1. Overview and incorporation
This DPA is entered into between the Client identified in the Agreement (the “Client”) and Novexa LLC (“Novexa”). To the extent there is a conflict between the Agreement and this DPA with respect to the processing of Personal Data, this DPA controls.
By entering into the Agreement, the parties are deemed to have signed this DPA. No separate signature is required, provided that the Client may request a counter-signed copy from legal@novexasoftware.com.
2. Definitions
- “Applicable Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (2016/679) (the “GDPR”), the United Kingdom GDPR and Data Protection Act 2018 (the “UK GDPR”), the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”), and any successor laws.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” have the meanings given in the GDPR (or analogous terms under other Applicable Data Protection Law, including “Business”, “Service Provider”, and “Personal Information” under the CCPA).
- “Sub-processor” means any third party engaged by Novexa to process Personal Data on behalf of the Client.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or superseded.
- “UK IDTA” means the International Data Transfer Addendum to the EU Commission SCCs, issued by the UK Information Commissioner.
3. Scope and roles of the parties
With respect to Personal Data processed in the performance of the Services, the Client is the Controller and Novexa is the Processor. Where Novexa is acting on behalf of a third party that is the Controller, the Client is the controller of its own instructions and acts on behalf of that third party as appropriate.
For Personal Data for which Novexa determines the purposes and means of processing on its own behalf (for example, its own accounting records or business contacts), Novexa acts as a Controller and its processing is governed by the Novexa Privacy Policy.
4. Processing of Personal Data
Instructions
Novexa will process Personal Data only on documented instructions from the Client, including regarding transfers to a third country or international organization, unless required to do so by law, in which case Novexa will (where legally permitted) inform the Client of that legal requirement before processing.
Subject matter, duration, nature, and purpose
The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex A.
Confidentiality
Novexa will ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Compliance and assistance
Novexa will provide reasonable assistance to the Client in meeting its obligations under Applicable Data Protection Law, including in responding to Data Subject requests (Section 7), notifying of Personal Data Breaches (Section 8), conducting data protection impact assessments, and consulting with supervisory authorities.
5. Security measures
Novexa will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. A current description of these measures is set out in Annex B.
The Client acknowledges that security is a shared responsibility and that it remains responsible for the secure configuration and use of any systems or data it provides to Novexa, including the administration of access credentials on the Client’s side.
6. Sub-processors
The Client provides a general authorization for Novexa to engage Sub-processors, provided that Novexa:
- maintains an up-to-date list of Sub-processors, a current version of which is set out in Annex C;
- imposes on each Sub-processor, by written contract, data-protection obligations no less protective than those in this DPA;
- remains fully liable to the Client for the performance of any Sub-processor’s obligations; and
- gives the Client at least thirty (30) days’ prior written notice of the intended addition or replacement of a Sub-processor, during which period the Client may object on reasonable data-protection grounds. If the parties cannot resolve the objection in good faith within thirty (30) days of the objection, the Client may terminate the affected portion of the Services without penalty by providing written notice.
7. Data subject requests
Taking into account the nature of the processing, Novexa will provide reasonable assistance, by appropriate technical and organizational measures, to enable the Client to fulfill its obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
If Novexa receives a Data Subject request relating to Personal Data processed on behalf of the Client, Novexa will, to the extent permitted by law, promptly refer the request to the Client and will not respond to the request except on the Client’s documented instructions.
8. Personal Data Breach notification
Novexa will notify the Client without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Client.
The notification will, to the extent known at the time:
- describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
- communicate the name and contact details of the person from whom more information can be obtained;
- describe the likely consequences of the Personal Data Breach; and
- describe the measures taken or proposed to address the Personal Data Breach and mitigate its effects.
Novexa will cooperate with and support the Client’s investigation, mitigation, and any required notifications to supervisory authorities and affected Data Subjects.
9. International data transfers
To the extent the provision of Services involves the transfer of Personal Data outside the EEA, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant authority, the parties agree that:
- the SCCs are incorporated by reference and deemed signed by the parties, with Module Two (Controller to Processor) applying when the Client is a Controller, and Module Three (Processor to Processor) applying when the Client is itself a Processor;
- Clause 7 (the optional Docking Clause) applies;
- Clause 9 (Sub-processors) Option 2 applies (general written authorization) with the notice period set out in Section 6 of this DPA;
- Clause 11 (Redress) — the optional language does not apply;
- Clause 17 (Governing Law) — the SCCs are governed by the law of Ireland;
- Clause 18 (Choice of forum and jurisdiction) — the courts of Ireland;
- Annexes I, II, and III of the SCCs are completed by reference to Annexes A, B, and C of this DPA.
For transfers of Personal Data subject to the UK GDPR, the UK IDTA is incorporated by reference and applies as a complement to the SCCs. For transfers subject to Swiss law, references to the GDPR are interpreted as references to the Swiss Federal Act on Data Protection, and references to supervisory authorities and courts are interpreted as references to the Swiss Federal Data Protection and Information Commissioner and to the Swiss courts, respectively.
10. Audits and information obligations
Novexa will make available to the Client all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and this DPA.
On reasonable written request, and no more than once per twelve (12) month period (unless a Personal Data Breach or regulatory requirement warrants otherwise), the Client may audit Novexa’s compliance with this DPA. Audits will be conducted during normal business hours, on reasonable prior notice, and in a manner that does not interfere with Novexa’s operations. The Client will bear its own costs and Novexa’s reasonable costs of supporting the audit. Novexa may require the Client, its auditors, and any third-party auditors to execute appropriate confidentiality agreements.
The parties agree that, where available, third-party certifications and attestations (such as SOC 2, ISO 27001, or ISO 27701 reports) may satisfy the Client’s audit rights under this Section.
11. Return or deletion of Personal Data
On termination or expiry of the Services, Novexa will, at the Client’s choice, delete or return all Personal Data processed on behalf of the Client, and delete existing copies, unless applicable law requires continued storage. Where required by law to retain Personal Data, Novexa will protect it from further processing and continue to apply the security measures set out in Annex B.
12. CCPA / CPRA terms
To the extent Novexa processes Personal Information of California residents on the Client’s behalf and the CCPA applies, Novexa is a “Service Provider” (or “Contractor” as applicable) under the CCPA.
- Novexa will not “sell” or “share” Personal Information, as those terms are defined under the CCPA;
- Novexa will not retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services, including not using it outside the direct business relationship between the parties;
- Novexa will not combine Personal Information received from the Client with Personal Information it receives from, or on behalf of, any other person or entity, except as permitted under the CCPA;
- Novexa will comply with applicable obligations under the CCPA and provide the same level of privacy protection as required by the CCPA;
- the Client may take reasonable and appropriate steps to ensure Novexa uses Personal Information consistently with the Client’s CCPA obligations, and to remediate unauthorized use, by exercising its audit rights under Section 10.
13. General
Except as modified by this DPA, the Agreement remains in full force and effect. The limitation of liability provisions of the Agreement apply to each party’s obligations under this DPA. In the event of termination of the Agreement, this DPA terminates automatically, except for provisions that by their nature are intended to survive.
Annex A — Description of processing
Subject matter
The provision of cloud architecture, DevOps, AI/ML integration, and technical consulting services as described in the Agreement.
Duration
The term of the Agreement, plus any post-termination period required for the return or deletion of Personal Data.
Nature and purpose of processing
Processing is performed for the purpose of delivering the Services, including consulting, design, development, configuration, testing, support, and associated activities.
Types of Personal Data
- identifiers and contact data of the Client’s personnel (name, email, role);
- authentication and access-control data related to systems in scope;
- any Personal Data contained within systems, repositories, datasets, or logs to which Novexa is granted access by the Client as necessary to perform the Services.
Categories of Data Subjects
- the Client’s employees, contractors, and representatives;
- where applicable, the Client’s end users or customers, to the extent their data is present in systems in scope.
Annex B — Technical and organizational security measures
- Access control. Role-based access control with least-privilege principles; strong authentication, including hardware-backed MFA for administrative access; periodic access reviews.
- Encryption. Encryption of Personal Data in transit using TLS 1.2 or higher; encryption at rest for stored Personal Data on managed systems, using industry-standard algorithms.
- Network security. Firewalling, network segmentation, and hardened configurations on managed infrastructure; use of corporate VPNs or zero-trust access for administrative connectivity.
- Endpoint security. Full-disk encryption on personnel devices; managed endpoint protection; automated patching.
- Secret management. Centralized secret management; prohibition on storing secrets in source control or email.
- Software development lifecycle. Code review, dependency vulnerability scanning, and security testing proportionate to risk.
- Logging and monitoring. Audit logging of administrative and sensitive actions; retention and review proportionate to risk.
- Personnel. Background checks where permitted by law; confidentiality agreements; security and privacy training on onboarding and at least annually.
- Vendor management. Security and data-protection review of Sub-processors; contractual data-protection obligations.
- Incident response. Documented incident-response procedure with defined roles, escalation, communications, and post-incident review.
- Business continuity. Redundant infrastructure for business-critical systems; regular testing of backups and recovery procedures for data under Novexa’s control.
- Physical security. Where physical offices are used, access controls and visitor management; cloud infrastructure hosted in providers that maintain industry-standard physical security certifications.
Annex C — Authorized Sub-processors
Novexa engages the following categories of Sub-processors in the provision of Services. A current list with the identity and location of each Sub-processor is available on written request to privacy@novexasoftware.com.
| Category | Purpose | Region |
|---|---|---|
| Cloud hosting & compute | Hosting of internal systems and Client-facing workspaces | United States / EU (Client-configurable) |
| Email & collaboration | Business email, calendar, and document collaboration | United States / EU |
| Source code management | Source code hosting and review (where applicable) | United States / EU |
| Issue tracking | Engagement task and issue management | United States / EU |
| Accounting & payments | Invoicing, bookkeeping, and payment processing | United States |