Qevlar AI | Legal Agreements - General

This Data Processing Addendum (this “ DPA”) forms part of the Agreement, or other agreement between Customer and Provider governing Customer’s use of the Services, between the Qevlar AI or Qevlar AI, Inc., as identified in the Agreement (the “Provider”), and the party identified as “Customer” in the Agreement (“Customer”) (each a “Party” and together, the “Parties”). The effective date of this DPA is the Effective Date of the Agreement (“Effective Date”). This DPA describes the commitments of the Parties concerning the processing of Personal Data in connection with Customer’s use of the Services. Any capitalized term not defined in this DPA will have the meaning given it in the Agreement.

1. Definitions.

As used in the DPA, the following terms shall have the following meanings, and cognate terms shall be construed accordingly:.

‍

“Customer Data” means any Personal Data processed by Provider on behalf of Customer as a service provider or processor (as applicable) in connection with the Services, as more particularly described in Annex A of this DPA.

‍

“Data Protection Law” means all worldwide privacy and data protection laws, regulations, rules, ordinances and other decrees applicable to the Personal Data, including (but not limited to): (i) European Data Protection Laws; and (ii) all laws and regulations of the United States, including the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq (“CCPA”); as may be amended, superseded or replaced; Section 5 of the Federal Trade Commission Act; the FTC Standards for Safeguarding Customer Information, and other state and federal privacy and data breach notification laws and regulations.

‍

“EEA” means the Member States of the European Union, plus Iceland, Liechtenstein, and Norway.

‍

“European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of persona l data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in t he electronic communications sector (“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss FDPA”); and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts into domestic law the GDPR, e - Privacy Directive or any other law relating to data and privacy as a consequence of the UK leaving the European Union (collectively, “UK Data Protection Laws”); in each case as may be amended, superseded or replaced.

‍

“Model Clauses” means, depending on the circumstances unique to Customer, any of the following: (i) the standard contractual clauses for processors as approved by the European Commission pursuant to its decision 2021/914 (the “2021 Standard Contractual Clauses”), and (ii) the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022, (“UK IDTA”), each alternatively referred to as Standard Contractual Clauses, incorporated by reference and forming part of this DPA.

‍

“Personal Data” means any information that relates to an identified or identifiable natural person and which is protected as “personal data”, “personal information” or “personally identifiable information” under Applicable Data Protection Laws.

‍

“Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwis e processed by Provider and/or its Sub-processors in connection with the provision of the Services. The Parties acknowledge and agree that “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

‍

“Sub-processor” means any processor engaged by Provider or its Affiliates to assist in fulfilling its obligations with respect to the provision of the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Provider’s Affiliates but shall exclude any Provider’s employee, contractor or consultant.

‍

The terms “controll er”, “processor” and “processing” shall have the meanings given to them in the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly; and the terms “business”, “service provider” and “sell” shall h ave the meanings given to them in the CCPA.

2. Role and Scope of Processing

(a) Scope.

This DPA applies to the extent that Provider Processes Customer Data on behalf of Customer in connection with the Services. This DPA does not apply to Provider’s Processing of Provider operational data, including any Personal Data containe d in technical, security, and usage telemetry that Provider collects in connection with operating the Services (“Provider Operational Data”), which is governed by Provider’s Privacy Policy and applicable law.

(b) Roles of the Parties.

The Parties acknowledge and agree that, with respect to the Processing of Customer Data under this DPA: (i) Customer is the controller or business (or, where Customer is itself acting as a processor or service provider for a third party, the processor or service provider) of the Customer Da ta; and (ii) Provider is the processor or service provider (or, where applicable, sub-processor) of the Customer Data, in each case acting on behalf of Customer. For the avoidance of doubt, the Parties acknowledge that Provider is the controller or busines s with respect to Provider Operational Data, including any Personal Data contained in technical, security, and usage telemetry that Provider collects in connection with operating the Services. Each Party will comply with all Applicable Data Protection Laws binding on it in the performance of this DPA.

(c) Provider’s Processing of Customer Data.

Provider shall Process Customer Data only: (i) on behalf of Customer; (ii) for the purposes described in the Agreement, this DPA (including Annex A), and Customer’s documented, lawful instructions; and (iii) as otherwise required by applicable law. The Parties agree that the Agreement (including this DPA) constitutes Customer’s complete and final instructions to Provider regarding the Processing of Customer Data. Any additional or alternative instructions require the Parties’ prior written agreement. Provider shall promptly notify Customer in writing if, in Provider’s reasonable opinion, an instruction infringes Applicable Data Protection Laws, unless such notice is prohibited by law, and may suspend Processing of the affected Customer Data until Customer modifies or confirms the instruction.

(d) Customer Responsibilities.

Customer is responsible for the lawfulness of Customer Data and its Processing pursuant to the Agreement and this DPA. Customer represents and warrants that: (i) it has provided and will continue to provide all notices an d obtained and will continue to maintain all consents, permissions, and authorizations necessary under Applicable Data Protection Laws for Provider and its Sub-processors to lawfully Process Customer Data for the purposes contemplated by the Agreement and this DPA; (ii) it has complied and will continue to comply with all Applicable Data Protection Laws in its collection, use, transfer, and provision of Customer Data to Provider; and (iii) its Processing instructions to Provider comply with Applicable Data Protection Laws. Customer is solely responsible for determining whether the Services satisfy its obligations under Applicable Data Protection Laws. Customer is further responsible for the source, configuration, and lawful use of any Security Tool that generates Alerts and for ensuring that Personal Data made available to Provider through Security Tools may lawfully be Processed by Pro vider as contemplated by the Agreement.

(e) Aggregated and De-Identified Data.

Provider may collect, generate, derive, and use anonymized, aggregated, statistical, and de-identified data (as those terms are defined under Applicable Data Protection Laws) from the operation of the Services, provided that such data does not identify Customer, any Authorized User, or any other natural person. Provider may use such data for i ts own legitimate business purposes, including to operate, secure, support, evaluate, d evelop, and improve the Services. Where Applicable Data Protection Laws apply to de-identified data, Provider shall (i) take reasonable measures to ensure that the information cannot be associated with a natural person, (ii) publicly commit to maintaining and using the information in de - identified form and not to attempt re-identification, and (iii) contractually obligate any recipients to comply with equivalent restrictions.

3. Sub-processing

(a) Authorized Sub-processors.

Customer provides Provider with a general written authorization to engage Sub-processors to Process Customer Data on Customer’s behalf in connection with the Services. Provider shall maintain a current list of its Sub-processors at www.qevlar.com/legal/agreements/sub-processors, as updated from time to time (the “Sub-processor List”)."

(b) Notice of New Sub-processors.

Provider shall update the Sub-processor List at least fifteen (15) days before authorizing any new Sub-processor to Process Customer Data and shall notify Customer of the update through the mechanism designated on Provider’s website or by other reasonable means. If Provider reasonably determines that engagement of a new Sub-processor on an expedited basis is necessary to protect the confidentiality, integrity, or availability of Customer Data or to avoid material disruption to the Services, Provider shall provide such notice as soon as reasonably practicable.

(c) Sub-processor Obligations.

Provider shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations that are no less protective of Customer Data than those imposed on Provider under this DPA, to the extent applicable to the services provided by that Sub-processor; and (ii) remain responsible for the performance of, and any acts or omissions by, its Sub-processors that cause Provider to breach this DPA.

(d) Objection to New Sub-processors.

Customer may object in writing to Provider’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Provider within ten (10) calendar days after Provider’s notice of the update. The notice must set forth the specific grounds for the objection, and the Parties shall discuss the objection in good faith to seek a commercially reasonable resolution. If no resolution is reached within fifteen (15) calendar days after Customer’s not ice, Provider may, in its sole discretion, (i) decline to engage the new Sub-processor for the affected portion of the Services, or (ii) permit Customer to terminate the affected portion of the Services in accordance with the termination provisions of the Agreement, in which case Provider shall refund any prepaid, unused fees for the terminated portion of the Services. Customer’s failure to object within the period set forth in this Section will constitute consent to the new Sub-processor.

4. Security and Audits

(a) Security Measures.

Provider shall implement and maintain appropriate technical and organizational measures designed to protect Customer Data within Provider’s control from Security Incidents and to preserve the security and confidentiality of Customer Data, taking into account the state of the art, industry best practices, the cost of implementation, and the nature, scope, context, and purposes of the Processing (the “Security Measures”), as detailed in Annex B. Provider shall ensure that any personnel authorized to Process Customer Data are subject to a written or statutory obligation of confidentiality.

(b) Updates to Security Measures.

Customer acknowledges that the Security Measures are subject to technical progress and may be updated or modified b y Provider from time to time, provided that no such update or modification will materially diminish the overall security of the Services subscribed by Customer.

(c) Customer Security Responsibilities.

Customer is responsible for implementing and maintaining appropriate technical and organizational measures within its own environment, including: (i) protecting the confidentiality of all account credentials and authentication factors used to access the Services; (ii) securing Customer’s systems, networks, endpoints, and Security Tools; (iii) configuring the Services and the integrations with Security Tools in accordance with Provider’s Documentation; (iv) backing u p Customer Data and any Investigation Reports outside the Services to the extent necessary for Customer’s business continuity, retention, or regulatory needs; and (v) reviewing the information made available by Provider regarding data security and privacy and independently determining whether the Services meet Customer’s requirements under Applicable Data Protection Laws.

(d) Security Incident Response.

To the extent required by Applicable Data Protection Laws, Provider shall notify Customer of a Security Incident without undue delay after becoming aware of it and in any event within the time period required by Applicable Data Protection Laws. Each notice shall include, to the extent then known and as reasonably requested by Customer to assist Customer in complying with its notification obligations under Applicable Data Protection Laws: (i) a descript ion of the nature of the Security Incident, including the categories and approximate number of affected data subjects and records; (ii) the likely consequences of the Security Incident; (iii) the measures taken or proposed to be taken to address the Security Incident and mitigate its effects; and (iv) the contact details of Provider’s primary security contact. Provider shall promptly take reasonable steps within its control to contain, investigate, and remediate the Security Incident. Provider’s notification of or response to a Security Incident is not, and shall not be construed as, an acknowledgment of fault or liability by Provider. The obligations in this Section 4 (d) do not apply to Security Incidents to the extent caused by Customer, an Authorized User, a Security Tool, or any other third party not within Provider’s reasonable control.

(e) Security Audits.

Provider shall make available to Customer, on Customer’s reasonable written request and on a confidential basis, summary information and written res ponses to standard security and privacy questionnaires reasonably necessary to verify Provider’s compliance with this DPA, including a copy of Provider’s most recent third-party security audit reports (e.g., SOC 2 Type II) and certifications. Customer may exercise this right no more than once in any twelve (12) month period, except where (i) a supervisory authority requires Customer to provide additional information, (ii) Provider has experienced a confirmed Security Incident affecting Customer Data, or (iii) Customer has a reasonable, documented basis to believe Provider is in material breach of this DPA. Any on-premises or live-environment audit will be subject to a separate written agreement between the Parties addressing scope, timing, confidentiality, and cost, and shall be conducted by a reputable, mutually agreed independent auditor that is not a competitor of Provider, during normal business hours, in a manner that does not interfere with Provider’s operations or compromise the security or confidentiality of other Provider customers’ data, and at Customer’s sole cost. Provider may charge Customer for any audit support exceeding two (2) person-days per year at Provider’s then-current professional services rates.

5. International Data Transfers

(a) Processing Locations.

Customer acknowledges that, in providing the Services, Provider and its Sub-processors may Process Customer Data in the European Union or in the United States of America, at Customer’s request. Provider shall ensure that any such transfer of Customer Data is made in compliance with Applicable Data Protection Laws and this DPA.

(b) Transfers Governed by European Data Protection Laws.

To the extent Provider Processes any Personal Data protected by European Data Protection Laws in a jurisdi ction that has not been recognized by the European Commission, the UK Information Commissioner, or the Swiss Federal Data Protection and Information Commissioner (as applicable) as providing an adequate level of protection, Customer (as data exporter) is deemed to have entered into the Standard Contractual Clauses with Provider (as data importer), which are incorporated by reference into this DPA. If and to the extent any term of the Standard Contractual Claus es conflicts with this DPA, the Standard Contractual Clauses prevail with respect to Processing governed by them.

(c) Alternative Transfer Mechanisms.

If at any time the Standard Contractual Clauses are amended, replaced, repealed, or otherwise invalidated, or if Applicable Data Protection Laws require additional or different safeguards (including, without limitation, supplementary measures or additional cross-border transfer clauses) to lawfully transfer Customer Data, the Parties shall cooperate in good faith to take all steps reasonably required to m aintain a lawful basis for the transfer. Provider may, in lieu of relying on the Standard Contractual Clauses, rely on any alternative transfer mechanism approved by the relevant supervisory authority that lawfully permits the transfer of Customer Data.

6. Retention and Deletion of Customer Data.

During the term of the Agreement, the Services will provide Customer with controls (as described in the Documentation) that Customer may use to retrieve, export, or delete Customer Data. Customer authorizes Provider, upon expiration or earlier termination of the Agreement (or upon termination or suspension of the Services pursuant to the Agreement), to delete all Customer Data (including copies) in Provider’s possession or control in accordance with Provider’s standard procedures, subject to (i) any extended retention required by applicable law and (ii) any backup or archival copies retained in accordance with Provider’s standard retention schedule (which will continue to be protected in accordance with this DPA until securely overwritten or destroyed). Provider has no obligation to provide migration, conversion, or other professional services in connection with the deletion or return of Customer Data unless separately agreed in writing or required by applicable law.

7. Cooperation; Data Subject and Regulator Requests

(a) Data Subject Requests.

The Services provide Customer with controls (as described in the Documentation) that Customer may use to access, correct, delete, restrict, or export Customer Data in order t o assist Customer in responding to requests from data subjects or consumers (each, a “Data Subject Request”). To the extent Customer cannot independently respond to a Data Subject Request using the controls provided through the Services, Provider shall, taking into account the nature of the Processing, provide reasonable assistance to Customer at Customer’s cost. If Provider receives a Data Subject Request directly that identifies or relates to Customer, Provider shall not respond to the requestor other than to confirm receipt and direct the requestor to Customer, unless legally compelled, and shall promptly notify Customer of the request unless prohibited by law.

(b) Government and Law-Enforcement Requests.

If a government, regulator, or law-enforcement authority sends Provider a binding legal demand for Customer Data (such as a subpoena, court order, or search warrant), Provider shall (i) promptly notify Customer of the demand, unless legally prohibited from doing so, to enable Customer to seek a protectiv e order or appropriate remedy; (ii) take reasonable steps to challenge or limit over-broad demands; (iii) disclose only the minimum amount of Custome r Data legally required to comply; and (iv) where lawful, redirect the requestor to seek the data directly from Customer.

(c) Impact Assessments and Consultation.

To the extent required by Applicable Data Protection Laws, Provider shall provide Customer, at Customer’s reasonable written request and cost, with information reasonably necessary to enable Customer to conduct a data protection impact assessment, transfer impact assessment, or similar privacy assessment, and to consult with the appli cable supervisory authority where required.

8. Jurisdiction-Specific Terms

(a) California (CCPA).

To the extent that Customer Data is subject to the CCPA, the Parties acknowledge and agree that Customer is a “business” and that Customer appoints Provider as its “service provider” for the limited purposes of providing the Services as set forth in the Agreement and this DPA (the “Permitted Purposes”). Provider: (i) shall not sell or share (as those terms are defined in the CCPA) any Customer Data; (ii) shall not retain, use, or disclose Customer Data for any purpose other than the Permitted Purposes specified in the Agreement and this DPA, including any commercial purpose other than the business purpose of providing the Services, or as otherwise permitted by the CCPA; (iii) shall not retain, use, or disclose Customer Data outside the direct business relationship between Provider and Customer, except as permitted by the CCPA; (iv) shall not combine Customer Data with personal information that Provider receives from or on behalf of another person, or that Provider collects from its own interaction wi th a consumer, except as permitted by the CCPA; (v) shall comply with applicable obligations under the CCPA and provide the same level of privacy protection as is required of a business under the CCPA; and (vi) shall notify Customer if Provider determines that it can no longer meet it s obligations under the CCPA. Customer has the right, upon reasonable written notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Data by Provider. Provider may de-identify or aggregate Personal Data in the course of providing the Services, and any such de-identified or aggregated data is not Personal Data for purposes of this DPA.

9. Limitation of Liability.

Each Party’s and its affiliates’ liability arising out of or relating to this DPA (including the Standard Contractual Clauses), whether in contract, tort (including negligence), or under any other theory of liability, is subject to, and shall be counted toward, the aggregate limitations and exclusions of liability set forth in the Agreement. Any reference in the Agreement to the aggregate liability of a Party means the aggregate liability of that Party and its affiliates under the Agreement and this DPA, taken together.

10. Term and Survival.

This DPA takes effect on the Effective Date and remains in effect for the term of the Agreement.

Provisions that by their nature are intended to survive (including Sections 4, 5, 7, 8, 9, this Section 10, and Section 1 1) survive expiration or termination of the Agreement for so long as Provider retains any Customer Data.

11. Miscellaneous

(a) Order of Precedence.

In the event of any conflict between this DPA and the Agreement with respect to the Processing of Customer Data, this DPA controls. If and to the extent the Standard Contractual Clauses conflict with this DPA, the Standard Contractual Clauses prevail with respect to Processing governed by them.

(b) Affiliates.

Customer’s rights and remedies under this DPA may be exercised only by the Customer entity that has signed the Agreement, on behalf of itself and its affiliates that are permitted users of the Services, in a single, combined manner; no Customer affiliate may independently exercise rights or seek remedies under this DPA except where Applicable Data Protection Laws expressly require otherwise.

(c) Counterparts; Electronic Signatures.

This DPA may be executed in counterparts (including by electronic signature), each of which is deemed an original, and all of which together constitute one and the same instrument.

(d) Severability.

If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remainder of this DPA will continue in full force and effect, and the Parties will negotiate in good faith to modify the affected provision to reflect their original intent.

(e) Governing Law.

This DPA is governed by, and construed in accordance with, the governing law specified in the Agreement, except to the extent that Applicable Data Protection Laws require otherwise.

(f) Updates to this DPA.

Provider may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, regulatory guidance, or industry best practices, provided that any such update does not materially diminish Provider’s obligations or Customer’s rights under this DPA. Provider will provide reasonable advance notice of any material update.

ANNEX A — DATA PROCESSING DESCRIPTION

Subject matter	Provider's provision of the Services (an AI-based cybersecurity threat investigation and reporting software-as-a-service) to Customer pursuant to the Agreement.
Duration of Processing	The term of the Agreement, plus any post-termination period during which Provider retains Customer Data in accordance with Section 6 of this DPA or applicable law.
Nature and purpose of Processing	Collection, receipt, storage, organization, structuring, analysis (including machine-learning and rules-based analysis), enrichment, correlation, classification, scoring, retrieval, transmission, retention, and deletion of Customer Data, in each case for the purpose of: (i) receiving and processing Alerts from Customer's Security Tools; (ii) generating Investigation Reports, Scores, and suggested remediation actions; (iii) operating, supporting, maintaining, securing, and improving the Services in accordance with the Agreement; and (iv) complying with applicable law.
Types of Personal Data	Personal Data contained in or derived from Alerts and other Customer Data submitted to the Services, which may include, depending on the configuration and the source Security Tools: (i) Authorized User identification and contact data (e.g., name, business email, business phone, role, employee identifier); (ii) authentication and audit data (e.g., login identifiers, hashed passwords, IP addresses, session and API logs, timestamps); (iii) network, endpoint, application, and device telemetry (e.g., IP addresses, MAC addresses, hostnames, URLs, process and file metadata, user activity logs, security tool outputs); and (iv) any other Personal Data that Customer or an Authorized User submits to or generates through the Services.
Special categories of data	The Services are not intended to Process special categories of Personal Data (as defined under the GDPR) or "sensitive personal information" (as defined under the CCPA). Customer is responsible for not submitting such data to the Services other than as expressly authorized in writing by Provider and subject to additional safeguards.
Categories of data subjects	Authorized Users; Customer's employees, contractors, and personnel; users of Customer's information systems; and any other natural persons whose Personal Data is contained in Alerts or other Customer Data submitted to or generated through the Services.
Frequency of transfer	Continuous, for the duration of the Agreement.
Sub-processor List	The current Sub-processors include (i) cloud hosting and infrastructure providers (Amazon Web Services, Google Cloud Platform, and Microsoft Azure); (ii) hosted AI/LLM-inference providers (OpenAI and Microsoft Azure OpenAI Service); (iii) Qevlar group affiliates (Qevlar AI SAS and Qevlar AI Inc.); and (iv) operational and security tooling supporting the delivery of the Services, including Auth0 for identity, Sentry/Langfuse/Literal AI for application observability, threat-intelligence providers (AbuseIPDB, BigDataCloud, IPinfo, OPSWAT, urlscan.io, VirusTotal) for alert enrichment, Slack and Zendesk for customer communication and support, Postmark for transactional email, HubSpot for CRM and marketing, Notion for documentation, YouSign for electronic signature, and Mixpanel and PostHog for product analytics. The full, up-to-date list is set out in the Sub-Processor list maintained by Qevlar AI at qevlar.com/legal/sub-processors.

ANNEX B — SECURITY MEASURES

This Annex B describes the technical and organizational measures that Provider implements and maintains to protect Customer Data Processed by Provider in connection with the Services. Provider operates the Services pursuant to a shared-responsibility model, which requires Customer to take certain steps within its own environment as described in the Agreement and Section 4(c ) of this DPA. Provider may update or modify these measures from time to time provided that no such change will materially diminish the overall security of the Services.

‍

Encryption

• Customer Data is encrypted in transit using TLS 1.2 or higher.

• Customer Data at rest is encrypted using AES-256 encryption.

• Authentication credentials and secrets are encrypted in transit and at rest; key material is managed using a dedicated key- management service with regular rotation.

• Employee endpoints used to access production systems use full-disk encryption.

‍

Access Control

• Role-based access control with least-privilege principles is applied across the Services’ infrastructure, application, and data layers.

• Multi-factor authentication is enforced for access to production, administrative, and source-control systems.

• Strong password complexity, account lockout, and session controls are enforced for personnel access.

• Production access keys, service accounts, and privileged credentials are rotated regularly and on personnel changes.

• Personnel access is provisioned and de-provisioned in accordance with documented joiner-mover-leaver procedures and reviewed periodically.

‍

Network and Application Security

• Network segmentation, firewalls, and security groups separate production, staging, and corporate environments.

• Web application firewalls and DDoS protection are deployed at the network perimeter.

• Vulnerability scanning, dependency scanning, and continuous security monitoring are performed across production systems and application code.

• Application changes follow a documented secure development lifecycle, including peer code review, automated testing, and pre-production validation.

• Independent third-party penetration testing is performed at least annually, with findings remediated according to documented service-level objectives based on severity. Logging and Monitoring

• Authentication events, administrative actions, and security-relevant events are logged centrally with tamper-resistant controls.

• Logs are retained in accordance with Provider’s retention schedule and applicable law.

• Automated alerting and 24x7 monitoring detect anomalous and potentially malicious activity.

• A documented incident-response plan governs detection, triage, containment, eradication, recovery, and post-incident review.

‍

Availability and Resilience

• The Services are deployed in geographically redundant infrastructure operated by leading public cloud providers.

• Documented business continuity and disaster recovery plans are maintained and tested at least annually.

• Customer Data backups are encrypted and stored in controlled environments, with restoration tested periodically.

‍

Personnel and Organizational Security

• Provider maintains a formal information security program aligned with industry frameworks (SOC 2 type 2).

• Personnel are subject to background screening (to the extent permitted by applicable law), confidentiality obligations, and recurring security and privacy awareness training.

• Documented policies and procedures govern acceptable use, data classification, change management, vendor management, and risk assessment.

• Endpoint protection is deployed on devices used to access production or sensitive systems.

‍

Physical Security

• Production systems are hosted in data centers operated by leading public cloud providers, which implement physical security controls including 24x7 monitoring, visitor logging, access cards, biometric controls (where applicable), and environmental safeguards.

• Provider corporate offices implement physical access controls, visitor management, and clean-desk practices.

‍

Third-Party Risk Management

• All sub-processors and vendors with access to Customer Data undergo security and privacy due diligence before onboarding and are reviewed at least annually thereafter. Provider maintains a documented sub-processor inventory, notifies customers of any changes, and contractually binds all sub-processors to equivalent data protection obligations — a program independently validated under SOC 2 Type II with no exceptions noted.

• All sub-processors are contractually bound to data protection obligations equivalent to or stricter than those in this DPA, with Provider retaining full liability for sub-processor compliance. Compliance and Assurance

• Provider maintains, and provides Customer with summary information about, third-party audits and certifications applicable to the Services (e.g., SOC 2 Type II), as available, on a confidential basis.

• Provider performs periodic internal audits and risk assessments of the Services.

ANNEX C — CROSS-BORDER TRANSFERS

This Annex C sets forth the terms applicable when transfers of Personal Data subject to European Data Protection Laws are mad e from the EEA, the United Kingdom, or Switzerland to Provider in a jurisdiction that has not received an adequacy determination.

1. Application of the 2021 SCCs (EEA)

For data transfers subject to the GDPR, the 2021 SCCs apply as follows: (a) Module Two (Controller to Processor) applies where Customer is a controller and Provider is a processor of Customer Data; (b) Module Three (Processor to Processor) applies where Customer is a processor and Provider is a sub-processor of Customer Data; (c) in Clause 7 (docking clause), the optional language applies; (d) in Clause 9, Option 2 (general written authorization) applies, and the prior-notice period is as set forth in Section 3 of this DPA; (e) in Clause 11, the optional independent dispute resolution language does not apply; (f) in Clause 17, Option 1 applies and the 2021 SCCs are governed by the law of the Republic of Ireland; (g) in Clause 18(b), disputes will be resolved before t he courts of the Republic of Ireland; (h) Annex I.A is populated as set forth below; (i) Annex I.B incorporates the details set forth in Annex A of this DPA; (j) Annex I.C designates the supervisory authority of the EU member state in which the data exporter is established or, where no such authority is competent, the Irish Data Protection Commissi on; and (k) Annex II incorporates the technical and organizational measures set forth in Annex B of this DPA.

2. Application of the UK IDTA (United Kingdom)

For data transfers subject to the UK GDPR, the UK IDTA applies and is deemed to be entered into be tween Customer (as data exporter) and Provider (as data importer), incorporating by reference the 2021 SCCs (as modified above) and the information s et forth in Annex A and Annex B of this DPA.

3. Application to Swiss Transfers

For data transfers subject to the Swiss FADP, the 2021 SCCs apply as modified above, with the following adjustments: (a) references to “Regulation (EU) 2016/679” are read as references to the Swiss FADP; (b) references to “EU,” “Union,” “Member State,” and “Member State law” are rea d as references to Switzerland and Swiss law; and (c) references to the “competent supervisory authority” and “competent courts” are read as references to the Swiss Federal Data Protection and Information Commissioner and competent Swiss courts.

4. Data Exporter and Data Importer Details (Annex I.A)

Data Exporter	Customer and any authorized affiliate of Customer that uses the Services pursuant to the Agreement.
Contact details (Exporter)	The email address(es) designated by Customer to receive notices under the Agreement.
Activities relevant to the transfer (Exporter)	Receipt of the Services from Provider pursuant to the Agreement.
Role (Exporter)	Controller (or, where applicable, processor).
Data Importer	Qevlar AI Inc., a Delaware corporation.
Contact details (Importer)	Qevlar AI Inc., Legal & Privacy: morane.bensoussan@qevlar.com (or such other address as Provider may designate from time to time).
Activities relevant to the transfer (Importer)	Provision of the Services to Customer pursuant to the Agreement.
Role (Importer)	Processor (or, where applicable, sub-processor).
Signature and Date	By entering into the Agreement and this DPA, each Party is deemed to have signed the Standard Contractual Clauses (and, where applicable, the UK IDTA) incorporated herein, including their annexes, as of the Effective Date of this DPA.

5. Future Changes

If and to the extent any of the Standard Contractual Clauses or the UK IDTA are amended, replaced, repealed, or otherwise invalidated under Applicable Data Protection Laws, the Parties shall cooperate in good faith to enter into an updated or replacement transfer mechanism within a reasonable period. Provider may, in lieu of relying on the Standard Contractual Clauses or the UK IDTA, rely on any alternative transfer mechanism approved by the competent supervisory authority that lawfully permits the transfer of Customer Data.

Data Processing Agreement