Data Processing Agreement

Effective date: January 1, 2026

Last updated: March 7, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Licentric Inc. (“Processor”) and the customer (“Controller”) and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Licentric platform. By using the Services, the Controller agrees to the terms of this DPA.

1. Definitions

The following terms have the meanings set out below when used in this Data Processing Agreement:

  • “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this DPA, the Controller is the customer entity that has entered into the Terms of Service with Licentric Inc.
  • “Processor” means the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. For the purposes of this DPA, the Processor is Licentric Inc.
  • “Sub-processor” means any third party (including affiliates of the Processor) engaged by the Processor to process personal data on behalf of the Controller in connection with the Services.
  • “Data Subject” means an identified or identifiable natural person to whom personal data relates, including end users, licensees, and authorized representatives of the Controller.
  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection law, including but not limited to names, email addresses, device fingerprints, IP addresses, license activation records, and billing information.
  • “Processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • “Supervisory Authority” means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR, or the equivalent regulatory body under applicable data protection law in any other jurisdiction.

Terms not otherwise defined herein shall have the meanings ascribed to them in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) or, where applicable, equivalent national data protection legislation.

2. Scope and Purpose

This Data Processing Agreement (“DPA”) supplements the Terms of Service between Licentric Inc. and the Controller and forms a legally binding agreement between the parties with respect to the processing of personal data. In the event of any conflict between this DPA and the Terms of Service regarding data processing matters, this DPA shall prevail.

This DPA applies whenever Licentric Inc., acting as Processor, processes personal data on behalf of the Controller in connection with the Licentric software licensing platform (“Services”). The Processor shall process personal data only for the following purposes: license key generation, validation, and management; end-user activation tracking and device fingerprinting; usage analytics and reporting; billing and subscription management; transactional email delivery; and platform support and security operations.

The Processor shall process personal data solely on documented instructions from the Controller, unless required to do so by applicable law. In such cases, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law on grounds of public interest. The Processor shall immediately inform the Controller if, in its opinion, any instruction from the Controller infringes applicable data protection law.

3. Roles and Responsibilities

The parties acknowledge and agree that, with regard to the processing of personal data under this DPA, the Controller is the Controller and Licentric Inc. is the Processor, within the meaning of Article 4 of the GDPR.

In accordance with Article 28 of the GDPR, the Processor shall:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organization, unless required to do so by applicable law.
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures as required by Article 32 of the GDPR and as further described in Annex II of this DPA.
  • Respect the conditions for engaging Sub-processors as set out in Section 4 of this DPA.
  • Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests for exercising the Data Subjects' rights as set out in Section 5.
  • Assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
  • Delete or return all personal data to the Controller upon termination of the Services, and delete existing copies unless applicable law requires storage of the data.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

The Controller is responsible for ensuring that it has a lawful basis for the processing of personal data under this DPA and that it has provided adequate notice to Data Subjects. The Controller shall ensure that its instructions to the Processor at all times comply with applicable data protection law.

4. Sub-processors

The Controller grants the Processor general written authorization to engage the Sub-processors listed below. The Processor shall inform the Controller of any intended additions or replacements of Sub-processors at least 30 days prior to any such change, thereby giving the Controller the opportunity to object to such changes.

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Supabase, Inc. | Database and authentication | United States |
| Stripe, Inc. | Payment processing | United States |
| Vercel, Inc. | Application hosting, CDN, and usage analytics | United States |
| Postmark (ActiveCampaign, LLC) | Transactional email delivery | United States |

If the Controller objects to the appointment of a new or replacement Sub-processor, the Controller shall notify the Processor in writing within 30 days of receiving notice. In such case, the Processor shall use reasonable endeavors to make available a commercially reasonable change in the provision of the Services to avoid the use of the objected Sub-processor. If the Processor is unable to make such a change within 30 days, the Controller may terminate the relevant Services by providing written notice to the Processor.

The Processor shall impose data protection terms on any Sub-processor it appoints that are no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of Sub-processors' obligations to the extent that such Sub-processors fail to fulfill their data protection obligations.

5. Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law, including the rights of: access (Article 15 GDPR); rectification (Article 16 GDPR); erasure, commonly known as the “right to be forgotten” (Article 17 GDPR); restriction of processing (Article 18 GDPR); data portability (Article 20 GDPR); and objection to processing (Article 21 GDPR).

When the Processor receives a request from a Data Subject that is clearly directed to the Controller, the Processor shall promptly forward such request to the Controller without responding to the Data Subject directly. The Processor shall not respond to Data Subject requests except on documented instructions from the Controller or as required by applicable law.

The Processor shall provide the Controller with reasonable assistance in responding to Data Subject requests within 10 business days of receiving a written request from the Controller for such assistance. The Processor shall make available the following mechanisms to facilitate Data Subject rights:

  • Data export functionality via the dashboard and API (structured, machine-readable format) to support portability requests.
  • Account and license data deletion workflows available through the dashboard and upon written request to privacy@licentric.com.
  • Audit log access for the Controller to identify all processing operations performed on behalf of a specific Data Subject.

The Processor shall notify the Controller without undue delay if it receives a legally binding request from a law enforcement authority for the disclosure of personal data, unless prohibited by applicable law. In such cases, the Processor shall use reasonable legal means to redirect the request to the Controller.

6. Security Measures

In accordance with Article 32 of the GDPR, the Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The Processor implements the following technical security measures:

  • Encryption at rest: All personal data stored by the Processor is encrypted using AES-256-GCM symmetric encryption. License keys are additionally encrypted at the application layer before storage.
  • Encryption in transit: All data transmitted between clients and the Processor's infrastructure is encrypted using TLS 1.3. Older protocol versions are not accepted.
  • Cryptographic integrity: Ed25519 digital signatures are applied to license keys and critical platform events to ensure data integrity and non-repudiation.
  • Multi-tenant data isolation: Row-Level Security (RLS) policies are enforced at the database layer to ensure that each Controller's data is isolated from all other tenants. Cross-tenant data access is architecturally prevented.
  • API key security: API keys are stored as SHA-256 hashes and are never retained in plaintext after initial generation. API keys are scoped to minimum required permissions.
  • Access controls: Role-based access controls and the principle of least privilege are applied to all internal systems. Administrative access requires multi-factor authentication.
  • Vulnerability management: Regular vulnerability scanning, dependency audits, and security code reviews are conducted. Critical vulnerabilities are remediated within 48 hours of discovery.
  • Backup and recovery: Automated database backups are performed continuously with point-in-time recovery capability. Backups are retained for 30 days.

The Processor is pursuing SOC 2 Type II certification. A detailed description of all technical and organizational security measures is set out in Annex II to this DPA.

7. Data Breach Notification

The Processor shall notify the Controller of any confirmed personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it. Notification shall be made to the Controller's designated security contact or, absent such designation, to the primary account holder's email address.

The breach notification shall, to the extent information is available at the time of notification, include the following:

  • A description of the nature of the personal data breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned.
  • The name and contact details of the Processor's data protection point of contact from whom more information can be obtained (reachable at security@licentric.com).
  • The likely consequences of the personal data breach.
  • The measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all information at the same time, the Processor shall provide the information in phases without undue further delay. The Controller is responsible for notifying its relevant Supervisory Authority and, where required, affected Data Subjects, in accordance with Articles 33 and 34 of the GDPR. The Processor shall cooperate fully with the Controller in connection with any such notifications.

The Processor shall document all personal data breaches, including those not required to be notified, comprising the facts relating to the breach, its effects, and the remedial action taken. Such documentation shall be made available to the Controller upon request.

8. Cross-Border Transfers

The Processor and its Sub-processors are located in the United States. Where the Controller is established in the European Economic Area (EEA) or processes personal data of EEA Data Subjects, the transfer of personal data to the United States is governed by the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914 of 4 June 2021 (“SCCs”), which are hereby incorporated into this DPA by reference.

For transfers subject to the SCCs: the Controller acts as “data exporter” and the Processor acts as “data importer” under Module Two (Controller to Processor). The applicable options, specifications, and annexes set out in this DPA constitute the relevant provisions required by the SCCs. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail with respect to transfers of personal data from the EEA.

The Processor shall not transfer personal data to any country outside the EEA (or the United Kingdom, Switzerland, or other countries with an adequacy decision) without: (a) the transfer being subject to an adequacy decision by the European Commission; (b) appropriate safeguards being in place pursuant to Article 46 of the GDPR (including the SCCs); or (c) a derogation applying pursuant to Article 49 of the GDPR.

Upon request, the Processor shall conduct and make available to the Controller a Transfer Impact Assessment (TIA) documenting: the laws and practices of the destination country affecting compliance with the SCCs; the technical and organizational measures implemented to protect personal data in transit and at rest; and the likelihood that competent public authorities in the destination country will access the personal data.

9. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the conditions set out in this Section.

The Controller may exercise audit rights no more than once per calendar year, unless a material breach of this DPA or applicable data protection law has been confirmed by a competent authority. The Controller shall provide at least 30 days' prior written notice of any audit. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations. The Controller shall ensure that any mandated third-party auditor is bound by confidentiality obligations at least as protective as those in this DPA.

Cost allocation for audits: the Controller shall bear all costs associated with conducting audits, including travel, accommodation, and third-party auditor fees. If an audit reveals material non-compliance by the Processor with this DPA or applicable data protection law, the Processor shall bear its own remediation costs and shall reimburse the Controller for reasonable audit costs directly attributable to the identified non-compliance.

As an alternative to a direct audit, the Processor may satisfy audit requirements by providing the Controller with a current SOC 2 Type II report, ISO 27001 certification, or equivalent independent security assessment covering the Services, under appropriate confidentiality terms. The Controller shall accept such report as sufficient evidence of compliance unless it identifies specific concerns not addressed by the report.

10. Duration and Termination

This DPA shall remain in force for the duration of the Terms of Service between the parties and shall automatically terminate upon the expiration or termination of the Terms of Service, subject to the survival provisions set out below.

Upon termination or expiration of the Terms of Service for any reason, the Processor shall, at the Controller's election made in writing within 30 days of the effective date of termination:

  • Return: Return all personal data to the Controller in a structured, commonly used, and machine-readable format (JSON or CSV), including all associated metadata and audit logs; or
  • Delete: Securely delete all personal data processed on behalf of the Controller within 30 days of the termination date, using industry-standard deletion methods, and provide the Controller with written certification of deletion.

If the Controller does not make an election within 30 days of termination, the Processor shall securely delete all personal data in accordance with its standard data retention schedule. Notwithstanding the foregoing, the Processor may retain personal data for as long as required by applicable law, provided that such retained data is processed only for compliance purposes and subject to the protections of this DPA.

The following provisions of this DPA shall survive termination: Section 1 (Definitions), Section 7 (Data Breach Notification), Section 10 (Duration and Termination), Section 11 (Governing Law), and Section 12 (Liability). Audit log records required for regulatory compliance shall be retained for 7 years following termination, after which they shall be permanently deleted.

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws principles, except to the extent that applicable data protection law of another jurisdiction mandates the application of that jurisdiction's law.

For personal data processed subject to the GDPR, the Standard Contractual Clauses (Commission Decision 2021/914) incorporated herein are governed by the law of the EU Member State in which the data exporter (Controller) is established, or by the law of the Republic of Ireland where no such Member State law is specified. The supervisory authority with jurisdiction over the Controller in its Member State of establishment shall serve as the competent supervisory authority for the purposes of the SCCs.

Any dispute arising from or relating to this DPA that cannot be resolved by the parties within 30 days of written notice of the dispute shall be submitted to binding arbitration in accordance with the rules of the American Arbitration Association, with proceedings to be conducted in Wilmington, Delaware. Nothing in this Section prevents either party from seeking injunctive relief in a court of competent jurisdiction to prevent irreparable harm pending resolution of a dispute.

12. Liability

Each party's liability to the other arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service; provided, however, that nothing in the Terms of Service shall limit either party's liability under this DPA to the extent such limitation is prohibited by applicable data protection law or the Standard Contractual Clauses.

Where both parties are responsible for damage caused by a breach of this DPA or applicable data protection law, each party shall be held liable only for the damage attributable to its own fault, as determined by a court of competent jurisdiction. A party that has paid full damages to a Data Subject or Supervisory Authority shall be entitled to claim back from the other party that portion of the compensation corresponding to the other party's part of responsibility for the damage.

Notwithstanding any limitation of liability, neither party excludes or limits its liability for: (a) fraud or fraudulent misrepresentation; (b) death or personal injury caused by negligence; (c) any liability that cannot be limited or excluded by applicable law; or (d) a party's breach of its confidentiality obligations with respect to personal data.

For the avoidance of doubt, the Processor's liability for the acts and omissions of Sub-processors shall be governed by Section 4 of this DPA. Questions about this DPA may be directed to legal@licentric.com.

Annex I: Processing Details

This Annex sets out the processing details required under Article 28(3) of the GDPR and Annex I of the Standard Contractual Clauses (Commission Decision 2021/914).

| Item | Details |
| --- | --- |
| Controller (Data Exporter) | The customer entity that has entered into the Terms of Service with Licentric Inc. Contact: as specified in the customer's account registration. |
| Processor (Data Importer) | Licentric Inc., incorporated in Delaware, United States. Contact: privacy@licentric.com. |
| Categories of Data Subjects | End users of software products distributed by the Controller; licensees activating software licenses; authorized representatives of the Controller's organization; billing contacts. |
| Categories of Personal Data | Identification data: full name, email address. Technical identifiers: device fingerprints, IP addresses, hardware identifiers. License data: activation timestamps, license key hashes, seat counts. Billing data: subscription tier, billing cycle, payment method type (no raw card data stored). Support data: issue descriptions, correspondence. |
| Special Categories of Data | None. The Processor does not process special categories of personal data as defined in Article 9 GDPR. |
| Purposes of Processing | License key generation, validation, and lifecycle management; end-user activation tracking and fraud prevention; usage analytics and reporting for the Controller's dashboard; billing and subscription management; transactional email delivery; platform security operations and audit logging; technical support delivery. |
| Nature of Processing | Automated processing via REST API and dashboard; storage, retrieval, and deletion; cryptographic operations (signing, hashing, encryption); analytics aggregation. |
| Retention Periods | Account and license data: 90 days after account closure (soft delete, then hard deletion). Audit logs: 7 years from creation date (regulatory compliance). Database backups: 30 days from backup creation. Deletion requests: fulfilled within 30 days of confirmed request. |
| Subject-Matter of Processing | Software license management infrastructure as described in the Terms of Service and platform documentation at licentric.com. |
| Frequency of Transfer | Continuous, as required for platform operation throughout the term of the Services. |

Annex II: Technical and Organizational Measures

This Annex sets out the technical and organizational security measures implemented by Licentric Inc. as Processor, in accordance with Article 32 of the GDPR and Annex II of the Standard Contractual Clauses.

| Control Domain | Measures Implemented |
| --- | --- |
| Encryption at Rest | AES-256-GCM symmetric encryption for all personal data stored in the database. License keys additionally encrypted at the application layer (double encryption). API keys and license keys stored as SHA-256 hashes; plaintext values are never persisted after initial generation. |
| Encryption in Transit | TLS 1.3 enforced for all client-to-server and server-to-server communications. Older protocol versions (TLS 1.0, 1.1, SSL) are rejected. HTTP Strict Transport Security (HSTS) with 1-year max-age is served on all endpoints. |
| Cryptographic Integrity | Ed25519 elliptic curve digital signatures applied to license keys and critical events. HMAC-SHA256 used for webhook payload verification. Signature verification is mandatory for all license activations. |
| Access Control | Row-Level Security (RLS) policies enforced at the PostgreSQL database layer; tenants cannot access each other's data at any layer. API keys are scoped to minimum required permissions. Dashboard access requires a Supabase Auth session with multi-factor authentication support. Principle of least privilege applied to all service accounts. |
| Audit Logging | All sensitive operations (license activations, key revocations, account changes, billing events, data access) are logged with timestamp, actor identity, IP address, and operation details. Audit logs are append-only and retained for 7 years. Logs are available to the Controller via the dashboard and API. |
| Availability and Resilience | Database hosted on Supabase with continuous replication and point-in-time recovery (PITR). Automated backups retained for 30 days. Application hosted on the Vercel global edge network with automatic failover. Target availability: 99.9% uptime SLA. |
| Vulnerability Management | Automated dependency vulnerability scanning on every code change. Critical vulnerabilities remediated within 48 hours. High-severity vulnerabilities remediated within 7 days. Security code reviews required for all changes to authentication, cryptographic, and payment processing code. Penetration testing conducted annually. |
| Rate Limiting and DDoS Protection | Rate limiting applied to all public API endpoints (IP-based for anonymous, user-based for authenticated). Vercel Edge Network provides DDoS mitigation. API abuse detection and automatic IP blocking for suspicious patterns. |
| Personnel Measures | All personnel with access to personal data are bound by confidentiality agreements. Background checks conducted for personnel with access to production systems prior to access grant. Data protection training completed annually. Access to production data is logged and reviewed quarterly. |
| Incident Response | Documented incident response plan covering detection, containment, eradication, and recovery. Security incidents triaged within 1 hour of detection. Data breach notification to the Controller within 72 hours as required by Article 33 GDPR. Post-incident reviews conducted for all security events of severity Medium or above. |
| Physical Security | All processing occurs in cloud infrastructure (Supabase, Vercel) with no physical on-premises data storage. Cloud providers maintain SOC 2 Type II, ISO 27001, and equivalent certifications covering physical access controls, environmental controls, and media disposal. |
| Data Minimization | Only personal data strictly necessary for the provision of the Services is collected and processed. Soft-delete architecture ensures data is logically deleted immediately upon request while preserving audit integrity until the 90-day hard deletion schedule. |

The Processor reserves the right to update these measures over time to reflect improvements in the state of the art and emerging threats, provided that any such updates maintain or exceed the current level of security. Material reductions in security measures require prior written consent from the Controller. For security inquiries, contact security@licentric.com.