Data Processing Addendum

1. Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between DataSetIQ ("Processor") and the customer ("Controller") who uses the Services and, where applicable, the DataSetIQ Terms of Service ("Agreement").

2. Subject Matter and Duration

This DPA governs DataSetIQ's Processing of Personal Data on behalf of Controller in connection with the Services. Processing will continue for the duration of the Agreement, unless otherwise required by law.

3. Roles of the Parties

For purposes of Applicable Data Protection Laws, Controller is the controller (or equivalent) and DataSetIQ is the processor (or equivalent) Processing Personal Data on Controller's behalf.

4. Processing Instructions

DataSetIQ will Process Personal Data only:

• to provide and improve the Services;
• as documented in the Agreement and this DPA; and
• as required by law, in which case DataSetIQ will inform Controller unless prohibited.

5. Confidentiality and Security

DataSetIQ will ensure persons authorized to Process Personal Data are bound by confidentiality obligations and will implement appropriate technical and organizational measures as described on our Security & Compliance page.

6. Subprocessors

Controller authorizes DataSetIQ to engage Subprocessors for the Processing of Personal Data. DataSetIQ will:

• impose data protection obligations on Subprocessors that are no less protective than those in this DPA; and
• remain responsible for Subprocessor performance.

A current list of Subprocessors is maintained at /legal/subprocessors.

7. International Transfers

Where DataSetIQ transfers Personal Data outside the EEA/UK to a country without an adequacy decision, DataSetIQ will rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms.

8. Data Subject Requests

Taking into account the nature of Processing, DataSetIQ will provide reasonable assistance to Controller in responding to Data Subject requests to exercise rights under Applicable Data Protection Laws.

9. Data Breach Notification

In the event of a Personal Data Breach affecting Controller's Personal Data, DataSetIQ will notify Controller without undue delay and provide available information to support required notifications under Applicable Data Protection Laws.

10. Data Retention and Deletion

Upon termination of the Agreement, DataSetIQ will delete or anonymize Personal Data within a reasonable period, unless retention is required by law. Copies in backups will be deleted in accordance with retention schedules.

11. Audits

DataSetIQ will provide documentation reasonably necessary to demonstrate compliance with this DPA. Where legally required, Controller may request an audit, which will be subject to reasonable notice, scope, and confidentiality obligations.

12. Precedence

In case of conflict between this DPA and the Agreement regarding data protection, this DPA will prevail to the extent of the conflict.