Data Processing Agreement

Last Updated: January 21, 2026

This Data Processing Agreement ("DPA") supplements the Terms of Service available at https://surfboard.ai/terms, as updated from time to time between Customer and Company ("Terms"). In the event of a conflict between this DPA and the Terms with respect to the subject matter of this DPA, this DPA will control to the extent of such conflict. In the event of a conflict between the meanings of defined terms in Data Protection Law, the meaning from the U.S. Privacy Laws applicable to the state of residence of the relevant Consumer will apply.

Definitions

Capitalized terms used but not defined in this DPA will have the meanings given to them by the Terms. For the purposes of this DPA:

"CCPA" means the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020.

"Consumer" means a natural person. Where applicable, Consumer will be interpreted consistent with the same or similar term under U.S. Privacy Laws.

"Controller" means a person or entity that collects individuals' Personal Data and alone, or jointly with others, determines the purposes and means of the Processing of such Personal Data. Where applicable, Controller will be interpreted consistent with the same or similar term under U.S. Privacy Laws.

"Party" means, as applicable, Company or Customer (collectively, the "Parties").

"Personal Data" means Customer Data that constitutes "personal data," "personal information," or an equivalent term under applicable U.S. Privacy Laws.

"Process" means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means. Where applicable, "Processing," "Process," and "Processed" will be interpreted consistent with the same or similar term under the U.S. Privacy Laws.

"Processor" means "Processor," "Service Provider," or "Contractor" as those terms are defined in U.S. Privacy Laws.

"Sale" and "Selling" have the meaning defined in U.S. Privacy Laws.

"Share" has the meaning defined in the CCPA.

"U.S. Privacy Laws" means, collectively, all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals' Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health), in each case where applicable to the Processing of Personal Data by Company pursuant to the Terms. U.S. Privacy Laws may include, but are not limited to, the CCPA.

Scope, Roles, and Termination

a) Applicability

This DPA applies solely to the extent Company Processes Personal Data on behalf of Customer for the nature, purposes, and duration set forth in Appendix A.

b) Roles of the Parties

For the purposes of the Terms and this DPA, Customer is the Controller with respect to Personal Data and appoints Company as a Processor to Process Personal Data on behalf of Customer for the limited and specific purposes set forth in Appendix A.

c) Obligations at Termination

Upon termination of the Terms, except as set forth therein or herein, Company will discontinue Processing and delete Personal Data in its possession and instruct its subcontractors to do the same, in accordance with the Terms and Company's record retention practices. Company may also retain Personal Data where required by law, but only to the extent and for such period as required by such law and always provided that Company will take steps to ensure the confidentiality of all such Personal Data.

Compliance

a) Compliance with Obligations

Company will take steps to ensure that its employees, agents, subcontractors, and sub-processors will: (i) comply with applicable obligations of U.S. Privacy Laws, (ii) provide the level of privacy protection for Personal Data required by applicable U.S. Privacy Laws, and (iii) provide Customer with reasonable assistance to enable Customer to fulfill its own obligations under applicable U.S. Privacy Laws. Upon the reasonable request of Customer, Company will make available to Customer information in Company's possession necessary to demonstrate Company's compliance with this subsection.

b) Compliance Monitoring and Assurance

No more than once per calendar year, Company will provide to Customer, upon Customer's written request, information and documentation in Company's possession and control necessary to demonstrate Company's compliance with its obligations under this DPA.

c) Compliance Remediation

Company will notify Customer if Company determines that it can no longer meet its obligations under applicable U.S. Privacy Laws. Upon receiving notice from Company in accordance with this subsection, Customer may direct Company to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

d) Security

The Parties will implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, designed to protect Personal Data from unauthorized Processing, which will include, at a minimum, those set forth in Appendix B.

Restrictions on Processing

a) Limitations on Processing

Company will Process Personal Data as instructed in the Terms and this DPA. Except as expressly permitted by U.S. Privacy Laws, Company is prohibited from (i) Selling or Sharing Personal Data, (ii) retaining, using, or disclosing Personal Data for any purpose other than for the specific purpose of providing the Service specified in Appendix A, (iii) retaining, using, or disclosing Personal Data outside of the direct business relationship between the Parties, and (iv) combining Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable U.S. Privacy Laws.

b) Confidentiality

Company will take steps to ensure that its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to Personal Data.

c) Subcontractors: Sub-processors

Company will take steps to notify Customer of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, Company will take steps to ensure that Company's subcontractors or sub-processors who Process Personal Data on Company's behalf agree in writing to the same or materially equivalent restrictions and requirements that apply to Company in this DPA and the Terms with respect to Personal Data, as well as to comply with U.S. Privacy Laws.

d) Right to Object

Customer may object in writing to Company's appointment of a new subcontractor or sub-processor on reasonable grounds by notifying Company in writing within 10 calendar days of receipt of the notice described in the Subcontractors section above. In the event Customer objects, the Parties will discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution.

Consumer Rights

Company will provide commercially reasonable assistance to Customer for the fulfillment of Customer's obligations to respond to U.S. Privacy Law-related Consumer rights requests regarding Personal Data.

Where applicable, Customer will inform Company of any Consumer request made pursuant to U.S. Privacy Laws that Company must comply with. Customer will provide Company with the information necessary for Company to comply with the request.

Company will not be required to delete any Personal Data to comply with a Consumer's request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws; provided, however, that in such case, Company will not use Personal Data retained for any purpose other than provided for by that exception.

Sale of Data

The Parties acknowledge and agree that the disclosure or making available of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Terms or this DPA.

Exemptions

Notwithstanding any provision to the contrary in the Terms or this DPA, the terms of this DPA will not apply to Company's Processing of Personal Data that is exempt from applicable U.S. Privacy Laws.

Changes to Applicable Privacy Laws

The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, U.S. Privacy Laws.

Appendix A - Processing Details

Nature of the Processing

To provide the Services to Customer and as otherwise set forth in the Terms.

Purpose(s) of the Processing

To provide the Services to Customer and as otherwise set forth in the Terms.

Types of Personal Data Subject to Processing

Any Personal Data contained in Customer Data.

Duration of Processing

For the duration of the Terms unless otherwise required by applicable law or agreed to in writing by the Parties.

Appendix B - Security Measures

Company will apply at least the following types of security measures to Personal Data:

Physical access control

Technical and organizational measures designed to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data is Processed.

Virtual access control

Technical and organizational measures designed to prevent data processing systems from being used by unauthorized persons.

Data access control

Technical and organizational measures designed to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified, or deleted without authorization.

Disclosure control

Technical and organizational measures designed to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data is disclosed.

Entry control

Technical and organizational measures designed to monitor whether Personal Data has been entered, changed or removed (deleted), and by whom, from data processing systems.

Control of instructions

Technical and organizational measures designed to ensure that Personal Data is Processed solely in accordance with the instructions of the Controller.

Availability control

Technical and organizational measures designed to ensure the integrity, availability, and resilience of the processing systems, and that Personal Data is protected against accidental destruction or loss (physical/logical).

Separation control

Technical and organizational measures designed to ensure that Personal Data collected for different purposes can be Processed separately.

Testing controls

Technical and organizational measures designed to test, assess, and evaluate the effectiveness of the technical and organizational measures implemented to ensure the security of the Processing.

IT governance

Technical and organizational measures designed to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with applicable compliance requirements.

© 2026 Artemis Software Works, Inc. All rights reserved.