Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between Daros Systems, Inc., a Delaware corporation (“Daros,” “we,” or “Processor”), and the customer identified in the Agreement (“Customer” or “Controller”) for the provision of the Provendor procurement platform (the “Service”). It reflects the parties' obligations under Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the Swiss Federal Act on Data Protection, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”) (collectively, “Data Protection Laws”). In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to Processing of Customer Personal Data.

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement or Data Protection Laws.

• Customer Personal Data: Personal Data contained within Customer Content Processed by Daros on behalf of Customer under the Agreement.
• Data Subject: the identified or identifiable natural person to whom Personal Data relates.
• Processing: any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).
• Sub-processor: any third party engaged by Daros that Processes Customer Personal Data.
• Standard Contractual Clauses or SCCs: the European Commission's clauses approved under Decision (EU) 2021/914 (Module 2: Controller-to-Processor and Module 3: Processor-to-Processor, as applicable).
• UK IDTA: the UK International Data Transfer Addendum to the SCCs issued by the UK ICO.
• Security Incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

2. Scope, Roles, and Duration

Customer is the Controller and Daros is the Processor of Customer Personal Data. Where Customer acts as a Processor for its own customer, Daros acts as Sub-processor and the parties agree that Module 3 of the SCCs applies where required. This DPA applies for the term of the Agreement and survives termination to the extent Daros continues to Process Customer Personal Data.

3. Nature, Purpose, and Subject Matter of Processing

The subject matter of Processing is the provision of the Service to Customer. The nature and purpose of Processing is to enable Customer to run RFQ workflows, manage vendor relationships, collect and compare quotations, generate purchase orders, and otherwise use the Service's procurement features as described in the Agreement.

4. Categories of Data Subjects and Personal Data

Data Subjectsmay include: Customer's employees and contractors using the Service; Customer's suppliers, vendors, and their representatives; and other individuals referenced in Customer Content (e.g., project stakeholders, points of contact).

Categories of Personal Data may include: name, business email address, business phone number, job title, employer name, account credentials, IP address, device and usage data, content of communications sent through the Service (e.g., RFQs, emails, vendor responses), and any other Personal Data Customer chooses to submit to the Service. Customer must not submit special categories of data (GDPR Art. 9), government identifiers, payment card data, or protected health information through the Service unless expressly agreed in writing.

5. Customer Instructions

Daros will Process Customer Personal Data only on Customer's documented instructions, including as necessary to (a) provide and support the Service, (b) comply with the Agreement, and (c) comply with applicable law. The Agreement and the Customer's use of Service configuration constitute Customer's complete and final documented instructions at the time of execution. Additional instructions require written agreement between the parties. Daros will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

6. Confidentiality of Processing

Daros ensures that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and have received training relevant to their role.

7. Security Measures

Daros implements and maintains the technical and organizational measures described in Annex II to ensure a level of security appropriate to the risk. Daros regularly reviews these measures and may update them provided the updates do not materially degrade the overall security of the Service.

8. Sub-processors

Customer provides a general authorization for Daros to engage Sub-processors, subject to the safeguards in this Section. A current list of Sub-processors is maintained at provendor.io/sub-processors and summarized in Annex III.

Daros will (a) enter into a written agreement with each Sub-processor that imposes data protection obligations substantially similar to those in this DPA; (b) remain liable for each Sub-processor's acts and omissions as if they were its own; and (c) provide at least 30 days' advance notice of new Sub-processors by updating the public list (and, on request, notifying Customer by email). Customer may object in writing on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection; if unresolved, Customer may terminate the affected portion of the Service for convenience.

9. International Data Transfers

Where Daros Processes Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland in a country that has not received an adequacy decision, the transfer is governed by the SCCs (and, for UK data, the UK IDTA), which are incorporated into this DPA by reference. For purposes of the SCCs:

• Module 2 (Controller to Processor) applies where Customer is a Controller; Module 3 (Processor to Processor) applies where Customer is a Processor.
• The optional docking clause in Clause 7 applies.
• Option 2 of Clause 9(a) applies with 30 days' notice for Sub-processor changes.
• The governing law (Clause 17) is the law of Ireland; the supervisory authority and forum (Clause 18) is Ireland.
• Annexes to the SCCs are populated by Annex I, Annex II, and Annex III of this DPA.

For Customer Personal Data subject to Swiss FADP, references to the GDPR are deemed references to the FADP and the competent authority is the Swiss Federal Data Protection and Information Commissioner.

10. Data Subject Requests

Taking into account the nature of Processing, Daros provides the Service features that enable Customer to access, correct, export, and delete Customer Personal Data. Where Daros receives a request directly from a Data Subject, Daros will, unless legally required to respond, promptly forward the request to Customer and will not respond except on Customer's instruction. Daros will provide reasonable assistance to enable Customer to respond to Data Subject requests.

11. Security Incident Notification

Daros will notify Customer without undue delay and in any event within 72 hoursof becoming aware of a Security Incident affecting Customer Personal Data. The notice will describe the nature of the incident, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed to address the incident and mitigate its effects. Daros will provide updates as the investigation progresses and cooperate with Customer's reasonable efforts to meet any regulatory notification obligations.

12. Data Protection Impact Assessments and Prior Consultation

Daros will provide reasonable assistance to Customer in carrying out data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of Processing and the information available to Daros.

13. Audit Rights

Daros will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. On Customer's written request no more than once per calendar year (and at any time following a Security Incident affecting Customer Personal Data), Daros will provide (a) a copy of its most recent third-party security audit report (e.g., SOC 2 Type II or equivalent) under NDA, and (b) written responses to a reasonable security questionnaire. Where the audit report is insufficient to demonstrate compliance and Data Protection Laws require an on-site audit, the parties will agree the scope, timing, and cost in advance, conducted during business hours by a mutually acceptable auditor subject to appropriate confidentiality obligations.

14. Return and Deletion of Customer Personal Data

On termination or expiration of the Agreement, Daros will delete or return Customer Personal Data as provided in the Agreement and Privacy Policy. Customer may export its data through the Service for at least 30 days after termination. Thereafter, Daros will delete Customer Personal Data from active systems within 30 days and from backups within 90 days, except where applicable law requires continued retention or as necessary to defend legal claims.

15. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set forth in the Agreement. Where permitted by applicable law, this allocation applies to claims among the parties and does not limit the rights of Data Subjects under the SCCs.

16. Governing Law

This DPA is governed by the laws of the State of Delaware, USA, except that Clauses 17 and 18 of the SCCs are governed by Irish law and subject to the jurisdiction of the Irish courts, as required by the SCCs.

17. Precedence and Effect

This DPA supersedes any prior data processing agreements between the parties with respect to the Service. If you require a countersigned copy for your records, email dpa@provendor.io from a verified customer account and we will execute the DPA.

Annex I — Description of Processing

A. List of Parties

Data Exporter (Controller): Customer, as identified in the Agreement. Contact point: the Customer administrator email on file.

Data Importer (Processor): Daros Systems, Inc., a Delaware corporation. Contact: dpa@provendor.io.

B. Description of Transfer

• Categories of Data Subjects: see Section 4.
• Categories of Personal Data: see Section 4.
• Sensitive data: none intended; Customer must not submit special-category data.
• Frequency of transfer: continuous, for the duration of the Agreement.
• Nature of Processing: hosting, storage, transmission, analysis, and display of Customer Content to deliver the Service.
• Purpose: provision, support, and improvement of the Service under the Agreement.
• Retention period: for the term of the Agreement plus the deletion windows described in Section 14.
• Sub-processor transfers: see Annex III.

C. Competent Supervisory Authority

The supervisory authority of Ireland (Data Protection Commission) for EEA transfers; the UK ICO for UK transfers; the Swiss FDPIC for Swiss transfers.

Annex II — Technical and Organizational Measures

Daros implements and maintains measures designed to protect Customer Personal Data against a Security Incident. These measures include:

• Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest in production databases and object storage.
• Access control: role-based access with least-privilege defaults; SSO and MFA required for employee access to production systems; periodic access reviews.
• Network security: private subnets for application and data tiers; WAF at ingress; rate limiting and bot mitigation; IP allowlisting for administrative paths.
• Application security: secure SDLC with mandatory code review; static analysis and dependency scanning; secret scanning on commit; periodic penetration testing by a third party.
• Tenant isolation: logical isolation of Customer Content at the application layer with tenant-scoped queries and row-level authorization checks.
• Logging and monitoring: centralized application, infrastructure, and audit logs with alerting on anomalous events; log retention at least 13 months.
• Backup and recovery: encrypted backups with defined RPO and RTO targets; disaster recovery procedures tested at least annually.
• Vendor management: security review of material Sub-processors and written data protection commitments substantially similar to this DPA.
• Personnel: background checks where permitted by law; mandatory annual security and privacy training; written confidentiality obligations.
• Incident response: documented plan with defined roles, severity tiers, and a 72-hour external notification target for Security Incidents affecting Customer Personal Data.
• Business continuity: multi-zone infrastructure; failover runbooks; defined maintenance and change management procedures.
• Physical security: Customer Personal Data is hosted in data centers operated by vetted cloud providers (see Annex III) with industry-standard physical access controls.

Annex III — Sub-processors

The current list of Sub-processors is published at provendor.io/sub-processors and is incorporated by reference. Categories typically include cloud hosting, transactional email, analytics and product telemetry, AI inference, customer support, and billing. Daros provides at least 30 days' advance notice of new Sub-processors as described in Section 8.

Contact

Data protection inquiries: dpa@provendor.io. Privacy inquiries: privacy@provendor.io. Security inquiries: security@provendor.io.