
Data Processing Addendum

Last updated April 17, 2026. Effective May 1, 2026.

This Data Processing Addendum (the "DPA") forms part of the Agreement between UpDoc, Inc. ("UpDoc" or "Processor") and the Customer ("Controller") identified in the Terms of Service or in an executed order form, and governs processing of Personal Data in connection with Hiyer. Capitalized terms used and not defined in this DPA have the meaning given in the Terms.

This DPA applies when UpDoc processes Personal Data on Customer's behalf. For the large majority of Hiyer data (survey responses in the responses table), UpDoc does not process Personal Data because the schema does not support linking a response to an identified or identifiable natural person (see Privacy Policy, Section 2). This DPA governs the rest.

1. Definitions

  • "Applicable Data Protection Law" means the GDPR, the UK GDPR, the Swiss FADP, the CCPA/CPRA, and any other similar law governing the processing of Personal Data that applies to Customer's use of the Service.
  • "Personal Data" has the meaning given in the Applicable Data Protection Law. For the avoidance of doubt, the structurally anonymous response data described in the Privacy Policy is not Personal Data.
  • "Subprocessor" means a third party engaged by UpDoc to process Personal Data on Customer's behalf. The current list is published at hiyer.updocmedia.com/legal/subprocessors.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by UpDoc.

2. Roles and scope

Customer is the Controller of Personal Data it submits into the Service. UpDoc is the Processor and processes Personal Data only on Customer's documented instructions as set out in the Agreement and this DPA, except where required by law.

3. Processing details

Subject matter

Provision of the Hiyer workforce-intelligence Service to Customer.

Duration

The duration of the Agreement, plus a wind-down period not to exceed 90 days, subject to legal-hold and audit-log obligations.

Nature and purpose

Authenticating users, administering organizations, recording survey-cycle state, distributing one-time respondent PINs, storing response data that by design cannot identify a natural person, sending transactional email, computing aggregate scores, generating AI-narrated insights, and maintaining an append-only audit trail.

Categories of data subjects

Customer's authorized users (owners, administrators, viewers) and invitees.

Categories of Personal Data

Account identifiers (email, hashed password), organization and role metadata, sign-in metadata (timestamp, provider, email domain), billing contact metadata, audit metadata.

4. Subprocessors

Customer provides general authorization for UpDoc to engage Subprocessors to provide the Service, subject to the following obligations:

  • UpDoc maintains and publishes the current list of Subprocessors at hiyer.updocmedia.com/legal/subprocessors.
  • UpDoc imposes on each Subprocessor, by written contract, data protection obligations substantially the same as those in this DPA.
  • UpDoc will notify Customer at least 14 days before onboarding a new Subprocessor that will process Personal Data. Customer on an Enterprise plan may object on reasonable data-protection grounds by written notice to UpDoc before the Subprocessor is onboarded. If the objection cannot be resolved, Customer's sole remedy is to terminate the affected subscription with a pro-rated refund of prepaid fees applicable to the period after termination.
  • UpDoc remains fully liable to Customer for the Subprocessor's acts and omissions that cause UpDoc to breach this DPA.

5. Security

UpDoc maintains the technical and organizational security measures described in the Privacy Policy, Section 9, and in the public posture document at hiyer.updocmedia.com/legal/security. In summary: Postgres row-level security for tenant isolation, structural anonymity of the response schema, append-only audit log, bcrypt + HMAC PIN protection, TLS 1.2+ in transit, at-rest encryption via the platform host, and role-based admin access with auditing.

UpDoc will maintain a SOC 2 Type II attestation (in progress) within 12 months of the Effective Date of this DPA. Until then, UpDoc will make available its security questionnaire and internal controls documentation on request.

6. Security Incident notification

UpDoc will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident that affects Customer's Personal Data. The notice will include the information required by Applicable Data Protection Law to the extent known at the time, and UpDoc will provide further information as the investigation proceeds.

UpDoc will not issue public statements about a Security Incident identifying Customer without Customer's prior written consent, except where required by law.

7. Data subject requests

Taking into account the nature of processing, UpDoc will provide reasonable assistance to Customer in responding to data subject requests for access, rectification, erasure, restriction, portability, and objection. Most requests can be fulfilled by Customer using the administrative features of the Service. For requests that require UpDoc action, email gene@updocmedia.com.

8. International transfers

Where Customer's use of the Service involves the transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to the United States, the parties agree to rely on the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor), the UK International Data Transfer Addendum, and/or the Swiss FADP equivalents, each incorporated into this DPA by reference. Additional supplementary measures, including encryption in transit and at rest and the structural anonymity described above, apply in each case.

9. Audit

UpDoc will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, including the current SOC 2 report once issued. Customer may, no more than once per 12-month period, conduct an audit of UpDoc's compliance with this DPA on 30 days' notice, during business hours, at Customer's expense, subject to reasonable confidentiality and security constraints. In lieu of an on-site audit, UpDoc may satisfy this obligation by providing the most recent SOC 2 report.

10. Return or deletion of data

On termination or expiration of the Agreement, UpDoc will, at Customer's choice, return or delete Personal Data within 90 days, except for backups, audit log entries, and billing records retained as described in the Privacy Policy.

11. Conflicts and order of precedence

In the event of conflict between this DPA and any other part of the Agreement with respect to the processing of Personal Data, this DPA controls, except that an executed order form explicitly stating the parties' intent to override a specific provision of this DPA controls to the extent of that explicit override.

12. Contact

Privacy operations, data subject requests, security incident notifications: gene@updocmedia.com.