Data Processing Addendum.

Customer is the data controller (or, where applicable, business) for personal information contained in Customer Data. Counterpass is the data processor (or, where applicable, service provider).

Counterpass processes personal information only on documented instructions from Customer, including as set forth in the Order Form and the Terms of Service.

Subject matter: provision of the Counterpass trade compliance and shipment risk intelligence platform.

Duration: the term of the Order Form, plus any post-termination data return or deletion period.

Nature and purpose: hosting, screening, scoring, case management, audit logging, and related operational processing.

Categories of data subjects: Customer's Authorized Users and individuals identified in Customer's shipment, supplier, and counterparty records.

Counterpass uses sub-processors to host and operate the Service. A current list is available on request via contact@counterpass.ai. Counterpass remains responsible for sub-processor compliance.

Counterpass will notify Customer of any new sub-processor before that sub-processor begins processing personal information, and Customer may object on reasonable grounds.

Counterpass implements administrative, technical, and physical measures designed to protect personal information, including role-based access control, tenant-scoped data isolation, encryption in transit, and tenant-scoped audit logging.

Counterpass will notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data, and will provide information reasonably necessary for Customer to meet its own notification obligations.

Taking into account the nature of the processing, Counterpass will provide reasonable assistance to Customer in responding to data subject requests (access, deletion, correction, opt-out) directed to Customer as the controller.

Where personal information is transferred from a jurisdiction that restricts international transfers, the parties will rely on Standard Contractual Clauses or another lawful transfer mechanism, as applicable.

On termination of the Order Form, Counterpass will, on Customer's written request, return or delete personal information contained in Customer Data, subject to standard backup retention and any legal retention obligation.

On reasonable written notice and no more than once per year, Customer (or its qualified third-party auditor under confidentiality) may audit Counterpass's compliance with this DPA. Counterpass may satisfy this obligation by providing recent third-party audit reports or written responses to a standardized security questionnaire.