Data Processing Agreement
Our data processing agreement governing how we handle personal data on behalf of our customers.
Last updated: July 4, 2025
Propel Data Processing Agreement
Introduction
This Data Processing Agreement (“DPA”) is an addendum to the Propel Software Subscription Agreement (“Subscription Agreement”) between Propel Platform, Inc. (“Propel”) and the Customer. It reflects the parties’ obligations regarding the processing of Personal Data in connection with Propel’s services.
Except as expressly modified by this DPA, the Subscription Agreement remains in full force and effect. In the event of any conflict between this DPA and the Subscription Agreement, this DPA shall prevail with respect to matters relating to data protection.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below:
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.
- “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
- “Processor” means the entity that processes Personal Data on behalf of the Controller. Customer is the Controller and Propel is the Processor.
- “Customer Personal Data” means any Personal Data processed by Propel on behalf of the Customer in the course of providing the Services under the Subscription Agreement.
- “Applicable Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including but not limited to: the EU General Data Protection Regulation (GDPR, Regulation 2016/679); the UK General Data Protection Regulation (UK GDPR); the UK Data Protection Act 2018 (UK DPA); the Swiss Federal Act on Data Protection (FADP); and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
- “Standard Contractual Clauses” (SCCs) means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries, as set out in the Annex to the European Commission’s Implementing Decision (EU) 2021/914.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s Office under Section 119A of the UK Data Protection Act 2018.
- “Subprocessor” means any third party appointed by Propel to process Customer Personal Data on behalf of the Customer.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed.
2. Scope and Roles of the Parties
2.1 Relationship of the Parties
The Customer acts as the Controller (or “Business” under the CCPA) and Propel acts as the Processor (or “Service Provider” under the CCPA) with respect to Customer Personal Data. Propel shall process Customer Personal Data only on behalf of and in accordance with the Customer’s documented instructions.
2.2 Application to Services
This DPA applies to all Processing of Customer Personal Data carried out by Propel in connection with the Services, including cloud and VPC (Virtual Private Cloud) deployments. The Services are hosted in the United States on Amazon Web Services (AWS) infrastructure.
2.3 Customer as Business/Controller
The Customer is responsible for determining the scope and purposes of Processing, providing all required notices to data subjects, and obtaining all necessary consents or other legal bases for the Processing of Customer Personal Data. The Customer warrants that its instructions to Propel comply with all Applicable Data Protection Laws.
3. Obligations of Propel as Processor
3.1 Compliance with Instructions
Propel shall process Customer Personal Data only in accordance with the Customer’s documented instructions, unless required to do so by applicable law. In such a case, Propel shall inform the Customer of that legal requirement before Processing, unless prohibited by law from doing so.
3.2 Processing Limitations
Propel shall not:
- Sell or share Customer Personal Data;
- Use Customer Personal Data for any purpose other than the specific purposes set forth in this DPA and the Subscription Agreement;
- Combine Customer Personal Data with Personal Data obtained from or on behalf of other sources, except as expressly permitted under the Subscription Agreement.
3.3 Confidentiality
Propel shall ensure that all personnel authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Propel shall ensure that access to Customer Personal Data is limited to those individuals who need to know or access it for the purposes described in this DPA.
3.4 Security Measures
Propel shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. These measures are described in Annex II to this DPA. Propel shall regularly test, assess, and evaluate the effectiveness of these measures.
3.5 Personal Data Breach Notification
Propel shall notify the Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data. Such notification shall include: the nature of the incident, including the categories and approximate number of data subjects and records concerned; the likely consequences of the incident; the measures taken or proposed to address the incident and mitigate its effects; and the contact details of Propel’s point of contact for further information.
3.6 Assistance with Data Subject Requests
Propel shall assist the Customer, insofar as possible, in responding to requests from data subjects exercising their rights under Applicable Data Protection Laws. Such assistance shall include providing technical and organizational measures to facilitate the Customer’s ability to respond to access, rectification, erasure, portability, restriction, and objection requests.
3.7 Cooperation and Compliance Assistance
Propel shall assist the Customer in ensuring compliance with its obligations under Applicable Data Protection Laws, including with respect to data protection impact assessments, prior consultations with supervisory authorities, and notifications of Security Incidents to supervisory authorities and data subjects.
3.8 Data Retention and Deletion
Upon termination or expiration of the Subscription Agreement, Propel shall, at the Customer’s election, delete or return all Customer Personal Data and delete existing copies, unless applicable law requires further retention. Propel shall certify the deletion in writing upon the Customer’s request.
3.9 Audits and Assessments
Propel shall make available to the Customer all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws. Propel maintains a SOC 2 Type II certification and conducts annual audits of its security and data protection practices. The Customer may request an audit of Propel’s Processing activities with at least 30 days’ prior written notice, subject to reasonable confidentiality obligations and conducted during normal business hours.
3.10 Notice of Inability to Comply
Propel shall promptly inform the Customer if, in Propel’s opinion, an instruction from the Customer infringes Applicable Data Protection Laws. Propel shall also notify the Customer if it can no longer meet its obligations under this DPA.
4. Subprocessors
4.1 Authorization
The Customer provides Propel with a general authorization to engage Subprocessors for the Processing of Customer Personal Data, subject to the requirements of this Section 4.
4.2 Updates and Notice
Propel shall provide the Customer with at least 15 days’ advance written notice before engaging a new Subprocessor or replacing an existing Subprocessor. The notice shall include the name, location, and nature of the Processing to be carried out by the Subprocessor. If the Customer objects to the appointment of a new Subprocessor on reasonable data protection grounds, the parties shall discuss the objection in good faith. If no resolution can be reached, the Customer may terminate the affected Services without penalty.
4.3 Subprocessor Liability
Propel shall enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set out in this DPA. Propel shall remain fully liable to the Customer for the performance of each Subprocessor’s obligations.
4.4 Special Service Providers
Certain third-party service providers may process Customer Personal Data in connection with ancillary services such as logging, monitoring, and error tracking. These providers are listed in Annex III and are subject to the same contractual and compliance requirements as Subprocessors.
5. International Data Transfers
5.1 Location of Processing
Customer Personal Data is processed and stored in the United States. Propel shall not transfer Customer Personal Data to any other country without the Customer’s prior written consent, unless required by applicable law.
5.2 Transfers from the EEA
To the extent that Customer Personal Data originating from the European Economic Area (EEA) is transferred to the United States, such transfer shall be governed by the Standard Contractual Clauses (SCCs), Module Two (Controller to Processor). The following Clause selections apply:
- Clause 7: The optional docking clause is included.
- Clause 9(a): General written authorization with 15 days’ advance notice of new Subprocessors.
- Clause 11: The optional language regarding independent dispute resolution is not included.
- Clause 13: The competent supervisory authority shall be determined in accordance with Clause 13(a).
- Clause 17: Governing law shall be the law of Ireland.
- Clause 18: Disputes shall be resolved before the courts of Ireland.
5.3 Transfers from the United Kingdom
To the extent that Customer Personal Data originating from the United Kingdom is transferred to the United States, such transfer shall be governed by the UK Addendum to the EU SCCs, as issued by the UK Information Commissioner’s Office.
5.4 Transfers from Switzerland
To the extent that Customer Personal Data originating from Switzerland is transferred to the United States, the SCCs shall apply with the modifications required by the Swiss Federal Act on Data Protection (FADP), including recognition of the Swiss Federal Data Protection and Information Commissioner (FDPIC) as the competent supervisory authority.
5.5 Additional Transfer Mechanisms
If an alternative or additional transfer mechanism becomes available under Applicable Data Protection Laws (such as an adequacy decision or certification framework), Propel shall take reasonable steps to adopt such mechanism to facilitate lawful transfers of Customer Personal Data.
6. Additional Provisions for Specific Laws
6.1 CCPA Compliance
To the extent that the CCPA applies to the Processing of Customer Personal Data, Propel, as a Service Provider, shall not:
- Sell or share Customer Personal Data;
- Retain, use, or disclose Customer Personal Data for any purpose other than providing the Services;
- Combine Customer Personal Data with Personal Data received from or on behalf of another person.
Propel certifies that it understands and will comply with these restrictions.
6.2 Documentation and Training
Propel shall maintain documentation of its Processing activities and provide appropriate training to personnel who have access to Customer Personal Data regarding their obligations under Applicable Data Protection Laws.
6.3 Modifications due to Legal Changes
If changes in Applicable Data Protection Laws require amendments to this DPA, the parties shall negotiate in good faith to make such amendments. Either party may propose amendments to this DPA to ensure continued compliance with Applicable Data Protection Laws.
6.4 Liability and Indemnity
Each party’s liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Subscription Agreement. Each party shall indemnify the other against any losses, claims, damages, or expenses arising from a breach of this DPA, subject to the limitations set forth in the Subscription Agreement.
6.5 Term and Termination
This DPA shall remain in effect for as long as Propel processes Customer Personal Data on behalf of the Customer. Upon termination, Propel shall comply with its obligations under Section 3.8 regarding data retention and deletion.
6.6 Entire Agreement
This DPA, together with the Subscription Agreement and any annexes, constitutes the entire agreement between the parties with respect to the Processing of Customer Personal Data and supersedes all prior or contemporaneous agreements, representations, and understandings relating to the subject matter hereof.
6.7 Governing Law
This DPA shall be governed by and construed in accordance with the laws governing the Subscription Agreement, unless otherwise required by Applicable Data Protection Laws.
Annex I: Details of Processing
A. List of Parties
Data Exporter / Controller: The Customer, as identified in the Subscription Agreement.
Data Importer / Processor: Propel Platform, Inc., 182 Howard Street, Unit 823, San Francisco, CA 94105, United States.
B. Data Processing Description
- Subject Matter: Processing of Customer Personal Data in connection with the provision of the Services under the Subscription Agreement.
- Nature and Purpose of Processing: Propel processes Customer Personal Data to provide, maintain, and improve the Services, including cloud-based and VPC deployments, code analysis, and related operational functions.
- Categories of Data Subjects: Employees, contractors, consultants, and end users of the Customer who interact with the Services.
- Categories of Personal Data: Name, email address, IP address, user identifiers, usage data, log data, and any other Personal Data submitted by the Customer through the Services.
- Sensitive Data: The Customer is not expected to submit sensitive or special categories of Personal Data. If such data is submitted, the Customer is solely responsible for ensuring a lawful basis for its Processing.
- Frequency of Processing: Continuous, for the duration of the Subscription Agreement.
- Duration of Processing: For the term of the Subscription Agreement and as required thereafter for data retention and deletion obligations.
- Location of Processing: United States (Amazon Web Services infrastructure).
- Purposes of Transfer: To provide the Services as described in the Subscription Agreement.
- Competent Supervisory Authority: As determined in accordance with Applicable Data Protection Laws and the Standard Contractual Clauses.
C. Subprocessor Transfers
A current list of Subprocessors and their locations is provided in Annex III. Transfers to Subprocessors are governed by the same safeguards and contractual obligations as set forth in this DPA.
D. Contact Points
For data protection inquiries, the Customer may contact Propel at: legal@propelcode.ai.
Annex II: Technical and Organizational Security Measures
Access Control (Physical)
All infrastructure is hosted on Amazon Web Services (AWS), which maintains SOC 1/2/3, ISO 27001, and other industry certifications for physical security of its data centers.
Access Control (System / Logical)
- Multi-factor authentication (MFA) is required for all access to production systems.
- Role-based access control (RBAC) is enforced across all services and internal tools.
- Least privilege principles are applied to all user and service accounts.
- User accounts are reviewed and deprovisioned promptly upon role change or termination.
- Credentials are managed using a secrets management solution and are rotated regularly.
Data Encryption
- In Transit: All data in transit is encrypted using TLS 1.2 or higher.
- At Rest: All data at rest is encrypted using AES-256 or equivalent encryption standards.
Network Security
- Firewalls and network segmentation are used to isolate production environments.
- Endpoint security solutions are deployed on all workstations and servers.
- Intrusion detection and prevention systems are in place to monitor for threats.
- Secure development practices, including code reviews and vulnerability scanning, are followed.
Monitoring and Logging
Comprehensive logging and monitoring of access and activity are maintained across all production systems. Logs are retained for a minimum period in accordance with industry best practices and are reviewed regularly for anomalies.
Vulnerability Management
Regular vulnerability assessments and penetration testing are conducted. Identified vulnerabilities are remediated in accordance with a defined severity-based timeline.
Business Continuity and Backup
Automated backups are performed regularly and tested for integrity. Disaster recovery plans are maintained and tested at least annually.
Incident Response
A documented incident response plan is in place, including procedures for identification, containment, eradication, recovery, and post-incident review. Incidents are reported in accordance with Section 3.5 of this DPA.
Organizational Measures & Governance
- Data protection and security policies are documented and communicated to all personnel.
- Regular security awareness training is provided to all employees.
- Background checks are conducted on employees with access to Customer Personal Data, where permitted by law.
- A dedicated security team oversees information security and compliance.
Privacy by Design & Default
Propel incorporates data protection principles into the design and development of its Services, including data minimization, purpose limitation, and access controls.
Certifications and Standards
- ISO 27001 certification (or equivalent) for information security management.
- NIST Cybersecurity Framework (CSF) alignment.
- SOC 2 Type II audit conducted annually.
Documentation and Auditability
All security policies, procedures, and controls are documented and available for review upon request, subject to reasonable confidentiality obligations.
Annex III: Approved Subprocessors
The following Subprocessors are authorized to process Customer Personal Data on behalf of Propel:
- Amazon Web Services (AWS). Location: United States. Purpose: Cloud infrastructure and hosting. Compliance: ISO 27001, SOC 1/2/3, GDPR-compliant Data Processing Addendum.
- Datadog. Location: United States. Purpose: Logging and monitoring. Compliance: SOC 2 Type II, ISO 27001.
- Sentry. Location: United States. Purpose: Error tracking and monitoring. Compliance: SOC 2 Type II, GDPR-compliant Data Processing Addendum.
- LogRocket. Location: United States. Purpose: Session replay and monitoring. Compliance: SOC 2 Type II.
Commitments
Propel ensures that each Subprocessor is bound by data protection obligations no less protective than those set forth in this DPA. Propel conducts due diligence on all Subprocessors prior to engagement and on an ongoing basis.
Updates
Propel shall provide the Customer with at least 15 days’ advance written notice before adding or replacing any Subprocessor, in accordance with Section 4.2 of this DPA.
International Transfers by Subprocessors
Where a Subprocessor processes Customer Personal Data outside of the country of origin, such transfer shall be subject to the same safeguards and transfer mechanisms described in Section 5 of this DPA.
Annex IV: UK Addendum
To the extent that Customer Personal Data originating from the United Kingdom is transferred to Propel in the United States, the parties agree to incorporate the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, as issued by the UK Information Commissioner’s Office under Section 119A of the UK Data Protection Act 2018.
The UK Addendum shall be deemed incorporated into and form part of this DPA. In the event of any conflict between the UK Addendum and this DPA, the UK Addendum shall prevail with respect to transfers of Personal Data from the United Kingdom.