Data Processing Agreement

1. Introduction & Scope

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service ("Agreement") between Strion Inc. ("Company," "we," "us," or "our") and the customer ("Customer," "you," or "your") for the use of the Adrow software-as-a-service platform ("Service"). This DPA applies to the extent that we process Customer Personal Data on your behalf as a Processor in the course of providing the Service. This DPA shall be effective for the term of the Agreement.

2. Definitions

Capitalized terms used but not defined in this DPA shall have the meanings set forth in the Agreement. In this DPA, the following terms shall have the meanings set out below:

• "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR").
• "Controller" has the meaning given to it in the GDPR.
• "Customer Personal Data" means any Personal Data that Company processes on behalf of the Customer as a Processor in the course of providing the Service.
• "Data Subject" has the meaning given to it in the GDPR.
• "Personal Data" has the meaning given to it in the GDPR.
• "Processor" has the meaning given to it in the GDPR.
• "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as adopted by the European Commission.
• "Sub-processor" means any third party engaged by the Company to process Customer Personal Data.

3. Roles and Responsibilities

The parties acknowledge and agree that with regard to the processing of Customer Personal Data, the Customer is the Controller and Strion Inc. is the Processor. The Customer shall be solely responsible for complying with its obligations as a Controller under Applicable Data Protection Law, including but not limited to the lawfulness of processing and the accuracy of Customer Personal Data. The Company shall process Customer Personal Data only on behalf of the Customer and in accordance with the Customer's documented instructions.

4. Scope and Purpose of Processing

The Company shall process Customer Personal Data for the sole purpose of providing, maintaining, and improving the Service as described in the Agreement. The subject matter, duration, nature, and purpose of the processing, as well as the types of Personal Data and categories of Data Subjects, are determined by the Customer's use of the Service.

5. Sub-processing

The Customer provides a general authorization for the Company to engage Sub-processors to process Customer Personal Data. The Company shall maintain a list of its current Sub-processors, which shall be made available to the Customer upon request. The Company will notify the Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes. If the Customer has a reasonable basis to object to a new Sub-processor, the parties will negotiate in good faith to find a resolution. The Company will impose on its Sub-processors data protection obligations that are no less protective than those in this DPA.

6. Data Subject Rights

To the extent that the Customer is unable to independently access the relevant Customer Personal Data within the Service, the Company will, taking into account the nature of the processing, provide reasonable assistance to the Customer to enable the Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law. Such assistance shall be provided at the Customer's sole expense.

7. Security Measures

The Company shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data. These measures are designed to prevent unauthorized access, use, alteration, or disclosure of Customer Personal Data. The Customer acknowledges that these measures are subject to technical progress and development and that the Company may update or modify them from time to time, provided that such updates and modifications do not result in a material degradation of the overall security of the Service.

8. Security Incident Notification

Upon becoming aware of a Security Incident, the Company shall notify the Customer without undue delay. The notification will, to the extent possible, describe the nature of the Security Incident, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences of the Security Incident, and the measures taken or proposed to be taken by the Company to address the Security Incident. The Company's notification of or response to a Security Incident under this Section shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident.

9. International Data Transfers

The Company may transfer and process Customer Personal Data outside of the European Economic Area ("EEA"). To the extent that the transfer of Customer Personal Data is subject to GDPR and the destination country is not covered by an adequacy decision from the European Commission, such transfers will be governed by the Standard Contractual Clauses, which shall be deemed incorporated into this DPA by reference. The Customer is deemed to have executed the SCCs as the "data exporter" and the Company as the "data importer."

10. Audits

The Customer may, upon reasonable request and at its own expense, audit the Company's compliance with its obligations under this DPA. To facilitate such an audit, the Company will make available to the Customer all information necessary to demonstrate compliance, including summaries of its most recent third-party audit reports (e.g., SOC 2). Direct audits of the Company's facilities or systems are not permitted.

11. Limitation of Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement. The Company's total liability for all claims from the Customer arising out of or related to this DPA shall not exceed the total amount of fees paid by the Customer to the Company under the Agreement in the twelve (12) months preceding the event giving rise to the claim.

12. Term, Termination & Data Return

This DPA shall remain in effect for as long as the Company processes Customer Personal Data on behalf of the Customer under the Agreement. Upon termination or expiration of the Agreement, the Company shall, at the Customer's choice, delete or return all Customer Personal Data to the Customer, unless applicable law requires storage of the Personal Data. The Customer may export their data from the Service at any time during the term of the Agreement.