Data Processing Agreement
This Data Processing Agreement ("DPA") governs the processing of personal data by Rankiteo Inc. when acting as a processor on behalf of customers (controllers) using the Rankiteo platform. It is GDPR Article 28 compliant and incorporates the EU Standard Contractual Clauses (Module 2) for transfers from the EEA to a non-EEA processor.
This DPA forms part of the master service agreement ("Principal Agreement") between the customer ("Controller") and Rankiteo Inc. ("Processor" or "Rankiteo"). In the event of any conflict between this DPA and the Principal Agreement on personal-data matters, this DPA prevails.
Rankiteo Inc.
3790 El Camino Real, Palo Alto, CA 94306, United States
DUNS: 144988327 · Phone: +1 650-374-4052 / +33 7 87 77 55 92
Data Protection Officer: [email protected]
RANKITEO INC. IS A US-INCORPORATED ENTITY. PERSONAL DATA SUBMITTED BY EU/EEA CUSTOMERS IS HOSTED AND PROCESSED EXCLUSIVELY IN THE EEA (OVH FRANCE + HETZNER GERMANY). EU STANDARD CONTRACTUAL CLAUSES (MODULE 2) ARE INCORPORATED BY REFERENCE TO COVER THE LEGAL EXPORT TO RANKITEO INC. AS THE SIGNING ENTITY.
1. PARTIES & SCOPE
This DPA is entered into between the customer organization identified in the Principal Agreement (the "Controller") and Rankiteo Inc., a Delaware corporation with its principal place of business at 3790 El Camino Real, Palo Alto, CA 94306, United States, identified by DUNS number 144988327 (the "Processor" or "Rankiteo").
This DPA forms an integral part of the Principal Agreement governing the customer's use of the Rankiteo platform (the "Services"), including the desktop underwriting application, web platform, APIs, and integrations.
The DPA applies to all processing of Personal Data carried out by Rankiteo on behalf of the Controller in connection with the Services.
2. DEFINITIONS
Capitalized terms not defined herein have the meaning given to them in the GDPR. Without prejudice to the foregoing:
- "GDPR" means Regulation (EU) 2016/679 of 27 April 2016.
- "Personal Data" means personal data within the meaning of Article 4(1) GDPR processed by Rankiteo on behalf of the Controller in connection with the Services.
- "Processing" has the meaning of Article 4(2) GDPR.
- "Data Subject" has the meaning of Article 4(1) GDPR.
- "Sub-Processor" means any processor engaged by Rankiteo to perform specific processing activities on behalf of the Controller.
- "Personal Data Breach" has the meaning of Article 4(12) GDPR.
- "TOMs" means the Technical and Organizational Measures described in Annex II.
- "SCCs" means the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "Authorized Sub-Processors" means the Sub-Processors listed in Annex III.
3. SUBJECT MATTER & DURATION
3.1 Subject matter
This DPA governs how the Processor processes, on behalf of the Controller, the Personal Data required to deliver the Services as described in Annex I.
3.2 Duration
This DPA enters into force on the effective date of the Principal Agreement and remains in force for the entire term of the Principal Agreement and, where applicable, until the complete return or deletion of Personal Data pursuant to Section 13.
3.3 Roles of the parties
The Parties acknowledge that:
- The Customer acts as the Controller within the meaning of Article 4(7) GDPR.
- Rankiteo acts as the Processor within the meaning of Article 4(8) GDPR.
4. DESCRIPTION OF PROCESSING
The detailed characteristics of the Processing (categories of Personal Data, categories of Data Subjects, purposes, operations performed, retention periods) are described in Annex I of this DPA.
5. CONTROLLER OBLIGATIONS
- The Controller represents that it has a valid legal basis under Articles 6 and, where applicable, 9 and 10 GDPR for the Personal Data transmitted to Rankiteo.
- The Controller is responsible for the accuracy, quality, and lawfulness of the Personal Data it transmits or causes to be processed by Rankiteo.
- The Controller is responsible for providing the information notices required by Articles 13 and 14 GDPR to its Data Subjects.
- The Controller documents in writing any instruction given to Rankiteo regarding the Processing of Personal Data. The Principal Agreement and this DPA constitute the initial documented instructions.
- The Controller represents that it will not transmit to Rankiteo any Personal Data falling within the special categories (Article 9 GDPR) or relating to criminal convictions (Article 10 GDPR), except with prior written agreement between the Parties detailing the enhanced safeguards.
6. PROCESSOR OBLIGATIONS (ARTICLE 28(3) GDPR)
6.1 Process on documented instructions
Rankiteo will process Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country or international organization, unless required to do so by Union or Member State law, in which case Rankiteo will inform the Controller of that legal requirement before processing, unless prohibited by law on important grounds of public interest.
Rankiteo will immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable Union or Member State data-protection provisions.
6.2 Confidentiality
- Personnel authorized to process Personal Data are subject to an appropriate confidentiality obligation (contractual or statutory).
- Access to Personal Data is restricted to personnel with a documented need-to-know (least-privilege principle).
- A documented access-management policy is in place, including immediate revocation upon termination of duties and quarterly access reviews.
6.3 Security of Processing (Article 32 GDPR)
Rankiteo implements the Technical and Organizational Measures detailed in Annex II to ensure a level of security appropriate to the risk. These measures are reviewed annually and adjusted in light of the state of the art, the cost of implementation, and the nature, scope, context and purposes of processing.
6.4 Sub-processing
See Section 7.
6.5 Assistance to the Controller
Data Subject rights. Rankiteo assists the Controller, insofar as possible and taking into account the nature of the processing, in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Articles 12 to 23 GDPR (right of access, rectification, erasure, restriction, portability, objection). Rankiteo will respond to assistance requests within 10 business days.
Security obligations (Articles 32–36 GDPR). Rankiteo assists the Controller in fulfilling its obligations regarding security of processing (Art. 32), notification of Personal Data Breaches (Art. 33–34), data-protection impact assessments (DPIAs — Art. 35), and prior consultation with the supervisory authority (Art. 36).
6.6 Return or deletion of Personal Data
Upon termination of the Services, Rankiteo will, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless retention is required by Union or Member State law. See Section 13.
6.7 Information availability
Rankiteo makes available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allows for and contributes to audits in accordance with Section 11.
6.8 Data Protection Officer
Rankiteo appoints a Data Protection Officer reachable at [email protected].
7. SUB-PROCESSORS
7.1 General authorization
The Controller grants Rankiteo a general authorization to engage Sub-Processors for the provision of the Services. The list of authorized Sub-Processors as of the signing date is provided in Annex III.
7.2 Notification of changes
Rankiteo will notify the Controller in writing of any intended addition or replacement of a Sub-Processor at least 30 days before effective implementation. The Controller has 15 business days from the notification to object on reasonable grounds related to data protection.
7.3 Consequences of objection
If the Controller legitimately objects, the Parties will use good-faith efforts to find an alternative solution. Failing that, the Controller may terminate the relevant portion of the Principal Agreement without penalty on reasonable notice.
7.4 Obligations imposed on Sub-Processors
Rankiteo enters into a written contract with each Sub-Processor imposing data-protection obligations equivalent to those imposed on Rankiteo by this DPA, in compliance with Article 28(4) GDPR.
7.5 Liability
Rankiteo remains fully liable to the Controller for the performance by any Sub-Processor of its data-protection obligations.
8. INTERNATIONAL TRANSFERS
8.1 Hosting and effective Processing in the EEA
Rankiteo undertakes that the hosting, storage, and operational Processing of Personal Data takes place exclusively within the European Economic Area (EEA). The full list of sub-processors and their EEA processing locations is provided in Annex III.
8.2 Legal status of the Processor
The signing Processor, Rankiteo Inc., is a US corporation. Although no Personal Data is physically transferred to the United States in nominal Service operation, the legal qualification as "data exporter" under the SCCs requires contractual coverage solely because the Processor is incorporated outside the EEA.
8.3 Standard Contractual Clauses incorporated by reference
The Parties agree that the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (Controller to Processor), are incorporated in full into this DPA by reference. In the event of any conflict between these provisions and the SCCs, the SCCs prevail on the matters they govern.
- For the application of the SCCs, the Controller is the "data exporter" and Rankiteo Inc. is the "data importer".
- SCC Annex I.A corresponds to Annex IV of this DPA (parties + DPO).
- SCC Annex I.B corresponds to Annex I of this DPA (description of processing).
- SCC Annex II corresponds to Annex II of this DPA (TOMs).
- SCC Annex III corresponds to Annex III of this DPA (sub-processors).
- The competent supervisory authority under Clause 13 SCCs is the French CNIL or the supervisory authority of the EU Member State of principal residence of the Controller's Data Subjects.
8.4 Transfer Impact Assessment (Schrems II)
Rankiteo has performed a documented Transfer Impact Assessment evaluating the impact of US laws (in particular FISA 702, Executive Order 12333, and the CLOUD Act) on the protection of Personal Data entrusted to Rankiteo Inc. Key conclusions:
- Personal Data is physically present only in EEA data centers;
- Rankiteo Inc. has no direct administrative access from US territory to the production servers hosted in the EEA in nominal operating mode;
- Administrative access is restricted by MFA, RBAC, audit logging, and limited to authorized personnel based in the EEA. The detailed network access controls and host-firewall rules implementing this policy are documented in Annex II and verified annually by Rankiteo's SOC 2 Type II auditor;
- Any access request from a US public authority concerning Personal Data would be challenged judicially, notified to the Controller (unless absolutely prohibited by law), and documented (see Section 8.6).
8.5 Schrems II supplementary measures
To strengthen protection against any extra-EEA government access, Rankiteo implements:
- End-to-end encryption of Personal Data at rest (AES-256) with EEA-managed keys;
- Pseudonymization of user identifiers in logs;
- BYOK / Customer-Managed Keys option available on the Enterprise tier (the encryption keys remain under the Controller's exclusive control);
- Published government-request resistance policy, with a contractual undertaking to challenge judicially any access demand that does not comply with the GDPR.
8.6 Government-request transparency commitment
Rankiteo commits to:
- Publish an annual Government Requests Transparency Report detailing the number and nature of requests received from public authorities (US or other);
- Notify the Controller of any request directly affecting it, in the shortest practicable time and before disclosure insofar as legally permitted;
- Challenge judicially any access request that does not comply with the GDPR or that does not respect the legal procedure of the originating country.
8.7 No undisclosed location change
No change to the effective location of Processing (outside the EEA) will be made without prior notification to the Controller respecting the 30-day notice in Section 7.2, allowing the Controller to object.
9. PERSONAL DATA BREACHES
9.1 Notification to the Controller
In the event of a Personal Data Breach affecting the Controller's Personal Data, Rankiteo will notify the Controller without undue delay and at the latest within 48 hours after becoming aware of it, by email to the notification address provided by the Controller.
9.2 Notification content
The notification will at minimum specify:
- The nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records concerned;
- The name and contact details of Rankiteo's DPO;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach and mitigate its adverse effects.
9.3 Cooperation
Rankiteo will fully cooperate with the Controller to enable the latter to notify the breach to the competent supervisory authority within the 72-hour deadline of Article 33 GDPR, and to inform the Data Subjects where necessary under Article 34 GDPR.
9.4 Documentation
Rankiteo maintains an internal register of Personal Data Breaches documenting facts, effects, and corrective measures, available to the Controller upon request.
10. DPIA & PRIOR CONSULTATION
Rankiteo assists the Controller, insofar as possible and taking into account the nature of the processing and the information available to it, in carrying out:
- A data-protection impact assessment (DPIA) under Article 35 GDPR;
- Any required prior consultation with the competent supervisory authority under Article 36 GDPR.
11. AUDITS & INSPECTIONS
11.1 Right to audit
The Controller has the right, at its expense, to audit Rankiteo's compliance with this DPA once per calendar year, except in the event of a confirmed Personal Data Breach in which case an additional audit may be conducted.
11.2 Modalities
Any audit must:
- Be notified to Rankiteo with a minimum 30-day notice;
- Be conducted during business hours, in a manner that minimizes disruption to Rankiteo's operations;
- Be carried out by the Controller itself or by an independent auditor duly authorized, bound by a confidentiality obligation, and whose identity is communicated to Rankiteo (which may object on reasonable grounds);
- Respect the confidentiality of information related to other Rankiteo customers.
11.3 Alternative documents
The Controller agrees that the provision of recent audit reports (SOC 2 Type II, ISO 27001 certification, GDPR audit report) may satisfy the audit obligation, provided they cover the subject matter of the Principal Agreement and are dated less than 18 months ago.
11.4 Costs
Audit costs are borne by the Controller, except where the audit reveals a substantial breach by Rankiteo, in which case Rankiteo will bear the reasonable costs.
12. LIABILITY & INDEMNITY
Each Party is liable for damage caused by Processing where such Processing constitutes a breach of the GDPR attributable to that Party, in accordance with Article 82 GDPR.
Rankiteo is only liable for damage caused by Processing where it has not complied with GDPR obligations specifically imposed on processors or where it has acted outside or contrary to the lawful instructions of the Controller.
The aggregate liability of each Party under this DPA is capped in accordance with the Principal Agreement, except in cases of:
- Gross negligence or willful misconduct;
- Privacy harm directly resulting from a manifest breach of this DPA;
- Administrative fines imposed by a supervisory authority for the portion attributable to the defaulting Party.
Each Party undertakes to indemnify the other Party for any administrative fine, compensation paid to a Data Subject, or reasonable defense costs resulting from a breach of its own obligations under this DPA.
13. TERMINATION, RETURN & DELETION
13.1 Controller's choice
Upon expiry or termination of the Principal Agreement, and no later than 30 days after that date, the Controller will notify Rankiteo whether it requests the return or deletion of the Personal Data.
13.2 Return modalities
If the Controller opts for return, Rankiteo will transmit the Personal Data in a structured, commonly used, machine-readable format (CSV / JSON) within 30 days of the request.
13.3 Deletion modalities
Rankiteo will securely delete the Personal Data from all its systems, including backups, within 90 days of the request, and provide the Controller with a written certificate of deletion signed by its DPO.
13.4 Statutory retention
Rankiteo may retain Personal Data beyond this period only insofar as and for the duration required by Union or Member State law. In such cases, Rankiteo will inform the Controller and ensure the confidentiality of the Personal Data so retained and its non-Processing for other purposes.
14. GOVERNING LAW
This DPA is governed by the law designated in the Principal Agreement, without prejudice to the direct application of the GDPR and the SCCs.
For matters specifically governed by the SCCs, the law applicable is that designated in Clause 17 SCCs, by default the law of France.
Any dispute arising from this DPA related to the protection of personal data falls within the jurisdiction designated in Clause 18 SCCs, by default the courts of Paris, France, without prejudice to mandatory rules on the protection of personal data.
The Parties will endeavor to resolve any dispute through amicable negotiation before any judicial action. A conventional mediation procedure may be initiated at the request of either Party.
15. MISCELLANEOUS
- Amendments. Any modification of this DPA must be the subject of a written amendment signed by both Parties, except for Annexes I, II, and III which may be updated in accordance with Sections 4, 6.3, and 7 respectively.
- Severability. If a provision of this DPA is held invalid or unenforceable, the other provisions remain in force. The Parties will endeavor to replace the invalid provision with a valid one producing equivalent effects.
- Notifications. Any notification under this DPA is validly made by email with acknowledgement of receipt to the following addresses: Rankiteo: [email protected] · Controller: address provided in the Principal Agreement.
- Entry into force. This DPA enters into force on the effective date of the Principal Agreement, after electronic or manuscript signature by the duly authorized representatives of both Parties.
ANNEX I — DESCRIPTION OF PROCESSING
I.1 Nature and purpose of Processing
Rankiteo provides the Controller with a cyber-insurance underwriting software platform (the Rankiteo Underwriter desktop application and associated API services). The Processing of Personal Data is necessary to:
- Allow the Controller to evaluate the cyber risk of companies ("insureds")
- Calculate premium indications
- Model loss curves, reinsurance programs, and catastrophe scenarios
- Manage a portfolio of policies and claims
- Perform sanctions screening (OFAC SDN)
- Generate underwriting documents (quote letters, memos, etc.)
I.2 Categories of Personal Data processed
- Professional identification data — name, surname, role, employer of Controller staff using the platform
- Professional contact data — business email, business phone
- Technical data — IP address, session identifiers, access logs
- Professional contacts (insureds / brokers) — name, role, business email of officers or contacts of evaluated companies
- Pseudonymized sanctions data — OFAC SDN profiles downloaded from sanctionslistservice.ofac.treas.gov (aliases, addresses, identity documents, crypto addresses — public data by official decision)
Sensitive data (Art. 9 GDPR): none, except with prior specific written agreement.
Criminal data (Art. 10 GDPR): public OFAC profiles — processed on the basis of legal obligation (Art. 6(1)(c) GDPR: compliance with international sanctions regimes).
I.3 Categories of Data Subjects
- Controller users — underwriters, actuaries, portfolio managers, executives with platform accounts
- Professional contacts of evaluated companies — public officers or contacts of evaluated entities
- Brokers and intermediaries — professional contacts exchanged in underwriting operations
- Persons named in public sanctions lists — OFAC SDN profiles as published by the US Treasury
I.4 Retention periods
- User account data — duration of Principal Agreement + 3 years post-termination for legal defense
- Portfolio / policies / claims data — duration of Principal Agreement + return / deletion within 90 days post-termination
- Access and activity logs — 12 months (rolling), retained for security and compliance
- OFAC SDN data — refreshed at each download, complete deletion at termination
- Encrypted backups — 35 days (rolling retention)
I.5 Location of Processing
All Processing takes place within the European Economic Area:
- Network edge — Cloudflare Ireland Ltd. (EU edge nodes only)
- Application + data tier — Hetzner (Germany)
- Workload tier — OVH (France)
- CI/CD pipelines — Microsoft Azure DevOps (West Europe / North Europe regions only)
ANNEX II — TECHNICAL & ORGANIZATIONAL MEASURES
In accordance with Article 32 GDPR, Rankiteo implements the technical and organizational measures below, reviewed annually and adjusted to the state of the art.
II.1 Pseudonymization and encryption
- Encryption at rest — AES-256 on all production disks (native OVH / Hetzner — LUKS), application-level encryption of sensitive fields (user API keys, tokens)
- Encryption in transit — minimum TLS 1.2 (TLS 1.3 by default) on all external flows; HSTS enabled; Let's Encrypt certificates with automatic rotation
- Pseudonymization — pseudonymized user identifiers in logs; non-reversible session tokens
- Secret management — Azure Key Vault for pipeline secrets; no plaintext secrets in code repositories; annual rotation of production secrets
- Password hashing — bcrypt (cost ≥ 12); no plaintext storage
II.2 Confidentiality, integrity, availability, resilience
Confidentiality:
- Logical access control — mandatory MFA for all administrator accounts and production system access
- Least-privilege principle — RBAC with documented roles; JIT (Just-in-Time) access for privileged operations
- Environment segmentation — separation of production / staging / development; no real Personal Data in non-production environments
- Password policy — minimum 14 characters, complexity, rotation, lockout after 5 attempts, leak detection (haveibeenpwned check)
- Personnel confidentiality — contractual confidentiality undertaking for all staff; post-contractual confidentiality clauses; annual GDPR awareness training
Integrity:
- Logging — all accesses and modifications to Personal Data are logged (who, what, when); immutable logs retained 12 months
- Integrity detection — File Integrity Monitoring on critical systems
- Backups — encrypted daily backups; 35-day retention; quarterly restore tests
- Commit signing — mandatory signing of commits on protected branches (GPG / Sigstore); mandatory code review (≥ 1 reviewer)
Availability and resilience:
- Redundancy — multi-zone OVH architecture (Roubaix, Strasbourg); hot-standby Hetzner Germany failover
- High availability — target SLA 99.5% on the main service (measured: monthly uptime)
- Business Continuity Plan (BCP) — documented; annually tested; RTO 4h, RPO 1h
- Disaster Recovery Plan (DRP) — documented; restoration tested quarterly on a secondary site
- Monitoring — 24/7 supervision via Prometheus / Grafana; PagerDuty alerts on outages > 5 min
- DDoS protection — OVH / Cloudflare anti-DDoS; application rate-limiting
II.3 Procedures to verify effectiveness
- Penetration testing — annual test by external independent firm; report submitted to DPO; remediation deployed within 90 days
- Vulnerability scans — weekly (Trivy, Snyk, Dependabot); critical patches within 14 days
- Code review — SAST in pipeline (CodeQL / Semgrep); SCA for open-source dependencies; secret-scanning on all commits
- Internal audit — annual review of TOMs by DPO and CISO
- External audit — engagement towards SOC 2 Type II [target schedule to be confirmed] and ISO 27001 certification
- Training — security + GDPR training mandatory at hire; annual refresher; quarterly phishing simulations
II.4 CI/CD pipeline security (Azure DevOps)
In accordance with Microsoft Azure DevOps Security best practices:
- Identities — federated authentication via Entra ID (formerly Azure AD); mandatory MFA; service accounts with automatic credential rotation
- Permissions — granular per-project permissions; separation of Build / Release / Approve roles; least-privilege principle
- Secrets — Azure Key Vault integration; no plaintext secrets in YAML files; secrets referenced via linked variable groups; automatic service-principal credential rotation
- Branch protection — main branch protected; mandatory PR; mandatory review (≥ 1 approver); mandatory passing build; force-push disabled
- Pipeline as code — all pipelines in versioned YAML inside the repo; modifications via PR only
- Build agents — Microsoft-hosted agents (EU region); no publicly-exposed self-hosted agents
- Artifacts — signed artifacts; SBOM produced for each release (CycloneDX); 12-month retention
- Audit — Azure DevOps logs exported to Azure Monitor; 12-month retention; alerts on permission changes
- Dependency scanning — Mend / Snyk / Dependabot integrated; build blocked if CVSS ≥ 7.0; automatic minor-patch updates
- Code scanning — Microsoft Defender for DevOps; CodeQL; analysis on push and on every PR
- Secret scanning — enabled on all repos; immediate DPO alert on detected leak; immediate rotation of compromised secret
II.5 Tenant isolation
- Strict logical separation of customer data (indexed tenant ID); regular code reviews to prevent cross-tenant leaks
- Customer backups encrypted with dedicated key (BYOK option available on Enterprise tier)
- The Customer retains control of access to its own Personal Data via the platform at all times
II.6 Physical security of data centers
All data centers used comply with:
- Cloudflare — ISO 27001, ISO 27018, ISO 27701, SOC 2 Type II, PCI DSS Level 1 (edge points-of-presence are independently certified to the same physical-security standards as Tier-1 hyperscalers)
- OVH — ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, HDS (French Health-Data Hosting)
- Hetzner — ISO 27001, DIN EN 50600, BSI C5 (Cloud Computing Compliance Criteria Catalogue)
Data centers implement multi-factor physical access control (badge + biometrics), 24/7 video surveillance retained 90 days, fire detection + inert-gas suppression, redundant power (UPS + diesel generators), N+1 redundant cooling, and 24/7 on-site staff.
II.7 Security-incident management
- Detection / qualification — < 4h
- Initial containment — < 8h
- Notification to Customer in case of Personal Data Breach — < 48h (target < 24h)
- CNIL / supervisory authority notification (by Customer if required) — < 72h (Art. 33 GDPR)
- Full post-mortem report to Customer — < 14 days
II.8 Personnel security
- Background checks — verification of professional references at hiring; clean criminal record required for sensitive roles (production admin)
- Confidentiality undertaking — NDA signed at hiring; post-contractual clauses 5 years
- Initial training — mandatory security + GDPR onboarding (4h) within 30 days of hiring
- Continuous training — mandatory annual refresher; quarterly phishing tests
- Off-boarding — immediate revocation of all accesses on termination day; checklist signed by manager + DPO
ANNEX III — AUTHORIZED SUB-PROCESSORS
As of the signing date of this DPA, Rankiteo uses the following Sub-Processors:
- Cloudflare Ireland Ltd. (EU customer-of-record entity for Cloudflare, Inc.) · 7th Floor, 25-28 North Wall Quay, Dublin 1, D01 H104, Ireland · Edge network — CDN, Web Application Firewall (WAF), DDoS protection, DNS, bot management. All inbound HTTPS traffic terminates at the Cloudflare edge before being proxied to OVH origin · Processing constrained to EU edge nodes via the Cloudflare Data Localization Suite (Regional Services + Customer Metadata Boundary set to EU) · ISO 27001, ISO 27018, ISO 27701, SOC 2 Type II, PCI DSS Level 1; Cloudflare GDPR-compliant DPA.
- Hetzner Online GmbH · Industriestr. 25, 91710 Gunzenhausen, Germany · Primary application + data tier — web application servers (3× behind WAF/VPN), MongoDB database, encrypted backups · Processing in Germany (Falkenstein, Nuremberg) · ISO 27001, BSI C5, DIN EN 50600; Hetzner GDPR-compliant DPA; no transfer outside EEA.
- OVH SAS · 2 rue Kellermann, 59100 Roubaix, France · Workload tier — HAProxy load balancer + processing workloads (scoring pipelines, enrichment jobs, batch analytics) that pull data from Hetzner over an HTTPS-secured channel; no persistent Customer-data storage on OVH · Processing in France (Roubaix, Strasbourg, Gravelines) · ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, HDS; OVH GDPR-compliant DPA; no transfer outside EEA.
- Microsoft Ireland Operations Limited (for Azure DevOps) · One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland · CI/CD pipelines, secret management (Azure Key Vault), monitoring (Azure Monitor) · Microsoft Azure regions West Europe (Netherlands) and North Europe (Ireland) · ISO 27001, ISO 27017, ISO 27018, SOC 2 Type I/II/III, EU Data Boundary commitment; SCC Module 3 signed (in case of technical transfer to a non-EEA Microsoft entity for support, with Schrems II supplementary measures in place); end-to-end encryption of secrets via Customer-Managed Keys.
The up-to-date list is available at https://www.rankiteo.com/legal/subprocessors and notified to the Controller in case of modification (cf. Section 7.2).
ANNEX IV — DATA PROTECTION CONTACTS
Rankiteo Inc.
Data Protection Officer (DPO)
Email: [email protected]
Address: 3790 El Camino Real, Palo Alto, CA 94306, United States
Phone: +1 650-374-4052 / +33 7 87 77 55 92
Security incident notification (24/7): [email protected]
Data Subject rights requests: [email protected]
Customer (to be completed at signing)
Customer DPO contact: [to be filled in at signing]
Customer notification address: [to be filled in at signing]
This DPA is provided as a template. Final execution requires review by qualified legal counsel. Material modifications may be made on a case-by-case basis based on the Customer's requirements and applicable law. For UK / Switzerland customers, a UK IDTA / Swiss addendum is provided separately upon request.