This Data Processing Agreement, including all schedules and exhibits attached hereto, (“DPA”) is entered into between Tenex Security, Inc. [dba TENEX.AI] (“TENEX”) and Client, in connection with TENEX’s provision of services to Client pursuant to any existing, written, and currently valid agreements between the parties (collectively, “Agreement”). This Addendum is effective as of the date it is signed by both parties (“Effective Date”) and is hereby incorporated by reference into the Agreement. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement. In the event of any inconsistency or conflict between this DPA and the Agreement, this DPA will govern. This DPA will survive termination of the Agreement. Client and TENEX agree as follows:
- Definitions.
- “Applicable Data Protection Law” means all applicable data protection laws, rules, regulations, orders, ordinances, regulatory guidance, and industry self-regulations, including subsequent amendments, that: (i) relate to the confidentiality, Processing, privacy, security, protection, disclosure, sharing, transfer, or trans-border data flow of Personal Data; (ii) relate to the privacy or interception, recording or monitoring of communications; (iii) provide rights to an individual whose Personal Data is being Processed; or (iv) trigger a duty to notify an individual whose Personal Data has been, or may have been, the subject of a Personal Data Breach. Applicable Data Protection Laws include, but are not limited to, the CCPA, FADP, GDPR, and UK GDPR.
- “CCPA” means the California Consumer Privacy Act of 2018, including (a) as amended by the California Privacy Rights Act of 2020 or otherwise and (b) any regulations promulgated thereunder.
- “Controller” means an entity that, alone or jointly with others, determines the purposes for and means of Processing of Personal Data. A Controller includes “businesses,” “controllers,” “data owners,” and other similar terms under Applicable Data Protection Law that refer to persons or entities that determine the purposes and means of the Processing of Personal Data.
- “Data Subject” means an identified or identifiable person or household.
- “Data Subject Access Request” means a request pertaining to Personal Data from a Data Subject to exercise its rights pursuant to Applicable Data Protection Laws.
- “De-Identified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a Client or any Data Subject or as that term is otherwise defined under Applicable Data Protection Law.
- “FADP” means the Swiss Federal Act on Data Protection of September 25, 2020.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means information that TENEX Processes on behalf of Client that identifies, relates to, describes, could be associated with or linked, directly or indirectly, to a Data Subject, or as that term or a similar term is defined under Applicable Data Protection Law.
- “Personal Data Breach” means a misuse, compromise, or unauthorized, accidental, or unlawful access, disclosure, acquisition, destruction, loss, or alteration of Personal Data, including without limitation, any circumstance pursuant to which Applicable Data Protection Law requires either notification to be given to affected parties or other activity in response to such circumstance.
- “Process,” “Processed,” or “Processing” means any operation or set of operations performed, whether or not by automated means, such as the access, collection, use, storage, retention, disclosure, sale, dissemination, combination, recording, organization, structuring, adaptation, alteration, copying, transfer, retrieval, consultation, disposal, restriction, erasure, and/or destruction.
- “Processor” means an entity that Processes Personal Data on behalf of a Controller. A Processor includes “service providers,” “processors,” “third-party service providers,” “third-party agents,” and other similar terms under Applicable Data Protection Law that refer to persons or entities that process Personal Data on behalf of a Controller.
- “SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be replaced or superseded by the European Commission.
- “Services” means the services provided by TENEX pursuant to the Agreement.
- “UK GDPR” means the GDPR as incorporated into United Kingdom (“UK”) law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
- Roles and Responsibilities. TENEX will Process Personal Data on behalf of Client, as described in more detail in Schedule 1. As between Client and TENEX, Client will be the Controller and TENEX will be the Processor.
- TENEX agrees to:
- Process Personal Data solely for the purpose of performing the Services and in accordance with Client’s documented instructions, including to improve the Services and prevent fraud and as otherwise set forth in this DPA, the Agreement, or any other written agreement between the parties;
- not Process the Personal Data outside the direct business relationship between TENEX and Client or for any commercial purpose other than providing the Services as described in more detail in Schedule 1 to Client, except as permitted by Applicable Data Protection Law;
- not “sell” or “share” Personal Data, as those terms are defined under Applicable Data Protection Law;
- treat all Personal Data as the confidential information of Client and ensure that all personnel who Process Personal Data have undergone data protection training and are bound by obligations of confidentiality;
- promptly notify Client if TENEX directly receives a Data Subject Access Request that explicitly identifies Client, and TENEX shall not respond to such requests except as instructed by Client unless otherwise required by Applicable Data Protection Law, provided, however, that TENEX may: (i) confirm receipt; (ii) advise that such request relates to Client; (iii) direct such Data Subject to Client; or (iv) take other action as may be necessary to comply with Applicable Data Protection Laws;
- reasonably cooperate with and assist Client in complying with Applicable Data Protection Law, including but not limited to assisting with data protection impact assessments, audits, and consultations with regulatory bodies; and
- upon receipt of a government access request or other legally-mandated disclosure and where permitted by applicable law, promptly notify Client of the access request and provide details about the requesting party, the types of Personal Data requested, and the purpose and methods of the disclosure (so as to provide Client the opportunity to comply with its notice and consent obligations with respect to affected Data Subjects or oppose the disclosure and obtain a protective order or seek other relief).
- Client instructs TENEX to Process Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA and the Agreement, including as specified in Schedule 1. Client will not instruct TENEX to perform any Processing of Personal Data that violates any Applicable Data Protection Law. If TENEX believes or becomes aware that any of Client’s instructions conflict with Applicable Data Protection Law, TENEX shall promptly inform Client.
- Deidentified Data. Notwithstanding anything to the contrary in this DPA, TENEX may create and derive Deidentified Data for its business purposes. TENEX will: (a) take reasonable measures designed to ensure that Deidentified Data cannot be associated with a Data Subject and (b) publicly commit to maintain and use Deidentified Data in a deidentified form and not attempt to re-identify such data except as permitted by Applicable Data Protection Laws.
- Sub-processors. Client authorizes TENEX to use subcontractors to Process Personal Data in connection with providing the Services (each, a “Sub-processor”). TENEX maintains a list of Sub-processors currently engaged by TENEX. TENEX will remain fully responsible for its obligations under the Agreement and will remain the primary point of contact regarding any Processing of Personal Data. TENEX will be responsible for the acts and omissions of its Sub-processors and will impose contractual obligations on its Sub-processors that are at least equivalent to those obligations imposed on TENEX under this DPA.
- Cross-Border Data Transfers.
- The parties will collaborate to ensure that the Processing of Personal Data under this DPA complies with any data transfer restrictions under Applicable Data Protection Law. If Client and TENEX will engage in cross-border or onward transfers of Personal Data about individuals in:
- the European Economic Area, and such Personal Data is subject to the GDPR, the parties will conduct such transfers pursuant to the SCCs, which are hereby incorporated by reference and deemed executed by the parties as of the Effective Date, or by certifying to and participating in another lawful cross-border transfer mechanism.
- the UK, and such Personal Data is subject to the UK GDPR, the parties will conduct such transfers pursuant to the SCCs in tandem with the UK Addendum, which are hereby incorporated by reference and deemed executed by the parties as of the Effective Date, or by certifying to and participating in another lawful cross-border transfer mechanism.
- Switzerland, and such Personal Data is subject to the FADP, the parties will conduct such transfers pursuant to the SCCs, which are hereby incorporated by reference and deemed executed by the parties as of the Effective Date, or by certifying to and participating in another lawful cross-border transfer mechanism. In the event the parties rely on the SCCs for such transfers, the following modifications will apply: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the Data Transfer is governed by the FADP; references to a “Member State” and “EU Member State” will not be read to limit or prevent Data Subjects in Switzerland from seeking to exercise their rights; and references to “GDPR” in the SCCs will be understood as references to the FADP.
- If the parties will engage in cross-border or onward transfers of Personal Data subject to the SCCs and/or the UK Addendum, TENEX will be the “data importer” and Client will be the “data exporter”. If there is any conflict between this DPA and the SCCs and/or UK Addendum, the SCCs and UK Addendum will prevail.
- For purposes of the SCCs, Module 2 will apply to the Processing of Personal Data by TENEX on behalf of Client. Whereby:
- Clause 7 (“Docking clause”) shall apply.
- The audits contemplated by Section 8.9 shall be conducted according to the audit provisions of this DPA.
- In Clause 9, Option 2 will apply and the time-period for notice of Sub-processor changes will be as set forth in this DPA.
- In Clause 11 the optional language will not apply to the SCCs.
- In Clause 17, the SCCs shall be governed by the laws of Ireland.
- In Clause 18(b), the parties agree to resolve disputes arising from the SCCs in the courts of Ireland.
- The parties will complete Schedule 1 of this DPA, which includes information called for in the SCCs’ Annexes I and III.
- The information needed to complete Annex 2 of the SCCs is included in Schedule 2 of this DPA.
- In the event TENEX subsequently engages in cross-border or onward transfers of Personal Data with a subcontractor or other third-party recipient, TENEX will conduct such transfers pursuant to the relevant Module of the Standard Contractual Clauses promulgated by the EU Commission Decision (EU) 2021/914 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914) and/or another lawful mechanism.
- Security Safeguards. TENEX will implement and maintain appropriate technical, organizational, and administrative security measures to safeguard Personal Data and provide the level of protection required by Applicable Data Protection Law.
- Personal Data Breach Notice and Management. TENEX will notify Client without undue delay after becoming aware of a Personal Data Breach and take commercially reasonable steps to remediate the Personal Data Breach. TENEX will provide Client with information, to the extent feasible or known at the time of notification, that is designed to allow Client to meet its obligations under Applicable Data Protection Law. TENEX’s notification of, or response to, a Personal Data Breach under this Section will not be construed as an acknowledgement by TENEX of any fault or liability with respect to the Personal Data Breach.
- Audits.
- TENEX will make available to Client all information as TENEX, acting reasonably, considers appropriate to demonstrate its compliance with this DPA and Applicable Data Protection Law. TENEX may procure audits by third parties to assess TENEX’s compliance with this DPA and Applicable Data Protection Law. These audits may include assessments of TENEX’s then-current audit reports on Client’s reasonable written request. Such reports will be TENEX’s confidential information.
- Client will exercise its audit rights by first requesting the audit reports as described in Section 8(a). Client may request additional information if the audit reports do not reasonably demonstrate TENEX’s compliance with this DPA and/or Applicable Data Protection Law. To the greatest extent possible, Client shall utilize TENEX’s audit reports and other privacy documentation made available pursuant to the above to assess TENEX’s compliance with its obligations in this DPA. Only to the extent that Client is not able to do so, and in any event, no more than once per year (except if otherwise required by applicable law) and following at least 45 days’ notice in writing from Client, at Client’s cost and expense, TENEX shall allow for and contribute to remote audits conducted by Client or a qualified, independent auditor that has agreed to confidentiality provisions reasonably acceptable to TENEX and is not a competitor of TENEX. The parties shall agree on the scope, methodology, timing and conditions of such audits in advance. Client shall use reasonable endeavors to ensure that the conduct of each audit does not disrupt TENEX’s business. In no event shall Client be permitted to access any information, including without limitation, data that belongs to TENEX’s other customers or such other information that is not relevant to TENEX’s compliance with this DPA.
- Compliance. Both Client and TENEX will comply with their respective obligations under Applicable Data Protection Law. TENEX will notify Client if it determines that it cannot meet its obligations under Applicable Data Protection Law.
- Return or Destruction of Personal Data. Upon the expiration or termination of the Agreement, TENEX will cease all Processing of Personal Data and, at Client’s direction, either (a) return such data to Client or (b) destroy such data and certify such destruction to Client in writing. TENEX will comply with such Client instruction as soon as reasonably practicable. TENEX is permitted to retain Personal Data where it has a legal requirement to do so.
- Records. TENEX will maintain accurate and up-to-date records of all Processing activities carried out on Client’s behalf, in compliance with its requirements under Applicable Data Protection Law.
- Miscellaneous. No supplement, modification, or amendment of this DPA will be binding unless executed in writing by each party to this DPA.
List of Schedules
Schedule 1 - Scope of Processing
Schedule 2 - TENEX Security Measures
Schedule 1
Scope of Processing
- Controller / Data Exporter:
  - Name: Client, as set out in the Agreement
  - Address: As set out in the Agreement
  - Point of Contact: As set out in the Agreement
- Processor / Data Importer:
  - Name: Tenex Security, Inc.
  - Address: 9401 Indian Creek Pkwy, Suite #400, Overland Park, KS 66210
  - Point of Contact: Privacy Officer, [email protected]
- Subject Matter of Processing: The Processing is in relation to TENEX’s provision of Services in accordance with the Agreement.
- Duration of Processing: The Processing will begin after the Effective Date and will end upon expiration or termination of the Agreement.
- Nature and Purpose of Processing: The nature and purposes of Processing include performing the Agreement, this DPA and/or other contracts executed by the parties, including, providing the Services to Client and complying with documented reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement.
- Types of Personal Data: Client determines the categories of any Client Personal Data that is made accessible to TENEX, which may include, without limitation, Client Personal Data
- Special Categories of Data (as applicable): TENEX does not anticipate that Client will submit special categories of data to the Services.
- Categories of Data Subjects: As a part of providing the Services, TENEX may process Client Personal Data related to Client’s customers or users, employees and service providers, the extent of which is solely determined by Client.
- Frequency of Cross-Border Data Transfers: As regular as is required to provide the Services.
- Period of Data Retention by Processor: TENEX will retain the Personal Data until the termination of the Agreement, unless otherwise agreed to by the parties.
- Table 4 of the UK Addendum: Which Party can Terminate this DPA if the UK Data Protection Authority Changes this “Approved Addendum”.
  - Ending This DPA When the Approved Addendum Changes: Which Parties may end this DPA as set out in Section 19 of the UK Addendum: ✔ Data Importer ☐ Data Exporter ☐ Neither Party
Schedule 2
TENEX Security Measures
- Technical Security Measures: TENEX employs a “defense-in-depth” strategy to protect data throughout its lifecycle:
  - Cryptography: All customer data is encrypted at rest using industry-standard AES encryption and in transit using Transport Layer Security (TLS).
  - Logical Access Control: Access is governed by the principle of least privilege. Multi-factor authentication (MFA) is mandatory for accessing production environments (GCP).
  - Network Security: External points of connectivity are protected by firewalls. The organization performs monthly internal network vulnerability scans and annual third-party external penetration tests.
  - Endpoint Protection: All corporate devices are managed via Mobile Device Management (MDM), which enforces full-disk encryption and anti-virus/malware protection.
- Organizational Security Measures: Security is integrated into the organizational culture and operational workflows:
  - Governance & Oversight: The Board of Directors and Executive Leadership provide oversight of cyber-risk. A dedicated Compliance Manager is responsible for maintaining adherence to GDPR, CCPA, and other regulatory requirements.
  - Risk Management: TENEX follows a formal risk assessment process performed at least annually. This process evaluates risks to the confidentiality, integrity, and availability of data, specifically considering the impact on natural persons.
  - Personnel Security: All employees undergo criminal background checks prior to hire and must sign a Code of Conduct and confidentiality agreement.
  - Security Awareness: Mandatory security awareness training is required upon hire and annually thereafter for all personnel.
  - Incident Response: A documented Incident Response Plan is in place and tested annually to ensure the organization can effectively contain and remediate security events.
  - Third-Party Management: Tenex.ai performs due diligence and annual risk assessments on all critical vendors to ensure they meet the organization’s security and privacy standards.
- Measures to Restore Availability and Access: Procedures and controls related to access management activities (e.g., granting, modifying, reviewing, and removing) implemented in a manner that ensures only individuals who have a legitimate need will have access to such systems and information.
Business Continuity Programs and associated plans that ensure the availability of systems and services covered under the Agreement based on documented and tested procedures for monitoring the same.

