Data Privacy Agreement

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with another entity. For purposes of this definition, "control" means direct or indirect ownership or control of more than 50% of the voting interests of the entity.

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

"Data Privacy Framework" means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.

"Data Protection Laws" means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and other applicable U.S. federal and state privacy laws, and the data protection and privacy laws of Australia, Singapore, and Japan, in each case as amended, repealed, consolidated or replaced from time to time.

"Data Subject" means the individual to whom Personal Data relates.

"Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

"European Data" means Personal Data that is subject to the protection of European Data Protection Laws.

"European Data Protection Laws" means data protection laws applicable in Europe, including the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); EU Directive 95/64/EC as transposed into the legislation of each EU Member State in its current form, and other applicable national implementations in the European Economic Area (EEA), including the UK and Switzerland.

"Personal Data" means any information relating to an identified or identifiable individual where (i) such information is contained within Customer Data; and (ii) is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Processing" means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms "Process", "Processes" and "Processed" will be construed accordingly.

"Processor" means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

"Standard Contractual Clauses" means the standard contractual clauses annexed to the European Commission's Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded or replaced.

"Sub-Processor" means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations under the Agreement.

2.1.  Role of the Parties

1. 1. The Parties hereby acknowledge and agree that for the purposes defined in the Agreement, the Customer is the Controller and Knostic is a Processor. 
   2. Knostic agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA, and will follow Customer's Instructions for Processing.
   3. If Customer is acting on behalf of a third party and handles Personal Data as a Processor, then the Knostic shall be a Sub-Processor. Where Customer is a Processor, Customer warrants to Company that Customer's instructions and actions with respect to the Personal Data, including its appointment of Company as Sub-Processor and concluding the Standard Contractual Clauses, have been authorized by the relevant Controller. 

2.2.  Compliance With Laws

1. 1. Each party to this DPA shall comply with its respective obligations under the Data Protection Laws applicable to the Agreement.
   2. Without derogation from the general instruction set in this section, Customer shall be responsible for complying with all requirements that apply to it with respect to its Instructions regarding the Processing of Personal Data. In particular, and without prejudice to the generality of this sub-section, Customer will be solely responsible for: 
      1. The accuracy, quality, and legality of possession of the Customer Data and the means by which Customer acquired the Personal Data. Without derogation from the above, Customer is also responsible for protecting the security of Personal Data in transit to and from the Knostic, and independently determining whether Knostic's data security arrangements adequately meets Customer's obligations under applicable Data Protection Laws
      2. Complying with all necessary transparency and lawfulness requirements under the applicable Data Protection Laws, including obtaining necessary consent and authorizations from any Data Subject included in Customer's data sets;
      3. Ensuring Customer has the rights to transfer, provide access to or confer by other means the Personal Data to Knostic for Processing; and
      4. Ensuring that Customer's Instructions regarding the Processing of Personal Data comply with any and all applicable laws, with an emphasis on compliance with the applicable Data Protection Laws.

Customer shall inform Knostic without delay if it is unwilling or unable for any reason to comply with its responsibilities under this section or applicable Data Protection Laws, and inform Knostic of what measures it will undertake to remedy the non-compliance. If Customer is unable or unwilling to remedy this non-compliance, Knostic reserves the right to terminate this DPA or the Agreement as a result, and this termination shall be deemed as "for cause."

c. Without derogation from the general instruction set in this section, Knostic shall:

1. 1. 1. Provide Customer with reasonable cooperation and assistance in relation to the processing of Personal Data, so as to allow the Customer to comply with the requirements Customer has a Data Controller under applicable Data Protection Laws;
      2. Comply with the Processing Instructions, maintain and enforce reasonable security measures and policies, as defined in the sections below;
      3. If Knostic becomes aware of circumstances in which the Customer's Processing Instructions are incompatible with a legal requirement under any applicable law, Knostic will promptly notify Customer of that legal requirement to the extent permitted by the applicable law; and where necessary, cease all Processing (except for storing and maintaining the security of the affected Personal Data) until such time as Customer issues new Instructions that are compatible with the applicable Data Protection Laws.Knostic reserves the right to cease the provision of services until such alternative instructions are issued, and Knostic shall bear no liability of any kind for failure by Customer to Provide Knostic with alternative instructions in accordance to this section. Cessation of services under this section does not suspend any payment due in accordance to the Agreement and does not extend the term of the services.

2.3.  Processing Purposes and Instructions

1. 1. The Customer may disclose Personal Data to Knostic only for the performance of the Agreement, and acknowledges and agrees that this constitutes a valid business purpose for the processing of such data. The parties further acknowledge and agree that the disclosure of this information by Customer to Knostic does not form part of any monetary or other valuable consideration exchanged between the parties.
   2. Customer agrees that the terms of the Agreement, including the terms of this DPA and its annexes as incorporated by reference, constitute the Processing Instructions given by the Controller to the Processor. Customer may provide to Knostic additional written instructions that are consistent with the Agreement and the natural and lawful use of Knostic's products.
   3. Knostic shall Process Personal Data only for the purpose of the performance of the Agreement, in accordance to Customer Instructions, to the extent permissible by applicable Data Protection Laws.
   4. Customer further acknowledges that Knostic shall have the right to Process certain Personal Data collected in the context of providing the Services, for its legitimate business purposes as a Controller, such as: incorporating the data into its AI-systems, the provision and operation of its services, administrating the business and/or contractual relationship with the Customer, billing, audit and recordkeeping purposes, as well as for account management, security, establishment or exercise of legal claims and protection against fraudulent or illegal activity. Knostic may also process Personal Data for the purpose of improving customers' threat protection. Knostic may also use aggregated and/or anonymized information for any purpose, including AI-related uses, subject to the confidentiality obligation in the Main Agreement. For the avoidance of doubt, non-aggregated and non-anonymized data referred to in this section shall be retained for the same period as the Personal Data.

3.1.  Security Measures

Knostic will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA ("Security Measures"). Notwithstanding any provision to the contrary, Knostic reserves the right to modify, update or otherwise reconfigure the Security Measures at its sole discretion, provided that such modifications or updates do not result in a material degradation in the protection offered by the Security Measures. If Knostic determines, in its sole discretion, that a material change in Security Measures is required, it will provide Customer with notice of the anticipated change, if circumstances permit, at least 10 days in advance of the implementation. 

3.2.  Compliance Assessments and Audits

1. 1. Knostic represents that it audits its compliance with data protection and information security standards on a regular basis. Such audits are conducted either internally or by third party auditors engaged by Knostic, at its sole discretion.
   2. Knostic may satisfy the requirements set out in this section by providing Customer with a redacted SOC Type II report, so that Customer can reasonably verify Knostic complies with its obligations under this DPA. This report will serve as evidence of proper information security practices and Customer acknowledges it has no additional auditing or inspections rights, unless such rights are specifically granted to Customer under applicable law. This report may be provided to Customer no more than once a year.
   3. The limitation of auditing rights listed above shall not apply solely in the case of a Personal Data Breach resulting in a material business impact to Customer or in connection to a Supervisory Authority specific request. In such event, Customer shall provide Company with 30 days prior written notice and the details of any 3rd party auditor acting on Customer's behalf, for approval. Without derogation from the generality of this section, Knostic shall bear no costs resulting from the independent auditing process requested by Customer, and Customer agrees to reimburse Knostic for any expenses it incurs during this auditing process. 

3.3.  Confidentiality

Knostic will employ reasonable efforts to ensure that any Knostic personnel authorized to access or Process Personal Data is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data. 

3.4.  Personal Data Breaches

If Knostic becomes aware of any Personal Data Breach, it will notify Customer without undue delay and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer. If Customer is required by applicable Data Protection Laws to issue notices of Personal Data Breaches, Knostic will, at Customer's request, provide reasonable assistance as necessary to enable the notification of relevant competent authorities or affected Data Subjects of the Personal Data Breach.

3.5.  Deletion or Return of Personal Data

Knostic will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of the Agreement. This term will apply except where Knostic is required by applicable law to retain some or all of the Data, or where Knostic has archived Data on back-up systems, which are securely isolated and protected from any further Processing, and will be deleted in accordance with Knostic's deletion practices.

1. 1. If Knostic receives any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under applicable Data Protection Laws, Knostic will promptly redirect the request to the Customer, and will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. The Customer is responsible for verifying the identity of the requestor and that the requestor is either the Data Subject whose information is being sought or a duly authorized representative thereof. Knostic bears no responsibility for information provided in good faith to Customer in reliance on this subsection.
   2. If Knostic receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, it shall (to the extent legally permitted) notify Customer upon receipt of such order, demand, or request. Customer agrees to reply to this legally binding request as soon as possible. If Customer fails to provide Knostic with a response within three business days (or any other shorter time-period required by applicable Data Protection Laws) from receipt of the request, Customer acknowledges that Knostic may provide the information requested and shall bear no responsibility for disclosure of information provided in good faith in reliance on this subsection.
   3. Without derogation from the above, Knostic will cooperate with Customer with respect to any action taken by it pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data and provide reasonable technical assistance in complying with such requests. Customer shall pay Knostic for the actual costs it incurs in connection with its provision of such assistance.

1. 1. Customer hereby provides Knostic with a general authorization to appoint Sub Processors of information, in accordance to the provisions of this DPA, for the purposes of fulfilment of the Agreement.
   2. The Sub Processors may include, among other legitimate uses, Sub-Processors that assist Knostic with hosting and infrastructure, support product features and integrations, and Knostic Affiliates.
   3. Knostic's list of Sub-Processors are listed in Annex 3 to this DPA. Knostic will give Customer the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 30 days of notification. Such objections will be reviewed by Knostic and Knostic will undertake reasonable efforts to discuss the concerns in good faith, and attempt to resolve the matter with a commercially reasonable resolution. If no such resolution can be reached, Knostic will, at its sole discretion, decide to either not appoint the new Sub-Processor, or permit Customer to suspend or terminate the Agreement in accordance with the termination provisions of the Agreement without liability to either party, but without prejudice to any fees or payments due by Customer prior to the termination of the Agreement. 
   4. Knostic will impose on its Sub-Processors contractual terms that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors.
   5. Knostic will remain responsible for each Sub-Processor's compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause breaches of any of its obligations under this DPA.

1. 1. Customer acknowledges and agrees that Knostic may access, transfer and Process Personal Data on a global basis including the transfer of European Data, as necessary to fulfil the terms of the Agreement. In particular Customer accepts and agrees that Personal Data may be transferred to and Processed by Knostic, Inc. in the United States, and to other jurisdictions where Knostic Affiliates and Sub-Processors have operations.Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws, and in accordance to the principles of the Data Privacy Framework for Europe to United States transfers
   2. In particular, Company shall not sell the Personal Data without prior consent of Customer, nor shall it share the Personal Data or disclose it for any commercial purpose other than (i) the fulfilment of the terms of the Agreement with the Customer and (ii) its own legitimate uses, as defined in this DPA.

1. 1. Knostic reserves the right to modify the terms of this DPA, in order to comply with changes to Data Protection Laws, court orders, guidance issues by competent authorities (including but not limited to data protection agencies, competent governments, or regulatory agencies), provided that such changes do not have a material adverse impact on the Customer, as reasonably determined by Knostic at its sole discretion ("Material Changes"), including but not limited to -
      1. A change in the categorization of Knostic as a data Processor (or Sub Processor, where Customer is a Processor);
      2. Expansion of the scope of the permitted Processing;
      3. Removal of limitations or restrictions imposed on the Processing of Personal Data.
   2. If Knostic intends to introduce Material Changes to this DPA, Knostic shall inform Customer at least 10 business days prior to the implementation of the Material Changes. Customer may object to the implementation of the Material Change on reasonable grounds relating to the protection of Personal Data within 10 business days of notification. Such objections will be reviewed by Knostic, and Knostic will undertake reasonable efforts to discuss the concerns in good faith, and attempt to resolve the matter with a commercially reasonable resolution. If no such resolution can be reached, Knostic will, at its sole discretion, decide to either not implement the Material Changes, or permit Customer to suspend or terminate the Agreement in accordance with the termination provisions of the Agreement without liability to either party, but without prejudice to any fees or payments due by Customer prior to the termination of the Agreement.
   3. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
   4. Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (including any other DPAs between the parties) and the Standard Contractual Clauses, where applicable, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Agreement and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA). In no event will either party's liability be limited with respect to any individual's data protection rights under this DPA (including any other DPAs between the parties and the Standard Contractual Clauses, where applicable) or otherwise.
   5. This DPA will be governed by and construed in accordance with the applicable law of the Agreement and subject to the competence of the courts defined in the Agreement, unless explicitly required otherwise by applicable Data Protection Laws.

1. List of Parties

1.1. Data exporter

2. Description of Transfer

2.1. Categories of Data Subjects whose Personal Data is Transferred

The Personal Data transferred by Customer to Knostic concern the following categories of Data Subjects:

1. 1. Individuals whose personal data is on Customer's systems or environments, including Generative AI technologies used by the Customer, that are monitored or accessed by Knostic's product(s).
   2. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Customers' end users.

2.2. Categories of Personal Data Transferred

1. 1. Personal Data that is included in the data and meta-data scanned by Knostic software, such as: names, email addresses, IP, contact information, organizational role or position, etc.
   2. Links to and information regarding file paths or directory addresses of Personal Data that is accessible to Generative AI technologies deployed by Customer on its systems, as monitored by Knostic's product(s).
   3. Any other Personal Data submitted by, sent to, or received by Customer that is actively transmitted to Knostic in the pursuit of fulfilment of the Agreement.

2.3 Sensitive Data transferred and applied restrictions or safeguards

The processing of Sensitive Data is subject to the scope limitations, restrictions, and safeguards mutually agreed upon by the parties, as reflected in the Agreement.

2.4. Frequency of the transfer

Continuous

2.5. Nature of the Processing

Personal Data will be Processed in accordance with the Agreement (including this DPA). The parties may mutually agree, in writing, to amend this Annex.

2.6. Purpose of the transfer and further processing

Personal Data will be Transferred and further Processed in accordance with the Agreement (including this DPA). The parties may mutually agree, in writing, to amend this Annex.

2.7. Period for which Personal Data will be retained

Personal Data will be retained (and disposed of) in accordance with the Agreement (including this DPA). The parties may mutually agree, in writing, to amend this Annex.