, the UK SCCs shall prevail. The following information completes the UK Addendum and Annexes:

1. For Table 1 of the UK Addendum: (a) the Start Date, Parties’ Details and Key Contact are as set forth in the Order Form and Agreement and (b) the Exporter is Customer and the Importer is DeploySentinel.

2. For Table 2, the Selected SCCs, Modules and Selected Clauses are as set forth Section 6.2 of this DPA and Schedule I to this DPA.

3. Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent ICO issues a revised Approved Addendum under Section ‎18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly

4. For Annex 1A, DeploySentinel and Customer and its Authorized Affiliates are the Parties.

5. For Annex 1B, the Description of the Transfer is as set forth under Section 3.6 (“EEA and UK Customers - Details of Processing”) of this DPA.

6. For Annex II, the technical and organizational measures are: (i) with respect to DeploySentinel, those measures described in Section 5.1 (“DeploySentinel Security Standards”) and (ii) with respect to Customer, those measures described in Section 5.2 (“Customer Security Standards”).

7. For Annex III, the Sub-Processors shall be as described in Section 4.1 (“Authorized Sub-Processors”).