A processor agreement that maps cleanly to Art. 28.
This Data Processing Addendum supplements the Terms of Service between the Customer (acting as controller) and X and Me Technology AG (acting as processor) for personal data processed through the WebWall platform. It incorporates by reference the EU Standard Contractual Clauses for controller-to-processor transfers (Module Two) where those apply.
Definitions
Terms used in this Addendum have the meaning given in the GDPR (Regulation (EU) 2016/679), the Swiss FADP, and the UK Data Protection Act 2018. In particular: controller, processor, personal data, processing, data subject, and supervisory authority have the meanings in Art. 4 GDPR. SCCs means the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914.
Subject matter, duration, nature, purpose
Subject matter. Processing of personal data on behalf of the Customer for the purpose of operating the WebWall platform — including policy evaluation, anomaly detection, enforcement, and signed audit generation — together with the related support and operator services.
Duration. The Addendum applies for the term of the subscription plus any post-termination retrieval window agreed in the order form.
Nature. Inline, real-time classification and enforcement; generation and retention of signed verdict records; operator-initiated replay and investigation.
Purpose. Preventing and responding to security incidents affecting the Customer's applications, agents, and users.
Categories of data and data subjects
Categories of personal data may include identifiers contained in traffic payloads (user identifiers, session identifiers, IP addresses), content of messages where that content is inspected by a rule the Customer has authored, and metadata about the actor issuing a request (time, transport, peer DID). The Customer is solely responsible for configuring the rule set; WebWall inspects only what the rule set requires it to inspect.
Categories of data subjects include the Customer's end-users, the Customer's employees and contractors, and any third parties whose interactions with the Customer's systems are mediated by the platform.
Special categories of personal data (Art. 9) are not expected to be processed in the normal course. Where the Customer's use case requires such processing, additional safeguards must be agreed in writing before go-live.
Processor obligations (Art. 28(3))
We will:
- Process personal data only on documented instructions from the Customer, including with regard to international transfers, unless Swiss or EU law requires otherwise, in which case we will inform the Customer unless that law prohibits it
- Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality
- Take all measures required pursuant to Art. 32, as detailed in the Security Measures schedule
- Respect the conditions for engaging sub-processors set out in § 05 (Sub-processors)
- Assist the Customer, by appropriate technical and organisational measures, in responding to requests for exercising data-subject rights (Arts. 12–22)
- Assist the Customer in ensuring compliance with obligations under Arts. 32–36 (security, breaches, DPIAs, prior consultation), taking into account the information available to us
- At the Customer's choice, delete or return all personal data at the end of the Addendum, and delete existing copies unless Swiss or EU law requires retention
- Make available all information necessary to demonstrate compliance with Art. 28, and allow and contribute to audits conducted by the Customer or a mandated auditor, subject to § 09 (Audit)
Sub-processors
The Customer grants general written authorisation for us to engage sub-processors from the list published at webwall.ai/security/subprocessors. Before adding or replacing a sub-processor, we will publish an updated list and notify active customer contacts by email at least 30 days in advance. The Customer may object on reasonable grounds related to data protection; where the objection is sustained and we cannot reasonably accommodate it, the Customer may terminate the affected service with a pro-rated refund of prepaid fees.
Each sub-processor is bound by contractual obligations no less protective than those in this Addendum, and we remain fully liable to the Customer for the sub-processor's performance.
International transfers
The primary processing location is Switzerland. Where personal data is transferred outside Switzerland, the EEA, the UK, or a jurisdiction recognised as adequate, the following apply in the order listed:
- For EU transfers — the 2021 SCCs, Module Two, with the Customer as data exporter and us (or the receiving sub-processor) as data importer, with the docking clause for additional parties and with Option 2 in Clause 9(a) for sub-processor authorisations
- For Swiss transfers — the SCCs as amended by the FDPIC, with references to the GDPR read as references to the FADP where applicable
- For UK transfers — the SCCs together with the ICO's International Data Transfer Addendum to the EU SCCs (the UK Addendum)
- Supplementary technical measures: at-rest encryption under tenant-scoped keys, transit encryption with modern ciphers, and separation of duties so that access by a support engineer to customer payloads is logged, notified, and justified
Security measures (Art. 32)
We implement, among others:
- Tenant isolation with per-tenant cryptographic material and strict access controls at the process, data, and network boundary
- Post-quantum signatures (ML-DSA, FIPS 204) on verdicts and on operator actions in the audit log
- MFA and hardware tokens for all staff access to production; time-bounded, audit-logged just-in-time privilege elevation
- Continuous vulnerability management with documented SLAs by severity class; annual third-party penetration testing
- Monitoring and logging of access to personal data, with anomaly detection tied to on-call paging
- A written incident-response plan with tabletop exercises at least annually
- Background checks where permitted by local law, and a written privacy- and security-training programme for staff
Personal-data breaches
We will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal-data breach affecting the Customer's data. The notification will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. We will cooperate with the Customer in its Art. 33 notification to the supervisory authority and, where applicable, its Art. 34 communication to data subjects.
Audit
We make our compliance demonstrable through:
- Current SOC 2 Type II reports and/or ISO/IEC 27001 certificates, which we share under NDA on reasonable request; we pursue and maintain these attestations and certifications at the scope and pace published in our compliance roadmap
- Written responses to a reasonable industry-standard questionnaire (for example CAIQ) once per year per Customer
- On-site or remote audits conducted by the Customer or a mutually agreed, qualified third-party auditor, on at least 30 days' written notice, during business hours, no more than once per year except following a Customer-affecting breach or on the reasoned request of a supervisory authority
The Customer bears the cost of audits it commissions, except where the audit reveals material non-compliance, in which case we bear the reasonable documented cost. The auditor will be bound by confidentiality terms no less protective than those in the Terms of Service.
Return and deletion
At termination, and at the Customer's election stated within 30 days of termination, we will return or delete all personal data processed on the Customer's behalf. Where deletion is chosen, we will effect it by destroying the tenant key (cryptographic shredding), which renders every copy encrypted under that key, including downstream archives, unreadable; a deletion certificate will be provided on request. We may retain personal data to the extent and for the duration required by law; any such data remains subject to the confidentiality obligations in this Addendum.
Liability and precedence
Liability under this Addendum is governed by the limitation of liability in the Terms of Service, with the exceptions stated there. Where this Addendum conflicts with the Terms of Service on a matter of data protection, this Addendum prevails; where either conflicts with the SCCs, the SCCs prevail.
Changes
We may update this Addendum to reflect changes in law, certification, or sub-processors; material changes that reduce the protection offered will take effect only with 30 days' notice and the Customer's right to object.