DATA PROCESSING ADDENDUM

Effective / updated March 6, 2025

  1. Applicability.
    This Data Processing Addendum (“DPA”) is incorporated by reference into the Sola Security Terms of Service and/or any other agreement governing the use of Sola’s services (“Agreement”) entered into by and between Sola Security Inc., and its affiliates (“Sola”) and you, the User (as defined in the Agreement), and for purposes of this DPA shall be referred to as (the “Client”), to the extent that Sola processes Personal Data (as defined below) solely on behalf of Client.
    By signing the DPA, and/or accepting the Agreement, and/or accessing and/or using the Services (as defined in the Agreement), Client accepts this DPA, and if the person signing or accepting or clicking through to the Services is entering the DPA on behalf of another entity or person, such person hereby represents and warrants to Sola that such person is authorized to bind Client to this DPA through such consent or use of the Services. If such person does not have such authority or if Client does not agree to this DPA, please do not provide Personal Data to Sola.
  2. Definitions.
    Terms used in this DPA but not defined herein (whether or not capitalized) shall have the meanings assigned to such terms in the Applicable Data Protection Laws or the Agreement.
    1. “Applicable Data Protection Laws” shall mean, to the extent applicable to Sola’s processing of Personal Data hereunder (with respect to each data subject): (i) General Data Protection Regulations (European Parliament and Council of European Union (2016) Regulation (EU) 2016/679) (EU GDPR); (ii) EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (UK GDPR); (iii) California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA); (iv) Protection of Privacy Law 5741-1981 (Israel); and (v) any rules or regulations that amend and/or replace any of the aforementioned Data Protection Laws, or are issued pursuant to such Applicable Data Protection Laws.
    2. “Personal Data” refers to the definition of that term or any other similar term defined under the Applicable Data Protection Laws.
    3. “Services” means the services provided to Client by Sola in accordance with the Agreement.
    4. “Security Documentation/s” means the security documentation applicable to the Services, as updated from time to time and as made reasonably available by Sola. This can be provided upon request. 
    5. “Standard Contractual Clauses” or “SCCs” shall mean: (i) where the EU GDPR applies, the standard contractual clauses pursuant to the EU Commission’s Implementing Decision 2021/914 of 4 June 2021 currently set out at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (“EU SCCs”); (ii) where the UK GDPR applies, the EU SCCs together with the UK Information Commissioner’s Office addendum, under S119A(1) of the Data Protection Act 2018 (“UK Addendum”); or any other Standard Contractual Clauses which amend and/or replace such Standard Contractual Clauses in accordance with Applicable Data Protection Law.
  3. Processing of Personal Data on behalf of Client.
    1. Sola’s Processing of Personal Data. Sola acts as a processor/service provider for Client and performs processing operations on behalf of Client and upon the instructions of Client as a controller/business, as set forth herein, in the Agreement, and any additional agreement entered into between Client and Sola (collectively, the “Terms”), pursuant to which Client may provide Personal Data to Sola (“Contracted Business Purpose”).
    2. Sensitive Data. The Parties agree that the provision of the services under the Agreement is not intended for the processing of Sensitive Data (as that term or its cognates may be defined under Applicable Data Protection Laws). For the avoidance of doubt, this DPA will not apply to Sensitive Data and Sola shall have no liability whatsoever for Sensitive Data, whether in connection with a Personal Data Breach or otherwise.
  4. Client Representations.  
    Client sets forth the details, including the purpose, the means and the ways in which Sola shall process Personal Data, as required by Applicable Data Protection Laws in Appendix A, attached hereto, and Client represents and warrants that:
    1. It complies with personal data security and other obligations prescribed by Applicable Data Protection Laws for controller/business, and that the Client’s provision of Personal Data and/or the Client’s instructions to Sola is in strict compliance with Applicable Data Protection Laws;
    2. It only processes Personal Data for which Client has obtained any legally required consent from respective data subjects or has in place any other legal basis and that has been collected in accordance with the Applicable Data Protection Laws; 
    3. It has in place procedures in case an individual whose Personal Data is collected wishes to exercise their rights in accordance with the Applicable Data Protection Laws;
    4. It provides Personal Data to Sola for the Contracted Business Purpose in accordance with the representations Client makes to individuals in Client’s privacy policy, and Client does not sell Personal Data to Sola;
      It shall have the sole responsibility for the accuracy, quality, and legality of such Client’s Personal Data;
    5. It shall provide to Sola as a processor/service provider, or otherwise have Sola (or anyone on its behalf) process such Personal Data which is explicitly permitted under Applicable Data Protection Laws (“Permitted Personal Data”). Solely Client shall be liable for any data which is made available to Sola in excess of the Permitted Personal Data (“Non-Permitted Data”). Sola’s obligations under the Terms shall not apply to any such Non-Permitted Data;
    6. It is and will remain duly and effectively authorized to give the instruction set out herein and any additional instructions as provided pursuant to the Terms, at all relevant times and at least for as long as the Terms are in effect and for any additional period during which Sola is lawfully processing Personal Data.
  5. Sola Obligations.
    1. Sola carries out the processing of Personal Data on Client’s behalf;
    2. to the extent applicable with respect to each data subject, Sola agrees that it will:
      1. process Personal Data solely on Client’s behalf and in compliance with Client’s lawful reasonable and documented instructions, including instructions in this DPA and all Terms, unless required to do so under Applicable Data Protection Laws. Moreover, without derogating from the foregoing and Section 6 below (Sub-Processing), Sola may disclose and process the Personal Data (a) to the extent required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, or (b) otherwise as required by Applicable Data Protection Laws (in such a case, Sola shall inform the Client of the legal requirement before the disclosure, unless legally prohibited from doing so), or (c) on a “need-to-know” basis under an obligation of confidentiality to its legal counsel(s), data protection advisor(s) and accountant(s).
      2. implement appropriate technical and organizational measures to provide an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR;
      3. take reasonable steps to ensure that access to the processed Personal Data is limited on a need to know/access basis, and that all Sola personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Personal Data; 
      4. provide reasonable assistance to Client with any data protection impact assessments or prior consultations with supervising authorities in relation to processing of Personal Data by the processor/service provider, as required under any Applicable Data Protection Laws, at the written request of the Client, and at Client’s sole expense; and
      5. in the event that an instruction for the Processing of Personal Data given by Client infringes Applicable Data Protection Laws in Sola’s opinion, (i) Sola shall inform Client without undue delay; (ii) Sola may temporarily cease all processing of the affected Personal Data (other than securely storing such data) and/or suspend access to the Services (or part thereof); and (iii) Client may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected processing, if the parties do not agree on a resolution to the issue in question and the costs thereof, and Client shall pay Sola all the amounts owed to Sola. Client will have no further claims against Sola (including, without limitation, requesting refund for Service) pursuant to the termination of the Agreement and the DPA as described in this section.
      6. Pursuant to the CCPA, to the extent applicable with respect to each data subject, Sola agrees that, solely with respect to Personal Data subject to the CCPA:
        1. Sola is acting solely as a service provider with respect to Personal Data;
        2. Sola shall not: (i) sell or share (as such terms are defined under the CCPA) Client’s Personal Data; or  (ii) retain, use or disclose Personal Data for any purpose other than for the Contracted Business Purpose;
        3. Sola may de-identify or aggregate Personal Data as part of performing the services specified in the Terms, and shall take reasonable measures to ensure the de-identified or aggregate Personal Data cannot be re-identified or associated with a data subject or household;
        4. Sola shall not combine Personal Data received from Client with Personal Data Sola receives from, or on behalf of, another person or collects from Sola’s own interaction with data subjects unless permitted by the CCPA; 
        5. Sola will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose; 
        6. Client may take reasonable and appropriate steps to ensure that Sola uses Personal Data processed for the Contracted Business Purpose in a manner consistent with Client’s obligations under the CCPA, and Client may take reasonable and appropriate steps to stop and remediate unauthorized use of such Personal Data; 
        7. Sola will promptly notify Client if Sola determines it can no longer meet its obligations under the CCPA; and
          Sola certifies it understands the restrictions and obligations described above and will comply with them in accordance with the CCPA. 
  6. Sub-Processing.
    1. Authorized Sub-processors. Sola may continue to use those sub-processors already engaged by Sola as of the date of this DPA. Client acknowledges and agrees that as of the date of this DPA Sola uses certain sub-processors; a list of such sub-processors is attached hereto as Appendix B (“Sub-processors”). 
    2. Changes to Sub-Processors List. 
      • Sola may appoint new Sub-processors and shall give reasonable notice of the appointment of any new Sub-processor, before authorizing such new Sub-processor to process Personal Data in connection with the provision of the services under the Agreement. 
      • Client may reasonably object to Sola’s use of a new Sub-processor on grounds relating to a Sub-Processor’s non-compliance with Applicable Data Protection Laws, by notifying Sola in writing within no more than fourteen (14) days after receipt of Sola’s notice of any planned appointment. Client’s written objection shall reasonably explain the objection to Sola’s use of such new Sub-processor. Client’s continued use of the applicable services after the lapse of fourteen (14) days from such notification constitutes Client’s acceptance of the new sub-processor. 
      • In the event Client reasonably objects to a new Sub-processor hereunder, as described above, Sola will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client’s use of the services, to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Client. If Sola is unable to make available such change within sixty (60) days, Client may, as a sole remedy, terminate the applicable Agreement and this DPA only with respect to those Services which cannot be provided by Sola without the use of the objected-to new Sub-processor, by providing written notice to Sola. For the avoidance of doubt all amounts due under the Agreement shall be duly paid to Sola. Until a decision is made regarding the new Sub Processor, Sola may temporarily suspend the processing of the affected Personal Data and/or suspend access to the Services. Client will have no further claims against Sola due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA under the circumstances described herein.
    3. Sola shall ensure that any sub-processor used must qualify as a service provider under the Applicable Data Protection Laws and Sola cannot make any disclosures to the subcontractor that the CCPA would treat as a sale.
  7. Data Subjects’ Rights.
    1. Client shall be solely responsible for compliance with any statutory obligations concerning requests to exercise data subject rights under Applicable Data Protection Laws (e.g., for access, rectification, deletion of processed Personal Data, etc.). Sola shall reasonably endeavor to assist Client insofar as feasible, to fulfil Client’s said obligations with respect to such data subject requests, as applicable, at Client’s sole expense.
    2. Sola shall (i) without undue delay notify (to the extent legally permitted), or refer the data subject to Client if it receives a request from a data subject to exercise their rights, to the extent available to them under any Applicable Data Protection Laws in respect of processed Personal Data; and (ii) not respond to that request, except on the written instructions of Client or as required by Applicable Data Protection Laws, in which case Sola shall, to the extent permitted by Applicable Data Protection Laws, inform Client of that legal requirement before it responds to the request.
  8. Personal Data Breach.
    1. Sola shall notify Client without undue delay upon Sola becoming aware of any breach of Personal Data within the meaning of Applicable Data Protection Laws relating to Personal Data processed on behalf of the Client, which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Laws (“Personal Data Breach”).
    2. At the written request of the Client, Sola shall provide reasonable co-operation and assistance to Client in respect of Client’s obligations regarding the investigation of any Personal Data Breach and the notification to the supervisory authority and data subjects in respect of such a Personal Data Breach.
    3. The obligations herein shall not apply to Personal Data Breaches that are caused by Client or Client’s users. Client will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Personal Data Breach which directly or indirectly identifies Sola, without Sola’s prior written approval, unless Client is compelled to do so pursuant to Applicable Data Protection Laws, in which case, Client shall provide Sola with reasonable prior written notice of such disclosure and will limit the disclosure to the minimum scope required.
  9. Retention of Processed Personal Data.
    Sola may retain Personal Data to the extent authorized or required by Applicable Data Protection Laws, provided that Sola shall ensure the confidentiality of such Personal Data and shall ensure that it is only processed for such legal purpose(s).
  10. Audit Rights.
    1. Subject to the terms hereof, and not more than once in each calendar year, Sola shall make available to a reputable auditor mandated by Client in coordination with Sola, at the cost of the Client, upon prior written request, within normal business hours at Sola premises, such information necessary and relevant to reasonably demonstrate compliance with this DPA, and shall allow for audits by such reputable auditor mandated by the Client in relation to the processing of the Personal Data by the processor/service provider, provided that such third-party auditor shall be subject to confidentiality obligations and (provided, however, that such information, audits, inspections and the results therefrom, including the documents reflecting the outcome of the audit and/or the inspections, shall only be used by Client to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Sola’s prior written approval. Upon Sola’s first request, Client shall return all records or documentation in Client’s possession or control provided by Sola in the context of the audit and/or the inspection). Client shall be responsible for bearing all the costs and expenses arising from or related to this Section.
    2. Client shall use (and ensure that each of its mandated auditors use) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Sola’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
  11. International Data Transfers.
    1. Personal Data may be transferred to countries outside of the European Economic Area (“EEA”) and/or outside of the United Kingdom (“UK”), to countries that offer an adequate level of data protection, under or pursuant to the adequacy decisions, as determined by the European Commission pursuant to Article 45 of GDPR, and by the Secretary of State, pursuant to Section 17A of the United Kingdom Data Protection Act 2018, respectively,  or other adequate authority as determined by the EU and the UK (“Adequacy Decisions”), as applicable, without any further safeguard being necessary. 
    2. To the extent that Sola transfers (either directly or via onward transfer) Client’s Personal Data to countries outside the EEA and/or outside of the UK, which have not been subject to a relevant Adequacy Decision, or such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of Personal Data (as set out under the GDPR), and to the extent applicable with respect to each data subject, such transfer of Client’s Personal Data to other countries, shall be subject to, where the application of the SCCs, as between the parties, is required under Applicable Data Protection Laws, the Standard Contractual Clauses, as such are incorporated into this DPA by reference, which shall be implemented as follows:
      1. In the case of transfer of Personal Data from Client to Sola, the parties shall implement Module II – “Controller to Processor”, of the Standard Contractual Clauses, with modifications detailed hereunder, in which case Sola shall be deemed as a “Data Importer” and Client shall be deemed as a “Data Exporter”. However, when Client is acting as a processor, Module III (“Processor-to-Processor”) shall apply, provided that, taking into account the nature of the processing, Client agrees that it is unlikely that Sola will know the identity of Client’s controllers, as Sola has no direct relationship with Client’s controllers and therefore, Client will fulfil Sola’s obligations to Client’s controllers under the Processor-to-Processor SCCs. 
      2. The parties are deemed to have accepted and executed the SCCs, including the associated annexes. The contents of Annex I of the SCCs are included within Appendix A to this DPA. The contents of Annex II of the SCCs are included within the Security Documentation. The contents of Annex III of the SCCs shall be provided upon request. The parties further agree to the following implementation choices under the SCCs:
        • The Parties agree that for the purpose of transfer of Personal Data between Sola (Data Importer) and the Client (Data Exporter), the following shall apply:
        • Clause 7: shall not be applicable.
        • Clause 9(a): The parties choose Option 2, “General Written Authorization” and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 7 of the DPA.
        • Clause 11: The parties choose not to include the optional language relating to the use of an independent dispute resolution body.
        • Clause 17: The parties select Option 1 and specify the law of Ireland.
        • Clause 18(b): The parties specify the courts of Dublin, Ireland.
      3. In the case of transfer of Personal Data between Sola and its Sub-Processors for the purposes of carrying out specific Processing activities (on behalf of Client), Sola and its Sub-Processors will enter into Module III (“Processor-to-Processor”) of the Standard Contractual Clauses. 
    3. If required when transferring Personal Data governed by the UK GDPR, the parties will negotiate in good faith and make the required amendments, in accordance with the instructions of the UK’s Information Commissioner’s Office (“ICO”), as available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, or as amended and/or replaced by the ICO. Appendix A attached to this DPA shall also apply in connection with the processing of Personal Data, subject to Applicable Data Protection Law.
    4. Sola reserves the right to adopt an alternative compliance standard to the SCCs for the lawful transfer of Personal Data, provided it is recognized under Data Protection Law. Sola will provide 30 days’ advance notice of its adoption of an alternative compliance standard.
  12. General Terms.
    1. Governing Law and Jurisdiction. All disputes with respect to this DPA shall be determined in accordance with the governing law provisions set forth in the Agreement. 
    2. Conflict. In the event of any conflict or inconsistency between this DPA and any other agreements between the parties, including agreements entered into after the date of this DPA, the provisions of this DPA shall prevail solely with respect to the Processing of Personal Data.
    3. Changes in Applicable Data Protection Laws. Client may by at least forty-five (45) calendar days’ prior written notice to processor/service provider, request in writing any changes to this DPA, if they are required, as a result of any change in any Applicable Data Protection Law, regarding the lawfulness of the processing of Personal Data. If Client provides its modification request, Sola shall make commercially reasonable efforts to accommodate such modification request, and Client shall not unreasonably withhold or delay agreement to any consequential changes to this DPA to protect Sola against any additional risks, and/or to indemnify and compensate Sola for any further costs associated with the changes made hereunder.
    4. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Appendix A

DETAILS OF PROCESSING OF PROCESSED PERSONAL DATA

  1. The subject matter and duration of the processing of processed personal data:
    Sola will process personal data pursuant to the DPA and the Terms for the duration of the Agreement, unless otherwise agreed upon in writing.
  2. The nature and purpose of the processing of personal data:
    1. Providing the Services to Client under the Agreement, including support and technical maintenance services;
    2. Performing the Agreement, and this DPA; 
    3. Acting upon Client’s reasonable written instructions in accordance with the Agreement and the DPA;
    4. Enforcing the Agreement or this DPA and defending Sola’s rights.
    5. Complying with applicable laws and regulations including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
  3. The types of processed personal data: 
    In providing the Services to Client under the Agreement, Sola may have access to Personal Data as required for the provision of Sola’s Services, including:
    • Name and business email address;
    • IP address and logs.
  4. The categories of data subjects to whom the processed personal data relates to are as follows: 
    • Client’s customers or users, employees and service providers or as otherwise determined by Client.
  5. Sensitive Data (if applicable).
    The Parties do not intend for Sensitive Data to be transferred. 
    COMPETENT SUPERVISORY AUTHORITY 
    The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 11.1 above.
    SOLA SECURITY MEASURES
    The technical and organizational measures, including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Sola’s Security Documentation.
  6. Sub-processors. Sola’s sub-processors engaged for the purpose of processing personal data: see Appendix B.

Appendix B

List of Sub-Processors

| Name | Description | Data Processing Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud computing infrastructure hosting | EU, US |
| MongoDB, Inc. | NoSQL database hosting provider | US |
| Frontegg, Ltd. | User management, authentication, authorization infrastructure | EU and USA |
| OpenAI OpCo, LLC | LLM and generative AI infrastructure | EU, US |
| Heap, Inc. | Product analytics | US |
| Datadog Inc. | Platform debugging and monitoring | US |
| Google, LLC | Product analytics | US |
| Hubspot, Inc. | Marketing CRM | US |
| Twilio, Inc. (Segment) | Product analytics | US |
| Salesforce, Inc. | CRM | US |
| Freshworks Inc. | Technical support | US |
| Product Fruits s.r.o. | Product analytics and training | EU |