Data Processing Agreement
This DPA supplements the Control+S Terms of Service and governs our processing of personal data on behalf of Customers.
Effective 2026-04-18
1. Background and scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", acting as controller) and ShadeSec Inc. ("ShadeSec", acting as processor) for use of the Control+S service (the "Service"). It applies to the extent ShadeSec processes Personal Data on Customer's behalf, and is designed to satisfy Article 28 of the EU and UK General Data Protection Regulation, PIPEDA accountability requirements, and the equivalent provisions of Quebec's Law 25.
In the event of conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA controls.
2. Definitions
Capitalized terms not defined here have the meanings given in the Terms of Service or in applicable Data Protection Laws. "Data Protection Laws" means all applicable laws on the protection of Personal Data, including the GDPR, the UK GDPR, PIPEDA, and Law 25. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" have the meanings given in the GDPR. "Subprocessor" means any third party engaged by ShadeSec to Process Personal Data on Customer's behalf.
3. Details of processing
The subject-matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 1.
4. Customer instructions
ShadeSec will Process Personal Data only on Customer's documented instructions, including with regard to transfers of Personal Data to a third country or international organization, unless required to do otherwise by law (in which case ShadeSec will inform Customer of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest). Customer's use of the Service and the features it selects constitute documented instructions. Additional instructions require agreement in writing and may be subject to additional fees.
ShadeSec will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
5. Confidentiality
ShadeSec ensures that personnel authorized to Process Personal Data are bound by a duty of confidentiality (whether by contract or statute) and receive appropriate training on the handling of Personal Data.
6. Security
ShadeSec will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. A summary of these measures is set out in Annex 2 and may be updated from time to time, provided that the overall level of protection is not reduced.
7. Subprocessors
Customer provides a general authorization for ShadeSec to engage Subprocessors to Process Personal Data in connection with the Service. ShadeSec maintains a current list of its Subprocessors, including their purpose and location, on its Trust page.
Customer authorizes ShadeSec to use the Subprocessors listed on the Trust page as of the date Customer accepts this DPA. ShadeSec may add or replace Subprocessors from time to time and will update the Trust page and public Trust updates feed to reflect material changes. Where practicable, ShadeSec will post the update before a new or replacement Subprocessor begins Processing Personal Data; otherwise, ShadeSec will post the update promptly after the change. Customer may object on reasonable grounds related to the protection of Personal Data by sending an objection to contact@controls.run. The parties will work in good faith to resolve the objection; if they cannot, Customer may terminate the affected portion of the Service and receive a pro rata refund of any prepaid fees for the unused term.
ShadeSec will impose data protection obligations on each Subprocessor that are no less protective than those in this DPA, and remains liable to Customer for the acts and omissions of its Subprocessors.
8. Assistance with data subject requests
Taking into account the nature of the Processing, ShadeSec will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to respond to requests from Data Subjects exercising their rights under Data Protection Laws. Where ShadeSec receives such a request directly, it will promptly inform Customer and will not respond to the Data Subject except as instructed by Customer or required by law.
9. Personal Data Breach notification
ShadeSec will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide Customer with the information reasonably required for Customer to meet its own breach-notification obligations, including the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
10. DPIAs and consultation
Taking into account the nature of Processing and the information available to it, ShadeSec will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Data Protection Laws.
11. Audits and information
ShadeSec will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Upon Customer's written request (no more than once per twelve months, except in the case of a material breach or regulatory demand), ShadeSec will respond to a reasonable security questionnaire and provide copies of relevant third-party audit reports or certifications it holds. On-site audits may be conducted on reasonable prior notice, during business hours, by an auditor acceptable to both parties and bound by confidentiality, at Customer's expense.
12. International transfers
ShadeSec is established in Canada, which benefits from the European Commission's adequacy decision for commercial organizations subject to PIPEDA. Where ShadeSec transfers Personal Data originating in the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where relevant, the UK International Data Transfer Addendum, with Customer as the "data exporter" and ShadeSec as the "data importer", Module Two (controller to processor) applying, and the docking clause enabled. ShadeSec will take supplementary measures as necessary to maintain an essentially equivalent level of protection.
13. Return or deletion
Before termination or expiration of the Service, Customer should download supported reports, evidence files, or workspace data it needs using export or download features available in the product. Where Customer needs reasonable assistance retrieving supported Personal Data, Customer may contact ShadeSec before termination. After termination or expiration, ShadeSec will delete Personal Data from live systems within 90 days, with backup copies overwritten on the standard cycle (typically within 30 days), unless retention is required by law. At Customer's written request, ShadeSec will certify deletion.
14. Liability
Each party's liability under or in connection with this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set out in the Terms of Service.
15. Governing law
This DPA is governed by the laws of the Province of Ontario, Canada, except to the extent that Data Protection Laws require otherwise.
16. Execution
This DPA is accepted by Customer when Customer accepts the Terms of Service and begins using the Service. A counter-signed copy is available on request by emailing contact@controls.run.
Annex 1 — Details of processing
Subject-matter
Provision of the Control+S compliance audit platform, including storage of evidence, management of control assessments, and AI-assisted analysis of Customer Content.
Duration
For the term of the Service, plus the retention periods described in Section 13 and in the Privacy Policy.
Nature and purpose
Hosting, storage, transmission, indexing, AI-assisted analysis, and display of Personal Data contained in Customer Content; authentication and access management for Customer's authorized users; operational logging; and customer support.
Types of Personal Data
- Identifiers (name, email, job title, company) of authorized users;
- Authentication data and session information;
- Any Personal Data that Customer or its authorized users choose to include in evidence, reports, logs, configurations, or other Customer Content.
Categories of Data Subjects
- Customer's employees, contractors, and authorized users of the Service;
- Individuals referenced in Customer Content (e.g., employees, interviewees, end users of Customer's systems), as determined by Customer.
Annex 2 — Technical and organizational measures
Encryption
TLS 1.2 or higher for all data in transit; encryption at rest provided by our infrastructure providers using industry-standard algorithms.
Access control
Role-based access at organization and project level; least-privilege access to production systems; unique credentials and audit logging for administrative access; authenticator-app 2FA for password accounts, with SSO MFA managed by Customer's identity provider.
Sandbox isolation
AI analysis is executed in short-lived, isolated cloud sandboxes with automatic cleanup and time-bounded access tokens, to prevent one Customer's data from mixing with another's.
Logging and monitoring
Application and administrative actions are logged; logs are monitored for anomalies and retained in accordance with the retention schedule in our Privacy Policy.
Vendor management
Subprocessors are selected based on their security posture and contractually bound to equivalent obligations. The current list is published on our Trust page.
Resilience
Managed infrastructure with redundancy and backups maintained by our hosting providers; documented recovery procedures.
Personnel
Confidentiality obligations for all personnel with access to Personal Data; security awareness training; access removal on departure.
Development practices
Code review, dependency monitoring, and separation of development and production environments.