DPA

Last Updated: December 28, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between MUGSHOT LABS INC, a Delaware corporation (“Company”) and the Customer.

By accepting the Terms of Service, or by accessing or using the Company’s services (marketed as GuardianStack), the Customer is deemed to have signed and accepted the terms of this DPA.

1. Definitions

  • “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

  • “CCPA” means the California Consumer Privacy Act, as amended by the CPRA.

  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “process”), and “Supervisory Authority” have the meanings given to them in the GDPR.

  • “Customer Personal Data” means any Personal Data that Company processes in the course of providing the Service to Customer.

  • “Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including the EU GDPR, UK GDPR, Swiss FADP, the CCPA, and applicable US State Privacy Laws (including but not limited to those of Virginia, Colorado, Connecticut, and Utah).

  • “EU GDPR” means Regulation (EU) 2016/679.

  • “Service” means the device intelligence and browser fingerprinting services provided by Company via API and SDKs.

  • “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.

  • “Standard Contractual Clauses” (SCCs) means the clauses annexed to Commission Implementing Decision (EU) 2021/914.

  • “Sub-processor” means any Processor engaged by Company to assist in fulfilling its obligations with respect to providing the Service.

2. Roles and Scope

2.1 Role of the Parties.

Except as set out in Section 2.2, the Parties agree that Customer is the Controller of Customer Personal Data and Company shall process Customer Personal Data only as a Processor on behalf of Customer.

2.2 Company as Controller.

The Parties acknowledge that Company collects and processes certain data (Administration Data and Usage Data) as a Controller for legitimate business purposes, including billing, account management, and product development/model improvement (the “Controller Purposes”).

2.3 Processing Instructions.

Company shall process Customer Personal Data only for the purposes of providing the Service in accordance with the Agreement, unless required to do otherwise by applicable law.

2.4 California (CCPA) and US State Law Designation.

To the extent the CCPA or similar US State Privacy Laws apply, Company acts as a “Service Provider” (or “Processor”). Company shall not (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services; or (c) combine Customer Personal Data with personal data received from other sources, except as permitted by applicable law.

3. Sub-processing

3.1 Authorization.

Customer grants Company general authorization to engage Sub-processors to process Customer Personal Data. The current Sub-processors are listed in Schedule 4.

3.2 Changes to Sub-processors.

Company shall provide Customer with notice (via email or in-app notification) of any intended changes concerning the addition or replacement of Sub-processors. Customer may object to such changes within ten (10) days. If the Parties cannot resolve the objection, either Party may terminate the affected Service. Termination shall be the Customer’s sole and exclusive remedy with respect to such objection.

3.3 Obligations.

Company shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA.

4. Security and Audits

4.1 Security Measures.

Company shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data, as described in Schedule 3.

4.2 Confidentiality.

Company shall ensure that personnel authorized to process Customer Personal Data are subject to a duty of confidentiality.

4.3 Security Incidents.

Company will notify Customer without undue delay after becoming aware of a confirmed Security Incident. Such notification shall not be construed as an acknowledgement of fault or liability.

4.4 Audits and Demonstrating Compliance.

Upon written request, Company shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA. This may include:

(a) Completing a written security questionnaire provided by Customer;

(b) Providing certificates of compliance from its hosting providers (e.g., AWS/GCP SOC 2 reports); or

(c) Providing a summary of its most recent internal security review.

If the Customer requires an on-site audit or an audit by a third party, it shall be conducted at Customer’s sole expense, during normal business hours, no more than once per year, and in a manner that does not disrupt Company’s business operations.

5. International Transfers (SCCs)

5.1 Application of SCCs.

To the extent that the processing involves a transfer of Personal Data to a country outside the European Economic Area (EEA), the UK, or Switzerland that has not been recognized as providing an adequate level of protection:

(a) Module Two (Controller to Processor) of the SCCs shall apply to the provision of the Service.

(b) Module One (Controller to Controller) of the SCCs shall apply to processing for Controller Purposes.

5.2 UK and Swiss Addenda.

For transfers subject to the UK GDPR, the UK Addendum to the EU SCCs shall apply. For transfers subject to Swiss Data Protection Laws, the SCCs shall apply with the necessary modifications to ensure compliance with the Swiss FADP.

6. Cooperation and Data Subject Rights

6.1 Data Subject Requests.

To the extent Customer cannot independently access the relevant data, Company shall (at Customer’s expense) provide reasonable cooperation to assist Customer in responding to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data (e.g., requests for deletion or access).

6.2 Impact Assessments.

Company shall provide reasonable assistance to Customer with any data protection impact assessments (DPIAs) required under Data Protection Laws, taking into account the nature of processing and the information available to Company.

7. Return or Deletion of Data

Upon termination or expiration of the Agreement, Company shall delete all Customer Personal Data processed on behalf of Customer, except to the extent that:

(a) The data is being processed for the Controller Purposes defined in Section 2.2 (e.g., fraud modeling and product improvement);

(b) Company is required by applicable law to retain some or all of the data; or

(c) The data is archived on backup systems (which shall be securely isolated until deleted in the normal backup cycle).

8. General

8.1 Conflict.

In the event of a conflict between the Agreement and this DPA, this DPA shall prevail. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.

8.2 Governing Law.

Except where otherwise required by the SCCs (which shall be governed by the laws of Ireland), this DPA shall be governed by the laws of the State of Delaware, United States.

8.3 Liability.

Each Party’s liability for any breach of this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement. In no event shall Company’s liability under this DPA exceed the liability caps agreed upon in the Agreement.

Schedule 1: Parties

Data Exporter:

  • Name: The Customer (as defined in the Agreement)

  • Role: Controller

  • Activities: Use of the Service to detect fraud.

Data Importer:

  • Legal Name: MUGSHOT LABS INC

  • Address: 850 New Burton Road, Suite 201, Dover, DE 19904, United States

  • Role: Processor (and Controller for Usage/Admin data)

  • Activities: Provision of device intelligence and browser fingerprinting services.

Schedule 2: Details of Processing

1. Categories of Data Subjects

  • End Users: Individuals visiting the Customer’s websites or applications.

  • Authorized Users: Customer employees accessing the Company’s dashboard.

2. Categories of Personal Data

  • End User Data: Device identifiers, IP address, browser configuration, operating system details, geolocation data (approximate), and behavioral signals used for fraud detection.

  • Authorized User Data: Name, email address, login credentials, and billing information.

3. Sensitive Data

  • Company does not intentionally collect or process special categories of data (e.g., health, race, biometric ID for identification) unless explicitly configured by the Customer.

4. Frequency and Duration

  • Frequency: Continuous basis.

  • Duration: For the term of the Agreement plus the period required for backup deletion or legal compliance.

5. Nature and Purpose of Processing

  • Collecting, storing, and analyzing device and network signals to identify fraudulent behavior, bots, and account takeovers.

  • Billing, account management, and service optimization.

Schedule 3: Technical and Organizational Security Measures

Company implements the following technical and organizational measures to ensure the security of processing:

1. Cloud Infrastructure Security

  • Company utilizes top-tier cloud service providers (e.g., AWS, Google Cloud) that maintain industry-standard security certifications, including SOC 2 Type II and ISO 27001.

  • Physical security of the data centers is managed entirely by these providers, ensuring strict access control, video surveillance, and environmental protections.

2. Encryption

  • In Transit: All data transmitted between the Customer and Company, and between Company’s internal services, is encrypted using TLS 1.2 or higher.

  • At Rest: All Customer Personal Data stored in databases and backups is encrypted at rest using AES-256 standards or equivalent.

3. Access Control

  • Least Privilege: Access to production data is restricted to a limited number of authorized personnel on a strict need-to-know basis.

  • Authentication: Multi-Factor Authentication (MFA) is enforced for all employees accessing internal systems, cloud infrastructure, and administrative dashboards.

  • Offboarding: Access rights are immediately revoked upon termination of employment or change in role.

4. Software Development Lifecycle (SDLC)

  • Code Review: All changes to the codebase undergo peer review prior to deployment to production.

  • Separate Environments: Development, testing, and production environments are logically segregated. Customer data is processed only in the production environment.

  • Vulnerability Scanning: Company utilizes automated tools to scan code dependencies and infrastructure for known vulnerabilities.

5. Incident Management

  • Company maintains a security incident response process to detect, investigate, and mitigate security events.

  • In the event of a confirmed data breach affecting Customer Personal Data, Company will notify the Customer without undue delay.

6. Personnel Security

  • All employees and contractors with access to Customer Personal Data are required to sign confidentiality agreements.

  • Regular security awareness training is provided to employees to ensure understanding of data protection best practices.

7. Business Continuity

  • Backups: Database backups are performed daily to ensure data availability in the event of a system failure.

  • Retention: Backups are retained for a limited period (e.g., 30 days) and are encrypted to protect against unauthorized access.

Schedule 4: List of Sub-processors

The Customer authorizes the following Sub-processors:

For each Sub-processor, the processing activity and the location of data are listed below:

  • Amazon Web Services (AWS): Cloud Infrastructure & Hosting (Location of Data: USA, Europe)

  • Stripe: Payment Processing (Location of Data: USA)

  • Supabase: Auth (Location of Data: USA)

  • Netlify: Web Hosting (Location of Data: USA)

The Customer may request the full list of current Sub-processors at any time by contacting [email protected].

Schedule 5: Standard Contractual Clauses (SCCs)

1. Modules Applied:

  • Module One (Controller to Controller): Applies to Administration Data and Usage Data where Company acts as a Controller.

  • Module Two (Controller to Processor): Applies to End User Data processed for the Service.

2. Docking Clause:

  • Clause 7 (Docking Clause) shall not apply.

3. Choice of Forum and Jurisdiction (Clause 17 & 18):

  • Governing Law: The laws of Ireland.

  • Competent Courts: The courts of Dublin, Ireland.

4. Competent Supervisory Authority:

  • The Data Protection Commission of Ireland shall act as the competent supervisory authority.
