SignFlow

Data Processing Addendum

Effective date
March 28, 2026
Entity
Spenat Labs Inc.
Address
995 Market St, San Francisco, CA 94103, USA

This Data Processing Addendum (this “DPA”) forms part of the agreement between Spenat Labs Inc. (“Spenat Labs,” “Processor,” “Service Provider,” “we,” “us,” or “our”) and the customer entity agreeing to this DPA (“Customer,” “Controller,” “Business,” or “you”) and supplements the applicable Terms and Conditions, order form, subscription agreement, or other services agreement governing Customer's use of the Service (the “Agreement”).

This DPA applies where and to the extent that Spenat Labs processes Customer Personal Data on behalf of Customer in connection with the Service.

1. Definitions

For purposes of this DPA:

  • “Applicable Data Protection Law” means any law, regulation, or binding regulatory requirement applicable to the processing of Customer Personal Data under the Agreement, including, where applicable, data protection, privacy, breach notification, and cross-border transfer laws.
  • “Customer Personal Data” means personal data, personal information, or similar protected information processed by Spenat Labs on behalf of Customer in connection with the Service.
  • “Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates.
  • “Process” or “Processing” means any operation performed on Customer Personal Data, whether or not by automated means, including access, collection, recording, organization, storage, adaptation, retrieval, use, disclosure, transmission, analysis, combination, deletion, or destruction.
  • “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data processed by Spenat Labs on behalf of Customer. A Security Incident does not include unsuccessful attempts or activities that do not result in unauthorized access to Customer Personal Data, such as pings, port scans, denial-of-service attempts, firewall events, failed login attempts, packet drops, malware blocked in transit, or other unsuccessful attacks.

The terms “controller,” “processor,” “business,” “service provider,” “contractor,” “personal data,” “personal information,” and similar terms shall have the meanings assigned under Applicable Data Protection Law where relevant.

2. Roles of the Parties

The parties acknowledge and agree that:

  1. Customer determines the purposes and means of the processing of Customer Personal Data in connection with its use of the Service.
  2. Spenat Labs processes Customer Personal Data on behalf of Customer as a processor, service provider, contractor, or similar role under Applicable Data Protection Law.
  3. Customer is solely responsible for: (a) the lawfulness of its instructions; (b) providing any notices and obtaining any rights, consents, or authorizations required for its use of the Service; (c) the accuracy, quality, and legality of Customer Personal Data; and (d) its relationships with Data Subjects.
  4. If and to the extent Spenat Labs acts as a controller, business, or similar primary responsible party for certain data outside Customer’s instructions, such processing shall be governed by Spenat Labs’s Privacy Policy and not this DPA.

3. Subject Matter, Duration, Nature, and Purpose of Processing

A. Subject Matter

Spenat Labs provides electronic document, signature, approval, workflow, storage, routing, team, branding, and related software functionality as described in the Agreement.

B. Duration

Spenat Labs will process Customer Personal Data for the duration of the Agreement and for any additional period during which retention, deletion, backup, archival, or transition processing occurs in accordance with the Agreement, this DPA, or our standard data lifecycle practices, unless otherwise required by law.

C. Nature and Purpose

Processing may include hosting, storing, organizing, displaying, transmitting, routing, signing, authenticating, indexing, retrieving, extracting, analyzing, securing, supporting, backing up, deleting, and otherwise processing Customer Personal Data as necessary to provide and operate the Service, maintain security, prevent abuse, troubleshoot issues, comply with law, and perform related service operations.

D. Categories of Data Subjects

Data Subjects may include, as applicable:

  • Customer’s users, employees, contractors, agents, and representatives;
  • senders, signers, recipients, approvers, reviewers, witnesses, and document participants;
  • Customer’s customers, clients, vendors, counterparties, and prospective counterparties; and
  • other individuals whose personal data Customer submits to the Service.

E. Categories of Customer Personal Data

Customer Personal Data may include, as applicable:

  • identity and contact data, such as names, email addresses, phone numbers, titles, and organization information;
  • account and workspace data;
  • document contents and metadata;
  • signature and consent data, including signature images, initials, timestamps, IP addresses, user agent information, audit trails, and event logs;
  • communications and workflow records;
  • billing or transactional contact details; and
  • any other personal data Customer uploads, stores, sends, or otherwise makes available through the Service.

Customer acknowledges that, depending on how it uses the Service, Customer Personal Data may include categories of data that are subject to heightened protections under Applicable Data Protection Law. Customer is solely responsible for determining whether the Service is appropriate for such data and for implementing any additional measures it deems necessary.

4. Customer Instructions

Spenat Labs will process Customer Personal Data only on documented instructions from Customer, unless otherwise required by applicable law. The Agreement, this DPA, Customer’s use of the Service, Customer’s configuration of the Service, Customer’s administrative actions, and Customer’s communications to Spenat Labs each constitute documented instructions.

Customer instructs Spenat Labs to process Customer Personal Data as reasonably necessary to:

  • provide the Service and related support;
  • maintain, secure, monitor, and improve the Service;
  • prevent fraud, abuse, misuse, and security threats;
  • comply with law and lawful process; and
  • carry out other processing consistent with the Agreement and Customer’s use of the Service.

Spenat Labs may refuse instructions that it reasonably believes violate law or exceed the scope of the Agreement. To the maximum extent permitted by law, Spenat Labs has no obligation to independently assess whether Customer’s instructions comply with law.

5. Confidentiality

Spenat Labs will ensure that persons authorized to process Customer Personal Data are subject to appropriate obligations of confidentiality, whether by contract, policy, or law.

6. Security Measures

Taking into account the nature of the processing, the state of the art, implementation costs, and the risks presented by the processing, Spenat Labs will implement and maintain commercially reasonable technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, alteration, or damage.

Such measures may include, as appropriate to the Service and risk profile, access controls, authentication controls, logging, encryption in transit and at rest where implemented, network protections, vulnerability management, backup practices, personnel confidentiality obligations, and incident response procedures.

Customer acknowledges that no security measure can guarantee absolute security and that the Service is not represented as fail-safe, intrusion-proof, or suitable for every possible regulatory environment or data category.

7. Subprocessors

Customer grants Spenat Labs a general authorization to engage affiliates and third-party subprocessors to process Customer Personal Data in connection with the Service.

Spenat Labs will impose data protection obligations on subprocessors that are materially protective of Customer Personal Data in light of the nature of the services provided by the subprocessor.

A current list of subprocessors may be made available by Spenat Labs separately. Spenat Labs may update its subprocessors from time to time in its discretion.

If Applicable Data Protection Law requires a process for subprocessor objections, Customer may raise a reasonable written objection on data protection grounds within ten (10) days after receiving notice of a new subprocessor, if notice is provided. If the parties cannot resolve the objection in good faith, Spenat Labs may, at its option, either: (a) recommend a commercially reasonable alternative configuration; or (b) terminate the affected portion of the Service, and Customer’s sole remedy shall be termination of the affected portion. Spenat Labs is not required to refrain from using a subprocessor it reasonably considers necessary.

8. International Transfers

Customer authorizes Spenat Labs and its subprocessors to process and store Customer Personal Data in the United States and other countries where Spenat Labs or its subprocessors operate.

Where Applicable Data Protection Law requires a transfer mechanism for cross-border transfers of Customer Personal Data, the parties agree to cooperate in good faith to implement a lawful mechanism reasonably selected by Spenat Labs, which may include standard contractual clauses or similar safeguards.

To the extent legally required and applicable, the Standard Contractual Clauses approved by the European Commission, together with any required UK or Swiss addenda, are incorporated by reference into this DPA as follows:

  1. Module Two (Controller to Processor) applies where Customer is a controller and Spenat Labs is a processor.
  2. Module Three (Processor to Processor) applies where Customer is a processor and Spenat Labs is a subprocessor.
  3. The optional docking clause applies.
  4. The audit-related, assistance-related, and technical-and-organizational-measures provisions of this DPA supplement the Standard Contractual Clauses.
  5. The governing law and forum provisions of the Standard Contractual Clauses shall apply only as required for those clauses.
  6. If and to the extent the Standard Contractual Clauses conflict with this DPA, the Standard Contractual Clauses control.

The parties will complete Annex information in a commercially reasonable manner based on the Service and this DPA, and Customer authorizes Spenat Labs to update non-material annex information to reflect operational changes.

9. Assistance with Data Subject Requests

Taking into account the nature of the processing, Spenat Labs will provide commercially reasonable assistance to Customer, through appropriate technical and organizational measures where feasible, to help Customer respond to requests from Data Subjects exercising rights under Applicable Data Protection Law.

If Spenat Labs receives a request from a Data Subject relating specifically to Customer Personal Data for which Customer is the responsible party, Spenat Labs may, where appropriate, direct the requester to Customer or notify Customer of the request.

Customer is responsible for responding to Data Subject requests and for verifying the requester’s identity and authority.

10. Assistance with Compliance Obligations

To the extent required by Applicable Data Protection Law and taking into account the nature of processing and information available to Spenat Labs, Spenat Labs will provide commercially reasonable assistance to Customer with respect to:

  • data protection impact assessments;
  • prior consultations with supervisory authorities;
  • security assessments; and
  • breach-response obligations,

in each case solely to the extent Customer cannot reasonably satisfy those obligations without Spenat Labs’s assistance and provided that Customer shall reimburse Spenat Labs for any time, costs, and expenses incurred in providing assistance beyond standard support obligations.

11. Security Incident Notification

Upon becoming aware of a confirmed Security Incident affecting Customer Personal Data processed on behalf of Customer, Spenat Labs will notify Customer without undue delay.

Such notification may be made by email, account notice, or other reasonable means and may be provided in phases as information becomes available.

Spenat Labs’s notification of or response to a Security Incident is not and shall not be construed as an admission of fault or liability.

Customer is solely responsible for determining whether to notify regulators, Data Subjects, customers, counterparties, or others regarding any Security Incident, unless Applicable Data Protection Law expressly requires otherwise.

12. Return and Deletion

Upon termination or expiration of the Agreement, Spenat Labs may delete Customer Personal Data in accordance with its standard deletion and retention practices unless otherwise required by law or expressly agreed in writing.

To the maximum extent permitted by law and absent a written agreement stating otherwise:

  • Spenat Labs has no obligation to return, export, migrate, preserve, or recover Customer Personal Data after termination;
  • Customer is solely responsible for exporting or retrieving any data it wishes to retain before termination or deletion; and
  • residual copies may remain in backups, logs, archives, or disaster recovery systems until deleted in the ordinary course.

If Applicable Data Protection Law requires deletion or return upon Customer’s request, Spenat Labs may satisfy that obligation by deleting the relevant Customer Personal Data, unless return is technically feasible and separately agreed.

13. Audits and Information Rights

To the extent required by Applicable Data Protection Law, Spenat Labs will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

Any audit, inspection, questionnaire, or assessment requested by Customer shall be subject to the following conditions:

  1. it must be reasonably necessary under Applicable Data Protection Law;
  2. Customer must first make reasonable use of documentation, certifications, summaries, and other information made available by Spenat Labs;
  3. it must be conducted no more than once per twelve (12) month period, unless a confirmed Security Incident or a clear legal requirement justifies an additional audit;
  4. it must occur on reasonable prior written notice, during normal business hours, and in a manner that minimizes disruption;
  5. it must be subject to appropriate confidentiality obligations;
  6. it may not include access to data of other customers, source code, internal penetration-test results, or information that would create unreasonable security, confidentiality, legal, or competitive risk; and
  7. Customer must reimburse Spenat Labs for its reasonable costs and time associated with the audit.

Spenat Labs may satisfy audit obligations through third-party audit reports, security summaries, certifications, or written responses where appropriate.

14. CCPA and Similar U.S. State Terms

To the extent the California Consumer Privacy Act, as amended, or a similar U.S. state privacy law applies to Customer Personal Data processed by Spenat Labs on Customer’s behalf, the parties agree that:

  1. Spenat Labs is acting as a service provider, contractor, or similar role, as applicable;
  2. Spenat Labs will not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes and limited purposes described in the Agreement, this DPA, or as otherwise permitted by applicable law;
  3. Spenat Labs will not sell or share Customer Personal Data, as those terms are defined under applicable law, except as permitted by law;
  4. Spenat Labs will not combine Customer Personal Data with personal information received from other sources except as permitted by law;
  5. Spenat Labs may use Customer Personal Data for internal use reasonably aligned with Customer’s expectations and for purposes permitted for service providers or contractors under applicable law, including security, fraud prevention, service improvement, and compliance; and
  6. Spenat Labs certifies that it understands and will comply with the restrictions applicable to it under such laws.

15. Limitation of Liability

This DPA is subject to the liability limitations, disclaimers, exclusions, and other risk allocations set forth in the Agreement. To the extent the Agreement does not contain such provisions, Spenat Labs’s total aggregate liability arising out of or relating to this DPA shall be subject to the maximum limitations permitted by law.

16. Precedence

If there is a conflict between this DPA and the Agreement, this DPA controls solely with respect to the processing of Customer Personal Data under Applicable Data Protection Law. If there is a conflict between this DPA and any incorporated Standard Contractual Clauses, the Standard Contractual Clauses control to the extent of that conflict.

17. Miscellaneous

This DPA will remain in effect for as long as Spenat Labs processes Customer Personal Data on behalf of Customer.

If any provision of this DPA is held invalid or unenforceable, the remainder will remain in full force and effect.

This DPA may be executed electronically and in counterparts.

No party may assign this DPA except as permitted under the Agreement.


Annex 1 — Description of Processing

A. Parties

Exporter / Customer: The customer entity identified in the Agreement.

Importer / Spenat Labs: Spenat Labs Inc., 995 Market St, San Francisco, CA 94103, USA, hello@spenatlabs.com.

B. Categories of Data Subjects

  • Customer users and administrators
  • Senders, signers, recipients, reviewers, approvers, witnesses, and other workflow participants
  • Customer’s employees, contractors, agents, clients, vendors, and counterparties
  • Other individuals whose personal data is included in documents or workflows submitted by Customer

C. Categories of Personal Data

  • Names, email addresses, phone numbers, organization and title information
  • Account, authentication, and workspace data
  • Document content and metadata
  • Signature, consent, timestamp, IP, device, browser, and audit trail information
  • Communications and support-related data
  • Other personal data submitted by Customer through the Service

D. Sensitive Data

Sensitive data, if any, is processed only as submitted by Customer and subject to Customer’s instructions. Customer is responsible for determining whether use of the Service for such data is appropriate and lawful.

E. Frequency and Duration

Processing is continuous, episodic, or ad hoc depending on Customer’s use of the Service and continues for the duration described in this DPA.

F. Nature of Processing

Collection, storage, organization, structuring, hosting, transmission, display, retrieval, use, disclosure by transmission, automated analysis, signature workflow processing, support, backup, and deletion.

G. Purpose of Processing

To provide the Service and related support and operations as described in the Agreement and this DPA.


Annex 2 — Technical and Organizational Measures Summary

Spenat Labs maintains commercially reasonable technical and organizational measures designed to protect Customer Personal Data, which may include as appropriate:

  • role-based or permission-based access controls;
  • authentication and credential management controls;
  • encryption in transit and at rest where implemented;
  • logging and monitoring;
  • backup and resilience practices;
  • vendor and subprocessor management practices;
  • personnel confidentiality obligations;
  • security policies and incident response practices; and
  • reasonable measures to detect, prevent, and respond to unauthorized access and abuse.

Spenat Labs may update these measures from time to time, provided that such updates do not materially reduce the overall security posture of the Service in light of its nature.


Annex 3 — Subprocessors Placeholder

A current subprocessor list may be provided separately by Spenat Labs and may be updated from time to time.