Data Security Addendum (DSA)

Last updated: June 20, 2026

This Data Security Addendum governs the processing of personal data by Excede, Inc. on behalf of customers who access the Service through Excede's self-serve platform. By accepting Excede's Terms of Service, Customer agrees to be bound by this DSA.

1. Definitions

"Breach" means any unauthorized access, disclosure, modification, destruction, or loss of Personal Data or Customer Data.

"CCPA" means the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act (CPRA).

"Consumer" means a natural person who is a resident of the State of California and is not a job applicant, employee, or contractor of Customer.

"Controller" (under GDPR) means the entity that determines the purposes and means of processing Personal Data. For purposes of this DSA, Customer is the Controller.

"Data Subject" means any identified or identifiable natural person to whom Personal Data relates (under GDPR).

"GDPR" means the General Data Protection Regulation (EU 2016/679) and equivalent laws in the EEA, UK, and Switzerland.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under GDPR, CCPA, or other applicable data protection laws.

"Processor" (under GDPR) means the entity that processes Personal Data on behalf of the Controller. For purposes of this DSA, Excede is the Processor.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, or erasure.

"Service Provider" (under CCPA) means a for-profit entity that processes Consumer data on behalf of Customer (the "business" under CCPA) and is prohibited from using or disclosing Personal Information for any purpose other than performing the Services.

"Sub-Processor" means any entity engaged by Excede (or another Sub-Processor) to process Personal Data on behalf of Customer.

2. Data Processing Terms (GDPR Compliance)

This section applies when Customer is a data Controller under GDPR and Excede is a Processor.

2.1 Scope of Processing

Excede shall process Personal Data only on documented instructions from Customer, including regarding international transfers of Personal Data, unless required by applicable law.

Processing Activities:

  • Data is processed to provide the Services described in the SOW
  • Excede may access, use, and store Personal Data necessary to operate the Services
  • Excede may process Personal Data to maintain security, prevent fraud, and comply with legal obligations

Categories of Personal Data Processed:

  • Company contact information (names, email addresses, phone numbers)
  • Employee/project team information (names, email addresses, roles)
  • Project information (project names, timelines, budgets, resource allocations)
  • Financial data (revenue figures, cost data, margin information)
  • System usage data (login information, activity logs)
  • Any other Personal Data Customer inputs into the Services

Categories of Data Subjects:

  • Customer's employees
  • Customer's contractors and consultants
  • Customer's clients and project stakeholders
  • Other individuals whose data is entered into the Services

Duration of Processing:

  • During the term of the MSA
  • Upon termination, as described in Section 10 (Data Deletion & Return)

2.2 Purpose of Processing

Personal Data is processed solely for the purpose of:

  1. Providing the Services (Growth, Execution, Finance modules)
  2. Operating and maintaining the Services (security, updates, support)
  3. Complying with legal obligations (as required by law)
  4. Creating anonymized, aggregated reports (with identifiers removed)

Excede shall not process Personal Data for any other purpose without prior written authorization from Customer.

2.3 Data Processor Obligations

Excede shall:

A. Security:

  • Implement and maintain appropriate technical and organizational security measures (detailed in Section 4)
  • Ensure that persons authorized to process Personal Data are committed to confidentiality or under an appropriate legal obligation of confidentiality
  • Implement encryption for data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
  • Maintain access controls to restrict processing to authorized personnel
  • Conduct regular security assessments and penetration testing
  • Maintain an incident response plan

B. Confidentiality:

  • Ensure that persons processing Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel with a legitimate need to know
  • Ensure all employees and contractors handling Personal Data are trained on data protection

C. Compliance:

  • Process Personal Data only on instructions from Customer
  • Assist Customer in meeting GDPR obligations (data subject rights requests, impact assessments, etc.)
  • Notify Customer without undue delay if a Processing instruction violates GDPR
  • Maintain records of Processing activities (as required by GDPR Article 30)
  • Comply with data subject rights requests within 10 business days of notice from Customer

D. Sub-Processors:

  • Obtain prior written authorization from Customer before engaging Sub-Processors
  • Impose equivalent data protection obligations on Sub-Processors via written contract
  • Remain liable to Customer for Sub-Processor performance

E. Audit & Compliance:

  • Make available to Customer all information reasonably necessary to demonstrate compliance with GDPR Article 28
  • Allow Customer to conduct audits or appoint an independent auditor
  • Notify Customer of audits by competent authorities (unless prohibited by law)

2.4 Customer's Role as Controller

Customer, as the Controller, is responsible for:

  • Determining the purposes and means of Processing
  • Ensuring legal basis for Processing (consent, contract, legal obligation, vital interests, public task, legitimate interests)
  • Providing lawful instructions to Excede
  • Notifying Excede of data protection policies
  • Responding to data subject rights requests (with Excede's assistance)
  • Conducting data protection impact assessments
  • Registering Processing activities with supervisory authorities (if required)
  • Ensuring lawfulness of data collection and Processing

3. Customer Compliance Obligations

3.1 Lawful Basis for Processing

Customer is responsible for ensuring it has a lawful basis under GDPR or applicable law to process Personal Data. Customer warrants that:

  • It has obtained necessary consents from data subjects (if consent is the lawful basis)
  • It has provided required privacy notices to data subjects
  • It has documented its lawful basis for Processing
  • Processing is necessary for the purposes stated

3.2 Privacy Notice

Customer shall provide a privacy notice to data subjects that includes:

  • Identity of the Controller (Customer)
  • Purpose of Processing
  • Identity of the Processor (Excede, Inc.)
  • Data subject rights (access, correction, deletion, objection, etc.)
  • Duration of Processing
  • Existence of automated decision-making (if applicable)

3.3 Data Quality

Customer is responsible for:

  • Ensuring Personal Data is accurate, complete, and current
  • Updating or correcting inaccurate Personal Data
  • Limiting Processing to what is necessary for the stated purposes
  • Deleting Personal Data that is no longer necessary

Excede is not responsible for the accuracy or quality of Customer's data.

3.4 Legal Basis Documentation

Customer shall maintain documentation of the lawful basis for Processing (consent, contract, legal obligation, vital interests, public task, or legitimate interests) and make this available to Excede or supervisory authorities upon request.

3.5 Third Party Integrations

The Services permit Customer to connect third-party business systems ("Third-Party Integrations"), including without limitation accounting, HR, time-tracking, and email/calendar systems, via OAuth or API credentials. Customer represents and warrants that it has all rights, consents, authorizations, and authority necessary to connect each Third-Party Integration and to instruct Excede to access, retrieve, and process data from such systems. Third-Party Integrations are governed by Customer's own agreements with the respective providers; such providers are not Sub-Processors of Excede. Excede shall access Third-Party Integrations solely on Customer's documented instructions for the purpose of providing the Services, and shall secure all integration credentials using encryption at rest, minimum-necessary scopes, and revocation upon disconnection or termination.

4. Excede Security Obligations

4.1 Technical Measures

Excede shall implement the following technical security measures:

A. Encryption:

  • Data in Transit: TLS 1.2 or higher (minimum AES-128)
  • Data at Rest: AES-256 encryption for sensitive data
  • Encryption keys managed by Excede and stored separately from the encrypted data, so that Customer Data cannot be decrypted without those keys
  • Key management procedures documented and regularly reviewed

B. Access Controls:

  • Role-based access control (RBAC) limiting access to authorized personnel
  • Multi-factor authentication (MFA) for all user accounts
  • Principle of least privilege (employees access only data necessary for their role)
  • Regular access reviews (quarterly minimum)
  • Immediate deprovisioning of access for terminated employees

C. Network Security:

  • Firewalls and intrusion detection/prevention systems
  • DDoS protection and monitoring
  • Regular security patching (critical patches within 7 days)
  • Virtual private network (VPN) for remote access
  • Secure API endpoints with authentication

D. Data Isolation:

  • Logical separation of Customer Data (multi-tenant architecture with technical controls)
  • Database-level access controls
  • Regular backups (daily minimum) stored securely and encrypted
  • Backup restoration testing (quarterly minimum)

4.2 Organizational Measures

A. Personnel:

  • Background checks for personnel handling Personal Data
  • Mandatory data protection and security training for all employees
  • Written confidentiality agreements with all employees
  • Annual security awareness training
  • Disciplinary procedures for unauthorized access

B. Access Controls & Logging:

  • Logging of all access to Personal Data (logs retained for minimum 1 year)
  • Monitoring for suspicious activity
  • Regular review of access logs (monthly minimum)
  • Automatic session timeouts (15 minutes of inactivity)
  • Prohibition of unauthorized downloads or exports

C. Incident Response:

  • Documented incident response plan
  • Designation of security incident coordinator
  • 24/7 incident reporting capability
  • Incident response procedures tested annually
  • Post-incident reviews and remediation

D. Vendor Management:

  • Security assessments of Sub-Processors (before engagement and annually)
  • Data processing agreements with Sub-Processors
  • Regular security reviews of vendor relationships
  • Right to audit Sub-Processor security

4.3 Third-Party Certifications

Excede shall maintain (or pursue):

  • SOC 2 Type II report (Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality)
    • Third-party attestation covering controls relevant to security, availability, processing integrity, and confidentiality
    • Report provided to Customer upon request
    • Target: Achieved within 12 months of commercial availability
  • ISO/IEC 27001 certification (Information Security Management)
    • International standard for an information security management system
    • Third-party audit confirming implementation of security controls
    • Target: Achieved within 24 months of commercial availability
  • GDPR Compliance Assessment
    • Regular assessment of compliance with GDPR requirements
    • Documentation provided to Customer upon request

During the interim period before certifications are obtained:

  • Excede shall conduct annual independent security assessments
  • Results provided to Customer upon request
  • Security gaps identified and remediation timeline established

4.4 Security Standards Compliance

Excede shall comply with industry best practices for data security, including:

  • NIST Cybersecurity Framework
  • CIS Critical Security Controls
  • OWASP Top 10 (for web application security)
  • PCI DSS (if processing payment card data)

4.5 Vulnerability Management

Excede shall:

  • Conduct regular vulnerability assessments (quarterly minimum)
  • Perform annual penetration testing by qualified third party
  • Maintain a vulnerability disclosure policy
  • Remediate vulnerabilities promptly (critical: within 7 days, high: within 30 days)
  • Provide vulnerability assessment reports to Customer upon request

5. Data Subject & Consumer Rights

5.1 GDPR Data Subject Rights

Under GDPR, data subjects have the following rights. Customer is primarily responsible for fulfilling these requests; Excede shall assist as follows:

A. Right of Access (Article 15)

  • Data subjects may request access to their Personal Data
  • Excede shall provide requested data in common machine-readable format
  • Response timeframe: 10 business days of notice from Customer
  • Excede shall not charge a fee (unless request is excessive or repetitive)

B. Right to Rectification (Article 16)

  • Data subjects may request correction of inaccurate data
  • Excede shall correct data promptly upon Customer's instruction
  • Excede shall notify other recipients of the correction (unless impracticable)
  • Response timeframe: 10 business days

C. Right to Erasure (Article 17)

  • Data subjects may request deletion of their Personal Data
  • Excede shall delete data upon Customer's instruction (exceptions: legal obligation, contract necessity, etc.)
  • Excede shall notify other recipients of deletion requests (where applicable)
  • Response timeframe: 10 business days

D. Right to Restrict Processing (Article 18)

  • Data subjects may request restriction of Processing
  • Excede shall restrict access/use of Personal Data upon Customer's instruction
  • Restriction lifted upon Customer's instruction
  • Response timeframe: 10 business days

E. Right to Data Portability (Article 20)

  • Data subjects may request Personal Data in portable format
  • Excede shall provide data in common machine-readable format (CSV, JSON, XML)
  • Data shall be provided directly to the data subject or transmitted to another controller (as requested, where technically feasible)
  • Response timeframe: 10 business days

F. Right to Object (Article 21)

  • Data subjects may object to Processing based on legitimate interests or a public task, and may object at any time to Processing for direct marketing
  • Excede shall cease the objected-to Processing (including direct marketing) upon Customer's instruction
  • Response timeframe: 10 business days

G. Right Not to Be Subject to Automated Decision-Making (Article 22)

  • Data subjects may request human review of automated decisions
  • Excede shall not implement automated decision-making affecting data subjects without Customer authorization
  • If implemented, Excede shall provide explanation and allow data subject to request human review

5.2 CCPA Consumer Rights

Under CCPA, California consumers have the following rights:

A. Right to Know (CCPA § 1798.100)

  • Consumers may request what Personal Information is collected, used, disclosed, or sold
  • Excede shall assist Customer in responding within 45 days (extendable 45 days)
  • Information provided in portable, understandable format
  • Free response to request (except if excessive or repetitive)

B. Right to Delete (CCPA § 1798.105)

  • Consumers may request deletion of Personal Information
  • Excede shall delete data upon Customer's instruction (exceptions: legal obligation, contract necessity, etc.)
  • Response timeframe: 45 days (extendable 45 days)

C. Right to Opt-Out of Sale/Sharing (CCPA § 1798.120)

  • Consumers may opt-out of "sale" or "sharing" of Personal Information
  • Excede shall not sell or share Consumer Personal Information
  • Excede shall comply with opt-out requests within 45 days
  • Opt-out requests shall be honored until the Consumer opts back in; Customer shall wait at least 12 months before asking the Consumer to re-authorize sale or sharing

D. Right to Correct (CCPA § 1798.106)

  • Consumers may request correction of inaccurate Personal Information
  • Excede shall correct data upon Customer's instruction
  • Response timeframe: 45 days (extendable 45 days)

E. Right to Limit Use and Disclosure of Sensitive Personal Information (CCPA § 1798.121)

  • Consumers may limit use and disclosure of their sensitive Personal Information to what is necessary to perform the Services
  • Excede shall limit Processing upon Customer's instruction
  • Response timeframe: 45 days (extendable 45 days)

F. Right to Non-Discrimination (CCPA § 1798.125)

  • Consumers cannot be discriminated against for exercising CCPA rights
  • Excede shall not provide different service, price, or quality based on privacy decisions
  • Exception: Legitimate cost differences may be reflected in pricing

5.3 Procedures for Rights Requests

A. Customer Responsibility:

  • Customer is responsible for responding to data subject/consumer rights requests
  • Data subjects/consumers should submit requests to Customer (not directly to Excede)

B. Excede Assistance:

  • Customer shall forward data subject/consumer rights requests to Excede
  • Excede shall assist Customer in fulfilling requests within 10 business days (GDPR) or 15 days (CCPA)
  • Assistance includes: data extraction, anonymization, deletion, or correction
  • Excede shall not charge additional fees for assistance

C. Verification:

  • Excede may request reasonable verification that the requester is the data subject/consumer
  • Excede shall not disclose Personal Information until identity verified

6. International Data Transfers

6.1 Data Transfer Mechanisms

For EU/EEA Data Subjects (GDPR):

Excede acknowledges that Personal Data may be transferred to the United States, for which no adequacy decision applies except to organizations certified under the EU-U.S. Data Privacy Framework. Unless such an adequacy decision covers the transfer, Excede shall implement safeguards for international transfers:

A. Standard Contractual Clauses (SCCs):

  • Excede shall incorporate EU Standard Contractual Clauses (Module Two: Controller to Processor; Module Three: Processor to Sub-Processor)
  • SCCs govern all transfers of Personal Data from EU/EEA to Excede in the United States
  • SCCs protect data subjects' rights to enforce the contract against Excede
  • SCCs require Excede to notify Customer of legal demands for Personal Data

B. Transfer Impact Assessment:

  • Customer shall conduct Transfer Impact Assessment (TIA) to evaluate data protection laws in the destination country
  • Excede shall cooperate by providing information about:
    • Laws governing access to Personal Data
    • Government surveillance practices
    • Remedies available to data subjects
    • Security measures protecting data in transit/at rest

C. Supplementary Safeguards:

  • Encryption in transit and at rest
  • Access controls limiting access to authorized personnel
  • Contractual obligations restricting access and use
  • Data minimization (transfer only necessary data)
  • Legal remedies for unauthorized access (US legal framework)

D. Right to Object:

  • Data subjects may object to international transfers
  • Customer shall communicate objections to Excede
  • Excede shall assist in finding alternative transfer mechanisms

6.2 Adequacy Decisions

If a country is deemed "adequate" by the European Commission (or by the UK or Swiss authority, as applicable), transfers to that country are permitted without additional safeguards. Excede shall monitor adequacy decisions and adapt practices accordingly.

6.3 UK & Swiss Data Transfers

For UK Data Subjects:

  • Excede shall implement the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses
  • Governs transfers from the UK to countries without UK adequacy regulations

For Swiss Data Subjects:

  • Excede shall comply with Swiss Federal Data Protection Act (FADP)
  • Implements equivalent protections to GDPR

7. Sub-Processors & Third Parties

7.1 List of Sub-Processors

Excede's current sub-processor list is maintained at excede.ai/subprocessors and is incorporated by reference. Third-party systems connected by Customer as data sources are disclosed in Section 3 of that list and are not Sub-Processors.

Sub-Processors are engaged for:

  • Cloud infrastructure and storage
  • Email delivery and customer support
  • Payment processing
  • API integrations with customer systems

All Sub-Processors are bound by data processing agreements equivalent to this DSA.

7.2 Addition of New Sub-Processors

A. Advance Notice:

  • Excede shall provide 30 days' written notice before engaging a new Sub-Processor
  • Notice shall include Sub-Processor name, purpose, and location
  • Notice shall describe Personal Data to be processed

B. Objection Rights:

  • Customer may object to addition of Sub-Processor within 15 days
  • Objection must be based on reasonable data protection concerns
  • If Customer objects, parties shall work to resolve concerns
  • If unresolved, Customer may terminate engagement without penalty (for that specific concern)

C. Deemed Consent:

  • Failure to object within 15 days constitutes acceptance of new Sub-Processor

7.3 Sub-Processor Contracts

Excede shall ensure all Sub-Processors are bound by written data processing agreements that include:

  • Obligations equivalent to Articles 28–32 of GDPR
  • Liability limitations consistent with this DSA
  • Data subject rights support
  • Security measures appropriate to the data processed
  • Right for Customer to audit Sub-Processor

8. Data Breach Notification

8.1 Definition of Breach

A Breach is any unauthorized access, disclosure, modification, destruction, or loss of Personal Data, including:

  • Unauthorized access by internal personnel
  • Unauthorized access by external actors (hackers, competitors)
  • Loss or theft of a device containing unencrypted data
  • Accidental disclosure (sending to wrong recipient)
  • Ransomware or malware infection

8.2 Notification Timeline

A. Excede to Customer:

  • Excede shall notify Customer without undue delay and in no case later than 24 hours after discovery of a Breach
  • Notification shall be via email to Customer's security contact and executive sponsor
  • Notification shall include:
    • Description of the Breach (what happened)
    • Data affected (categories, estimated quantity, individuals affected)
    • Likely consequences of the Breach
    • Measures Excede has taken to contain the Breach
    • Name and contact of Excede's security contact
    • Preliminary assessment of risk to individuals

B. Customer to Supervisory Authority (GDPR):

  • Customer is responsible for notifying supervisory authorities within 72 hours (unless risk is low)
  • Customer is responsible for notifying affected individuals without undue delay (unless data is encrypted/pseudonymized)
  • Excede shall assist with notifications

C. Customer to Regulators (CCPA):

  • Customer is responsible for notifying California Attorney General (if more than 500 residents affected)
  • Customer is responsible for notifying affected consumers without undue delay
  • Excede shall assist with notifications

8.3 Excede's Breach Investigation

Upon discovery of a Breach, Excede shall:

  1. Immediately contain the Breach (disconnect affected systems, revoke access, etc.)
  2. Investigate the root cause (forensic analysis, log review)
  3. Assess impact (data affected, individuals affected, risk level)
  4. Remediate the vulnerability (patch, configuration change, process improvement)
  5. Prevent recurrence (technical controls, procedural changes, training)
  6. Document all findings and remediation steps
  7. Report findings to Customer with timeline for remediation

Timeline:

  • Initial notification: Within 24 hours
  • Detailed report: Within 5 business days
  • Root cause analysis: Within 15 business days
  • Remediation completion: As soon as technically feasible (typically within 30 days)

8.4 Cooperation with Authorities

Excede shall cooperate with supervisory authorities (data protection authorities, law enforcement) investigations, including:

  • Providing forensic evidence and logs
  • Answering questions about Breach circumstances
  • Implementing remediation measures ordered by authorities
  • Submitting to audits or inspections

Excede shall notify Customer of authority requests (unless prohibited by law).

8.5 Breach Impact Assessment

Excede shall assess the risk to individuals for each Breach, considering:

  • Type of Personal Data affected (sensitive vs. non-sensitive)
  • Scope of Breach (number of individuals, quantity of data)
  • Circumstances of Breach (accidental vs. intentional, contained vs. widespread)
  • Likelihood of misuse
  • Whether data was encrypted or pseudonymized
  • Mitigating factors (notification provided, password resets offered, etc.)

Risk assessment determines:

  • Whether supervisory authority notification is required (GDPR: 72 hours if risk is not low)
  • Whether affected individual notification is required (GDPR: required unless risk is low; CCPA: usually required)
  • Nature of notification (description of Breach, risks, remediation steps)

9. Audit & Compliance Verification

9.1 Customer Audit Rights

A. Documentation & Information:

  • Customer may request documentation of Excede's compliance with this DSA
  • Excede shall provide information necessary to demonstrate compliance with GDPR Article 28
  • Information shall be provided within 15 business days of request
  • Excede shall not charge unreasonable fees

B. Self-Audit:

  • Customer may conduct annual audits of Excede's data security practices
  • Audits may include: document reviews, interviews, system walkthroughs, log reviews
  • Excede shall designate audit coordinator and provide reasonable access
  • Audits shall be scheduled with 15 days' notice during business hours
  • Audits may be conducted remotely (via Zoom, document review) or on-site (with notification)
  • Frequency: Once per year, or more frequently if prior audit findings were not remediated

C. Third-Party Auditor:

  • Customer may engage independent auditor (at Customer's expense) to audit Excede
  • Independent auditor must sign NDA protecting Excede's Confidential Information
  • Auditor may conduct on-site visits to Excede facilities (with 15 days' notice)
  • Excede shall cooperate with auditor

D. Costs:

  • Customer's internal audit costs: Borne by Customer
  • Third-party auditor costs: Borne by Customer
  • Excede's incremental costs to support audit: Borne by Customer (reasonable costs only)
  • If audit reveals material non-compliance, Excede shall reimburse costs of remediation audit

9.2 Third-Party Certifications

Excede shall maintain (or pursue) the following certifications:

  • SOC 2 Type II report (Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality)
    • Annual audit by qualified independent auditor
    • Report covers controls relevant to data security
    • Current report provided to Customer upon request
  • ISO 27001 (Information Security Management System)
    • Annual audit by qualified independent auditor
    • Demonstrates comprehensive security controls
    • Certificate provided to Customer upon request

Interim Period (before certifications obtained):

  • Excede shall conduct annual independent security assessment
  • Assessment shall evaluate security controls against industry standards
  • Report provided to Customer upon request
  • Gaps identified and remediation timeline established

9.3 Regulatory Audits

If a supervisory authority (data protection authority, law enforcement, etc.) audits or investigates Excede's data practices:

  • Excede shall notify Customer without undue delay
  • Excede shall provide Customer with copies of audit requests/findings (where permitted by law)
  • Excede shall cooperate with authority investigations
  • Excede shall implement remediation measures ordered by authorities

9.4 Excede's Audit Obligations to Regulators

Excede acknowledges that Excede's data practices may be audited by:

  • European Data Protection Board (EDPB)
  • EU Data Protection Authorities
  • US regulators (FTC, state attorneys general)
  • Other jurisdictional regulators

Excede shall cooperate with regulatory audits and inspections.

10. Data Deletion & Return Upon Termination

10.1 Termination Procedures

Upon termination or expiration of the MSA, Excede shall:

A. Data Transition (Days 1–30):

  • Provide Customer with complete data export in standard formats (CSV, JSON, XML)
  • Formats shall be compatible with common business intelligence tools
  • Data shall include: All customer data, project data, GL transactions, usage history
  • Data export shall be provided free of charge within 15 days of request

B. Data Deletion (Days 31–90):

  • Excede shall securely delete Customer Data from all systems
  • Deletion shall include:
    • Production databases
    • Backup systems
    • Archive storage
    • Disaster recovery systems
    • Local copies on developer machines
  • Deletion shall use secure methods appropriate to the storage medium (cryptographic erasure of the relevant encryption keys, or overwriting with random data where the medium supports verified overwrite)
  • Excede shall provide certificate of deletion confirming data has been securely deleted

C. Retention for Legal Purposes:

  • Excede may retain minimal data if required by law (e.g., tax records, litigation holds)
  • Retained data shall be encrypted and access-restricted
  • Excede shall delete retained data as soon as legally permitted

10.2 Data Export Format

Excede shall provide data in standard, portable formats:

  Data Type          Format       Notes
  Structured data    CSV, JSON    Compatible with Excel, Salesforce, QuickBooks
  Relational data    SQL dump     Compatible with MySQL, PostgreSQL, other databases
  Documents          PDF          Searchable, viewable in any PDF reader
  Images             PNG, JPG     Standard image formats

All data shall be provided with data dictionary (explanation of fields).

10.3 Data in Backups & Archives

Excede maintains backup copies of all data for disaster recovery purposes. Upon termination:

  • Recent backups (within 30 days) shall be deleted within 90 days of termination
  • Archived backups (older than 90 days) shall be deleted as part of normal rotation schedule (typically 1–2 years)
  • Excede shall not use backups to restore data after termination unless Customer requests restoration
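The cryptographic erasure named in Section 10.1 B is what makes the backup retention window in Section 10.3 safe: if every record is encrypted under a per-tenant data key and backups hold only ciphertext, destroying that key at termination makes every remaining copy unreadable without touching the backups themselves. The following is an added illustration and not Excede's code; the key service, function names, and the HMAC-SHA256 keystream cipher (a standard-library stand-in for AES-GCM, not for production use) are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Added illustration (not Excede's code): per-tenant data keys plus
# cryptographic erasure, the deletion method named in Section 10.1 B.
# Backups (Section 10.3) only ever hold ciphertext, so destroying the
# tenant's key makes every remaining copy unreadable. The HMAC-SHA256
# keystream cipher is a stdlib-only stand-in for AES-GCM and must not be
# used in production; TenantKeyService is a hypothetical KMS stand-in.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from (key, nonce) in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = nonce + counter.to_bytes(8, "big")
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


class TenantKeyService:
    """Stand-in for a KMS holding one data-encryption key (DEK) per tenant."""

    def __init__(self) -> None:
        self._deks: dict = {}

    def provision(self, tenant_id: str) -> None:
        self._deks[tenant_id] = secrets.token_bytes(32)

    def key_for(self, tenant_id: str) -> bytes:
        if tenant_id not in self._deks:
            raise KeyError(f"no key for tenant {tenant_id!r}: erased or never provisioned")
        return self._deks[tenant_id]

    def crypto_shred(self, tenant_id: str) -> None:
        """Cryptographic erasure: destroy the DEK; its ciphertext is now unrecoverable."""
        self._deks.pop(tenant_id, None)


def encrypt_record(kms: TenantKeyService, tenant_id: str, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, bound to the tenant's DEK and tenant id."""
    dek = kms.key_for(tenant_id)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(dek, nonce, len(plaintext))))
    tag = hmac.new(dek, tenant_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(kms: TenantKeyService, tenant_id: str, blob: bytes) -> bytes:
    """Inverse of encrypt_record; raises KeyError once the tenant key is shredded."""
    dek = kms.key_for(tenant_id)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(dek, tenant_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed integrity check")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(dek, nonce, len(ciphertext))))


def offboarding_demo() -> dict:
    """Provision a tenant, take a backup, terminate, and confirm the backup is dead."""
    kms = TenantKeyService()
    kms.provision("tenant-a")
    # Constructed sample record standing in for a row of Customer Data.
    record = encrypt_record(kms, "tenant-a", b"project=Apollo;margin=0.31")
    backup_copy = bytes(record)  # a backup or archive holds only this ciphertext
    before = decrypt_record(kms, "tenant-a", record)

    kms.crypto_shred("tenant-a")  # termination: destroy the DEK, leave the backup alone
    try:
        decrypt_record(kms, "tenant-a", backup_copy)
        readable_after = True
    except KeyError:
        readable_after = False
    return {
        "before": before,
        "backup_intact": backup_copy == record,
        "readable_after": readable_after,
    }


if __name__ == "__main__":
    print(offboarding_demo())
```

The point of the design is that the certificate of deletion in Section 10.5 can cite one auditable event (the key destruction in the KMS, with its timestamp) rather than an unverifiable claim that every backup tape and archive was overwritten. A real deployment would use AES-GCM or an equivalent AEAD through a managed KMS with envelope encryption, and the per-tenant key boundary also gives the logical tenant separation described in Section 4.1 D.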

10.4 Sub-Processor Data Deletion

Excede shall ensure all Sub-Processors delete Customer Data upon termination, including:

  • Cloud hosting provider (AWS, Google Cloud): Data deleted from all regions
  • Backup services: Backups deleted according to retention schedule
  • Third-party integrations: Deleted from integrated systems where technically feasible

10.5 Certification of Deletion

Excede shall provide Customer with written certification of data deletion, including:

  • List of systems from which data was deleted
  • Deletion method used
  • Date of deletion completion
  • Confirmation by appropriate manager/executive

11. GDPR-Specific Terms

This section applies only when Customer is subject to GDPR and Excede is processing Personal Data of EU/EEA residents.

11.1 Legal Basis for Processing

Excede processes Personal Data only based on the lawful bases specified by Customer and documented in writing. Common lawful bases include:

  • Consent: Data subject has explicitly agreed to Processing
  • Contract: Processing is necessary to perform the agreement with data subject
  • Legal obligation: Processing is required by law
  • Vital interests: Processing protects vital interests of the data subject
  • Public task: Processing is necessary for a task of public interest
  • Legitimate interests: Processing is necessary for Excede's or Customer's legitimate interests (after balancing against data subject rights)

Customer is responsible for:

  • Determining the lawful basis for Processing
  • Documenting the lawful basis
  • Ensuring the lawful basis is valid and sufficient
  • Providing data subjects with privacy notices explaining the lawful basis

11.2 Data Protection Impact Assessment

Customer is responsible for conducting a Data Protection Impact Assessment (DPIA) under GDPR Article 35 if Processing is likely to result in a high risk to the rights and freedoms of natural persons. High-risk Processing includes:

  • Large-scale processing of special categories of data (Article 9) or criminal conviction data (Article 10)
  • Systematic monitoring of publicly accessible areas or of individuals
  • Automated decision-making, including profiling, that produces legal or similarly significant effects
  • Use of novel technologies

Excede shall assist Customer with DPIA by:

  • Providing information about security measures
  • Describing Processing activities
  • Identifying potential risks to data subjects
  • Suggesting technical/organizational safeguards

11.3 Data Protection Officer (DPO)

If Customer is required to appoint a Data Protection Officer (DPO) under GDPR:

  • Customer shall provide Excede with the DPO's contact information
  • Excede shall facilitate communication with the DPO regarding data protection matters
  • Excede shall allow the DPO to conduct audits in accordance with this DSA

Excede may optionally appoint a DPO or Privacy Officer for internal purposes and shall provide contact information to Customer upon request.

11.4 Standard Contractual Clauses

This DSA incorporates the EU Standard Contractual Clauses (SCCs) adopted under Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor), for transfers of Personal Data from Customer to Excede, and Excede shall enter into Module Three (Processor to Processor) SCCs with any Sub-Processor located in a country that is not covered by an EU adequacy decision. Excede's Standard Contractual Clauses are posted at excede.ai/dsa/sccs and are incorporated by reference.

11.5 Processor Liability

Under GDPR Article 82, data subjects may claim compensation from Excede (as Processor) for damage caused by Processing that infringes GDPR. Excede's liability is allocated as follows:

  • Excede is liable only if it has not complied with GDPR obligations specifically directed to Processors (including Articles 28–32) or has acted outside or contrary to Customer's lawful instructions
  • Excede is not liable if it acted upon Customer's instructions and Customer caused the violation
  • As between Customer and Excede, Excede's total liability for GDPR violations is capped at the amount specified in the MSA (Section 7.3); this cap does not limit any right a data subject may have directly against Excede under Article 82

11.6 GDPR Compliance Representations

Excede represents and warrants that:

  • Excede understands GDPR obligations for Processors
  • Excede has implemented appropriate technical and organizational security measures
  • Excede will assist Customer in meeting GDPR obligations
  • Excede will not process Personal Data outside the scope of Customer's instruction
  • Excede will cooperate with supervisory authorities

12. CCPA-Specific Terms

This section applies only when Customer is a Business under CCPA and Excede is a Service Provider processing Consumer Personal Information.

12.1 Service Provider Obligations

Under CCPA § 1798.140(ag), a Service Provider is a for-profit entity that:

  • Processes Consumer Personal Information on behalf of a Business
  • Is contractually prohibited from retaining, using, or disclosing Personal Information except to perform the specified Services
  • Is contractually prohibited from combining Personal Information received from the Business with Personal Information from other sources, except as permitted by CCPA regulations

Excede certifies that it shall:

A. Process Only for Specified Purpose:

  • Process Consumer Personal Information only to provide the Services specified in the SOW
  • Not use or disclose Personal Information for any other purpose
  • Not retain, use, or disclose Personal Information for Excede's own commercial benefit

B. Prohibited Uses:

  • Excede shall NOT:
    • Sell Consumer Personal Information
    • Share Consumer Personal Information for cross-context behavioral advertising
    • Combine Consumer Personal Information with data from other sources (except as necessary to perform the Services)
    • Use Consumer Personal Information for profiling in furtherance of unlawful discrimination
    • Retain, use, or disclose Consumer Personal Information except as necessary to perform the Services

C. Employee Limitations:

  • Excede shall ensure that only employees who need access to perform the Services are authorized to access Consumer Personal Information, and that those employees understand the confidentiality restrictions that apply to it

12.2 Consumer Rights Assistance

Excede shall assist Customer in responding to Consumer rights requests (access, deletion, correction, opt-out) by:

  • Providing mechanisms for Consumers to submit requests to Customer
  • Extracting or deleting requested data within a timeframe that allows Customer to meet its statutory deadlines (45 days for access, deletion, and correction requests; 15 business days for opt-out requests)
  • Assisting with verification of Consumer identity
  • Documenting all requests received and responses provided

12.3 Sale & Sharing Prohibition

Excede certifies that Excede does NOT:

  • Sell Consumer Personal Information (as defined under CCPA)
  • Share Consumer Personal Information for cross-context behavioral advertising (as defined under CCPA)
  • Retain, use, or disclose Consumer Personal Information for any purpose other than providing the Services

Excede shall not sell or share data without explicit written authorization from Customer, which Customer shall not grant without Consumer consent.

12.4 CPRA Compliance

The California Privacy Rights Act (CPRA) amends CCPA and adds new Consumer rights. Excede shall comply with CPRA by:

  • Assisting with Consumer rights requests (access, deletion, correction, opt-out of sale/sharing, limiting use of sensitive personal information, portability)
  • Respecting Consumer opt-out of sale/sharing
  • Providing information to support Consumer right to know
  • Assisting with Consumer right to non-discrimination

12.5 CCPA Notices

Customer is responsible for providing CCPA privacy notices to Consumers, which shall include:

  • Categories of Consumer Personal Information collected
  • Purpose of collection
  • Consumer rights (access, deletion, etc.)
  • Contact information for submitting requests
  • Information about Excede's role as Service Provider

Excede shall assist with privacy notice preparation by providing information about:

  • Data categories collected
  • Processing purposes
  • Data retention practices
  • Security measures

12.6 Data Brokers & Resale

Excede is not a "data broker" (as defined under California law, Cal. Civ. Code § 1798.99.80) and shall not resell Consumer Personal Information. If Excede engages Sub-Processors that might be considered data brokers, Excede shall:

  • Obtain prior written authorization from Customer
  • Ensure Sub-Processors are bound by equivalent CCPA obligations
  • Disclose Sub-Processors in privacy notices

13. General Provisions

13.1 Changes to This DSA

No changes to this DSA shall be valid unless in writing and signed by authorized representatives of both parties. Minor clarifications or administrative updates may be made by Excede with notice to Customer.

13.2 Precedence of Agreements

This DSA supplements the MSA. In case of conflict, the following order of precedence applies:

  1. Mandatory GDPR provisions (including Articles 28–32)
  2. Mandatory CCPA provisions (§ 1798.100 et seq.)
  3. This DSA, which takes precedence over the MSA
  4. Where the foregoing do not resolve the conflict, the more restrictive provision applies

13.3 Survival of Obligations

Data security and privacy obligations shall survive termination of the MSA, including:

  • Confidentiality of Personal Data
  • Data deletion obligations
  • Breach notification obligations
  • GDPR/CCPA compliance obligations

13.4 Severability

If any provision of this DSA is found invalid or unenforceable, remaining provisions remain in force, and the invalid provision shall be reformed to be enforceable.

13.5 No Waiver

Failure to enforce any right or remedy does not constitute a waiver of that right or remedy.

13.6 Entire Agreement

This DSA, together with the MSA and SOW, constitutes the entire agreement regarding data security and privacy. All prior understandings are superseded.

13.7 Third-Party Beneficiaries

Data subjects are intended third-party beneficiaries of this DSA and may enforce data protection obligations in some jurisdictions. However, neither party intends to create any other third-party beneficiaries.

13.8 Interpretation

Where this DSA is ambiguous, it shall be interpreted in favor of the protection of data subjects and Consumers.

13.9 Notices for Data Security Matters

All notices regarding data security, privacy, or compliance shall be directed to:

Excede Data Protection Officer / Privacy Officer:

Excede, Inc.
1654 Calle Tulipan Suite 100, San Juan, Puerto Rico, 00927
Attention: Data Protection Officer
Email: dpo@excede.ai
Phone: (201) 824-2307

Customer Privacy Contact:

Customer's account administrator email address as registered in the Service, or such other contact as Customer designates in writing via privacy@excede.ai.

Document Version: 1.0

Last Updated: June 20, 2026

Next Review: June 20, 2027