TitanFile Global Data Processing Addendum (DPA)
This Data Processing Addendum (“Addendum”) forms part of the Cloud Services Agreement entered into between TitanFile and Customer, or such other agreement between TitanFile and Customer that governs Customer’s use of the Services (the “Agreement”).
RECITALS
A. Customer has engaged TitanFile to provide the Services pursuant to the Agreement.
B. The parties are entering into this Addendum to ensure compliance with Privacy Laws and to provide for adequate safeguards with respect to the processing of Customer Content in connection with the Agreement.
1. DEFINITIONS
1.1 The following terms shall have the meanings ascribed below. Capitalized terms not defined herein shall have the same meaning set forth in the Agreement.
(a) “Data Controller” means the party who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data is processed.
(b) “Data Processor” means a person or entity who processes Personal Data on behalf of Customer on the basis of a formal written contract, but who is not an employee of Customer, including as applicable any “service provider” as that term is defined by the CCPA.
(c) “EU Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 approved by Commission implementing decision (EU) 2021/914, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
(d) “Personal Data” means any “personal data” or “personal information” or other equivalent term as defined by Privacy Laws that is processed by TitanFile in connection with the Agreement.
(e) “Privacy Authority” means any privacy commissioner, supervisory authority, or other governmental regulator with responsibility for privacy or data protection matters in a jurisdiction.
(f) “Privacy Laws” means all applicable legislation and regulations governing the processing of personal data in the jurisdictions where Customer has subscribed to use the Services, including, as applicable, the Personal Information Protection and Electronic Documents Act (Canada); the Personal Information Protection Act (Alberta); the Act respecting the protection of personal information in the private sector (Quebec); the Personal Information Protection Act (British Columbia); the EU General Data Protection Regulation (“GDPR”); the UK GDPR and Data Protection Act (2018) (the “UK GDPR”); the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act (“CCPA”); and any similar state consumer privacy laws.
(g) “Process” or “Processing” means any operation or set of operations which is performed upon data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(h) “Security Incident” means a breach of security leading to the loss, theft, or unauthorized Processing of Customer Content, or any other breach of the protection of Customer Content.
(i) “Sub-processor” means a Processor engaged by TitanFile to process Customer Content.
(j) “UK Addendum” means the UK Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner in force 21 March 2022 under S119A(1) Data Protection Act 2018 for UK Restricted Transfers, as entered into by the parties under this Addendum.
(k) “UK Standard Contractual Clauses” means the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR.
2. DATA PROCESSING
2.1 Roles of the Parties. The parties acknowledge that for the purposes of this Addendum, Customer is the Data Controller of the Personal Data and TitanFile is a Data Processor with respect to Personal Data.
2.2 Scope of Processing. TitanFile will process Customer Content only for the purposes of performing the Services and in accordance with Privacy Laws. The scope and further details of the processing activities to be performed by TitanFile in connection with the Agreement are set out in Appendix 1. For clarity, TitanFile shall not sell, aggregate, analyze or otherwise process Customer Content unless required in connection with the Agreement or authorized in writing by Customer.
2.3 Customer Instructions. TitanFile shall process Customer Content only in accordance with Customer’s instructions. The Agreement and this Addendum constitute the documented instructions of Customer. If TitanFile considers that an instruction from Customer constitutes a violation of Privacy Laws, TitanFile shall inform Customer as soon as possible.
3. GENERAL OBLIGATIONS
3.1 Personnel. TitanFile shall limit access to Customer Content to only those employees, contractors, or agents who require access to perform their roles and responsibilities in connection with the Services. TitanFile shall ensure that such persons are subject to appropriate confidentiality obligations and have sufficient skills and training in the handling of Customer Content.
3.2 Segregation. The Services shall be provided by TitanFile such that all Customer Content is logically segregated from TitanFile data and the data of its other customers.
3.3 Security Safeguards. TitanFile shall maintain reasonable and appropriate physical, organizational and technical processes and procedures to protect accessibility, integrity, security and confidentiality of Customer Content and to protect against any anticipated threats or hazards and/or Security Incidents. These measures shall include, at a minimum, those set forth in Appendix 2.
4. COOPERATION AND ASSISTANCE
4.1 Individual Rights. If TitanFile receives a request from an individual to exercise their rights with respect to Personal Data as set out under Privacy Laws, TitanFile shall promptly forward the request to Customer. TitanFile shall implement appropriate technical and organizational measures and provide all reasonable cooperation necessary to enable Customer to lawfully respond to such requests.
4.2 Requests or Demands from Privacy Authorities. TitanFile shall inform Customer as soon as possible if it receives a request or demand from a Privacy Authority relating to TitanFile’s processing of Personal Data and shall fully cooperate with Customer in connection with responding to such request or demand.
4.3 Disclosure Requests. TitanFile shall promptly notify Customer if it is required to disclose Customer Content in connection with any judicial proceeding or government investigation, to the extent permitted by applicable law, to provide Customer with a reasonable opportunity to seek a protective order from the appropriate governmental authority. TitanFile may thereafter disclose Customer Content but only to the extent required by applicable law and subject to any applicable protective order.
4.4 Further Assistance. TitanFile shall provide all assistance reasonably necessary to enable Customer to comply with its obligations under Privacy Laws, including requirements to appropriately protect Personal Data, conduct data protection impact assessments, and consult with Privacy Authorities.
5. AUDITS AND COMPLIANCE
5.1 Audit Reports. Upon written request, TitanFile shall provide, if available, any data security compliance, assessment, testing, or audit reports that assess the effectiveness of TitanFile’s information security program, systems, internal controls, and procedures relating to the processing of Customer Content or to TitanFile’s (or its Sub-processors’) systems or networks used to process Customer Content (e.g., SOC 2 Type II report or ISO/IEC 27001 certificate). Any such reports are the Confidential Information of TitanFile under the terms of the Agreement.
5.2 Compliance Audit. No more than once annually, TitanFile shall permit Customer or its third party auditor to conduct an audit of TitanFile’s compliance with this Addendum. If a third party is to conduct the audit, the third party must be mutually agreed to by TitanFile and Customer and must execute a written confidentiality agreement acceptable to TitanFile before conducting the audit. To request an audit, Customer must submit an audit plan to TitanFile at least thirty days in advance of the proposed audit date, describing the proposed scope, duration, and start time of the audit. The scope may not exceed a review of TitanFile’s compliance with this Addendum. The audit must be conducted at Customer’s expense, during regular business hours, and may not interfere with TitanFile’s business activities. Any resulting audit report and all information and records observed or otherwise collected in the course of an audit are the Confidential Information of TitanFile under the terms of the Agreement.
6. SUB-PROCESSORS
6.1 Prior Authorization. Customer agrees that TitanFile may engage Sub-processors to process Customer Content. The Sub-processors currently engaged by TitanFile and authorized by Customer are listed in Appendix 3. TitanFile shall provide Customer with at least fourteen days’ prior written notice of any intended changes concerning the addition or replacement of Sub-processors. Such notice shall include the identity, location, and contact details of the Sub-processor. If Customer does not object in writing to such change within fourteen days of receiving notice, TitanFile may proceed with the addition or replacement. If Customer objects in writing to such changes, the parties shall enter good faith discussions to address Customer’s concerns. Where such concerns cannot be addressed to Customer’s reasonable satisfaction within thirty days of Customer’s written objection, Customer has the right to terminate the Agreement upon thirty days’ written notice to TitanFile.
6.2 Compliance with Privacy Laws. TitanFile shall enter into an agreement with all Sub-processors that imposes obligations on the Sub-processor that are no less restrictive than those imposed on TitanFile under this Addendum. TitanFile is responsible for ensuring the compliance of its Sub-processors with Privacy Laws in connection with the processing of Personal Data and shall remain fully liable for any acts and omissions of such Sub-processors to the same extent as if such acts or omissions were performed by TitanFile.
7. INTERNATIONAL TRANSFERS
7.1 TitanFile shall not process or transfer any Personal Data to any third country or international organization outside Canada, the United States, the European Economic Area (“EEA”), or the United Kingdom (“UK”), unless subject to an adequacy decision of the European Commission or on the prior written approval of Customer.
7.2 The parties shall ensure that any agreed transfers of Personal Data comply with all Privacy Laws, including any cross-border transfer requirements or prohibitions.
(a) To the extent required to comply with the GDPR or UK GDPR regarding any agreed transfers of Personal Data to third countries or international organizations outside the EEA or UK, TitanFile shall ensure that an appropriate and valid transfer mechanism is put in place and a transfer impact assessment is carried out so that such transfers satisfy the GDPR or UK GDPR requirements.
(b) To the extent required to comply with the GDPR, transfers of Personal Data from Customer to TitanFile are made pursuant to the EU Standard Contractual Clauses attached as Appendix 4.
(c) To the extent required to comply with the UK GDPR, transfers of Personal Data from Customer to TitanFile are made pursuant to the EU Standard Contractual Clauses as amended by the UK Addendum and Part 1 of the UK Addendum shall be populated as set out in Appendix 5.
8. SECURITY INCIDENT
8.1 Notice. TitanFile shall notify Customer of any actual or reasonably suspected Security Incident promptly after becoming aware of any such incident. The notice to Customer shall include, to the extent known by TitanFile, to be supplemented by TitanFile promptly on an ongoing basis: (a) the nature of the Security Incident, including, if applicable, the categories and approximate number of individuals affected and the categories and approximate number of records of Personal Data affected; (b) the name and contact details for TitanFile’s privacy officer or other contact point for more information; and (c) any measures proposed or taken by TitanFile to mitigate, remediate, or otherwise address the Security Incident. TitanFile shall not respond to governmental authorities (including Privacy Authorities) or any other third party or individual concerning such incident without prior written approval of Customer, unless otherwise required by applicable law.
8.2 Remediation. TitanFile shall promptly detect, respond to, and contain all vulnerabilities, activities or other circumstances that caused or gave rise to the Security Incident. TitanFile shall promptly and without unreasonable delay take all necessary and advisable corrective actions, and will reasonably cooperate with Customer in all reasonable and lawful efforts to prevent, eradicate, mitigate, and rectify such Security Incident.
8.3 Documentation. TitanFile shall document any Security Incident, including the facts relating to the Security Incident, its effects, and remedial action taken, and provide such documentation to Customer as is necessary to enable Customer to notify the relevant Privacy Authorities of such Security Incident, if applicable.
8.4 Unsuccessful Security Incidents. The Parties acknowledge and agree that this Section 8.4 constitutes notice by TitanFile to Customer of the ongoing existence and occurrence or attempts of unsuccessful security incidents for which no additional notice to Customer shall be required. “Unsuccessful security incidents” means, without limitation, pings and other broadcast attacks on TitanFile’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Personal Data.
9. RETENTION, RETURN OR DESTRUCTION
9.1 Retention. TitanFile shall retain Customer Content only for as long as is necessary to perform the Services, or as otherwise required or permitted by any applicable Privacy Laws or other applicable laws, and in all cases, the terms of this Addendum shall continue to apply with respect to such Customer Content during all periods in which it is retained by or accessible to TitanFile.
9.2 Return or Destruction. Upon completion of the Services or upon the expiry or termination of the Agreement for any reason, or at any time upon Customer’s request, TitanFile shall (and shall procure that any Sub-processor shall), at Customer’s discretion:
(a) return all Customer Content to Customer; or
(b) securely delete and destroy such Customer Content in accordance with any Privacy Laws and industry standards and certify to Customer in writing that it has done so,
unless any Privacy Laws or other applicable laws require the retention of Customer Content by TitanFile, in which case TitanFile shall promptly inform Customer of such requirement and shall (i) return or destroy the Customer Content as soon as possible following the end of the period stipulated by the relevant requirement; and (ii) comply with the provisions of this Addendum during the period stipulated by the relevant requirement.
10. GENERAL
10.1 Term. The provisions in this Addendum shall remain in effect as long as TitanFile has the instruction of Customer to process Customer Content on the basis of the Agreement.
10.2 Survival. This Addendum and all provisions herein shall survive so long as, and to the extent that, TitanFile processes or retains Customer Content.
10.3 Conflict. If there is any conflict or inconsistency between the Agreement and this Addendum, then the applicable terms and conditions of this Addendum shall control to the extent of such conflict or inconsistency.
APPENDIX 1 – PROCESSING OF PERSONAL DATA
1. PERSONAL DATA
Customer tasks TitanFile with the processing of the following Personal Data:
• Identification Data: Name, email address, phone number, address, and other contact details.
• Account Information: Username, password (encrypted), user role, and account preferences.
• Usage Data: IP addresses, browser types, operating systems, device information, and log data relevant to service usage.
• Any other Personal Data submitted by, sent to, or received by the Customer, or Customer’s end users, via the Services.
2. DATA SUBJECTS
The Personal Data processed by TitanFile concerns the following categories of Individuals:
• Employees of the Customer: including internal staff, volunteers, agents, temporary and casual workers
• Relatives, guardians and associates of the Data Subject
• Advisers, consultants and other professional experts
• Clients and Contacts of the Customer
• Complainants, correspondents and enquirers
• Suppliers
3. PURPOSES OF THE PROCESSING
Customer has appointed TitanFile for the following processing activities:
• The processing of personal data is conducted solely to provide and improve Services under the Agreement.
4. ACCESS
TitanFile will store and process all Personal Data strictly separate from personal data that it processes on its own behalf or on behalf of third parties.
5. DURATION
The Personal Data processed by TitanFile will be processed for the duration of the Agreement.
APPENDIX 2 – SECURITY MEASURES
TitanFile Inc. is committed to ensuring the highest standards of security and data protection for our customers. This document outlines the security measures implemented by TitanFile to safeguard Customer Content. Our security framework encompasses a comprehensive set of controls designed to protect data confidentiality, integrity, and availability across all stages of processing. These measures are regularly updated to address emerging risks and to maintain the trust of our customers. The following sections provide a detailed overview of the policies and practices in place at TitanFile.
1. Infrastructure Security
Cloud Providers: TitanFile uses Microsoft Azure and Amazon AWS, both certified for SOC 2 Type II, ISO 27001, and PCI DSS compliance.
Data Redundancy: Frequent backups ensure data protection from environmental threats and hardware failures.
Physical Security: Data centers are protected by multiple physical security layers, including fencing, 24/7 surveillance, and alarm systems.
2. Encryption and Cryptography
Encryption at Rest: TitanFile applies AES-256 encryption for data storage.
Encryption in Transit: TLS 1.2/1.3 protocols secure all communications.
Customer-Managed Encryption Keys (CMEK): Enterprise clients can manage and revoke their own encryption keys independently.
3. Access Control
User Authentication: Supports multi-factor authentication (2FA), Single Sign-On (SSO), and custom password policies.
Role-Based Access Control (RBAC): Assigns granular permissions based on user roles.
4. Monitoring and Logging
Audit Trails: Comprehensive, time-stamped logs of all activities, available in CSV and via API (if the API capability is purchased) for audit and compliance purposes.
Continuous Monitoring: Risk assessments and monitoring systems are continuously active to detect vulnerabilities.
5. Secure Development Practices
Secure Software Development Life Cycle (SSDLC): TitanFile incorporates security in all stages of development and regularly conducts penetration tests.
OWASP Guidelines: TitanFile follows the OWASP Top 10 recommendations to mitigate web application vulnerabilities.
6. Personnel Security and Training
Employee Training: TitanFile staff undergo regular security awareness training.
Access Controls: Access to systems and data is restricted based on role, and terminated employees have access revoked immediately.
7. Compliance and Certifications
Compliance Standards: TitanFile complies with ISO 27001 and SOC 2 Type II.
Data Residency: Clients can choose where their data is stored (Canada, U.S., Europe, MENA) to meet their regulatory needs.
8. Incident Response and Management
Incident Response Procedures: Established protocols for identifying, reporting, and mitigating security incidents.
Breach Reporting: TitanFile has a dedicated incident response team that investigates and resolves security breaches.
9. Data Minimization and Retention
Data Retention Policies: Clients can configure custom retention periods, and data is securely deleted when it is no longer required.
Data Deletion: Automatic file deletion after the expiration date to prevent unauthorized access.
10. Business Continuity and Disaster Recovery
Disaster Recovery: Data redundancy and disaster recovery plans ensure service continuity in case of hardware failure or data loss.
APPENDIX 3 – AUTHORIZED SUB-PROCESSORS
| Product | Purpose | Company | Country |
|---|---|---|---|
| Amazon Web Services | Infrastructure provider including networking, compute, storage, database, logging, and other related services. | Amazon.com, Inc. | United States |
| Microsoft Azure | Infrastructure provider including networking, compute, storage, database, logging, and other related services. | Microsoft Corporation | United States |
| SendGrid | Email delivery | Twilio Inc. | United States |
| Mailchimp | Email delivery | Intuit Inc. | United States |
| Pendo | In-App communications and analytics | Pendo.io, Inc. | United States |
| Google Analytics | Website Analytics | Google LLC | United States |
| Stripe | Payment processing | Stripe, Inc. | United States, Ireland |
| Zuora | Billing and payment processing | Zuora, Inc. | United States |
| Xero | Billing and payment processing | Xero Limited | New Zealand |
| Zendesk | Customer Support | Zendesk, Inc. | United States |
| SalesForce | CRM | Salesforce, Inc. | United States |
| Functional Software, Inc. (dba Sentry) | Monitor logs and events | Functional Software, Inc. (dba Sentry) | United States |
| Twilio | Multi factor authentication, SMS and voice delivery | Twilio Inc. | United States |
| Slack | Internal communication tool | Salesforce, Inc. | United States |
| Microsoft 365 | Document authoring, editing, and viewing | Microsoft Corporation | United States |
APPENDIX 4 – STANDARD CONTRACTUAL CLAUSES | TRANSFERS FROM DATA CONTROLLER TO DATA PROCESSOR
The EU Standard Contractual Clauses incorporated into this Addendum by this reference shall be completed as follows:
1. Module Two (Controller to Processor) of the SCCs applies, it being specified that Customer will be the Controller and TitanFile the Processor;
2. The optional docking clause in Clause 7 does not apply;
3. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in section 6 of this Addendum;
4. In Clause 11, the optional language does not apply;
5. In Clause 13, Option 2 (the Supervisory Authority of the relevant data subjects whose Personal Data is being transferred) applies;
6. In Clause 17, Option 1 will apply, and the EU Standard Contractual Clauses will be governed by the laws of the Republic of Ireland;
7. In Clause 18(b), disputes will be resolved before the courts with jurisdiction located at Dublin, Ireland;
8. Appendix 1 to this Addendum contains the information required in Annex I of the EU Standard Contractual Clauses;
9. Appendix 2 to this Addendum contains the information required in Annex II of the EU Standard Contractual Clauses;
10. Appendix 3 to this Addendum contains the list of authorised sub-processors required in Annex III of the EU Standard Contractual Clauses; and
11. By entering into this Addendum, the Parties are deemed to have signed the EU Standard Contractual Clauses incorporated herein, including their Annexes.
APPENDIX 5 – UK ADDENDUM
The UK Addendum incorporated into this Addendum by this reference shall be completed as follows:
1. Table 1. The “start date” will be the date this Addendum enters into force. The “Parties” are Customer as exporter and TitanFile as importer.
2. Table 2. The “Transfer Details” are set out in the Agreement between the Parties.
3. Table 3. The “Appendix Information” is as set out in this Addendum.
4. Table 4. The exporter may end the UK Addendum in accordance with its Section 29. If the EU Standard Contractual Clauses, implemented as described above, cannot be used to lawfully transfer such Personal Data in compliance with the UK GDPR, the UK Standard Contractual Clauses shall instead be incorporated by reference, form an integral part of this Addendum, and apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK Standard Contractual Clauses shall be populated using the information contained in this Addendum (as applicable).