Data Processing Addendum
Richpanel is committed to protecting the privacy and security of our customers' data. This Data Processing Addendum (the "DPA") sets out the terms under which Richpanel processes personal data on behalf of its customers, in compliance with applicable data-protection laws including the EU General Data Protection Regulation (GDPR), the UK GDPR, and analogous frameworks worldwide.
1. Overview
This DPA is hereby incorporated into the underlying subscription agreement (the "Agreement") between the customer ("Company") and Richpanel Inc., a Delaware corporation ("Service Provider"). It governs the processing of Personal Information that Service Provider performs on Company's behalf in connection with the Richpanel Services.
Key points:
- Defines the roles and responsibilities of Richpanel as a data processor.
- Outlines processing limitations and required security measures.
- Addresses sub-processor engagement and international data transfers.
- Includes provisions for data-subject rights and breach notifications.
- Covers audit rights and compliance with applicable Data Privacy Laws.
2. Definitions
Capitalized terms not defined below have the meaning given to them in the Agreement.
- Data Privacy Laws: applicable laws, rules, regulations, and other legal requirements relating to privacy, data protection, data security, breach notification, or the Processing of Personal Information, including GDPR, UK GDPR, and any successor legislation.
- Personal Information: all information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person, as defined by applicable Data Privacy Laws.
- Processing: any operation or set of operations performed on Personal Information, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
- Security Breach: any unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Information.
- Service Provider: includes the terms "Processor" and equivalent terms as defined under applicable Data Privacy Laws.
- Sub-processor: any third party engaged by Service Provider to Process Personal Information on its behalf.
3. Service Provider Obligations
3.1 Processing limitations
Service Provider shall Process Personal Information solely for the purpose of providing the Services to Company as set out in the Agreement, and in compliance with applicable Data Privacy Laws. Service Provider shall not:
- sell Personal Information;
- retain, use, or disclose Personal Information for any purpose other than the business purposes set out in the Agreement.
3.2 Re-identification prohibition
Service Provider shall not attempt to re-identify any pseudonymized, anonymized, aggregated, or de-identified Personal Information in violation of Data Privacy Laws.
3.3 Legal disclosure
If Service Provider is legally compelled to disclose Personal Information to a third party, it shall disclose only the minimum amount necessary to comply with the legal obligation, and where permitted by law shall notify Company in advance so that Company may seek appropriate protective relief.
3.4 Breach notification
Service Provider shall notify Company without undue delay, and in any event within five (5) business days (or sooner where required by applicable Data Privacy Laws), upon determining that it (a) can no longer meet its obligations under this DPA or Data Privacy Laws, (b) has breached any of its obligations under this DPA, or (c) has experienced a Security Breach affecting Company's Personal Information.
3.5 Data deletion
Upon termination of the Services that involve Processing, Service Provider shall delete all Personal Information from its systems. If Service Provider is legally required to retain Personal Information, or if Company requests retention, Service Provider shall notify Company of the same; thereafter, such Personal Information may continue to be stored within Service Provider's systems but shall be Processed only to comply with applicable Data Privacy Laws.
3.6 Sub-processor engagement
Service Provider may engage Sub-processors to Process Personal Information, provided that Service Provider publishes the current list of Sub-processors at richpanel.com/security/sub-processors and binds each Sub-processor by a written contract to data-protection terms substantially equivalent to those in this DPA. Company has the right to object to the engagement of a new Sub-processor as set out in §6 of the Sub-processor List.
3.7 Assistance with compliance
Service Provider shall provide reasonable cooperation to Company in complying with new or amended Data Privacy Laws. Service Provider will assist with individual-rights requests made by data subjects to Company regarding Personal Information Processed by Service Provider, including requests for access, rectification, erasure, restriction, portability, or objection. If Company requests deletion or modification of Personal Information, Service Provider shall promptly comply and pass along these requests to downstream parties where applicable.
3.8 Audit rights
Company or its designated auditor may audit Service Provider's compliance with this DPA up to once per calendar year, or more frequently if required by a competent supervisory authority. Service Provider shall allow such audits during regular business hours, subject to a mutually agreed audit plan, reasonable confidentiality obligations, and without unreasonable interference with Service Provider's business activities. Service Provider may satisfy its audit obligations by providing copies of its most recent third-party audit reports (e.g. SOC 2 Type II) where permitted by law.
4. Security
Service Provider shall implement and maintain appropriate technical and organizational measures to ensure a level of security for Personal Information appropriate to the risk, including those described in Richpanel's App Security documentation. Specific measures include: encryption of Personal Information at rest and in transit, role-based access controls, least-privilege provisioning, regular penetration testing, secure software-development practices, and incident-response procedures.
5. Compliance
Service Provider and anyone acting on its behalf shall Process Personal Information in compliance with this DPA and applicable Data Privacy Laws. Service Provider warrants that it has no reason to believe it (or anyone acting on its behalf) is in violation of any Data Privacy Law that would prevent it from performing its obligations under this DPA. Service Provider warrants that it has implemented appropriate technical and organizational measures to prevent unauthorized Processing of Personal Information and will continue to do so.
6. Indemnification
Service Provider shall indemnify and hold harmless Company and its affiliates, parents, subsidiaries, employees, officers, contractors, and agents from and against any third-party claims arising from (a) a breach of Service Provider's representations or warranties under this DPA, or (b) a violation of any Data Privacy Law by Service Provider or anyone acting on its behalf.
7. International Transfers
Where Personal Information originating from the European Union, European Economic Area, United Kingdom, or Switzerland is transferred outside those territories, Service Provider certifies compliance with GDPR and related data-protection laws governing such transfers. The parties incorporate by reference, as applicable:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) — Module Two (controller to processor) and Module Three (processor to processor), with selections as set out in Schedule 1.
- UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the "UK Addendum") issued by the Information Commissioner under section 119A of the UK Data Protection Act 2018, version B1.0 (laid before Parliament on 2 February 2022 and in force from 21 March 2022).
- Swiss FDPIC amendments to the EU SCCs, for transfers governed by the Swiss Federal Act on Data Protection.
8. Miscellaneous
Data Protection Officer (DPO): a Data Subject who wishes to exercise their data-subject rights under applicable Data Privacy Laws (including the rights of access, rectification, and erasure in respect of Personal Information Processed by Richpanel) may submit such a request directly to Richpanel's DPO. Concerns or complaints relating to Customer Personal Data may also be raised with the DPO:
- Name: Manoj Kumar Pathipati
- Email: dpo@richpanel.com
9. Schedule 1 — Details of Processing
Annex I-A: List of parties
Data exporter(s) (controller / data exporter, and where applicable its data protection officer or representative in the European Union):
- Name: the party identified as the "Customer" in the Agreement and this DPA.
- Address: as set forth in the Agreement.
- Contact person: as set forth in the Agreement.
- Activities relevant to the data transferred: see Annex I-B below.
- Signature and date: this Annex I shall automatically be deemed executed when the Agreement is executed by Customer.
- Role: Controller or Processor (as applicable).
Data importer(s) (processor / data importer, including any contact person with responsibility for data protection):
- Name: Richpanel Inc.
- Address: 1885 Caba Dr, San Jose, CA 95125, United States.
- Contact person: Richpanel Privacy Team — privacy@richpanel.com.
- Activities relevant to the data transferred: see Annex I-B below.
- Signature and date: this Annex I shall automatically be deemed executed when the Agreement is executed by Richpanel.
- Role: Processor.
Annex I-B: Description of transfer
Categories of data subjects, categories of personal data, frequency of the transfer, nature and purpose of the Processing, period for which the Personal Information will be retained, and (for transfers to sub-processors) the subject matter, nature, and duration of Processing — to be completed based on the specific Services and processing activities involved under the Agreement. Where not specifically completed at execution, the Processing is described by the Services as defined in the Agreement.
Annex I-C: Competent supervisory authority
To be completed based on the applicable supervisory authority of the Data exporter (typically the supervisory authority of the EU Member State in which the Data exporter is established, or where the Data exporter has no establishment in the EU, the supervisory authority of the EU Member State where the data subjects whose Personal Information is transferred under the SCCs are predominantly located).
10. Contact us
If you have any questions about this DPA or our data-protection practices, please contact:
Data Protection Officer
Manoj Kumar Pathipati
dpo@richpanel.com
Privacy Team
privacy@richpanel.com
A signature-ready copy of this DPA for countersignature can be requested from the Privacy Team at any time. We can also provide our standard DPA in PDF format for procurement intake.