1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement or in applicable Data Protection Laws.
- "Affiliate" means any entity that controls, is controlled by, or is under common control with Customer.
- "Agreement" means the Etlworks Terms of Service and any signed Software Subscription Agreement between Customer and Etlworks.
- "Customer Personal Data" means personal data that Etlworks processes on behalf of Customer in connection with providing the Service.
- "Data Protection Laws" means all laws and regulations applicable to the processing of personal data under the Agreement, including GDPR, UK GDPR, and CCPA/CPRA.
- "GDPR" means EU Regulation 2016/679, as amended.
- "UK GDPR" means the GDPR as it forms part of UK law by virtue of the UK Data Protection Act 2018, as amended.
- "CCPA" means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act of 2020 (CPRA).
- "Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries, approved by the European Commission in Decision 2021/914, Module 2 (Controller-to-Processor).
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office and effective from 21 March 2022.
- "Sub-processor" means any third party engaged by Etlworks to process Customer Personal Data.
- "Security Incident" means any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
Terms not defined here — including "controller," "processor," "data subject," "personal data," "processing," and "supervisory authority" — have the meanings given in the applicable Data Protection Laws.
2. Scope and Application
2.1 This DPA applies whenever Etlworks processes Customer Personal Data on behalf of Customer in connection with the Service.
2.2 In the event of conflict between this DPA, the Agreement, and the Etlworks Privacy Policy, the order of precedence is: (1) this DPA, (2) the Agreement, (3) the Privacy Policy.
2.3 This DPA terminates automatically when the Agreement terminates, except that obligations regarding deletion or return of Customer Personal Data continue until those obligations are fulfilled.
3. Roles of the Parties
3.1 For purposes of GDPR and UK GDPR, Customer is the controller and Etlworks is the processor. Where Customer processes data on behalf of its own customers, Customer may be a processor and Etlworks a sub-processor — the Parties agree this DPA covers either scenario.
3.2 For purposes of CCPA/CPRA, Etlworks acts as a service provider with respect to Customer Personal Data.
3.3 Each Party is responsible for its own compliance with applicable Data Protection Laws.
4. Customer Responsibilities
4.1 Customer is responsible for:
- the lawfulness of personal data Customer transmits to or processes through the Service;
- providing all required notices to data subjects;
- obtaining all consents required under applicable law;
- complying with data subject rights requests, with assistance from Etlworks as set out in Section B and Section C below;
- ensuring Customer's instructions to Etlworks comply with applicable Data Protection Laws.
4.2 Customer warrants that it has authority to instruct Etlworks to process Customer Personal Data, including on behalf of any Affiliates whose data is processed through Customer's account.
5. Etlworks Obligations (General)
5.1 Etlworks will process Customer Personal Data only:
- on documented instructions from Customer (including those given through the Service or this DPA);
- as necessary to provide the Service under the Agreement;
- as required by applicable law (in which case Etlworks will inform Customer of the legal requirement before processing, unless prohibited from doing so).
5.2 Etlworks will not sell Customer Personal Data, retain it for purposes outside the Agreement, or process it for cross-context behavioral advertising.
5.3 Etlworks will not train artificial intelligence or machine learning models on Customer Personal Data, including its own AI agent. The agent operates on Customer Personal Data only within Customer's account, only when Customer instructs it to.
5.4 Etlworks ensures that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations.
B.1 Applicability
This Section B applies to the extent Etlworks processes "personal information" (as defined in CCPA) on behalf of Customer.
B.2 Service Provider Status
The Parties acknowledge that Etlworks acts as a service provider under CCPA/CPRA. Etlworks will:
- process personal information only for the business purposes specified in the Agreement;
- not sell or share personal information (as those terms are defined in CCPA/CPRA);
- not retain, use, or disclose personal information outside the direct business relationship with Customer;
- not combine personal information received from Customer with personal information from any other source, except as permitted under CCPA/CPRA;
- comply with applicable obligations under CCPA/CPRA and provide the same level of privacy protection as required by CCPA/CPRA.
B.3 Sensitive Personal Information
Etlworks will not use sensitive personal information (as defined in CPRA) for any purpose other than providing the Service to Customer. Etlworks will not use sensitive personal information for inferring characteristics about individuals.
B.4 Consumer Rights Requests
If Etlworks receives a verifiable consumer rights request from a CCPA consumer regarding Customer Personal Data, Etlworks will:
- promptly notify Customer of the request;
- direct the consumer to contact Customer;
- provide Customer with reasonable assistance, taking into account the nature of processing, to enable Customer to respond to the request.
Etlworks will not respond directly to consumer rights requests except as instructed by Customer or required by law.
B.5 Notification of Inability to Comply
Etlworks will notify Customer if Etlworks determines it can no longer meet its CCPA/CPRA obligations under this DPA. On receiving such notification, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
B.6 Audit Rights
Customer has the right, upon reasonable notice, to take reasonable and appropriate steps to ensure Etlworks's use of personal information is consistent with Customer's obligations under CCPA/CPRA. Etlworks will make available the information reasonably necessary to demonstrate compliance, subject to Section 8 (Audits) below.
C.1 Applicability
This Section C applies to the extent Etlworks processes personal data subject to GDPR or UK GDPR on behalf of Customer.
C.2 Processing Details
The subject matter, duration, nature, and purpose of processing, as well as the types of personal data and categories of data subjects, are set out in Annex 1 to this DPA.
C.3 Data Subject Rights Assistance
Etlworks will provide reasonable assistance to Customer, taking into account the nature of processing, to help Customer respond to data subject requests under GDPR / UK GDPR Articles 15–22 (right of access, rectification, erasure, restriction, portability, objection). The Service includes self-service functionality for many of these rights — Customer can use that functionality directly without contacting Etlworks.
C.4 Other Compliance Assistance
Etlworks will provide reasonable assistance to Customer with:
- security of processing (Article 32);
- data breach notifications to supervisory authorities and data subjects (Articles 33–34);
- data protection impact assessments (Article 35);
- prior consultation with supervisory authorities (Article 36).
C.5 Government and Law Enforcement Requests
If Etlworks receives a request from a government, regulator, or law enforcement authority for Customer Personal Data, Etlworks will:
- not disclose the data unless legally required to do so;
- notify Customer of the request before disclosure, unless prohibited by law;
- challenge any request that appears unlawful or overbroad, where legally permitted.
D.1 Transfer Mechanism
Etlworks is a US-based company. To the extent Customer Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to a country that is not subject to an adequacy decision, the transfer is governed by:
- The Standard Contractual Clauses (Module 2: Controller-to-Processor) for transfers from the EEA;
- The UK Addendum for transfers from the United Kingdom;
- The SCCs as adapted for Switzerland, with references to GDPR construed as references to the Swiss Federal Act on Data Protection.
By entering into this DPA, the Parties are deemed to have signed the SCCs and the UK Addendum. No separate signature ceremony is required for the transfer mechanism to apply.
D.2 Incorporation by Reference
The Parties' selections under the SCCs and UK Addendum are:
- Clause 7 (Docking clause): Optional. Not exercised.
- Clause 9 (Sub-processors): Option 2 — General written authorization. Etlworks may engage sub-processors as set out in Annex 2. Customer is notified at least 30 days before changes.
- Clause 11 (Redress): Optional independent dispute resolution body. Not exercised.
- Clause 17 (Governing law): Law of the Republic of Ireland.
- Clause 18 (Choice of forum): Courts of the Republic of Ireland.
For the UK Addendum, the start date is the effective date of this DPA, and Etlworks does not receive personal data from countries outside the UK except as permitted under UK GDPR.
D.3 Onward Transfers
Etlworks will not transfer Customer Personal Data to a sub-processor located outside the EEA, UK, or Switzerland unless:
- the sub-processor is in a country with an adequacy decision; or
- the transfer is governed by SCCs, the UK Addendum, or another lawful transfer mechanism between Etlworks and the sub-processor.
6. Security Measures
Etlworks implements appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures include:
- encryption in transit (TLS 1.2 or higher);
- encryption at rest for Customer Personal Data stored in cloud infrastructure;
- access controls limiting internal access to authorized personnel;
- annual SOC 2 Type II audits;
- HIPAA-eligible deployments under a signed Business Associate Agreement;
- regular vulnerability management, including penetration testing and dependency scanning;
- incident response procedures with defined notification timelines.
A summary of current security measures is published in our Security Architecture and Policies documentation. SOC 2 Type II reports are available to enterprise customers under NDA.
7. Security Incident Notification
7.1 If Etlworks becomes aware of a confirmed Security Incident affecting Customer Personal Data, Etlworks will:
- notify Customer without undue delay, and in any event within 72 hours of confirmation;
- provide reasonable information about the nature of the incident, the affected data, and steps taken to mitigate impact;
- provide reasonable assistance to Customer for any required notifications to supervisory authorities or data subjects.
7.2 Notification under this section is not an admission by Etlworks of fault or liability.
8. Audits
8.1 Customer can verify Etlworks's compliance with this DPA by:
- reviewing Etlworks's most recent SOC 2 Type II report (under NDA);
- requesting written responses to security and privacy questionnaires;
- conducting an audit at Customer's expense, no more than once per year, on at least 30 days' written notice, during normal business hours, and subject to confidentiality obligations.
8.2 Audits must not unreasonably interfere with Etlworks's operations or compromise the security of other customers' data. Etlworks may satisfy audit requests by providing existing third-party audit reports where they reasonably address Customer's concerns.
8.3 Etlworks will cooperate with any audit by a supervisory authority required under applicable Data Protection Laws.
9. Sub-processors
9.1 Customer authorizes Etlworks to engage the sub-processors listed in Annex 2 to process Customer Personal Data.
9.2 Etlworks will:
- enter into written agreements with each sub-processor that impose data protection obligations no less protective than those in this DPA;
- remain liable for the acts and omissions of its sub-processors as if they were its own.
9.3 Etlworks will notify Customer at least 30 days before adding or replacing a sub-processor. If Customer reasonably objects to a new sub-processor on data protection grounds, Customer may notify Etlworks in writing within 30 days of notification. The Parties will work in good faith to resolve the objection. If no resolution is reached, Customer may terminate the affected portion of the Service without penalty.
10. Term
This DPA takes effect when the Agreement takes effect and continues for as long as Etlworks processes Customer Personal Data on behalf of Customer.
11. Deletion or Return on Termination
11.1 Within 30 days after termination of the Agreement, Customer may instruct Etlworks in writing to:
- provide Customer with a complete copy of Customer Personal Data in a portable format; or
- delete all Customer Personal Data and any copies, including those held by sub-processors.
11.2 If Customer does not provide instructions within 30 days, Etlworks will delete Customer Personal Data within 90 days of termination, except as required to be retained by applicable law.
11.3 Etlworks may retain Customer Personal Data:
- where required by applicable law, only for the period and purpose required by that law;
- in routine backup snapshots, which are deleted on the standard 30-day rolling schedule.
Retained data remains subject to the confidentiality and security obligations of this DPA.
12. Liability
12.1 Each Party's liability under this DPA is subject to the limitation of liability provisions in the Agreement.
12.2 Where data subjects exercise their right to compensation under GDPR Article 82 against either Party, the Parties allocate liability between themselves according to each Party's responsibility for the breach.
13. Customer Indemnification
Customer indemnifies Etlworks against third-party claims arising from:
- Customer's instructions to Etlworks regarding processing;
- Customer's failure to obtain required consents;
- Customer's breach of warranties in this DPA;
- Customer's breach of applicable Data Protection Laws.
14. Entire Agreement; Order of Precedence
This DPA, together with the Agreement and the SCCs / UK Addendum incorporated by reference, forms the complete agreement between the Parties regarding processing of Customer Personal Data. In case of conflict: (1) SCCs and UK Addendum govern over (2) this DPA, which governs over (3) the Agreement.
15. Severability
If any provision of this DPA is held unenforceable, the remaining provisions stay in effect. The Parties will work in good faith to replace any unenforceable provision with an enforceable one that achieves the same result as closely as possible.
16. Amendments
Etlworks may update this DPA to reflect changes in applicable law, sub-processors, or security measures. Material changes are communicated to Customer at least 30 days in advance. If Customer does not agree to a material change, Customer may terminate the affected portion of the Service without penalty before the change takes effect.
17. Governing Law
This DPA is governed by the law of the Commonwealth of Pennsylvania, except where Section D requires otherwise (in which case the SCCs / UK Addendum and their respective governing laws apply to international transfers).
Details of Processing
Subject matter and duration of processing. Provision of the Service under the Agreement, for the duration of the Agreement.
Nature and purpose of processing. Etlworks processes Customer Personal Data to the extent necessary to deliver the Service: extracting, transforming, loading, replicating, transferring, and storing data Customer connects to or uploads through the Service.
Categories of data subjects. Determined by Customer. May include Customer's employees, contractors, customers, prospects, suppliers, or other individuals whose data Customer chooses to process through the Service.
Categories of personal data. Determined by Customer. May include any categories Customer connects to the Service, such as contact information, account identifiers, transactional records, employment data, or other operational data.
Special categories of data. Customer is responsible for assessing whether special categories of data (Article 9 GDPR) or sensitive personal information (CPRA) are processed through the Service, and for ensuring lawful basis. Etlworks does not actively process special categories of data except as Customer chooses to transmit them.
Frequency of processing. Continuous, for the duration of the Agreement.
Retention period. Customer Personal Data is retained for the term of the Agreement and deleted within 30 days of termination per Section F, except backup snapshots which are deleted on a 30-day rolling schedule.
Authorized Sub-processors
The following sub-processors are authorized as of the effective date of this DPA. The current list is also published in our Privacy Policy.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting (default) | US, regional options |
| Microsoft Corporation (Azure) | Cloud hosting (alternative) | Multiple regions |
| Google LLC (Google Cloud) | Cloud hosting (alternative) | Multiple regions |
| Oracle Corporation (Oracle Cloud) | Cloud hosting (alternative) | Multiple regions |
| IBM Corporation (IBM Cloud) | Cloud hosting (alternative) | Multiple regions |
| Stripe, Inc. | Payment processing | US |
| Paywhirl, Inc. | Subscription management | US |
| Zendesk, Inc. | Customer support tickets | US |
For dedicated enterprise instances, Customer can choose a hosting region from any of the cloud providers above. Most regions globally are available on request.
For questions about this DPA or to request a counter-signed copy: legal@etlworks.com
For security incidents: security@etlworks.com
Etlworks LLC
18 Rosemont Lane
Pittsburgh, PA 15217
United States