Data Processing Agreement · Last updated: March 2025
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the agreement between Orbitshift, Inc. ("Orbitshift", "Processor") and the customer identified in that agreement ("Customer", "Controller"). Capitalised terms not defined herein have the meanings given in the main agreement.
1. Definitions
In this DPA:
- "Personal Data", "Controller", "Processor", "Sub-Processor", "Data Subject", "Processing", "Supervisory Authority" have the meanings given in applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the EU GDPR, UK GDPR, and any implementing or supplementary legislation.
- "EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Services" means the software-as-a-service products and professional services provided by Orbitshift under the agreement.
2. Scope and Roles
The parties acknowledge that, in connection with the provision of the Services, Customer acts as Controller and Orbitshift acts as Processor in respect of the Personal Data described in Schedule 1 (Annex IA). Where Orbitshift processes Personal Data for its own purposes (e.g., billing, account management), it acts as an independent Controller.
3. Orbitshift's Obligations
Orbitshift shall:
- Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law;
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement the technical and organisational security measures described in Schedule 1 (Annex II);
- Respect the conditions referred to in Clauses 9 and 10 of this DPA for engaging Sub-Processors;
- Taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling Customer's obligations to respond to Data Subject requests;
- Assist Customer in ensuring compliance with Data Protection Laws regarding security, breach notification, impact assessments, and prior consultation;
- At Customer's choice, delete or return all Personal Data to Customer after the end of the provision of Services, and delete existing copies unless EU law requires storage of the Personal Data;
- Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.
4. Customer's Obligations
Customer shall:
- Ensure it has a valid legal basis for instructing Orbitshift to process Personal Data;
- Comply with its obligations as Controller under applicable Data Protection Laws;
- Provide Orbitshift with complete and accurate instructions regarding the processing of Personal Data;
- Ensure that any Personal Data provided to Orbitshift has been collected lawfully and that Data Subjects have been informed of the processing as required by applicable law.
5. Sub-Processing
Customer grants Orbitshift a general written authorisation to engage the Sub-Processors listed in Schedule 1 (Annex III). Orbitshift will:
- Inform Customer of any intended changes concerning the addition or replacement of Sub-Processors, giving Customer the opportunity to object to such changes;
- Impose data protection obligations on Sub-Processors equivalent to those set out in this DPA;
- Remain fully liable to Customer for the performance of Sub-Processors' obligations.
6. Data Subject Rights
Orbitshift shall promptly notify Customer if it receives a request from a Data Subject exercising any right afforded by applicable Data Protection Laws. Orbitshift shall not respond to such a request except on Customer's documented instructions, unless required by applicable law. Orbitshift shall provide Customer with reasonable assistance to fulfil Customer's obligations in relation to such requests within the timeframes set out in applicable Data Protection Laws.
7. Security
Orbitshift shall implement and maintain the technical and organisational security measures set out in Schedule 1 (Annex II) to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Such measures shall take into account the state of the art, costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of Data Subjects.
8. Personal Data Breaches
Orbitshift shall notify Customer without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting Personal Data processed on Customer's behalf. Such notification shall at a minimum:
- Describe the nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned;
- Provide the name and contact details of the data protection officer or other contact point;
- Describe the likely consequences of the breach;
- Describe the measures taken or proposed to address the breach, including mitigation measures.
9. Data Protection Impact Assessments
Orbitshift shall provide reasonable assistance to Customer in conducting data protection impact assessments and, where required, prior consultations with Supervisory Authorities, taking into account the nature of the processing and the information available to Orbitshift.
10. International Transfers
Orbitshift shall not transfer Personal Data to a country outside the European Economic Area ("EEA") or UK unless:
- The European Commission or UK Secretary of State has issued an adequacy decision in respect of that country;
- Appropriate safeguards have been put in place in accordance with applicable Data Protection Laws (e.g., Standard Contractual Clauses); or
- One of the derogations set out in Article 49 of the EU GDPR applies.
Where Standard Contractual Clauses ("SCCs") are required, the parties agree to execute and be bound by the applicable SCCs, which are incorporated by reference into this DPA.
11. Audit Rights
Orbitshift shall make available to Customer all information necessary to demonstrate compliance with this DPA. Upon Customer's written request (no more than once per calendar year unless a breach has occurred), Orbitshift shall allow for and contribute to audits and inspections conducted by Customer or an auditor mandated by Customer, provided that:
- Customer gives at least 30 days' prior written notice;
- Any auditor is bound by confidentiality obligations acceptable to Orbitshift;
- Customer bears all costs associated with the audit unless the audit reveals a material non-compliance by Orbitshift.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the main agreement. Nothing in this DPA shall limit either party's liability to Data Subjects or Supervisory Authorities as required by applicable Data Protection Laws.
13. Term and Termination
This DPA commences on the effective date of the main agreement and continues until termination of the main agreement. Upon termination, Orbitshift shall, at Customer's election, securely delete or return all Personal Data within 90 days, unless applicable law requires retention of the Personal Data. Orbitshift shall certify in writing that it has complied with this obligation upon Customer's request.
14. General
This DPA, together with the main agreement and all schedules and annexes, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements and understandings. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. This DPA shall be governed by and construed in accordance with the law governing the main agreement.
SCHEDULE 1
Details of Processing of Personal Data (as required by Article 28(3) GDPR and applicable Data Protection Laws)
ANNEX IA — LIST OF PARTIES AND DESCRIPTION OF TRANSFER
Data exporter (Controller): Customer as identified in the main agreement.
Data importer (Processor): Orbitshift, Inc., a Delaware corporation.
Subject-matter and nature of the processing: Orbitshift processes Personal Data to provide the Services, including storing and analysing sales engagement data, account intelligence, and related business information.
Duration of the processing: For the duration of the main agreement and for a further 90-day deletion/return period thereafter.
Categories of Data Subjects: Customer's employees, contractors, and end users; contacts and prospects in Customer's CRM; third-party individuals identified in account intelligence data.
Categories of Personal Data: Name, business email address, job title, employer, professional social profile data, sales engagement activity data, and any other Personal Data Customer inputs into the Services.
Sensitive data: None intended. Customer shall not submit special categories of Personal Data (Article 9 GDPR) to the Services.
Frequency of transfer: Continuous, for the duration of the agreement.
ANNEX II — TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Orbitshift has implemented the following technical and organisational security measures:
Security Management
- Information security policies reviewed and updated annually.
- Designated security function with executive sponsorship.
- Risk assessments conducted at least annually and upon material changes.
- SOC 2 Type II audit programme.
Personnel Security
- Background checks conducted for all employees with access to Personal Data.
- Security awareness training provided to all employees at onboarding and annually.
- Disciplinary process for security policy violations.
Access Controls
- Role-based access control (RBAC); least-privilege principle enforced.
- Multi-factor authentication (MFA) required for all production systems.
- Privileged access reviews conducted quarterly.
- Access provisioning and de-provisioning tied to HR lifecycle.
Data Center and Network Security
- Hosted on AWS infrastructure; physical security managed by AWS.
- Data encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
- Intrusion detection and monitoring on all production systems.
Networks and Transmission
- Firewalls and network segmentation between production and non-production environments.
- Vulnerability scanning and penetration testing at least annually.
- Security patching programme with SLA for critical vulnerabilities.
Data Storage, Retention and Disposal
- Production data stored in AWS eu-west-1 (Ireland) or us-east-1 (Virginia) as configured.
- Automated backups with encryption; tested at least quarterly.
- Secure deletion procedures applied to decommissioned storage media.
ANNEX III — SUB-PROCESSORS
The following Sub-Processors are authorised to process Personal Data in connection with the Services:
Sub-Processors authorised as of March 2025
| Sub-Processor | Description | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, and managed databases. | USA / EU (configurable) |
| Vercel | Application hosting and edge delivery for the Orbitshift web application. | USA / Global CDN |
| Google Workspace | Internal collaboration tools (email, calendar, documents) used by Orbitshift employees. | USA |
| GitHub | Source code management and CI/CD pipelines. | USA |
| HubSpot | Customer relationship management (CRM) and customer communication. | USA |
| Linear | Internal project and issue tracking used by Orbitshift engineering. | USA |
| Scrut Automation | Compliance and security posture management (SOC 2). | USA |
| Slack | Internal business communication for Orbitshift employees. | USA |
| Datadog | Application performance monitoring, logging, and alerting for production systems. | USA |
Orbitshift will provide at least 14 days' advance notice of any addition or replacement of Sub-Processors by updating this Annex and notifying Customer via email.