Data Processing Addendum

PUBLISHED ON APRIL 2, 2025

This Data Processing Addendum (“DPA” or “Addendum”) forms part of the Agreement between Customer and AutoRABIT.

Except as expressly modified in this Addendum, the terms of the Agreement remain in full force and effect. If there is a conflict between this Addendum and the Agreement, this Addendum will govern. However, if any provision of this Addendum conflicts or is inconsistent with the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Terms used in this Addendum have the meanings assigned to them in this Addendum or, if broader, as defined by Applicable Privacy Law. Capitalized terms not defined in this Addendum or by Applicable Privacy Law shall have the meanings set forth in the Agreement. If the Agreement or Applicable Privacy Law does not use the exact capitalized terms found in this Addendum, similar terms in the Agreement shall be interpreted with all necessary and conforming adjustments.

For and in consideration of the promises and mutual agreements herein, the Parties agree as follows:

1. DEFINITIONS:

1.1 “Affiliate” means an entity controlled by, under common control with, or controlling a Party, where control is denoted by having (directly or indirectly) more than fifty percent (50%) of the voting power (or equivalent) of the applicable entity.

1.2 “Agreement” means the Master Software Agreement located at www.autorabit.com/agreement, unless there is a signed agreement between the Parties, in which case the signed agreement will be the Agreement.

1.3 “Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which AutoRABIT is subject, including, but not limited to, (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), (b) the EU General Data Protection Regulation 2016/679 including the applicable implementing legislation of each Member State (“EU GDPR”), (c) the UK Data Protection Act 2018 and the UK General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR” and together with the EU GDPR, the “GDPR”), (d) the Swiss Federal Act on Data Protection of 19 June 1992, as amended (“FADP”), (e) any other applicable law with respect to any Personal Data in respect of which AutoRABIT is subject, and (f) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.

1.4 “Data Subject” shall mean an identified or identifiable natural person.

1.5 “Personal Data” shall mean (i) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy Law or (ii) if not defined by Applicable Privacy Law, any information that relates to a Data Subject; in each case, to the extent Processed by AutoRABIT, on behalf of Customer, in connection with AutoRABIT’s performance of the Services.

1.6 “Privacy Authority” shall mean any competent supervisory authority, attorney general, or other regulator with responsibility for privacy or data protection matters.

1.7 “Process”, “Processing” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.

1.8 “Security Breach” means a breach of AutoRABIT’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in AutoRABIT’s possession, custody or control. Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

1.9 “Standard Contractual Clauses” means (a) with respect to restricted transfers (as such term is defined under Applicable Privacy Law) which are subject to the EU GDPR and other Applicable Privacy Laws pursuant to which the same have been adopted, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”), and (b) with respect to restricted transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022, as may be amended or replaced by the UK Information Commissioner’s Office from time to time (the “UK SCCs”).

1.10 “Subprocessor” means an entity engaged by AutoRABIT to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this Addendum, insofar as such an entity Processes Personal Data on behalf of AutoRABIT.

1.11 “Trust Center” means the dedicated AutoRABIT website that provides customers with comprehensive information, resources and documentation about AutoRABIT’s commitment to data privacy, security, and compliance, found at https://www.autorabit.com/trust-center/.

2. PROCESSING REQUIREMENTS.

2.1 AutoRABIT shall comply with Applicable Privacy Law in the Processing of Personal Data and only Process Personal Data for the purposes of providing the Services, in accordance with the Agreement and Customer’s instructions, and as may subsequently be agreed between the Parties in writing. AutoRABIT shall promptly inform Customer if (a) in AutoRABIT’s opinion, an instruction from Customer violates Applicable Privacy Law; or (b) AutoRABIT is required by applicable law to otherwise Process Personal Data, unless AutoRABIT is prohibited by that law from notifying Customer under applicable law. AutoRABIT will notify Customer after making the relevant determination that it can no longer meet its obligations under Applicable Privacy Law. Customer will have the right to take reasonable and appropriate steps to (c) ensure that AutoRABIT uses Personal Data in a manner consistent with Customer’s obligations under Applicable Privacy Laws; and (d) upon reasonable notice, stop and remediate the unauthorized Processing of Personal Data by AutoRABIT. The details of processing are set forth in Section B of Exhibit A.

2.2  The Parties acknowledge that AutoRABIT has not and will not receive any monetary or other valuable consideration in exchange for their receipt of the Personal Data, and that any consideration paid by Customer to AutoRABIT under the Agreement relates only to AutoRABIT’s provision of the Services.  AutoRABIT shall not (a) sell or share (as such terms are defined under the CCPA) Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Services; (c) retain, use, or disclose Personal Data outside of the direct business relationship between the Customer and AutoRABIT; or (d) combine the Personal Data with any other personal information, except as permitted under Applicable Privacy Law. 


2.3 To the extent AutoRABIT receives deidentified data from Customer or the Services allow for the deidentification of Personal Data, AutoRABIT represents and warrants that it shall not reidentify, attempt to reidentify, or direct any other Party to reidentify any Personal Data that has been deidentified.

2.4 AutoRABIT shall ensure that persons authorized to access Personal Data commit themselves to confidentiality or are under an appropriate obligation of confidentiality.

2.5 Through the Services, AutoRABIT may Process Usage Data (as defined in the Agreement). Usage Data may include Personal Data. The Parties acknowledge and agree that with respect to Usage Data, AutoRABIT is an independent controller. AutoRABIT will process Usage Data as a controller (a) to manage the relationship with Customer; (b) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services; (c) for identity verification purposes; (d) to comply with legal or regulatory obligations; and (e) as otherwise permitted under the Agreement or applicable law.

3. COOPERATION

3.1 Data Subject Requests. In the event a Personal Data request from a Data Subject related to Customer is made directly to AutoRABIT, AutoRABIT shall inform the requestor that AutoRABIT is not authorized to directly respond to the request, and recommend the requestor submit the request directly to Customer, unless legally compelled to respond under the law applicable to such a request. Customer shall bear the responsibility for responding to all such requests. In the event Customer requires support from AutoRABIT in responding to a request from a Data Subject, it may contact AutoRABIT for assistance. To the extent legally permitted, Customer shall be responsible for any costs arising from AutoRABIT’s assistance.

3.2 Data Protection Impact Assessments. To the extent required by Applicable Privacy Laws, AutoRABIT shall, upon receipt of written request by Customer, (a) make available to Customer such information as is reasonably necessary to demonstrate Customer’s compliance with Applicable Privacy Laws to the extent applicable to the Services, and (b) reasonably assist Customer in carrying out any privacy impact assessment.

3.3 Privacy Authorities. AutoRABIT shall provide to Customer such co-operation, assistance and information as Customer may reasonably request to enable it to comply with its obligations under Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, in each case (a) solely to the extent applicable to Customer’s provision of the Services, and (b) within such reasonable time as would enable Customer to meet any time limit imposed by the Privacy Authority.

4. SECURITY OF PERSONAL DATA.

AutoRABIT shall maintain, during the term of the Agreement, appropriate technical and organizational security measures designed to protect Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as set forth in the Trust Center. AutoRABIT shall ensure the reliability of any employees who Process Personal Data. Customer is responsible for secure and appropriate use of the Services, to ensure a level of security appropriate to the risk in respect of the Personal Data.

5. CUSTOMER OBLIGATIONS.

Customer shall (a) comply with all applicable laws, including Applicable Privacy Laws, in respect of its use of the Services; (b) ensure that any instructions provided to AutoRABIT are at all times in accordance with Applicable Privacy Laws; (c) collect all Personal Data in accordance with Applicable Privacy Laws and obtain all consents and rights necessary for the Processing of Personal Data; (d) maintain at all times the accuracy, quality, and legality of Personal Data; and (e) provide to AutoRABIT the minimum amount of Personal Data necessary for the provision of the Services.

6. SUBPROCESSORS

6.1 As part of the provision of the Services, AutoRABIT may engage Subprocessors to Process Personal Data on Customer’s behalf. Customer hereby grants AutoRABIT a general authorization to appoint and use the Subprocessors currently listed on the “List of Subprocessors” which is available in the Trust Center. AutoRABIT shall provide Customer prior notice of any additional or replacement Subprocessors. After being notified, Customer must notify AutoRABIT within fourteen (14) business days of any reasonable objection it has to such Subprocessors. In the event Customer provides a reasonable objection, AutoRABIT will use commercially reasonable efforts to make a change in processing under the Agreement to avoid Processing of Personal Data by such Subprocessor. If AutoRABIT is unable to make available such change within a reasonable period of time, Customer may terminate the Services provided under the Agreement in respect only to those services which cannot be provided by AutoRABIT without the use of the objected-to Subprocessor, by providing written notice to AutoRABIT. The Parties agree that Customer’s non-response to a notification of any additional or replacement Subprocessors will be taken as the Customer’s approval of such additional or replacement Subprocessor.

6.2 AutoRABIT shall remain liable for any Processing of Personal Data by each such Subprocessor as if it had undertaken such Processing itself.

6.3 AutoRABIT will contractually impose data protection obligations on its Subprocessors that are no less onerous than those imposed on AutoRABIT under this Addendum.

7. BREACH NOTIFICATION.

7.1 Notification to Customer. Unless otherwise prohibited by applicable law, AutoRABIT shall notify Customer without undue delay after AutoRABIT confirms a Security Breach.  Such notification shall include, to the extent such information is available, (a) a detailed description of the Security Breach, (b) the type of data that was the subject of the Security Breach and (c) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned).  In addition, AutoRABIT shall communicate to Customer (d) the name and contact details of AutoRABIT’s point of contact where more information can be obtained, (e) a description of the likely consequences of the Security Breach, (f) a description of the measures taken or proposed to be taken by AutoRABIT to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.2 Investigation. AutoRABIT shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.   

8. AUDIT RIGHTS.

Customer may audit AutoRABIT’s compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by Applicable Data Privacy Laws, including where mandated by Customer’s Privacy Authority. AutoRABIT will contribute to such audits by providing Customer or Customer’s Privacy Authority with the information and assistance that AutoRABIT considers appropriate in the circumstances and reasonably necessary to conduct the audit. To request an audit, Customer must submit a proposed audit plan to AutoRABIT at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the Parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. AutoRABIT will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise AutoRABIT security, privacy, employment or other relevant policies). AutoRABIT will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 8 shall require AutoRABIT to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and AutoRABIT has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. 
The audit must be conducted during regular business hours, subject to the agreed final audit plan and AutoRABIT’s safety, security or other relevant policies, and may not unreasonably interfere with AutoRABIT business activities. Any audits are at Customer’s sole expense. Customer shall reimburse AutoRABIT for any time expended by AutoRABIT and any third parties in connection with any audits or inspections under this Section 8 at AutoRABIT’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

9. DELETION OF PERSONAL DATA.

AutoRABIT shall return and/or delete Personal Data in accordance with the applicable provisions in the Agreement. If AutoRABIT determines that continued retention is required and/or permitted by Applicable Privacy Laws and/or mandatory applicable law, AutoRABIT shall ensure the confidentiality of such Personal Data and shall extend the protections of this Addendum to such Personal Data.

10. TRANSFERS OUT OF THE EEA.

If Customer transfers Personal Data out of the EEA to AutoRABIT in a country not deemed by the European Commission to have adequate data protection, such transfer will be governed by the EU SCCs, the terms of which are hereby incorporated into this Addendum.  In furtherance of the foregoing, the Parties agree that:

10.1 Customer will act as the data exporter and AutoRABIT will act as the data importer under the EU SCCs;

10.2 for purposes of Annex I to the EU SCCs, the categories of data subjects, data, special categories of data (if appropriate), and the Processing operations shall be as set out in Section B to Exhibit A;

10.3 for purposes of Annex II to the EU SCCs, the technical and organizational measures shall be as set out in the Trust Center;

10.4 the optional docking clause in Clause 7 of the EU SCCs shall be included;

10.5 the audits described in Clause 8.9 of the EU SCCs shall be performed in accordance with Section 8 of this Addendum;

10.6 Section 6 (Subprocessors) of this Addendum shall constitute the procedures for AutoRABIT to request general authorization for Subprocessors under Clause 9(a)(Option 2) of the EU SCCs;

10.7 the optional language in Section 11(a) of the EU SCCs shall not be included;

10.8 for Clause 13, the following language shall apply: The supervisory authority with responsibility for ensuring compliance by the data exporter with the GDPR shall act as competent supervisory authority;

10.9 Option 1 of Clause 17 shall apply, and the EU SCCs will be governed by the law of the Member State of the supervisory authority with responsibility for ensuring compliance by the data exporter with the GDPR; and

10.10 for Clause 18, any dispute arising from the EU SCCs shall be resolved by the courts of the Member State of the supervisory authority with responsibility for ensuring compliance by the data exporter with the GDPR.

11. TRANSFERS OUT OF THE UK.

If Customer transfers Personal Data out of the UK to AutoRABIT in a country not deemed by the UK Government to have adequate data protection, such transfer will be governed by the UK SCCs, the terms of which are hereby incorporated into this Addendum. AutoRABIT shall provide a copy of the signed version of the UK SCCs to Customer upon request.  In furtherance of the foregoing, the Parties agree that Tables 1 through 4 of the UK SCCs shall be satisfied by the following information:

11.1 Table 1: Reference to Table 1 shall be satisfied by the information in Section A of Exhibit A.

11.2 Table 2: For Table 2, the version of the Approved EU SCCs shall be the EU SCCs, Controller to Processor module.

11.3 Table 3: Reference to Table 3 shall be satisfied by the information in Exhibit A and the Trust Center.

11.4 Table 4: For Table 4, the Exporter and Importer shall have the rights outlined in Section 19 of the UK SCCs.

12. TRANSFERS OUT OF SWITZERLAND.

For transfers from Switzerland, references in the EU SCCs shall be interpreted to include the following applicable terminology and statutory terms: (a) the Federal Data Protection and Information Commissioner is the competent supervisory authority; (b) Swiss law (or the law of a country that allows and grants rights as a third party beneficiary for contractual claims regarding data transfers pursuant to the FADP) shall be the applicable law for contractual claims under Clause 17 of the EU SCCs; (c) Switzerland is to be considered as a Member State within the meaning of the EU SCCs; (d) data subjects with their regular place of residence in Switzerland are allowed to bring a lawsuit in Switzerland against either the data exporter or the data importer in accordance with Clause 18(c) of the EU SCCs; and (e) references to the GDPR are to be understood as references to the FADP.

13. LIMITATION OF LIABILITY.

The liability of each Party and each Party’s Affiliates under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement and shall not be modified by this Addendum. Any claims brought by a Party or its Affiliates under this Addendum, whether in contract, tort or under any other theory of liability, shall be subject to the exclusions and limitations set forth in the Agreement, as permitted by applicable law.

14. AMENDMENTS.

The Parties acknowledge and agree that, to the extent the Services contemplate the processing of Personal Data that is subject to Applicable Privacy Laws that require additional terms in this Addendum, the Parties shall enter into an amendment to this Addendum that addresses such additional terms.

Exhibit A

A. LIST OF PARTIES.

Data Exporter(s):

Name: Customer, as identified in the Agreement.
Address: As set forth in the Agreement.
Contact person’s name, position and contact details: As set forth in the Agreement.
Activities relevant to the data transferred under these Clauses: Receipt of the Services under the Agreement.
Signature and Date: The signature in the Addendum shall satisfy this signature requirement.
Role (Controller or Processor): Controller

Data Importer(s):

Name: AutoRABIT Holding, Inc.
Address: 548 Market Street, PMB 98272, San Francisco, CA 94104
Contact person’s name, position and contact details: Jason Lord, Chief Information Security Officer, [email protected]
Activities relevant to the data transferred under these Clauses: Provision of the Services under the Agreement.
Signature and Date: The signature in the Addendum shall satisfy this signature requirement.
Role (Controller or Processor): Processor

B. DESCRIPTION OF PROCESSING.

Categories of data subjects whose personal data is transferred: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects: Prospects, customers, business partners and vendors of Customer (who are natural persons); Employees or contact persons of Customer’s prospects, customers, business partners and vendors; Employees, agents, advisors, freelancers of Customer (who are natural persons); Customer’s Users authorized by Customer to use the Services.
Categories of personal data transferred: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: First and last name; Title; Position; Employer; Contact information (company, email, phone, physical business address); ID data; Professional life data; Personal life data; Geolocation data.
Sensitive data transferred (if applicable): Unless Customer is utilizing AutoRABIT’s Vault services, Restricted Information (as defined in the Agreement) shall not be provided, submitted, or disclosed to AutoRABIT. In the event Customer utilizes AutoRABIT’s Vault services, Customer may submit sensitive categories of Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion.
The frequency of the transfer (whether the data is transferred on a one-off or continuous basis): On a continuous basis during the term of the Agreement.
Nature of the processing: As described in the Agreement.
Purpose(s) of the data transfer and further processing: As described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Duration of performance of the Services.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As described in the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

The Irish Data Protection Commission will be the competent supervisory authority.