FOSSORIAL DATA PROCESSING ADDENDUM (CUSTOMER AGREEMENT)

Last modified: June 9, 2026

This Data Protection Addendum (“DPA”) is incorporated into and forms part of the master agreement, terms of service, sales order, or other principal written or electronic agreement (the “Agreement”) by and between Fossorial, Inc. (“Fossorial,” “we,” “us,” or “our”) and the legal entity using the self-hosted or cloud-based identity, tunneling, and secure access software and services (the “Services”) as identified in the Agreement (“Customer”).

Fossorial and Customer are each referred to as a “Party” and collectively as the “Parties.” Customer enters into this DPA on behalf of itself and, to the extent applicable, its authorized Affiliates.

Applicability of this DPA

This DPA applies to and takes strict precedence over the underlying Agreement to the extent of any operational or legal conflict concerning the Processing of Personal Data. Capitalized terms not explicitly defined herein shall carry the meanings assigned to them in the Agreement or applicable Data Protection Laws.

1. Definitions

• “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party to this DPA, where “control” refers to the direct or indirect ownership or management of more than fifty percent (50%) of the voting or equity interests of the subject entity.
• “Contractual Documents” means the master agreement between Fossorial and Customer together with any associated sales orders, statements of work, or service specifications.
• “Data Protection Laws” means all applicable regional, national, and state laws, regulations, and statutory requirements in any global jurisdiction relating to privacy, data protection, data security, data residency, or data breach notification, including, without limitation:
  • The European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”);
  • The United Kingdom Data Protection Act 2018 and the GDPR as incorporated into UK law (“UK GDPR”);
  • The Swiss Federal Act on Data Protection (“FADP”);
  • The California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”); and
  • Any omnibus privacy enactments passed by other U.S. states (together with the CCPA, “U.S. Privacy Laws”).
• “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and includes the term “consumer” as specified under U.S. Privacy Laws.
• “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
• “Personal Data” means any personal data, personal information, or personally identifiable information (as defined by applicable Data Protection Laws) that Customer or its authorized end users submit, transmit, store, or route through the platform infrastructure, software, or SaaS Services.
• “Process” or “Processing” means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, hosting, retrieval, execution, transmission, routing, dissemination, alignment, restriction, erasure, or destruction.
• “Security Breach” means any confirmed accidental, unauthorized, or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed on Fossorial’s managed infrastructure.
  Note: For the avoidance of doubt, Security Breaches do not include unsuccessful infrastructure attempts or activities that do not compromise the security or integrity of Personal Data, including unsuccessful log-in attempts, ping sweeps, port scans, broadcast storms, denial-of-service attacks, or other routine network edge security events.
• “Subprocessor” means any third-party corporate entity or infrastructure provider engaged by Fossorial to assist in Processing Personal Data under the strict terms of this DPA.
• “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the United Kingdom Information Commissioner’s Office (ICO).
• Core Privacy Roles: The terms “Business,” “Controller,” “Processor,” and “Service Provider” shall carry the definitions established within applicable Data Protection Laws. For interpretation purposes, “Controller” is deemed to include a “Business” and “Processor” is deemed to include a “Service Provider.”

2. Roles, Scope, and Purposes of Processing

2.1. Dual-Role Applicability

The Parties acknowledge and agree that with respect to the Processing of Customer’s Personal Data via the identity platform, secure access tunnels, or cloud routing components of the Services:

• To the extent that Customer acts as the direct Controller of the data, Fossorial is its Processor.
• To the extent that Customer acts as a Processor of Personal Data on behalf of a third party, Fossorial operates as its Subprocessor.

2.2. Trial and Free Tier Abuse Exception

As set forth in the underlying Agreement, Fossorial explicitly retains the right to monitor Customer's use of the Software or SaaS Services during any Free Trial or Free Tier to verify operational compliance with platform resource usage and anti-malware laws. If Fossorial reasonably suspects that Customer's account or secure tunnels are being utilized for unlawful activities—including but not limited to financial fraud, phishing, ransomware command-and-control infrastructure, or the dissemination of malicious binaries—Fossorial may access, monitor, audit, and review Customer's account metadata and activities. This DPA does not apply to Personal Data processed for these platform abuse monitoring purposes.

2.3. Documented Instructions

Fossorial will Process Personal Data solely:

1. To execute its technical obligations to Customer under the underlying Agreement;
2. On Customer’s explicit documented instructions;
3. In compliance with Data Protection Laws; and
4. For the technical purposes set forth in Exhibit A of this DPA.

2.4. Explicit Service Provider Restrictions

Fossorial certifiably warrants that it will:

• i. Not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Fossorial, or for any commercial purpose other than the specific infrastructure purposes specified in this DPA and the Agreement.
• ii. Not “sell” or “share” any Personal Data, as such terms are defined across applicable U.S. Privacy Laws, to any third party for behavioral advertising or monetization.
• iii. Not attempt to re-identify any pseudonymized, anonymized, or aggregated telemetry or technical logs derived from the operations of the Services without Customer’s express prior written permission.
• iv. Comply with all applicable restrictions under Data Protection Laws on combining Personal Data received from Customer with data collected from other customer interactions or separate commercial services.
• v. Comply with all applicable provisions of the CCPA/CPRA, providing the baseline level of privacy protection required by the CCPA/CPRA to all covered data.

2.5. Customer Warranties

Customer is solely responsible for fulfilling its statutory obligations as a Controller under Data Protection Laws. Customer represents and warrants that it has executed all legally mandatory requirements (including providing clear privacy notices and obtaining active user consents) to ensure that its transmission of Personal Data through Fossorial's secure tunneling mechanisms is entirely compliant with law. Customer will not instruct Fossorial to process data in a manner that violates privacy regulations. Fossorial will immediately inform Customer if, in its professional opinion, an instruction from Customer infringes Data Protection Laws.

3. Personnel Confidentiality and Technical Security

3.1. Authorized Personnel

Fossorial will ensure that all employees, contractors, and engineering personnel authorized to have access to or handle the Personal Data have committed themselves to strict contractual confidentiality or are bound by an appropriate statutory obligation of confidentiality.

3.2. Technical and Organizational Measures

Fossorial will implement, maintain, and test appropriate administrative, technical, physical, and organizational security controls designed to protect Personal Data against a Security Breach, as detailed in Exhibit B of this DPA.

3.3. Regulatory Inquiries and Data Subject Requests

Fossorial will promptly notify Customer if it receives:

• (i) Any Data Subject requests exercising rights under Data Protection Laws (such as deletion or access rights); or
• (ii) Any formal regulatory or government inquiries regarding the data processed on Customer's behalf.

Unless compelled by law, Fossorial will not respond directly to such requests but will instead await written instructions from Customer on how to assist.

4. Security Breach Notification and Mitigation

4.1. Notice Timeline

Fossorial will notify Customer of any confirmed Security Breach without undue delay, and where feasible, within 72 hours of confirming the event. Notice will be sent to the administrative or legal contact specified in the Customer's Account.

4.2. Mitigation and Assistance

Fossorial will immediately take steps to mitigate the effects of any Security Breach and minimize security risks to Data Subjects. Fossorial will assist Customer in satisfying its statutory breach notification obligations by providing the following data points as they become known:

• i. The nature of the Security Breach, including how it occurred and the approximate categories/number of Data Subjects and records impacted;
• ii. The anticipated operational or security consequences of the breach; and
• iii. The exact remedial measures taken or planned to be taken by Fossorial.

5. Subprocessors

5.1. General Authorization

Customer grants Fossorial general written authorization to engage infrastructure Subprocessors (such as primary cloud hosting services, logging endpoints, or database infrastructure) to maintain the platform.

5.2. Notice of Updates

An up-to-date list of authorized Subprocessors is maintained at https://trust.pangolin.net/subprocessors. Customer acknowledges and agrees that it is Customer's sole responsibility to check this URL periodically for updates. Fossorial will post any new Subprocessor additions to this page at least 10 days before authorizing the Subprocessor to process any Personal Data.

Fossorial may provide a mechanism on that page (such as an email list signup or RSS feed) where Customer can subscribe to receive automated alerts regarding changes, but the lack of a direct email from Fossorial shall not invalidate the notice.

5.3. Objection Mechanics

Customer may reasonably object to a new Subprocessor within 10 days of the addition being posted to the URL specified in Section 5.2, provided such objection is made on documented, reasonable data protection grounds. Upon receipt of a valid written objection, the Parties will cooperate in good faith to discuss alternative configurations. If the Parties cannot reach a mutually agreeable solution within 30 days, Customer’s sole and exclusive remedy is to terminate the specific portion of the Services involving the objected-to Subprocessor upon written notice to Fossorial.

5.4. Downstream Agreements

Fossorial will execute a legally binding agreement with each Subprocessor containing data protection obligations at least as restrictive as those imposed on Fossorial within this DPA.

6. International Data Transfers

6.1. Cross-Border Compliance

Fossorial will not engage in cross-border Processing or transmit Personal Data out of the EEA, United Kingdom, or Switzerland to a country without an adequacy decision unless it complies strictly with valid transfer mechanisms.

6.2. Incorporation of EU SCCs

For data transfers subject to the GDPR, the Parties hereby agree that by executing the underlying Agreement, they are deemed to have executed and signed the EU Standard Contractual Clauses (SCCs), which are fully incorporated by reference into this DPA. The clauses are completed as follows:

• i. Module 2 (Controller-to-Processor) applies where Customer is a Controller and Fossorial is a Processor.
• ii. Module 3 (Processor-to-Processor) applies where Customer is a Processor and Fossorial is a Subprocessor.
• iii. Clause 7 (Docking Clause) is excluded.
• iv. Clause 9 (Use of sub-processors): The Parties select Option 2 (General written authorization) as governed by Section 5 of this DPA.
• v. Clause 11 (Redress): The optional language regarding independent dispute resolution is excluded.
• vi. Clause 17 (Governing Law): The Parties select the law of Ireland.
• vii. Clause 18 (Choice of Forum): The Parties select the courts of Ireland.

6.3. UK Data Transfers

For transfers of Personal Data subject to the UK GDPR, the Parties are deemed to have executed the UK Addendum issued by the ICO. The information required within Tables 1 through 4 of the UK Addendum is mapped directly to the details specified in Section 6.2 and Exhibit A of this DPA. Either Party may terminate the UK Addendum in accordance with Section 19 of its standard terms.

6.4. Swiss Data Transfers

For transfers subject to the Swiss FADP, the EU SCCs shall apply with the following adjustments:

• i. References to the GDPR are understood to apply to the FADP.
• ii. The term “Member State” shall not be interpreted to prevent Swiss Data Subjects from seeking redress or filing claims in their place of habitual residence (Switzerland).
• iii. The relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

7. Audit Rights

7.1. Independent Audits

Fossorial utilizes independent, third-party external auditors to perform annual security audits of its systems. These evaluations result in the generation of a confidential audit report (such as a SOC 2 Type II, ISO 27001 certificate, or equivalent standard).

7.2. Review Rights

Upon reasonable written request, and no more than once per 12-month calendar period, Fossorial will make available to Customer a copy of its most recent third-party security verification report under strict non-disclosure controls.

To the extent that this report does not provide sufficient detail to satisfy Customer's regulatory audit requirements under Data Protection Laws, Customer may submit a list of specific compliance queries, and Fossorial will provide written answers or technical documentation to demonstrate adherence to this DPA. Customer agrees that these procedures fully satisfy its statutory audit rights.

8. Return or Destruction of Personal Data

8.1. Post-Termination Deletion

Within 60 days of Customer’s written request or the formal termination of the underlying Agreement, Fossorial will securely delete or return all Personal Data processed within its systems.

8.2. Archival Retention

Customer acknowledges and accepts that Fossorial may retain structural fragments of Personal Data as necessary within system backups and archival media. Fossorial will securely isolate such media and delete the associated data in accordance with its routine archival rotation cycles. Fossorial will maintain the full legal protections of this DPA for any data retained until destruction is finalized.

9. Indemnification and Limitation of Liability

9.1. Liability Cap Alignment

To the maximum extent permitted under applicable Data Protection Laws, any liability, indemnification claims, or structural losses arising out of a breach of this DPA or a Security Breach shall be subject to the standard Limitations of Liability and commercial liability caps established within the underlying main Agreement.

10. Survival

10.1. Indefinite Protection

The commercial and technical provisions of this DPA shall survive the expiration or formal termination of the underlying Agreement for as long as Fossorial or its downstream Subprocessors retain or maintain any operational access to Customer's Personal Data.

EXHIBIT A: DETAILS OF PROCESSING AND TRANSFER

A. List of Parties

• Data Exporter: Customer (as identified in the main Agreement, Sales Order, or corporate registration).
  • Role: Controller (or Business).
• Data Importer: Fossorial, Inc., 10612 Fiesta Rd., Fairfax, VA.
  • Role: Processor (or Service Provider).

B. Description of Processing and Transfer

• Categories of Data Subjects: Customer’s internal employees, software developers, security teams, network administrators, system architects, and authorized corporate end users who utilize the identity routing or tunneling platforms.
• Categories of Personal Data: Operational network metadata, user login records, secure connection email addresses, source and destination IP addresses, platform authentication tokens, cryptographic public keys, SSH/Kubernetes technical connection logs, configuration file schemas, and telemetry logs routing through secure access tunnels.
• Sensitive Data: None.
• Frequency of Transfer: Continuous and on-demand for the full duration of the underlying Agreement.
• Nature and Purpose of Processing: The Data Importer will process the data to provide secure access routing, manage zero-trust network tunnels, authenticate end users to internal infrastructure components, prevent network performance anomalies, and fulfill its engineering delivery obligations under the main Agreement.
• Retention Period: Personal Data is maintained for the operational duration of the Customer’s account, or as modified by explicit retention configurations, and is deleted within 60 days following platform termination.

C. Competent Supervisory Authority

The competent supervisory authority is the Irish Data Protection Commission (for GDPR-related transfers).

EXHIBIT B: TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)

Fossorial implements the following industry-standard technical, organizational, and physical security measures to guarantee the safety and isolation of processed data:

• 1. Transport Layer Encryption: All customer session data and tunnel routing traffic are forcefully encrypted in transit using industry-standard TLS 1.3 or SSHv2 protocols over public networks.
• 2. Access Control Architecture: Production system clusters, data routing logs, and configuration interfaces are locked down using zero-trust access profiles. Administrative access is granted purely on the principle of least privilege and requires hardware-backed multi-factor authentication (MFA).
• 3. Continuous Infrastructure Monitoring: Security logging agents actively track system behavior, authentication anomalies, port configurations, and edge state changes across our infrastructure platforms.
• 4. Vendor Risk Management: All primary infrastructure hosting sub-vendors utilize SOC 2 Type II and ISO 27001 certified physical data centers with automated data isolation routines.
• 5. Operational Resiliency: Daily backup systems maintain fully isolated recovery targets to prevent complete data loss or catastrophic state failures.