Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Panguard AI, Inc. ("Panguard" or "Processor") and the entity agreeing to these terms ("Customer" or "Controller") for the provision of Panguard's security services (the "Service"). This DPA applies to the extent that Panguard processes Personal Data on behalf of the Customer in connection with the Service.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Panguard on behalf of the Customer in connection with the Service.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
• "Sub-processor" means any third party engaged by Panguard to process Personal Data on behalf of the Customer.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR (EU) 2016/679, Taiwan's Personal Data Protection Act, and any other applicable privacy legislation.

2. Scope and Purpose

2.1 This DPA applies to all processing of Personal Data by Panguard on behalf of the Customer in connection with the provision of the Service, including endpoint security monitoring, threat detection, vulnerability scanning, and compliance reporting.

2.2 The categories of Personal Data processed may include: employee names, email addresses, device identifiers, IP addresses, system usernames, and organizational metadata. The categories of Data Subjects include: Customer employees, contractors, and authorized users of the Service.

2.3 The duration of processing shall be for the term of the agreement between Panguard and the Customer, plus any retention period required by applicable law.

3. Customer Responsibilities

3.1 The Customer, as Controller, is responsible for ensuring that the processing of Personal Data through the Service complies with Applicable Data Protection Law, including obtaining any necessary consents and providing required notices to Data Subjects.

3.2 The Customer shall ensure that it has a lawful basis for transferring Personal Data to Panguard and for instructing Panguard to process such data on its behalf.

3.3 The Customer shall promptly notify Panguard of any changes in applicable data protection requirements that may affect Panguard's obligations under this DPA.

4. Panguard Obligations

Panguard shall:

• Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law
• Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
• Assist the Customer in fulfilling its obligations to respond to Data Subject requests
• Assist the Customer in ensuring compliance with its obligations regarding data security, breach notification, and data protection impact assessments
• At the Customer's election, delete or return all Personal Data upon termination of the Service, unless retention is required by applicable law
• Make available to the Customer all information necessary to demonstrate compliance with this DPA

5. Sub-processors

5.1 The Customer hereby provides general authorization for Panguard to engage Sub-processors to assist in providing the Service. Panguard maintains a current list of Sub-processors, available upon request.

5.2 Panguard shall notify the Customer of any intended changes to its list of Sub-processors at least 30 days before the engagement of a new Sub-processor, providing the Customer an opportunity to object.

5.3 Panguard shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA. Panguard remains fully liable for the acts and omissions of its Sub-processors.

6. Data Transfers

6.1 Panguard shall not transfer Personal Data to a country outside the Customer's jurisdiction unless appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules.

6.2 Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland, Panguard shall ensure compliance with the applicable Standard Contractual Clauses as adopted by the European Commission.

7. Security Measures

Panguard implements and maintains the following technical and organizational security measures:

• Encryption at Rest: All Personal Data stored by Panguard is encrypted using AES-256 encryption
• Encryption in Transit: All data transmitted between Customer endpoints and Panguard infrastructure is encrypted using TLS 1.3
• Access Controls: Role-based access controls with multi-factor authentication for all personnel with access to Personal Data
• Monitoring: Continuous monitoring and logging of all access to systems containing Personal Data
• Infrastructure Security: SOC 2 Type II certified cloud infrastructure with physical security controls, redundancy, and disaster recovery
• Employee Training: Regular data protection and security awareness training for all personnel

8. Data Subject Requests

8.1 Panguard shall promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, or objection.

8.2 Panguard shall not respond to such requests directly unless instructed by the Customer or required by applicable law. Panguard shall provide reasonable assistance to the Customer in responding to such requests.

9. Breach Notification

9.1 Panguard shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach that affects Customer Personal Data.

9.2 Such notification shall include: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected; (b) the name and contact details of Panguard's data protection contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to be taken to address the breach and mitigate its effects.

9.3 Panguard shall cooperate with the Customer and take all reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data breach.

10. Audit Rights

10.1 Panguard shall make available to the Customer, on request, all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.

10.2 The Customer (or a qualified third-party auditor appointed by the Customer) may conduct an audit of Panguard's processing activities, provided that: (a) the Customer gives at least 30 days' prior written notice; (b) audits are conducted during normal business hours; (c) the auditor is bound by confidentiality obligations; and (d) audits are limited to once per year unless required by a supervisory authority or following a data breach.

10.3 Panguard may satisfy audit requests by providing current SOC 2 Type II reports, ISO 27001 certification documentation, or equivalent third-party audit reports.

11. Term and Termination

11.1 This DPA shall remain in effect for the duration of the agreement under which Panguard provides the Service to the Customer.

11.2 Upon termination of the Service agreement, Panguard shall, at the Customer's election and within 30 days of receiving written instructions, either return all Personal Data to the Customer in a commonly used, machine-readable format, or securely delete all Personal Data and certify such deletion in writing.

11.3 Panguard may retain Personal Data to the extent required by applicable law, provided that such data is processed only for the purposes required by law and is subject to the confidentiality and security obligations of this DPA.