LEGAL
Data Processing Addendum
Last updated: May 8, 2026 · Version 2026-05-08
This Data Processing Addendum (the "DPA") is entered into between Cobalt Glacier, LLC, a Delaware limited liability company ("Cobalt Glacier", "Processor", "we", "us"), and the customer that has accepted the RenewalPad Terms of Service or executed an order form referencing the RenewalPad service ("Customer", "Controller", "you"). RenewalPad is a software product owned and operated by Cobalt Glacier and is not a separate legal entity; references to "RenewalPad" in this DPA are to the software, website, and related services made available by Cobalt Glacier under the RenewalPad brand (the "Service"). This DPA supplements and forms part of the agreement between Cobalt Glacier and Customer for the Service (the "Agreement"). In the event of conflict between this DPA and the Agreement, this DPA controls for the subject matter of personal data processing.
By accepting the Terms of Service, executing an order form, or otherwise using the Service, Customer accepts this DPA. No separate signature is required.
1. Definitions
Capitalized terms not defined in this DPA have the meaning given in the Agreement, the GDPR, the UK GDPR, the EU Standard Contractual Clauses, or applicable US state privacy laws (including the California Consumer Privacy Act as amended by the CPRA, the Virginia CDPA, the Colorado CPA, the Connecticut CTDPA, and the Utah UCPA), as the context requires.
- "Applicable Data Protection Laws" means all data protection and privacy laws applicable to a party's processing of Customer Personal Data, including the EU GDPR, the UK GDPR, the Swiss FADP, and US State Privacy Laws.
- "Customer Personal Data" means personal data within Customer Data that Cobalt Glacier processes on Customer's behalf to provide the Service.
- "Data Subject", "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", and "Personal Data Breach" have the meanings given in the GDPR.
- "EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 approved by Commission Implementing Decision (EU) 2021/914.
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under s.119A of the Data Protection Act 2018, version B1.0.
- "Sub-processor" means any third party engaged by Cobalt Glacier to Process Customer Personal Data.
- "US State Privacy Laws" means the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and any successor or analogous US state privacy law applicable to the Processing.
2. Roles and scope
Customer is the Controller (or, where Customer is acting on behalf of a third-party controller, the Processor) of Customer Personal Data. Cobalt Glacier is the Processor (or Sub-processor, as applicable). Each party will comply with its obligations under Applicable Data Protection Laws.
This DPA applies whenever Cobalt Glacier Processes Customer Personal Data in the course of providing the Service. It does not apply to data Cobalt Glacier Processes as a Controller for its own purposes (for example, account-level contact information, billing data, and aggregated/de-identified usage data described in Section 9), which is governed by the RenewalPad Privacy Policy.
3. Customer instructions
Cobalt Glacier will Process Customer Personal Data only on Customer's documented instructions, including:
- The Agreement, this DPA, and any applicable order form;
- Configurations Customer selects in the Service;
- Use of the Service's standard features (including integrations and exports) by Customer's authorized users; and
- Other written instructions from Customer that Cobalt Glacier expressly accepts.
Cobalt Glacier will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws, but Cobalt Glacier is not obligated to monitor Customer's compliance with applicable law.
4. Details of processing
- Subject matter: provision of the RenewalPad procurement-intelligence Service by Cobalt Glacier to Customer.
- Duration: the term of the Agreement plus the limited tail period described in Section 11.
- Nature and purpose: hosting, organizing, structuring, storing, analyzing, and producing renewal calendars, benchmark estimates, negotiation playbooks, alerts, exports, and other outputs from Customer-supplied vendor, contract, invoice, and usage data.
- Categories of Data Subjects: Customer's authorized users; Customer's employees and contractors whose business contact information appears in uploaded materials; vendor representatives whose business contact information appears in contracts, invoices, or correspondence; and other Data Subjects whose personal data Customer chooses to upload.
- Categories of Personal Data: name, business email, business phone, job title, employer, account identifiers and authentication metadata, IP address, device and browser information, product usage logs, and any personal data Customer includes within Customer Data (e.g., signatory names and titles in contracts).
- Special-category and sensitive data: none expected. Customer agrees not to upload special categories of personal data (Article 9 GDPR), criminal-conviction data, government-issued identifiers, payment-card data, or data of children under 16.
- Frequency of transfer: on a continuous basis for the duration of the Agreement.
5. Confidentiality of personnel
Cobalt Glacier ensures that personnel authorized to Process Customer Personal Data:
- Are bound by written confidentiality obligations that survive termination of their engagement;
- Receive appropriate data-protection and security training at hire and at least annually;
- Access Customer Personal Data only on a need-to-know basis under role-based access controls; and
- Are subject to background checks where production access is granted, to the extent permitted by law.
6. Security measures
Cobalt Glacier implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, taking into account Article 32 GDPR. Current measures are described in the Security Annex (Annex II) and include, at a minimum:
- Encryption of Customer Personal Data in transit (TLS 1.2+) and at rest (AES-256);
- Multi-tenant logical isolation of Customer Personal Data;
- Role-based access controls, least-privilege provisioning, and mandatory MFA for production access;
- Centralized audit logging, anomaly detection, and 24×7 alerting;
- Hardened cloud infrastructure with hardened-image baselines and automated patching;
- Annual independent penetration testing and continuous vulnerability scanning;
- Documented incident response, business continuity, and disaster recovery plans, tested at least annually;
- Secure software development lifecycle including peer code review and dependency scanning;
- Written information security policies reviewed at least annually.
Cobalt Glacier may update its security measures from time to time provided that the updated measures do not materially diminish the protection of Customer Personal Data.
7. Sub-processors
Customer grants Cobalt Glacier general written authorization to engage Sub-processors to Process Customer Personal Data, subject to this Section 7. Cobalt Glacier:
- Performs reasonable diligence on each Sub-processor before engagement;
- Imposes data-protection obligations on each Sub-processor by written contract that are no less protective than those in this DPA, including the relevant obligations under Article 28(3) GDPR;
- Remains liable to Customer for the acts and omissions of its Sub-processors that cause Cobalt Glacier to breach its obligations under this DPA; and
- Maintains a current list of Sub-processors in the Sub-processor List (Annex III).
Cobalt Glacier will notify Customer at least 30 days before adding or replacing a Sub-processor (the "Notice Period"), by updating Annex III and notifying account administrators by email or in-product notice. During the Notice Period, Customer may object on reasonable data-protection grounds by emailing privacy@renewalpad.com. The parties will work in good faith to resolve the objection. If no resolution can be reached, Customer may, as its sole remedy, terminate the affected portion of the Service for convenience and receive a pro-rata refund of prepaid fees for the unused portion of the term.
8. International data transfers
Cobalt Glacier is established in the United States. Customer Personal Data may be Processed in the United States and in any other country where Cobalt Glacier or its Sub-processors operate, as identified in Annex III.
Where Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not been recognized by the relevant authority as providing an adequate level of protection, the parties agree:
- EU transfers: the EU SCCs, Module Two (Controller-to-Processor) or, where Customer is itself a Processor, Module Three (Processor-to-Processor), are incorporated by reference into this DPA. The Annexes to the EU SCCs are completed by Annex I, Annex II, and Annex III to this DPA. For Clause 7, the optional docking clause applies, allowing additional entities to accede. For Clause 9, Option 2 (general written authorization) applies with the Notice Period in Section 7. For Clause 11, the optional independent dispute-resolution language is not selected. For Clause 17, the SCCs are governed by the law of Ireland. For Clause 18, disputes are resolved in the courts of Ireland.
- UK transfers: the UK Addendum is incorporated by reference and modifies the EU SCCs as set out therein. Tables 1–3 are completed using Annexes I–III; for Table 4, neither party may end the UK Addendum by reason of changes to the Approved Addendum, except as the UK Addendum permits.
- Swiss transfers: the EU SCCs apply with the modifications set out by the Swiss Federal Data Protection and Information Commissioner, including treating the FADP as the governing data-protection law and the Swiss FDPIC as the competent supervisory authority for transfers governed exclusively by Swiss law.
Cobalt Glacier will implement supplementary measures (technical, contractual, and organizational) where required following a transfer impact assessment. A summary is available on request.
9. Aggregated and de-identified data
Cobalt Glacier may create aggregated, anonymized, or de-identified data from Customer Personal Data and use such data for any lawful business purpose, including improving the Service and producing benchmarks, provided that such data: (a) cannot reasonably be used to identify Customer, any Data Subject, or any specific vendor; and (b) is not re-identified by Cobalt Glacier. Cobalt Glacier commits to maintaining and using such data in de-identified form and not to attempt to re-identify it, in line with the requirements of US State Privacy Laws.
10. Data subject rights and assistance
Cobalt Glacier provides functionality within the Service that allows Customer to access, correct, export, and delete Customer Personal Data and to fulfill Data Subject requests. Taking into account the nature of the Processing and the information available to Cobalt Glacier, Cobalt Glacier will provide reasonable assistance to Customer to:
- Respond to Data Subject requests under Articles 12–22 GDPR or analogous rights under other Applicable Data Protection Laws;
- Ensure the security of Processing (Article 32);
- Notify and document Personal Data Breaches (Articles 33–34);
- Carry out data protection impact assessments and prior consultations (Articles 35–36).
If Cobalt Glacier receives a Data Subject request directly relating to Customer Personal Data, it will, unless legally prohibited, promptly refer the request to Customer and not respond to the Data Subject except to confirm that the request has been routed to Customer. Assistance beyond reasonable efforts may be provided on a time-and-materials basis at Cobalt Glacier's then-current rates.
11. Return and deletion of Customer Personal Data
On termination or expiration of the Agreement, and at Customer's choice stated in writing within 30 days of termination, Cobalt Glacier will either delete or return all Customer Personal Data, and delete existing copies, except to the extent that storage is required by applicable law. If Customer makes no choice within 30 days, Cobalt Glacier will delete Customer Personal Data.
Backups containing Customer Personal Data are deleted on a rolling 90-day cycle. During that period, Cobalt Glacier will continue to protect Customer Personal Data in accordance with this DPA and will not actively Process it except for backup, security, and disaster-recovery purposes.
12. Personal Data Breach notification
Cobalt Glacier will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known:
- The nature of the breach, including the categories and approximate number of Data Subjects and records affected;
- The likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate its adverse effects; and
- The name and contact details of Cobalt Glacier's security contact for further information.
Cobalt Glacier will cooperate with Customer's reasonable requests for information necessary for Customer to meet its own notification obligations to supervisory authorities and Data Subjects. A notification under this Section 12 is not an acknowledgement by Cobalt Glacier of any fault or liability.
13. Audits and information rights
Cobalt Glacier will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, including:
- The most recent SOC 2 Type II report (or comparable report) where available, under NDA;
- A summary of the most recent independent penetration test, under NDA; and
- Responses to reasonable security questionnaires.
On at least 30 days' prior written notice, no more than once per 12-month period (except where required by a competent supervisory authority or following a confirmed Personal Data Breach), Customer (or an independent third-party auditor that is not a competitor of Cobalt Glacier and is bound by confidentiality obligations) may conduct an audit of Cobalt Glacier's compliance with this DPA. Audits will be conducted during normal business hours, will not unreasonably interfere with Cobalt Glacier's business, will be subject to Cobalt Glacier's on-site security and confidentiality requirements, and will not include access to Cobalt Glacier's other customers' data, source code, or non-relevant systems. Each party bears its own costs unless the audit reveals material non-compliance attributable to Cobalt Glacier.
14. US State Privacy Laws (CCPA and analogous laws)
For Customer Personal Data subject to US State Privacy Laws, the parties acknowledge and agree:
- Cobalt Glacier is a "service provider" (CCPA/CPRA), "processor" (VCDPA, CPA, CTDPA, UCPA), or analogous role, and Customer is a "business" or "controller".
- Customer discloses Customer Personal Data to Cobalt Glacier solely for the limited and specified business purposes set out in the Agreement and this DPA (collectively, the "Business Purpose").
- Cobalt Glacier will not (a) "sell" or "share" Customer Personal Data as those terms are defined under US State Privacy Laws; (b) retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for any purpose other than the Business Purpose; (c) combine Customer Personal Data with personal data Cobalt Glacier receives from other sources except as permitted by US State Privacy Laws; or (d) retain, use, or disclose Customer Personal Data for any "commercial purpose" other than the Business Purpose.
- Cobalt Glacier will notify Customer if it determines it can no longer meet its obligations under applicable US State Privacy Laws, and Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
- Cobalt Glacier certifies that it understands the restrictions in this Section 14 and will comply with them.
15. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. For clarity, references to the liability of a party in the Agreement include the liability of that party under this DPA and the EU SCCs and UK Addendum (taken together) in aggregate.
16. Order of precedence; conflicts
In the event of conflict, the order of precedence is: (1) the EU SCCs and UK Addendum as completed by the Annexes to this DPA, in respect of their subject matter; (2) this DPA; (3) the Agreement.
17. Term and survival
This DPA takes effect on the effective date of the Agreement and remains in force for the duration of the Agreement and for so long as Cobalt Glacier Processes Customer Personal Data. Sections that by their nature should survive termination (including Sections 5, 9, 11, 12, 13, 15, and 16) survive.
18. Changes to this DPA
Cobalt Glacier may update this DPA from time to time, including to reflect changes in Applicable Data Protection Laws, sub-processor engagements, or security measures. Material changes that adversely affect Customer's rights will be communicated by email or in-product notice at least 30 days before they take effect. Cobalt Glacier will not amend the EU SCCs or UK Addendum except as permitted by the relevant Approved Clauses.
19. Notices and contact
Notices to Cobalt Glacier under this DPA must be sent to legal@renewalpad.com (legal notices) and privacy@renewalpad.com (data protection). Cobalt Glacier's data protection contact is the RenewalPad Data Protection Officer, c/o Cobalt Glacier, LLC.
Cobalt Glacier, LLC, operator of RenewalPad, Delaware, United States.
Annex I — Description of processing
A. List of parties
- Data exporter: Customer, as identified in the Agreement. Role: Controller (or Processor on behalf of a third-party controller). Activities: use of the Service for procurement-intelligence purposes. Contact: as designated by Customer in its account.
- Data importer: Cobalt Glacier, LLC, a Delaware limited liability company, operator of RenewalPad. Role: Processor (or Sub-processor). Activities: provision of the Service. Contact: privacy@renewalpad.com.
B. Description of transfer
- Categories of Data Subjects: as set out in Section 4.
- Categories of Personal Data: as set out in Section 4.
- Sensitive data: not expected; see Section 4.
- Frequency of transfer: continuous, for the duration of the Agreement.
- Nature of Processing: hosting, organizing, structuring, storing, analyzing, and producing outputs from Customer Data, as further described in the Agreement.
- Purpose: provision of the RenewalPad procurement-intelligence Service to Customer.
- Retention: for the term of the Agreement plus the periods described in Section 11.
- Sub-processor processing: for the same subject matter, nature, purpose, and duration as the main processing, limited to what is necessary to provide the relevant Sub-processor's component of the Service.
C. Competent supervisory authority
For EU SCC Module Two/Three transfers, the competent supervisory authority is the Irish Data Protection Commission. For UK transfers governed by the UK Addendum, the competent authority is the UK Information Commissioner's Office. For Swiss transfers, the competent authority is the Swiss FDPIC.
Annex II — Technical and organizational measures
Cobalt Glacier implements the following measures, which may be updated from time to time provided that the protection of Customer Personal Data is not materially diminished:
- Pseudonymization and encryption: TLS 1.2+ in transit; AES-256 at rest for Customer Personal Data and backups; encrypted secrets management with rotation.
- Confidentiality: role-based access control; least-privilege provisioning; mandatory MFA on all production systems; documented joiner/mover/leaver process; written confidentiality obligations on personnel.
- Integrity: code review and CI checks before deployment; signed deployments; tamper-evident audit logs; integrity monitoring on production systems.
- Availability and resilience: high-availability cloud architecture across multiple availability zones; documented business-continuity and disaster-recovery plans tested at least annually; defined RPO and RTO available on request.
- Restoration: encrypted backups taken at least daily and tested regularly for restorability.
- Testing and evaluation: annual independent penetration testing; continuous vulnerability scanning; risk-based remediation SLAs.
- User identification and authorization: SSO and SAML available on eligible plans; password complexity and rate limiting on direct authentication; session management with configurable timeouts.
- Data transmission and storage protection: network segmentation; private connectivity between application tiers; hardened cloud images; provider-managed key management with audit-logged access.
- Physical security: Customer Personal Data is hosted in Tier-3+ certified data centers operated by Cobalt Glacier's infrastructure providers, with biometric access controls, 24×7 staffing, and CCTV.
- Event logging: centralized logging of authentication, administrative actions, and data-access events; retained for at least 12 months on a rolling basis.
- Configuration management: infrastructure-as-code with peer review; baseline hardening; automated drift detection.
- Internal IT and security governance: written information security program; annual risk assessments; vendor security reviews; incident response plan with defined roles.
- Certifications and attestations: Cobalt Glacier's hosting providers maintain ISO 27001 certification and SOC 2 Type II attestation reports. Cobalt Glacier itself is pursuing a SOC 2 Type II report; current status is available on request.
- Sub-processor oversight: diligence on engagement, contractual flow-down of obligations no less protective than this DPA, and ongoing monitoring.
Annex III — Sub-processors
The current list of authorized Sub-processors that Process Customer Personal Data is set out below. Cobalt Glacier will update this list in accordance with Section 7.
| Sub-processor | Service provided | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting, storage, and compute | United States (us-east-1, us-west-2) |
| Supabase, Inc. | Managed Postgres database, authentication, storage | United States |
| Cloudflare, Inc. | CDN, DNS, DDoS protection, edge runtime | Global (configurable) |
| Resend, Inc. | Transactional email delivery | United States |
| Sentry (Functional Software, Inc.) | Error monitoring and performance telemetry | United States |
| OpenAI, L.L.C. | AI inference for negotiation drafting and summarization (no training on Customer Data) | United States |
| Google LLC (Vertex AI / Gemini API) | AI inference for benchmarks and document understanding (no training on Customer Data) | United States |
| Stripe, Inc. | Subscription billing and payments (account-level, not Customer Personal Data within the Service) | United States |
For requests for an updated list, including affiliates engaged as Sub-processors, email privacy@renewalpad.com.
End of Data Processing Addendum, version 2026-05-08.