
DATA PROCESSING ADDENDUM
Version 1.1
Last Updated: 05/14/2025

INTRODUCTION

This Data Processing Addendum (“DPA”) is an agreement between Service Provider and Client and supplements the Client Subscription Terms and Order Form(s) (“Agreement”). Capitalized terms not otherwise defined herein will have the meanings given to them in the Agreement.

General Note Regarding Annex I - List of Parties
This Annex supplements the Standard Contract Clauses as referenced in the Data Processing Addendum (DPA) published at https://www.anaphora.tech/data-processing-addendum.
The identities, roles, and contact persons of the parties required under Annex I of the SCCs and Article 28(3) GDPR are defined in each customer agreement (e.g., Client Subscription Order). These agreements, which incorporate the DPA by reference, serve as the authoritative source for that information.
Depending on the contracting entity, services are provided by one of the following:
Cetrez C5 Suite AB
Company Reg. No.: 559294-4531
Kvarnbygatan 8A, 431 34 Mölndal, Sweden
Anaphora, Inc.
261 Madison Avenue, 9th Floor
New York, NY 10016, United States
General privacy inquiries for both contracting entities may be directed to: privacy@anaphora.tech
1. DEFINITIONS

In this DPA, the following definitions apply:

“Data Protection Law” means all applicable current data protection and privacy legislation to the extent binding on the parties, and as may be updated or amended from time to time, and which may include, without limitation, (i) the General Data Protection Regulation (EU 2016/679) (“EU GDPR”) and the UK GDPR, as that term is defined by section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act of 2018 ("UK GDPR"); (ii) any national implementing laws (including laws implementing the EU GDPR or UK GDPR), and associated regulations and secondary legislation; and (iii) any other applicable national, provincial, federal, state, and/or local legislation, including, without limitation, the California Consumer Privacy Act (“CCPA”), and any associated regulations and secondary legislation.

“Data Subject” will have the meaning given to it in the Data Protection Law.

“Personal Data” means “personal data”, as that term is defined in the Data Protection Law, that is uploaded to, generated by or transmitted via the Service Provider Solution under Client’s Service Provider accounts for processing as described herein.

“Standard Contractual Clauses” or "SCCs" means, as applicable, either (a) the annex found in the European Commission decision of 4 June 2021 on the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, specifically Module 2 and Module 3 (as applicable), and/or other standard contractual clauses adopted by the European Commission and entered into by the parties, from time to time ("EU SCCs"); or (b) the annex found in the European Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, available at https://op.europa.eu/en/publication-detail/-/publication/473b885b-31d6-4f3b-a10f-01152e62be6e/ as adapted for the UK, or such alternative contractual arrangement or clauses approved by the UK Information Commissioner’s Office and entered into by the parties, from time to time ("UK SCCs").

“Sub-processor” means any data processor other than Service Provider that has been instructed by Service Provider to process data on behalf of the Client.

2. DATA PROTECTION

1. Both parties will comply with all applicable requirements of the Data Protection Law. This DPA is in addition to, and does not relieve, remove, or replace, a party’s obligations under the Data Protection Law.

2. This DPA applies to Personal Data processed by Service Provider for Client, if any. In this context, Service Provider may act as “processor” to Client, who may act either as “controller” or “processor” (as those terms are defined in Data Protection Law) with respect to Personal Data.

3. Details of Data Processing (Annex 1 and Annex 2 to the EU SCCs and/or Appendix 1 and Appendix 2 to the UK SCCs, if and as applicable):

Data Exporter: the Client, as the party sending Content, some of which may contain Personal Data, to Service Provider for Service Provider's processing in furtherance of provision of the Service Provider Solution.

Data Importer: Service Provider as a conduit of Content transmitted through the use of the Service Provider Service, some of which may contain Personal Data.

Subject matter: the subject matter of the data processing under this DPA is the data and content as described below.

Purpose: the provision of the Service Provider Solution initiated by Client from time to time.

Nature of the processing: provision of Service Provider Services as described in the Agreement and initiated by Client from time to time.

Categories of Data Subjects: the Data Subjects may include Client's end users, visitors, guests, employees and staff, and any others whose Personal Data is captured in Content.

Description of Processing: in addition to Personal Data incidentally captured and processed as Content in the Service Provider Service ("Captured Personal Data"), Service Provider collects and processes the following as a necessary step in providing the Service Provider Service, all or some of which may or may not be personally identifying or identifiable information:
- IP addresses
- authorized user login credentials
- names
- physical and email addresses, phone numbers
- job role/title
- social media links/accounts
- auto dealer name, contact info, URL

Content transmitted through the use of the Service Provider Service may, unbeknownst to Service Provider, contain Personal Data. Such Personal Data is held only for as long as needed to transmit it (except if and to the extent the Client, as data controller, elects to store such data).

Special Categories of Data: the parties do not anticipate or knowingly enact the transfer of special categories of data, but such data may be included in Captured Personal Data.

Duration of processing: during the term of the Client’s subscription and for 90 days thereafter.

Processing operations: as described in this DPA, including Annex 1.

4. Client will ensure and warrants that it has all necessary and appropriate consents and notices, in any form required by Data Protection Law, in place to enable lawful transfer of the Personal Data to Service Provider for the duration and purposes of the Agreement.

5. Client will ensure and warrants that where Personal Data is transferred outside the European Economic Area (“EEA”) or outside the UK, as part of Client’s use or deployment of the Service Provider Solution, adequate measures will be taken to ensure the Personal Data will be protected to an adequate level and the data subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer. Subject to Service Provider’s obligation in section 9.5 below with respect to Service Provider sub-processors, and section 11 below with respect to the Standard Contractual Clauses if applicable, Client acknowledges that Client is solely responsible for ensuring that Personal Data is transferred out of the EEA or the UK in full compliance with the Data Protection Law.

6. Client will ensure and warrants that Client utilizes appropriate technical and organizational measures to ensure a level of security appropriate to such risks, including, as appropriate, the measures referred to in the Data Protection Law.

7. Client confirms that it has assessed any security measures in place at the time of this Agreement, and that it will continue to do so on an ongoing basis to ensure its obligations under this DPA. Client is solely responsible (as between the parties) if such measures fail to meet the standards required by Data Protection Law.

8. Client undertakes and confirms that any information required to be provided to a Data Subject has been so provided or an applicable exemption is available and is being relied upon by the Client.

9. Service Provider will, in relation to any Personal Data processed in connection with the provision of the Service Provider Service:

9.1. process that Personal Data only on the written instructions of Client and as set forth in the Agreement except to the extent Service Provider is required to process data by applicable law. Where Service Provider is relying on applicable law as the basis for processing Personal Data, Service Provider will without undue delay notify Client unless applicable law prohibits Service Provider from so notifying Client;

9.2. not access or use, or disclose to any third party, any Personal Data, except, in each case, as necessary to maintain or provide the Service Provider Solution, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order);

9.3. ensure that it has in place appropriate technical and organizational measures designed to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;

9.4. ensure that all Service Provider personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;

9.5. ensure that where Sub-processors are used outside the EEA or the UK such that Personal Data is transferred outside the EEA or the UK, and such transfer is not to a third country that the EU Commission considers to provide an adequate level of protection (in the case of transfers subject to EU GDPR) or that the UK Secretary of State considers to provide an adequate level of protection (in the case of transfers subject to UK GDPR), adequate measures will be taken to ensure the Personal Data will be protected to an adequate level (including without limitation use of the SCCs) and the Data Subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer;

9.6. maintain records of processing activities carried out on behalf of Client as required by Data Protection Law;

9.7. assist the Client in responding to any request from a Data Subject and in ensuring compliance with its obligations under Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

9.8. notify Client without undue delay on becoming aware of a Personal Data security incident. Service Provider is not obligated to report unsuccessful incidents or incidents that result in no unlawful or accidental destruction, loss, alteration, disclosure of, or unauthorized access to Personal Data or any of Service Provider’s equipment or facilities storing Personal Data. Such incidents may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), or similar incidents. Service Provider’s obligation to report or respond to a security incident under this section is not and will not be construed as an acknowledgement by Service Provider of any fault or liability of Service Provider with respect to the incident; and

9.9. at the written direction of Client, delete Personal Data to the extent Service Provider is capable of doing so via its standard retrieval and delete mechanism, unless required by applicable law to store the Personal Data.

10. Client will immediately notify Service Provider if any necessary appropriate consents and notices required to enable lawful transfer of Personal Data to Service Provider for the duration and purposes of this Agreement have been breached, terminated, withdrawn, or are otherwise no longer valid.

11. The parties agree that (a) the EU SCCs apply if Personal Data from the EEA is transferred via use of the Service Provider Solution to Service Provider in a country that is outside of the EEA, and such transfer is not to a third country that the EU Commission considers to provide an adequate level of protection, and (b) the UK SCCs apply if Personal Data from the UK is transferred via use of the Service Provider Solution to Service Provider in a country that is outside of the UK, and such transfer is not to a country that the UK Secretary of State considers to provide an adequate level of protection (such outbound transfers of Personal Data from the EU or the UK, each an "EU/UK Outbound Transfer"). If no EU/UK Outbound Transfer occurs, the SCCs and this section 11 will not apply. As used in this section, the terms “Data Importer” and “Data Exporter” will have the meanings given to them in the Standard Contractual Clauses. The parties acknowledge that for the purposes of the Standard Contractual Clauses, Service Provider is acting in the capacity of a Data Importer and Client is the Data Exporter (notwithstanding that Client may be located outside of the EEA/UK or is acting as a processor on behalf of third-party controllers). Each party will comply with the applicable obligations of the Standard Contractual Clauses in their respective roles as Data Exporter and Data Importer. The data subjects, categories of data, and processing operations (as required to be disclosed in the Standard Contractual Clauses) are as set forth in this DPA. Annex 1 to this DPA details the technical and security measures Service Provider has implemented, as required to be disclosed in the Standard Contractual Clauses.

12. The parties further agree that for all EU/UK Outbound Transfers, the governing law of the Standard Contractual Clauses entered into by Service Provider and the Client will be: (a) the laws of Ireland, if the Client is established in the EEA, or (b) the laws of the UK, if the Client is located in the UK. If any inconsistency arises between this section 12 and any other provision for the governing law of the Standard Contractual Clauses entered into between Client and Service Provider, this section 12 will take precedence.

13. Client acknowledges and agrees that it shall exercise its audit rights under this DPA (including where applicable, the Standard Contractual Clauses) and any audit rights granted by Data Protection Law, by instructing Service Provider to comply with the audit measures described in Annex 1 to this DPA.

14. Service Provider represents and warrants that it has not received any order, request, or other communication from a governmental body for the disclosure of Personal Data and it shall:

14.1. if it receives such order, request, or other communication, attempt to redirect the governmental body to request that data directly from Client. As part of this effort, Service Provider may provide Client’s basic contact information to the relevant body. If compelled to disclose Client Data to a governmental body, then Service Provider will give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy unless Service Provider is legally prohibited from doing so;

14.2. publish a transparency report or provide information to Client on request regarding: (a) the number of orders, requests, or other communications from governmental bodies for the disclosure of Personal Data and/or assistance in surveillance processes and the type of information requested, (b) its responses to the foregoing, and (c) its process for challenging such confidential and non-confidential orders, requests, and communications; and

14.3. notify Client if its ability to maintain the confidentiality and security of Personal Data has been compromised for any reason including by orders, requests or communications described above, and cease processing, including receiving such Personal Data.

15. Client agrees that Service Provider may use Sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services, and consents to the use of Sub-processors as described in this section. The Service Provider website (LINK) lists Sub-processors that are currently engaged by Service Provider to deliver the Service Provider Service. (Such webpage constitutes Annex III/Appendix 3 to the Standard Contractual Clauses if and as applicable.) At least 10 business days before Service Provider engages any new Sub-processor to carry out processing activities on Personal Data on behalf of Client, Service Provider will endeavor to update the applicable website and provide Client notice of that update as per the means specified for notices in the Agreement. If Client objects to a new Sub-processor, Client must notify Service Provider in writing within ten days of Client’s notice of the change (without prejudice to any termination rights Client has under the Agreement), after which time Client shall be deemed to have consented to the new Sub-processor’s appointment in the absence of any such notice. If Client objects to a new Sub-processor, Service Provider may either, in its sole discretion: (a) propose an alternative Sub-processor or remain with the current Sub-processor; or (b) refrain from the use of any Sub-processor; or (c) terminate the Client's subscription on thirty days written notice.

16. Service Provider may propose revisions to this DPA by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an approved code of conduct or applicable certification scheme (which will apply when replaced by attachment to this Agreement). Client and Service Provider will negotiate such changes in good faith as soon as reasonably practicable. The parties agree that if any new versions or revisions to the EU SCCs are approved by the European Commission, or if any new versions or revisions to the UK SCCs are adopted by the UK, such that the implementation of the Standard Contractual Clauses in this DPA no longer applies or is no longer appropriate, the parties shall work together to enter into the new standard contractual clauses as applicable as soon as reasonably practicable.

17. Where the EU SCCs apply to transfers of Personal Data governed by this DPA, the following options shall be deemed to be selected and incorporated, each clause reference in this section being a reference to a clause in the EU SCCs: (a) Clause 7 shall not apply; (b) at Clause 9, option 2 shall apply for both Module 2 and Module 3; and (c) at Clause 11, the optional redress mechanism shall not apply.

18. California Consumer Privacy Act (CCPA) Notice: as a “Service Provider” (as that term is defined in the CCPA), Service Provider will process California personal data that is subject to the CCPA strictly for the purpose of providing to Client the solutions and services described in the Agreement, or as otherwise permitted by the CCPA, and shall not retain, use, or disclose such data for any other purpose.

DPA Annex: Security Measures and Supplementary Terms to the Standard Contract Clauses

a) Access Control

i) Preventing Unauthorized Product Access

Outsourced processing: Service Provider hosts its Service with AWS and GleSYS and/or applicable affiliates. Additionally, Service Provider maintains contractual relationships with vendors in order to provide the Service. Service Provider relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Physical and environmental security: Service Provider hosts its product infrastructure with multi-tenant, outsourced infrastructure provider Amazon Web Services Inc. The physical and environmental security controls are audited for relevant certifications, such as SOC 2 Type II (https://aws.amazon.com/compliance/soc-faqs/) and ISO 27001 (https://aws.amazon.com/compliance/iso-27001-faqs/) compliance, among other certifications.

Authentication: Service Provider has implemented a uniform password policy for its customer products. Clients who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: Client data is stored in multi-tenant storage systems accessible to Clients only via application user interfaces and application programming interfaces. Clients are not allowed direct access to the underlying application infrastructure. The authorization model in each of Service Provider’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key.

ii) Preventing Unauthorized Product Use

Service Provider implements industry standard access control capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Intrusion detection and prevention: Service Provider implements protections against unauthorized access and common attack vectors. These measures may include the use of Web Application Firewalls (WAF) or other layered defenses, depending on the architecture of the specific service. The WAF is designed to identify and prevent attacks against publicly available network services.

Repository security: Static code analysis and security reviews of code stored in Service Provider’s source code repositories are performed (where applicable), checking for identifiable software flaws and known vulnerabilities.

Penetration testing: Service Provider engages independent security experts for periodic vulnerability assessments, including penetration testing where relevant. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.

iii) Limitations of Privilege & Authorization Requirements

Product access: A subset of Service Provider’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents, and to implement data security. Access is enabled through “just in time” requests for access; all such requests are logged.

Staff: All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

b) Transmission Control

In-transit: Service Provider makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. Service Provider’s HTTPS implementation uses industry standard algorithms and certificates.

At-rest: Service Provider stores user passwords in accordance with policies that follow industry standard security practices and ensure that passwords are never stored in plain text.

c) Input Control

Detection: Service Provider designed its infrastructure to log information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Service Provider personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: Service Provider maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, Service Provider will take appropriate steps to minimize product and Client damage or unauthorized disclosure.

d) Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99% uptime. As Service Provider’s service is designed to be available across many regions simultaneously, the availability offered is much higher than that of the underlying infrastructure provider in any single region. The providers maintain a minimum of N+1 redundancy for power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Client data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Service Provider’s products are designed to ensure redundancy and continuity in spite of failures. The server instances that support the products are also architected with the goal of preventing single points of failure. This design assists Service Provider operations in maintaining and updating the product applications and backend without downtime.

e) Transparency

Client acknowledges that Service Provider is regularly audited by independent third-party auditors and internal auditors respectively. Upon written request, Service Provider shall supply (on a confidential basis) a summary copy of its most current audit report(s) to Client. In addition, Service Provider shall respond to all reasonable requests for information made by Client to confirm Service Provider’s compliance with this DPA, by making additional information available regarding its information security program upon Client’s written request, provided that Client shall not exercise this right more than once per calendar year.

f) Back Doors

Service Provider has not purposefully created back doors or similar programming that could be used to access the system and/or personal data. Service Provider has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems.

g) Applicability Across Services

The security controls described herein reflect Service Provider’s current practices and capabilities. Specific implementations may vary between product components depending on technical architecture, operational requirements, or risk level. All measures are designed with the goal of upholding the principles of integrity, confidentiality, and availability under GDPR Article 32.