Data Processing Addendum (DPA)
Our commitment to GDPR compliance and data protection
White Shores Tech d.o.o. ("SaaS Custom Domains" or "Processor") and the counterparty agreeing to these terms ("Customer") have entered into a Subscription Agreement or other written or electronic agreement for the Services provided by SaaS Custom Domains (the "Main Agreement"). This Data Processing Addendum, including the annexes (the "DPA"), forms part of the Main Agreement.
This DPA will be effective, and will replace and supersede any previously applicable terms relating to their subject matter, from the date on which Customer agreed to the Main Agreement or otherwise began using the Services.
By using the Services, Customer warrants that: (a) Customer has full legal authority to be bound by this DPA; (b) Customer has read and understands this DPA; and (c) Customer agrees to this DPA. If Customer does not agree to this DPA, Customer must not use the Services.
DATA PROCESSING TERMS
This DPA applies where SaaS Custom Domains processes Personal Data as a Processor on behalf of Customer to provide the Services and such Personal Data is subject to Applicable Data Protection Laws. The parties have agreed to enter into this DPA in order to ensure that appropriate safeguards are in place to protect such Personal Data in accordance with Applicable Data Protection Laws.
1. Definitions
1.1 The following definitions are used in this DPA:
- "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Main Agreement, including European Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
- "Controller" means an entity that determines the purposes and means of the processing of Personal Data.
- "Customer Personal Data" means any Personal Data processed by SaaS Custom Domains on behalf of Customer pursuant to or in connection with the Main Agreement.
- "EEA" means the European Economic Area.
- "EU SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679.
- "European Data Protection Laws" means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, and the United Kingdom applicable to the processing of Personal Data, including the GDPR, UK GDPR, and Swiss FADP.
- "GDPR" means EU General Data Protection Regulation 2016/679.
- "Personal Data" means all data which is defined as 'personal data', 'personal information', or 'personally identifiable information' (or analogous term) under Applicable Data Protection Laws.
- "Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Processor" means an entity which processes Personal Data on behalf of the Controller.
- "Restricted Transfer" means a transfer of Personal Data from the EEA, Switzerland, or the United Kingdom to a country outside those territories which is not subject to an adequacy determination.
- "Services" means the custom domain proxy, SSL certificate management, WAF, CDN, and related services provided by SaaS Custom Domains through SaasCustomDomains.com.
- "Subprocessor" means any third party appointed by SaaS Custom Domains to process Personal Data on behalf of Customer in connection with the Services.
1.2 The terms "processing", "data subject", and "supervisory authority" shall have the meanings ascribed to them in the GDPR.
2. Status of the Parties
2.1 The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are described in Annex 1.
2.2 Each party warrants that it will comply with Applicable Data Protection Laws. As between the parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 The parties acknowledge and agree that Customer is the Controller (or a Processor processing Personal Data on behalf of a third-party Controller), and SaaS Custom Domains is a Processor (or sub-Processor, as applicable).
3. Processor Obligations
3.1 SaaS Custom Domains shall:
- (a) only process Personal Data for the purpose of providing the Services and in accordance with Customer's documented instructions as set out in the Main Agreement and this DPA, unless required to do so by applicable law;
- (b) not use Personal Data for marketing or advertising purposes;
- (c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the processing, as described in Annex 2;
- (d) ensure that only authorized personnel have access to Personal Data and that such persons are under contractual or statutory obligations of confidentiality;
- (e) without undue delay notify Customer upon becoming aware of any Personal Data Breach and provide reasonable cooperation and assistance;
- (f) promptly notify Customer if it receives a request from a data subject to exercise any data protection rights, and not respond to such request without Customer's prior written consent except to confirm that the request relates to Customer;
- (g) provide reasonable assistance to Customer in responding to data subject requests, provided Customer shall cover all costs incurred;
- (h) following termination or expiry of the Main Agreement, at Customer's choice, delete or return all Personal Data (including copies) processed pursuant to this DPA, except as required by applicable law;
- (i) provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, provided Customer shall cover all costs incurred.
4. Subprocessing
4.1 SaaS Custom Domains will only disclose Personal Data to Subprocessors for the specific purpose of providing the Services.
4.2 SaaS Custom Domains will ensure that any Subprocessor is bound by a written contract imposing data protection obligations no less protective than those in this DPA.
4.3 Customer grants general written authorization for SaaS Custom Domains to appoint Subprocessors as listed in Annex 3.
4.4 SaaS Custom Domains will maintain the list of Subprocessors at https://saascustomdomains.com/legal/subprocessors and will add the names of new and replacement Subprocessors at least thirty (30) days prior to the date on which those Subprocessors commence processing of Personal Data. If Customer objects to any new or replacement Subprocessor on reasonable grounds related to data protection, Customer shall notify SaaS Custom Domains in writing within ten (10) days and the parties will seek to resolve the matter in good faith. If the matter cannot be resolved, Customer may terminate the affected Services.
5. Audit and Records
5.1 SaaS Custom Domains shall, in accordance with Applicable Data Protection Laws, make available to Customer such information in SaaS Custom Domains' possession or control as Customer may reasonably request with a view to demonstrating compliance with the obligations of Processors under Applicable Data Protection Laws.
5.2 SaaS Custom Domains may fulfill Customer's right of audit under Applicable Data Protection Laws by providing:
- (a) upon reasonable request, documentation of technical and organizational security measures as described in Annex 2;
- (b) upon reasonable request, written responses to security questionnaires submitted by Customer, limited to one questionnaire per twelve (12) month period;
- (c) if SaaS Custom Domains obtains any third-party audit reports or certifications (such as SOC 2, ISO 27001, or equivalent), copies of such reports not older than thirteen (13) months; and
- (d) additional information in SaaS Custom Domains' possession or control to a data protection supervisory authority when it requests or requires additional information in relation to the processing of Personal Data.
5.3 To the extent the information made available pursuant to Section 5.2 is insufficient in Customer's reasonable judgment, and Customer's Personal Data is subject to the EU SCCs, Customer may request one on-site audit per annual period subject to the following:
- (a) Customer must send audit requests in writing with at least sixty (60) days' advance notice;
- (b) Following receipt of a request, the parties will discuss and agree in advance on the reasonable start date, scope, duration, and security and confidentiality controls applicable to the audit;
- (c) SaaS Custom Domains may charge a fee based on its reasonable costs. SaaS Custom Domains will provide an estimate of applicable fees in advance, and Customer will be responsible for any fees charged by any auditor appointed by Customer;
- (d) SaaS Custom Domains may object in writing to an auditor appointed by Customer if the auditor is, in SaaS Custom Domains' reasonable opinion, not suitably qualified or independent, a competitor, or otherwise manifestly unsuitable. Any such objection will require Customer to appoint another auditor or conduct the audit itself.
6. Data Transfers
6.1 The parties anticipate that SaaS Custom Domains (and its Subprocessors) may process Personal Data outside of the EEA, Switzerland, and the United Kingdom.
6.2 Where the transfer of Personal Data from Customer to SaaS Custom Domains is a Restricted Transfer, the parties agree that the EU SCCs shall apply, completed as follows:
- (a) Module Two (Controller to Processor) will apply where Customer is a Controller; Module Three (Processor to Processor) will apply where Customer is a Processor;
- (b) In Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be thirty (30) days as set out in Section 4.4;
- (c) In Clause 17, the governing law shall be the laws of Croatia;
- (d) In Clause 18(b), disputes shall be resolved before the courts of Croatia;
- (e) Annexes I and II of the EU SCCs shall be deemed completed with the information set out in Annexes 1 and 2 to this DPA.
6.3 For transfers of Personal Data protected by the UK GDPR, the EU SCCs shall apply as amended by the UK Addendum issued by the UK Information Commissioner's Office. For transfers protected by Swiss FADP, the EU SCCs shall apply with the Swiss Federal Data Protection and Information Commissioner as the competent supervisory authority.
7. General Terms
7.1 Confidentiality. Each party must keep this DPA and information it receives about the other party confidential and must not disclose such information without prior written consent except as required by law or where the information is already public.
7.2 Order of Precedence. In the event of any conflict between this DPA and the Main Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the EU SCCs, the EU SCCs shall prevail.
7.3 Limitation of Liability. SaaS Custom Domains' liability under or in connection with this DPA is subject to the exclusions and limitations on liability contained in the Main Agreement. In no event does SaaS Custom Domains limit or exclude its liability towards data subjects or competent data protection authorities.
7.4 Governing Law. This DPA shall be governed by and construed in accordance with the laws of Croatia. The parties consent to the exclusive jurisdiction of the courts of Croatia.
7.5 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
ANNEX 1: Data Processing Description
A. List of Parties
Data Exporter (Customer):
| Field | Value |
|---|---|
| Name | As stated in the Main Agreement |
| Address | As stated in the Main Agreement |
| Contact | As stated in the Main Agreement |
| Role | Controller (or Processor on behalf of a third-party Controller) |
Data Importer (Processor):
| Field | Value |
|---|---|
| Name | White Shores Tech d.o.o. |
| Address | Nikole Tesle 21, 10410 Velika Gorica, Croatia |
| Company Number (OIB) | 33877184995 |
| Contact | privacy@saascustomdomains.com |
| Role | Processor (or sub-Processor) |
B. Description of Processing
| Item | Description |
|---|---|
| Categories of Data Subjects | End users who access Customer's domains, websites, applications, and APIs through the Services. Administrators who manage the Services for Customer. |
| Categories of Personal Data | IP addresses; HTTP request and response headers (including User-Agent, Referer); requested URLs and query parameters; access timestamps; response status codes and sizes; geographic location data derived from IP addresses; any Personal Data contained in HTTP request/response bodies transiting through the proxy. |
| Nature of Processing | Routing HTTP/HTTPS traffic through proxy servers; SSL/TLS certificate provisioning and management; Web Application Firewall protection; content caching and delivery; access logging for metrics and analytics; monitoring and troubleshooting. |
| Purpose of Processing | Processing necessary to provide the Services to Customer in accordance with the Main Agreement. |
| Duration of Processing | For the term of the Main Agreement, plus any retention period required for legal or compliance purposes. |
| Retention Periods | Access logs for metrics: retained during active subscription, deleted within 30 days of termination. Application logs: 3-7 days. SSL certificates: until expiration or domain removal. |
ANNEX 2: Technical and Organizational Security Measures
SaaS Custom Domains implements the following technical and organizational measures to ensure the security of Personal Data:
Encryption
- All traffic encrypted in transit using TLS
- SSL certificates stored securely in AWS S3
- Caddy Server used for proxy services with automatic HTTPS and modern cipher suites
- Database connections encrypted
Infrastructure Security
- Proxy servers hosted on Amazon Web Services (AWS) across multiple geographic regions
- Traffic routed through AWS Global Accelerator for improved performance and DDoS protection
- Web and API applications hosted on Heroku with enterprise-grade security controls
- Regular security patches and updates applied to all infrastructure components
Access Control
- Role-based access control implemented for all systems
- Multi-factor authentication required for administrative access
- Principle of least privilege applied to all system access
- Personnel with access to Personal Data are under confidentiality obligations
Data Storage
- Access logs stored in ClickHouse on AWS EC2 with appropriate security configurations
- Backup logs stored in AWS S3
- Application caching via Redis on Heroku with appropriate access controls
- Web and API logs stored in Mezmo with automatic deletion after 3-7 days
Application Security
- Web and API built with Ruby on Rails following security best practices
- Regular dependency updates and security patches
- Application Performance Monitoring via New Relic for anomaly detection
- Input validation and sanitization implemented throughout
Business Continuity
- Multi-region deployment for high availability
- Regular backups of critical data
- Incident response procedures documented
ANNEX 3: List of Subprocessors
Customer authorizes SaaS Custom Domains to engage the following Subprocessors. An up-to-date list is maintained at https://saascustomdomains.com/legal/subprocessors
For the most up-to-date list of our Subprocessors, including their purposes, locations, and transfer mechanisms, please visit our dedicated Subprocessors page.