Data Processing Agreement
v2.0.0 (2026-02-21, 54289ae4)

Parties and Execution

Customer:

Prophetic AI Corporation: A Delaware corporation with a mailing address of 254 Chapman Rd, Ste 208 #903, Newark, DE 19702 ("Prophetic AI")

Signed for Prophetic AI Corporation:

  Signature:
  Name: Ryan Bernardo
  Title: General Counsel
  Date: 10/01/2023
  Contact Email: privacy@prophetic.ai

Signed for Customer:

  Signature:
  Name:
  Title:
  Date:
  Contact Email:

Data Protection Contact: For any data protection inquiries related to this DPA, please contact Prophetic AI's data protection team at privacy@prophetic.ai.

Variables

Parties' relationship: Controller to Processor and/or Processor to Processor

Parties' roles:

  • Customer is a Controller and/or Processor
  • Prophetic AI is a Processor on behalf of Customer

Main Agreement: Prophetic AI Corporation Terms of Service (EULA) available online at: https://prophetic.ai/terms-of-service

Term: This DPA will commence on the final date of signature and will continue for the duration of the applicability of the Main Agreement.

Breach Notification Period: Without undue delay and in any event within seventy-two (72) hours after becoming aware of a personal data breach

Sub-processor Notification Period: Fourteen (14) days before the new sub-processor is granted access to Personal Data

Liability Cap: Each party's aggregate liability under this DPA will not exceed the liability caps as per the Main Agreement

Governing Law and Jurisdiction: As per the Main Agreement

Data Protection Laws: All laws, regulations, and court orders which apply to the processing of Personal Data controlled or processed by Customer in:

  • the European Economic Area (EEA)
  • the United Kingdom
  • Switzerland
  • the United States
  • Canada
  • Japan
  • Australia
  • any other applicable jurisdictions

This includes the European Union Regulation (EU) 2016/679 (GDPR), the Data Protection Act 2018 (UK) and the UK General Data Protection Regulation, the Federal Act on Data Protection 1992 (Switzerland), the California Consumer Privacy Act of 2018 (CCPA)/California Privacy Rights Act of 2020 (CPRA), the Personal Information Protection and Electronic Documents Act (Canada), the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) (Japan), the Privacy Act 1998 (Australia), each as amended from time to time, and any other applicable laws.

Services related to processing: As described in the Main Agreement

Duration of processing: For the duration of the applicability of the Main Agreement

Nature and purpose of processing:

  • To provide network detection and response services to aid Customer in protecting its networks;
  • To conduct investigations into events impacting Customer's network(s) and/or cloud environment(s), as instructed by Customer from time to time;
  • To resolve technical or administrative issues, billing and invoicing, and otherwise comply with Prophetic AI's own legal obligations;
  • To optimize and improve the performance of Prophetic AI's Services, including through the use of federated learning and other machine learning techniques to refine detection models. As described in the Main Agreement, only learned model parameters and anonymized behavioral representations are used across customer environments — raw Network Telemetry is not shared between customers.

Personal Data: Data processed by Prophetic AI for the provision of the Services may include the following types of personal data:

  • IP Addresses: Network Telemetry may contain the IP address of the source and destination of the flow.
  • Username: Protocol telemetry streams such as HTTP, Kerberos, NTLM, RDP, LDAP, Azure AD, Microsoft 365, and AWS may contain usernames.
  • Device names: Network Telemetry may contain device names, which may in turn contain the username in them depending on how they are constructed, e.g. "Bob-MBP".
  • HTTP Cookies: HTTP protocol telemetry will contain the cookie value if the HTTP is not encrypted. Prophetic AI recommends that customers enforce encrypted communications (HTTPS/TLS) across their networks to minimize exposure of sensitive data.
  • Keyboard layout: Remote Desktop communication that is not encrypted may contain the keyboard layout of the originating host.

Data subjects: The individuals whose Personal Data will be processed may include the Customer's:

  • employees
  • job applicants
  • customers/end users
  • website visitors
  • business contacts (of customers, business partners, suppliers)

Transfer Mechanism:

  • Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (as amended from time to time), for the transfer of personal data from the EEA or adequate country to a third country
  • International Data Transfer Addendum issued by the Information Commissioner's Office under Section 119A of the Data Protection Act 2018, effective from 21 March 2022, for the transfer of personal data from the UK to a third country that is both outside the EEA and a non-adequate country

ANNEX 1

Security measures. Technical and organisational measures to ensure the security of the data

Available at: https://prophetic.ai/toms

ANNEX 2

Sub-processors. Current subprocessors

Available at: https://prophetic.ai/sub-processors

Obligations

Prophetic AI will:

  • process Personal Data only on documented instructions from Customer, unless required to do so by applicable law, in which case Prophetic AI will inform Customer of that legal requirement before processing (unless prohibited by law);
  • ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, as described in Annex 1;
  • notify Customer within the Breach Notification Period of any personal data breach and provide the following information: (a) the nature of the breach, including where possible the categories and approximate number of data subjects and Personal Data records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects; and (d) the name and contact details of Prophetic AI's data protection contact;
  • assist Customer in conducting data protection impact assessments where required;
  • assist Customer in responding to data subjects' requests to exercise their rights under Data Protection Laws;
  • assist Customer in engaging with supervisory authorities;
  • if requested, provide Customer with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA;
  • allow for audits at Customer's reasonable request with at least sixty (60) days' notice, performed by an independent auditor as agreed upon by Customer and Prophetic AI, provided that audits are limited to once a year and during business hours except in the event of a security incident. The foregoing shall only extend to those documents and facilities relevant and material to the processing of Customer Personal Data and shall be conducted in a manner that causes minimal business disruption. At Prophetic AI's discretion, Prophetic AI may satisfy an audit request by providing a current SOC 2 Type II report or equivalent independent certification. Customer and Prophetic AI each bear their own costs related to an audit; and
  • upon termination of the Main Agreement or upon Customer's written request, return Personal Data to Customer or delete Personal Data, unless retention is legally required, and certify such deletion in writing upon Customer's request. Notwithstanding the above, Prophetic AI is permitted to retain anonymised datasets.

Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.

Sub-processing

Use of sub-processors. Customer authorises Prophetic AI to engage sub-processors when processing Personal Data. Prophetic AI's existing sub-processors are listed in Annex 2.

Sub-processor requirements. Prophetic AI will:

  • require its sub-processors to comply with terms that are equivalent to Prophetic AI's obligations in this DPA;
  • ensure appropriate safeguards are in place before internationally transferring Personal Data to its sub-processor; and
  • be liable for any acts, errors or omissions of its sub-processors as if they were a party to this DPA.

Approvals. Prophetic AI may appoint new sub-processors provided that it notifies Customer in writing within the Sub-processor Notification Period.

Objections. Customer may reasonably object in writing to any future sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.

International Personal Data Transfers

Instructions. Prophetic AI will transfer personal data outside the UK, the EEA, or an adequate country only on documented instructions from Customer, unless otherwise required by law.

Transfer mechanism. Where a party is located outside the UK, the EEA, or an adequate country and receives Personal Data:

  • that party will act as the data importer;
  • the other party is the data exporter; and
  • the relevant Transfer Mechanism(s) will apply.

Additional measures. If the Transfer Mechanism(s) is/are insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.

Disclosures. Subject to the terms of the relevant Transfer Mechanism(s), if the data importer receives a request from a public authority to access Personal Data, it will (if legally permitted):

  • challenge the request and promptly notify the data exporter about it; and
  • only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.

Other Important Information

Survival. Any provision of this DPA which is intended to survive the Term will remain in full force.

Order of precedence. In case of a conflict between this DPA and any other relevant agreement, the documents will take priority in this order:

  • Transfer Mechanism,
  • DPA,
  • Main Agreement.

Notices. Notices under this DPA must be in writing and sent by email to the respective email addresses listed on the DPA's front page as may be updated by a party to the other in writing.

Third parties. Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.

Entire agreement. This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter and neither party has relied on any statement or representation of any person in entering into this DPA.

Amendments. Any amendments to this DPA must be agreed in writing.

Assignment. Neither party can assign this DPA to anyone else without the other party's consent.

Waiver. If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.

Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.