Last updated: July 4, 2025
PROPEL DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is an addendum to the Propel Software Subscription Agreement (“Subscription Agreement”) between Propel Platform, Inc. (“Propel”) and _______________________________ (“Customer”). It reflects the parties’ obligations regarding the processing of Personal Data in connection with Propel’s services. Except as expressly modified by this DPA, the Subscription Agreement remains in full force and effect. In case of conflict, this DPA prevails with respect to data protection. Capitalized terms not defined herein have the meanings set forth in the Subscription Agreement.
1. DEFINITIONS
“Personal Data” means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, email, identification number, online identifier, or factors specific to the person’s identity. For purposes of California law, “Personal Data” includes “Personal Information” as defined in the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”).
“Processing” (and “Process”) means any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, use, disclosure, analysis, or deletion.
“Controller” means the entity which alone or jointly determines the purposes and means of the processing of Personal Data. “Processor” means an entity which processes Personal Data on behalf of a Controller. For purposes of this DPA, the Customer is the Controller and Propel is the Processor of Customer’s Personal Data.
“Customer Personal Data” means any Personal Data submitted or provided by or on behalf of Customer to Propel, including within Customer’s code, documentation, repositories, commit histories, or other materials, or otherwise collected by Propel in the course of providing the Subscription Services (including user account information such as names, emails, and usage metadata). Customer Personal Data is a subset of “Customer Materials” under the Subscription Agreement.
“Applicable Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Customer Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”); the GDPR as incorporated into United Kingdom law (“UK GDPR”) and the UK Data Protection Act 2018 (“UK DPA”); the Swiss Federal Act on Data Protection (“FADP”); and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, “CCPA”), as well as any implementing or supplemental laws, regulations, and binding guidance.
“Standard Contractual Clauses” (or “SCCs”) means the standard contractual clauses for data transfers to third countries as approved by the European Commission, including the clauses annexed to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”).
“UK Addendum” means the UK International Data Transfer Addendum (version B1.0) to the EU SCCs issued by the UK Information Commissioner’s Office, effective March 21, 2022.
“Subprocessor” means any third party engaged by Propel to Process Customer Personal Data on behalf of Propel to assist in delivering the services to Customer.
“Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed. (This corresponds to “Personal Data Breach” as defined in the GDPR.)
Other capitalized terms used in this DPA may be defined contextually herein. The definitions in Applicable Data Protection Laws apply if a term is not otherwise defined.
2. SCOPE AND ROLES OF THE PARTIES
2.1. Relationship of the Parties: As between Customer and Propel, Customer is the Data Controller (or “Business” under the CCPA) of Customer Personal Data, and Propel is the Data Processor (or “Service Provider/Contractor” under the CCPA) that Processes such data on behalf of Customer. Propel will act solely on behalf of and at the direction of Customer in Processing Customer Personal Data, as outlined in this DPA. Customer represents that it is (and will be) duly authorized to provide the Personal Data to Propel and to instruct Propel to process such data on Customer’s behalf.
2.2. Application to Services and Deployments: This DPA applies to all processing of Customer Personal Data by Propel in the course of providing the Subscription Services as defined in the Subscription Agreement, including Propel’s AI-powered code review and engineering platform offered in (a) Propel’s cloud-hosted environment and (b) any dedicated Virtual Private Cloud (VPC) deployment for the Customer. The terms of this DPA govern regardless of the deployment model. For clarity, all Customer code, repositories, documentation, metadata, and user information provided to Propel via either a cloud or VPC deployment are considered Customer Personal Data under this DPA. Customer Personal Data will be hosted and processed in the United States (in Propel’s Amazon Web Services data center region) unless otherwise expressly agreed in writing.
2.3. Customer as Business/Controller: Customer is responsible for determining the scope of Personal Data it submits to the Service and for ensuring that such data (and Customer’s directives to Propel) comply with Applicable Data Protection Laws. Customer will provide all required notices to, and obtain any required consents from, individuals (Data Subjects) before submitting their Personal Data to the Service. If Customer is a Processor of the Personal Data on behalf of a third-party Controller, Customer warrants that it is authorized to engage Propel as a sub-processor and will ensure that all instructions from the third-party Controller are relayed to Propel. In such case, Propel shall abide by all obligations in this DPA to support Customer in its role as a Processor.
3. OBLIGATIONS OF PROPEL AS PROCESSOR
3.1. Compliance with Instructions: Propel shall process Customer Personal Data only on documented instructions from Customer, including those set forth in the Subscription Agreement and this DPA, and such other instructions the Customer may provide in writing from time to time. Propel will not Process Customer Personal Data for any purpose or in any manner other than as necessary to provide the Subscription Services and as instructed by Customer (except as otherwise required by Applicable Data Protection Laws). If Applicable Data Protection Laws require Propel to process Customer Personal Data in a way that is not expressly authorized by Customer’s instructions, Propel will inform Customer of that legal requirement (unless prohibited from doing so by law). Propel will immediately inform Customer if, in Propel’s opinion, an instruction violates applicable law.
3.2. Processing Limitations (No Secondary Use or “Selling”): Propel shall not retain, use, disclose, or otherwise Process Customer Personal Data for any purpose other than for the specific purpose of providing the services to Customer, or as otherwise permitted by Customer in writing. In particular, and without limitation to the foregoing, Propel shall not:
- Sell or Share Personal Data: Propel will not “sell” or “share” any Customer Personal Data as defined under the CCPA/CPRA (meaning Propel will not disclose Customer Personal Data to a third party for monetary or other valuable consideration, or for cross-context behavioral advertising). Propel acknowledges and certifies that it is acting as Customer’s Service Provider/Contractor and that it receives Customer Personal Data only for the purposes of performing the services for Customer, and for no other commercial purpose.
- No Use Outside Business Purpose: Propel will not retain, use, or disclose Customer Personal Data for any purpose outside the scope of Customer’s business purposes specified in the Subscription Agreement and this DPA, including not using the data for Propel’s own marketing or other commercial purposes outside of providing the agreed services. Propel will not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Propel and Customer.
- No Combining of Personal Data: Propel shall not combine or merge Customer Personal Data with personal information from other sources (including Propel’s other customers or Propel’s own data) except as necessary to achieve the purposes of Customer’s use of the services, or as permitted by the CCPA (for example, to detect security incidents or protect against fraud). Any processing of de-identified data (if authorized) will meet the requirements of Applicable Data Protection Laws for de-identification.
Propel certifies that it understands the restrictions in this Section and will comply with them in accordance with the requirements of Applicable Data Protection Laws, including the CCPA/CPRA. Customer discloses Customer Personal Data to Propel only for the limited and specified purposes described in the Subscription Agreement and this DPA, and Propel is prohibited from selling or sharing such data or using it for purposes outside of those business purposes.
3.3. Confidentiality: Propel shall treat all Customer Personal Data as Confidential Information of Customer (as defined in the Subscription Agreement). Propel will ensure that any person it authorizes to process Customer Personal Data (including Propel’s employees and contractors) is subject to a strict duty of confidentiality (whether by contract or statutory obligation) and only processes Customer Personal Data as instructed by Customer. Propel has implemented access controls to ensure Customer Personal Data is only accessible to personnel who need to know it for the Permitted Purposes, and such personnel are trained on their privacy and confidentiality obligations.
3.4. Security Measures: Propel shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such data, as well as against all other unlawful forms of processing. These measures are set forth in Annex II (Security Measures) to this DPA and are designed to ensure a level of security appropriate to the risk, including, as appropriate, measures to ensure the ongoing confidentiality, integrity, availability, and resilience of Propel’s processing systems. Propel will regularly monitor compliance with these measures and will not materially decrease the overall security of the services during the term. Customer agrees that Propel’s security measures (as described in Annex II) are appropriate to the risks associated with Customer Personal Data, subject to regular updates as needed to address evolving risks.
3.5. Personal Data Breach Notification: In the event Propel becomes aware of a confirmed Security Incident involving Customer Personal Data, Propel will notify Customer without undue delay (and in any event promptly) after becoming aware of the Security Incident. Such notice will describe, to the extent known: the nature of the incident, the data involved, the likely consequences, and the measures taken or proposed by Propel to address the incident and mitigate its possible effects. Propel will promptly take reasonable steps to contain, investigate, and remediate any Security Incident. Propel will cooperate with Customer’s reasonable requests for further information regarding the Security Incident and assist Customer in notifying competent data protection authorities or affected data subjects, as required by law. Unless required by law, Propel will not inform any third party (including any data subject or regulator) of a Security Incident without Customer’s prior written consent, other than notifying a subprocessor whose data or systems may be impacted (in which case similar confidentiality obligations shall apply).
3.6. Assistance with Data Subject Requests: Taking into account the nature of the processing and the functionality of the services, Propel shall assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer’s obligation to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (e.g. access, deletion, rectification, restriction, or portability requests). Propel provides self-service features (or admin tools) that Customer may use to delete, retrieve, or restrict Personal Data on the platform, as applicable. To the extent Customer is unable to independently address a Data Subject’s request through the provided tools, Propel will, upon Customer’s request, provide additional reasonable cooperation to facilitate Customer’s response to such Data Subject request, to the extent Customer does not otherwise have access to the relevant Personal Data. If a Data Subject sends a request regarding their Personal Data directly to Propel, Propel will, to the extent permitted by law, promptly notify Customer and refrain from responding directly to the request without Customer’s instruction (except to confirm receipt of the request or as otherwise required by law).
3.7. Cooperation and Compliance Assistance: Propel will assist Customer in ensuring compliance with Customer’s obligations under Applicable Data Protection Laws, including (taking into account the nature of processing and information available to Propel) providing reasonable assistance with: (i) any required data protection impact assessments and prior consultations with supervisory authorities; (ii) Customer’s duty to implement appropriate security measures; and (iii) notification of Personal Data breaches to supervisory authorities or data subjects. Propel shall, upon Customer’s request, provide Customer with a description of the processing activities and pertinent information needed to demonstrate Propel’s compliance with this DPA.
3.8. Data Retention and Deletion: Propel will not retain Customer Personal Data longer than necessary to fulfill the Permitted Purposes. Upon termination or expiration of Customer’s subscription (or upon Customer’s written request), Propel will promptly initiate the process to either return or securely destroy all Customer Personal Data in its possession or control, including that held by Subprocessors, except to the extent that Applicable Data Protection Laws require further retention. If return or deletion of certain data is technically not feasible (e.g. data stored in long-term backups), Propel will (a) continue to protect such data under the terms of this DPA and (b) not actively process such data further, and will delete it as soon as practicable. The parties agree that Customer will be responsible for exporting or retrieving any Customer data it wishes to retain prior to termination of the services; thereafter, Propel may delete the data as described above.
3.9. Audits and Assessments: Propel will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and Article 28 of the GDPR. In particular, upon written request, Propel can provide Customer with copies of relevant certifications or audit reports it holds, such as SOC 2 Type II reports or similar evaluations of Propel’s controls, to the extent available. If such documentation is insufficient to enable Customer to meet its legal obligations or assess Propel’s compliance with this DPA, Customer (or its authorized independent auditor that is not a competitor of Propel) may, no more than once annually, conduct an on-site or remote audit of Propel’s applicable systems and facilities used to process Customer Personal Data. Such audit shall be conducted upon at least 30 days’ prior written notice, during regular business hours, under reasonable confidentiality controls, and in a manner that does not unreasonably interfere with Propel’s business operations. Before the commencement of any on-site audit, the parties shall mutually agree upon the audit’s scope, timing, and duration. Propel may charge a reasonable fee (based on its costs) for such audits to the extent permitted by law. Customer shall provide Propel with a copy of the audit report and, at Customer’s request, Propel will address any material findings. All information and audit results obtained by Customer shall be used solely for the purpose of meeting Customer’s regulatory audit requirements and/or confirming Propel’s compliance with this DPA, and shall be treated as Propel’s confidential information.
3.10. Notice of Inability to Comply: If Propel becomes aware that it can no longer meet its obligations under this DPA or Applicable Data Protection Laws (for example, due to a change in law or a security incident), it will promptly notify Customer of its inability to comply, and the parties will work together in good faith to remediate or address the issue. Propel will also notify Customer promptly if a legally binding request is made by law enforcement for disclosure of Customer Personal Data processed under this DPA, unless prohibited by law from doing so. Propel shall not disclose Customer Personal Data to any government or law enforcement authority except as strictly required by applicable law. Where such disclosure is required, Propel will (to the extent permitted) inform Customer in advance and cooperate to limit the scope of disclosure to what is legally compelled.
4. SUBPROCESSORS
4.1. Authorization of Subprocessors: Customer provides a general authorization for Propel to engage or replace Subprocessors to help it deliver the Subscription Services, provided that Propel shall at all times remain responsible for Subprocessors and ensure Subprocessors are bound by written agreements that impose data protection obligations substantially equivalent to those set out in this DPA. Propel will conduct due diligence on Subprocessors and will require each Subprocessor to implement appropriate technical and organizational measures to protect Personal Data. A list of Propel’s current Subprocessors (as of the DPA Effective Date) is included in Annex III (Approved Subprocessors). Customer hereby approves the use of those Subprocessors listed in Annex III and generally consents to Propel’s appointment of additional or alternative Subprocessors in accordance with this Section.
4.2. Updates and Notice of New Subprocessors: Propel will provide advance notice to Customer of any intended addition or replacement of Subprocessors. Specifically, Propel will notify Customer (for example, via email or via an online dashboard or notification mechanism) at least 15 days before authorizing any new Subprocessor to Process Customer Personal Data. This notice will include the identity of the Subprocessor and the nature of its processing activities. If Customer has a reasonable, bona fide basis to object to the new Subprocessor (e.g., if the Subprocessor’s processing would materially weaken protections for the Personal Data), Customer must notify Propel in writing within 15 days of receiving the notice. The parties will then discuss Customer’s concerns in good faith with the goal of achieving a commercially reasonable resolution. If no such resolution can be reached, Propel will, at its option: (a) not appoint the Subprocessor, or (b) permit Customer to suspend or terminate the affected Services (without penalty) with respect to only those services that cannot be provided without the use of the objected-to Subprocessor. If Customer does not object within the 15-day period, the new Subprocessor will be deemed accepted.
4.3. Subprocessor Liability: Propel will remain fully liable to Customer for the performance of any Subprocessor that fails to fulfill its data protection obligations, as if those obligations were performed by Propel itself. Propel will regularly audit or otherwise have mechanisms to ensure that its Subprocessors provide the required level of protection for Customer Personal Data. Upon Customer’s request, Propel will provide further information about Subprocessors and their data protection practices (subject to confidentiality).
4.4. Special Service Providers: Customer acknowledges that, as part of providing the services, Propel may integrate with or transfer data to certain third-party developer tools or services at Customer’s direction (for example, connecting to a Git repository provider or communication tool as instructed by Customer). Such integrations initiated by Customer may result in third parties processing data on behalf of Customer outside of Propel’s control and are not considered Propel’s Subprocessors. Propel is not responsible for the data processing practices of third-party services that Customer elects to use in conjunction with the Propel services (for example, if Customer configures an integration that causes Personal Data to be transmitted to a third party not engaged by Propel).
5. INTERNATIONAL DATA TRANSFERS
5.1. Location of Processing: Customer acknowledges that Propel is a company established in the United States and, as provided in Section 2.2, will process and store Customer Personal Data in the United States (and possibly in other jurisdictions where Propel or its Subprocessors maintain facilities) in order to provide the services. The parties shall ensure that all transfers of Personal Data from the European Economic Area (EEA), Switzerland, and/or the United Kingdom to locations outside those regions are made in compliance with Applicable Data Protection Laws governing cross-border data transfers.
5.2. Transfers from the EEA: To the extent Customer Personal Data originating from the EEA, or that is otherwise subject to the GDPR, is transferred to Propel in a country that has not been found to provide an adequate level of protection under EU law, the parties agree that such transfer shall be governed by the EU Standard Contractual Clauses (Controller-to-Processor) by and between the Customer (as data exporter) and Propel (as data importer). The SCCs are hereby incorporated into this DPA by reference, and shall be deemed executed upon the effective date of the DPA (no further action is required to give effect to the SCCs). For the purposes of the SCCs, the Annexes of the SCCs shall be populated with the information contained in Annex I, Annex II, and Annex III of this DPA. The following selections apply to the SCCs:
- Module and Scope: Module Two (Controller to Processor) of the SCCs shall apply (and Module Three (Processor to Processor) shall also apply in the event Customer is acting as a Processor on behalf of a third-party Controller). The optional Clause 7 (Docking Clause) is selected, allowing for additional parties to accede to the SCCs as needed.
- Clause 9 (Subprocessors): Option 2 (General Written Authorization) is selected. The “time period” for prior notice of Subprocessor changes (if not otherwise stated in the SCCs) shall be the notice period set forth in Section 4.2 of this DPA (15 days).
- Clause 11 (Redress): The optional language in Clause 11 (allowing data subjects to lodge complaints with an independent dispute resolution body) is not included, as it is not applicable in the context of Processor services.
- Clause 17 (Governing law): Option 1 is selected, and the parties agree that the SCCs shall be governed by the law of Ireland (an EU Member State that allows for third-party beneficiary rights).
- Clause 18 (Choice of forum): The parties choose the courts of Ireland for disputes arising from the SCCs.
- Annexes: Annex I of the SCCs (List of Parties, Description of Transfer) is set forth in Annex I of this DPA; Annex II of the SCCs (Technical and Organizational Security Measures) is set forth in Annex II of this DPA; and Annex III of the SCCs (List of Subprocessors) is set forth in Annex III of this DPA.
By agreeing to this DPA, the parties are deemed to have signed the SCCs where required. If and to the extent the SCCs are superseded, invalidated, or otherwise replaced by an alternative data export mechanism under EU law, the parties agree to cooperate in good faith to promptly implement such alternative mechanism.
5.3. Transfers from the United Kingdom: With respect to Personal Data subject to UK Data Protection Laws (UK GDPR) that is transferred from the UK to countries not deemed “adequate” by UK authorities, the above EU SCCs (Module Two and/or Three, as applicable) shall be deemed amended as necessary to comply with UK law and incorporated by reference, subject to the UK Addendum. In particular, the UK Addendum (issued under S119A(1) of the UK Data Protection Act 2018) is hereby incorporated into this DPA and will be deemed executed by the parties upon executing this DPA. The UK Addendum shall be completed as follows: (i) Table 1 (Parties and details) is deemed to include the information in Annex I of this DPA; (ii) Table 2 (Selected SCCs) is deemed to refer to the EU SCCs (Controller-to-Processor, 2021 version) as outlined above; (iii) Table 3 (Appendices) is deemed to be populated by Annex I-III of this DPA; and (iv) for Table 4 (Mandatory Clauses), neither party opts out of the Addendum’s terms. Furthermore, any references in the SCCs to laws or supervisory authorities of an EU Member State shall be interpreted to refer to the equivalent UK laws and the UK Information Commissioner’s Office, and references to EU courts shall mean the courts of England and Wales. In case of conflict between the SCCs and the UK Addendum, the UK Addendum shall prevail for data transfers from the UK.
5.4. Transfers from Switzerland: For Personal Data subject to the Swiss FADP, the SCCs as incorporated above shall also apply to transfers from Switzerland, with the following modifications: references to “EU Member State” or “Member State law” shall be interpreted as references to Switzerland and Swiss law; references to the “competent supervisory authority” shall mean the Swiss Federal Data Protection and Information Commissioner (FDPIC); Clause 17 of the SCCs (Governing law) shall be the law of Switzerland (to the extent required by the FDPIC); and Clause 18 (Choice of forum) shall grant Swiss data subjects the right to pursue action in Switzerland. The parties agree to abide by the Schrems II ruling requirements, including implementing additional safeguards as necessary (such as encryption and access controls as described in Annex II) to protect Personal Data transferred under the SCCs.
5.5. Additional Transfer Mechanisms: In the event Propel adopts an alternative compliance measure for international transfers (for example, certification to an approved framework such as the EU-U.S. Data Privacy Framework or a Binding Corporate Rules program in the future), which is valid under Applicable Data Protection Laws, Customer agrees that such measure may be used in lieu of the SCCs and/or UK Addendum, upon notice from Propel and documentation of such measure.
6. ADDITIONAL PROVISIONS FOR SPECIFIC LAWS
6.1. CCPA (California) Compliance: The parties acknowledge and agree that Propel is a “Service Provider” to Customer for purposes of the CCPA/CPRA with respect to any Customer Personal Data. Propel shall not sell or share (as defined under CCPA) Customer Personal Data, nor retain, use, or disclose it for any purpose other than performing the Services and as permitted by this DPA and the Subscription Agreement. Propel certifies its understanding and compliance with the obligations of a Service Provider under CCPA/CPRA. Propel will reasonably assist Customer with handling verifiable consumer requests under CCPA, by providing functionality for Customer to delete or obtain Personal Data, and by forwarding to Customer any consumer requests that Propel receives directly (as described in Section 3.6). The parties agree that the Personal Data that Customer discloses to Propel is provided for a business purpose and not for any other purpose. If any term in this DPA would cause either party to be in violation of the CCPA/CPRA, such term shall be interpreted to the maximum extent possible to be consistent with the parties’ intent to comply with the CCPA/CPRA.
6.2. Documentation and Training: Upon Customer’s request, Propel can assist Customer in satisfying its compliance or audit obligations under privacy laws (such as providing records of processing). Propel maintains records of its data processing activities as required by Article 30(2) of GDPR and will make them available to competent authorities upon request. Propel ensures that its personnel engaged in processing Customer Personal Data are informed of and trained on their specific data protection responsibilities.
6.3. Modifications due to Legal Changes: If any change in Applicable Data Protection Laws or regulation (including due to invalidation of a transfer mechanism or new guidance) necessitates a change to this DPA, the parties will negotiate in good faith to modify this DPA accordingly. Propel may (upon notice to Customer) make reasonable amendments to this DPA as needed to comply with law, provided such changes do not materially degrade data protection. In the event a change in law or legal judgment renders this DPA insufficient or unlawful, the parties will suspend the affected processing until they implement an appropriate solution.
6.4. Liability and Indemnity: Each party’s liability arising from or in connection with this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Subscription Agreement. Nothing in this DPA is intended to limit a party’s liability with respect to data protection obligations in a manner prohibited by Applicable Data Protection Laws (for example, any rights of data subjects to compensation under the GDPR remain unaffected). Customer shall indemnify and hold harmless Propel from any claims or fines resulting from Customer’s failure to comply with its obligations under Applicable Data Protection Laws, including (if Customer is a Processor) failure to obtain necessary authorization from the relevant Controller. Propel’s indemnity obligations, if any, are as set forth in the Subscription Agreement.
6.5. Term and Termination: This DPA shall remain in effect as long as Propel processes Customer Personal Data, notwithstanding the termination or expiration of the Subscription Agreement. Termination or expiration of the Subscription Agreement shall automatically terminate this DPA. Sections of this DPA that are necessary to survive such termination (such as those relating to data return/deletion, confidentiality, liability, and international transfers) shall survive as required by Applicable Data Protection Laws.
6.6. Entire Agreement; Conflict: This DPA (including its Annexes) is the parties’ entire agreement with respect to its subject matter and supersedes any prior agreements or addenda relating to data processing or security. In the event of any conflict or inconsistency between this DPA and any other agreement between the parties (including the Subscription Agreement or any Order Form), the provisions of this DPA shall prevail with regard to the processing of Personal Data. In the event of conflict between this DPA and the Standard Contractual Clauses (or UK Addendum), the SCCs (or UK Addendum, as applicable) shall prevail to the extent required by law.
6.7. Governing Law: Except where the Standard Contractual Clauses or other mandatory data transfer terms apply a specific governing law, this DPA shall be governed by and construed in accordance with the governing law specified in the Subscription Agreement.
ANNEX I – DETAILS OF PROCESSING (DESCRIPTION OF DATA PROCESSING)
A. List of Parties:
- Data Exporter (Controller): The Customer. The Customer is the organization that has contracted with Propel for the Subscription Services. Contact details, including the Customer’s name, address, and contact person, are set forth in the Order Form or Subscription Agreement. The Customer’s activities relevant to the data transferred under the SCCs include the development of software and use of Propel’s AI-powered code review platform to improve code quality and engineering processes. The Customer acts as the Controller (or a Processor on behalf of other Controllers) with respect to the Personal Data it transfers to Propel for processing.
- Data Importer (Processor): Propel Platform, Inc., a Delaware corporation with offices at 182 Howard Street, Unit 823, San Francisco, CA 94105. Propel provides an artificial intelligence-driven code review and analysis service (the Propel Platform) which processes Customer’s code and related data to generate feedback and insights for software development teams. Contact: Yu “Tony” Dong, CEO (email: legal@propelcode.ai). Propel acts as a Processor on behalf of the Customer, and in some cases as a sub-processor if Customer is itself a Processor for a third party.
B. Data Processing Description:
- Subject Matter: Propel’s provision of the Subscription Services (AI-powered code review, analysis, and related engineering assistance) to Customer. This involves Propel processing Customer Personal Data as uploaded or submitted to the service by Customer and its authorized users.
- Nature and Purpose of Processing: The purpose of the processing is to enable Propel to deliver the services subscribed to by Customer, including analyzing software code changes, documentation, and related data to provide automated review comments, architectural guidance, code quality metrics, and feedback to Customer’s development team. Propel Processes Customer Personal Data strictly for these business purposes and in accordance with Customer’s documented instructions (as set out in this DPA). Processing operations include collecting data from Customer’s repositories or inputs, storing it on Propel’s systems, performing automated analysis (which may involve algorithms or AI models processing the data), generating reports or comments back to Customer, and associated data management (such as logging, backup, and deletion as needed).
- Categories of Data Subjects: Data subjects include Customer’s personnel and authorized users who interact with the Propel services or whose personal information is contained in Customer’s codebase or documentation. This may include software developers, engineers, project managers, or other employees or contractors of Customer who commit code or author documentation (identifiable via commit metadata like name and email), as well as individuals who are the subject of comments or references in code or documentation (if any). In general, the service is not intended to process data about Customer’s end-users or customers; however, to the extent Customer’s code or documentation includes personal information about third parties (e.g. sample data, user records, or references), such individuals may also be considered data subjects.
- Categories of Personal Data: The Personal Data Processed by Propel on behalf of Customer is primarily work-related information in code repositories and user accounts. This includes: Contact and identity data of Customer’s authorized users (such as names, usernames, email addresses, profile information); Professional or technical data embedded in code or documentation (such as the name or username of a code committer, code comments or documentation authored by a person, commit timestamps and IDs, and potentially contact information if included in documentation or code comments); Metadata about code revisions and usage (such as commit history, file paths, configuration data, and comments within code review); and any other Personal Data that Customer elects to include in the code, documentation, or other materials uploaded to the service. Propel does not need or request any special categories of personal data (sensitive data) for the provision of the service, and Customer is encouraged to refrain from including sensitive personal data in code or materials uploaded to Propel. Propel does not intentionally process any data about children or any legally protected characteristics except as may be incidentally contained in the provided materials.
- Sensitive Data: Not intended or requested. The parties do not anticipate the processing of any special categories of data (as defined in GDPR Art. 9) or data relating to criminal convictions (Art. 10) by Propel. The service is designed to analyze software code and related technical information, which generally should not contain sensitive personal data. Customer shall avoid transmitting sensitive personal data to Propel. Any processing of sensitive data would be incidental and solely determined by Customer’s use of the service, and Customer is responsible for ensuring a lawful basis and appropriate safeguards for any such data. Propel treats all personal data with a high level of security regardless of sensitivity.
- Frequency of Processing: Continuous or on-demand. Customer Personal Data will be processed on an ongoing basis during the term of the Agreement, whenever Customer or its users use the Propel platform or submit code/commits for analysis. Data may be processed in real-time (e.g., analysis triggered by each code commit or pull request) and stored for the duration needed to provide the service (e.g., maintaining analysis results, historical metrics).
- Duration of Processing: For the duration of the Agreement, and any post-termination retention period required by the Agreement or law. Customer Personal Data will be actively processed for as long as Customer maintains an account and the services are provided. Upon termination of the services, Propel will retain and/or delete the data in accordance with Section 3.8 of the DPA (typically, deletion will occur promptly after termination, except for any data Propel is required to retain by law or which is stored in secure backups until those backups expire). See also Data Retention in the main DPA.
- Locations of Processing: United States (primary). Customer Personal Data will be stored in Propel’s systems hosted in the United States (AWS U.S. regions) and may be accessed by Propel’s team in the United States. If Customer opts for a dedicated VPC deployment, data may reside in a cloud environment provisioned for Customer (e.g., within a specified AWS region). Transfers of data from the EEA/UK/Switzerland to the U.S. are covered by the SCCs and UK Addendum as described in Section 5. Propel and its Subprocessors shall not transfer Customer Personal Data to any location outside of the U.S. (or outside of a Customer-designated hosting region, if applicable) unless such transfer is authorized under the DPA and governed by an approved transfer mechanism.
- Purposes of Transfer (for SCCs): The transfer is made for the purpose of Propel performing the services and obligations under the Subscription Agreement and this DPA, specifically to analyze and process Customer’s code and related data and provide results back to the Customer.
- Competent Supervisory Authority: For the purposes of the SCCs: (a) if Customer is established in an EU Member State, the supervisory authority of that Member State will be the competent authority; (b) if Customer is not established in the EU but falls under GDPR (e.g., via Article 3(2)), then the supervisory authority in the Member State indicated via Customer’s EU representative (if appointed) or the Member State where the Data Subjects are predominantly located; and (c) for UK transfers, the Information Commissioner’s Office (ICO) is the relevant authority; for Swiss transfers, the FDPIC is the competent authority.
C. Subprocessor Transfers: It is anticipated that the Data Importer (Propel) will transfer Personal Data to the Subprocessors listed in Annex III for the purpose of providing infrastructure and auxiliary services. Such Subprocessors (e.g., cloud hosting providers) may be located in the United States or other jurisdictions. Any such transfers shall be covered by the SCCs (via onward transfer clauses) or other lawful transfer mechanism as required. See Annex III for details on Subprocessors and their locations.
D. Contact points for data protection inquiries: For Customer: the contact information provided in the Order Form or as updated to Propel (e.g., Customer’s privacy office or admin contact). For Propel: legal@propelcode.ai (or such other contact as communicated to Customer).
ANNEX II – TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Propel will implement the following technical and organizational measures (“TOMs”) to protect Customer Personal Data. These measures are aimed at ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems, in accordance with Article 32 of GDPR and industry best practices:
- Access Control (Physical & Environmental): Propel’s production systems are hosted on Amazon Web Services (AWS) cloud infrastructure, which provides robust physical security controls for its data centers, including 24/7 monitored security, access badge controls, surveillance cameras, and guard personnel. Propel itself does not maintain physical servers processing Customer data outside of AWS. Physical access to AWS data centers is strictly controlled by AWS in accordance with industry standards (SOC 1/2/3, ISO 27001 certified facilities). Propel’s offices are access-controlled and restricted to authorized personnel.
- Access Control (System & Logical): Propel enforces strict access control measures to ensure only authorized personnel can access systems and Customer Personal Data:
- Authentication: Access to production systems requires strong authentication (such as multi-factor authentication) and unique user IDs.
- Role-Based Access: Propel implements role-based access control (RBAC) so that employees only have the minimum access privileges necessary for their role (“least privilege” principle). Administrative access to databases or storage containing Customer Personal Data is limited to a small number of authorized engineers or administrators with a legitimate need.
- Account Management: Access rights are reviewed periodically, and promptly revoked or modified upon role change or termination of an employee. Default access for new employees does not include Customer data unless required. Shared accounts are not used for accessing sensitive systems; individual accountability is maintained.
- Credentials: Passwords and access keys are required to meet complexity standards and are stored in encrypted form. Propel employs a secure credential vault for managing secrets and API keys, with tight access controls.
- Data Encryption: Propel protects Personal Data in transit and at rest with strong encryption:
- In Transit: All network communications between Customer’s systems and Propel’s platform are encrypted using TLS (HTTPS) with up-to-date protocols and ciphers. This applies to web interfaces, APIs, and any git or CI/CD integrations to ensure that Personal Data (such as code or user info) is not intercepted during transfer.
- At Rest: Customer Personal Data (including code, analysis results, databases, and backups) is encrypted at rest using industry-standard encryption algorithms (for example, AES-256 encryption for data stored in AWS). Encryption keys are managed securely (using AWS Key Management Service (KMS) or equivalent), and access to keys is restricted to authorized personnel.
- Network Security & System Integrity: Propel employs multiple layers of network and application security defenses:
- Firewalls and Isolation: Propel’s cloud environment is configured with virtual network segmentation and security groups that limit inbound and outbound traffic to only the necessary ports and protocols. Services are isolated in private subnets where applicable, inaccessible directly from the internet except through secure ingress points.
- Endpoint Security: All servers and containers are configured following secure baseline images. Operating systems and software dependencies are kept up-to-date with security patches to mitigate vulnerabilities. Anti-malware and intrusion detection agents may be installed where appropriate to monitor threats on hosts.
- Intrusion Detection/Prevention: Propel utilizes AWS security services and third-party tools to monitor for unusual or unauthorized activities in its cloud environment. Systems generating logs (see Monitoring below) feed into alerting mechanisms that can highlight potential intrusions or attacks (e.g., port scanning, failed login attempts). Any suspicious activity triggers an internal security review and response.
- Secure Development: Propel follows secure coding practices and peer review for changes to the codebase. The production environment is logically separated from development and testing environments. Secrets (such as API keys or credentials) are not hard-coded and are handled via secure configuration management. Before deployment, code changes are tested, and high-risk changes undergo security review.
- Monitoring and Logging: Propel maintains detailed logging of access and activities within its systems:
- Application and Access Logs: Key events (such as user logins, administrative actions, API calls, data access operations) are logged with timestamps and contextual information. Access to Customer Personal Data (e.g. retrieval of code or personal info) by Propel personnel is logged and monitored.
- Audit Trails: Changes to production infrastructure and configurations are tracked. For example, any elevation of privileges or modifications to firewall rules are logged.
- Log Protection: Logs are stored securely and are protected from tampering (using append-only storage or separate logging services). Access to logs is limited to authorized staff for troubleshooting or security monitoring purposes.
- Alerting: Automated alerts are configured for certain events (e.g., multiple failed login attempts, anomalous usage patterns, or system errors) to notify the engineering or security team for investigation. Propel’s team reviews security logs regularly to identify and respond to potential issues.
- Vulnerability Management: Propel has a vulnerability management program to identify and address security weaknesses:
- Patching: Operating system patches and application updates are applied on a regular schedule, with critical security patches applied as soon as feasible. Dependencies and libraries used in the Propel Platform are monitored for known vulnerabilities (e.g., via services or scanners), and updated accordingly.
- Vulnerability Scans: Regular vulnerability scans are performed on Propel’s systems and applications to detect known vulnerabilities or misconfigurations. This may include the use of automated scanning tools and external penetration testing. Any findings are evaluated and remediated based on severity.
- Penetration Testing: Propel may engage independent security experts to perform penetration tests on the platform periodically. Results of such tests are reviewed by management and any high-severity issues are fixed promptly.
- Bug Bounty/Reporting: Propel encourages responsible disclosure of security issues. If external researchers or users identify potential vulnerabilities, Propel will investigate and remediate as appropriate.
- Business Continuity and Backup: Propel maintains measures to ensure availability and rapid restoration of the service and data:
- Redundancy: The cloud infrastructure is designed for high availability, with redundant servers, storage, and network components minimizing single points of failure. Data is stored on reliable, redundant storage systems. Key services are deployed in a load-balanced or failover configuration.
- Backups: Regular backups of critical Customer data (such as stored code or analysis results, if persisted) are performed. Backups are encrypted and stored securely (including off-site or in geographically separate AWS regions as needed to protect against regional outages). Backup data is tested periodically for integrity and restoration.
- Disaster Recovery: Propel has a disaster recovery plan which includes processes to recover services in the case of a major incident (like a data center outage). Recovery procedures aim to restore functionality and data with minimal data loss (RPO – Recovery Point Objective) and within an acceptable downtime (RTO – Recovery Time Objective). These objectives are defined internally and tested to ensure they can be met.
- Business Continuity: Beyond IT systems, Propel maintains contingency plans for key business functions and workforce availability. Remote work capabilities and distributed team structure help ensure support and operations can continue in various scenarios.
- Incident Response: Propel has an established Incident Response Plan for security incidents:
- Response Team: Propel has designated a response team (or personnel) responsible for managing security incidents. Team members are trained to follow a defined process when an incident is suspected or confirmed.
- Procedure: The incident response procedure includes steps for identification, containment, eradication, recovery, and follow-up. Upon detection of a potential incident, the team will assess the severity, contain the issue (e.g., isolating affected systems, revoking compromised credentials), and mitigate further damage.
- Communication: Internal escalation paths are defined to ensure that incidents are promptly communicated to senior management and, when appropriate, to Customer (as described in Section 3.5 of the DPA) and law enforcement or regulators if required. Propel commits to providing timely and transparent updates to Customer throughout the investigation and resolution of any major incident affecting Customer Personal Data.
- Investigation and Follow-Up: Propel will investigate the root cause of incidents and implement necessary improvements or corrective actions. A post-incident review is conducted to update response plans and security measures to prevent similar incidents in the future.
- Organizational Measures & Governance:
- Policies: Propel has internal privacy and security policies governing the processing of personal data, data confidentiality, acceptable use of systems, and incident management. These policies are reviewed and updated at least annually or as needed to reflect changes in practices or law.
- Employee Training and Awareness: All employees undergo background checks in accordance with local law and industry standards as part of hiring (particularly those in sensitive positions). Propel provides training to employees upon hiring and periodically thereafter regarding data security, privacy, and confidentiality. This training includes best practices for data handling, recognizing social engineering attempts, and employees’ duty to protect Personal Data.
- Confidentiality Agreements: Propel ensures that employees and contractors with access to Customer Personal Data sign confidentiality agreements or are otherwise bound to maintain the confidentiality and security of such data, both during and after their engagement.
- Vendor Management: Propel evaluates the security and privacy practices of Subprocessors and critical vendors who may have access to Customer Personal Data. Propel enters into Data Processing Agreements with all Subprocessors imposing equivalent security obligations. Propel monitors Subprocessors’ compliance (for example, reviewing their security certifications or audit reports annually) and addresses any identified risks or incidents involving those Subprocessors.
- Governance and Oversight: Propel’s management is involved in overseeing information security and data protection compliance. If applicable, a data protection officer (DPO) or security officer is tasked with monitoring compliance and advising on Propel’s obligations. Regular internal audits or reviews are conducted to assess adherence to security policies and the effectiveness of controls.
- Privacy by Design & Default: Propel follows privacy by design principles in its product development lifecycle. Features and systems are designed to limit Personal Data collection to what is necessary (“data minimization”) and to use de-identified or aggregated data where possible. Default settings in the service are configured to the most privacy-friendly options that do not compromise utility (for example, data visibility is limited to the Customer’s organization; debug logs do not expose Personal Data unnecessarily, etc.). Any new processing of Personal Data or new feature undergoes a risk assessment, and if high risk, a Data Protection Impact Assessment (DPIA) is conducted and reviewed by appropriate stakeholders.
- Certifications and Standards: Propel aligns its security program with industry standards such as ISO 27001 and the NIST Cybersecurity Framework (CSF). While specific certifications (e.g., ISO 27001, SOC 2) may be pursued or maintained by Propel, the security measures in place are designed to meet the equivalent rigor of such standards. Upon request, and to the extent such evaluations have been completed, Propel can provide documentation or summaries of independent evaluations of its security (e.g., a SOC 2 Type II report) to give Customer additional assurance of these controls.
- Documentation and Auditability: Propel maintains documentation of its security measures and can provide customers with relevant information to demonstrate compliance with this Annex and the security obligations under Applicable Data Protection Laws. Propel enables audits as described in Section 3.9 of the DPA, and cooperates with Customer or third-party auditors to verify that these technical and organizational measures are in place and effective.
The above measures are in place as of the Effective Date of the DPA. Propel may update or enhance its security measures from time to time, provided that no such change will result in a material reduction of the protection for Customer Personal Data. Significant improvements or changes will be reflected in an updated Annex II or notified to Customer as appropriate.
ANNEX III – APPROVED SUBPROCESSORS
This Annex III lists the Subprocessors that are currently engaged by Propel to carry out processing activities on Customer Personal Data. These Subprocessors are authorized to process Customer Personal Data strictly for the purposes of providing the Subscription Services and in accordance with the DPA. Propel will update this Annex to reflect any changes in Subprocessors, and will provide notice to Customer of such changes as described in Section 4.2 of the DPA.
Current Subprocessors (as of the DPA Effective Date):
- Amazon Web Services, Inc. (AWS) – Cloud Infrastructure Provider.
Location: United States (primary region: us-west or us-east).
Data Processing Role: Hosting and storage of all service data (application servers, databases, backups). AWS acts as the foundational infrastructure on which the Propel platform runs. Customer Personal Data is stored in AWS data centers. AWS is ISO 27001, SOC 1/2/3, and GDPR-compliant as a processor. Propel’s contract with AWS includes the AWS GDPR Data Processing Addendum.
- Logging/Monitoring Service (Datadog, Sentry, LogRocket) – Cloud Monitoring and Logging.
Location: United States (with global infrastructure).
Data Processing Role: Used to store and analyze operational logs and error reports from the Propel service. These logs may incidentally contain limited Personal Data (such as user IDs or filenames) as necessary for troubleshooting. The service provider ensures security of log data and acts under Propel’s instructions.
Propel will maintain an up-to-date list of subprocessors at a URL or upon request to Customer.
Subprocessor Commitments: Propel has executed written agreements with each Subprocessor imposing data protection obligations equivalent to those in this DPA, including requirements to implement adequate security measures (consistent with Annex II) and to process Personal Data only for the purposes of assisting Propel in providing the services to Customer. Propel has assessed the security and privacy practices of these Subprocessors to ensure they meet appropriate standards. In accordance with Section 4.3 of the DPA, Propel remains liable for any acts or omissions of its Subprocessors that cause Propel to breach its obligations to Customer.
Updates: Propel will provide notice of any new Subprocessors at least 15 days in advance of their engagement, allowing Customer the opportunity to object per Section 4.2. The current Subprocessor list may also be available on Propel’s website or by inquiry to legal@propelcode.ai, and includes any additional details or updates.
International Transfers by Subprocessors: Where Subprocessors will be processing or accessing Customer Personal Data outside of the EEA/UK/Switzerland, Propel will ensure that appropriate data transfer safeguards are in place between Propel and the Subprocessor (such as the SCCs or the Subprocessor’s certification to the EU-US Data Privacy Framework, if applicable). For example, AWS as a US entity is covered by SCCs in Propel’s agreement with AWS, thereby permitting lawful transfer of data to AWS’s US data centers. Propel shall make information about such transfer safeguards available to Customer on request.
ANNEX IV - UK ADDENDUM
The UK International Data Transfer Addendum (issued by the UK ICO, version B1.0) is hereby appended and incorporated when required for transfers of Personal Data from the UK to a third country. Where the UK Addendum applies, Tables 1 to 3 of the Addendum are deemed populated with the information from Annex I and II above, and Table 4 is set to “neither party” as the option for early termination. The Addendum is effective the same date as this DPA and is entered into by the Customer (as “Exporter”) and Propel (as “Importer”). In the event of conflict between the terms of the UK Addendum and any other part of this DPA, the terms of the UK Addendum shall prevail for UK transfers.
IN WITNESS WHEREOF, the Parties hereto have executed this Agreement as of the Effective Date.
Propel: | Customer:
By: | By:
Name: | Name:
Title: | Title:
Date: | Date: