This DATA PROCESSING ADDENDUM ("DPA") forms part of the Terms of Service (the "Agreement") between: (i) Terra Enabling Developers, Inc., a Delaware corporation ("Vendor"), acting on its own behalf; and (ii) the customer that has accepted the Agreement ("Customer") acting on its own behalf (Vendor and Customer will together be referred to as the "Parties").

This DPA shall be effective as of the date the Customer accepts the Agreement. The Parties agree that no separate signature is required for this DPA; acceptance of the Agreement constitutes execution of this DPA and, where applicable under Annex B, of the EU Standard Contractual Clauses and UK Addendum incorporated herein.

The terms used in this DPA shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. In the case of conflict or ambiguity between this Addendum and the Agreement, the provision in this Addendum will prevail. Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. Definitions

In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1 "Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Vendor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
1.2 "CCPA" means the California Consumer Privacy Act of 2018, California Civil Code Section 1798.100, et seq., and, effective January 1, 2023, as amended by the California Privacy Rights Act of 2020 ("CPRA"), and its implementing regulations;
1.3 "Data Breach" means a breach of security leading to the accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure of, access to, or other Processing of Personal Data transmitted, stored, or otherwise Processed;
1.4 "Data Protection Laws" means all data protection laws and regulations applicable to a Party's Processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Laws and the CCPA;
1.5 "Data Subject Request" means a request made by a Data Subject in accordance with the rights granted under Data Protection Laws, including but not limited to requests to know, delete and opt-out under the CCPA and requests to access, rectify, erase, restrict Processing, data portability, object to Processing and not to be subject to automated individual decision making under EU Data Protection Laws;
1.6 "End User" means any individual person, business entity, organisation, or group that actively utilises, interacts with, or benefits from a software application or digital product that has been designed, created, or developed by Customer. The term "End User" encompasses a range of potential users, which may include clients, consumers, employees, partners, or affiliates of Customer. In the majority of instances, an End User is a direct or indirect client of Vendor's Customer, who may rely on Vendor's products or services in order to access, maintain, or improve their own offerings. The relationship between the End User and the Vendor's Customer can be contractual, commercial, or otherwise;
1.8 "EU Data Protection Laws" means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) in respect of the United Kingdom ("UK") any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union; and (v) in respect of Switzerland, the Federal Act on Data Protection of 19 June 1992 ("FADP");
1.9 "Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom;
1.10 "EU Standard Contractual Clauses" means the contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, amended as indicated in Annex B, Section 6.6 of this DPA;
1.11 "Personal Data" means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person or particular household;
1.12 "Process" or "Processing" means any operation or set of operations which is performed on Personal Data by Vendor or its Sub-Processor, or in connection with and for the purposes of the provision of the Services, whether or not accomplished by automatic means, including but not limited to collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; and as defined by Data Protection Laws;
1.13 "Restricted Transfer" means a transfer of Personal Data from the European Economic Area, Switzerland or the United Kingdom to a country outside those territories that is not the subject of an adequacy decision or adequacy regulation under applicable Data Protection Laws;
1.14 "Sensitive Data" means (a) social security number, tax file number, passport number, driver's license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of "special categories of data" or "special personal information" under applicable Data Protection Laws;
1.15 "Services" means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Customer pursuant to the Agreement;
1.16 "Sub-Processor" means any person appointed by or on behalf of Vendor to Process Personal Data to fulfil Vendor's obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-Processors may include third parties or Affiliates of Vendor but shall exclude employees, contractors, or consultants of Vendor or Sub-Processors;
1.17 "Third-Party Claim" means any claim, demand, suit, action, or proceeding brought by a third party, including but not limited to any hardware wearable device provider, against Vendor or its representatives;
1.18 "U.K. GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4));
1.19 "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner's Office under s.119A Data Protection Act 2018, which came into force on 21 March 2022, as may be amended or replaced from time to time;
1.20 "Wearable Device" means an electronic device that is designed to be worn or attached to an individual's body, either on the surface or as an implant, and is used to collect, store, analyse, or transmit data related to the individual's health, activity, fitness or other health-related metrics. These devices can include smartwatches, fitness trackers, heart rate monitors, continuous glucose monitors, and smart scales;
1.21 "Wearable Device Data" means the information collected, stored, analysed, or transmitted by a Wearable Device, which includes, but is not limited to, data related to End Users' health, activity, fitness, or other health-related metrics.
The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data Breach", and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Processing of Personal Data

2.1 Roles of the Parties. The Parties acknowledge and agree that with respect to the Processing of Personal Data under the Agreement, Customer is the Controller, and Vendor is the Processor or Service Provider. The subject matter, duration, purpose of the Processing, and types of Personal Data and categories of Data Subjects under this DPA are set forth in Annex A.

2.2 Sensitive Data. Customer shall not provide (or cause to be provided) any Sensitive Data to Vendor under the Agreement in addition to the categories of Sensitive Data set out in Annex A. Vendor will have no liability whatsoever for Sensitive Data provided by Customer in addition to Sensitive Data set out in Annex A, whether in connection with a Data Breach or otherwise.

2.3 Customer Obligations. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its Processing of Personal Data and any processing instructions it issues to Vendor; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Vendor to Process Personal Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any content created, sent or managed through the Service.

2.3.1 Customer Obligations Regarding End User Consent. Customer is solely responsible for presenting Vendor's End User Privacy Policy to Customer's End Users and obtaining the consent of Customer's End Users for Vendor to perform processing in accordance with the Services. End User consent shall be considered given only when End Users have explicitly agreed to Vendor's End User Privacy Policy, available at https://tryterra.co/end-user-privacy. By using these Services, Customer represents to Vendor that it has obtained all necessary consents from End Users. For the avoidance of doubt, Customer will hold such responsibility when Customer does not use Vendor's pre-built widget tool to authenticate Customer's End Users. Vendor shall not be liable for any costs, damages, or expenses, including reasonable attorney's fees and court costs, arising from Customer's failure to gain explicit consent of Customer's End Users to Vendor's End User Privacy Policy.

2.4 Vendor's Obligations. Vendor will adhere to applicable Data Protection Laws in Processing Personal Data according to the processing instructions issued by Customer. Vendor will Process Personal Data only in accordance with Customer's documented written instructions.
The Parties agree that the Agreement sets out Customer's complete and final instructions to Vendor in relation to the Processing of Personal Data, and processing outside of the scope of these instructions (if any) shall require prior written agreement of both of the Parties.

2.5 Lawfulness of Customer's Instructions. Customer shall ensure that Vendor's processing of Personal Data in accordance with Customer's instructions will not cause Vendor to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws.

3. Vendor's End User Data Collection Practices

3.1 Data Collection from Wearable Devices. In some cases, Vendor, at the instruction of Customer, collects End User data directly from End User Wearable Devices rather than through the associated API provided by the Wearable Device manufacturer. Vendor agrees that such collection will take place only in accordance with the End User Privacy Policy and only for the purpose of the processing set out in Annex A.

3.2 Indemnification by Customer. Customer agrees that Vendor shall not be liable for any costs, damages, or expenses, including reasonable attorney's fees and court costs, arising out of or resulting from any Third-Party Claim to the extent that such Third-Party Claim is based on or arises out of: (a) any allegation that Vendor's collection of End User data directly from Wearable Devices, as in Section 3.1, was unauthorised, exceeded the scope of any permission, rights or consent, or otherwise violated any applicable laws, regulations, or the rights of any third party; (b) any instruction by Customer directing Vendor to collect End User data from End Users; (c) Customer's failure to gain explicit consent of Customer's End Users to Vendor's End User Privacy Policy, which informs End Users of Vendor data handling practices; or (d) Customer's failure to gain explicit consent from the wearable device(s) rights owner(s).
Customer represents and warrants to Vendor that it has obtained any necessary consents from the wearable device rights owner of the End User Wearable Device in order for Vendor to connect to the End User Wearable Device and obtain data therefrom.

3.3 Conditions of Indemnification. The indemnification obligations set forth in Section 3.2 are conditioned upon Vendor: (a) promptly notifying Customer in writing of the Third-Party Claim; (b) allowing Customer to have sole control and authority over the defence and settlement of the Third-Party Claim; (c) providing Customer with reasonable assistance, at Customer's expense, in the defence and settlement of the Third-Party Claim; and (d) collecting, using, and sharing End User data only in accordance with Vendor's End User Privacy Policy.

4. Sub-Processing

4.1 General Authorisation. Customer generally authorises the use of Sub-Processors to Process Personal Data in connection with fulfilling Vendor's obligations under the Agreement and/or this DPA. A list of current Sub-Processors can be viewed at https://www.tryterra.co/privacy/subprocessors (the "Sub-Processor List"). Customer hereby authorises Vendor to engage the Sub-Processors listed in the Sub-Processor List.

4.2 New Sub-Processors. When Vendor engages a new Sub-Processor to Process Personal Data, Vendor will, at least ten (10) days before the new Sub-Processor begins Processing Personal Data, notify Customer by updating the Sub-Processor List. Customer shall be responsible for reviewing the Sub-Processor List.

4.3 Communication With Sub-Processors. Customer shall not directly communicate with Vendor's Sub-Processors about the Services, unless agreed to in writing by Vendor at Vendor's sole discretion.

5. Security

5.1 Vendor's Personnel. Vendor shall ensure that any person who is authorised by Vendor to process Personal Data (including its staff and agents) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

5.2 Security Measures. Vendor shall implement and maintain commercially reasonable technical and organisational measures that are designed to protect against Data Breaches involving, and unauthorised or accidental destruction, loss, alteration or damage, unauthorised disclosure of or access to, Personal Data and designed to preserve the security and confidentiality of Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in accordance with the security standards described in Annex D (the "Security Measures").

5.3 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Vendor may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.

5.4 Customer's Obligations Regarding Security Measures. Customer is responsible for independently determining whether the Security Measures adequately meet its obligations under applicable Data Protection Laws. Customer is also responsible for its secure use of the Services, including protecting the security of Personal Data in transit to and from the Services (including securely backing up or encrypting any such Personal Data).

6. Data Breach

6.1 Notification. In the event that Vendor becomes reasonably aware of any Data Breach, Vendor will notify Customer without undue delay.
The notification obligations in this Section 6.1 do not apply to incidents that are caused by Customer or Customer's personnel or users or to unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewall or networked systems. Notification under this Section shall not be construed as an admission by Vendor of fault, liability or breach of this DPA or applicable law.

6.2 Manner of Notification. Notification of a Data Breach, if any, will be delivered to one or more of Customer's business, technical or administrative contacts by any means that Vendor selects, including via electronic mail. It is Customer's sole responsibility to ensure that it maintains accurate contact information with Vendor at all times.

6.3 Data Breach Management. Vendor shall make commercially reasonable efforts to identify the cause of a Data Breach and take those steps that Vendor deems necessary and reasonable to remediate the cause of such Data Breach to the extent that remediation is within Vendor's reasonable control.

7. Termination

7.1 Termination. This DPA shall terminate automatically upon the termination or expiry of the Agreement, save that Sections 5 (Security), 7.2 (Return or Deletion of Data) and any provisions imposing obligations of confidentiality shall survive until Vendor has completed deletion or return of the Personal Data in accordance with Section 7.2.

7.2 Return or Deletion of Data. Within ninety (90) days following termination or expiration of this DPA (or, if later, ninety (90) days following Customer's written request), Vendor shall (at Customer's election) delete or return to Customer all existing copies of Personal Data, unless Data Protection Laws require continued retention of the Personal Data.
This requirement shall not apply to Personal Data that Vendor has archived on backup systems, which Personal Data shall be deleted by Vendor at such time as Vendor next restores to its active systems the backup that contains the Personal Data.

8. Data Subject Requests

8.1 Data Subject Requests. In the event that a Data Subject Request is made to Vendor, Vendor shall not respond to the Data Subject Request directly, except to direct the Data Subject to contact Customer directly or as required by Data Protection Laws. If Vendor is required by Data Protection Laws to respond to the Data Subject Request, it shall notify Customer by any means that Vendor selects, including via electronic mail, unless prohibited from doing so by Data Protection Laws. For the avoidance of doubt, nothing in the Agreement or the DPA shall restrict or prevent Vendor from responding to any Data Subject Request or request or inquiry from a Data Protection Authority in relation to Personal Data for which Vendor is a Controller.

8.2 Vendor shall, at the request of the Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organisational measures to assist Customer in complying with Customer's obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Vendor's assistance and (ii) Vendor is able to do so in accordance with all applicable laws, rules, and regulations. Any such assistance shall be provided at Vendor's then-current professional services rates, or as otherwise agreed in writing between the Parties.

9. Jurisdiction Specific Terms

9.1 To the extent that Vendor Processes Personal Data subject to the GDPR, the terms of Annex B shall apply and are hereby incorporated into the DPA by this reference.
To the extent that Vendor Processes Personal Data subject to the CCPA, the terms of Annex C shall apply and are hereby incorporated into the DPA by this reference.

10. Limitation of Liability

10.1 Limitation of Liability. To the extent permitted by applicable Data Protection Laws, each Party's (and all of that Party's Affiliates') liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.

10.2 Claims by Customer. Any claims made against Vendor or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is a party to the Agreement.

10.3 Exclusion. Nothing in this DPA limits any liability that cannot be limited under applicable Data Protection Laws.

11. Concluding Provisions

11.1 Amendments. This DPA may not be amended or supplemented, nor shall any of its provisions be deemed to be waived or otherwise modified, except through a writing duly executed by authorised representatives of Vendor and Customer, which may be evidenced by Customer's electronic acceptance of an updated version of this DPA made available by Vendor.

11.2 Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this Addendum; (3) the Agreement; and (4) Vendor's End User Privacy Policy. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

11.3 Severability. Should any provision of this DPA or any of the Annexes be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force.
The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained herein.

11.4 Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction selected in the Agreement, without regard to conflict of laws provisions, unless required otherwise by Data Protection Laws.

11.5 Notice. Any notices that are required to be provided in this DPA shall be provided in accordance with any notice provision of the Agreement, unless otherwise specified.

11.6 Authorisation. Customer represents that it is authorised to agree to and enter into this DPA.

This DPA is deemed to be executed by the Parties as of the date the Customer accepts the Agreement. No physical or electronic signature is required; acceptance of the Agreement constitutes execution of this DPA and, where applicable under Annex B, of the EU Standard Contractual Clauses and UK Addendum.

ANNEX A TO DPA
DESCRIPTION OF THE PROCESSING

1. Subject Matter and Details of the Processing

The Parties acknowledge and agree that: (a) the subject matter of the Processing under the Agreement is Vendor's provision of the Services, as set out in the Agreement; (b) the nature and purpose of the Processing is to provide Vendor's Services and fulfil purposes set out in this Addendum; (c) the duration of the Processing is from Vendor's receipt of Personal Data until the deletion of all Personal Data by Vendor in accordance with the Agreement; (d) Vendor will process Customer's Personal Data as long as required (i) to provide the Services to Customer under the Agreement, (ii) for Vendor's legitimate business needs, or (iii) by applicable law or regulation; and (e) the Personal Data are provided by Customer or its users in connection with the Services.

2. Categories of Data Subjects

The categories of Data Subjects to whom the Personal Data pertains are the individuals about whom Vendor processes Personal Data in connection with the Services, including: Customer's Personnel, Representatives; Customer's employees, agents, consultants, advisors, freelancers, contractors; and Customer's authorised end-users.

3. Categories of Personal Data to Be Processed

Identifiers such as name, email address, phone number, job title, date of birth, IP address, cookie identifiers, and address information.
Account Data about End User accounts with a Wearable Device or health data provider, such as account user ID, and about Customer's own accounts and usage of such accounts with Vendor.
Health Data collected from End User Wearable Devices, such as physical activity and workouts, body composition, menstrual cycle, diet and food consumption, and sleep.
Location Data collected from End User Wearable Devices, such as GPS device coordinates, that will only be processed with the consent of End Users.
Any Personal Data provided by Customer or collected by Vendor in order to provide the Services.

4. Categories of Sensitive Data to Be Processed

Customer is prohibited from providing sensitive Personal Data or special categories of data to Vendor, including any data which discloses the criminal history of any person, except for Sensitive Personal Data that is required for Customer to provide the Services, as in Section 3, and fulfil its obligations set out in this DPA or the Agreement.
Health Data collected from Wearable Devices, such as physical activity and workouts, body composition, menstrual cycle, diet and food consumption, and sleep.
Location Data collected from End User Wearable Devices and not from networks or services, such as GPS device coordinates, that will only be processed with the consent of End Users.

5. Obligations and Rights of the Controller

The obligations and rights of Customer are as set out in the Agreement and the DPA.

ANNEX B TO DPA
PROVISIONS APPLICABLE TO PROCESSING OF PERSONAL DATA SUBJECT TO EU DATA PROTECTION LAWS

The provisions of this Annex B will apply to the Processing by Vendor of Personal Data under the Agreement, but only to the extent that the Processing of Personal Data is subject to EU Data Protection Laws. In the event of any conflict between the provisions of this Annex B and the DPA or the Agreement, the provisions of this Annex B shall control.

1. Processing of Personal Data

1.1 Roles of the Parties. When Processing Personal Data that is subject to EU Data Protection Law in accordance with Customer's instructions, the Parties acknowledge that Customer is the Controller of the Personal Data and Vendor is the Processor.

1.2 Legality of Processing Instructions. Vendor shall inform Customer in writing, including by electronic mail, if it believes that an instruction of Customer relating to the Processing of Personal Data infringes on EU Data Protection Laws.

2. Sub-Processors

2.1 Objection to New Sub-Processors. If Customer has a reasonable objection to the addition of a new Sub-Processor to the Sub-Processor List in accordance with Section 4.2 of the DPA, Customer must notify Vendor of the objection in writing within ten (10) calendar days of the addition of the new Sub-Processor to the Sub-Processor List. If Customer does not notify Vendor in writing of an objection within ten (10) calendar days, Customer waives any objection that it may have had to the new Sub-Processor. If Customer submits an objection in accordance with this Section 2, the Parties agree to discuss Customer's concerns in good faith with a view toward achieving a commercially reasonable resolution.
If no such resolution can be reached within thirty (30) calendar days, Vendor may, at its option, either (a) withdraw the objectionable Sub-Processor and either perform the Services itself, or appoint a new Sub-Processor in accordance with the terms of Section 4.2 of the DPA, or (b) permit Customer to suspend or terminate the Services and the Agreement in accordance with the termination provisions of the Agreement without liability to either party (but Customer must pay any fees incurred for Services actually performed by Vendor prior to suspension or termination in accordance with the terms of the Agreement). The parties agree that by complying with this Section 2, Vendor fulfils its obligations under Section 9 of the Standard Contractual Clauses.

2.2 Sub-Processor Contractual Terms. Vendor will contractually impose data protection obligations on its Sub-Processors that are equivalent to those data protection obligations imposed on Vendor under the DPA and this Annex B.

2.3 Liability for Acts/Omissions of Sub-Processors. Vendor shall remain liable for the acts and omissions of its Sub-Processors to the same extent that Vendor would be liable if it performed the services of each Sub-Processor directly under the terms of this DPA.

3. Rights of Data Subjects

3.1 Vendor shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject's right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively "Data Subject Request(s)"). If Vendor receives a Data Subject Request in relation to Customer's data, Vendor will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services.
Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Vendor, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.

3.2 Vendor shall, at the request of the Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organisational measures to assist Customer in complying with Customer's obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Vendor's assistance and (ii) Vendor is able to do so in accordance with all applicable laws, rules, and regulations. Any such assistance shall be provided at Vendor's then-current professional services rates, or as otherwise agreed in writing between the Parties.

4. Data Protection Impact Assessment

To the extent required under applicable Data Protection Laws, Vendor shall (taking into account the nature of the processing and the information available to Vendor) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with Supervisory Authorities as required by Data Protection Laws. Vendor shall comply with the foregoing by: (i) complying with Section 5 (Audits) of this Annex B; (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing subsections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance at Vendor's then-current professional services rates, or as otherwise agreed in writing between the Parties.

5. Audits

5.1 Audits Generally. Vendor will make information reasonably necessary to demonstrate compliance with this DPA available to Customer. Customer may audit Vendor's compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by applicable Data Protection Laws, including where mandated by Customer's Supervisory Authority. Any audit must be conducted during regular business hours, subject to the agreed final audit plan as set forth in Section 5.3 of this Annex B and subject to Vendor's safety, security or other relevant policies, and may not unreasonably interfere with Vendor's business activities.

5.2 Third Party Auditors. If a third party is to conduct an audit under Section 5.1 of this Annex B, Vendor may object to the auditor if the auditor is, in Vendor's reasonable opinion, a competitor of Vendor. Such objection by Vendor will require Customer to appoint another auditor or conduct the audit itself. Customer will be responsible for all fees charged by any auditor appointed by Customer to execute any audit under this Section 5.

5.3 Audit Plan. Aside from an audit of a Supervisory Authority, to request an audit, Customer must submit a detailed proposed audit plan to Vendor at least thirty (30) calendar days in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the Parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the scope, duration and start date of the audit. Vendor will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Vendor's security, privacy, employment or other relevant policies).
Vendor will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 5.3 shall require Vendor to disclose any information where such disclosure would result in a breach of any duty of confidentiality.5.4 Third Party Audit Reports.If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer's audit request and Vendor has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.5.5 Sub-Processor Information.Nothing in this Section 5 shall be construed to require Vendor to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make available to Vendor without restriction on further disclosure.5.6 Audit Reports.Customer will promptly notify Vendor of any non-compliance discovered during the course of an audit and provide Vendor any audit reports generated in connection with any audit under this Section 5 unless prohibited by applicable Data Protection Laws or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer's regulatory audit requirements and/or confirming compliance with the requirements of this DPA. If any audit reveals that Vendor is not in compliance with the provisions of this DPA and/or applicable Data Protection Laws, Vendor shall take commercially reasonable corrective actions including temporary work-arounds reasonably necessary to comply with the provisions of this DPA and/or applicable Data Protection Laws.6. Cross-Border Data Transfers6.1 Processing in United Kingdom.Customer acknowledges that, as of the date of this DPA, Vendor's primary Processing facilities are located in the United Kingdom. 
The parties agree that Vendor may transfer Personal Data processed under this Addendum outside the EEA, the UK, or Switzerland as necessary to provide the Services. Customer acknowledges that Vendor's primary processing operations take place in the United Kingdom, and that the transfer of Customer's Personal Data to the United States may be necessary for the provision of the Services to Customer. The provisions of Sections 6.2 and 6.3 below apply only to the extent that a Processing activity under this DPA constitutes a Restricted Transfer. If Vendor transfers Personal Data protected under this Addendum to a jurisdiction for which the European Commission has not issued an adequacy decision, Vendor will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.

6.2 EU Standard Contractual Clauses. For data transfers from the European Economic Area to a country that has not been deemed by the European Commission to provide an adequate level of protection of Personal Data pursuant to Article 45 of the GDPR, Module Two of the EU Standard Contractual Clauses (EEA controller to a non-EEA processor) will apply in the following manner:

(a) In Clause 7, the optional docking clause will not apply;
(b) In Clause 9(a), Option 2 will apply, and the time period for notice of Sub-Processor changes will be as set forth in Section 4.2 (New Sub-Processors) of the DPA;
(c) In Clause 11, the optional language will not apply;
(d) In Clause 17, Option 1 will apply, and the EU Standard Contractual Clauses will be governed by Irish law;
(e) In Clause 18(b), disputes will be resolved before the courts of Ireland;
(f) In Annex I, Part A: Data Exporter: Customer and authorised affiliates of Customer; Contact Details: the contact details provided by Customer in Customer's account registration or in the Agreement; Data Exporter Role: The Data Exporter's role is defined in Section 2 of this DPA; Signature & Date: By entering into this DPA, Data Exporter is deemed to have signed the EU Standard Contractual Clauses (Module 2) incorporated herein, including their Annexes, as of the date of this DPA. Data Importer: Vendor; Contact Details: Name: Kyriakos Eleftheriou; Title: Chief Executive Officer; Address: address of Vendor as stated in the Agreement; Email: privacy@tryterra.co; Data Importer Role: The Data Importer's role is outlined in Section 2 of this DPA; Signature & Date: By entering into this DPA, Data Importer is deemed to have signed the EU Standard Contractual Clauses (Module 2) incorporated herein, including their Annexes, as of the date of this DPA.
(g) In Annex I, Part B: (i) The categories of Data Subjects are described in Annex A, Section 1 to this DPA; (ii) The Sensitive Data transferred is described in Annex A, Section 3 to this DPA; (iii) The frequency of the transfer is a continuous basis for the duration of the Agreement; (iv) The nature of the processing is described in Annex A, Section 1 to this DPA; (v) The purpose of the processing is described in Annex A, Section 1 to this DPA; (vi) The duration of the processing is described in Annex A, Section 1 to this DPA; (vii) For transfers to Sub-Processors, the subject matter of the processing is Vendor's provision of the Services, as set out in the Agreement; (viii) For transfers to Sub-Processors, the nature of the processing is to provide Vendor's Services and fulfil purposes set out in this Addendum; (ix) For transfers to Sub-Processors, the duration of the processing is from Sub-Processor's receipt of Personal Data from Vendor until the deletion of all Personal Data by Vendor in accordance with the Agreement;
(h) In Annex I, Part C, the competent Supervisory Authority is Ireland;
(i) Annex D to this DPA serves as Annex II to the EU Standard Contractual Clauses.
6.3 UK Addendum. For data transfers from the United Kingdom to a country that has not been deemed to provide an adequate level of protection of Personal Data under UK Data Protection Laws, the UK Addendum is hereby incorporated into this DPA and shall apply with the following selections: (a) Table 1 (Parties) and Table 3 (Appendix Information) shall be completed by reference to the corresponding information in Section 6.2 of this Annex B and Annexes A and D to this DPA; (b) Table 2 shall be deemed completed to select the EU Standard Contractual Clauses as incorporated under Section 6.2 of this Annex B (Module Two) with the selections and amendments set out therein; (c) In Table 4, neither Party may end the UK Addendum under Section 19 of the UK Addendum.

6.4 Additional Safeguards. In the event of transfer of Personal Data from the European Economic Area, Switzerland or the United Kingdom to a jurisdiction that has not been deemed to provide an adequate level of protection for Personal Data by the European Commission or the United Kingdom Information Commissioner's Office (as applicable), the Parties agree to supplement the provisions of the EU Standard Contractual Clauses and/or the UK Addendum with the following safeguards and representations, where appropriate:

(a) Vendor shall implement and maintain in accordance with good industry practice measures to protect the Personal Data from interception. This includes having in place and maintaining network protection and industry-standard encryption intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
(b) Vendor will make commercially reasonable efforts to resist, subject to applicable Data Protection Laws and other applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the U.K. GDPR, including under Section 702 of the United States Foreign Intelligence Surveillance Act ("FISA").
(c) If Vendor becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise: (i) Vendor shall inform the relevant governmental authority that Vendor is a Processor of the Personal Data and that Customer has not authorised Vendor to disclose the Personal Data to the governmental authority, and inform the relevant governmental authority that any and all requests or demands for access to Personal Data should therefore be notified to or served upon Customer in writing; (ii) If taking into account the nature, scope, context and purposes of a demand, Vendor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, Vendor shall notify Customer, as soon as practicable, following the access by the governmental authority, and provide Customer with relevant details of the same, unless and to the extent Vendor is legally prohibited from doing so.
(d) Except to the extent prohibited by law, once every 12-month period, Vendor will inform Customer, at Customer's written request, of the types of binding legal demands for Personal Data it has received.
(e) If Vendor is prohibited by law from disclosing to Customer the existence of a request for information by a law enforcement entity under Section 702 of FISA or other similar legal process, Vendor shall take all reasonable steps to attempt to have the prohibition on disclosure removed, and shall promptly notify Customer of the request as soon as legally permitted.
6.5 Conflicts. To the extent there is any conflict between the EU Standard Contractual Clauses or the UK Addendum and any other terms in this DPA, including Section 9 (Jurisdiction Specific Terms), the provisions of the EU Standard Contractual Clauses will prevail, but only to the extent that the EU Standard Contractual Clauses and/or the UK Addendum apply.

6.6 Amendments to EU Standard Contractual Clauses or UK Addendum. If the European Commission, the United Kingdom Information Commissioner's Office or a Supervisory Authority amends the EU Standard Contractual Clauses or the UK Addendum, the parties shall promptly discuss the proposed amendments and negotiate in good faith with a view toward agreeing and implementing those amendments as soon as is reasonably practicable.

ANNEX C TO DPA
PROVISIONS APPLICABLE TO PROCESSING OF PERSONAL DATA SUBJECT TO THE CCPA

The provisions of this Annex C will apply to the Processing by Vendor of Personal Data under the Agreement only to the extent that the Processing of Personal Data is subject to the CCPA; in which case, in the event of any conflict between the provisions of this Annex C and the DPA or the Agreement, the provisions of this Annex C shall control.

1. Definitions. As used in this Annex C, the terms "Business Purpose", "Person", "Personal Information", "Sale" and "Service Provider" shall have the same meaning as in the CCPA (California Civil Code Section 1798.140), and their cognate terms shall be construed accordingly.

2. Roles of the Parties. The Parties acknowledge and agree that, with regard to the Processing of Personal Data that constitutes Personal Information performed solely on behalf of Customer, Vendor is a Service Provider and receives Personal Data pursuant to the Business Purpose of providing the Services to Customer under the Agreement.

3. No Sale of Personal Data to Vendor. Customer and Vendor hereby acknowledge and agree that in no event shall the transfer of Personal Data that constitutes Personal Information from Customer to Vendor pursuant to the Agreement constitute a Sale of Personal Information to Vendor, and that nothing in the Agreement shall be construed as providing for the Sale of Personal Information. The Parties acknowledge and agree that Vendor's access to Personal Data that constitutes Personal Information does not constitute part of the consideration exchanged by the Parties in respect of the Agreement.

4. Limitations on Use and Disclosure. Vendor will not sell the Personal Data that constitutes Personal Information Processed under this DPA and will not retain, use or disclose the Personal Data that constitutes Personal Information for any purposes other than the specific purpose of performing the Services as provided in the Agreement, the Business Purposes specified in the Agreement, and as required under the CCPA. Vendor shall not retain, use or disclose Personal Data that constitutes Personal Information outside of the direct business relationship between Vendor and Customer. Vendor hereby certifies that it understands the foregoing restriction and will comply with it in accordance with the requirements of the CCPA.

5. Compliance With CCPA. Vendor shall comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Data that constitutes Personal Information as required by the CCPA. If Vendor determines that it can no longer meet its obligations under the CCPA, it shall notify Customer in writing (including by email).

6. Monitoring Compliance with CCPA. Customer shall have the right to take reasonable and appropriate steps to help to ensure that Vendor uses the Personal Data that constitutes Personal Information in a manner that is consistent with Customer's obligations under the CCPA. The Parties agree that those reasonable and appropriate steps are listed in Section 5 of Annex B to this DPA.

7. Combining Personal Information. Vendor shall not combine Personal Data that constitutes Personal Information that Vendor receives from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another Person or Persons, or collects from its own interaction with the Data Subject (except to perform a Business Purpose as defined in regulations adopted pursuant to the CCPA).

ANNEX D TO DPA
SECURITY MEASURES

The technical and organisational measures implemented by Vendor pursuant to Section 5.2 of the DPA shall be as follows:

1. Security Staffing and Background Checks

• Vendor's employees are subject to background checks prior to employment.
• Vendor's employees must complete management-approved security training during onboarding and revisit such training annually throughout their tenure.
2. Audit and Risk Assessment

• Vendor undergoes annual SOC 2 Type II audit (including the Security and Processing Integrity Trust Service Criteria).
• Vendor undergoes annual ISO 27001 audit.
3. Technical Security Measures

Technical security measures include: pseudonymisation and encryption of Personal Data in transit (current industry-standard transport security, e.g., TLS 1.2 or higher) and at rest (industry-standard encryption, e.g., AES-256, via AWS transparent disk encryption); regular backups of production datastores, periodically tested in accordance with Vendor's information security and data management policies; secure access protocols including Multi-Factor Authentication and Single Sign-On, with all production access requiring two-factor authentication; monitoring of access to applications, tools, and resources that process or store Customer Data; documented change-management with automated CI/CD; Customer-determined data minimisation with self-service delete and suppress functionality; data retention and deletion in accordance with the DPA; data portability functionality; Sub-Processor Data Processing Agreements imposing substantially similar obligations; and periodic third-party vulnerability assessments including Pentesting with remediation per Vendor's risk-assessment policies.

4. Organisational Security Measures

Vendor maintains strict confidentiality obligations in all Customer and Sub-Processor agreements; an ISO 27001-compliant risk-based information security governance program with administrative, organisational, technical, and physical safeguards; and accountability measures including data-protection and information-security policies, Security-Incident recording and reporting, formally assigned roles, and regular third-party audits.

5. Physical and Environmental Security

Physical Vendor processing occurs in AWS data centres (https://aws.amazon.com/compliance/data-center/controls/). Secure areas use appropriate entry controls tied where possible to centralised systems; cameras and intrusion detection are used at facilities that store or process production data; offices are secured against theft, misuse, environmental threats and unauthorised access; workstations require password-protected screen lock after a period of inactivity consistent with industry practice; and visitor management procedures apply to external agents.

6. Policy Review

Vendor's security and privacy policies are reviewed and approved annually for Vendor's business operations.