TensorGuard Data Processing Addendum
Last Updated: August 12, 2025
Effective Date: August 12, 2025
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the applicable written agreement between TensorGuard Inc. (“TensorGuard”) and the applicable customer or reseller (each, a “Customer”) that governs Customer’s use of the TensorGuard services (the “Agreement”). Capitalized terms not defined in this DPA have the meanings in the Agreement. If there is a conflict between this DPA and the Agreement with respect to the Processing of Personal Information, this DPA controls.
1. Scope & Roles
1.1 Scope. This DPA applies to TensorGuard’s Processing of Personal Information on behalf of Customer in connection with providing the Services in the United States.
1.2 Roles. For U.S. Privacy Laws (including CCPA/CPRA):
- Where Customer provides the Services to an End User (e.g., MSSP model), the End User is the Business, Customer is the Service Provider/Processor, and TensorGuard is Customer’s Sub-processor/Sub-service provider.
- Where TensorGuard contracts directly with a business customer, such customer is the Business, and TensorGuard is the Service Provider.
2. Definitions
“Personal Information” (or “Personal Data”) has the meaning in applicable U.S. Privacy Laws and includes any information that identifies or relates to a consumer/household and is Processed by TensorGuard on Customer’s behalf.
“Process/Processing” means any operation performed on Personal Information.
“U.S. Privacy Laws” means U.S. federal and state privacy laws applicable to the Services, including the California Consumer Privacy Act as amended by the CPRA (collectively, “CCPA/CPRA”).
“Forensic Data” means device and account data collected via the Services for DFIR and related investigations.
3. Customer Instructions
TensorGuard will Process Personal Information solely:
(a) to provide, secure, maintain, and support the Services described in the Agreement and Annex A;
(b) to comply with law; and
(c) as otherwise documented in Customer’s written instructions.
TensorGuard will promptly notify Customer if, in TensorGuard’s opinion, an instruction violates U.S. Privacy Laws.
4. CPRA Service-Provider/Contractor Terms
TensorGuard certifies it understands and will comply with the following:
(a) No Sale/Share. TensorGuard will not sell or share Personal Information.
(b) Purpose Limitation. TensorGuard will not retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement and this DPA, including not for cross-context behavioral advertising.
(c) No Outside Use. TensorGuard will not retain, use, or disclose Personal Information outside the direct business relationship with Customer.
(d) Combining Data. TensorGuard will not combine Personal Information it receives from Customer with Personal Information it receives from another source, except as permitted by U.S. Privacy Laws (e.g., to detect security incidents, protect against illegal activity, or to improve the Services using de-identified/aggregated data as described in §5.2).
(e) Subcontracting. TensorGuard will bind sub-processors by written contracts imposing materially the same obligations as this §4 and §5–§10.
5. Confidentiality, Security & Improvement Use
5.1 Confidentiality. TensorGuard ensures personnel authorized to Process Personal Information are subject to appropriate confidentiality obligations and have a need to know.
5.2 De-identified/Aggregated Use. TensorGuard may use de-identified and/or aggregated data derived from Customer’s data to maintain and improve the Services. TensorGuard will (i) take reasonable measures to ensure the information cannot be associated with a consumer or household; (ii) publicly commit to maintain and use de-identified information only in de-identified form; and (iii) not attempt to re-identify the data.
5.3 Security Measures. TensorGuard implements and maintains administrative, physical, and technical safeguards appropriate to the nature, scope, and risks of the Processing, including encryption at rest and in transit, access controls, logging/monitoring, vulnerability management, and secure software development practices. The current measures are summarized in Annex B.
6. Sub-processors
6.1 Authorization. Customer provides general authorization for TensorGuard to engage sub-processors to support the Services.
6.2 Process. TensorGuard will:
(a) maintain a current list of sub-processors (available on request);
(b) impose data protection obligations materially equivalent to this DPA; and
(c) provide ≥30 days’ prior notice of material additions or replacements, allowing Customer to object on reasonable data-protection grounds. If the Parties cannot resolve an objection in good faith, Customer may suspend the affected functionality.
6.3 Named Sub-processors (Authentication/Identity). Google LLC and GitLab Inc. are used as mandatory identity providers (IdPs) for authentication; IdP transactions may be processed on their own infrastructure consistent with their architectures. TensorGuard does not store user passwords.
6.4 Other Current Sub-processors (Core Services). Google Cloud, Hetzner US, and Cloudflare (hosting, processing, networking/security); Mailgun (email); Stripe (payments). Customer-designated tools (e.g., a Customer’s SIEM) are not TensorGuard sub-processors.
7. Data Location
TensorGuard stores and Processes Customer-controlled data (including Forensic Data) in U.S. regions only, including backups and disaster recovery. Authentication transactions handled by Google/GitLab may be processed per those providers’ regional architectures.
8. Incident Management
TensorGuard will notify Customer without undue delay and in any event within 72 hours after confirming a Personal Information breach affecting the Services, and will provide information reasonably necessary for Customer to meet its obligations. TensorGuard will investigate, mitigate, and cooperate with Customer consistent with law and industry practice.
9. Assistance
TensorGuard will, taking into account the nature of Processing and the information available to TensorGuard:
(a) Consumer Requests. Provide reasonable assistance to Customer for verifiable consumer requests under U.S. Privacy Laws (access, deletion, correction, etc.).
(b) Security/DPIAs. Provide information reasonably required to support risk assessments, DPIAs, or consultations with authorities related to TensorGuard’s Processing.
(c) Opt-Out Signals. Because TensorGuard does not sell/share Personal Information or use it for targeted advertising, no global privacy control processing is required for Services data.
10. Audits & Information
Upon reasonable written request no more than once per 12 months, TensorGuard will make available information necessary to demonstrate compliance with this DPA, which may include a SOC 2 report or equivalent, security summaries, and sub-processor lists. On-site audits are permitted only where required by law or mutually agreed and are subject to reasonable scheduling, scope, and confidentiality. Any auditor must be independent and bound by NDA. Customer will avoid duplication where existing third-party attestations suffice.
11. Return & Deletion
At termination or upon Customer’s written instruction, TensorGuard will delete or return Personal Information, and delete existing copies within a reasonable period, unless retention is required by law or a documented legal hold. Where Customer elects archival (if available under the Agreement), retention will follow the agreed archival terms.
12. Government & Law Enforcement Requests
TensorGuard will not disclose Personal Information to public authorities unless required by law. Where legally permitted, TensorGuard will provide Customer with notice of any demand and will challenge unlawful or overbroad requests.
13. Minors
Customer represents it will not instruct TensorGuard to Process Personal Information of individuals under 18. TensorGuard will promptly notify Customer if it becomes aware of Processing involving minors contrary to this representation.
14. Liability; Precedence; Governing Law
14.1 Liability. The Parties’ liability under this DPA is governed by the limitations and exclusions in the Agreement.
14.2 Precedence. If there is a conflict between this DPA and any privacy policy, the DPA controls.
14.3 Governing Law. This DPA is governed by Delaware law, consistent with the Agreement.
Annex A — Details of Processing
Subject Matter & Purpose. Provision, maintenance, support, and security of TensorGuard’s DFIR, insider-threat, and investigation Services; generation of reports and dashboards; limited improvement of Services using de-identified/aggregated data.
Duration. For the term of the Agreement and any post-termination archival or legal-hold period.
Frequency & Nature. Continuous, as initiated by Customer’s Administrators/users and the Services’ operation.
Categories of Data Subjects. Customer’s and End Users’ personnel, contractors, and other authorized users; individuals whose data resides on devices/accounts Customer lawfully collects for investigation.
Types of Personal Information.
- Account & Identity: name, email, org identifiers, roles, IdP identifiers.
- Operational/Logs: IP addresses, timestamps, device IDs, usage metadata.
- Forensic Data: device and account artifacts potentially containing files, file metadata, system logs, process/network artifacts, browser history, communications content and headers, and other content Customer chooses to upload/collect.
- Sensitive Personal Information (SPI): may be included within Forensic Data; TensorGuard Processes SPI solely to provide the Services per Customer’s instructions.
Special Processing. No biometric, health, or education records are targeted; such data may exist within Forensic Data at Customer’s direction. No intentional Processing of children’s data (<18).
Annex B — Technical & Organizational Security Measures
- Governance & Access: role-based access control; least privilege; MFA for admin access; background-checked personnel where permitted.
- Encryption: TLS for data in transit; strong encryption for data at rest; managed keys.
- Network & Infrastructure: segmented environments; endpoint hardening; vulnerability scanning and timely patching; DDoS/WAF protections.
- Monitoring & Logging: centralized logging; security event monitoring; audit trails for admin actions and data access.
- Secure Development: code review; dependency scanning; secrets management; change control.
- Resilience: regular backups; tested restoration; disaster recovery in U.S. regions.
- Third Parties: risk assessment and contractual controls for sub-processors; periodic reviews.
- Incident Response: documented plan; 24×7 alerting; breach notification within 72 hours of confirmation.
- Data Lifecycle: data minimization; retention aligned to Agreement (default deletion, optional archival); secure deletion.
Annex C — Current Sub-processors
Authentication/Identity (mandatory IdPs):
- Google LLC — Authentication/IdP
- GitLab Inc. — Authentication/IdP
Hosting/Processing/Networking:
- Google Cloud — Cloud hosting/compute (U.S. regions)
- Hetzner US — Cloud hosting/compute (U.S. regions)
- Cloudflare, Inc. — Network edge, CDN, WAF, DDoS mitigation
Communications & Payments:
- Mailgun Technologies, Inc. — Transactional email
- Stripe, Inc. — Payment processing (tokenized billing data only)
Note: Authentication transactions may be processed by IdPs on their own infrastructure per their architectures. Customer tools designated by Customer (e.g., SIEMs) are not TensorGuard sub-processors.