DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the Agreement (as specified in the Terms of Service) between Customer and Strand Solutions Inc. (“Processor”) and applies to the Processing of Personal Data by Processor on behalf of Customer in connection with the Services.

1. Definitions

Capitalized terms not otherwise defined in this DPA shall have the meanings given to them in Regulation (EU) 2016/679 (“GDPR”) and, where applicable, the UK GDPR.

2. Roles of the Parties

For the purposes of this DPA:

3. Subject Matter and Duration

Processor shall Process Personal Data for the purpose of providing the Services to Customer for the duration of the Agreement, unless otherwise agreed in writing.

4. Nature and Purpose of Processing

Nature of Processing

Processing may include:

Purpose of Processing

Processing is conducted solely to provide, operate, and improve the Services in accordance with Customer’s documented instructions.

4. Nature and Purpose of Processing

Nature of Processing

Processing may include:

Purpose of Processing

Processing is conducted solely to provide, operate, and improve the Services in accordance with Customer’s documented instructions.

5. Types of Personal Data and Data Subjects

Types of Personal Data

Personal Data may include, without limitation:

Categories of Data Subjects

6. Processor Obligations

Processor shall:

7. Sub-processors

Customer authorizes Processor to engage sub-processors as necessary to provide the Services.

Processor shall:

8. International Data Transfers

Where Personal Data is transferred outside the EEA or the United Kingdom, Processor shall ensure such transfers are made in compliance with applicable data protection laws, including through the use of Standard Contractual Clauses or other valid transfer mechanisms.

9. Security Measures

Processor shall implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

10. Data Subject Requests

Processor shall:

11. Personal Data Breach

Processor shall notify Customer without undue delay after becoming aware of a Personal Data Breach and shall provide information reasonably necessary for Customer to meet its legal obligations.

12. Deletion or Return of Personal Data

Upon termination of the Agreement, Processor shall, at Customer’s choice, delete or return Personal Data within a reasonable period, unless retention is required by applicable law.

13. Audits and Compliance

Processor shall make available information reasonably necessary to demonstrate compliance with this DPA. Audits shall be limited to written assessments, certifications, or third-party reports, unless otherwise required by law or mutually agreed.

14. Liability

The liability of each party under this DPA shall be subject to the limitations of liability set forth in the Terms of Service.

15. Precedence

In the event of a conflict between this DPA and the Agreement, this DPA shall govern with respect to data protection matters.

16. Governing Law

This DPA shall be governed by the same law and jurisdiction as the Terms of Service.

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the Agreement (as specified in the Terms of Service) between Customer and Strand Solutions Inc. (“Processor”) and applies to the Processing of Personal Data by Processor on behalf of Customer in connection with the Services.

1. Definitions

Capitalized terms not otherwise defined in this DPA shall have the meanings given to them in Regulation (EU) 2016/679 (“GDPR”) and, where applicable, the UK GDPR.

2. Roles of the Parties

For the purposes of this DPA:

Customer is the Controller of Personal Data.

Processor acts as a Processor on behalf of Customer.

3. Subject Matter and Duration

Processor shall Process Personal Data for the purpose of providing the Services to Customer for the duration of the Agreement, unless otherwise agreed in writing.

4. Nature and Purpose of Processing

Nature of Processing

Processing may include:

Collection

Storage

Organization

Analysis

Aggregation

Visualization

AI-assisted summarization and insights

Purpose of Processing

Processing is conducted solely to provide, operate, and improve the Services in accordance with Customer’s documented instructions.

4. Nature and Purpose of Processing

Nature of Processing

Processing may include:

Collection

Storage

Organization

Analysis

Aggregation

Visualization

AI-assisted summarization and insights

Purpose of Processing

Processing is conducted solely to provide, operate, and improve the Services in accordance with Customer’s documented instructions.

5. Types of Personal Data and Data Subjects

Types of Personal Data

Personal Data may include, without limitation:

Contact information (e.g. name, email address)

User identifiers

CRM and sales data

Product usage and event data

Metadata associated with customer systems

Categories of Data Subjects

Customer employees and contractors

Customer end users

Prospects and leads

6. Processor Obligations

Processor shall:

Process Personal Data only on documented instructions from Customer.

Ensure that persons authorized to Process Personal Data are bound by confidentiality obligations.

Implement appropriate technical and organizational measures to protect Personal Data.

Not use Personal Data for purposes unrelated to the Services, including advertising or resale.

7. Sub-processors

Customer authorizes Processor to engage sub-processors as necessary to provide the Services.

Processor shall:

Ensure sub-processors are bound by data protection obligations no less protective than this DPA.

Remain responsible for the performance of its sub-processors.

Maintain an up-to-date list of sub-processors available upon request or published online. Available at usestrand.app/privacy-policy

8. International Data Transfers

Where Personal Data is transferred outside the EEA or the United Kingdom, Processor shall ensure such transfers are made in compliance with applicable data protection laws, including through the use of Standard Contractual Clauses or other valid transfer mechanisms.

9. Security Measures

Processor shall implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

10. Data Subject Requests

Processor shall:

Promptly notify Customer if it receives a request from a data subject relating to Personal Data.

Provide reasonable assistance to Customer in responding to such requests, as required by applicable law.

11. Personal Data Breach

Processor shall notify Customer without undue delay after becoming aware of a Personal Data Breach and shall provide information reasonably necessary for Customer to meet its legal obligations.

12. Deletion or Return of Personal Data

Upon termination of the Agreement, Processor shall, at Customer’s choice, delete or return Personal Data within a reasonable period, unless retention is required by applicable law.

13. Audits and Compliance

Processor shall make available information reasonably necessary to demonstrate compliance with this DPA. Audits shall be limited to written assessments, certifications, or third-party reports, unless otherwise required by law or mutually agreed.

14. Liability

The liability of each party under this DPA shall be subject to the limitations of liability set forth in the Terms of Service.

15. Precedence

In the event of a conflict between this DPA and the Agreement, this DPA shall govern with respect to data protection matters.

16. Governing Law

This DPA shall be governed by the same law and jurisdiction as the Terms of Service.