Last Updated: March 1, 2025

This Data Processing Addendum, including its schedules and the Standard Contractual Clauses (collectively, the "DPA"), is incorporated into and is subject to the terms and conditions of the Sublime Terms of Service ("Agreement") between the Sublime Security contracting entity identified in the Agreement ("Sublime") and the party identified as the customer in the Agreement ("Customer") pursuant to which Sublime provides certain Services to Customer.

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Sublime Processes Personal Data on behalf of Customer when providing the Services protected by Applicable Data Protection Law under the Agreement.

By entering into the Agreement, Customer enters into this DPA, and the Standard Contractual Clauses (as applicable and as defined below) on behalf of itself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of its Affiliates (if any) permitted to use the Services. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and such Affiliates.

The parties agree as follows:

  1. Definitions
    1. "Affiliates" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity. "Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests (as measured on a fully-diluted basis) then outstanding of the entity in question. The term "Controlled" will be construed accordingly.
    2. "Applicable Data Protection Law" means all data protection and privacy laws and regulations applicable to Sublime's provision of the Services to its customers generally, including, without limitation the European Data Protection Law and US Data Protection Law (without regard to Customer’s particular use of the Services).
    3. "Controller" means an entity that alone or jointly with others determines the purposes and means of Processing of Personal Data. For purposes of this DPA, a Controller includes a "business" as such term is defined under US Data Protection Law or a similar designation under Applicable Data Protection Law.
    4. "Customer Data" means any Personal Data Processed by Sublime in accordance with Section 2.1 of this DPA in connection with the Services, and as more particularly described in Schedules 1 and 2 of this DPA (as applicable).
    5. "Data Privacy Framework" means, as applicable, EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework.
    6. "Europe" means, for the purposes of this DPA, the member states of the European Economic Area ("EEA"), Switzerland and the United Kingdom ("UK").  
    7. "European Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("EU GDPR"); (ii) the EU GDPR as saved into UK law by virtue of section 3 of the UK's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively referred to for these purposes as the "UK GDPR"); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances, as revised as of 25 September 2020 ("Swiss DPA"); (iv) the e-Privacy Directive (Directive 2002/58/EC); (v) any applicable national data protection laws made under or pursuant to or that apply in conjunction with (i), (ii), (iii) or (iv) (in each case, as superseded, amended or replaced from time to time).
    8. "Personal Data" means all information relating to an identified or identifiable natural person or consumer ("Data Subject" or "Consumer" as applicable), including any data or information that is deemed “personal data”, "personally identifiable information" and/or “personal information” under Applicable Data Protection Law.
    9. "Process," "Processes," "Processing," "Processed" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, destruction, or creating information from, Personal Data.
    10. "Processor" means an entity that Processes Personal Data on behalf, and in accordance with the instructions, of a Controller. For purposes of this DPA, a Processor includes a "service provider" as such term is defined by US Data Protection Law, or any similar or analogous designation under Applicable Data Protection Law.
    11. "Restricted Transfer" means: (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission ("ex-EEA"); (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018 ("ex-UK"); and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
    12. "Security Incident" means a personal data breach or any confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise Processed by Sublime in connection with the provision of the Services. "Security Incident" shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks and other network attacks on firewalls or networked systems.
    13. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021, as amended by the UK Addendum where applicable. 
    14. "Sub-processor" means any third party that has access to the Customer Data and which is engaged by Sublime or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Sublime Affiliates but shall exclude any Sublime employee, contractor or consultant. 
    15. "Sublime Account Data" means Personal Data that relates to Sublime’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Sublime Account Data also includes any Personal Data Sublime may need to collect for the purpose of managing its relationship with Customer (including communications and support), identity verification, or as otherwise required by applicable laws and regulations.
    16. "Sublime Usage Data" means Services usage data collected and processed by Sublime in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent security threats and malicious activity (e.g., Threat Intelligence), as may be more specifically set forth in the Agreement.
    17. "Supervisory Authority" means any regulatory, supervisory, governmental, state agency, Attorney General or other competent authority with jurisdiction or oversight over compliance with Applicable Data Protection Law.
    18. "UK Addendum" means the "UK Addendum to the EU Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the UK Data Protection Act 2018.
    19. "US Data Protection Law" means all privacy laws and regulations applicable in the United States, including the: (i) California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the “CCPA”); (ii) Colorado Privacy Act (the “CPA”); (iii) Connecticut Data Privacy Act (the “CTDPA”); (iv) Delaware Personal Data Privacy Act (“DPDPA”); (v) Iowa Consumer Data Protection Act (“ICDPA”); (vi) Montana Consumer Data Privacy Act (“MCDPA”); (vii) Nebraska Data Privacy Act (“NDPA”); (viii) Oregon Consumer Privacy Act (“OCPA”); (ix) Texas Data Privacy and Security Act (“TDPSA”); (x) New Hampshire Privacy Act (“NHPA”); (xi) New Jersey Privacy Act (“NJPA”); (xii) Utah Consumer Privacy Act (the “UCPA”); and (xiii) the Virginia Consumer Data Protection Act (the “VCDPA”), in each case as may be amended or superseded from time to time. The terms “controller” and “processor” include “business” and “service provider,” respectively, each as defined in the CCPA.
  2. Scope and Relationship of the Parties 
    1. Scope. This DPA applies to the extent Sublime Processes any Customer Data protected by Applicable Data Protection Law in the course of providing the Services pursuant to the Agreement as follows:
      1. Where Customer is a Controller of the Customer Data covered by this DPA, Sublime shall be a Processor Processing Customer Data on behalf of the Customer and this DPA shall apply accordingly;
      2. Where and to the extent Sublime and/or each relevant Sublime Affiliate Processes Customer Data as a Controller, Sublime will Process such Customer Data in compliance with Applicable Data Protection Law, the Sublime Privacy Policy which can be found at https://sublime.security/privacy, and Sections 3, 5.1, 5.2, 6 and 8 of this DPA, to the extent applicable, only.
    2. Sublime Processing of Personal Data. As a Processor, Sublime shall Process Customer Data only for the purposes described in Schedules 1 and 2 of this DPA (the "Business Purposes") and only in accordance with Customer's documented lawful instructions, except to the extent required by Applicable Data Protection Law. The parties agree that this DPA and the Agreement set out the Customer's complete and final instructions to Sublime in relation to the Processing of Customer Data, and (if applicable) include and are consistent with all instructions from third party Controllers, and Processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Sublime. Without prejudice to Section 2.3, Sublime shall notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Law, if it becomes aware or believes that any Processing instruction from Customer violates Applicable Data Protection Law. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that Sublime may be required to provide to or receive from a third party Controller.  
    3. Customer Responsibilities. Customer is responsible for the lawfulness of Customer Data Processing under or in connection with the Agreement. Customer represents and warrants that: (i) it has provided, and will continue to provide, all notice and obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Law for Sublime to lawfully Process Customer Data for the purposes contemplated by the Agreement; (ii) it has complied with Applicable Data Protection Law as a Controller of Customer Data for the collection and provision to Sublime and its Sub-processors of such Customer Data; and (iii) it shall ensure its Processing instructions comply with applicable laws (including Applicable Data Protection Law) and that the Processing of Customer Data by Sublime in accordance with Customer's instructions will not cause Sublime to be in breach of Applicable Data Protection Law.
  3. Sublime as a Controller
    1. The parties acknowledge and agree that with respect to Sublime Account Data and Sublime Usage Data, Sublime is an independent controller, not a joint controller with Customer. Sublime will process Sublime Account Data and Sublime Usage Data as a controller: (i) to manage the relationship with Customer; (ii) to carry out Sublime’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Sublime is subject; and (vi) as otherwise permitted under Privacy Laws and in accordance with this DPA and the Agreement. Sublime may also process Sublime Usage Data as a controller to provide, optimize and maintain the Services, to the extent permitted by Applicable Data Protection Law. Any processing by Sublime as a controller shall be in accordance with Sublime's Privacy Policy.
    2. Each party shall be individually and separately responsible for complying with the obligations that apply to it as a separate, independent Controller under Applicable Data Protection Law and neither party shall be responsible for the other party's compliance with Applicable Data Protection Law.  
  4. Sub-processors
    1. Authorized Sub-processors. Customer hereby provides a general authorization to Sublime to engage Sub-processors to process Customer Data on Customer's behalf (with respect to its role as a Processor). The Sub-processors engaged by Sublime depend on the Services purchased by Customer and are made available at Sublime's website at trust.sublime.security/subprocessors ("Sub-processor List"). Such list may be updated by Sublime from time to time in accordance with this Section 4.
    2. Notice. Sublime will provide a mechanism to subscribe to notifications (which may include but are not limited to email notifications) of new Sub-processors and Customer, if it wishes, will subscribe to such notifications where available. If Customer does not subscribe to such notifications, Customer waives any right it may have to receive prior notice of changes to Sub-processors. At least ten (10) days before enabling any third party other than existing Sub-processors to access or participate in the processing of Customer Data, Sublime will add such third party to the Sub-processor List and notify subscribers, including Customer, via the aforementioned notifications.
    3. Sub-processor Obligations. Sublime shall: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require Sub-processor to protect Customer Data to the standard required by applicable European Data Protection Law and this DPA; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Sublime to breach any of its obligations under this DPA. Where required by European Data Protection Law, Sublime shall use reasonable efforts to provide relevant extracts of the agreement with any Sub-processor it appoints to Customer upon request.
    4. Objections to Sub-processors. Customer may object in writing to Sublime’s appointment of a new Sub-processor on reasonable grounds relating to data protection (e.g., if making Customer Data available to the Sub-processor may violate European Data Protection Law or materially weaken the protections for such Customer Data) by notifying Sublime promptly in writing within five (5) calendar days of receipt of Sublime’s notice in accordance with Section 4.2 above. Such notice shall explain the reasonable grounds for the objection and the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If no such resolution can be reached, Sublime will, at its sole discretion, either not appoint the Sub-processor, or permit Customer to suspend or terminate the affected Product in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer before suspension or termination). If such objection right is not exercised by Customer in the terms described above, silence shall be deemed to constitute an approval of such engagement. The obligations and rights under this Section 4 shall only apply to the extent accorded under Applicable Data Protection Law.
  5. Security and Audits 
    1. Security Measures. Taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Sublime shall maintain appropriate technical and organizational security measures designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of Customer Data. Such measures will include, at minimum, those measures described in Schedule 3 of this DPA ("Security Measures"). Sublime shall ensure that any person who is authorized by Sublime to Process Customer Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).  
    2. Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Sublime may update and/or modify the Security Measures from time to time, provided that such updates and/or modifications do not result in the material degradation of the overall security of the Services purchased by the Customer.
    3. Customer Security Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data Processed in connection with the Services. Customer shall maintain appropriate technical and organizational security measures designed to protect Personal Data from Security Incidents and to preserve the security and confidentiality of Personal Data while in its dominion and control.
    4. Security Incident Response. Upon becoming aware of a Security Incident, Sublime shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer. Sublime will, taking into account the nature of the processing and the information available to Sublime, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Data Protection Law with respect to notifying (i) the relevant Supervisory Authority or regulatory agency and (ii) Data Subjects affected by such Security Incident without undue delay. The obligations under this section will not apply in the event that a Security Incident results from the actions or omissions of Customer. Sublime's notification of or response to a Security Incident in accordance with this section will not be construed as an acknowledgment by Sublime of any fault or liability with respect to the Security Incident.
    5. Data Protection Audits. Sublime will keep records of its Processing activities in compliance with Applicable Data Protection Law. On written request from Customer, Sublime shall provide written responses (which may include audit report summaries/extracts) to all reasonable requests for information made by Customer related to its Processing of Customer Data necessary to confirm Sublime's compliance with this DPA, provided that Customer shall not exercise this right more than once in any rolling 12-month period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Sublime has experienced a Security Incident, or on another reasonably similar basis. Nothing herein shall be construed to require Sublime to provide: (i) trade secrets or any proprietary information; (ii) any information that would violate Sublime’s confidentiality obligations, contractual obligations, or applicable law; or (iii) any information, the disclosure of which could threaten, compromise, or otherwise put at risk the security, confidentiality, or integrity of Sublime’s infrastructure, networks, systems, or data.
  6. Return or Deletion of Customer Data
    1. Return or Deletion. Upon termination or expiration of the Agreement, on Customer's request, Sublime shall return or delete all Customer Data Processed by Sublime as a Processor (including copies) in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent Sublime is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which data Sublime shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices, except to the extent required by applicable law. Customer Data Processed by Sublime as a Controller will be deleted or retained in accordance with the Sublime Privacy Policy. If the parties have entered into relevant SCCs as described in Section 8, the parties agree that the certification of deletion of Personal Data that is described in Clause 8.1(d) and Clause 8.5 of the SCCs (as applicable) shall be provided by Sublime to Customer only upon Customer's request.
  7. Rights of Individuals and Cooperation
    1. Data Subject Requests. To the extent Customer is unable to independently access the relevant Customer Data within the Services, Sublime shall, at Customer's expense and taking into account the nature of the Processing, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the Processing of Customer Data under the Agreement. In the event that any such request is made to Sublime directly, and Sublime is able to readily discern that such request is associated with Customer, Sublime shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Sublime is required to respond to such a request, Sublime shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so. 
  8. International Transfers and Jurisdiction Specific Terms
    1. Transfer Jurisdictions. Customer acknowledges and agrees that Sublime and its Sub-processors may transfer (including conduct Restricted Transfers) and Process Customer Data to and in the United States and anywhere else in the world where Sublime, its Affiliates or its Sub-processors maintain Processing operations, as more particularly described in the Sub-processor List. The parties shall ensure that such transfers are made in compliance with the requirements of Applicable Data Protection Law and this DPA. If Sublime transfers Customer Data to a jurisdiction for which the European Commission has not issued an adequacy decision, Sublime will ensure that appropriate safeguards have been implemented for the transfer of Customer Data in accordance with Applicable Data Protection Law.
    2. Ex-EEA Restricted Transfers. The parties agree that when the transfer of Personal Data from Customer (as "Data Exporter") to Sublime (as "Data Importer") is an ex-EEA Restricted Transfer, it shall be made pursuant to (i) the Data Privacy Framework to the extent the recipient of such Restricted Transfer is certified accordingly, or (ii) the SCCs, which shall be automatically incorporated by reference and form an integral part of this DPA, as follows: 
    3. Module One (Controller to Controller) of the EU SCCs applies when Sublime is processing Customer Data as a controller pursuant to Section 3 of this DPA. 
    4. Module Two (Controller to Processor) of the EU SCCs applies when Customer is a controller and Sublime is a processor of Customer Data pursuant to Section 2 of this DPA.
      1. The optional docking clause in Clause 7 will apply;
      2. In Clause 9, Option 2 (general authorization) will apply, and the time period for prior notice of Sub-processor changes is identified in Section 4 of this DPA;
      3. In Clause 11, the optional language will not apply;
      4. All square brackets in Clause 13 are hereby removed;
      5. In Clause 17, Option 1 will apply, and the SCCs will be governed by the law of the EU Member State in which the data exporter is established and if no such law, the laws of the Republic of Ireland;
      6. In Clause 18(b), disputes shall be resolved before the courts of the law of the EU Member State in which the data exporter is established and if no such law, the laws of the Republic of Ireland;
      7. Annex I of the SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA; and 
      8. Subject to Sections 5.1 and 5.2 of this DPA, Annex II of the SCCs shall be deemed completed with the information set out in Schedule 3 to this DPA.
    5. Ex-UK Restricted Transfers. The parties agree that ex-UK Restricted Transfers shall be made pursuant to: (i) the Data Privacy Framework to the extent the recipient of the ex-UK Restricted Transfer is certified accordingly; or (ii) the SCCs as completed in accordance with Section 8.2 above and as amended by the UK Addendum attached as Schedule 4, which shall deemed executed by the parties and incorporated into and form an integral part of this DPA. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
    6. Restricted Transfers from Switzerland. The parties agree that Restricted Transfers from Switzerland shall either be made pursuant to: (i) the Data Privacy Framework to the extent that recipient of the transfer from Switzerland is certified accordingly; or (ii) the SCCs with the following modifications: 
      1. references to "Regulation (EU) 2016/679" or specific Articles thereof shall be interpreted as references to the Swiss DPA and its equivalent sections;
      2. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland", or "Swiss law"; 
      3. the term "member state" shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
      4. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the Swiss Federal Data Protection and Information Commissioner; 
      5. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland"; 
      6. in Clause 17, the SCCs shall be governed by the laws of Switzerland; 
      7. Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland; and
      8. the SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.
    7. Supplementary Measures. In respect of any ex-EEA, ex-UK or Switzerland-related Restricted Transfer, the following supplementary measures shall apply:
      1. As of the date of this DPA, Sublime has not received any formal legal requests from any government intelligence or security service/agencies in the country to which Customer Data is being exported, for access to (or for copies of) Customer Data (“Government Agency Requests”);
      2. If, after the date of this DPA, Sublime receives any Government Agency Requests, Sublime shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Sublime may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer Data to a law enforcement or government agency, Sublime shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Sublime is legally prohibited from doing so. Sublime shall not voluntarily disclose Customer Data to any law enforcement or government agency. Customer and Sublime shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Customer Data pursuant to this DPA should be suspended in the light of such Government Agency Requests; and
      3. Customer and Sublime may meet, as reasonably requested by either Party or as required under applicable Data Protection Laws, to consider whether: (i) the protection afforded by the laws of the country where Sublime is based to data subjects whose Customer Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be; (ii) additional measures are reasonably necessary to enable the transfer to be compliant with Applicable Data Protection Law; and (iii) it is still appropriate for Customer Data to be transferred to the Sublime, considering all relevant information available to the parties, along with guidance provided by Supervisory Authorities. 
    8. Alternative Transfer Arrangement. If, and to the extent Sublime adopts an alternative data export solution (including adopting Binding Corporate Rules or any new version of or successor to the SCCs or Data Privacy Framework adopted pursuant to applicable European Data Protection Law) for the transfer of Customer Data as prescribed by applicable European Data Protection Laws ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable European Data Protection Law and extends to the territories to which Customer Data is transferred) and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect such Alternative Transfer Mechanism. In addition, if and to the extent that a court of competent jurisdiction or a supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Customer Data to a country that does not ensure an adequate level of protection (within the meaning of applicable European Data Protection Law), the parties shall reasonably cooperate to agree and take any actions that may be reasonably required to implement any additional measures or safeguards not described in this DPA or alternative transfer mechanisms ("Alternative Transfer Arrangements") to enable the lawful transfer of such Customer Data.
    9. Data Protection Impact Assessment. To the extent Sublime is required under applicable European Data Protection Law, Sublime shall provide reasonably requested information regarding Sublime's Processing of Customer Data under the Agreement and this DPA to enable Customer to carry out data protection impact assessments or prior consultations with Supervisory Authorities as required by law.
    10. United States. Sublime shall comply with the requirements of US Data Protection Law (as applicable). Capitalized terms used but not defined in this Section 8.8 shall have the same meaning as under US Data Protection Law. The parties agree that Sublime is a "service provider" in the performance of its obligations hereunder, that Customer is a "business," and that the transfer of Customer Data to Sublime shall not be considered a "sale" or "sharing."
    11. Sublime shall Process Customer Data only for the Business Purposes.
      1. As a service provider, Sublime shall not: (a) sell or share Customer Data, as these terms are defined under US Data Protection Law; (b) retain, use, or disclose Customer Data for any purpose other than the Business Purposes, including retaining, using, or disclosing Customer Data for a commercial purpose other than the Business Purposes, except as otherwise permitted by US Data Protection Law; (c) retain, use, or disclose Customer Data outside of the direct business relationship between Sublime and Customer; or (d) combine Customer Data that Sublime receives from, or on behalf of, Customer with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that Sublime may combine personal information to perform any Business Purpose in accordance with US Data Protection Law.
      2. Sublime shall: (a) provide reasonable assistance to Customer where a risk assessment, cybersecurity audit or similar is required under US Data Protection Law and/or where a query, inquiry, complaint or prior consultation with a Supervisory Authority is required regarding compliance with US Data Protection Law; (b) grant Customer the right to take reasonable and appropriate steps to help ensure that Sublime uses Customer Data in a manner consistent with Customer's obligations under US Data Protection Law; (c) notify Customer if Sublime determines that it can no longer meet its obligations under US Data Protection Law; and (d) grant Customer the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Data.
      3. To the extent required by US Data Protection Law, Customer shall inform Sublime of any consumer requests made pursuant to US Data Protection Law that Sublime must comply with, and shall provide all information reasonably necessary for Sublime to comply with such request.
  9. Miscellaneous
    1. Disclosures. Customer acknowledges that Sublime may disclose this DPA (including the Standard Contractual Clauses) and any relevant privacy provisions in the Agreement to the U.S. Department of Commerce, the Federal Trade Commission, a European data protection authority or any other U.S. or European judicial or regulatory body upon their request.
    2. Necessary Modifications. Notwithstanding anything to the contrary in the Agreement, Sublime may modify the terms of this DPA where necessary to (i) comply with a request or order by a Supervisory Authority; (ii) comply with Applicable Data Protection Law; or (iii) implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Applicable Data Protection Law. Supplemental terms may be added as an Annex to this DPA where such terms only apply to the Processing of Customer Data under the Applicable Data Protection Law of specific countries or jurisdictions. Sublime shall provide notice of such changes to Customer, and the modified DPA shall become effective in accordance with the terms of the Agreement or, if not specified in the Agreement, as otherwise provided on Sublime's website.
    3. Conflicts. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.
    4. Claims. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In particular, any claim or remedy Customer or its Affiliates may have against Sublime, its Affiliates, employees, contractors, agents and Sub-processors, arising under or in connection with this DPA, whether in contract, tort (including negligence) or under any other theory of liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the Agreement and this DPA together. Notwithstanding the foregoing, in no event may any party limit its liability with respect to any Data Subject rights or Supervisory Authorities under this DPA.
    5. Severability. If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the DPA.
    6. Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law or the SCCs.

SCHEDULE 1 (C2P TRANSFERS)

Description of the Processing Activities / Transfer

Annex 1(A) List of Parties:

Data Exporter

Name: the party identified as the "Customer" in the Agreement and this DPA
Address: As set out in the Agreement
Contact Person's Name, position and contact details: The contact details specified in this DPA or the Agreement or otherwise associated with Customer's account
Activities relevant to the transfer: See Annex 1(B) below
Role: Controller

Data Importer

Name: Sublime Security, Inc. ("Sublime")
Address: 712 H St NE, PMB 14, Washington, DC 20002, USA
Contact Person's Name, position and contact details: Legal Department, legal@sublimesecurity.com
Activities relevant to the transfer: See Annex 1(B) below
Role: Processor

Annex 1(B) Description of Transfer

Categories of Data Subjects:

Customer’s employees, consultants, contractors, and agents

Categories of Personal Data:

Sublime's Services Process Personal Data contained in email files, including the contents thereof and any attachments. Sublime may process any Personal Data provided by Customer (including any Personal Data Customer collects from its end users and processes through its use of the Services) or collected by Sublime to provide the Services or as otherwise set forth in the Agreement or this DPA, including but not limited to:

  • Name
  • Username
  • Email address
  • Roles / Job Titles
  • Organization, domain and group names and assignments
  • Personal Data contained in rules and configuration settings
  • Personal Data contained in activity and audit logs
  • Online identifiers such as IP addresses (including associated geolocation data)

Sensitive data (if applicable) and applied restrictions or safeguards:

N/A. Customer shall not provide any sensitive personal data or special categories of data to Sublime.

Frequency of the transfer:

Ongoing in accordance with Customer’s documented lawful instructions as described in Section 2.2 of the DPA.

Nature of the Processing:

Customer Data will be processed in accordance with the Agreement and this DPA.

Purpose(s) of the data transfer and further processing:

Providing software security Services to Customer as more fully described in the Agreement.

Retention period (or, if not possible to determine, the criteria used to determine that period):

See Section 6.1 of the DPA.

Annex 1(C): Competent supervisory authority

The competent supervisory authority will be determined in accordance with European Data Protection Law.

SCHEDULE 2 (C2C TRANSFERS)

Description of Processing Activities / Transfer

Annex 1(A) List of Parties:

Data Exporter

Name: the party identified as the "Customer" in the Agreement and this DPA
Address: As set out in the Agreement
Contact Person's Name, position and contact details: The contact details specified in this DPA or the Agreement or otherwise associated with Customer's account
Activities relevant to the transfer: See Annex 1(B) below
Role: Controller

Data Importer

Name: Sublime Security, Inc. ("Sublime")
Address: 712 H St NE, PMB 14, Washington, DC 20002, USA
Contact Person's Name, position and contact details: Legal Department, legal@sublimesecurity.com
Activities relevant to the transfer: See Annex 1(B) below
Role: Controller

Annex 1(B) Description of transfer:

Categories of Data Subjects:

Customer’s employees, consultants, contractors, and agents

Categories of Personal Data:

  • Sublime Account Data
  • Sublime Usage Data

Sensitive data (if applicable) and applied restrictions or safeguards:

N/A

Frequency of the transfer:

Frequency of transfer depends on Customer’s use of the Services.

Nature of the processing:

Sublime primarily offers email security software services. The Services are set out in the Agreement.

Purpose(s) of the data transfer and further processing:

Sublime will process the Personal Data for the following business purposes: (i) account registration, (ii) order and purchase, (iii) customer communications and support, (iv) to operate and enhance Sublime offerings; (v) to prevent, detect and investigate security incidents; and (vi) to resist and respond to malicious, deceptive, fraudulent or illegal actions.

Retention period (or, if not possible to determine, the criteria used to determine that period):

See Sublime’s Privacy Policy as applicable.

Annex 1(C) Competent supervisory authority:

The competent supervisory authority will be determined in accordance with European Data Protection Law.

SCHEDULE 3

Technical and Organizational Measures

The following includes the information required by Annex II of both the EU SCCs and the UK Addendum.

Measures of pseudonymisation and encryption of personal data

Sublime has deployed secure methods and protocols for the transmission of confidential or sensitive information over public networks. Databases housing Customer Data are encrypted at rest. Sublime uses only recommended secure cipher suites and protocols to encrypt all traffic in transit, and Customer Data is encrypted with strong ciphers and configurations when at rest.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Sublime’s customer agreements contain strict confidentiality obligations. Additionally, Sublime requires every downstream Sub-processor to sign confidentiality provisions that are substantially similar to those contained in Sublime’s customer agreements. Sublime has undergone a SOC 2 Type II audit.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Daily, weekly and monthly backups of production datastores are taken. Backups are periodically tested in accordance with information security and data management policies.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Sublime performs internal audits and external audits at least annually to ensure the effectiveness of technical and organisational measures, including a SOC 2 Type II audit.

Measures for user identification and authorisation

Sublime uses secure access protocols and processes and follows industry standard practices for authentication, including Multifactor Authentication and Single Sign On (SSO) where appropriate. Network infrastructure is securely configured to vendor and industry standard practices designed to block all unnecessary ports, services and unauthorized network traffic.

Measures for the protection of data during transmission

Sublime has deployed secure methods and protocols for the transmission of confidential or sensitive information over public networks. Sublime uses only recommended secure cipher suites and protocols to encrypt all traffic in transit (i.e., TLS 1.2).

Measures for the protection of data during storage

Encryption at rest is automated using AWS's transparent disk encryption, which uses industry-standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by AWS.

Measures for ensuring physical security of locations at which personal data are processed.

All Sublime processing occurs in physical data centers managed and protected by AWS in accordance with their security protocols. Access is limited to approved personnel.

Measures for ensuring events logging

Sublime monitors access to applications, tools and resources that process or store Customer Data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.

Measures for ensuring system configuration, including default configuration

Sublime adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. All production changes are automated through CI/CD tools to ensure consistent configurations.

Measures for internal IT and IT security governance and management

Sublime maintains a SOC 2 Type II audit and is generally aligned to the ISO 27001 risk-based information security governance program. The framework for Sublime's security program includes administrative, organizational, technical and physical safeguards reasonably designed to protect the Services and confidentiality, integrity and availability of Customer Data.

Measures for certification/assurance of processes and products

Sublime undergoes regular SOC 2 Type II audits.

Measures for ensuring data minimisation

Customers unilaterally determine what data they route through the Services. As such, Sublime operates on a shared responsibility model and gives Customers control over exactly what data enters the platform. Additionally, Sublime has built self-service functionality into the Services that allows Customers to delete and suppress data at their discretion.

Measures for ensuring data quality

Sublime has a multi-tiered approach to ensuring data quality. These measures include: (i) unit testing to ensure the quality of the logic used to process API calls; (ii) database schema validation rules which execute against data before it is saved to the database; and (iii) a schema-first API design to enforce a strict contract between official clients and API resolvers. Sublime applies these measures across the board, both to ensure the quality of any Usage Data that Sublime collects and to ensure that the Services are operating within expected parameters. Sublime ensures that data quality is maintained from the time a Customer sends Customer Data into the Services until that Customer Data is presented or exported.

Measures for ensuring limited data retention

Customers unilaterally determine what data they route through the Services. As such, Sublime operates on a shared responsibility model. If a Customer is unable to delete Personal Data via the self-service functionality of the Services, then Sublime will delete such Personal Data upon the Customer's written request, within the timeframe specified in this DPA and in accordance with Applicable Data Protection Law. All Personal Data is deleted from the Services following service termination upon request.

Measures for ensuring accountability

Sublime has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Security Incidents, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, Sublime conducts regular third-party audits to ensure compliance with its privacy and security standards.

Measures for allowing data portability and ensuring erasure

Personal Data submitted to the Services by Customer may be deleted by the Customer or at the Customer's request. Personal Data is incidental to Sublime's Services. Based on Privacy by Design and Data Minimization principles, Sublime limits the instances of Personal Data collection and processing within the Services. Most use cases for porting Personal Data from Sublime are therefore not applicable; however, Sublime will respond to all reasonable requests for data porting in order to address Customer needs.

Technical and organizational measures of Sub-processors

Sublime enters into Data Processing Agreements with its Sub-processors containing data protection obligations substantially similar to those contained in this DPA.

SCHEDULE 4

UK Addendum

This Schedule 4 incorporates the UK Addendum, as completed herein, and forms part of this DPA and applies in accordance with Section 8.3 ("ex-UK Restricted Transfers") of the DPA.

Start Date

The date of the Agreement.

Parties

Exporter

Name: The entity identified as the Customer in the Agreement and this DPA.
Address: The address for the Customer associated with its account or otherwise specified in this DPA or the Agreement.
Contact person's name, position and contact details: The contact details specified in this DPA or the Agreement or otherwise associated with Customer's account

Importer

Name: Sublime Security, Inc. ("Sublime")
Address: 712 H St NE, PMB 14, Washington, DC 20002, USA
Contact person's name, position and contact details: Legal Department, legal@sublimesecurity.com

Addendum SCCs

The Approved SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the approved SCCs brought into effect for the purposes of this Addendum: See Section 8.3 of the DPA.

Appendix Information

See Schedules 1 and 2

Ending this Addendum when the Approved Addendum changes

Neither Party

Mandatory Clauses

Part 2: Mandatory Clauses of the UK Addendum, as it is revised under Section 18 of those Mandatory Clauses.