Data Processing Addendum

Last updated: May 26, 2026

This Data Processing Addendum (the "DPA") forms part of, and is incorporated by reference into, the VerifyPDF Terms of Service (the "Agreement") between VerifyPDF LLC, a limited liability company registered in the State of New Mexico, United States of America, with a registered address at 5203 Juan Tabo Blvd STE 2B, Albuquerque, New Mexico 87111 ("VerifyPDF"), and the customer that has accepted the Agreement (the "Customer"). It reflects the parties' agreement on the processing of Customer Personal Data under the European Union General Data Protection Regulation 2016/679 ("GDPR"), the United Kingdom General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("Swiss FADP") and any other applicable data protection law. No separate signature is required. A counter-signed copy is available on request from [email protected].

Article 1. Definitions

Capitalised terms used but not defined in this DPA have the meaning given to them in the Agreement. For the purposes of this DPA:

  • "Applicable Data Protection Law" means the GDPR, the UK GDPR, the Swiss FADP and any other data protection or privacy law applicable to the processing of Customer Personal Data under this DPA.
  • "Customer" means the legal entity that has entered into the Agreement with VerifyPDF and on whose behalf VerifyPDF processes Customer Personal Data.
  • "Customer Data" means any data, including documents, files and metadata, that the Customer or its authorised users submit to or generate through the Service.
  • "Customer Personal Data" means Personal Data contained in Customer Data that VerifyPDF processes on behalf of the Customer in connection with the Service.
  • "Personal Data" has the meaning given in Article 4(1) of the GDPR and equivalent terms under the UK GDPR and Swiss FADP.
  • "Processor", "Controller", "Data Subject", "Processing" and "Supervisory Authority" have the meanings given in Article 4 of the GDPR.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data processed by VerifyPDF or any Subprocessor.
  • "Service" means the VerifyPDF document verification platform and associated APIs and web application made available to the Customer under the Agreement.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.
  • "Subprocessor" means any third party engaged by VerifyPDF or any VerifyPDF affiliate to process Customer Personal Data on behalf of the Customer.
  • "VerifyPDF" means VerifyPDF LLC, the contracting entity under the Agreement.

Article 2. Roles and Scope

For the purposes of this DPA the Customer is the Controller of Customer Personal Data and VerifyPDF is the Processor. The parties acknowledge that, where Customer Personal Data relates to Data Subjects whose personal data the Customer itself processes on behalf of a third party, the Customer may be acting as a Processor for that third party. In that case the Customer warrants that it has the necessary authority to instruct VerifyPDF to process such data as a Subprocessor of the Customer, and VerifyPDF's obligations under this DPA are owed to the Customer in that capacity.

This DPA is incorporated by reference into the Agreement and forms an integral part of it. No separate signature is required. In the event of a conflict between this DPA and any other part of the Agreement, including the Terms of Service, this DPA prevails to the extent the conflict concerns the processing of Customer Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses in Schedule 4, the Standard Contractual Clauses prevail.

This DPA applies to the processing of Customer Personal Data by VerifyPDF in the course of providing the Service, in any case where Applicable Data Protection Law applies to such processing, including where Customer Personal Data relates to Data Subjects located in the European Economic Area ("EEA"), the United Kingdom or Switzerland, or where the Customer is established in any of those territories.

Article 3. Processor Obligations

VerifyPDF will process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Customer Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which VerifyPDF is subject. In that case VerifyPDF will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Agreement, including this DPA, the Customer's lawful use of the Service and any written instructions issued by the Customer to [email protected], constitute the Customer's complete and final instructions to VerifyPDF.

VerifyPDF will not sell, share or otherwise make Customer Personal Data available to any third party except as expressly permitted by this DPA. VerifyPDF will not use Customer Personal Data, and will not permit any Subprocessor to use Customer Personal Data, to train, fine-tune, evaluate or otherwise develop any machine-learning model, large language model or other artificial-intelligence system, whether for the benefit of VerifyPDF, any affiliate or any third party.

VerifyPDF will ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and will limit access to Customer Personal Data to those personnel whose access is necessary to provide the Service.

Taking into account the nature of the processing and the information available to VerifyPDF, VerifyPDF will assist the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 of the GDPR (security of processing, notification and communication of personal data breaches, data protection impact assessments and prior consultation with the Supervisory Authority). VerifyPDF may charge a reasonable fee for assistance that goes materially beyond the standard features of the Service.

VerifyPDF will inform the Customer without undue delay if, in its opinion, an instruction from the Customer infringes Applicable Data Protection Law. VerifyPDF is not obliged to perform an independent legal review of Customer instructions.

Article 4. Subprocessors

The Customer grants VerifyPDF a general written authorisation to engage the Subprocessors listed in Schedule 3 (Approved Subprocessors), and to engage additional or replacement Subprocessors subject to the notice and objection mechanism in this Article 4.

VerifyPDF will give the Customer at least thirty (30) days' prior notice of any addition or replacement of a Subprocessor that processes Customer Personal Data, by updating Schedule 3 and notifying the Customer by email to the account billing or administrative contact, or via a banner or notice in the Service. The Customer may also subscribe to subprocessor change notifications by emailing [email protected].

The Customer may object to the proposed addition or replacement of a Subprocessor on reasonable grounds related to the protection of Customer Personal Data by giving written notice to [email protected] within the thirty (30) day notice period. The parties will work together in good faith to find a commercially reasonable resolution, which may include offering an alternative configuration of the Service where available. If no resolution is reached, the Customer may, as its sole and exclusive remedy, terminate the Agreement with respect to the affected components of the Service by giving written notice to VerifyPDF within fifteen (15) days after the end of the good-faith discussion. Termination on this basis does not entitle the Customer to a refund of fees already paid for the period before termination, but VerifyPDF will refund any prepaid fees for the affected components covering the period after the effective date of termination.

Where VerifyPDF engages a Subprocessor to carry out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this DPA are imposed on that Subprocessor by way of a written contract, providing in particular sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of Applicable Data Protection Law. Where the Subprocessor fails to fulfil its data protection obligations, VerifyPDF remains fully liable to the Customer for the performance of that Subprocessor's obligations.

Article 5. Security Measures

VerifyPDF will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data, as set out in Schedule 2 (Technical and Organisational Measures). Those measures take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects.

VerifyPDF may update the measures in Schedule 2 from time to time, provided that any update does not materially reduce the overall level of security of Customer Personal Data.

Article 6. Data Subject Requests

Taking into account the nature of the processing, VerifyPDF will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Law, including the rights of access, rectification, erasure, restriction of processing, data portability and objection.

If VerifyPDF receives a request directly from a Data Subject relating to Customer Personal Data, VerifyPDF will, without undue delay, forward the request to the Customer at the administrative contact on file and will not respond to the Data Subject directly except to confirm receipt and to direct the Data Subject to the Customer. The Customer is responsible for responding to the request, including for verifying the identity of the Data Subject and for assessing whether the request is well-founded under Applicable Data Protection Law.

Article 7. Security Incidents

VerifyPDF will notify the Customer in writing without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Security Incident affecting Customer Personal Data. The notification will be sent to the administrative contact on file and to any data protection or security contact that the Customer has provided to [email protected].

The notification will describe, to the extent then known to VerifyPDF: the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned; the name and contact details of VerifyPDF's data protection officer or other contact point where more information can be obtained; the likely consequences of the Security Incident; and the measures taken or proposed to be taken by VerifyPDF to address the Security Incident and to mitigate its possible adverse effects. Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay.

VerifyPDF's notification of or response to a Security Incident under this Article 7 is not an acknowledgement by VerifyPDF of any fault or liability with respect to the Security Incident. The Customer remains solely responsible for assessing whether the Security Incident triggers any notification obligation on its part to a Supervisory Authority or to Data Subjects under Applicable Data Protection Law and, if so, for making any such notification within the applicable statutory timeframe.

Article 8. Audits

VerifyPDF will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, in accordance with this Article 8.

The Customer's audit right is satisfied by VerifyPDF making available, on reasonable written notice and subject to confidentiality undertakings: (a) the most recent independent third-party security or compliance assessment report covering the Service, which for the avoidance of doubt may take the form of a SOC 2 Type II report, an ISO/IEC 27001 certificate and statement of applicability, an independent penetration-test summary or a substantially equivalent instrument, where one is in place; and (b) responses to a written security and data protection questionnaire submitted by the Customer, which VerifyPDF will use reasonable efforts to return within thirty (30) days of receipt. The Customer may exercise this right no more than once in any rolling twelve (12) month period, except where the Customer is required to do so by a Supervisory Authority or following a Security Incident affecting Customer Personal Data, in which case additional exercises may be made on reasonable notice.

VerifyPDF maintains a written record of the categories of processing activities carried out on behalf of the Customer in accordance with Article 30(2) of the GDPR, and will make a summary of that record available to the Customer on reasonable written request as part of the audit mechanism set out in this Article 8.

VerifyPDF does not permit customer-led on-site audits of its data centres, infrastructure or office premises. Where a Supervisory Authority requires an on-site audit that cannot be satisfied by the documentation and questionnaire process set out above, the parties will work together in good faith to scope an audit that meets the Supervisory Authority's requirements while respecting VerifyPDF's confidentiality obligations to other customers and the security of the Service.

Any auditor mandated by the Customer must execute a non-disclosure agreement with VerifyPDF on reasonable terms before receiving any information or access. Each party bears its own costs in connection with an audit under this Article 8, except that the Customer will reimburse VerifyPDF for any out-of-pocket costs reasonably incurred by VerifyPDF where the audit exceeds the once-per-twelve-month limit set out above.

Article 9. Return and Deletion

At the choice of the Customer, VerifyPDF will delete or return all Customer Personal Data after the end of the provision of services relating to the processing, and will delete existing copies unless Union or Member State law requires storage of the Customer Personal Data. Deletion or return will be completed within thirty (30) days after termination or expiry of the Agreement, or, where the Customer requests deletion or return during the term of the Agreement, within thirty (30) days after the date of the request.

The retention windows set out in Schedule 1, including the maximum ninety (90) day retention of uploaded documents, apply throughout the term of the Agreement and continue to apply to any Customer Personal Data submitted in the final billing period. The thirty (30) day deletion window in this Article 9 applies to account-level data, including account identifiers, configuration, audit logs and any Customer Personal Data not already deleted under the Schedule 1 retention windows.

VerifyPDF may retain Customer Personal Data to the extent and for the period required by Applicable Data Protection Law or other applicable law, in which case VerifyPDF will continue to protect the Customer Personal Data in accordance with this DPA and will process it only for the purposes mandated by that law. VerifyPDF will, on the Customer's written request, certify in writing that it has deleted or returned Customer Personal Data in accordance with this Article 9.

Article 10. International Transfers

VerifyPDF primarily processes Customer Personal Data in the European Union, in Amazon Web Services region eu-central-1 (Frankfurt, Germany). Where the provision of the Service requires the transfer of Customer Personal Data outside the EEA, the United Kingdom or Switzerland to a country that has not received an adequacy decision from the European Commission, the United Kingdom Government or the Swiss Federal Council, as applicable, the parties agree that such transfers will be governed by the appropriate transfer mechanism set out in Schedule 4.

For transfers of Customer Personal Data from the EEA to which the GDPR applies, the parties agree to the EU Standard Contractual Clauses (Module 2: controller to processor) on the terms set out in Schedule 4. For transfers from the United Kingdom to which the UK GDPR applies, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B.1.0, applies as set out in Schedule 4. For transfers from Switzerland to which the Swiss FADP applies, the Swiss Addendum set out in Schedule 4 applies.

Where Customer Personal Data is transferred to a Subprocessor in a third country, VerifyPDF will ensure that an appropriate transfer mechanism is in place between VerifyPDF and that Subprocessor, as identified in Schedule 3, including the Standard Contractual Clauses or, where applicable, an adequacy decision of the European Commission, the United Kingdom Government or the Swiss Federal Council.

Article 11. General

This DPA takes effect on the date the Customer first accepts the Agreement or, if later, the date this DPA is published, and remains in force for the duration of the Agreement and for as long as VerifyPDF retains any Customer Personal Data after termination or expiry. Article 7 (Security Incidents), Article 8 (Audits to the extent of retained data), Article 9 (Return and Deletion) and Article 10 (International Transfers) survive termination for as long as VerifyPDF retains any Customer Personal Data.

This DPA, and any non-contractual obligations arising out of or in connection with it, are governed by the laws of the Kingdom of the Netherlands, and any dispute arising out of or in connection with this DPA is subject to the exclusive jurisdiction of the competent courts of the Netherlands. Where the Standard Contractual Clauses in Schedule 4 apply, the governing law and jurisdiction clauses of the Standard Contractual Clauses prevail to the extent required by those Clauses.

If any provision of this DPA is held to be invalid, illegal or unenforceable, the remaining provisions continue in full force and effect. VerifyPDF may update this DPA on reasonable prior notice to the Customer where the update is required to comply with Applicable Data Protection Law, a decision of a Supervisory Authority or a court of competent jurisdiction, or where the update does not materially diminish the protection of Customer Personal Data. Any other amendment requires the written agreement of both parties.

The Customer may obtain a counter-signed copy of this DPA by emailing [email protected] from the administrative contact of record. Notices under this DPA may be given by email to [email protected] for VerifyPDF, and to the administrative contact on file for the Customer.

Schedule 1. Details of Processing

Part A. Nature and Purpose of Processing

Subject matter. The processing of Customer Personal Data necessary for VerifyPDF to provide the Service to the Customer under the Agreement, including the verification of uploaded documents for indicators of fraud, signature validation, metadata extraction and the provision of structured verification results to the Customer.

Duration. The term of the Agreement, plus the retention windows set out in Part B of this Schedule 1 and Article 9 of this DPA.

Nature of the processing. Storage, retrieval, cryptographic verification, heuristic and statistical analysis, optional optical character recognition, generation of verification reports, transmission of results to the Customer and deletion at the end of the applicable retention period. Processing is automated. VerifyPDF personnel access Customer Personal Data only where strictly necessary for the provision and support of the Service.

Purpose of the processing. Detection and prevention of document fraud, provision of structured verification results to the Customer and operation, maintenance and security of the Service.

Part B. Data Subjects, Data Categories and Retention

Categories of Data Subjects. As determined by the Customer in its capacity as Controller, including: the Customer's end users; document signatories and issuers; individuals named or referenced in documents uploaded by the Customer to the Service; and the Customer's authorised personnel who hold accounts in the Service.

Categories of Personal Data. As determined by the Customer in its capacity as Controller. Depending on the documents the Customer chooses to upload, this may include identity documents, payslips, bank statements, tax returns, contracts, invoices, utility bills, names, contact details, residential and business addresses, dates of birth, financial information, employment information, government-issued identification numbers, signatures, photographs and any other Personal Data contained in the uploaded document. The Customer is responsible for determining whether the Service is appropriate for the categories of Personal Data it chooses to submit, including any special categories of Personal Data under Article 9 of the GDPR.

Retention periods.

  • Uploaded documents and Customer Personal Data extracted from them: retained for a maximum of ninety (90) days from the date of upload, after which they are deleted from primary and backup storage in accordance with VerifyPDF's data lifecycle policies.
  • Account and billing data: retained for the term of the Agreement and for up to seven (7) years after termination, to the extent required by tax and accounting law applicable to VerifyPDF.
  • Security and operational logs: retained for up to twelve (12) months for security monitoring, incident response and audit purposes, after which they are deleted or anonymised.

All processing of Customer Personal Data takes place in Amazon Web Services region eu-central-1 (Frankfurt, Germany), subject to the limited transfers to Subprocessors identified in Schedule 3.

Schedule 2. Technical and Organisational Measures

VerifyPDF implements and maintains the following technical and organisational measures to protect Customer Personal Data. The measures are subject to ongoing review and may be updated from time to time, provided that any update does not materially reduce the overall level of security.

1. Encryption

  • In transit. All Customer Personal Data is encrypted in transit using Transport Layer Security version 1.2 or higher with strong cipher suites.
  • At rest. All Customer Personal Data stored in Amazon S3, DynamoDB and other AWS managed services is encrypted at rest using AWS-managed server-side encryption with AES-256.

2. Access Control

  • Access to production systems and Customer Personal Data is restricted on a least-privilege basis through AWS Identity and Access Management roles tied to job function.
  • Multi-factor authentication is enforced on all administrative access to production systems and on all VerifyPDF employee accounts that can reach Customer Personal Data.
  • Access is logged, reviewed periodically and revoked promptly on role change or termination of employment.

3. Data Location and Network Security

  • Primary processing and storage of Customer Personal Data takes place in Amazon Web Services region eu-central-1 (Frankfurt, Germany).
  • Production networks are segmented from corporate networks and from development and test environments.
  • Public-facing endpoints are protected by AWS WAF rules, rate limiting and Cloudflare DDoS mitigation.

4. Vulnerability and Patch Management

  • Container images and application dependencies are scanned for known vulnerabilities on every build and on a recurring schedule.
  • Critical and high-severity vulnerabilities are remediated according to a documented service-level objective.
  • Underlying AWS managed services are patched by AWS in accordance with AWS's shared-responsibility model.

5. Incident Response

  • A documented incident response procedure governs the detection, triage, containment, eradication, recovery and post-incident review of Security Incidents.
  • On-call engineering staff are reachable around the clock.
  • Security Incident notifications to Customers are made in accordance with Article 7.

6. Backup, Resilience and Business Continuity

  • Customer Personal Data stored in S3 and DynamoDB benefits from AWS native durability guarantees and is mirrored to a backup S3 bucket within the same EU region.
  • Recovery procedures are documented and exercised periodically.

7. Vendor and Subprocessor Management

  • Subprocessors are selected on the basis of their ability to meet the data protection and security obligations set out in this DPA.
  • Subprocessor contracts include the flow-down obligations required by Article 4 and an appropriate transfer mechanism where required.

8. Personnel

  • All VerifyPDF personnel with access to Customer Personal Data are bound by written confidentiality obligations that survive termination of their engagement.
  • Personnel receive security and data protection training on hire and at regular intervals thereafter.

Schedule 3. Approved Subprocessors

The following Subprocessors are authorised by the Customer to process Customer Personal Data as of the "Last updated" date at the top of this DPA. VerifyPDF will update this list and notify the Customer in accordance with Article 4 when a Subprocessor is added or replaced.

Amazon Web Services EMEA SARL

  • Purpose: Hosting, storage and transactional email
  • Country / Region: eu-central-1 (Frankfurt, EU). AWS Ireland for billing.
  • Data Categories: All Customer Data uploaded for verification, account metadata, transactional email content
  • Transfer Mechanism: Intra-EEA. No third-country transfer for processing.

Stripe Payments Europe, Ltd.

  • Purpose: Subscription billing
  • Country / Region: Ireland (EU billing entity). Onward transfer to Stripe, Inc. (United States) governed by Stripe's own data processing agreement.
  • Data Categories: Billing email, company name, payment method (Stripe-tokenised. VerifyPDF never sees the primary account number.)
  • Transfer Mechanism: Intra-EEA between VerifyPDF and Stripe Payments Europe. Onward transfer by Stripe governed by EU Standard Contractual Clauses (Module 3) under Stripe's data processing agreement.

Subprocessors may engage further sub-processors only on terms equivalent to those of this DPA. VerifyPDF remains liable to the Customer for the acts and omissions of its Subprocessors as if they were its own.

Schedule 4. Cross-Border Transfer Mechanisms

Part A. EU Standard Contractual Clauses

Where Customer Personal Data is transferred from the EEA to a country outside the EEA that has not received an adequacy decision from the European Commission, the parties incorporate by reference the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (controller to processor), with the following selections:

  • Data exporter: the Customer, acting as Controller of the Customer Personal Data identified in Schedule 1.
  • Data importer: VerifyPDF LLC, acting as Processor of the Customer Personal Data identified in Schedule 1.
  • Docking clause (Clause 7): the optional docking clause does not apply.
  • Subprocessing (Clause 9): Option 2 (general written authorisation) applies, with a minimum notice period of thirty (30) days for additions or replacements, as set out in Article 4.
  • Redress (Clause 11): the optional independent dispute resolution body does not apply.
  • Governing law (Clause 17): the laws of the Kingdom of the Netherlands.
  • Choice of forum and jurisdiction (Clause 18): the competent courts of the Netherlands.
  • Competent Supervisory Authority (Annex I.C): the supervisory authority of the EU or EEA Member State in which the data exporter is established. Where the data exporter is not established in the EEA, the competent supervisory authority is determined in accordance with Clause 13(a) of the Standard Contractual Clauses.
  • Annex I (description of the transfer): populated by the parties from Schedule 1 of this DPA.
  • Annex II (technical and organisational measures): populated by Schedule 2 of this DPA.
  • Annex III (list of sub-processors): populated by Schedule 3 of this DPA.

Where VerifyPDF onward-transfers Customer Personal Data to a Subprocessor located in a third country, Module 3 (processor to processor) of the same Standard Contractual Clauses applies between VerifyPDF and that Subprocessor, flowed down in accordance with Clause 9 of Module 2 and Article 4 of this DPA.

Part B. UK International Data Transfer Addendum

Where Customer Personal Data is transferred from the United Kingdom to a country outside the United Kingdom that has not received an adequacy regulation from the United Kingdom Government, the parties incorporate by reference the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under section 119A of the Data Protection Act 2018, version B.1.0, in force on 21 March 2022, with the following selections:

  • Table 1 (Parties): the data exporter and data importer identified in Part A of this Schedule 4.
  • Table 2 (Selected SCCs, Modules and Selected Clauses): Module 2 of the EU SCCs as incorporated in Part A of this Schedule 4.
  • Table 3 (Appendix Information): populated by Schedules 1, 2 and 3 of this DPA.
  • Table 4 (Ending this Addendum when the Approved Addendum Changes): neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.

Part C. Swiss Addendum

Where Customer Personal Data is transferred from Switzerland to a country outside Switzerland that has not received an adequacy decision from the Swiss Federal Council, the EU Standard Contractual Clauses as incorporated in Part A of this Schedule 4 apply with the following adaptations, in accordance with the guidance of the Federal Data Protection and Information Commissioner ("FDPIC"):

  • References to the GDPR are read as also referring to the Swiss FADP, where the Swiss FADP applies to the relevant transfer.
  • The competent supervisory authority is the FDPIC, where the Swiss FADP applies to the relevant transfer.
  • The term "Member State" is read so as not to deprive Data Subjects in Switzerland of the possibility of enforcing their rights in their place of habitual residence.
  • References to personal data are read as including the personal data of legal persons until the entry into force of the revised Swiss FADP that no longer covers legal persons.

Part D. Other Transfers

Where Customer Personal Data is transferred under another data protection law that requires a specific transfer mechanism, the parties will cooperate in good faith to put in place the appropriate mechanism, including any standard contractual clauses or equivalent instrument issued by the relevant authority.