Kitecyber Data Protection Addendum (DPA)

This Data Protection Addendum (“DPA”) forms part of the [Master Services Agreement / Terms of Service] (“Agreement”) entered into by and between:
  • Kitecyber, Inc., a Delaware corporation with offices at 691 S Milpitas Blvd, Ste 217, Milpitas, CA 95035, USA (“Processor” or “Kitecyber”); and
  • The Customer entity agreeing to the Agreement (“Controller” or “Customer”).

RECITALS

WHEREAS:

  • Processor provides certain services to Controller pursuant to the Agreement, which may involve the Processing of Personal Data; and
  • The parties seek to ensure that such Processing complies with applicable Data Protection Laws, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, Swiss data protection laws, and applicable US privacy laws.

NOW, THEREFORE, in consideration of the mutual obligations in this DPA, the parties agree as follows:


1. Definitions

In this DPA:

  • “Data Protection Laws” means all applicable laws relating to the processing, privacy, and use of Personal Data, including the GDPR, UK GDPR, Swiss laws, and the California Consumer Privacy Act (CCPA/CPRA), as amended or replaced.
  • “Standard Contractual Clauses (SCCs)” means the European Commission’s Standard Contractual Clauses for data transfers adopted under Commission Implementing Decision (EU) 2021/914, including any UK and Swiss addenda.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data, such as collection, storage, use, disclosure, or erasure.
  • “Controller” means the entity that determines the purposes and means of Processing Personal Data.
  • “Processor” means the entity that Processes Personal Data on behalf of the Controller.
  • “Sub-processor” means any third party engaged by Processor to Process Personal Data on behalf of Controller.
  • “Data Subject” means an identified or identifiable natural person.
  • “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

Capitalized terms used but not defined shall have the meanings given in the Agreement or Data Protection Laws.


2. Scope and Role of the Parties

2.1 Roles of the Parties

  • Controller determines the purposes and means of Processing Personal Data.
  • Processor Processes Personal Data on Controller’s behalf, solely on documented instructions.

2.2 Purpose of Processing
Processor Processes Personal Data strictly for:

  • Providing Kitecyber’s hyper-converged endpoint security services;
  • Device, app, user, and network inventory;
  • SaaS security posture management;
  • Zero Trust Private Access services;
  • Integration with Controller’s compliance vendors via APIs;
  • Security monitoring, logging, and reporting;
  • Technical support.

2.3 Documented Instructions
Processor shall Process Personal Data only on Controller’s documented instructions, unless required by law.


3. Confidentiality

Processor ensures that personnel with access to Personal Data are bound by confidentiality obligations.


4. Security Measures

Processor implements technical and organizational security measures appropriate to the risk, including:

  • Encryption in transit and at rest;
  • Strict access controls and authentication;
  • Network segmentation and monitoring;
  • Vulnerability assessments and penetration testing;
  • Incident detection and response;
  • Business continuity and disaster recovery planning.

Further details are in Annex III.


5. Data Subject Rights

Processor shall assist Controller in fulfilling Data Subjects’ rights, including:

  • Access
  • Rectification
  • Erasure
  • Data portability
  • Restriction of Processing
  • Objection to Processing

If a Data Subject wishes to exercise its rights under applicable Data Protection Laws, including but not limited to the rights of access, correction and erasure of Personal Data in Kitecyber’s control, the Data Subject may submit the request to Kitecyber’s Data Protection Officer (DPO) identified below. Concerns or complaints relating to Customer Personal Data may also be raised with the DPO:

Name: Srikanth Chavali
Email ID: security@kitecyber.com


6. Personal Data Breach

Processor shall notify Controller without undue delay, and in any event no later than 48 hours after becoming aware of a Personal Data Breach, providing:

  • Nature of the breach;
  • Categories and approximate number of affected Data Subjects;
  • Likely consequences;
  • Measures taken or proposed to mitigate effects.

7. Sub-Processors

7.1 Authorization
Controller authorizes Processor to use the Sub-processors listed in Annex II. Processor shall notify Controller of any intended changes and provide an opportunity to object on reasonable grounds.

7.2 Sub-processor Obligations
Processor shall enter into written agreements with Sub-processors imposing data protection obligations equivalent to those in this DPA.

7.3 Liability
Processor remains fully liable for Sub-processors’ performance.


8. International Data Transfers

Processor shall not transfer Personal Data outside the European Economic Area, United Kingdom, or Switzerland unless:

  • Adequacy decisions under Art. 45 GDPR apply; or
  • Appropriate safeguards under Art. 46 GDPR (such as Standard Contractual Clauses) are implemented; or
  • Derogations under Art. 49 GDPR apply.

Standard SCC Text:

“To the extent required for compliance with Data Protection Laws, the parties agree that the Standard Contractual Clauses (Controller-to-Processor Module Two), as adopted by the European Commission on 4 June 2021 (Decision (EU) 2021/914), including any required UK or Swiss addenda or modifications, shall apply to any transfers of Personal Data from the EEA, UK, or Switzerland to the Processor outside those regions. The governing law for the SCCs shall be the law of Ireland, and disputes shall be subject to the jurisdiction of the courts of Ireland, unless otherwise specified under the SCCs or applicable addenda.”


9. Audit and Compliance

Processor shall make available all information necessary to demonstrate compliance with this DPA and allow audits by Controller or its designated auditor, subject to reasonable notice and confidentiality requirements.


10. Return or Deletion of Personal Data

Upon termination of the Agreement, Processor shall, at Controller’s choice:

  • Return all Personal Data; or
  • Delete all Personal Data,

unless retention is required by law.


11. Liability

Liability under this DPA is subject to the limitations in the Agreement unless prohibited under Data Protection Laws.


12. Governing Law

This DPA shall be governed by the laws of the State of Delaware, USA, except where Data Protection Laws require otherwise.

Annex I – Details of Processing

Subject Matter: Processing necessary to provide Kitecyber services

Nature and Purpose:
  • Device, app, user inventory
  • Security posture management
  • Zero Trust access controls
  • Security monitoring, logging, reporting
  • Integration with compliance partners via APIs

Types of Personal Data:
  • Names, usernames, email addresses
  • Device identifiers (serial numbers, MAC/IP addresses)
  • Security event logs
  • Usage and system telemetry
  • Authentication and access logs

Categories of Data Subjects:
  • Customer employees
  • Customer contractors or agents
  • Other users whose data may appear in security logs

Retention Period: As long as required to provide services or as instructed by Controller

Annex II – Authorized Sub-Processors

Sub-Processor            Location   Purpose of Processing
Amazon Web Services      US/EEA     Cloud infrastructure and storage
Microsoft Azure          US/EEA     Cloud compute and services
Google Cloud Platform    US/EEA     Cloud services and analytics
Quickbooks               US/EEA     Accounting services
Stripe                   US/EEA     Payment gateway services

Annex III – Security Measures

  • Encryption of Personal Data in transit and at rest using industry-standard protocols;
  • Strict role-based access controls and user authentication (e.g. MFA);
  • Network segmentation and monitoring for suspicious activity;
  • Regular vulnerability scanning and annual penetration testing;
  • Secure development practices and code reviews;
  • Security incident response procedures;
  • Backup and disaster recovery processes;
  • Compliance with SOC 2 Type II and ISO 27001.
