Corvic, Inc. — Data Processing Agreement

"Controller" means the entity that determines the purposes and means of the processing of Personal Data. "Processor" means the entity that processes Personal Data on behalf of the Controller. "Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data.

"Sub-processor" means any Processor engaged by Corvic to assist in fulfilling its obligations with respect to providing the Services. "Data Subject" means the individual to whom Personal Data relates.

You are the Controller and Corvic is the Processor of Personal Data processed in connection with the Services. Corvic will only process Personal Data in accordance with your documented instructions, including the instructions set forth in this DPA, the Terms of Service, and any additional written instructions agreed upon by the parties.

Corvic shall not process Personal Data for any purpose other than providing the Services unless required to do so by applicable law, in which case Corvic shall inform you of that legal requirement before processing.

Corvic shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Corvic shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services.

You acknowledge and agree that Corvic may engage Sub-processors to assist in providing the Services. Corvic shall maintain an up-to-date list of Sub-processors and shall notify you of any intended changes to Sub-processors, giving you the opportunity to object.

Current authorized Sub-processors include: Auth0 (authentication), WorkOS (enterprise SSO), Google Cloud Platform (infrastructure), OpenAI (AI model services), ClickHouse Cloud (analytics database), Stripe (payment processing), Datadog (monitoring), SendGrid (email delivery), Segment (analytics), and Cloudflare (CDN and security).

Corvic shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: (a) encryption of Personal Data at rest and in transit; (b) ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems; (c) ability to restore availability and access to Personal Data in a timely manner in the event of an incident; and (d) regular testing, assessing, and evaluating the effectiveness of security measures.

Corvic shall notify you without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. Such notification shall include: the nature of the breach, categories and approximate number of affected Data Subjects, likely consequences, and measures taken or proposed to address the breach.

Personal Data may be transferred to countries outside the European Economic Area (EEA) or the United Kingdom. Where such transfers occur, Corvic shall ensure that appropriate safeguards are in place in accordance with applicable data protection law.

For transfers from the EU/EEA, Corvic relies on the EU Standard Contractual Clauses (SCCs) as the transfer mechanism. For transfers from the UK, Corvic relies on the UK International Data Transfer Addendum to the EU SCCs.

Corvic shall, taking into account the nature of the processing, assist you by appropriate technical and organizational measures for the fulfillment of your obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law.

If Corvic receives a request from a Data Subject in relation to Personal Data, Corvic shall promptly redirect the Data Subject to you and shall not respond to the request directly without your prior authorization.

Corvic shall make available to you all information necessary to demonstrate compliance with this DPA and applicable data protection laws, and shall allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

Audits shall be conducted with reasonable advance notice and during normal business hours, and shall not unreasonably disrupt Corvic's operations.

This DPA shall be governed by and construed in accordance with the laws governing the underlying Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

Upon termination of the Services, Corvic shall, at your election, delete or return all Personal Data to you and delete existing copies unless applicable law requires storage of the Personal Data. Corvic shall certify in writing that it has complied with this requirement.