Data Processing Addendum

"Controller," "Processor," "Data Subject," "Personal Data," "Processing," and "Supervisory Authority" have the meanings given in the GDPR. "Applicable Data Protection Law" means all privacy and data-protection laws applicable to the processing, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss FADP, and U.S. state privacy laws such as the California Consumer Privacy Act (CCPA). "Customer Personal Data" means Personal Data contained in Customer Content or telemetry that we process on your behalf under the Terms. "Sub-processor" means any third party we engage to process Customer Personal Data. "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for transfers of Personal Data to third countries.

In Short: You are the controller; we are your processor for Customer Personal Data.

For Customer Personal Data, you act as the Controller (or as a processor on behalf of a third-party controller) and SEW INC. acts as your Processor. The subject matter, nature, purpose, and duration of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I. Each party will comply with its obligations under Applicable Data Protection Law.

We will process Customer Personal Data only on your documented instructions — including as set out in the Terms, this DPA, and your configuration of the Services — unless required to do otherwise by law, in which case we will inform you unless legally prohibited. If we believe an instruction violates Applicable Data Protection Law, we will inform you. We will not sell Customer Personal Data, and we will not process it for our own purposes or for advertising.

You are responsible for the lawfulness of Customer Personal Data and of your processing instructions, including having a valid legal basis and providing all required notices to, and obtaining all required consents from, Data Subjects (including end users of your protected applications). You will not provide us with special categories of Personal Data except where necessary and lawful, and you are responsible for configuring the monitoring and telemetry features appropriately.

We ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as necessary to provide the Services.

We implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as described in Annex II. You are responsible for your own use of the Services, including securing your account credentials and access.

In Short: You authorize the sub-processors listed in Annex III; we remain responsible for them.

You provide general authorization for us to engage the Sub-processors listed in Annex III to process Customer Personal Data. We impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will provide notice of any intended addition or replacement of a Sub-processor and give you a reasonable opportunity to object on reasonable data-protection grounds; if you object, the parties will work in good faith to resolve the matter, and you may terminate the affected Services if it cannot be resolved.

Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law. If we receive such a request directly, we will, where permitted, direct the Data Subject to you.

We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to us to help you meet your breach-notification obligations. Our notification is not an acknowledgment of fault or liability.

Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance with your data protection impact assessments and prior consultations with Supervisory Authorities, as required by Applicable Data Protection Law.

We process Customer Personal Data in the United States. Where Customer Personal Data originating in the EEA, the United Kingdom, or Switzerland is transferred to a country without an adequacy decision, the parties agree that the Standard Contractual Clauses (and, for the United Kingdom, the UK International Data Transfer Addendum) are incorporated into this DPA by reference and apply to such transfers, and we will, where applicable, rely on the EU-U.S. Data Privacy Framework. For the SCCs, you are the "data exporter" and SEW INC. is the "data importer," Module Two (Controller-to-Processor) applies, and the docking option and governing-law and forum selections are completed consistent with this DPA and the Terms.

Upon termination of the Services, we will, at your choice, delete or return Customer Personal Data and delete existing copies, except to the extent retention is required by law. Customer Content and telemetry are deleted in accordance with the retention practices described in our Privacy Policy; data held in backups is deleted or isolated until deletion is possible.

We will make available to you information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality, security, frequency, and notice conditions. We may satisfy audit requests by providing then-current third-party certifications or reports where available.

In Short: For the CCPA and similar laws, we act as a "service provider" and do not sell or share Customer Personal Data.

To the extent the CCPA or a similar U.S. state law applies, we act as a "service provider" (or "processor") and not a "third party." We will not sell or share Customer Personal Data; will not retain, use, or disclose it except as necessary to provide the Services or as permitted by law; will not process it outside the direct business relationship; and will not combine it with Personal Data from other sources except as permitted by law. We certify that we understand and will comply with these restrictions.

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

This DPA takes effect when you accept the Terms or begin using the Services and remains in effect for as long as we process Customer Personal Data. In the event of a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA controls; the SCCs prevail over both in the event of a conflict concerning restricted transfers. This DPA is governed by the law stated in the Terms, except where Applicable Data Protection Law requires otherwise.

Parties

Data exporter: the Customer identified in the account. Data importer: SEW INC.

Categories of Data Subjects

• Your authorized users and account contacts.
• End users of the applications you protect, for the telemetry features you enable.

Categories of Personal Data

• Account data: names, business email addresses, and account identifiers.
• Customer Content: application files you upload, which may contain Personal Data you have embedded.
• Telemetry: runtime threat-detection events, crash and stability diagnostics, and device metadata such as device model, operating-system version, CPU architecture, application version, coarse region or locale, timestamps, and pseudonymous identifiers.

Special categories of data

None are intended or required. You are responsible for not submitting special-category data except where lawful.

Nature, purpose, and duration

Processing to provide the Services — protecting uploaded applications and operating the monitoring and telemetry features — as described in the Terms, for the term of the Services and the retention periods described in our Privacy Policy.

• Encryption of Customer Personal Data in transit (TLS) and at rest.
• Authentication and role-based access controls, on a least-privilege, need-to-know basis.
• Per-application authentication for telemetry ingestion.
• Network and application security controls and monitoring.
• Logical separation of customer data within our systems.
• Secure software-development practices and change management.
• Regular backups and resilience measures.
• Vendor and sub-processor due diligence.

These measures may be updated as the Services evolve, provided the level of protection is not materially decreased.

• Vercel Inc. — web application hosting and content delivery (United States).
• Convex, Inc. — database, backend functions, and telemetry ingestion and storage (United States).
• Fly.io, Inc. — compute for the protection engine that processes uploaded applications (United States).
• Tigris Data, Inc. — object storage for uploaded application files and protected outputs (United States).

Stripe, Inc. processes billing data for payments and does not process end-user telemetry. A current list of Sub-processors is available on request.

Questions about this DPA, or to submit data-protection requests, contact our Data Protection Officer, Min Hong, at dpo@se.works.

SEW INC., 200 Continental Drive, Suite 401, Newark, DE 19713, United States.