Version 1.0
Released April 14, 2025
This Costa Security Data Processing Agreement (Version 1.0) will remain hosted on this page at https://about.costa.security/dpa-1-0.
Any future changes to these terms will be issued under a new version number and posted on a different web page.
If you signed a separate Cover Page for a Data Processing Agreement to access the Product with the same account, and that agreement has not ended, the terms below do not apply to you. Instead, your separate Cover Page applies to your use of the Product.
This Data Processing Agreement (“DPA”) has 2 parts: (1) the Key Terms on this Cover Page and (2) the Common Paper DPA Standard Terms Version 1.0 posted at https://commonpaper.com/standards/data-processing-agreement/1.0 (“DPA Standard Terms”) which is incorporated by reference.
By using the Product, you agree to be bound by this DPA, and represent that you have the legal authority to bind your company to this DPA.
If there is any inconsistency between the parts of the DPA, the Cover Page will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given on the Cover Page. However, if the Cover Page omits or does not define a highlighted word, the default meaning will be “none” or “not applicable” and the correlating clause, sentence, or section does not apply to this Agreement. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement.
Cover Page
Key Terms
Agreement
This DPA supplements the following agreement: https://about.costa.security/terms/1-0
Approved Subprocessors
https://about.costa.security/subprocessors
Provider Security Contact
hi@costa.security
3790 El Camino Real #1090, Palo Alto, California 94306, United States of America
Security Policy
As defined in the Agreement
Other Changes to the DPA Standard Terms
Governing Law and Chosen Courts
Notwithstanding the governing law or similar clauses of the Agreement, all interpretations and disputes about this DPA will be governed by the laws of the Governing State without regard to its conflict of laws provisions. In addition, and notwithstanding the forum selection, jurisdiction, or similar clauses of the Agreement, the parties agree to bring any legal suit, action, or proceeding about this DPA in, and each party irrevocably submits to the exclusive jurisdiction of, the courts of the Governing State. Governing State means: Delaware
Service Provider Relationship
To the extent California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq (“CCPA”) applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA.
Restricted Transfers
Governing Member State
EEA Transfers: Ireland
UK Transfers: England
Data Exporter
Name: the Customer signing this DPA
Activities relevant to transfer: See Annex 1(B)
Role: Controller
Data Importer
Name: the Provider signing this DPA
Contact person: Jacob Heimark, CEO
Address: 3790 El Camino Real #1090, Palo Alto, California 94306, United States of America
Activities relevant to transfer: See Annex 1(B)
Role: Processor
Annex I(B) Description of Transfer and Processing Activities
Service
The Service is:
Costa Security Platform
Categories of Data Subjects
Customer's end users or customers
Customer's employees
Categories of Personal Data
Name
Contact information such as email, phone number, or address
Transactional information such as account information or purchases
User activity and analysis such as device information or IP address
Location information
Special Category data
Is special category data (as defined in Article 9 of the GDPR) Processed?
No
Frequency of Transfer
Continuous
Nature and Purpose of Processing
Receiving data, including collection, accessing, retrieval, recording, and data entry
Holding data, including storage, organization, and structuring
Protecting data, including restricting, encrypting, and security testing
Returning data to the data exporter or data subject
Duration of Processing
Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws.
Annex I(C)
Competent Supervisory Authority
The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.
Annex II
Technical and Organizational Security Measures
Provider and Customer have not changed the DPA Standard Terms except for the details on the Cover Page above. By signing this Cover Page, each party agrees to enter into this DPA as of the date of first usage of the Product.