Data Processing Addendum
Last updated: January 20, 2025
Service: D2 Studio
Processor: Terrastruct, Inc. ("Terrastruct")
Controller: Customer identified in the applicable order form or agreement ("Customer")
This Data Processing Addendum ("DPA") is incorporated into and forms part of the Agreement between Terrastruct and Customer. If there is any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA will govern. Capitalized terms not defined here have the meanings in the Agreement.
1. Definitions
1.1 "Controller", "Processor", "Data Subject", "Personal Data", "Process/Processing" have the meanings given in applicable Data Protection Laws.
1.2 "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: the EU GDPR, UK GDPR and UK Data Protection Act 2018, the Swiss FADP, and the CCPA/CPRA, each as updated, amended, or replaced.
1.3 "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Terrastruct.
1.4 "Subprocessor" means any third party engaged by Terrastruct to Process Personal Data.
1.5 "Restricted Transfer" means any transfer of Personal Data to a country outside the EEA/UK/Switzerland that is not subject to an adequacy decision.
1.6 "Specified Notice Period" means seventy‑two (72) hours.
2. Roles; Scope; Duration; Precedence
2.1 Roles. Customer acts as Controller, and Terrastruct acts as Processor when Processing Personal Data to provide D2 Studio under the Agreement.
2.2 Scope. This DPA applies only to Processing of Personal Data subject to Data Protection Laws.
2.3 Duration. This DPA is effective for the term of the Agreement and, thereafter, as long as Terrastruct Processes Personal Data for Customer.
2.4 Precedence. If there is a conflict, the order of precedence is: (1) the SCCs and any region‑specific terms (Annex IV), (2) this DPA, and (3) the Agreement.
3. Processing of Personal Data
3.1 Customer Instructions. Terrastruct will Process Personal Data only (a) in accordance with Customer's documented instructions, including as necessary to provide D2 Studio and as described in Annex I (Subject Matter and Details of Processing), or (b) as required to comply with law. If Terrastruct reasonably determines an instruction infringes Data Protection Laws, Terrastruct may suspend performance until Customer confirms or modifies the instruction.
3.2 Confidentiality. Terrastruct will ensure that persons authorized to Process Personal Data are bound by appropriate confidentiality obligations.
3.3 Compliance. Each party will comply with Data Protection Laws applicable to its Processing; Customer is responsible for establishing all necessary lawful bases and providing all required notices to Data Subjects for Terrastruct's Processing contemplated by the Agreement.
3.4 Changes to Laws. The parties will cooperate in good faith to amend this DPA as reasonably necessary to address changes in Data Protection Laws.
4. Subprocessors
4.1 Authorization. Customer authorizes Terrastruct to engage Subprocessors to provide D2 Studio. Terrastruct will enter into written agreements with Subprocessors imposing data protection obligations no less protective than those in this DPA and remains responsible for their acts and omissions.
4.2 List & Notice. Terrastruct maintains a current list of Subprocessors in Annex III and may update it from time to time. Terrastruct will notify Customer at least 30 days before authorizing any new Subprocessor.
4.3 Objections. Customer may object in writing to a new Subprocessor based on reasonable data‑protection grounds within 30 days of notice. The parties will discuss in good faith to reach a resolution; if none is reached, Customer may terminate the affected services and receive a pro‑rated refund of prepaid, unused fees.
5. Security
5.1 Technical and Organizational Measures (TOMs). Terrastruct will implement and maintain appropriate TOMs designed to protect the security, confidentiality, integrity, and availability of Personal Data as described in Annex II. Terrastruct will regularly monitor compliance with its TOMs.
5.2 Security Incidents. Terrastruct will (a) maintain procedures to detect and respond to Security Incidents; and (b) notify Customer without undue delay and in any event within the Specified Notice Period after becoming aware of a Security Incident affecting Customer's Personal Data. Terrastruct will investigate, mitigate, and remediate the cause to the extent within its control and assist Customer with any notifications required by law.
5.3 Customer Responsibilities. Customer is responsible for determining whether D2 Studio meets Customer's security requirements and for complying with any security‑incident notification laws applicable to Customer.
6. Assistance; DPIAs; Data Subject Requests
6.1 Assistance. Taking into account the nature of the Processing and the information available to Terrastruct, Terrastruct will reasonably assist Customer in (a) responding to requests from Data Subjects to exercise their rights under Data Protection Laws (to the extent Customer cannot reasonably fulfil the request itself), and (b) carrying out data protection impact assessments and consultations with supervisory authorities required by Data Protection Laws.
6.2 Data Subject Requests. If Terrastruct receives a request directly from a Data Subject relating to Customer's Personal Data, Terrastruct will notify Customer and advise the Data Subject to submit the request to Customer unless required by law to respond.
7. Return and Deletion
7.1 During Term. During the term, Customer may export or delete Personal Data via D2 Studio's available functionality.
7.2 Post‑Termination. Upon termination or expiration of the Agreement, Terrastruct will delete Personal Data from its systems in accordance with industry‑standard secure deletion practices and, upon request, provide a certificate of deletion. Terrastruct may retain Personal Data if required by law or under standard backup/record‑retention policies, in which case it will maintain confidentiality and not Process the data except as required by law.
8. Audits
8.1 Records. Terrastruct will maintain records of its Processing of Personal Data as required by Data Protection Laws and make such records available to Customer upon reasonable request.
8.2 Third‑Party Reports. Upon written request not more than once annually, Terrastruct will provide summary copies of third‑party audit reports (e.g., SOC 2) subject to confidentiality obligations. Customer may share such summaries with regulators upon request.
8.3 Customer Audit. If the information made available by Terrastruct is not reasonably sufficient to demonstrate compliance, Customer may, at its expense and no more than once annually, conduct a security meeting with Terrastruct's security personnel and/or submit a reasonable security questionnaire. Any on‑site visit will be subject to Terrastruct's approval of scope and timing and execution of a mutually agreeable NDA. Terrastruct will remediate any mutually agreed material deficiencies within a reasonable time.
9. Cross‑Border Transfers; Region‑Specific Terms
9.1 Restricted Transfers. Where Customer Personal Data is transferred outside the EEA/UK/Switzerland to a country not subject to an adequacy decision, the parties agree the EU Standard Contractual Clauses (2021/914) – Module 2 (Controller to Processor), completed as set out in Annex IV, are incorporated by reference; for UK transfers, the UK International Data Transfer Addendum is incorporated as set out in Annex IV; for Swiss transfers, references to GDPR in the SCCs are to be read as references to the FADP where appropriate.
9.2 Order of Precedence. The SCCs and region‑specific terms in Annex IV prevail in case of conflict with this DPA.
10. CCPA/CPRA (Service Provider) Terms
10.1 Service Provider. Terrastruct acts as a "Service Provider" (or "Processor") with respect to Customer Personal Information. Terrastruct will Process such Personal Information solely to provide D2 Studio, to maintain or improve the service, or as otherwise permitted by CCPA/CPRA; it will not sell or share Personal Information or combine it with other data except as permitted by law or this DPA.
10.2 Consumer Requests. Terrastruct will assist Customer in responding to verified consumer requests under CCPA/CPRA as described in Section 6.
10.3 No Retention After Purpose Ends. Terrastruct will not retain, use, or disclose Personal Information for any purpose other than those specified in the Agreement and this DPA or as permitted by law.
11. Liability; Miscellaneous
11.1 Liability. Any limitation of liability in the Agreement applies to this DPA and the SCCs permitted by law.
11.2 Governing Law. This DPA is governed by the governing law of the Agreement, except as otherwise required by applicable Data Protection Laws or the SCCs.
11.3 Amendment. Terrastruct may make updates to this DPA that do not materially reduce protections; material updates will be notified to Customer.
Annex I – Subject Matter and Details of Processing
A. Parties
- Data exporter (Controller): Customer, as identified in the Agreement and applicable ordering document.
- Data importer (Processor): Terrastruct, Inc., 2443 Fillmore St #380-3882, San Francisco, CA 94115, USA (or updated corporate address, if different), privacy@terrastruct.com.
B. Description of Processing
- Subject matter: Provision of D2 Studio (diagramming and developer documentation platform) and related support.
- Duration: For the term of the Agreement and as otherwise set forth in this DPA.
- Nature and purpose: Hosting, storage, transmission, display, transformation, analysis, logging, support, and other Processing necessary to provide D2 Studio and its integrations.
- Categories of Data Subjects: Authorized users of Customer (e.g., employees and contractors); individuals whose information may appear in diagrams or related content Customer uploads or integrates.
- Categories of Personal Data: Account/profile data (name, email, username), organization/workspace identifiers, authentication identifiers and tokens (including OAuth), usage and telemetry data, IP address and approximate location, content and metadata included in user diagrams, exported files, or images Customer uploads; integration metadata from connected services (e.g., GitHub repository names, issue IDs). Customer may choose to Process additional Personal Data at its discretion via the service.
- Special categories: Not intentionally collected or required. Customer is responsible for not submitting special categories unless agreed in writing.
- Frequency: Continuous and on‑demand, as initiated by Customer.
- Data retention: For the term of the Agreement and as set forth in product documentation or Customer's configuration; backups retained per standard retention schedules.
C. Authorized Subprocessors
See Annex III.
Annex II – Technical and Organizational Measures
Terrastruct maintains TOMs appropriate to the risk, including, without limitation:
- Information security program & policies reviewed at least annually.
- Access controls with role‑based provisioning, MFA for corporate systems, and periodic access reviews.
- Encryption: Customer data encrypted at rest and in transit.
- Network security and segmentation; hardened configurations; firewalls; intrusion detection/monitoring.
- Vulnerability management including code scanning, dependency monitoring, and at least quarterly external‑facing scans; annual penetration testing; timely patch management.
- Business continuity and disaster recovery including backups encrypted and replicated; periodic testing.
- Incident response with documented procedures, on‑call 24/7 monitoring, and defined escalation.
- Asset management and endpoint security including MDM and full‑disk encryption on company‑managed devices.
- Vendor management including security reviews of critical vendors and contractual data‑protection obligations.
- Data minimization & segregation, separate environments for development and production; no production customer data in lower environments.
- Logging and monitoring of systems and applications.
- Employee screening, confidentiality, and security awareness training.
(Where helpful, Terrastruct may provide Customer with current third‑party audit summaries (e.g., SOC 2) under NDA.)
Annex III – Subprocessors (Third‑Party Service Providers)
Category | Subprocessor | Purpose | Types of Personal Data/Processing |
---|---|---|---|
Payment Processing | Stripe | Payment processing, subscription management, billing | Transaction data; payment instrument metadata (no card PAN stored by Terrastruct), customer identifiers |
Cloud Infrastructure | Google Cloud Platform | Cloud storage; autolayout processing; reCAPTCHA verification | User diagrams and exported files; form submission data; service telemetry |
Authentication & Integrations | GitHub | OAuth authentication and repository integration | User profile info; repository metadata; OAuth tokens |
Authentication & Integrations | | OAuth authentication | User profile info; OAuth tokens |
Authentication & Integrations | WorkOS | Enterprise SSO | User profile info; authentication metadata |
Communication & Collaboration | Slack | D2 bot integration for diagram generation | Workspace data; user messages; generated diagrams |
Communication & Collaboration | Discord | Bot integration for diagram generation | Server data; user messages; generated diagrams |
Communication & Collaboration | Atlassian (Jira/Confluence/etc.) | Product integrations | Workspace data; user information/metadata |
Email Services | SendGrid | Transactional email delivery | Email addresses; notification content/metadata |
Analytics & Monitoring | Sentry | Error tracking and application monitoring | Error logs; performance data; user context |
Analytics & Monitoring | LogRocket | Session recording and debugging | Interaction events; session recordings; application state |
Analytics & Monitoring | Elastic APM | APM monitoring | Performance metrics; traces; system metrics |
Terrastruct may update this list from time to time in accordance with Section 4.
Annex IV – Cross‑Border Transfer Mechanisms and Region‑Specific Terms
A. EU/EEA Transfers – Standard Contractual Clauses (Controller → Processor, Module 2).
The parties agree the SCCs promulgated by Commission Implementing Decision (EU) 2021/914 are incorporated by reference. The SCCs' Annex I(A)–(C) are completed by Annex I and Annex III. Annex II is completed by Annex II of this DPA. The competent supervisory authority is determined under Clause 13. Governing law for the SCCs is the law of Ireland unless otherwise required by Customer's location.
B. UK Transfers – International Data Transfer Addendum (IDTA) to the EU SCCs.
The parties incorporate the UK IDTA (version as issued by the UK ICO) to the SCCs. Tables 1–3 are completed by the information in Annexes I–III; Table 4: neither party may unilaterally terminate due to changes to the IDTA except as permitted by law.
C. Switzerland.
For Swiss transfers, references to GDPR in the SCCs will be interpreted to include the Swiss FADP; the competent supervisory authority is the FDPIC; "member state" will be read to include Switzerland.
D. CCPA/CPRA.
Terrastruct's commitments in Section 10 satisfy the service provider/processor requirements of CCPA/CPRA.
Annex V – Security Point of Contact
Email: security@terrastruct.com
Address: Terrastruct, Inc., 2443 Fillmore St #380-3882, San Francisco, CA 94115, USA
Annex VI – Data Deletion Certification (Template)
Terrastruct certifies that, as of the date below, it has deleted Customer Personal Data from its systems in accordance with the DPA.
Customer: ____________________________
Terrastruct: __________________________
Date: ________________________________
END OF DPA
Questions about this DPA?
If you have questions about our Data Processing Addendum or need a signed copy, please contact us at privacy@terrastruct.com.