Data Processing Addendum
Article 28 GDPR data processing terms, SCCs, security annex and authorised sub-processors. Effective May 30, 2026.
This Data Processing Addendum ("DPA") forms part of the Plutobee Terms of Service or the master agreement between you ("Customer") and Plutobee, Inc. ("Plutobee") (the "Agreement") and reflects the parties' agreement on the processing of Personal Data carried out by Plutobee on behalf of Customer in connection with the Services. In the event of conflict, this DPA prevails over the Agreement with respect to data-protection matters.
1. Definitions
Capitalised terms have the meaning given in the Agreement. Additional terms:
- "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the EU GDPR, UK GDPR, Swiss FADP, California CCPA/CPRA, and Brazilian LGPD.
- "Personal Data" means Customer Content that is "personal data" or "personal information" under Data Protection Laws and that Plutobee processes on Customer's behalf.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and where applicable the United Kingdom International Data Transfer Addendum.
- "Sub-processor" means any entity engaged by Plutobee to process Personal Data on behalf of Customer.
2. Roles and subject matter
The parties acknowledge that Customer is the controller and Plutobee is the processor (or "service provider" under CCPA) of Personal Data processed under this DPA. Where Customer itself acts as a processor on behalf of a third-party controller, Plutobee acts as Customer's sub-processor and the processor-to-processor provisions of Section 7 apply. The subject matter, nature, purpose and duration of processing are described in Annex I.
3. Customer instructions
Plutobee will process Personal Data only on documented instructions from Customer, including the Agreement and this DPA. Plutobee will inform Customer if, in its opinion, an instruction infringes Data Protection Laws. Customer is responsible for ensuring its instructions and use of the Services comply with Data Protection Laws.
4. Processing details
The categories of data subjects, categories of Personal Data, nature of processing, purposes and duration are set out in Annex I. Plutobee will not retain, use, disclose or otherwise process Personal Data for any purpose other than the purposes described in Annex I and Customer's documented instructions under Section 3.
5. Sub-processors
Customer grants Plutobee general written authorisation to engage Sub-processors. The current list of Sub-processors is maintained as described in Annex III and updated as Sub-processors are added or removed. Plutobee will notify Customer (by email to the address designated by Customer or by an update to the list) of any intended addition or replacement of a Sub-processor at least thirty (30) days before the change takes effect. If Customer reasonably objects within that period, the parties will work in good faith to find a solution; if none is found, Customer may terminate the affected Service on written notice and receive a pro-rata refund of pre-paid unused fees. Plutobee remains liable for the acts and omissions of its Sub-processors as for its own.
6. Security
Plutobee implements and maintains the technical and organisational measures described in Annex II to ensure a level of security appropriate to the risk. Measures are reviewed periodically and updated to reflect evolving risks; Plutobee will not materially reduce the overall level of protection during the term. Plutobee maintains an information security programme aligned with SOC 2 and ISO/IEC 27001 and provides its most recent SOC 2 report and ISO/IEC 27001 certificate under NDA on request.
Plutobee ensures that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and receive security and data-protection training.
7. International transfers
Where Personal Data originating in the EEA, the United Kingdom or Switzerland is transferred to a country not subject to an adequacy decision, the parties agree that the Standard Contractual Clauses (Module 2: Controller to Processor; or Module 3: Processor to Processor, as applicable) apply and are deemed incorporated into this DPA. Customer is the data exporter, Plutobee is the data importer. The clauses are subject to the choices set out in Annex I. For UK transfers, the UK International Data Transfer Addendum applies. For Swiss transfers, references in the SCCs to the GDPR are deemed to include the Swiss FADP and the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority.
Plutobee will conduct transfer impact assessments where required and implement supplementary measures (e.g., encryption, contractual safeguards) as appropriate.
8. Personal data breaches
Plutobee will notify Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data breach, providing all information reasonably required to enable Customer to fulfil its own notification obligations, including (a) the nature of the breach, (b) the categories and approximate number of data subjects and records affected, (c) the likely consequences and (d) the measures taken or proposed to mitigate. Plutobee will cooperate with Customer's investigation and remediation. Notifications do not constitute an acknowledgement of fault.
9. Audits
Plutobee will make available to Customer the information necessary to demonstrate compliance with this DPA and Data Protection Laws, including SOC 2 reports and ISO/IEC 27001 certificates under NDA. Where required by Data Protection Laws, Customer (or an independent auditor jointly agreed) may conduct an audit no more than once per twelve (12) months, on reasonable advance notice of at least thirty (30) days, during business hours, at Customer's cost, and subject to confidentiality and security restrictions. Audits will be designed not to disrupt operations or compromise the security of other customers.
10. Data subject rights
Plutobee will assist Customer by appropriate technical and organisational measures, insofar as possible, to respond to data subject requests under Data Protection Laws. Plutobee will forward to Customer any data-subject request it receives in respect of Customer Personal Data and will not respond except on Customer's instructions or as required by law.
11. Return and deletion
Upon termination or expiration of the Agreement, Plutobee will, at Customer's choice, return or delete Personal Data within ninety (90) days, unless retention is required by law. Customer may export Customer Content using available tools during a thirty (30) day window following termination. Following deletion, Plutobee will certify deletion on written request.
12. Liability and miscellaneous
Each party's liability under this DPA is subject to the limitations of liability in the Agreement. Nothing in this DPA limits the rights of data subjects under Data Protection Laws. If a provision of this DPA is held unenforceable, it will be modified to the minimum extent necessary and the remainder remains in effect. The Agreement (excluding this DPA) governs all other matters. Disputes are resolved in accordance with the Agreement.
13. Annexes
Annex I · Processing details
- Data exporter: Customer (controller).
- Data importer: Plutobee, Inc., a Delaware corporation, processing on behalf of Customer.
- Categories of data subjects: Customer's employees, contractors, end users, applicants and other persons whose Personal Data is processed in connection with the Services.
- Categories of Personal Data: identification and contact details, professional details, account credentials, content, usage data, technical identifiers and any Personal Data Customer chooses to include in Customer Content.
- Sensitive data: special categories of Personal Data (Article 9 GDPR) and similar sensitive data are not intended to be processed; if Customer chooses to upload such data, Customer is responsible for any additional safeguards required.
- Frequency: continuous, as needed to provide the Services.
- Nature of processing: hosting, storage, access, transmission, analysis, support.
- Purpose: to provide and improve the Services.
- Duration: the term of the Agreement plus the retention periods set out in the Privacy Policy.
- Competent supervisory authority: the supervisory authority of the EU member state in which the Customer is established; for UK transfers, the UK ICO; for Swiss transfers, the FDPIC.
- SCC selections: Clause 7 (docking clause) included; Clause 9(a) Option 2 (general written authorisation) with the thirty (30) day notice period set out in Section 5; optional language in Clause 11(a) (independent dispute resolution body) not included; Clause 17 governing law: Ireland; Clause 18 forum: the courts of Ireland.
Annex II · Technical and organisational measures
- Information security policy reviewed at least annually, approved by senior management.
- Risk assessment and treatment processes consistent with ISO 27005.
- Access controls: unique user IDs, multi-factor authentication for production, least-privilege role-based access, periodic access reviews.
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest; envelope encryption for secrets; HSM-backed keys where appropriate.
- Network security: segmented production networks, default-deny firewalls, intrusion detection, DDoS mitigation at the edge.
- Application security: secure SDLC, peer code review, static and dynamic analysis, dependency scanning, regular penetration testing.
- Logging and monitoring: centralised, tamper-evident, retained for a minimum of thirteen (13) months, with 24/7 alerting on critical events.
- Backup and disaster recovery: regular backups, geographically diverse, tested restoration, documented RTO/RPO.
- Vulnerability management: defined SLAs for remediation by severity; coordinated disclosure programme.
- Incident response: documented procedures, on-call rotation, tabletop exercises, post-incident reviews.
- Vendor management: security and privacy due diligence before onboarding; contractual safeguards; periodic review.
- Personnel: background checks where lawful, signed confidentiality undertakings, mandatory security and privacy training annually.
- Physical security: hosting in audited data centres (SOC 2 Type II), badge access, CCTV, environmental controls.
- Business continuity: documented and tested plan with defined RTO/RPO.
- Change management: approved changes, peer review, automated deployment, rollback procedures.
- Asset and configuration management: inventory, hardening baselines, regular reconciliation.
Annex III · Authorised Sub-processors
The current list of authorised Sub-processors is available on request from privacy@plutobee.com and is updated as Sub-processors are added or removed.