Data Processing Agreement

Last Updated: July 25, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer" or "Data Controller") and Pathlock ("Service Provider" or "Data Processor") (collectively "the Parties") and applies to the extent that Pathlock processes Personal Data on behalf of the Customer in the course of providing access to the Pathlock documentation portal ("Documentation").

This DPA is designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) (EU) 2016/679, and establishes the rights and obligations of each party regarding the processing of Personal Data.

1. Definitions

The terms "Personal Data," "Data Subject," "Processing," "Controller," "Processor," "Supervisory Authority," "Personal Data Breach," and "Special Categories of Personal Data" shall have the meanings given to them in applicable data protection laws, including the GDPR.

2. Scope and Details of Processing

2.1 Subject Matter: The subject matter of the processing is the provision of access to the Documentation.

2.2 Duration: Processing will be performed for the duration of the Customer's access to the Documentation.

2.3 Nature and Purpose: Pathlock will process Personal Data for the purpose of providing access to the Documentation, managing accounts, authenticating users, and for security, analytics, and improving the service.

2.4 Types of Personal Data: The Personal Data processed may include:

• Account information (name, email address)
• Authentication information
• Usage data and analytics
• Device information (IP address, browser type, operating system)

2.5 Categories of Data Subjects: The Data Subjects whose Personal Data is processed include Customer's employees, agents, advisors, and other authorized users of the Documentation.

3. Obligations of the Data Processor

Pathlock shall:

• Process Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country or international organization, unless required to do so by EU or Member State law to which the Processor is subject;
• Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing of Personal Data;
• Not engage another processor without prior specific or general written authorization of the Customer;
• Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR;
• At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of services relating to processing, and delete existing copies unless EU or Member State law requires storage of the Personal Data;
• Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer;
• Immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other data protection provisions of the EU or a Member State.

4. Sub-processors

Pathlock may engage sub-processors to fulfill its obligations under this DPA. Pathlock shall maintain an up-to-date list of sub-processors and shall provide prior notice to the Customer of any intended changes concerning the addition or replacement of sub-processors. The Customer may reasonably object to such changes within 30 days.

Pathlock shall ensure that any sub-processor it engages to provide services on its behalf only processes the Personal Data in accordance with the Customer's documented instructions and that the security, confidentiality, and data protection obligations equivalent to those set out in this DPA are imposed on the sub-processor.

5. Data Transfers

Pathlock may only transfer Personal Data to a third country or international organization if it provides appropriate safeguards, and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available. Such safeguards may include:

• The Standard Contractual Clauses adopted by the European Commission;
• Binding Corporate Rules;
• Approved Codes of Conduct or Certification Mechanisms;
• Any other valid transfer mechanism under the GDPR.

6. Data Subject Rights

Taking into account the nature of the processing, Pathlock shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under applicable data protection laws.

If Pathlock receives a request from a Data Subject regarding their Personal Data, Pathlock shall notify the Customer without undue delay.

7. Personal Data Breach

In the event of a Personal Data Breach, Pathlock shall notify the Customer without undue delay after becoming aware of the breach. The notification shall include, at a minimum:

• A description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
• The name and contact details of Pathlock's data protection officer or other contact point where more information can be obtained;
• A description of the likely consequences of the Personal Data Breach;
• A description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

8. Audit Rights

Upon reasonable notice, Pathlock shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

Any audit shall be conducted during regular business hours, with minimal disruption to Pathlock's business, and subject to reasonable confidentiality procedures.

9. Deletion or Return of Personal Data

Upon termination of the Customer's access to the Documentation, Pathlock shall, at the choice of the Customer, delete or return all Personal Data to the Customer, and delete existing copies unless EU or Member State law requires storage of the Personal Data.

10. Liability

Each party shall be liable for its own acts and omissions which result in a breach of, or non-compliance with, this DPA or applicable data protection laws.

The Customer shall indemnify and hold harmless Pathlock from any claims, damages, liabilities, costs, and expenses arising from the Customer's breach of, or non-compliance with, this DPA or applicable data protection laws.

Pathlock shall indemnify and hold harmless the Customer from any claims, damages, liabilities, costs, and expenses arising from Pathlock's breach of, or non-compliance with, this DPA or applicable data protection laws.

11. Governing Law

This DPA shall be governed by the laws applicable to the Terms of Service between the Parties.

12. Modifications

This DPA may only be modified by a written amendment executed by both Parties.

13. Contact Information

For any matters related to this DPA, please contact:

Pathlock Data Protection Officer
Email: support@pathlock.com