
Subprocessors and Third-Party Tooling

Author: Soufiane Boudarraja

Date: February 24, 2026

1. Purpose and Scope

This Annex identifies the categories of third-party services and Subprocessors engaged by the Processor to deliver "The Services" as defined in the Master Data Processing Agreement (DPA). Its purpose is to provide transparency and meet the requirements of Article 28 of the General Data Protection Regulation (GDPR), while establishing a flexible framework that can evolve with the technology and services offered. This Annex describes the categories of third-party tools, platforms, and providers that may be used in connection with the provision of The Services. It also records the principles under which such third parties are selected and used, including where they act as Subprocessors under the DPA. Specific vendors within these categories may change as the Service evolves. A current, detailed list of specific entities engaged for the Customer is available upon request.

To ensure consistency and compliance, the selection and use of all third-party providers are governed by the general principles set forth in Section 2.

2. General Principles

The engagement of third-party services is governed by the following principles to ensure data protection, operational integrity, and the logical separation of Customer Data.

Tool Neutrality: The Processor is tool-neutral. Specific tools and data providers used for a given Customer may differ based on the Customer’s needs, existing subscriptions, and the agreed Statement of Work.

Pass-Through Use: Where applicable, the Customer may be the direct contractual partner of a provider (e.g., a data or infrastructure provider). In such cases, the Processor acts as an authorized user operating the Customer’s accounts in accordance with the Main Agreement.

Subprocessor Role: All third parties that process Personal Data on behalf of the Processor in connection with The Services are treated as Subprocessors under Article 28 of the GDPR. The Processor concludes written contracts with all Subprocessors that impose data protection obligations at least as protective as those set out in the DPA.

Data Separation: Data from one Customer is never shared with or reused for another Customer. This principle of strict logical separation is enforced regardless of whether the same third-party tool is used for multiple Customers.

These principles are applied across all categories of third-party services utilized in the delivery of The Services.

3. Categories of Subprocessors and Third-Party Services

The following section provides a comprehensive, category-based overview of the types of third-party services that may be utilized to deliver The Services. This categorical approach allows for flexibility in vendor selection while maintaining transparency about the functions being performed with Customer Data.

3.1 Cloud Infrastructure, Hosting & Storage

Function: Providing the underlying server, compute, storage, and networking infrastructure required to host, operate, and deliver the Software and Services.

3.2 Data Enrichment & External API Services

Function: Retrieving external data sets via APIs to enrich, validate, or contextualize Customer Data (e.g., business contact information, currency rates, or other public data sets).

3.3 Email and Communication Infrastructure

Function: Sending and receiving transactional and business communications related to the provision and support of The Services, which may include operating through the Customer's own email infrastructure as an authorized user.

3.4 Application Performance Monitoring (APM) & User Telemetry

Function: Monitoring application stability, error logging, infrastructure performance, and aggregated usage patterns to maintain and improve the reliability and functionality of the Software.

3.5 Artificial Intelligence & Machine Learning Platforms

Function: Processing text inputs, generating content, code, or summaries, and performing semantic analysis to power specific features within The Services.

Data Protection Role: Acts as a Subprocessor. Customer Data is processed to generate outputs but is not used to train the provider’s public foundation models unless explicitly authorized by the Customer.

3.6 Cloud-Based Productivity & Collaboration Tools

Function: Internal storage and collaboration on documents, configurations, and reports related to the development and provision of The Services.

3.7 Professional Advisors and Administrative Services

Function: Providing legal, accounting, and administrative services where incidental access to limited Personal Data may occur (e.g., during audits or invoicing).

The management and updating of Subprocessors within these categories follow a formal process, as outlined in the subsequent section.

4. Subprocessor Management and Updates

A transparent and compliant process for managing Subprocessors is critical to providing customers with appropriate oversight and control, in line with GDPR requirements.

  1. The Processor maintains internal records of all specific Subprocessors used for each Customer, including the name, location of processing, services provided, and key data transfer safeguards in place.

  2. The Processor commits to providing an up-to-date list of specific Subprocessors that process Personal Data on behalf of the Customer upon written request.

  3. The Processor will notify the Customer of any intended changes concerning the addition or replacement of Subprocessors, providing reasonable prior written notice in accordance with the DPA.

  4. The Customer has the right to object to a new Subprocessor on reasonable data protection grounds within the timeframe and according to the process specified in Section 7.5 of the DPA.

Special considerations apply when Subprocessors are located outside the European Economic Area.

5. International Data Transfers

Chapter V of the GDPR imposes strict requirements for transferring Personal Data outside the European Economic Area (EEA). The Processor is committed to ensuring that all such transfers are protected by appropriate legal safeguards to maintain a level of data protection equivalent to that within the EEA.

Where third-party services or Subprocessors process Personal Data outside the EEA or a jurisdiction subject to an adequacy decision by the European Commission, the Processor will ensure that one of the following safeguards is in place:

Standard Contractual Clauses (SCCs): Implementation of the most current version of the standard contractual clauses approved by the European Commission.

Binding Corporate Rules (BCRs): Reliance on approved Binding Corporate Rules for intra-group transfers.

Adequacy Decisions: Transfers to countries that the European Commission has formally recognized as providing an adequate level of data protection.

Other Lawful Transfer Mechanisms: Use of any other transfer mechanism recognized under the GDPR as providing sufficient safeguards for Personal Data.

While the Processor ensures these safeguards are in place for its Subprocessors, the Customer retains distinct responsibilities, particularly when instructing the Processor to use specific third-party services, as detailed below.

6. Customer Responsibilities

While the Processor is responsible for managing its Subprocessors, the Customer retains key responsibilities as the Data Controller, particularly when instructing the Processor to use specific third-party services or data sources.

Review and accept the contractual terms and privacy policies of any third-party providers the Customer chooses to use directly or instructs the Processor to use on its behalf.

Ensure that its instructions to the Processor comply with those third-party terms and all applicable laws, including data protection and e-privacy regulations.

Inform the Processor of any restrictions that apply to the use of specific tools or data providers that the Customer subscribes to directly.

The framework governing this Annex itself is subject to periodic review, as outlined in the final section.

7. Changes to this Annex

The Processor may update this Annex from time to time to reflect changes in the categories of tools and providers used, developments in legal requirements or regulatory guidance, or the evolution of The Services.

Any material changes to this Annex that affect the way Personal Data is processed by Subprocessors will be communicated to the Customer in accordance with the notification procedures outlined in the Master DPA.
