Data Processing Agreement
Last updated: March 24, 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service (the "Agreement") entered into by and between Customer (as defined in the Agreement) and Veridien Inc. ("Veridien"). By executing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Affiliates, if any.
1. Definitions
"Affiliate" means an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, or an entity which is under common control with a party.
"Authorized Sub-Processor" means a third party who has a need to know or otherwise access Customer's Personal Data to enable Veridien to perform its obligations under this DPA or the Agreement.
"Customer Account Data" means personal data that relates to Customer's relationship with Veridien, including names or contact information of individuals authorized to access Customer's account and billing information.
"Customer Usage Data" means Service usage data collected and processed by Veridien in connection with the provision of the Services, including activity logs and data used to optimize and maintain performance.
"Data Protection Laws" means any applicable laws and regulations relating to the use or processing of Personal Data including the CCPA, GDPR, the Swiss Federal Act on Data Protection, and the UK GDPR, as updated from time to time.
2. Relationship of the Parties
The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor and Veridien is a processor. Customer shall, in its use of the Services, process Personal Data in compliance with Data Protection Laws.
Veridien shall not process Personal Data for purposes other than those set forth in the Agreement, in a manner inconsistent with this DPA or any documented instructions provided by Customer, or in violation of Data Protection Laws.
Following completion of the Services, at Customer's choice, Veridien shall return or delete Customer's Personal Data, unless further storage is required or authorized by applicable law.
3. Authorized Sub-Processors
Customer acknowledges and agrees that Veridien may engage its affiliates and Authorized Sub-Processors to access and process Personal Data in connection with the Services. Veridien provides general written authorization to engage sub-processors as necessary.
At least fifteen (15) days before enabling any new third party to access Personal Data, Veridien will notify Customer. Customer may object to such engagement within ten (10) days of receipt of notice, provided such objection is in writing and based on reasonable grounds.
Veridien will enter into written agreements with Authorized Sub-Processors imposing data protection obligations comparable to those in this DPA.
4. Security of Personal Data
Veridien shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.
5. Transfers of Personal Data
Customer acknowledges that Veridien's primary processing operations take place in the United States, and that the transfer of Personal Data to the United States is necessary for the provision of the Services. If Veridien transfers Personal Data to a jurisdiction for which the European Commission has not issued an adequacy decision, Veridien will ensure that appropriate safeguards have been implemented in accordance with Data Protection Laws.
For ex-EEA Transfers, the EU Standard Contractual Clauses (SCCs) apply. For ex-UK Transfers, the UK Addendum to the SCCs applies.
6. Rights of Data Subjects
Veridien shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise their rights of access, rectification, erasure, data portability, restriction or cessation of processing, or withdrawal of consent. Customer is solely responsible for responding to such requests.
7. Audits and Compliance
Veridien shall maintain records sufficient to demonstrate compliance with its obligations under this DPA and retain such records for three (3) years after termination. Upon written request at reasonable intervals, Veridien shall make available certifications or reports demonstrating compliance with prevailing data security standards.
In the event of a Personal Data Breach, Veridien shall, without undue delay, inform Customer and take steps deemed necessary and reasonable to remediate such violation.
8. Technical and Organizational Measures
- Customer data is encrypted at rest and in transit (HTTPS/TLS)
- Database backups performed daily with tested restore capabilities
- Logical separation between customer instances in multi-tenant architecture
- Role-based access control with strong authentication requirements
- Regular security monitoring, testing, and assessment of controls
- Employee security training and background checks
- Data minimization and limited retention policies
- Data export capabilities via CSV and API for portability
9. Sub-Processors
| Company | Purpose | Location |
|---|---|---|
| Neon | Database hosting | United States |
| Vercel | Application hosting | United States |
| Cloudflare | CDN and security | Global |
| Resend | Email delivery | United States |
| Stripe | Payment processing | United States |
10. Conflict
In the event of any conflict or inconsistency, the order of precedence will be: (1) the applicable Standard Contractual Clauses; (2) the terms of this DPA; (3) the Agreement; and (4) any other written agreement. Any claims brought in connection with this DPA will be subject to the terms and conditions, including exclusions and limitations, set forth in the Agreement.
For questions about this DPA or to exercise any rights described herein, please contact us at [email protected].