
Data Processing Addendum

GDPR-aligned terms governing ORDENTRA's processing of personal data on behalf of customers, including Standard Contractual Clauses.
Last updated: April 11, 2026
Effective: April 1, 2026
Version: 4.2
SCC modules: Decision (EU) 2021/914, Modules Two and Three
Sample policy — not legal advice

This is a sample policy for ORDENTRA's marketing site and does not constitute legal advice. Real enterprise agreements are provided separately by our legal team.

1. Introduction and scope

This Data Processing Addendum (the “DPA”) forms part of the Master Subscription Agreement, Terms of Service, or other written or electronic agreement (the “Agreement”) between ORDENTRA B.V. (“ORDENTRA,” “Processor”) and the customer identified in the applicable order form (the “Customer,” “Controller”) to reflect the parties' agreement with respect to the processing of personal data in connection with the Service.

This DPA applies to the extent that ORDENTRA processes personal data on behalf of Customer under the Agreement that is subject to (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), (b) the UK Data Protection Act 2018 and the UK GDPR, (c) the Swiss Federal Act on Data Protection, or (d) any other data protection law that the parties have agreed in writing to cover. In the event of a conflict between this DPA and the Agreement, this DPA controls in respect of the processing of personal data.

Customer enters into this DPA on its own behalf and, to the extent required under applicable law, in the name and on behalf of its Affiliates if and to the extent ORDENTRA processes personal data for which those Affiliates are controllers.

2. Definitions

The terms “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” “Sub-processor,” “Supervisory Authority,” and “Personal Data Breach” have the meanings given to them in Article 4 of the GDPR. In this DPA the following additional terms apply:

Customer Personal Data
Any personal data that ORDENTRA processes on behalf of Customer in the course of providing the Service, as further described in Annex I.
Data Protection Laws
All laws and regulations applicable to the processing of personal data under the Agreement, including the GDPR, the UK GDPR, and the Swiss FADP, and any successor or replacement legislation.
EU SCCs
The Standard Contractual Clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as updated or replaced from time to time.
UK Addendum
The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
Restricted Transfer
A transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction that has not been the subject of a decision recognizing an adequate level of protection under the applicable Data Protection Laws.

3. Processing of personal data

The subject matter, duration, nature, and purpose of the processing, the types of Customer Personal Data, the categories of Data Subjects, and the obligations and rights of Customer are set out in Annex I to this DPA. ORDENTRA will process Customer Personal Data only (a) on Customer's documented instructions, including with respect to transfers to a third country, unless required to do so by Union or Member State law to which ORDENTRA is subject, in which case ORDENTRA will inform Customer of that legal requirement before processing unless prohibited from doing so; and (b) to the extent necessary to provide, maintain, and improve the Service in accordance with the Agreement.

Customer's documented instructions for processing are set out in the Agreement, this DPA, and the Service's configuration options. Customer may provide additional written instructions consistent with the Agreement, and ORDENTRA will, within a reasonable time, either implement those instructions or notify Customer that it believes the instructions infringe the Data Protection Laws.

4. Rights and obligations of the Controller

Customer is responsible for its compliance with the Data Protection Laws in its role as Controller, including for ensuring that there is an appropriate lawful basis for each category of processing of Customer Personal Data, that required notices have been given to Data Subjects, and that any required consents have been obtained and documented. Customer warrants that (a) its instructions to ORDENTRA comply with the Data Protection Laws and (b) Customer has the authority to submit Customer Personal Data to the Service and to permit ORDENTRA to process it in accordance with this DPA.

Customer is responsible for the access rights it grants to its Users and for reviewing, acting on, and responding to Data Subject requests that Customer receives directly.

5. Obligations of ORDENTRA as Processor

5.1 Processing only on documented instructions

ORDENTRA will process Customer Personal Data only on Customer's documented instructions, as described in Section 3, and will not process Customer Personal Data for any other purpose. ORDENTRA does not sell Customer Personal Data, does not use it for its own marketing, and does not use it to train foundation models.

5.2 Confidentiality of personnel

ORDENTRA will ensure that any personnel authorized to process Customer Personal Data are bound by written confidentiality obligations or statutory duties of confidentiality and have received training on data protection appropriate to their role. Access to Customer Personal Data is limited to personnel who need it to perform their duties under the Agreement.

5.3 Security

ORDENTRA will implement and maintain the technical and organizational measures set out in Annex II to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. ORDENTRA regularly reviews and updates these measures to maintain a level of security appropriate to the risk. A current summary of the security program, independent audit reports, and penetration-test results is available via our Trust Center at /trust.

5.4 Sub-processors

Customer provides general written authorization for ORDENTRA to engage Sub-processors to provide the Service. A current list of Sub-processors is available at /subprocessors. ORDENTRA will notify Customer at least thirty (30) days before any new Sub-processor is added or replaced, giving Customer the opportunity to object on reasonable data protection grounds. The process for objections is set out in Section 9.

ORDENTRA will enter into a written agreement with each Sub-processor that imposes data protection obligations at least as protective as those in this DPA, and will remain fully liable to Customer for any failure by a Sub-processor to fulfil its data protection obligations.

5.5 Assistance with data subject requests

Taking into account the nature of the processing, ORDENTRA will provide reasonable assistance to Customer, by appropriate technical and organizational measures, in fulfilling Customer's obligation to respond to Data Subject requests under Chapter III of the GDPR. Where a Data Subject contacts ORDENTRA directly with a request relating to Customer Personal Data, ORDENTRA will promptly forward the request to Customer and will not respond to the Data Subject except to confirm receipt and to identify Customer as the Controller.

5.6 Personal data breach notification

ORDENTRA will notify Customer without undue delay and in any event within forty-eight (48) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known, (a) a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records concerned, (b) the name and contact details of our Data Protection Officer, (c) the likely consequences of the breach, and (d) the measures taken or proposed to address the breach.

ORDENTRA will provide reasonable assistance to Customer in complying with Customer's notification obligations under Articles 33 and 34 of the GDPR. Notifications to Customer under this Section do not constitute an acknowledgment by ORDENTRA of fault or liability.

5.7 Data Protection Impact Assessments

Taking into account the nature of the processing and the information available, ORDENTRA will provide reasonable assistance to Customer in carrying out data protection impact assessments and prior consultations with Supervisory Authorities under Articles 35 and 36 of the GDPR, to the extent required in relation to the processing of Customer Personal Data by ORDENTRA.

6. Return or deletion of personal data

Upon expiration or termination of the Agreement, Customer may export Customer Personal Data through the Service's standard export tools for a period of thirty (30) days. Following that period, ORDENTRA will delete all Customer Personal Data from active systems within a further sixty (60) days, and from backups within the next backup cycle (not to exceed ninety (90) days), unless retention is required under applicable law. Where retention is required, ORDENTRA will continue to protect Customer Personal Data in accordance with this DPA and will delete it as soon as the legal obligation expires.

7. Audit rights

ORDENTRA will make available to Customer all information reasonably necessary to demonstrate compliance with its obligations under this DPA and the Data Protection Laws. In addition, ORDENTRA will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

Customer's audit rights will be satisfied in the first instance by ORDENTRA's provision of (a) its most recent SOC 2 Type II report, (b) its ISO/IEC 27001 certification, (c) a summary of its most recent independent penetration test, and (d) responses to a reasonable number of written questions about its security program. Where these materials are not sufficient for Customer to demonstrate compliance, or where a Supervisory Authority requires it, Customer may conduct an on-site audit no more than once per calendar year, on reasonable prior written notice, during normal business hours, and subject to reasonable confidentiality restrictions. Customer will bear its own costs of the audit and will reimburse ORDENTRA for its reasonable costs of supporting an on-site audit beyond a half-day of personnel time.

8. International data transfers

Where the processing of Customer Personal Data involves a Restricted Transfer, the parties agree that the EU SCCs are hereby incorporated into this DPA by reference and apply to that transfer. The parties select Module Two (Controller-to-Processor) where Customer is the Controller and ORDENTRA is the Processor, and Module Three (Processor-to-Processor) where Customer is itself a Processor acting on behalf of a third-party Controller.

For the purposes of Clause 7 of the EU SCCs, the parties do not use the docking clause. For Clause 9, Option 2 (general written authorization) applies, with the thirty (30) day notice period set out in Section 5.4. For Clause 11, the optional language is not included. For Clause 17, the parties select Option 1 and agree that the governing law is the law of the Netherlands. For Clause 18(b), the parties agree that the competent courts are the courts of Amsterdam, the Netherlands. Annex I and Annex II of this DPA form Annexes I.A, I.B, I.C, and II of the EU SCCs, and the list of Sub-processors published at /subprocessors forms Annex III.

Where the UK GDPR applies to a Restricted Transfer, the parties incorporate the UK Addendum into this DPA by reference, with the EU SCCs treated as the “Approved EU SCCs” for the purposes of the UK Addendum. Where the Swiss FADP applies, references to the GDPR are deemed to include equivalent provisions of the Swiss FADP, references to the European Union include Switzerland, and the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner.

ORDENTRA has conducted a Transfer Impact Assessment for each Restricted Transfer in accordance with the European Data Protection Board's Recommendations 01/2020 and implemented supplementary measures as described in Annex II. The results of the Transfer Impact Assessments are available to Customer on request under NDA.

9. Sub-processor management

ORDENTRA maintains a current list of Sub-processors at /subprocessors. Customer may subscribe to updates by following the instructions on that page. ORDENTRA will notify Customer of any proposed addition or replacement of a Sub-processor at least thirty (30) days before the change takes effect.

Customer may object to a new Sub-processor on reasonable data protection grounds by notifying ORDENTRA in writing within the notice period. The parties will discuss Customer's objection in good faith to identify a commercially reasonable alternative. If no alternative can be identified within a further thirty (30) days, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service and receive a pro-rata refund of prepaid fees attributable to the period after termination.

10. Liability and indemnification

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the Agreement. Where the EU SCCs apply, the liability cap and exclusions in the Agreement apply to both the Agreement and the EU SCCs, to the extent permitted by applicable law. Nothing in this DPA limits either party's liability to Data Subjects under Clause 12 of the EU SCCs.

11. Term, termination, and order of precedence

This DPA becomes effective on the effective date of the Agreement and remains in effect for so long as ORDENTRA processes Customer Personal Data on Customer's behalf. In the event of a conflict between this DPA, the Agreement, and the EU SCCs, the EU SCCs prevail over this DPA and the Agreement in respect of matters they govern, this DPA prevails over the Agreement in respect of the processing of personal data, and the Agreement prevails in all other respects.

12. Governing law

This DPA is governed by the laws of the Netherlands, except where the Data Protection Laws require a different governing law for the protection of Data Subjects. Any dispute arising out of or in connection with this DPA will be resolved in accordance with the dispute resolution provisions of the Agreement.

Annex I — Details of processing

A. List of parties

Data exporter (Controller): The Customer, as identified in the applicable order form, acting on its own behalf and on behalf of its Affiliates that have entered into the Agreement. Contact details are those provided by Customer in the order form.

Data importer (Processor): ORDENTRA B.V., Herengracht 412, 1017 BZ Amsterdam, Netherlands. Contact: Data Protection Officer, dpo@ordentra.com.

B. Description of transfer

  • Categories of Data Subjects — Customer's employees, contractors, and authorized users; Customer's suppliers, vendors, and counterparties to whom Customer-issued purchase orders, invoices, or contracts relate; and other natural persons whose data Customer chooses to submit to the Service.
  • Categories of Personal Data — identification and contact data (name, business email, phone, job title, company), authentication data, transaction and master-data records (purchase orders, invoices, contract metadata), audit-trail and usage data, and any additional categories Customer chooses to submit.
  • Special categories of data — the Service is not intended to process special category data and ORDENTRA does not routinely process it. Customer must not submit special category data except under express written agreement.
  • Frequency of the transfer — continuous, for the duration of the Subscription Term.
  • Nature of the processing — hosting, storage, transmission, retrieval, analysis, aggregation, and display of Customer Personal Data for the purpose of providing the Service and related support.
  • Purpose of the processing — delivery of the Service in accordance with the Agreement, including authentication, core product functionality, customer support, billing, and security monitoring.
  • Period of retention — for the duration of the Subscription Term, plus the return and deletion periods set out in Section 6.

C. Competent Supervisory Authority

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Bezuidenhoutseweg 30, 2594 AV The Hague, Netherlands.

Annex II — Technical and organizational measures

ORDENTRA has implemented and maintains the technical and organizational measures summarized below. Additional detail, independent audit reports, and the current penetration-test summary are available under NDA through our Trust Center.

  • Pseudonymization and encryption — TLS 1.2 or higher for all data in transit; AES-256 for data at rest; tenant-scoped data encryption keys managed through an HSM-backed key management service; routine pseudonymization of identifiers in non-production environments.
  • Confidentiality, integrity, availability, and resilience — role-based access control with least privilege, mandatory multi-factor authentication for all ORDENTRA personnel, continuous monitoring, automated integrity checks of production data, multi-region availability with documented recovery-time and recovery-point objectives, and quarterly disaster recovery exercises.
  • Ability to restore availability — daily encrypted backups retained in a separate region, tested restorations on a documented schedule, and incident post-mortems for significant events, written so that they can be shared.
  • Testing, assessing, and evaluating — annual independent SOC 2 Type II audit, annual ISO/IEC 27001 audit, semi-annual third-party penetration tests, continuous automated security scanning, and a public vulnerability disclosure program with response SLAs.
  • User identification and authorization — support for SAML 2.0, OpenID Connect, and SCIM 2.0; IP allow-listing; session token rotation; and granular audit-logging of access events.
  • Protection of data during transmission — forward-secret cipher suites, HSTS, and mutual TLS for server-to-server integrations where feasible.
  • Protection of data during storage — full-volume encryption, tenant isolation, and key rotation on a defined schedule.
  • Physical security — all production infrastructure operates in SOC 2 / ISO 27001 certified data centers operated by our hosting Sub-processors. ORDENTRA does not maintain its own data centers.
  • Events logging and governance — centralized, tamper-evident security logging; a dedicated security operations function; documented change-management, vendor-risk, and vulnerability-management procedures; and a formal incident response program with named roles.
  • Data minimization — configuration options that allow Customer to restrict fields and retention, and product features for masking and access restriction.
  • Supplementary measures for Restricted Transfers — documented processes for challenging and publicly reporting government access requests, segregation of production support from third-country personnel unless expressly authorized, and enhanced logging for access by personnel located outside the European Economic Area.

Annex III — List of Sub-processors

A current, categorized list of Sub-processors authorized under this DPA is published at ordentra.com/subprocessors. The list includes, for each Sub-processor, the nature of the processing, the regional location, and the relevant certifications and transfer safeguards. ORDENTRA updates the list when Sub-processors are added, removed, or replaced, and notifies Customer of changes in accordance with Section 5.4.

Request a counter-signed DPA

Enterprise customers can request a counter-signed version of this DPA from our legal team. Standard turnaround is under three business days.