
Table of Contents

  • Introduction
  • Definitions
  • Scope of Processing
  • Processor Obligations
  • Security Measures
  • Sub-processors
  • Data Subject Rights
  • International Data Transfers
  • Breach Notification
  • Data Return & Deletion
  • Audit Rights
  • Term
  • Contact

Data Processing Agreement

Effective Date: March 1, 2026 | Version 1.0

This Data Processing Agreement ("DPA") forms part of the service agreement ("Agreement") between the customer entity identified in the Agreement ("Controller") and Varanic LLC ("Processor," "Varanic," "we," "us," or "our"). This DPA sets forth the terms and conditions under which the Processor will process Personal Data on behalf of the Controller in connection with the provision of the Varanic platform and related services.

1. Introduction

This DPA is entered into by and between the Controller and the Processor and supplements the Agreement. The purpose of this DPA is to ensure that the processing of Personal Data by the Processor on behalf of the Controller is carried out in compliance with applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable privacy legislation.

In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail with respect to the processing of Personal Data. All capitalized terms not defined herein shall have the meanings set forth in the Agreement.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings ascribed to them below:

  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data and has entered into the Agreement with the Processor for the provision of the Varanic platform services.
  • "Processor" means Varanic LLC, which processes Personal Data on behalf of the Controller in connection with the provision of the platform services.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the platform services.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the platform services.
  • "Supervisory Authority" means an independent public authority established by a member state pursuant to the GDPR, or any analogous regulatory body with jurisdiction over data protection matters in the applicable jurisdiction.

3. Scope of Processing

Types of Personal Data Processed

The Processor may process the following categories of data in connection with the provision of the platform services:

  • Counterparty Financial Data: Financial statements, credit metrics, SEC filings, and related financial information pertaining to entities monitored through the platform.
  • User Account Data: Names, email addresses, job titles, organizational affiliations, and authentication credentials of individuals authorized to access the platform on behalf of the Controller.
  • Usage Data: Platform activity logs, session data, feature usage patterns, and system interaction records generated through the use of the platform.

Purpose of Processing

Personal Data shall be processed solely for the purpose of providing the Varanic platform services as described in the Agreement, including counterparty financial monitoring, credit analysis, portfolio management, regulatory compliance support, and reporting functionality.

Duration of Processing

The Processor shall process Personal Data for the duration of the Agreement between the Controller and the Processor, unless otherwise required by applicable law or as set forth in Section 10 of this DPA regarding data return and deletion.

4. Processor Obligations

The Processor shall comply with the following obligations with respect to the processing of Personal Data:

  • Controller Instructions: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
  • Confidentiality: Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data shall be limited to personnel who require such access to perform their duties.
  • Security Measures: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Section 5 of this DPA.
  • Data Subject Requests: Assist the Controller, by appropriate technical and organizational measures and insofar as possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law.
  • Breach Notification: Notify the Controller without undue delay after becoming aware of a personal data breach, as further described in Section 9 of this DPA.
  • Data Return and Deletion: Upon termination of the Agreement, return or delete all Personal Data at the Controller's election, as further described in Section 10 of this DPA.
  • Audit Cooperation: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, as further described in Section 11 of this DPA.

5. Security Measures

The Processor implements and maintains appropriate technical and organizational security measures in accordance with its Information Security Policy. These measures are designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Current security measures include:

  • Encryption in Transit: All data transmitted between the platform and end users is encrypted using TLS 1.2 or higher protocols, ensuring the confidentiality and integrity of data during transmission.
  • Encryption at Rest: All stored data is protected by AES-256 encryption via volume-level encryption on production storage infrastructure.
  • Multi-Factor Authentication (MFA): MFA is available for all user accounts and enforced for administrative accounts, providing an additional layer of identity verification beyond password-based authentication.
  • Role-Based Access Control (RBAC): Access to Personal Data within the platform is governed by role-based permissions, ensuring that users can only access data and functionality appropriate to their assigned role.
  • Audit Logging: Comprehensive audit trails are maintained for all user actions and system events, enabling detection of unauthorized access attempts and supporting forensic investigation capabilities.
  • Session Management: Secure session handling with automatic expiration, token-based authentication, and protection against session hijacking and fixation attacks.
  • Rate Limiting: API and endpoint rate limiting is implemented to prevent abuse, brute-force attacks, and denial of service attempts.

The Processor shall regularly review and update these security measures to address evolving threats and maintain alignment with industry best practices. A detailed description of the Processor's security practices is available at varanic.ai/security.

6. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors to assist in the provision of the platform services, subject to the conditions set forth in this section. The Processor shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set forth in this DPA.

Current Sub-processors

The following Sub-processors are currently engaged by the Processor in connection with the platform services:

  • Anthropic — AI processing and large language model services. Located in San Francisco, California, United States.
  • Amazon Web Services (AWS) — Cloud hosting, computing, and data storage infrastructure. Located in the United States (us-east-1 region).
  • Resend — Transactional email delivery services for platform notifications and communications.

Notification of Changes

The Processor shall notify the Controller in advance of any intended changes to the list of Sub-processors, including the addition or replacement of Sub-processors. Such notification shall be provided with sufficient detail to enable the Controller to evaluate the proposed change.

Right to Object

The Controller may object to the appointment or replacement of a Sub-processor within thirty (30) days of receiving notification from the Processor. If the Controller raises a reasonable objection, the Processor shall use commercially reasonable efforts to make available to the Controller a change in the platform services or recommend a commercially reasonable alternative. If no resolution is possible, either party may terminate the affected portion of the Agreement.

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under applicable data protection law. Such rights may include, but are not limited to:

  • Right of Access: The right to obtain confirmation of whether Personal Data is being processed and, where that is the case, access to the Personal Data and related information.
  • Right to Rectification: The right to obtain the correction of inaccurate Personal Data and the completion of incomplete Personal Data.
  • Right to Erasure: The right to obtain the deletion of Personal Data where the data is no longer necessary for the purposes for which it was collected, or where the Data Subject withdraws consent.
  • Right to Data Portability: The right to receive Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to Restriction of Processing: The right to obtain the restriction of processing in certain circumstances, such as where the accuracy of the data is contested.
  • Right to Object: The right to object to the processing of Personal Data on grounds relating to the Data Subject's particular situation.

Upon receiving a request from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request directly unless authorized to do so by the Controller. The Processor shall provide reasonable cooperation and assistance to the Controller in handling such requests within the timeframes required by applicable law.

8. International Data Transfers

Personal Data processed under this DPA is stored and processed in the United States. The Processor maintains its primary infrastructure and operations within the United States.

For Controllers or Data Subjects located in the European Economic Area (EEA), United Kingdom, or Switzerland, the Processor shall ensure that any transfer of Personal Data to the United States is conducted in compliance with applicable data protection law. The Processor shall, upon request, enter into the Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914) as a lawful mechanism for the transfer of Personal Data to third countries. The applicable module is Module 2 (Controller to Processor).

The Processor shall implement appropriate supplementary measures as necessary to ensure that the level of protection afforded to Personal Data is not undermined by the transfer, taking into account the legal framework of the destination country.

9. Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification shall include, to the extent available at the time of notification:

  • A description of the nature of the personal data breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records concerned.
  • The name and contact details of the Processor's data protection contact or other point of contact from whom further information may be obtained.
  • A description of the likely consequences of the personal data breach.
  • A description of the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where it is not possible to provide all information at the time of the initial notification, the Processor shall provide the information in phases without further undue delay. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10. Data Return and Deletion

Upon termination or expiration of the Agreement, the Processor shall, at the Controller's election, either return all Personal Data to the Controller in a structured, commonly used, and machine-readable format, or securely delete all Personal Data within thirty (30) days of receiving the Controller's written instruction. The Controller shall communicate its election within fifteen (15) days of termination.

If no instruction is received from the Controller within the specified timeframe, the Processor shall securely delete all Personal Data within thirty (30) days following the expiration of the instruction period.

The Processor shall certify in writing to the Controller that all Personal Data has been deleted or returned, as applicable. Such certification shall be provided upon request. The Processor may retain copies of Personal Data only to the extent required by applicable law, and shall inform the Controller of any such retention requirement.

For the avoidance of doubt, the return and deletion obligations in this Section 10 apply to Personal Data and identifiable Customer Data only. Aggregated, anonymized, and de-identified data as described in Section 6 of the Terms of Service — including statistical benchmarks, model training data derived from user corrections, and anonymized extraction accuracy metrics — are not Personal Data and are not subject to the return or deletion requirements of this DPA. The Processor's rights in such Aggregated Data survive termination of the Agreement as set forth in the Terms of Service.

11. Audit Rights

The Controller may audit the Processor's compliance with this DPA once per calendar year upon providing at least thirty (30) days' prior written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's business operations.

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including SOC 2 audit reports, security assessment results, and other relevant compliance documentation. Where the Processor has obtained third-party audit reports or certifications relevant to its processing activities, such documentation may be provided in lieu of an on-site audit at the Processor's discretion.

The Controller shall bear its own costs in connection with any audit conducted under this section. The Processor shall cooperate in good faith with any audit and shall promptly address any deficiencies identified during the audit process.

12. Term

This DPA shall become effective on the date the Agreement is executed and shall remain in effect for the duration of the Agreement. Upon termination or expiration of the Agreement, this DPA shall automatically terminate, provided that the Processor's obligations with respect to the return or deletion of Personal Data under Section 10 and any obligations arising from applicable law shall survive termination.

The confidentiality obligations set forth in this DPA shall survive the termination of this DPA and the Agreement for a period of five (5) years, or for such longer period as required by applicable law.

13. Contact

For questions, requests, or communications regarding this DPA or the processing of Personal Data, please contact the Processor's data protection team:

Data Protection Contact

Varanic LLC

Email: [email protected]

The Processor shall respond to all inquiries related to this DPA within a reasonable timeframe and in accordance with the requirements of applicable data protection law.

© 2026 Varanic LLC. All rights reserved.