
Legal

Data Processing Addendum

Effective April 26, 2026 | Last updated April 26, 2026 | v1.0

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Dodger AI, Inc. ("Dodger", "Processor") and the customer ("Customer", "Controller") and applies to the processing of Personal Data carried out by Dodger when providing the Service. It reflects the requirements of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, and applicable US state privacy laws including the California Consumer Privacy Act as amended ("CCPA/CPRA").

How to execute. If you require a counter-signed copy of this DPA on your organisation's letterhead, email legal@dodger.ai with your legal entity name, jurisdiction, and signatory contact. Otherwise this DPA is incorporated into the Terms by reference and is legally binding without a separate signature.

Contents

  1. Definitions
  2. Roles & scope
  3. Customer instructions
  4. Confidentiality
  5. Security measures
  6. Sub-processors
  7. Data subject requests
  8. Personal data breaches
  9. DPIAs & consultation
  10. International transfers
  11. Return & deletion
  12. Audits
  13. US state laws
  14. Liability
  15. General
  16. Annex I — Processing details
  17. Annex II — Security measures
  18. Annex III — Sub-processors

01 Definitions

Capitalised terms not defined here have the meaning given in the Terms or in the GDPR. "Personal Data", "Controller", "Processor", "Processing", "Data Subject", and "Personal Data Breach" have the meanings given in the GDPR. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021. "UK Addendum" means the International Data Transfer Addendum issued by the UK Information Commissioner's Office. "Sub-processor" means any third party engaged by Dodger to Process Personal Data on its behalf in connection with the Service.

02 Roles & scope

Customer is the Controller of Personal Data submitted to the Service ("Customer Personal Data"). Dodger is the Processor and Processes Customer Personal Data on Customer's behalf for the purposes set out in Annex I. Each party will comply with the obligations applicable to it under Data Protection Law.

For limited categories — including account contact details, billing data, and aggregated security and product-usage telemetry — Dodger acts as an independent Controller and Processes that data in accordance with our Privacy Policy.

03 Customer instructions

Dodger will Process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to Process by applicable law (in which case Dodger will inform Customer of that legal requirement before Processing, unless prohibited by law). The Terms, this DPA, the Service's documented features, and Customer's configuration of the Service together constitute Customer's complete and final instructions. Additional instructions require a written agreement between the parties.

Dodger will inform Customer if, in its opinion, an instruction infringes Data Protection Law.

04 Confidentiality

Dodger ensures that personnel authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations and have received appropriate data protection training.

05 Security measures

Dodger has implemented and will maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. The current measures are described in Annex II. Customer acknowledges that the measures are subject to technical progress and that Dodger may update them from time to time provided that the overall level of protection is not reduced.

06 Sub-processors

Customer authorises Dodger to engage Sub-processors to Process Customer Personal Data in connection with the Service. The current list of Sub-processors is set out in Annex III. Before engaging a new Sub-processor or replacing an existing one, Dodger will:

  • impose contractual obligations on the Sub-processor that are no less protective than those in this DPA;
  • remain liable for the Sub-processor's acts and omissions to the same extent Dodger would be liable if performing the services directly; and
  • provide Customer with at least 30 days' prior notice — by updating Annex III and emailing the address Customer has registered for legal notices, where one has been provided — during which Customer may object on reasonable data-protection grounds. If the parties cannot resolve a reasonable objection, Customer may terminate the affected portion of the Service for convenience and receive a pro-rata refund of pre-paid fees for the unused period.

07 Data subject requests

The Service includes self-service tools that allow Customer to access, export, correct, delete, and restrict Processing of Customer Personal Data. To the extent Customer cannot achieve a Data Subject's request through those tools, Dodger will, on Customer's reasonable written request and at Customer's expense (where the work is significant), provide reasonable assistance.

If Dodger receives a request directly from a Data Subject relating to Customer Personal Data, Dodger will not respond to that request directly without Customer's authorisation, except to acknowledge receipt and refer the Data Subject to Customer.

08 Personal data breaches

Dodger will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed. Dodger will provide reasonable assistance to Customer in fulfilling Customer's notification obligations under Data Protection Law.

Dodger's notification of, or response to, a Personal Data Breach is not an admission of fault or liability.

09 DPIAs & consultation

On Customer's reasonable request and taking into account the nature of the Processing and the information available to Dodger, Dodger will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities.

10 International transfers

Customer Personal Data is primarily Processed in the United States. Where Customer Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision, the parties agree that:

  • the SCCs (Module 2: Controller-to-Processor or Module 3: Processor-to-Processor, as applicable) are incorporated by reference and apply to the transfer, with the optional clauses selected as set out in Annex I;
  • the UK Addendum is incorporated by reference and applies to transfers governed by the UK GDPR; and
  • for transfers from Switzerland, references in the SCCs to the GDPR are read as references to the Swiss FADP and references to supervisory authorities and courts include the Swiss Federal Data Protection and Information Commissioner.

Dodger has implemented supplementary measures, including encryption in transit and at rest, access controls, and contractual challenges to over-broad government access requests, to address the risks identified in Schrems II.

11 Return & deletion

On termination or expiry of the Terms, Dodger will, at Customer's choice, delete or return Customer Personal Data within 30 days, and will delete existing copies unless retention is required by law. Backups containing Customer Personal Data are overwritten in the ordinary course within 30 days. Customer may also delete its data at any time using the in-product self-service tools.

12 Audits

Dodger will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports, security certifications, and a written description of Dodger's security programme. Customer may, on at least 30 days' prior written notice and not more than once per 12-month period (except where Customer has reasonable grounds to suspect non-compliance, or where required by a supervisory authority), request an audit conducted by an independent third-party auditor agreed by the parties, during business hours, in a manner that does not interfere with Dodger's operations and subject to confidentiality obligations. Customer bears the cost of any audit it commissions.

13 US state laws

To the extent the CCPA/CPRA or another US state privacy law applies, Dodger acts as a "service provider" or "processor" (as defined in the applicable law) with respect to Customer Personal Data. Dodger will not:

  • sell or share Customer Personal Data;
  • retain, use, or disclose Customer Personal Data outside of the direct business relationship between the parties or for any purpose other than the specific purpose of providing the Service; or
  • combine Customer Personal Data with personal information received from another source, except as permitted by applicable law.

Dodger certifies that it understands and will comply with these restrictions.

14 Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms. The parties agree that any data-protection-related claim against Dodger arising out of or in connection with the Terms or this DPA will be considered a single claim for purposes of those limitations.

15 General

This DPA and the Annexes form an integral part of the Terms. In the event of a conflict between this DPA and any other agreement between the parties, this DPA prevails on matters relating to data protection. The SCCs, where applicable, prevail over this DPA on matters they govern. Dodger may update this DPA where required to reflect a change in law, regulatory guidance, or our security programme; updates that materially reduce Customer's rights will not take effect for an existing customer earlier than 30 days after notice is given.


A1 Annex I — Processing details

A. List of parties

  • Data exporter / Controller: The Customer identified in the Order Form or account record.
  • Data importer / Processor: Dodger AI, Inc., a Delaware corporation, contact: legal@dodger.ai.

B. Description of transfer

  • Categories of Data Subjects: Customer's authorised users; individuals whose information is included in inputs Customer chooses to submit (e.g., names mentioned in briefs, attached documents).
  • Categories of Personal Data: Identifiers (name, email, account ID); authentication metadata; project inputs and outputs; usage logs; IP address and device metadata; billing identifiers (no payment card data is stored by Dodger).
  • Special categories: Not intended. Customer agrees not to submit special categories of Personal Data, criminal-conviction data, or data of children under 16.
  • Frequency of transfer: Continuous, on a per-request basis.
  • Nature of Processing: Hosting, storage, transmission, AI-assisted analysis and synthesis, authentication, billing, support, monitoring, and backup.
  • Purpose of Processing: Providing and securing the Service as described in the Terms.
  • Retention: For the duration of the Terms; deleted within 30 days of termination unless retention is required by law.

C. Competent supervisory authority

Where the GDPR applies, the supervisory authority of the EU Member State where the Customer's main establishment is located. Where the UK GDPR applies, the UK Information Commissioner's Office. Where the Swiss FADP applies, the Swiss Federal Data Protection and Information Commissioner.

D. SCC options

  • Module 2 applies where Customer is the Controller and Dodger is the Processor; Module 3 applies where Customer is itself a Processor for an underlying Controller.
  • Clause 7 (docking clause): not used.
  • Clause 9 (sub-processor authorisation): Option 2 — general written authorisation, with at least 30 days' notice of changes.
  • Clause 11 (redress): the optional independent dispute resolution body is not selected.
  • Clause 17 (governing law): the law of Ireland.
  • Clause 18 (forum): the courts of Ireland.

A2 Annex II — Security measures

Dodger maintains the following measures, as reasonable and appropriate to the risk:

  • Encryption. TLS 1.2+ for all data in transit. AES-256 (or stronger) encryption at rest for the primary database and object storage.
  • Authentication. Identity provided by WorkOS AuthKit; multi-factor authentication available; SSO/OIDC for administrative access; mandatory MFA for all Dodger personnel with production access.
  • API key handling. Customer-issued API keys are SHA-256 hashed at rest; only a non-reversible prefix is shown for identification.
  • Access control. Least-privilege role-based access; Postgres row-level security for tenant isolation; service-role keys restricted to backend functions; production access logged and reviewed.
  • Network security. Cloudflare DDoS protection and Web Application Firewall in front of public endpoints; restricted egress from worker infrastructure.
  • Application security. Code review on every change, dependency vulnerability scanning, static analysis on backend code, and a documented secure software development lifecycle.
  • Logging & monitoring. Centralised application and infrastructure logs with anomaly alerting; security-relevant events retained for at least 90 days.
  • Backups & resilience. Daily encrypted backups of the Postgres database with point-in-time recovery; documented restore procedures; periodic restore testing.
  • Vulnerability management. Dependency CVE scanning, prompt patching of high and critical issues, and a responsible-disclosure channel at security@dodger.ai.
  • Incident response. Documented incident-response runbook, designated incident commander, and post-incident review.
  • Personnel. Background checks where lawful, confidentiality obligations, and annual security and privacy training.
  • Vendor management. Security and privacy review of Sub-processors before onboarding and at least annually thereafter.

A3 Annex III — Sub-processors

The following Sub-processors are engaged to provide the Service as of the date above:

| Sub-processor | Role | Data & processing | Region |
| Anthropic, PBC | LLM inference | Project inputs and prompts sent for inference; output returned. Contractually excluded from foundation-model training. | USA |
| Supabase, Inc. | Database, authentication backend, storage, edge functions | Account data, project inputs and outputs, file attachments, session and metadata. | USA (AWS us-east-2) |
| WorkOS, Inc. | Authentication & SSO | Authentication identifiers, session tokens, SSO metadata. | USA |
| Stripe, Inc. | Payments & billing | Customer ID, billing email, plan selection, invoice metadata. Card data is collected and stored by Stripe under its own controller obligations. | USA |
| Resend, Inc. | Transactional email | Recipient email address, email content, delivery metadata. | USA |
| Browserbase, Inc. | Headless-browser infrastructure for usability simulations | Target URLs, simulated session inputs, screenshots, and DOM snapshots produced during usability runs. | USA |
| Cloudflare, Inc. | CDN, DNS, edge compute (Workers), DDoS & WAF | HTTP request metadata, IP addresses, user agents, transit caching of static assets. | Global edge; USA HQ |
| Lago, Inc. | Usage-based billing & metering | Workspace identifiers and aggregate usage events used to calculate plan consumption. | USA / France |

To subscribe to email notifications about changes to this list — additions, replacements, or removals of Sub-processors — email legal@dodger.ai with the subject "Subscribe: DPA Annex III".

Entity: Dodger AI, Inc.
Legal: legal@dodger.ai
Privacy: privacy@dodger.ai
Security: security@dodger.ai