Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between the customer and Aethon Core Inc. ("Aethon Core") where Aethon Core processes personal data on behalf of the customer in connection with the services.

If there is a conflict between this DPA and the main services agreement, this DPA controls for matters related to personal data processing.

The customer is the controller or business, and Aethon Core is the processor or service provider, for personal data processed by Aethon Core on the customer's behalf, unless the parties expressly agree otherwise in writing.

Aethon Core may process personal data for the following purposes:

• Providing hosted products, managed services, and support
• Monitoring, securing, maintaining, and improving the services
• Responding to customer instructions and support requests
• Complying with legal obligations related to the services

Categories of data may include account information, contact details, system logs, usage records, and any other personal data that the customer chooses to submit to the services.

Aethon Core will process personal data only on documented instructions from the customer, unless required to do otherwise by applicable law. The agreement, this DPA, customer configuration choices, and support requests together form the customer's documented instructions.

Aethon Core will ensure that personnel authorized to process personal data are bound by confidentiality obligations.

We implement appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

The customer authorizes Aethon Core to use subprocessors that are reasonably necessary to provide the services. Aethon Core remains responsible for the performance of its subprocessors to the extent required by applicable law.

Aethon Core will maintain a list of material subprocessors upon reasonable request and will impose data protection obligations on subprocessors that are no less protective than those in this DPA.

Where personal data is transferred across borders, Aethon Core will use appropriate safeguards required by applicable law, which may include standard contractual clauses or other approved transfer mechanisms.

Taking into account the nature of the processing and the information available to us, Aethon Core will provide reasonable assistance to the customer with:

• Responding to data subject requests
• Security incident response and notification support
• Data protection impact assessments where relevant
• Reasonable compliance inquiries related to the services

If Aethon Core becomes aware of a confirmed security incident affecting personal data processed under this DPA, we will notify the customer without undue delay and provide reasonably available information needed for the customer to meet its own notification obligations.

At the end of the services, and subject to any lawful retention requirements, Aethon Core will delete or return personal data in accordance with the agreement and our retention practices.

Aethon Core will make available information reasonably necessary to demonstrate compliance with this DPA. Where additional audit rights are required by law or contract, the parties will work together in good faith to define a reasonable and secure process.

Questions about this DPA may be sent to privacy@aethoncore.com.