
Data Processing Agreement

Last updated · 2026-05-29

This EU, UK, and Swiss Data Processing Agreement (“Agreement”) supplements the Terms of Service (the “TOS”) entered into between the customer signing this Agreement (“Customer”) and Droven Data Strategy LLC (“Renidly”, “Company”). By executing this Agreement, Customer enters into it on behalf of itself and, to the extent required under applicable Data Protection Laws, its affiliates. Terms not defined herein have the meaning given in the TOS.
Need a signed copy of this DPA for your records? Request one from our Trust Center — we will counter-sign and return within two business days.

1. Definitions

  • “Authorized Sub-Processor” means a third party engaged by Renidly to access Customer's Personal Data to provide the Services and listed in Exhibit B or subsequently authorized under section 4.
  • “Customer Account Data” means personal data relating to Customer's relationship with Renidly — account contacts, billing details, identity-verification data, and similar information.
  • “Customer Usage Data” means service usage data collected by Renidly in connection with provision of the Services, including activity logs, source/destination metadata, and data used to maintain and secure the Services.
  • “Customer Input Data” means personal data Customer submits to the Services in order to enrich, verify, or look up — for example, business email addresses, domains, or profile identifiers.
  • “Data Protection Laws” means the GDPR, the UK GDPR and the UK Data Protection Act 2018, the Swiss FADP, the CCPA/CPRA, and other applicable laws relating to the processing of personal data.
  • “EU SCCs” means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • “UK IDTA” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office on 21 March 2022.
  • The terms "controller", "processor", "data subject", "personal data", "personal data breach", "processing", and "supervisory authority" carry the meanings given in the GDPR.

2. Roles & processing

With respect to Customer Input Data and any other personal data Customer instructs Renidly to process, Renidly acts as processor and Customer acts as controller (or, where applicable, as processor on behalf of its own controller). Customer is responsible for providing all notices and obtaining all consents or other lawful bases required for the processing and instructs Renidly to process Personal Data only as documented in this Agreement and the TOS.

Renidly shall not process Personal Data (i) for purposes other than those described in the TOS or Exhibit A; (ii) in a manner inconsistent with documented instructions from Customer, unless required to do so by law — in which case Renidly will inform Customer before processing, where legally permitted; or (iii) in violation of Data Protection Laws.

On completion of the Services, Renidly will delete or, at Customer's choice, return Customer Personal Data, except where further storage is required by law.

3. Confidentiality

Renidly ensures that any person authorized to process Personal Data is bound by appropriate confidentiality obligations and undertakes only the processing strictly necessary to provide the Services.

4. Authorized sub-processors

Customer provides general written authorization for Renidly to engage Authorized Sub-Processors. The current list is maintained at /trust and may be updated. Renidly will give at least 14 days' notice before enabling any new sub-processor to process Personal Data. Customer may object on reasonable data-protection grounds within seven (7) days; if Renidly cannot offer a commercially reasonable alternative, Customer may terminate the affected Services on written notice.

Renidly enters into a written agreement with each sub-processor imposing data protection obligations substantially similar to those in this Agreement and remains liable to Customer for the sub-processor's performance.

5. Security of personal data

Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to data subjects, Renidly maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Details are set out in Exhibit C and in our Security Policy.

6. International transfers

Where Renidly transfers Personal Data outside the EEA, the UK, or Switzerland to a country not covered by an adequacy decision, the parties rely on the EU SCCs as the lawful transfer mechanism, completed as follows:

  • Module Two (Controller to Processor) where Customer is controller and Renidly is processor.
  • Module Three (Processor to Sub-Processor) where Customer is processor.
  • In Clause 9, Option 2 (general written authorization) applies, with the notice period set in section 4.
  • In Clause 17, Option 1: the EU SCCs are governed by the law of the Member State of the Customer; failing that, the law of Ireland.
  • In Clause 18(b), disputes are resolved before the courts of that Member State.
  • Annex I details are set in Exhibit B; Annex II details are in Exhibit C.

For transfers from the UK, the UK IDTA applies. For transfers from Switzerland, the EU SCCs apply with references to the GDPR construed to include the Swiss FADP and the FDPIC recognized as supervisory authority.

7. Rights of data subjects

Renidly will, to the extent legally permitted, notify Customer of any request received from a data subject in connection with the Services and assist Customer in fulfilling its obligation to respond, taking into account the nature of the processing. Customer is responsible to the extent legally permitted for any costs arising from such assistance.

8. DPIAs & audits

Renidly will provide reasonable cooperation to Customer for the purpose of any data protection impact assessment and prior consultation with a supervisory authority where required by Data Protection Laws.

On reasonable written request and no more than once per calendar year, Renidly will either (i) make available copies of certifications or summary reports demonstrating compliance with prevailing data security standards, or (ii) where such reports are not sufficient, allow an audit by a mutually acceptable independent third party, subject to confidentiality, reasonable notice, and Customer bearing the costs.

9. Personal data breaches

In the event of a Personal Data Breach affecting Customer Personal Data, Renidly will notify Customer without undue delay and, in any event, within 48 hours of becoming aware, and provide the information required by Article 33(3) GDPR to the extent reasonably available, in phases where necessary. Renidly will provide reasonable assistance to enable Customer to comply with its breach notification obligations to supervisory authorities and affected data subjects.

10. Renidly as a controller

Renidly acts as an independent controller for Customer Account Data and Customer Usage Data, processing such data for service management, billing, fraud prevention, security, identity verification, legal compliance, and other purposes described in our Privacy Policy. Renidly does not act as a joint controller with Customer for these data sets.

11. Order of precedence

In the event of conflict, the order of precedence is: (1) the applicable Standard Contractual Clauses; (2) this Agreement; (3) the Terms of Service; (4) the Privacy Policy.

12. Non-compliance & termination

Without prejudice to Data Protection Laws, in the event that Renidly is in breach of its obligations under this Agreement, Customer may instruct Renidly to suspend processing until compliance is restored or the contract is terminated. Customer may terminate this Agreement insofar as it concerns the processing of Personal Data where (i) processing has been suspended for more than one month, (ii) Renidly is in substantial or persistent breach, or (iii) Renidly fails to comply with a binding decision of a competent court or supervisory authority. Following termination, Renidly will delete or return Customer Personal Data as set out in section 2.

Exhibit A · Details of processing

Nature and purpose. Renidly processes Customer Personal Data as necessary to provide the Services described in the TOS — including identity enrichment, verification, look-up, analytics, and request logging — and in accordance with Customer's instructions.

Duration. For the term of the TOS and any retention period required to provide the Services or comply with applicable law.

Categories of data subjects. Customer's employees, contractors, and authorized users, and the business contacts (e.g., professional contacts) about whom Customer submits identifiers to the Services.

Categories of personal data. Names, business email addresses, domains, company affiliations, job titles, professional contact information, and other publicly-sourced business identity attributes that may be returned by the Services.

Sensitive data. Customer is prohibited from submitting sensitive personal data (special categories under Article 9 GDPR, criminal-conviction data, financial-account data, government identifiers, or children's data) to the Services.

Exhibit B · Parties & description of transfer

Data Exporter. The Customer to the TOS, acting as a controller (or processor on behalf of its own controller), with the address provided in its account. By using the Services to submit Personal Data to Renidly, the Customer is deemed to have signed this Exhibit B.

Data Importer. Droven Data Strategy LLC, 30 N Gould St., Ste R, Sheridan, WY 82801, United States, contact: [email protected]. Acting as processor.

Description of transfer. Identity look-up, enrichment, verification, and dashboard analytics, on an ongoing basis throughout the term of the TOS. Recipients of Personal Data are listed on the Trust Center sub-processors page.

Competent supervisory authority. Determined in accordance with Clause 13 of the EU SCCs; for UK transfers, the UK Information Commissioner's Office.

Exhibit C · Technical & organizational measures

Measure | Implementation
Encryption in transit | TLS 1.2+ on all customer-facing endpoints. Modern cipher suites only.
Encryption at rest | AES-256 on all primary storage. Backups encrypted at rest or stored on encrypted media.
Pseudonymization | Sensitive operational fields pseudonymized where feasible. OAuth tokens stored encrypted (AES-256-GCM). Passwords hashed with bcrypt.
Access control | Role-based access; least privilege; SSO + mandatory MFA for administrative systems. Quarterly access reviews.
Network segregation | Production isolated from corporate. Allow-list-only ingress; no public database ports.
Logging & monitoring | Application, audit, and infrastructure logs centralized. Anomalous events trigger on-call escalation.
Backup & resilience | Daily automated backups with off-site copies. Disaster recovery exercises run periodically.
Secure SDLC | Mandatory code review, dependency scanning, static analysis, and pre-deploy integration tests.
Vulnerability management | Continuous scanning. Critical patches applied within 7 days; high within 30.
Vendor management | Sub-processors assessed before onboarding and contractually bound to equivalent obligations.
Incident response | Documented IR plan, 24×7 on-call rotation, customer notification within 48 hours of confirmed breach.
Data minimization & deletion | Customers control input; self-service deletion in the dashboard; backend deletion on written request within the timeframe in this DPA.
Personnel | All personnel sign confidentiality undertakings and complete annual security and privacy training.