Data Processing Agreement
Last updated: March 9, 2026
Layer IQ Technologies, Inc.
Published at: https://www.layer-iq.com/legal/dpa
Effective Date: March 9, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Terms") between Layer IQ Technologies, Inc., a Delaware corporation ("Layer IQ" or "Processor"), and the entity accepting the Terms ("Customer" or "Controller"), and governs the processing of Personal Data by Layer IQ on behalf of Customer in connection with the Service.
This DPA is incorporated into and subject to the Terms. Capitalized terms not defined in this DPA have the meanings given in the Terms. In the event of a conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA shall prevail.
1. Definitions
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (b) the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); and (e) any other applicable data protection or privacy law.
"Controller" means the entity that determines the purposes and means of processing Personal Data. Under this DPA, Customer is the Controller with respect to Customer Personal Data.
"Customer Personal Data" means any Personal Data contained within User Data that Layer IQ processes on behalf of Customer in the course of providing the Service.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"EEA" means the European Economic Area.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law. For purposes of the CCPA, Personal Data includes "personal information" as defined therein.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
"Processing" (and "Process") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Processor" means an entity that processes Personal Data on behalf of a Controller. Under this DPA, Layer IQ is the Processor with respect to Customer Personal Data.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Implementing Decision (EU) 2021/914 of June 4, 2021 (as amended, supplemented, or replaced from time to time).
"Sub-processor" means any third party appointed by Layer IQ to process Customer Personal Data on Layer IQ's behalf.
"Supervisory Authority" means an independent public authority responsible for monitoring the application of Applicable Data Protection Law, including EU/EEA data protection authorities and the UK Information Commissioner's Office.
2. Scope and roles
2.1 Roles. The parties acknowledge that with respect to Customer Personal Data: (a) Customer is the Controller; (b) Layer IQ is the Processor; and (c) Layer IQ processes Customer Personal Data solely on behalf of Customer and in accordance with Customer's documented instructions.
2.2 Scope of Processing. Layer IQ shall process Customer Personal Data only to the extent necessary to provide the Service as described in the Terms, and in accordance with Customer's documented instructions. The details of the processing are described in Annex 1.
2.3 Customer's Responsibilities. Customer shall: (a) comply with its obligations as a Controller under Applicable Data Protection Law; (b) ensure that it has obtained all necessary consents, authorizations, and legal bases for the processing of Customer Personal Data by Layer IQ; (c) ensure that its instructions to Layer IQ comply with Applicable Data Protection Law; and (d) be solely responsible for the accuracy, quality, and legality of Customer Personal Data.
2.4 Layer IQ as Controller. Nothing in this DPA limits Layer IQ's right to process data in its capacity as an independent Controller, including Usage Data, account information, and other data described in the Privacy Policy. Such processing is governed by the Privacy Policy, not this DPA.
3. Processing instructions
3.1 Documented Instructions. Layer IQ shall process Customer Personal Data only on documented instructions from Customer, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law. If Layer IQ is required by applicable law to process Customer Personal Data other than pursuant to Customer's instructions, Layer IQ shall inform Customer of that legal requirement before processing, unless the law prohibits such notification.
3.2 Instructions via Terms. Customer's instructions for the processing of Customer Personal Data are set forth in these Terms, including this DPA, and any additional instructions agreed in writing. Customer's use of the Service constitutes documented instructions for Layer IQ to process Customer Personal Data as necessary to provide the Service.
3.3 Scope Limitations. Layer IQ shall not: (a) process Customer Personal Data for any purpose other than providing the Service; (b) sell Customer Personal Data; (c) retain, use, or disclose Customer Personal Data for a commercial purpose other than providing the Service; or (d) combine Customer Personal Data with personal data received from other sources, except as necessary to provide the Service.
4. Confidentiality
4.1 Personnel Obligations. Layer IQ shall ensure that any person authorized to process Customer Personal Data has committed to confidentiality obligations or is under an appropriate statutory obligation of confidentiality.
4.2 Access Limitations. Layer IQ shall limit access to Customer Personal Data to those employees, contractors, and agents who have a legitimate need to access such data for the purposes of performing the Service and who are bound by confidentiality obligations consistent with this DPA.
5. Security
5.1 Security Measures. Layer IQ shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures shall include, at a minimum, the measures described in Annex 2.
5.2 Assessment. Layer IQ shall regularly assess and, where necessary, update the security measures to ensure an appropriate level of security, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
6. Sub-processing
6.1 General Authorization. Customer grants Layer IQ general written authorization to engage Sub-processors to process Customer Personal Data on Layer IQ's behalf, subject to the requirements of this Section 6.
6.2 Sub-processor List. Layer IQ maintains a current list of Sub-processors at layer-iq.com/legal/subprocessors. The list identifies each Sub-processor's name, location, and the processing activities performed.
6.3 Notification of Changes. Layer IQ shall notify Customer at least thirty (30) days before engaging any new Sub-processor or replacing an existing Sub-processor. Notification shall be provided via the email address associated with Customer's account or through the Service.
6.4 Objection Right. If Customer has a reasonable objection to a new Sub-processor based on data protection grounds, Customer shall notify Layer IQ in writing within fifteen (15) days of receiving notice. The parties shall discuss the objection in good faith. If the parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected portion of the Service by providing written notice, and Layer IQ shall refund prepaid fees for the unused portion of the subscription attributable to the affected Service.
6.5 Sub-processor Obligations. Layer IQ shall: (a) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA; and (b) remain liable for the acts and omissions of its Sub-processors to the same extent Layer IQ would be liable if performing the processing directly.
6.6 Current Sub-processors. As of the Effective Date, Layer IQ's Sub-processors include those listed in Annex 3.
7. Data subject rights
7.1 Assistance. Layer IQ shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law ("Data Subject Requests").
7.2 Notification. If Layer IQ receives a Data Subject Request directly, Layer IQ shall promptly redirect the Data Subject to Customer and notify Customer of the request. Layer IQ shall not respond to a Data Subject Request directly unless authorized by Customer or required by applicable law.
7.3 Costs. If Customer's request for assistance under this Section 7 is excessive in scope or frequency, Layer IQ may charge Customer reasonable fees for such assistance, provided that Layer IQ notifies Customer of the fees in advance.
8. Personal data breach
8.1 Notification. Layer IQ shall notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach. Notification shall be provided to the email address associated with Customer's account and shall include, to the extent available:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
- The name and contact details of Layer IQ's contact point for further information;
- A description of the likely consequences of the Personal Data Breach; and
- A description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
8.2 Cooperation. Layer IQ shall cooperate with Customer and take reasonable steps to assist Customer in investigating, mitigating, and remediating the Personal Data Breach.
8.3 No Admission. Notification of a Personal Data Breach under this Section 8 shall not be construed as an acknowledgment of fault or liability by Layer IQ.
9. Data protection impact assessments and prior consultation
9.1 Assistance. Layer IQ shall provide reasonable assistance to Customer, at Customer's expense, with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under Applicable Data Protection Law, taking into account the nature of the processing and the information available to Layer IQ.
10. International data transfers
10.1 Processing Locations. Layer IQ processes Customer Personal Data in the United States. Layer IQ may also process Customer Personal Data in other jurisdictions where its Sub-processors operate, as identified in the Sub-processor list.
10.2 Transfer Mechanisms. Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a jurisdiction that has not been recognized as providing an adequate level of data protection:
- EU-US Data Privacy Framework. Where applicable, Layer IQ relies on the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework for transfers to the United States, to the extent Layer IQ is certified under such frameworks.
- Standard Contractual Clauses. Where the Data Privacy Framework does not apply or ceases to provide a valid transfer mechanism, the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated into this DPA by reference and shall apply to such transfers. The SCCs are completed as set forth in Annex 4.
- UK Addendum. For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum"), as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, is incorporated into this DPA.
10.3 Supplementary Measures. Layer IQ shall implement supplementary technical and organizational measures as necessary to ensure an adequate level of protection for Customer Personal Data transferred internationally, taking into account the laws and practices of the destination country.
11. Audit rights
11.1 Audit Information. Layer IQ shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.
11.2 Audits. Customer (or an independent third-party auditor appointed by Customer) may conduct an audit of Layer IQ's processing activities to verify compliance with this DPA, subject to the following conditions:
- Customer shall provide at least thirty (30) days' prior written notice of any audit;
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Layer IQ's operations;
- Customer shall bear all costs associated with the audit;
- Audits shall not exceed one (1) per calendar year, unless a Personal Data Breach has occurred or a Supervisory Authority requests or requires an additional audit;
- The auditor shall execute a confidentiality agreement with Layer IQ before commencing the audit; and
- Customer shall promptly provide Layer IQ with a copy of any audit report and shall treat the report as Layer IQ's Confidential Information.
11.3 Certifications. Where Layer IQ has obtained relevant certifications or audit reports (such as SOC 2 Type II, ISO 27001, or similar), Layer IQ may provide copies of such certifications or reports to satisfy Customer's audit rights under this Section 11, provided that the certifications or reports adequately address the scope of Customer's audit request.
12. Data retention and deletion
12.1 Duration. Layer IQ shall process Customer Personal Data for the duration of the Terms, unless otherwise agreed in writing.
12.2 Deletion or Return. Upon termination or expiration of the Terms, Layer IQ shall, at Customer's election and within thirty (30) days of receiving Customer's written request: (a) return all Customer Personal Data to Customer in a structured, commonly used, machine-readable format; or (b) delete all Customer Personal Data and certify such deletion in writing. If Customer does not make an election within thirty (30) days of termination, Layer IQ shall delete Customer Personal Data.
12.3 Exceptions. Layer IQ may retain Customer Personal Data to the extent required by applicable law or regulation, and to the extent necessary to maintain backup copies in accordance with standard data retention practices, provided that such retained data remains subject to the confidentiality and security obligations of this DPA.
12.4 Aggregated Data. For the avoidance of doubt, this Section 12 does not require Layer IQ to delete or return anonymized or aggregated data derived from Customer Personal Data that does not identify and cannot reasonably be used to identify any individual, as described in Section 9.2 of the Terms.
13. CCPA-specific provisions
13.1 Applicability. This Section 13 applies to the extent that Customer Personal Data includes personal information of California residents that is subject to the CCPA.
13.2 Roles. For purposes of the CCPA, Customer is a "business" and Layer IQ is a "service provider."
13.3 Service Provider Obligations. Layer IQ shall not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than providing the Service as specified in the Terms, including for a commercial purpose other than providing the Service; or (c) combine Customer Personal Data with personal information received from or on behalf of other parties, except as permitted by the CCPA.
13.4 Certification. Layer IQ certifies that it understands and will comply with the restrictions in this Section 13.
14. General provisions
14.1 Limitation of Liability. Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms.
14.2 Governing Law. This DPA is governed by the same governing law provisions as the Terms, except that the SCCs (where applicable) are governed by the law of the EU Member State in which the Controller is established, or, if the Controller is not established in an EU Member State, by the laws of Ireland.
14.3 Order of Precedence. In the event of a conflict between this DPA and the Terms, this DPA shall prevail with respect to the processing of Customer Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.
14.4 Amendments. Layer IQ may update this DPA from time to time to reflect changes in Applicable Data Protection Law, provided that any material changes that reduce Customer's rights or Layer IQ's obligations shall be notified to Customer at least thirty (30) days in advance.
14.5 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
Annex 1: Details of processing
A. List of parties
| Role | Entity | Address | Contact |
|---|---|---|---|
| Controller | Customer (as identified in the Terms) | As provided in Customer's account | Customer's account email |
| Processor | Layer IQ Technologies, Inc. | 132 W International Speedway Boulevard, #1189, Daytona Beach, FL 32114 | privacy@layer-iq.com |
B. Description of processing
| Element | Description |
|---|---|
| Subject matter | Provision of the Layer IQ SaaS platform for IT asset intelligence, carbon intensity analytics, and Certificate creation |
| Duration | For the term of the agreement between Customer and Layer IQ |
| Nature and purpose | Storage, hosting, analysis, and processing of Customer's data for infrastructure intelligence, carbon intensity certificate creation, marketplace features, and reporting |
| Categories of Data Subjects | Customer's employees, contractors, agents, and Authorized Users; individuals whose data is contained in Customer's asset disposition records |
| Categories of Personal Data | Name, email address, job title, employer, IP address, device identifiers, authentication credentials; asset data that may incidentally contain personal data (e.g., asset tags referencing individuals, serial numbers linked to users) |
| Sensitive data | None expected. Customer shall not submit special categories of data (as defined in Article 9 GDPR) unless separately agreed |
Annex 2: Technical and organizational security measures
Layer IQ implements and maintains the following technical and organizational measures to protect Customer Personal Data:
Access Controls
- Role-based access control (RBAC) with least-privilege principles
- Multi-factor authentication (MFA) for administrative access
- Unique user credentials for all personnel
- Automated access revocation upon termination of personnel
Encryption
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 or equivalent
- Encryption key management with regular rotation
Infrastructure Security
- Hosting on enterprise cloud infrastructure (AWS/GCP/Railway) with SOC 2 Type II certifications
- Network segmentation and firewalls
- Intrusion detection and prevention systems
- Regular vulnerability scanning and penetration testing
Application Security
- Secure software development lifecycle (SDLC) practices
- Code review and static analysis
- Dependency vulnerability scanning
- Regular security updates and patching
Monitoring and Logging
- Centralized logging of access and processing activities
- Audit trails for administrative actions
- Real-time monitoring and alerting for security events
- Log retention for a minimum of twelve (12) months
Business Continuity
- Regular automated backups with geographic redundancy
- Disaster recovery plan with documented recovery time objectives
- Incident response plan and team
Personnel Security
- Background checks for personnel with access to Customer Personal Data (where permitted by law)
- Data protection and security awareness training
- Confidentiality agreements for all personnel
Vendor Management
- Due diligence assessments for Sub-processors
- Contractual data protection requirements for all Sub-processors
- Regular review of Sub-processor compliance
Annex 3: Sub-processors
The following Sub-processors are authorized to process Customer Personal Data as of the Effective Date:
| Sub-processor | Location | Processing activity |
|---|---|---|
| Amazon Web Services (AWS) | United States | Cloud infrastructure hosting, data storage, compute |
| Google Cloud Platform | United States | Cloud infrastructure, Document AI processing |
| Railway Corporation | United States | Cloud infrastructure hosting, application deployment, compute |
| Stripe, Inc. | United States | Payment processing |
| Auth0 (Okta, Inc.) | United States | Authentication and identity management |
| Resend | United States | Transactional email delivery |
| Inngest | United States | Background job processing |
| Google LLC (Google Analytics 4) | United States | Website traffic analytics, marketing measurement |
| PostHog | United States / EU | Product analytics |
| HubSpot, Inc. | United States | Marketing analytics, visitor tracking |
| Bloom ESG | Netherlands / UK | Certificate registry and verification |
This list is maintained at layer-iq.com/legal/subprocessors. Updates are notified per Section 6.3.
Annex 4: Standard contractual clauses — completion
Where the Standard Contractual Clauses apply under Section 10.2(b), they are completed as follows:
Module: Module Two (Controller to Processor)
Clause 7 (Docking Clause): Included. Third parties may accede to the SCCs with the consent of both parties.
Clause 9(a) (Sub-processors): Option 2 (General written authorization) is selected. Layer IQ shall inform Customer of any intended changes to the list of Sub-processors, giving Customer the opportunity to object per Section 6.4 of this DPA.
Clause 11 (Redress): The optional language is not included.
Clause 13(a) (Supervision): The Supervisory Authority with responsibility for ensuring compliance by the data exporter with the GDPR shall act as the competent supervisory authority. Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR, the Irish Data Protection Commission shall act as the competent supervisory authority.
Clause 17 (Governing Law): Option 1 is selected. The SCCs shall be governed by the law of Ireland.
Clause 18(b) (Choice of Forum): The courts of Ireland.
UK Addendum: Where transfers are subject to UK GDPR, the UK Addendum (as issued by the UK Information Commissioner) applies to the SCCs. The start date of the UK Addendum is the Effective Date of this DPA.
Update history
| Date | Description |
|---|---|
| March 9, 2026 | Initial publication of Data Processing Agreement. |
