Data Processing Addendum

This Data Processing Addendum, including its Exhibits and Appendices ("DPA") forms part of the Platform Services Agreement available at https://gethyrax.app/legal/terms or, if applicable, any superseding written agreement between Hyrax LLC ("Hyrax") and You (in either case, the "Agreement").

By signing the Agreement, You (as such term is defined in the Agreement) enter into this DPA on behalf of Yourself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of Your Authorized Affiliates, if and to the extent Hyrax processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purpose of this DPA only, and except where indicated otherwise, the term "You" shall include You and Authorized Affiliates. All capitalized terms not defined herein have the same meaning set forth in the Agreement.

In the course of providing the Services under the Agreement, Hyrax may Process Personal Data on Your behalf and the parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

How to Execute This DPA

This DPA consists of two parts: (a) the main body of the DPA, and (b) Schedules 1 and 2.

This DPA has been pre-signed on behalf of Hyrax. Schedule 1 has been pre-signed by Hyrax LLC as the data importer.

To complete this DPA, You must:

1. Complete the information in the signature box and sign on the designated page.
2. Send the completed and signed DPA to Hyrax by email to legal@gethyrax.app.

This DPA becomes legally binding upon receipt by Hyrax of this validly executed DPA at the above email address.

1. Data Processing Terms

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" for purposes of this definition, means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity.

"Authorized Affiliate" means any of Your Affiliate(s) which (a) is subject to Data Protection Laws and Regulations and (b) is permitted to use the Services pursuant to the Agreement between You and Hyrax, but has not signed its own Order Form with Hyrax and is not "You" as defined under the Agreement.

"Controller" means the entity which determines the means and purposes of the Processing of Personal Data.

"Data Protection Laws and Regulations" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including: 1) the California Consumer Privacy Act including as amended by the California Privacy Rights Act (together, "CCPA"), 2) the Virginia Consumer Data Protection Act, 3) and other laws and regulations of the United States and its states, 4) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR" or "GDPR"), 5) The Data Protection Act 2018 which is the UK's implementation of the General Data Protection Regulation ("UK GDPR"), 6) and other European Data Protection Laws and Regulations, each as amended from time to time.

"Data Subject" means the identified or identifiable person to whom Personal Data relates.

"Personal Data" or "Personal Information" means any information describing or relating to (i) an identified or identifiable natural person or household and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Your Data.

"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor" means the Party which Processes Personal Data on behalf of the Controller, including as applicable any "Service Provider" as that term is defined by the CCPA.

"Sub-processor" means any Processor engaged by Hyrax.

"Your Data" has the same meaning as defined in the Agreement, provided that such data is electronic data and information submitted by or for You to the Services.

2. Processing of Personal Data

2.1 Roles of the Parties. The parties acknowledge and agree that (a) with regard to the Processing of Personal Data, You are the Controller and Hyrax is the Processor, as applicable, and (b) Hyrax will engage Sub-processors pursuant to the requirements set forth in Section 5 "Sub-Processors" below.

2.2 Duration. Hyrax shall process Personal Data throughout the duration of the term of the Agreement (including any Order Form(s) thereto) or any renewal term thereof. Upon termination of the Services by either party, Hyrax shall cease processing Personal Data on Your behalf upon completion of the termination provisions described herein.

2.3 Your Processing of Personal Data. You shall, in Your use of the Services, Process Personal Data in accordance with the requirements of all applicable Data Protection Laws and Regulations, including without limitation requirements to provide notice to Data Subjects of the use of Hyrax as Processor. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which You acquired Personal Data.

2.4 Hyrax's Processing of Personal Data. You appoint Hyrax to process the Personal Data contained in Your Data on Your behalf as necessary for Hyrax to provide the Services under the Agreement. All Personal Data Processed under the Agreement (including this DPA) will be stored, organized, and made available to You as the Controller. Hyrax shall treat Personal Data as Confidential Information.

2.5 Nature, Purpose, and Subject-Matter of the Processing. The nature and purpose of Hyrax's Processing of Personal Data as Your Processor is described in and governed by the Agreement. The subject-matter of data Processed under this DPA includes:

• Repository metadata and code content submitted for scanning and fixing
• User account information for authentication and authorization
• Usage data related to the Services
• Any Personal Data contained within code comments, configuration files, or repository content

3. Rights of Data Subjects

Hyrax shall, to the extent legally permitted, promptly notify You if Hyrax receives a request from a Data Subject to exercise the Data Subject's right under applicable Data Protection Laws and Regulations relating to Your Data. Taking into account the nature of the Processing, if You are unable to independently address a Data Subject Request, Hyrax will assist You by appropriate technical and organizational measures, insofar as this is possible and to the extent Hyrax is legally permitted to do so.

4. Hyrax Personnel

4.1 Confidentiality. Hyrax shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.

4.2 Reliability. Hyrax shall take commercially reasonable steps to ensure the reliability of any Hyrax personnel engaged in the processing of Personal Data.

4.3 Limitation of Access. Hyrax shall ensure that Hyrax's access to Personal Data is limited to those personnel who are necessary to provide the Services.

4.4 Data Protection Officer. Hyrax has appointed a data protection officer. The appointed person may be reached at privacy@gethyrax.app.

5. Sub-processors

5.1 Appointment of Sub-processors. You authorize Hyrax to engage Sub-Processors to Process Your Data pursuant to the Agreement. Hyrax or a Hyrax Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement.

5.2 List of Current Sub-processors. Hyrax shall make available to You the current list of Sub-processors for the applicable Service(s) at https://gethyrax.app/legal/service-providers.

5.3 Objection Right for New Sub-processors. You may object to Hyrax's use of a new Sub-processor by notifying Hyrax promptly in writing within ten (10) business days after receipt of Hyrax's notice.

6. Security

6.1 Controls for the Protection of Your Data. Hyrax shall maintain appropriate technical and organizational measures for protection of the security, confidentiality and integrity of Your Data. Those safeguards include measures designed to prevent unauthorized access to or disclosure of Your Data.

6.2 Code and Repository Data. For Hyrax's code scanning and fixing services specifically:

• Code is processed in isolated, ephemeral compute environments
• Repository content is not retained after processing is complete
• Scanning results and fix suggestions are stored only as long as necessary to deliver the Services
• No code is used to train machine learning models without explicit consent

7. Data Incident Management

Hyrax shall notify You without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Your Data, including Personal Data, transmitted, stored or otherwise Processed by Hyrax or its Sub-processors (a "Data Incident"). Hyrax shall make reasonable efforts to identify the cause of such Data Incident and take such steps as Hyrax deems necessary and reasonable to remediate the cause.

8. Return or Deletion of Personal Data

Upon termination or expiration of the Agreement or any renewal term thereof, Hyrax will delete all Personal Data Processed under the Agreement that is in Hyrax's possession within 60 days. The requirements of this Section do not apply to the extent that Hyrax is required by applicable law to retain some or all of Your Data.

9. European Union Specific Provisions

The parties agree that transfers of Personal Data, which are processed in accordance with the EU GDPR, from the Data Exporter to the Data Importer outside of the European Economic Area, are made pursuant to the Module Two (Controller to Processor) EU Standard Contractual Clauses.

10. US State Specific Provisions

To the extent Hyrax Processes Personal Data that is subject to the protection of the CCPA and other US State Privacy Laws:

• Hyrax will Process Personal Information as Your Service Provider strictly for the business purpose of performing the Service
• Hyrax shall not Sell Personal Information contained in Your Data
• Hyrax shall not Share Personal Information with third parties for cross-contextual behavioral advertising purposes
• Hyrax shall not retain, use, or disclose Personal Information outside of the direct business relationship between You and Hyrax

11. Limitation of Liability

Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of the Agreement.

Contact Information