Data Processing Addendum
Effective date: June 10, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between WoneShield and the customer and applies where WoneShield processes personal data on the customer’s behalf. To execute a countersigned copy for your organization, contact legal@woneshield.com.
1. Roles of the parties
For personal data within Customer Data, the customer is the controller (or processor acting for its own customers) and WoneShield is the processor (or sub-processor). Each party will comply with applicable data protection laws, including PIPEDA, Quebec Law 25 and the GDPR where relevant.
2. Scope & instructions
WoneShield processes personal data only to provide the Service and on the customer’s documented instructions, including as configured through the platform, unless required to act otherwise by law (in which case we will notify the customer where permitted).
3. Nature & purpose of processing
Processing consists of hosting, securing, analyzing and presenting the security and resilience data the customer connects to the platform, for the purpose of delivering the Service. The categories of data subjects and personal data are determined by the customer and described in Annex A.
4. Confidentiality
WoneShield ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations and are trained on their responsibilities.
5. Security measures
WoneShield implements and maintains appropriate technical and organizational measures described in Annex B, including encryption in transit and at rest, access controls and least privilege, multi-tenant isolation, monitoring, immutable audit logging, and a documented incident-response program.
6. Sub-processors
The customer authorizes WoneShield to engage sub-processors to provide the Service, subject to written contracts imposing data-protection obligations no less protective than this DPA. We maintain a current list of sub-processors and will provide a mechanism to receive notice of changes, with the ability to object on reasonable data-protection grounds.
7. Data subject requests
Taking into account the nature of the processing, WoneShield will assist the customer with appropriate technical and organizational measures to respond to data-subject requests. Where a request reaches us directly, we will refer it to the relevant customer.
8. Personal data breach
WoneShield will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably available to assist the customer in meeting its notification obligations.
9. Audits
WoneShield will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the customer or an auditor it mandates, subject to reasonable confidentiality and security conditions.
10. International transfers
Where personal data is transferred across borders, WoneShield applies appropriate safeguards, such as standard contractual clauses, and honors the data-residency region selected by the customer.
11. Return & deletion
On termination of the Service, WoneShield will, at the customer’s choice, return or delete Customer Data within a reasonable period, except where retention is required by law.
12. Annexes
Annex A — Details of processing: categories of data subjects (e.g., the customer’s personnel and end users), categories of personal data (e.g., identifiers, account and security-event metadata), and duration (the term of the Service).
Annex B — Security measures: encryption, access control and authentication, tenant isolation via row-level security, network controls, logging and monitoring, vulnerability management, secure development, and incident response.