DATA PROCESSING ADDENDUM

Sidero Labs, Inc.

Version 1.1 — March 13, 2026

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the agreement for Sidero Labs’ Services (the “Agreement”) between Sidero Labs, Inc. (“Sidero,” “Processor”) and the entity or person agreeing to the Agreement (“Customer,” “Controller”).

This DPA applies to the extent that Sidero processes Personal Data on behalf of Customer in connection with the provision of the Services. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

The parties agree as follows:

1. Definitions

Capitalized terms not defined herein shall have the meaning given to them in the Agreement. In this DPA:

“Applicable Data Protection Law” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under this DPA, including (as applicable) the GDPR, UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act (as amended by CPRA), and any other applicable data protection legislation.

“Customer Data” means any data, including Personal Data, that Customer or its Authorized Users submit to or store within the Services.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Sidero on behalf of Customer as part of the Customer Data.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Sidero.

“SCCs” means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914.

“Sub-processor” means any third party engaged by Sidero to process Personal Data on behalf of Customer.

“UK GDPR” means the GDPR as retained in United Kingdom law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

2. Scope and Roles

2.1 Roles of the Parties

The parties acknowledge and agree that with respect to Customer Data: (a) Customer is the Controller; (b) Sidero is the Processor; and (c) Sidero shall process Customer Data only on behalf of and in accordance with Customer’s documented instructions.

2.2 Customer Obligations

Customer shall: (a) comply with its obligations under Applicable Data Protection Law with respect to its collection and use of Personal Data and its instructions to Sidero; (b) ensure that it has provided all necessary notices and obtained all necessary consents and rights for the lawful transfer of Personal Data to Sidero; and (c) be solely responsible for the accuracy, quality, and legality of Customer Data.

3. Processing Instructions

3.1 Sidero shall process Personal Data only in accordance with Customer’s documented instructions, unless required to do so by Applicable Data Protection Law. The Agreement (including this DPA) constitutes Customer’s complete and final instructions to Sidero for the processing of Personal Data. Any additional or alternative instructions must be agreed upon separately in writing.

3.2 Sidero shall immediately inform Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Law.

3.3 The subject matter, duration, nature, and purpose of the processing, the types of Personal Data processed, and the categories of data subjects are described in Annex I.

4. Confidentiality

4.1 Sidero shall ensure that any person authorized to process Personal Data under this DPA is subject to a duty of confidentiality (whether contractual or statutory).

4.2 Sidero shall not disclose Personal Data to any third party except as necessary to perform the Services, as authorized by Customer, or as required by Applicable Data Protection Law.

5. Security Measures

5.1 Sidero shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures shall include, at a minimum, the measures described in Annex II.

5.2 Sidero maintains SOC 2 Type II certification and undergoes annual independent audits of its security controls.

5.3 Sidero shall regularly test, assess, and evaluate the effectiveness of its technical and organizational measures for ensuring the security of processing.

6. Sub-processors

6.1 Customer provides general authorization for Sidero to engage Sub-processors to process Personal Data on Customer’s behalf. The current list of Sub-processors is set forth in Annex III and is also published at https://www.siderolabs.com/privacy-policy/.

6.2 Sidero shall notify Customer of any intended changes to its Sub-processors by updating the Sub-processor list at least fourteen (14) days before the new Sub-processor begins processing Personal Data. Customer may subscribe to email notifications of such changes by contacting [email protected].

6.3 If Customer has a reasonable objection to a new Sub-processor, Customer shall notify Sidero in writing within fourteen (14) days of receiving notice. The parties shall discuss the objection in good faith. If Sidero cannot reasonably accommodate the objection, Customer may terminate the affected portion of the Services without penalty upon thirty (30) days’ written notice.

6.4 Sidero shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA. Sidero shall remain liable for the acts and omissions of its Sub-processors to the same extent as if they were Sidero’s own acts and omissions.

7. Data Subject Rights

7.1 Sidero shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer’s obligation to respond to requests from data subjects exercising their rights under Applicable Data Protection Law.

7.2 If Sidero receives a request directly from a data subject, Sidero shall promptly redirect the data subject to Customer and notify Customer of the request, unless otherwise required by Applicable Data Protection Law.

8. Personal Data Breach

8.1 Sidero shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Data.

8.2 Such notification shall include, to the extent available:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of data subjects and records concerned;
  • The name and contact details of Sidero’s point of contact;
  • A description of the likely consequences of the breach;
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its adverse effects.

8.3 Sidero shall cooperate with Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

9. Data Protection Impact Assessments

Sidero shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law and taking into account the nature of the processing and the information available to Sidero.

10. Data Return and Deletion

10.1 Upon termination or expiration of the Agreement, Sidero shall, at Customer’s election, return or delete all Customer Data (including Personal Data) within ninety (90) days, unless retention is required by Applicable Data Protection Law.

10.2 Sidero shall certify in writing the deletion of Customer Data upon Customer’s written request.

10.3 Sidero may retain copies of Customer Data to the extent required by Applicable Data Protection Law, provided that Sidero shall maintain the confidentiality of such data and shall not actively process it for any purpose other than compliance with such law.

11. Audit Rights

11.1 Sidero shall make available to Customer, on request, all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.

11.2 Customer (or its appointed third-party auditor, subject to reasonable confidentiality obligations) may conduct an audit of Sidero’s processing activities under this DPA no more than once per twelve (12) month period, upon at least thirty (30) days’ prior written notice, during normal business hours, and in a manner that does not unreasonably disrupt Sidero’s operations.

11.3 In lieu of an on-site audit, Sidero may, at its discretion, provide Customer with: (a) a copy of its most recent SOC 2 Type II audit report; (b) responses to a reasonable information security questionnaire; or (c) other documentation demonstrating compliance.

11.4 Audits shall be at Customer’s expense unless the audit reveals a material breach of this DPA by Sidero.

12. International Data Transfers

12.1 Customer acknowledges that Sidero and its Sub-processors may process Personal Data in the United States and other countries outside the EEA, UK, and Switzerland.

12.2 To the extent that such processing involves the transfer of Personal Data from the EEA, Sidero shall ensure that appropriate safeguards are in place through the use of the Standard Contractual Clauses (SCCs), Commission Implementing Decision (EU) 2021/914. The SCCs are hereby incorporated into this DPA by reference.

12.3 For transfers of Personal Data from the United Kingdom, Sidero shall rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.

12.4 For transfers of Personal Data from Switzerland, Sidero shall rely on the SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC).

12.5 The parties agree that Sidero is the “data importer” and Customer is the “data exporter” for the purposes of the SCCs. Module Two (Controller to Processor) of the SCCs shall apply.

12.6 Sidero has appointed Data Protection Representative Limited (trading as DataRep) as its representative pursuant to Article 27 of the GDPR and Article 27 of the UK GDPR, and as its representative under the Swiss Federal Act on Data Protection (FADP). DataRep may be contacted at [email protected] or via www.datarep.com/data-request. Postal addresses: EU/EEA — DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland; UK — DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom; Switzerland — DataRep, Leutschenbachstrasse 95, Zurich, 8050, Switzerland. Data subjects and supervisory authorities in the EU, UK, and Switzerland may contact DataRep regarding Sidero’s processing of Personal Data under this DPA.

13. Liability

Each party’s liability under this DPA shall be subject to the limitations of liability set out in the Agreement. Nothing in this DPA shall limit either party’s liability with respect to claims by data subjects or supervisory authorities to the extent such limitation is prohibited by Applicable Data Protection Law.

14. Term and Termination

14.1 This DPA shall take effect on the effective date of the Agreement and shall remain in effect for the duration of the Agreement.

14.2 The obligations of Sidero under this DPA with respect to any Personal Data retained after termination shall survive until such data is deleted.

15. Governing Law

This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, except that where required by Applicable Data Protection Law, the mandatory data protection laws of the relevant jurisdiction shall apply.

16. General Provisions

16.1 This DPA constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior or contemporaneous agreements on that subject.

16.2 Amendments to this DPA must be in writing and signed by both parties.

16.3 If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.


— ANNEXES —

Annex I: Details of Processing

A. Subject Matter and Duration

Sidero processes Personal Data for the purpose of providing the Services described in the Agreement, for the duration of the Agreement.

B. Nature and Purpose of Processing

The provision, operation, and support of the Omni SaaS platform, including hosting customer workloads, authenticating users, processing transactions, providing technical support, and sending transactional communications.

C. Types of Personal Data

  • Contact information (name, email address, phone number, company name, job title)
  • Account credentials and authentication data
  • Usage and log data (IP addresses, browser type, access timestamps)
  • Billing and transaction data
  • Support ticket content (which may include diagnostic data such as log files, hostnames, or screenshots provided by the user)
  • Any other Personal Data that Customer or its Authorized Users submit to the Services

D. Categories of Data Subjects

  • Customer’s employees, contractors, and authorized users of the Services
  • Customer’s end users whose data is submitted to or stored within the Services
  • Customer’s contacts, vendors, or other individuals whose data Customer submits to the Services

E. Sensitive Data

The Services are not designed for the processing of special categories of data (as defined under GDPR Article 9) or sensitive personal information. Customer shall not submit such data to the Services unless expressly agreed in writing.

Annex II: Technical and Organizational Security Measures

Sidero maintains the following security measures to protect Personal Data:

A. Organizational Measures

  • SOC 2 Type II certification with annual independent audits
  • Information security policies and procedures reviewed at least annually
  • Employee security awareness training upon hire and annually thereafter
  • Background checks for employees with access to Customer Data
  • Designated security personnel responsible for information security
  • Incident response plan tested and updated at least annually

B. Technical Measures

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-128 or higher
  • Multi-factor authentication for all administrative access
  • Role-based access controls implementing the principle of least privilege
  • Network segmentation and firewall protections
  • Automated vulnerability scanning and regular penetration testing
  • Centralized logging and monitoring of security events
  • Automated backup and disaster recovery procedures

C. Physical Measures

Sidero’s infrastructure is hosted by third-party cloud providers (see Annex III). Physical security is maintained by those providers in accordance with their respective security certifications (including SOC 2 and ISO 27001).

Annex III: Authorized Sub-processors

As of the effective date of this DPA, Sidero engages the following Sub-processors:

Sub-processor              | Purpose                               | Location
---------------------------|---------------------------------------|-----------
Amazon Web Services (AWS)  | Cloud Infrastructure & Hosting        | USA / EMEA
HubSpot                    | Customer Relationship Management (CRM)| USA
Stripe                     | Payment Processing & Billing          | USA
Google Analytics           | Usage Analytics & Performance         | USA
Pylon Labs, Inc.           | Customer Support Management           | USA
PhoenixNAP                 | Cloud Infrastructure & Hosting        | USA / EU
SendGrid                   | Email Delivery                        | USA
Cloudflare                 | CDN                                   | USA / EU
Auth0                      | Authentication                        | USA / EU
Google Workspace           | Email for Sidero Employees            | USA / EU
SecureDocs                 | Contract Signing and Storage          | USA
UserPilot                  | Error Tracking and Analytics          | USA / EU

The current Sub-processor list is also maintained at https://www.siderolabs.com/privacy-policy/. Changes are notified with at least fourteen (14) days’ advance notice as described in Section 6.