This Data Processing Addendum (“DPA”) forms part of the Terms of Service, Order Form, subscription agreement, or other written agreement between Draxis, Inc. (“Draxis”) and the customer entity agreeing to this DPA (“Customer”) governing Customer’s access to and use of the Draxis.ai Service (the “Agreement”).

This DPA applies where Draxis Processes Customer Personal Data on behalf of Customer in connection with the Service. This DPA supplements and is incorporated into the Agreement. In the event of any conflict between this DPA and the Agreement with respect to privacy or data protection matters, this DPA will prevail to the extent of the conflict.

1. Definitions

For purposes of this DPA, the following terms have the meanings set forth below. Capitalized terms not defined in this DPA have the meanings given in the Agreement or applicable Data Protection Law.

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data, as defined under applicable Data Protection Law.

“Customer Personal Data” means Personal Data Processed by Draxis on behalf of Customer in connection with the Service.

“Data Protection Law” means, as applicable to the Processing of Customer Personal Data: (a) Regulation (EU) 2016/679, the General Data Protection Regulation (“EU GDPR”); (b) the EU GDPR as incorporated into the law of the United Kingdom under the European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (d) any implementing legislation, regulations, or binding guidance issued thereunder, in each case as amended, replaced, or superseded from time to time.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“Draxis Controller Data” means Personal Data that Draxis Processes as an independent Controller for its own business purposes, including account administration, billing, security, fraud prevention, legal compliance, analytics, service improvement, and business communications.

“EEA” means the European Economic Area.

“EU SCCs” means the standard contractual clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, replaced, or superseded from time to time.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Law.

“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined under applicable Data Protection Law. “Process” and “Processed” have correlative meanings.

“Processor” means the entity that Processes Personal Data on behalf of the Controller, as defined under applicable Data Protection Law.

“Restricted Transfer” means a transfer of Customer Personal Data from the EEA, United Kingdom, or Switzerland to a country, recipient, or jurisdiction that is not recognized as providing an adequate level of protection for Personal Data under applicable Data Protection Law.

“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Draxis under this DPA. Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial-of-service attacks, or other network attacks on firewalls or networked systems.

“Service” means the Draxis.ai cyber risk intelligence platform and related services provided by Draxis under the Agreement.

“Sub-processor” means any third-party Processor engaged by Draxis to Process Customer Personal Data on behalf of Customer in connection with the Service.

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under section 119A of the UK Data Protection Act 2018, as may be amended, replaced, or superseded from time to time.

2. Roles and scope

2.1 Customer as Controller; Draxis as Processor. With respect to Customer Personal Data Processed through the Service, Customer is the Controller and Draxis is the Processor. Draxis will Process Customer Personal Data only on behalf of Customer and in accordance with this DPA, the Agreement, and Customer’s documented instructions.

2.2 Draxis as independent Controller. Draxis may Process Draxis Controller Data as an independent Controller for its own legitimate business purposes, including account administration, billing, customer relationship management, security, fraud prevention, legal compliance, analytics, service improvement, and business communications. Draxis’s Processing of Draxis Controller Data is governed by Draxis’s Privacy Policy and is not subject to the Processor obligations in Sections 4 through 8 of this DPA, except to the extent expressly required by applicable Data Protection Law.

2.3 Customer instructions. Customer’s instructions to Draxis are set forth in this DPA, the Agreement, applicable Order Forms, and Customer’s use and configuration of the Service. Customer may issue additional documented instructions in writing, provided such instructions are consistent with the Agreement, commercially reasonable, and technically feasible. Draxis will notify Customer if Draxis reasonably believes that an instruction infringes applicable Data Protection Law.

2.4 Details of Processing. The subject matter, duration, nature, purpose, types of Customer Personal Data, and categories of Data Subjects are described in Schedule 1.

3. Customer obligations

3.1 Compliance and lawful basis. Customer is responsible for complying with applicable Data Protection Law in connection with its use of the Service, including determining the purposes and means of Processing Customer Personal Data and ensuring that Customer has a valid legal basis for the Processing of Customer Personal Data and the transfer of Customer Personal Data to Draxis.

3.2 Accuracy and minimization. Customer is responsible for ensuring that Customer Personal Data submitted to the Service is accurate, relevant, and limited to what is necessary for Customer’s use of the Service. Customer will not submit Special Category Data, criminal offense data, government identification numbers, financial account numbers, payment card data, or other sensitive Personal Data to the Service unless expressly authorized in the Agreement or otherwise agreed by Draxis in writing.

3.3 Notices and consents. Customer is responsible for providing any notices and obtaining any consents, authorizations, or permissions required under applicable Data Protection Law for Customer’s use of the Service and Draxis’s Processing of Customer Personal Data in accordance with this DPA.

3.4 Data Subject requests. Customer is responsible for receiving, evaluating, and responding to requests from Data Subjects to exercise rights under applicable Data Protection Law. Draxis will provide reasonable assistance in accordance with Section 6.

4. Draxis obligations as Processor

4.1 Processing on instructions. Draxis will Process Customer Personal Data only on documented instructions from Customer, including as necessary to provide, secure, maintain, support, and improve the Service, except where Draxis is required to Process Customer Personal Data by applicable law. In such case, Draxis will inform Customer of the legal requirement before Processing, unless the law prohibits such notice.

4.2 Confidentiality. Draxis will ensure that persons authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations, whether by contract, policy, or statutory obligation.

4.3 Security measures. Draxis will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents. Such measures are described in Schedule 2. Draxis may update the security measures from time to time, provided that such updates do not materially reduce the overall level of protection for Customer Personal Data.

4.4 Assistance. Taking into account the nature of the Processing and the information available to Draxis, Draxis will provide reasonable assistance to Customer in connection with Customer’s obligations under applicable Data Protection Law, including obligations relating to Data Subject requests, security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

4.5 Deletion and return. Upon termination or expiration of the Agreement, or upon Customer’s written request, Draxis will delete or return Customer Personal Data in accordance with the Agreement and Draxis’s standard deletion procedures, unless applicable law requires retention. If Customer requests return of Customer Personal Data, Draxis will provide Customer Personal Data in a commonly used format to the extent technically feasible and commercially reasonable.

4.6 Demonstration of compliance. Draxis will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, subject to reasonable confidentiality, security, and operational limitations.

4.7 Regulatory cooperation. Draxis will cooperate reasonably with competent supervisory authorities in connection with the Processing of Customer Personal Data under this DPA, to the extent required by applicable Data Protection Law.

5. Sub-processors

5.1 General authorization. Customer provides general written authorization for Draxis to engage Sub-processors to Process Customer Personal Data in connection with the Service, including the Sub-processors listed in Schedule 3.

5.2 Notice of new or replacement Sub-processors. Draxis will provide at least thirty (30) days’ prior notice of any intended addition or replacement of a Sub-processor by updating its Sub-processor list or providing notice by email, account notification, in-product notice, or other reasonable means. Draxis may provide shorter notice where reasonably necessary due to emergency, security, legal, or service-continuity reasons.

5.3 Objection right. Customer may object to Draxis’s intended use of a new or replacement Sub-processor by providing written notice within fifteen (15) days after Draxis’s notice. Customer’s objection must be based on reasonable, documented grounds relating to data protection. The parties will work in good faith to resolve the objection.

5.4 Resolution of objection. If the parties cannot resolve Customer’s objection, Draxis may, at its option: (a) not use the new or replacement Sub-processor to Process Customer Personal Data; (b) provide a commercially reasonable alternative that avoids Processing by the objected-to Sub-processor; or (c) permit Customer to terminate only the affected portion of the Service that cannot be provided without the objected-to Sub-processor. Customer will remain responsible for all fees incurred before the effective date of termination.

5.5 Sub-processor obligations. Draxis will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective in substance than those imposed on Draxis under this DPA, to the extent applicable to the nature of the services provided by the Sub-processor. Draxis remains responsible for the performance of its Sub-processors’ obligations with respect to Customer Personal Data.

6. Data Subject rights

6.1 Assistance. Upon Customer’s written request, and taking into account the nature of the Processing, Draxis will provide reasonable assistance to Customer in responding to Data Subject requests under applicable Data Protection Law.

6.2 Direct requests. If Draxis receives a request directly from a Data Subject relating to Customer Personal Data, Draxis will, unless prohibited by applicable law, direct the Data Subject to submit the request to Customer. Draxis will not independently respond to such request except to confirm that the request relates to Customer or as required by applicable law.

6.3 Technical feasibility. Draxis’s assistance may include, where technically feasible and commercially reasonable, retrieving, correcting, deleting, restricting, or exporting Customer Personal Data associated with a specific Data Subject.

6.4 Fees. Draxis may charge a reasonable fee for assistance that requires significant technical effort, excessive resources, or assistance outside the ordinary functionality of the Service, provided that Draxis will notify Customer of such fee in advance where practicable.

7. Security Incidents

7.1 Notification. Draxis will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data and, in any event, within seventy-two (72) hours after becoming aware of such Security Incident.

7.2 Content of notice. Draxis’s notice will include, to the extent known and available at the time: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of affected Data Subjects and records, where known; (c) the name and contact details of Draxis’s privacy or security contact; (d) the likely consequences of the Security Incident, where known; and (e) measures taken or proposed to address the Security Incident.

7.3 Ongoing updates. Draxis will provide reasonable updates regarding material developments related to the Security Incident and will cooperate reasonably with Customer’s investigation and breach notification obligations.

7.4 No admission. Draxis’s notification of or response to a Security Incident will not be construed as an acknowledgment by Draxis of fault or liability.

7.5 Customer responsibility. Customer is responsible for determining whether a Security Incident requires notification to a supervisory authority, Data Subject, or other third party and for making any such notification, except to the extent applicable law requires Draxis to make a notification directly.

8. Audits and assessments

8.1 Documentation. Upon Customer’s reasonable written request, Draxis will provide information reasonably necessary to demonstrate compliance with this DPA, which may include summaries of third-party audit reports, security certifications, penetration test summaries, security documentation, or other relevant materials, subject to confidentiality and security limitations.

8.2 Audit rights. If the information provided under Section 8.1 is insufficient to demonstrate Draxis’s compliance with this DPA, Customer may request an audit no more than once per calendar year, unless required by a competent supervisory authority or following a Security Incident affecting Customer Personal Data. Any audit must be conducted: (a) on at least thirty (30) days’ prior written notice; (b) during normal business hours; (c) by Customer or a qualified independent auditor subject to confidentiality obligations; (d) in a manner that does not unreasonably disrupt Draxis’s business operations; and (e) subject to reasonable security and confidentiality requirements.

8.3 Costs. Customer is responsible for all costs and expenses associated with any audit requested by Customer, unless the audit reveals material non-compliance by Draxis with this DPA.

8.4 Restrictions. Customer may not access systems, environments, data, or information relating to Draxis’s other customers, internal financial information, trade secrets, privileged information, or information that would compromise the security of Draxis’s systems or services.

9. International data transfers

9.1 Restricted Transfers. Where Customer Personal Data is subject to a Restricted Transfer, the transfer will be governed by the transfer mechanism set forth in this Section 9. The parties agree that the EU SCCs are incorporated by reference into this DPA and apply to Restricted Transfers as described below.

9.2 EU GDPR transfers. In relation to transfers of Customer Personal Data subject to the EU GDPR, the EU SCCs will apply, completed as follows:

  1. Module 2 (Controller to Processor) will apply.
  2. In Clause 7, the optional docking clause will not apply.
  3. In Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set forth in Section 5.2 of this DPA.
  4. In Clause 11, the optional language is excluded.
  5. In Clause 17, Option 1 will apply, and the governing law will be the laws of Ireland.
  6. In Clause 18(b), disputes will be resolved before the courts of Ireland.
  7. The competent supervisory authority will be the Irish Data Protection Commission.
  8. The information required by the Annexes to the EU SCCs is set forth in Schedule 1, Schedule 2, and Schedule 3 of this DPA.

9.3 UK GDPR transfers. In relation to transfers of Customer Personal Data subject to UK Privacy Laws, the EU SCCs: (a) will apply as completed in accordance with Section 9.2; and (b) will be deemed amended as specified by the UK Addendum, which will be deemed executed by the parties and incorporated into and form an integral part of this DPA.

For purposes of the UK Addendum:

  1. Table 1 will be deemed completed with the parties’ information set forth in the Agreement and this DPA.
  2. Table 2 will be deemed completed with the EU SCCs, as completed under Section 9.2.
  3. Table 3 will be deemed completed with the information set forth in Schedule 1, Schedule 2, and Schedule 3 of this DPA.
  4. Table 4 will be deemed completed by selecting “neither party.”

9.4 Swiss FADP transfers. In relation to transfers of Customer Personal Data subject to the Swiss FADP, the EU SCCs will apply in accordance with Section 9.2, with the following modifications:

  1. The supervisory authority with respect to such Customer Personal Data will be the Swiss Federal Data Protection and Information Commissioner.
  2. References to the “EU,” “Union,” “Member State,” and “Member State law” will be interpreted as references to Switzerland or Swiss law, as applicable.
  3. Data Subjects located in Switzerland will be able to enforce their rights in Switzerland.
  4. References to the EU GDPR will be interpreted as references to the Swiss FADP, as amended or replaced.
  5. In Clause 17, Option 1 will apply, and the governing law will be the laws of Switzerland.
  6. In Clause 18(b), disputes will be resolved before the competent courts of Switzerland.
  7. References to the “competent supervisory authority” and “competent courts” will be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland, as applicable.

9.5 Data Privacy Framework. As of the Effective Date, the parties do not rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework as the transfer mechanism for Restricted Transfers under this DPA. If Draxis becomes certified under an applicable Data Privacy Framework program and maintains such certification, Draxis may rely on such certification as an additional or alternative transfer mechanism to the extent permitted by applicable Data Protection Law.

9.6 Alternative or successor transfer mechanisms. If applicable Data Protection Law permits use of an alternative or successor transfer mechanism for Restricted Transfers, the parties may rely on such mechanism to the extent valid and applicable. Draxis may update this DPA to incorporate such mechanism in accordance with Section 14, provided that such update does not materially reduce the level of protection for Customer Personal Data.

9.7 Additional measures and cooperation. If a court of competent jurisdiction, competent supervisory authority, or applicable Data Protection Law determines that the measures described in this DPA cannot be relied upon to lawfully transfer Customer Personal Data, the parties will reasonably cooperate to agree and take actions required to implement additional safeguards or an alternative lawful transfer mechanism to enable the lawful transfer of Customer Personal Data.

10. Government access requests

10.1 Notice. If Draxis receives a legally binding request from a governmental, regulatory, law enforcement, or public authority for access to Customer Personal Data, Draxis will, to the extent legally permitted, promptly notify Customer.

10.2 Review and challenge. Draxis will review such requests and, where Draxis reasonably determines that a request is unlawful, overbroad, or inconsistent with applicable legal process, Draxis will use reasonable efforts to challenge or limit the request.

10.3 Minimum disclosure. Draxis will disclose only the minimum amount of Customer Personal Data necessary to comply with a legally binding request.

11. Data protection contact

Draxis has not appointed a mandatory Data Protection Officer but has designated a privacy contact responsible for data protection matters. Privacy-related inquiries may be directed to:

Draxis, Inc.
Attn: Privacy Contact
PO Box 126
Bolton, MA 01740
United States
Email: legal@draxis.ai

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement, except to the extent such limitations or exclusions are prohibited by applicable Data Protection Law.

13. Term and termination

This DPA will remain in effect for so long as Draxis Processes Customer Personal Data on behalf of Customer. Termination or expiration of the Agreement will automatically terminate this DPA, except for provisions that by their nature should survive, including provisions relating to deletion, return, confidentiality, liability, and international transfers.

14. Updates to this DPA

14.1 Updates generally. Draxis may update this DPA, including its Schedules, from time to time to reflect changes in the Service, applicable Data Protection Law, sub-processors, security measures, transfer mechanisms, or Draxis’s data protection practices, provided that such updates do not materially reduce the level of protection provided for Customer Personal Data or otherwise diminish Draxis’s obligations under applicable Data Protection Law.

14.2 Notice of material updates. Draxis will provide notice of material updates to this DPA by email, account notification, in-product notice, posting an updated version on its website, or other reasonable means. Updates to Sub-processors will be handled in accordance with Section 5.

14.3 Legally required updates. If an update is required to comply with applicable Data Protection Law, a binding order of a court or supervisory authority, or a successor transfer mechanism, such update will become effective as required by law or as otherwise stated in Draxis’s notice.

15. Governing law

This DPA is governed by the governing law specified in the Agreement, except that: (a) the EU SCCs will be governed by the law specified in Section 9.2; (b) the UK Addendum will be governed as required by UK Privacy Laws; and (c) Swiss transfer provisions will be governed by the law specified in Section 9.4.

Schedule 1: Details of Processing

Subject matter: Provision of the Draxis.ai cyber risk intelligence platform, including AI-powered risk analysis, advisory functions, and related support services.

Duration: For the term of Customer’s subscription to the Service, plus any applicable retention period under the Agreement, this DPA, or applicable law.

Nature of Processing: Collection, receipt, ingestion, hosting, storage, organization, analysis, retrieval, consultation, use, transmission, disclosure by transmission, display, deletion, and other Processing necessary to provide the Service.

Purpose of Processing: To provide, secure, maintain, support, and improve the Service; to ingest and analyze security control telemetry and related data; to generate cyber risk intelligence, key risk indicators, business-risk mappings, and AI-supported risk analysis on behalf of Customer; and to perform related obligations under the Agreement.

Types of Customer Personal Data: Usernames, business contact information, email addresses, role/title data, employer or team information, system user identifiers, audit logs, security event logs, security telemetry, access logs, device or network identifiers, metadata, and other Personal Data submitted to or generated through Customer’s use of the Service.

Categories of Data Subjects: Customer’s employees, contractors, representatives, administrators, authorized users, system users, and, where applicable, third-party vendor contacts or other individuals referenced in security telemetry or related Customer systems.

Special categories of data: Not expected. Customer should not submit Special Category Data under Article 9 GDPR, criminal offense data, government identification numbers, payment card data, financial account numbers, or other sensitive Personal Data unless expressly authorized in the Agreement or otherwise agreed by Draxis in writing.

Frequency of transfer: Continuous or as otherwise initiated by Customer through use of the Service.

Processing location: United States, EEA, United Kingdom, Switzerland, and other locations where Draxis or its authorized Sub-processors Process Customer Personal Data, subject to Section 9 of this DPA.

Schedule 2: Technical and Organizational Security Measures

Draxis implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data. Draxis may update these measures from time to time, provided that such updates do not materially reduce the overall level of protection for Customer Personal Data.

1. Access controls

  • Role-based access controls using least-privilege principles.
  • Multi-factor authentication for Draxis personnel with access to production systems.
  • Access provisioning and de-provisioning procedures.
  • Periodic access reviews for personnel with access to production systems or Customer Personal Data.

2. Encryption

  • Encryption of Customer Personal Data in transit using TLS 1.2 or higher, or substantially equivalent technology.
  • Encryption of Customer Personal Data at rest using AES-256 or substantially equivalent technology.
  • Key management using cloud provider key management services or substantially equivalent controls.

3. Infrastructure and network security

  • Hosting with reputable cloud infrastructure providers.
  • Network segmentation, firewall controls, and secure configuration practices.
  • Vulnerability management and patching processes.
  • Environment separation for production and non-production systems where appropriate.

4. Monitoring and logging

  • Security event logging and monitoring for anomalous activity.
  • Audit logging for relevant administrative and system activities.
  • Incident detection and response procedures.
  • Log retention consistent with Draxis’s security and operational requirements.

5. Business continuity and disaster recovery

  • Regular backups or other resilience measures designed to support restoration of Customer Personal Data.
  • Business continuity and disaster recovery planning.
  • Defined recovery objectives, where applicable to the Service.

6. Organizational measures

  • Confidentiality obligations for personnel with access to Customer Personal Data.
  • Data protection and security training for relevant personnel.
  • Vendor security review and due diligence for Sub-processors.
  • Documented security policies and incident response procedures.

7. Data minimization and retention

  • Retention of Customer Personal Data in accordance with the Agreement, this DPA, and Draxis’s standard retention practices.
  • Deletion or return of Customer Personal Data following termination or expiration of the Agreement, subject to applicable legal retention requirements.

For more detail on Draxis’s security architecture, see the Trust Center.

Schedule 3: Approved Sub-processors

The following Sub-processors are authorized as of the Effective Date of this DPA. Draxis maintains an up-to-date list on this page and in the Trust Center, and will notify Customers of changes in accordance with Section 5.

Google Cloud Platform (GCP)
  Purpose: Cloud infrastructure, compute, storage, database services, and related hosting
  Location: United States

Anthropic, PBC (Claude API)
  Purpose: AI-powered risk advisor, expert panel, and vCISO functionality (queries processed per-session, not used for model training)
  Location: United States

PostHog, Inc.
  Purpose: Product analytics and user behavior telemetry
  Location: United States

Langfuse
  Purpose: LLM observability, tracing, and prompt/response evaluation
  Location: United States

HubSpot, Inc.
  Purpose: CRM and customer communications
  Location: United States

Stripe, Inc.
  Purpose: Payment processing
  Location: United States

Schedule 4: SCC Annex Mapping

For purposes of the EU SCCs, the UK Addendum, and Swiss transfer provisions, the parties agree that the SCC Annexes are completed as follows:

Annex I.A: List of Parties
  DPA reference: Customer is the data exporter and Controller. Draxis is the data importer and Processor. Party details are set forth in the Agreement, Order Form, and this DPA.

Annex I.B: Description of Transfer
  DPA reference: See Schedule 1.

Annex I.C: Competent Supervisory Authority
  DPA reference: For EU GDPR transfers, the Irish Data Protection Commission. For Swiss FADP transfers, the Swiss Federal Data Protection and Information Commissioner.

Annex II: Technical and Organizational Measures
  DPA reference: See Schedule 2.

Annex III: Sub-processors
  DPA reference: See Schedule 3.