1. Roles
For the personal data that the customer submits to the ThreatSpire service, the customer is the data controller and ThreatSpire LLC is the data processor. Where ThreatSpire processes personal data for its own purposes, such as account administration or service usage analytics involving identified individuals, ThreatSpire is the controller.
If applicable law requires a different characterization of roles, the parties agree to adapt their relationship to achieve the same substantive protections described in this addendum.
2. Definitions
Capitalized terms used in this addendum have the meanings given below or in the main agreement:
- Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
- Personal Data means any information relating to an identified or identifiable natural person ("Data Subject"), consistent with the GDPR definition.
- Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Subprocessor means any processor engaged by ThreatSpire to carry out specific processing activities on behalf of the customer.
3. Scope and details of processing
This addendum applies to the processing of personal data that the customer submits to the ThreatSpire service, including names, work email addresses, roles, and any other information about identifiable individuals contained in customer content.
The details are as follows:
- Subject matter: Provision of the ThreatSpire threat intelligence platform.
- Duration: For the term of the agreement and as specified in the return and deletion section.
- Nature and purpose: Hosting, processing, securing, and improving the service; supporting customer users; generating AI-assisted drafts under documented instructions; and performing account management and security functions.
- Categories of data: Contact data (name, work email); account data (role, organization); customer content that may contain personal data (intelligence requirements, assessments, evidence, indicators); and authentication and security data (IP addresses, session metadata, audit logs).
- Categories of data subjects: Users authorized by the customer (analysts, managers, administrators); individuals mentioned in customer content (for example subjects of intelligence reports); and individuals who contact ThreatSpire for support.
4. Processor obligations
Documented instructions. ThreatSpire will process personal data only on the customer's documented instructions, including as set out in this addendum and the main agreement, unless required to do so by applicable law.
Confidentiality. ThreatSpire ensures that personnel authorized to process personal data are subject to confidentiality obligations.
Assistance with data subject requests. ThreatSpire will assist the customer in responding to requests from data subjects to exercise their rights under applicable data protection law, including access, correction, deletion, restriction, and objection.
Assistance with security and breach obligations. ThreatSpire will assist the customer in meeting its security, breach notification, and data protection impact assessment obligations under applicable law, to the extent those obligations relate to the service.
5. No sale of data
ThreatSpire does not sell customer data, and does not provide customer data to third parties for their own purposes. ThreatSpire may use customer data internally to improve the ThreatSpire application and for marketing opportunities. To operate the service we rely on a limited set of vetted infrastructure subprocessors (such as cloud hosting) under contract, who may process data only on our instructions and solely to deliver the service.
AI features process relevant customer content solely to generate outputs for the customer. Customer content and prompts are not used to train third-party foundation models.
6. Subprocessors
ThreatSpire uses a limited set of vetted subprocessors to provide the service. Each subprocessor is bound by a written agreement that requires data protection measures materially equivalent to those in this addendum, restricts processing to our instructions, and limits use of the data to delivering the service to us.
We will notify the customer of any intended changes to subprocessors with at least 30 days' advance notice, unless the change is required for security or legal compliance, in which case we will notify as soon as practicable. Objections will be handled in good faith.
Current subprocessors
| Name | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Cloud hosting / infrastructure | United States |
| AI language model provider | AI-assisted drafting and analysis | United States |
The current list of subprocessors, including entity names, is available on request from legal@threatspire.com.
7. Security measures
ThreatSpire implements administrative, technical, and physical safeguards designed to protect personal data. These include, at minimum:
- Encryption in transit and at rest. Data is encrypted in transit using TLS and at rest using industry-standard algorithms.
- Access control and least privilege. Access to production systems and customer data is limited to authorized personnel on a need-to-know basis, with role-based permissions and strong authentication.
- Per-tenant isolation. Customer data is logically isolated so that one tenant cannot access another tenant's data through the application.
- Logging and monitoring. We maintain audit logs of access and changes to production systems, and we monitor for anomalous activity.
- Secure development lifecycle. We perform security reviews, dependency scanning, and testing as part of our development and deployment processes.
8. Personal data breach notification
ThreatSpire will notify the customer without undue delay after becoming aware of a personal data breach affecting customer data. The notification will include, to the extent known at the time, the nature of the breach, the categories and approximate number of affected data subjects and records, the likely consequences, and the measures taken or proposed to address the breach.
ThreatSpire will assist the customer in meeting its own breach notification obligations under applicable law, including by providing information the customer reasonably requests.
9. International transfers
Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that does not provide an adequate level of protection, ThreatSpire will implement appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, or rely on another lawful transfer mechanism.
Subprocessors engaged to process personal data in other jurisdictions are bound by equivalent transfer safeguards where required by applicable law.
10. Audit and compliance
The customer may request information from ThreatSpire to verify compliance with this addendum. ThreatSpire will respond to reasonable requests within a commercially reasonable timeframe.
Where the customer requires an independent audit, the parties will agree on the scope, timing, and methodology in advance. The customer will bear the cost unless the audit reveals a material non-compliance, in which case ThreatSpire will bear the reasonable cost of the audit.
11. Return and deletion of data on termination
On termination or expiry of the agreement, ThreatSpire will, at the customer's election, return or delete the customer's personal data, except where retention is required by applicable law or for legitimate business purposes such as backups, audit records, and dispute resolution.
Deletion will be performed using methods designed to make the data irrecoverable in the ordinary course of operations. Backups may be retained for a limited period in accordance with our backup retention policy and will be deleted when that period expires.
12. Duration and order of precedence
This addendum forms part of the agreement between ThreatSpire and the customer and remains in force for as long as ThreatSpire processes personal data on the customer's behalf.
In the event of a conflict between this addendum and the main agreement or Terms of Service, the provisions that provide stronger protection for personal data will prevail. Otherwise, this addendum is subordinate to the main agreement, which governs all other matters.
13. Contact
Questions about this addendum, including requests for the current subprocessor list or transfer documentation, can be sent to legal@threatspire.com.
ThreatSpire LLC
Dover, Delaware
United States
