Data Processing Agreement

Parties

This Data Processing Agreement (“DPA” or “Agreement”) is entered into by and between:

Data controller (“Controller” or “Customer”)

Data Processor (“Processor” or “Xygeni”):

Controller and Processor are hereinafter referred to individually as a “Party” and collectively as the “Parties”.

This DPA forms part of the Master Service Agreement or Terms of Service (“Principal Agreement”) between the Parties governing the provision by Xygeni of its application security and software supply chain security services (the “Services”). In the event of conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to data protection matters.

1. Definitions

For the purposes of this DPA:

• “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
• “LOPDGDD” means Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales.
• “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Supervisory Authority”, “Personal Data Breach” shall have the meanings ascribed to them in the GDPR.
• “Customer Data” means any Personal Data submitted by or on behalf of Controller to the Services, or processed by Processor on behalf of Controller in connection with the Services.
• “Sub-processor” means any third party engaged by Processor, with prior authorization from Controller (as described in Clause 7), to process Customer Data on behalf of the Controller.
• “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to GDPR, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
• “Services” means the application security posture management, software supply chain security, vulnerability detection and related services provided by Xygeni to Controller under the Principal Agreement.
• “Applicable Data Protection Law” means the GDPR, LOPDGDD, and any other applicable national data protection legislation as amended from time to time.

2. Roles of the Parties

The Parties acknowledge and agree that:

• Controller acts as the data controller in respect of Customer Data and is responsible for determining the purposes and means of processing Customer Data submitted to the Services.
• Processor acts as the data processor in respect of Customer Data and processes such data solely on behalf of and upon the documented instructions of Controller.
• Each Party shall comply with its respective obligations under Applicable Data Protection Law in its role as Controller or Processor.

Where Xygeni processes personal data for its own purposes (e.g., account management, billing, service improvement analytics), it acts as an independent Controller. Such processing is governed by Xygeni’s Privacy Policy and is outside the scope of this DPA.

3. Subject Matter, Nature and Purpose of Processing

The subject matter, nature, duration and purpose of the processing, as well as the types of Personal Data processed and categories of Data Subjects, are set out in Schedule 1 (Processing Details) to this DPA.

Processor shall process Customer Data only to the extent necessary to provide the Services described in the Principal Agreement and in accordance with Controller’s documented instructions, unless required to do so by applicable law. In such case, Processor shall inform Controller of that legal requirement before processing, unless prohibited by law on important grounds of public interest.

4. Controller’s Instructions

Controller instructs Processor to process Customer Data as necessary to: (a) provide the Services in accordance with the Principal Agreement; (b) comply with Controller’s instructions communicated in writing from time to time; and (c) fulfil Processor’s obligations under this DPA.

Processor shall promptly inform Controller if, in Processor’s reasonable opinion, an instruction from Controller infringes Applicable Data Protection Law. In such event, Processor shall be entitled to cease processing pursuant to such instruction until Controller has clarified or modified the instruction.

Controller warrants and represents that: (a) it has a valid lawful basis under GDPR Art. 6 (and, where applicable, Art. 9) for processing the relevant Personal Data; (b) it has provided all required notices and obtained all required consents; and (c) the transfer of Customer Data to Processor does not violate any applicable laws.

5. Processor Obligations

5.1 Processing restrictions

Processor shall process Customer Data only on the documented instructions of Controller, unless required to do so by applicable EU or Member State law. Processor shall not process Customer Data for its own purposes or disclose it to third parties except as necessary to provide the Services or as required by law.

5.2 Confidentiality

Processor shall ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Data shall be limited to those employees, contractors and sub-processors who need access for the purpose of providing the Services.

5.3 Security measures

Processor shall implement and maintain appropriate technical and organisational measures to protect Customer Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, taking into account:

• the state of the art and the costs of implementation;
• the nature, scope, context and purposes of processing;
• the risks to the rights and freedoms of natural persons, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data transmitted, stored or otherwise processed.

Such measures shall include, at minimum, those set out in Schedule 2 (Technical and Organisational Security Measures) to this DPA. Processor’s ISO 27001 certification provides evidence of a baseline information security management system. Processor shall maintain ISO 27001 certification or equivalent throughout the term of this DPA.

5.4 Data Subject Rights

Processor shall, taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures, insofar as this is possible, to fulfil Controller’s obligation to respond to requests for exercising Data Subjects’ rights under Applicable Data Protection Law (including the rights of access, rectification, erasure, restriction, portability and objection under GDPR Articles 15–22).

Processor shall: (a) promptly notify Controller if Processor receives a request from a Data Subject in respect of Customer Data; (b) not respond to such requests except on the documented instructions of Controller or as required by applicable law; and (c) provide Controller with reasonable assistance in responding to such requests within the applicable statutory deadlines (30 days under GDPR Art. 12).

5.5 Assistance with Controller’s obligations

Processor shall assist Controller in ensuring compliance with the obligations under GDPR Articles 32–36, taking into account the nature of processing and the information available to Processor, including with respect to:

• security of processing (Art. 32);
• notification of Personal Data Breaches to the supervisory authority and communication to Data Subjects (Arts. 33–34);
• data protection impact assessments and prior consultation (Arts. 35–36).

5.6 Deletion or return of data

Upon termination or expiration of the Principal Agreement, or upon Controller’s request, Processor shall, at Controller’s choice, delete or return to Controller all Customer Data in its possession, and shall delete existing copies, unless applicable EU or Member State law requires storage of the Personal Data. Processor shall confirm completion of deletion in writing within 30 days of the relevant trigger.

Processor’s standard data retention schedule (set out in Schedule 1) shall apply unless Controller makes an earlier request for deletion.

5.7 Audit and demonstration of compliance

Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations set out in this DPA, and shall allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller.

Processor may satisfy this obligation by providing:

• a copy of its current ISO 27001 certificate or SOC 2 Type II report (once obtained);
• completion of Controller’s security questionnaire (within 10 business days of receipt);
• reasonable on-site audits upon 30 days’ prior written notice, at Controller’s expense, no more than once per calendar year (unless there is a reasonable suspicion of non-compliance).

6. Personal Data Breach Notification

Processor shall notify Controller without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach affecting Customer Data. Such notification shall include, to the extent available at the time:

• a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
• the name and contact details of the data protection officer or other contact point from whom more information can be obtained;
• a description of the likely consequences of the Personal Data Breach;
• a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where it is not possible to provide all the above information simultaneously, the information may be provided in phases without undue further delay. Processor shall cooperate with Controller and take such reasonable steps as Controller may require to assist in the investigation, mitigation and remediation of the breach.

The Parties acknowledge that the obligation under GDPR Article 33 to notify the competent supervisory authority (Agencia Española de Protección de Datos — AEPD, or other relevant authority) within 72 hours of becoming aware of a Personal Data Breach rests with Controller as data controller. Processor’s notification to Controller under this Clause is intended to enable Controller to fulfil this regulatory obligation. Processor’s notification shall not constitute an admission of fault or liability.

7. Sub-processors

7.1 General authorisation

Controller grants Processor general authorisation to engage Sub-processors as listed in Schedule 3 (Approved Sub-processors) to this DPA. Processor shall impose on each Sub-processor data protection obligations equivalent to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

7.2 Changes to Sub-processors

Processor shall notify Controller of any intended changes concerning the addition or replacement of Sub-processors by: (a) updating the Sub-processor list published at https://xygeni.io/legal/subprocessors with the revised “Last updated” date; and (b) providing written notice to Controller at least ten (10) days prior to the change taking effect. Controller may object to the change on reasonable data protection grounds within seven (7) days of such notification. If Controller objects and the Parties cannot resolve the objection, Controller may terminate the Principal Agreement on reasonable notice without penalty.

If Processor engages a Sub-processor, Processor shall remain fully liable to Controller for the performance of that Sub-processor’s obligations to the extent the Sub-processor fails to fulfil its data protection obligations.

7.3 Sub-processor flow-down requirements

For each Sub-processor, Processor shall:

• conduct appropriate due diligence before engaging the Sub-processor;
• enter into a written data processing agreement imposing data protection obligations no less protective than those in this DPA;
• ensure the Sub-processor’s security measures are at least equivalent to those required under Clause 5.3 and Schedule 2;
• include breach notification obligations requiring the Sub-processor to notify Processor within 24 hours of becoming aware of a Personal Data Breach, to enable Processor to meet its 48-hour notification obligation to Controller.

8. International Transfers

Processor shall not transfer Customer Data to a country outside the European Economic Area (EEA) unless:

• the European Commission has adopted an adequacy decision for that country under GDPR Article 45; or
• appropriate safeguards have been implemented in accordance with GDPR Article 46, including but not limited to the Standard Contractual Clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“SCCs”).

Where SCCs are required, Processor shall, upon Controller’s request, execute the applicable SCCs with Controller and/or with the relevant Sub-processor. The applicable module of the SCCs shall be Module Two (Controller to Processor) for transfers from Controller to Processor, and Module Three (Processor to Sub-processor) for onward transfers by Processor to Sub-processors.

The competent supervisory authority for the purposes of the SCCs is the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD), unless otherwise agreed in writing.

Processor shall maintain and make available to Controller, upon request, a current record of all international transfers of Customer Data and the applicable transfer mechanism for each.

9. Data Protection Impact Assessments

Where a processing activity is likely to result in a high risk to the rights and freedoms of natural persons and Controller is required to carry out a Data Protection Impact Assessment (DPIA) under GDPR Article 35, Processor shall provide Controller with reasonable assistance and information as necessary to enable Controller to carry out the DPIA. Processor shall respond to Controller’s reasonable DPIA-related requests within 15 business days.

10. Records of Processing Activities

Processor shall maintain, at Controller’s request, a record of processing activities carried out on behalf of Controller in accordance with GDPR Article 30(2), including: the name and contact details of the Processor and any Sub-processors; the categories of processing carried out on behalf of Controller; transfers of Personal Data to a third country; and a general description of the technical and organisational security measures.

11. Liability

Each Party’s liability to the other under or in connection with this DPA shall be subject to the limitations and exclusions set out in the Principal Agreement. Where a Data Subject has suffered damage as a result of processing that infringes Applicable Data Protection Law, each Party shall be liable for the damage caused by its processing that infringes the GDPR in accordance with GDPR Articles 82–83. Nothing in this Clause limits either Party’s liability to Data Subjects under applicable law.

12. Term and Termination

This DPA shall commence on the date of the Principal Agreement (or the date of execution of this DPA if later) and shall remain in force for the duration of the Principal Agreement. Termination of the Principal Agreement for any reason shall automatically terminate this DPA.

Following termination, Processor’s obligations under Clause 5.6 (deletion or return of data) shall survive and Processor shall complete deletion or return of Customer Data within 30 days of termination. Clauses relating to confidentiality, liability, governing law and audit shall also survive termination.

13. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Spain. The Parties submit to the non-exclusive jurisdiction of the courts of Madrid for the resolution of any dispute arising out of or in connection with this DPA. To the extent that any provision of this DPA conflicts with the SCCs, the SCCs shall prevail.

14. Miscellaneous

Entire Agreement: This DPA, together with its Schedules and the Principal Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, understandings or representations relating to data processing.

Amendments: This DPA may only be amended by written agreement signed by authorised representatives of both Parties.

Severability: If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Precedence: In the event of a conflict between this DPA and the Schedules, the body of the DPA shall prevail unless the Schedule explicitly states otherwise. In the event of conflict between this DPA and the SCCs (where applicable), the SCCs shall prevail.

SCHEDULE 1 — Processing Details

1. Subject Matter

The subject matter of the processing is the provision by Xygeni of application security posture management, software supply chain security analysis, vulnerability detection, CI/CD security monitoring, and related services as described in the Principal Agreement.

2. Nature of Processing

Collection, organisation, structuring, storage, analysis, retrieval, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction of Customer Data.

3. Purpose of Processing

Processing of Customer Data is carried out for the sole purpose of providing the Services to Controller, including: security vulnerability detection and reporting; software supply chain risk analysis; CI/CD pipeline security monitoring; anomaly detection; and customer support.

4. Duration of Processing

Processor shall process Customer Data for the duration of the Principal Agreement. Upon termination, Processor shall retain Customer Data for 3 months after the subscription end date before deletion, unless Controller requests earlier deletion. Trial account data is retained for 1 month after trial expiration.

5. Types of Personal Data

6. Categories of Data Subjects

Data Subjects include: employees, contractors, and other authorised users of Controller who access the Services; contributors (developers, bot accounts, build agents) to repositories and pipelines monitored by the Services; and representatives and contact persons of Controller.

7. Special Category Data

The Services are not designed to process special category personal data as defined in GDPR Article 9. Controller warrants that it will not submit special category personal data to the Services without prior written agreement with Xygeni and implementation of appropriate additional safeguards.

SCHEDULE 2 — Technical and Organisational Security Measures

Xygeni implements the following technical and organisational measures to protect Customer Data, consistent with Xygeni’s ISO 27001 certified information security management system:

Access Control

• Role-based access control (RBAC) enforced across all systems processing Customer Data.
• Multi-factor authentication (MFA) required for all Xygeni personnel accessing production systems.
• Principle of least privilege applied to all user accounts; access rights reviewed quarterly.
• SSH key-based authentication for production server access; password authentication disabled.

Data Encryption

• Customer Data encrypted in transit using TLS 1.2 or higher.
• Customer Data encrypted at rest using AES-256 or equivalent.
• Encryption keys managed through AWS Key Management Service (KMS).

Network Security

• Production systems hosted within AWS Virtual Private Cloud (VPC) with network segmentation.
• Web Application Firewall (WAF) deployed for public-facing endpoints.
• Intrusion detection and prevention systems in place.
• Regular vulnerability scanning and penetration testing of infrastructure and application layers.

Physical Security

• Customer Data hosted in AWS data centres with SOC 2 Type II and ISO 27001 certifications.
• Physical access to data centre facilities restricted to authorised AWS personnel with biometric controls.

Availability and Resilience

• Daily automated backups of all Customer Data, retained for a minimum of 7 days.
• Backup integrity verified periodically.
• Disaster recovery procedures documented and tested annually.

Incident Management

• Security incident response plan maintained and tested annually.
• Security events monitored and logged; alerts reviewed by security operations function.
• Personal Data Breach notification procedures in place to meet the 48-hour notification obligation to Controller.

Personnel

• All Xygeni personnel with access to Customer Data bound by confidentiality obligations.
• Security awareness training conducted for all personnel annually.
• Background checks conducted for personnel with access to production systems, to the extent permitted by applicable law.

Third-Party Management

• Sub-processors assessed for security compliance prior to engagement.
• Data processing agreements in place with all Sub-processors.

Certification

• Xygeni holds ISO 27001 certification (information security management system).
• Xygeni is pursuing SOC 2 Type II certification; certificate will be provided to Controller upon completion.