Data Processing Addendum
This Data Processing Addendum ("Addendum") is made and entered into as of the effective date (the
"Effective Date") of the applicable customer's ("Customer") acceptance of the Terms of Use between Thunder
Client, Inc. (“Thunder Client”) and Customer. The purpose of the DPA is to ensure such processing is
conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals
whose Personal Data is processed.
1. Definitions
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be
construed accordingly:
- Personal Data: means any Personal Data Processed on behalf of the Customer;
- EU: means the European Union;
- Processor SCCs: means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- Data Protection Laws: means the Data Protection Act 2018 (as may be amended from time to time), the GDPR (Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "Regulation"), any national legislation passed to implement the Regulation, and any legislation amending or replacing the Regulation from time to time, whether in the United Kingdom or the European Union), the Privacy and Electronic Communication (EU Directive) Regulations 2003 and all applicable EU directives, statutes, regulations or codes of practice (to the extent that such codes of practice have legal effect) relating to data protection or the privacy of individuals.
- Services: means the services provided as a part of the Thunder Client platform.
- Process, Processing or Processed: means any operation or set of operations which is performed upon Personal Data whether or not by automatic means, including collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.
- The terms Controller, Data Subject, Personal Data, Personal Data Breach, Process and Processor have the same meanings as described in the Data Protection Laws.
2. Description of Personal Data Processing
Annex 1 to this Addendum sets out certain details of the Personal Data to be Processed by Thunder Client
pursuant to this Addendum. Annex 1 does not create any obligation or rights for any party to this Agreement.
3. Data Processing Terms
Thunder Client, acting as a data processor on behalf of the Customer, shall:
- 3.1 Process the Personal Data solely on the documented instructions of the Customer (as set out by the Customer or otherwise), for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Agreement;
- 3.2 Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- 3.3 Take all measures required pursuant to Article 32 of the GDPR to ensure the security of Processing of Personal Data;
- 3.4 Be generally authorized to engage another Processor to Process Personal Data ("Sub-Processor"), subject to Thunder Client meeting the conditions set out in Article 28 (2) and (4) of the GDPR. Thunder Client will notify the Customer of any changes at least 30 days prior to engaging a new Sub-Processor;
- 3.5 Promptly notify the Customer of any communication from a Data Subject regarding the Processing of Personal Data, or any other communication (including from a supervisory authority) related to the processing activities carried out under the Agreement in connection with the services provided;
- 3.6 Assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the data subject's rights;
- 3.7 Notify the Customer without undue delay of any Personal Data Breach related to Customer data. Such notice will include all information reasonably required by the Customer to comply with its obligations under the Data Protection Laws and assist the Customer with their obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and information available to Thunder Client;
- 3.8 Upon termination or expiry of this Agreement, the Customer may instruct Thunder Client within three (3) years to either delete or return all Personal Data. Absent such instruction, Personal Data will be retained for a period of 3 years, after which it will be deleted. Thunder Client may retain Personal Data beyond this period as required by EU or Member State law, but only as long as necessary for legal compliance;
- 3.9 Make available to the Customer on request all information necessary to demonstrate compliance with this Addendum and with Article 28 of the GDPR and shall allow for and contribute to audits, provided that Thunder Client is given at least 60 days’ prior notice and provided further that such audits shall not be performed more than once in any 12-month period (unless otherwise required by a supervisory authority); and Thunder Client shall not be required to provide or permit access to information concerning: (i) Thunder Client's internal pricing information; (ii) information relating to other clients; (iii) any of Thunder Client's non-public external reports; or (iv) anything which infringes any Data Protection Law.
4. Transfers
Thunder Client does not transfer personal data outside the European Union. Personal data is processed solely
within the EU, in compliance with GDPR requirements.
5. Termination
The parties agree that this Addendum shall terminate automatically upon expiry or termination of all
services under the Client contract.
6. Compliance with Data Protection Laws
Each party to this Addendum shall comply with all applicable Data Protection Laws when processing Personal
Data.
This DPA shall be incorporated into and form part of the Agreement with effect from the Addendum Effective
Date.
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail.
Annex 1 – Processing Details
- Nature and Purpose of Transfer and Processing: Thunder Client provides a lightweight extension for API testing, enabling businesses to verify that their APIs are secure and function correctly under various conditions. The subject matter of the processing is derived from the Agreement to which this Addendum refers. It is important to note that any processing of personal data by the Processor on behalf of the Controller is not intended.
- Frequency of Processing: Continuous basis depending on the use of the Services by Customer.
- Duration of the Processing: Subject to section 4.8 of the DPA, Thunder Client will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
- Categories of Data Subjects: Employees and other personnel of Customer.
- Categories of Personal Data: Personal Data may include: full name, email address. Additionally, as applicable, any Customer Personal Data input into the Services.
- Sensitive Data or Special Categories of Data: Personal Data Processed does not include special categories of Personal Data.
Schedule 2 – Authorised Subprocessors
Subprocessor Name | Location of Processing | Purpose Of Processing |
---|---|---|
Microsoft Azure | Ireland | Cloud infrastructure |
Schedule 3 - Technical and Organisational Measures
Thunder Client currently observes the security measures described in this Schedule 3:
- Restricted User Access: Thunder Client follows industry best practices to prevent unauthorised access to data and protect data from unauthorised actions such as input, reading, copying, removal, modification, or disclosure. Such measures include that employee access is restricted in accordance with least privilege principles based on personnel job functions. Additionally, Thunder Client enforces robust user authentication and privilege management by verifying authorised personnel with strong passwords and secure multi-factor authentication.
- Personnel: Thunder Client maintains industry best practices for vetting, training, and managing personnel with respect to security matters, including annual security training for employees and supplemental security training as appropriate. Additionally, Thunder Client imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
- Third Party Risk Management: Thunder Client maintains industry best practices for managing third-party security risks, including ensuring that all third parties undergo a formal vendor due diligence assessment and all vendors are required to have a written contract in place to ensure that any agent agrees to maintain reasonable and appropriate safeguards to protect customers’ data.
- Systems Monitoring: Thunder Client relies on Azure’s built-in monitoring and security features to detect, log, and respond to events that may pose security risks. This integration enables timely identification and mitigation of potential threats to the integrity and confidentiality of data, leveraging Azure’s robust security infrastructure.
- Security in Storage and Transmission: Thunder Client uses technical controls to protect against unauthorised access to Personal Data that is transmitted over public electronic communications networks or stored in Thunder Client, including encryption of sensitive data stored on laptops and removable storage devices.