- SCALIBIT technology

Effective Date: March 1, 2025

SCALIBIT - DATA PROCESSING ADDENDUM

This Data Processing Addendum (the “Addendum”) is executed between you (“Customer”) and the applicable SCALIBIT entity that is a party to the General Terms of Service and any other agreements between you and SCALIBIT (collectively, the "Agreement"). SCALIBIT and the Customer are referred to herein individually as a "Party" and collectively as the "Parties." This DPA is effective as of the effective date of the Agreement ("Effective Date") and governs all processing activities of Customer Personal Data performed under the Agreement.

1. SCOPE, ORDER OF PRECEDENCE, AND TERM

1.1 This Data Processing Addendum (“DPA”) forms an addendum to the Terms of Service (“Agreement”) between SCALIBIT.COM (“SCALIBIT”) and the Customer. SCALIBIT and the Customer are each a “Party” and collectively the “Parties.”

For clarity, this DPA does not apply to Virtual Machines (VPS Hosting, VDS Hosting, Dedicated Cloud Servers), Cloud Services (Cloud Hosting, Cloud Servers, Cloud Backup), Cloud Compute (Standard Performance, High Performance, High Frequency), Optimized Cloud Compute (General Purpose, CPU Optimized, Memory Optimized, Storage Optimized), and Dedicated Servers (Dedicated Servers or Bare Metal) services, where SCALIBIT acts solely as an infrastructure provider. In these services, SCALIBIT provides and maintains the physical and network infrastructure and delivers the base operating system to the Customer, but does not access, manage, or process any Customer Data stored or transmitted within. The Customer retains full administrative control and assumes sole responsibility for the management, security, and compliance of all hosted data under applicable Data Protection Laws, including but not limited to the GDPR, KVKK, and other equivalent international privacy frameworks. All data transfers under such services remain subject to lawful cross-border transfer mechanisms, as defined in Section 12 and Section 13 of this DPA.
1.2 This DPA applies where, and only to the extent that, SCALIBIT processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws applicable in one or more jurisdictions in which SCALIBIT operates — including but not limited to the State of California, the European Union, the European Economic Area and its Member States, Switzerland, the United Kingdom, Türkiye, and any other jurisdiction with comparable privacy legislation. The Parties agree to comply with the terms and conditions of this DPA in connection with such Personal Data.
1.3 The duration of the processing activities covered by this DPA shall be consistent with the term of the Agreement and shall continue until all Customer Personal Data is deleted or returned in accordance with this DPA.

2. DEFINITIONS

Unless otherwise defined in the Agreement, all capitalized terms used in this DPA shall have the meanings set forth below:

2.1 “Affiliate” means any entity that controls, is controlled by, or is under common control with a Party. “Control” means direct or indirect ownership or control of fifty percent (50%) or more of the voting interests of such entity.
2.2 “Agreement” means the Terms of Service (“ToS”) and all other written or electronic agreement(s) between SCALIBIT and the Customer governing the use of the Websites, Products, or Orders (as applicable), as updated from time to time. References to the “Agreement” include the Standard Contractual Clauses (“SCCs”) and any other applicable cross-border transfer mechanisms required by law.
2.3 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing Personal Data under the Agreement.
2.4 “Customer” means the purchaser or end-user of the Services from SCALIBIT, or the entity identified in the applicable Order or Service Agreement.
2.5 “Database Software” means any software used for creating, editing, and maintaining databases (e.g., MySQL, MariaDB, PostgreSQL).
2.6 “Logical Security” means the protection of operating systems and applications on SCALIBIT’s platform through mechanisms such as authentication, access-control lists, and user authorization to ensure only authorized users can access data or perform actions.
2.7 “Physical Security” means the protection of hardware, networking, and facilities from physical actions or events that could cause damage or loss, including fire, flood, natural disasters, theft, or vandalism.
2.8 “SCALIBIT Network” means SCALIBIT’s global network of data-center facilities, servers, networking equipment, and supporting software systems under SCALIBIT’s direct management and control used to deliver its Websites and Services.
2.9 “SCALIBIT Data” means (a) all information relating to SCALIBIT’s business operations and the delivery of Services, including Personal Data concerning Customer representatives; (b) operational data such as Customer account information, transaction history, and usage analytics; and (c) De-Identified Data generated from Customer interactions, subject to applicable Data Protection Laws.
2.10 “Customer Data” means the Personal Data processed by SCALIBIT on behalf of the Customer through its hosting infrastructure as described in this DPA. Customer Data excludes SCALIBIT Data. For the avoidance of doubt, data stored or transmitted on customer-managed or self-managed servers (including Virtual Machines, Cloud, or Dedicated Server environments) is not considered Customer Data under this DPA.
2.11 “Data Protection Laws” means all applicable worldwide data-protection, privacy, and cybersecurity laws governing the Processing of Customer Data under the Agreement, including (where applicable) the European Data Protection Laws, the Türkiye Personal Data Protection Law (KVKK, Law No. 6698), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other comparable U.S. state privacy frameworks such as the Colorado CPA, Connecticut CTDPA, Virginia VCDPA, Utah UCPA, and Texas TDPSA, as well as equivalent national or international privacy statutes.
2.12 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
2.13 “European Data Protection Laws” means, collectively, (i) the GDPR (Regulation 2016/679); (ii) Directive 2002/58/EC; (iii) their national implementations; (iv) the UK Data Protection Act 2018 and related UK laws; and (v) the Swiss Federal Data Protection Act.
2.14 “Non-European Data Protection Laws” means, without limitation, the Türkiye KVKK, United States federal and state privacy laws (including the CCPA, CPRA, CPA, VCDPA, CTDPA, UCPA), Brazil’s LGPD, Canada’s PIPEDA, and Australia’s Privacy Act 1988 (Cth), together with any other comparable data-protection or privacy laws enacted worldwide.
2.15 “Personal Data” means any information relating to an identified or identifiable natural person, including any information defined as Personal Data, Personal Information, or Personally Identifiable Information (“PII”) under applicable Data Protection Laws, but excluding De-Identified Data.
2.16 “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction. “Process,” “Processes,” and “Processed” shall be construed accordingly.
2.17 “Processor” means any natural or legal person, public authority, agency, or other body which processes Customer Data on behalf of the Controller. Under applicable U.S. state privacy laws (e.g., the CCPA, CPRA, CPA, and VCDPA), the term “Processor” shall have the same meaning as “Service Provider”.
2.18 “Services” means the hosting, cloud, or related services provided by SCALIBIT under the Agreement that involve, or may involve, the Processing of Customer Data.
2.19 “Security Incident” means any confirmed unauthorized or unlawful breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed or otherwise controlled by SCALIBIT.
2.20 “Sensitive Data” means (i) government-issued identifiers (e.g., social-security, tax, passport, driver’s-license numbers); (ii) payment-card data; (iii) financial, genetic, biometric, or health information; (iv) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, sexual orientation, or criminal history; or (v) any data defined as “special categories of data” under applicable Data Protection Laws.
2.21 “Sub-Processor” means any processor engaged by SCALIBIT or its Affiliates to assist in fulfilling its obligations in providing the Services under the Agreement or this DPA. Sub-Processors may include third parties or SCALIBIT Affiliates but exclude SCALIBIT’s own employees or individual contractors.
2.22 “Transfer” means any movement, disclosure, access, storage, or other processing of Customer Data across jurisdictions, including (a) transfers from Controller to Processor, and (b) onward transfers from Processor to Sub-Processor. All such Transfers are subject to lawful cross-border mechanisms such as Standard Contractual Clauses (SCCs), the UK Addendum, adequacy decisions, or other recognized safeguards under applicable Data Protection Laws.
2.23 “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the UK Information Commissioner’s Office, as amended from time to time.
2.24 “De-Identified Data” means data that cannot reasonably identify, relate to, describe, or be linked, directly or indirectly, to a specific Data Subject.

3. DATA PROCESSING

3.1 Scope and Roles. If European Data Protection Laws and/or any other applicable Data Protection Law (including but not limited to the KVKK, CCPA, CPRA, LGPD, or PIPEDA) apply to either Party’s processing of Customer Data, the Parties acknowledge and agree that, with respect to such processing, this DPA shall apply when Customer Data is processed by SCALIBIT. In this context, SCALIBIT acts as a “Processor” to the Customer, who may act as a “Controller” or another “Processor” with respect to the Customer Data (as those terms are defined under the GDPR, Article 4 and Article 28(3)).

Under applicable U.S. state privacy laws (including but not limited to the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and comparable state frameworks such as the Colorado CPA, Connecticut CTDPA, Virginia VCDPA, Utah UCPA, and others), SCALIBIT acts as a “service provider” or “processor” with respect to managed environments (e.g., Shared Web Hosting or limited technical support cases), and as a “business” with respect to Customer account, billing, authentication, and communication data.

3.1.1 For clarity, SCALIBIT acts as a Data Processor only for services where it actively manages and maintains the hosting environment, including Shared Hosting and Managed WordPress Hosting. In all infrastructure-based services — including Virtual Machines (VPS, VDS, Dedicated Cloud Servers), Cloud Services (Cloud Hosting, Cloud Servers, Cloud Backup), Cloud Compute (Standard Performance, High Performance, High Frequency), Optimized Cloud Compute (General Purpose, CPU Optimized, Memory Optimized, Storage Optimized), and Dedicated Servers — SCALIBIT acts solely as an Infrastructure Provider. In these cases, SCALIBIT delivers and maintains the physical and network infrastructure and provides the base operating system to the Customer but does not access, manage, or process any data hosted or transmitted by the Customer. The Customer retains full administrative control and assumes exclusive responsibility for the management, security, and compliance of all hosted data.

All cross-border transfers of Customer Data, where applicable, shall be conducted in accordance with lawful transfer mechanisms described in Sections 12 and 13 of this DPA.
3.2 Purpose Limitation and Customer Controls. SCALIBIT shall process, transfer, and store Customer Data, as further described in Annex A (Details of Data Processing), only in accordance with Customer’s documented lawful instructions, as set forth in this DPA, as necessary to comply with applicable laws, or as otherwise agreed in writing (“Permitted Purposes”). The Websites and Products provide Customers with multiple technical and organizational controls to retrieve, correct, delete, or restrict Customer Data. The Customer may use these controls to assist in fulfilling obligations under the GDPR, CCPA, CPRA, KVKK, and other applicable Data Protection Laws, including responses to Data Subject requests.
3.3 Processing on Documented Instructions. SCALIBIT shall only process Personal Data on behalf of and in accordance with the Customer’s documented instructions and shall treat such data as Confidential Information. The Customer instructs SCALIBIT to process Personal Data for the following purposes:

(i) processing in accordance with the Agreement and applicable Orders;

(ii) processing to comply with reasonable Customer instructions (e.g., via support ticket), provided such instructions are consistent with this DPA; and

(iii) processing required by applicable law to which SCALIBIT or its Affiliates are subject, in which case SCALIBIT shall, to the extent permitted by law, inform the Customer of such legally required processing.

The Customer shall, in its use or receipt of the Services, process Personal Data in accordance with applicable Data Protection Laws and shall ensure that its instructions for such processing are lawful. The Customer remains solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which it is acquired.
3.4 Prohibited Data. The Customer shall not provide, or cause to be provided, any Sensitive Data (as defined under Article 9 of the GDPR and Article 6 of the KVKK) to SCALIBIT for processing under the Agreement, unless expressly agreed in writing. SCALIBIT shall have no liability for any Sensitive Data (including financial account access credentials) provided in violation of this clause.
3.5 Compliance with Laws.

3.5.1 The Customer represents and warrants that:

- it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any processing instructions issued to SCALIBIT; and

- it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for SCALIBIT to process Customer Data for the purposes described in the Agreement.

The Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which such data was acquired. Without limiting the foregoing, the Customer agrees to comply with all laws (including Data Protection Laws) applicable to any content created, sent, or managed through the Websites or Products, including obtaining required consents for email communications, the content of those emails, and their deployment practices.
3.6 SCALIBIT will comply with all applicable laws, rules, and regulations globally and within each jurisdiction where it operates or processes Customer Data, including those governing cross-border data transfers.
3.7 SCALIBIT will promptly inform the Customer of any instruction that it reasonably believes violates applicable Data Protection Laws and will not execute such instruction until it has been confirmed or modified.
3.8 When Customer Data is processed by SCALIBIT in connection with managed hosting services, both Parties acknowledge and agree that:

- SCALIBIT acts as a Data Processor of Customer Data under the GDPR and, where applicable, other Data Protection Laws; and

- the Customer acts as the Data Controller of such Customer Data under the same legal frameworks.
3.9 Customer Instructions. The Parties agree that the Agreement and this DPA, including configuration tools such as any SCALIBIT management console, control panel, or APIs, constitute the Customer’s documented instructions regarding SCALIBIT’s processing of Customer Data (“Documented Instructions”). SCALIBIT will process Customer Data only in accordance with these Documented Instructions. Any additional or modified instructions require prior written agreement between the Parties, including any associated fees. The Customer may terminate this DPA and the Agreement if SCALIBIT declines to follow instructions outside the agreed scope.
3.10 Confidentiality and Legal Disclosure. SCALIBIT shall treat all Customer Data as strictly confidential and shall not copy, transfer, or otherwise process it in conflict with the Customer’s instructions unless required by law. All SCALIBIT employees and authorized personnel are bound by confidentiality obligations ensuring that Customer Data is processed only as instructed.

SCALIBIT will not access, use, or disclose any Customer Data except as necessary to maintain or provide the Services, or as required by a valid and verifiable request from a competent authority, such as a law enforcement agency, prosecutor’s office, court, or data-protection regulator, acting within lawful jurisdiction. Where permitted by law, SCALIBIT will notify the Customer prior to such disclosure and will make reasonable efforts to limit the disclosure to the minimum necessary information to fulfill the legal obligation.

Where necessary, SCALIBIT may also disclose limited Customer Data to protect its legal rights, enforce contractual obligations, prevent fraud or abuse, ensure the safety of individuals, or respond to claims and legal processes, consistent with applicable law.

4. SCALIBIT'S RESPONSIBILITIES

4.1 Scope of Responsibility. SCALIBIT’s responsibilities regarding the processing of personal data provided by the Customer in connection with the Services are limited to maintaining adequate physical and logical security for the hosting infrastructure on which such data resides. SCALIBIT is responsible for the Physical Security of its global data-center platform and for the Logical Security of the operating systems and database software layers it manages. SCALIBIT is not responsible for the security, configuration, or content of data uploaded, stored, or otherwise processed by the Customer within its hosting environment or Customer-managed software; these remain the sole responsibility of the Customer.

All SCALIBIT infrastructure operates on a multi-region basis, and cross-border data transfers (if any) are conducted under lawful transfer mechanisms as defined in Sections 12 and 13 of this DPA.
4.2 Data-Protection Obligations. In relation to any personal data processed by SCALIBIT in connection with the performance of its obligations under this Agreement:

- 4.2.1 SCALIBIT shall process such personal data only on the documented instructions of the Customer, unless otherwise required to do so under applicable laws of any jurisdiction in which SCALIBIT operates (“Applicable Laws”). Where SCALIBIT is required by Applicable Laws to process personal data, it shall, to the extent permitted, notify the Customer before such processing occurs.

- 4.2.2 Pursuant to Article 32 of the GDPR and equivalent provisions of other Data Protection Laws, SCALIBIT shall implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Such measures are outlined in Annex 2 (Security Standards) of this Agreement. Such measures shall also meet or exceed the reasonable security procedures and practices required under applicable U.S. state privacy laws (including the CCPA/CPRA and comparable frameworks).

- 4.2.3 SCALIBIT shall ensure that only personnel required for the purposes of performing this Agreement have access to personal data, and that all such personnel are subject to confidentiality obligations covering any personal data they access or process. All such personnel are informed of their data-protection obligations and receive periodic privacy and security training.

- 4.2.4 If the Customer cannot reasonably access the relevant information, SCALIBIT shall, at the Customer’s request and expense, provide reasonable assistance in responding to lawful requests from supervisory authorities or data subjects, and in ensuring compliance with obligations relating to security, breach notifications, impact assessments, and consultations with regulators.

- 4.2.5 SCALIBIT shall promptly notify the Customer upon becoming aware of a personal-data breach involving Customer Data.

- 4.2.6 Upon termination or expiration of the Agreement, and in accordance with SCALIBIT’s standard retention and deletion policies, SCALIBIT shall delete or, at the Customer’s cost, return personal data and any copies thereof in a format determined by SCALIBIT, unless Applicable Laws require continued storage. Where applicable (e.g., Shared Hosting services), backup copies may be retained for a limited retention period (typically up to 90 days) solely for operational continuity, after which they are permanently deleted in accordance with SCALIBIT’s data-retention policy. For all other infrastructure-based services — including Virtual Machines (VPS, VDS, Dedicated Cloud Servers), Cloud Services (Cloud Hosting, Cloud Servers, Cloud Backup), Cloud Compute (Standard, High Performance, High Frequency), Optimized Cloud Compute (General Purpose, CPU Optimized, Memory Optimized, Storage Optimized), and Dedicated Servers (Bare Metal) — SCALIBIT does not provide backups. In such cases, all Customer Data is permanently deleted and unrecoverable upon termination, cancellation, or re-provisioning of the service. Any previously assigned IP addresses (IPv4/IPv6) may be reallocated to other customers after termination.

- 4.2.7 SCALIBIT shall maintain complete and accurate records sufficient to demonstrate compliance with this clause and shall permit audits by the Customer only to the extent necessary to verify such compliance, provided that:

(a) the Customer provides SCALIBIT with at least 30 days’ written notice of any audit or inspection;
(b) the Customer reimburses SCALIBIT for all reasonable costs and expenses incurred as a result of the audit; and
(c) both Parties agree in advance on the scope, duration, and purpose of the audit.

If the Customer obtains any confidential information of SCALIBIT as a result of such audit, it shall keep that information strictly confidential and shall not disclose or use it for any purpose other than verifying SCALIBIT’s compliance, unless required by law. The Customer acknowledges that SCALIBIT shall only be required to use reasonable efforts to facilitate access to any relevant third-party assets, records, or information as part of an audit.

- 4.2.8 Cooperation with Competent Authorities and Disclosure Requests. SCALIBIT may, where required under Applicable Laws or upon receipt of a verified written request, cooperate with competent public authorities, including but not limited to law enforcement agencies, judicial bodies, data protection regulators, or other authorized governmental entities. Such cooperation shall be strictly limited to the scope of the lawful request and conducted in compliance with applicable Data Protection Laws, including GDPR Article 6(1)(c) and KVKK Article 8(1). SCALIBIT shall ensure that any disclosure of Customer Personal Data is performed only:

(a) upon receipt of a valid and verifiable official written request, court order, subpoena, or equivalent legal instrument;
(b) when required by law or necessary to protect SCALIBIT’s infrastructure, systems, or data from harm, misuse, or unlawful activity;
(c) after confirming the legal authority and authenticity of the requesting body; and
(d) limited to the minimum amount of information necessary to comply with the legal or security obligation.

Unless prohibited by law, SCALIBIT will make reasonable efforts to notify the Customer before disclosing any Customer Personal Data in response to such requests, enabling the Customer to take appropriate legal or administrative action. SCALIBIT shall maintain records of all such disclosures in accordance with its internal compliance policies.

In addition to the foregoing, SCALIBIT may disclose limited Customer or Account Data when it reasonably believes such disclosure is necessary to protect its legal rights, enforce contractual obligations, prevent fraud or abuse, ensure the safety of individuals, or respond to claims and legal processes, in full compliance with applicable law.

SCALIBIT does not sell, rent, or share Personal Data for monetary or other valuable consideration, and processes such data solely for the purposes described in this DPA.

5. THE CUSTOMER'S RESPONSIBILITIES

5.1 The Customer acknowledges that SCALIBIT has no knowledge of the nature, scope, or content of any personal data received, stored, or transmitted by the Customer through the Services. The Customer is solely responsible for determining the categories of data processed and ensuring that all such processing complies with applicable Data Protection Laws.

The Customer also acknowledges that SCALIBIT does not monitor, access, or review any Customer content except as strictly necessary to maintain or provide the Services, in accordance with this DPA.
5.2 If SCALIBIT reasonably believes or becomes aware that its processing of Customer Personal Data may result in a high risk to the rights and freedoms of Data Subjects, it shall inform the Customer without undue delay and provide reasonable cooperation (at the Customer’s expense in accordance with applicable law) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
5.3 In respect of Personal Data that the Customer collects, receives, stores, or transmits using the Services, the Customer agrees and warrants that it shall:

- 5.3.1 Ensure and warrant that it has obtained all necessary and appropriate consents, notices, and authorizations required under applicable Data Protection Laws to lawfully transfer Personal Data to SCALIBIT for the duration and purposes of this Agreement.

- 5.3.2 Undertake that its use of the Services and processing of Personal Data shall (i) comply with all applicable privacy and data protection laws and regulations, and (ii) not cause SCALIBIT to breach any such laws. The Customer shall ensure that lawful bases, consents, and transparency obligations are properly implemented.

- 5.3.3 Unless otherwise provided under this Agreement, be solely responsible for the legality, confidentiality, integrity, availability, accuracy, and quality of all data processed using the Services.

- 5.3.4 Be solely responsible for implementing and maintaining adequate technical and organizational security measures for protecting all Personal Data it collects or processes. The Customer must assess and verify the adequacy of SCALIBIT’s security measures as appropriate for the type of Personal Data hosted on SCALIBIT’s platform. The Customer should also refer to the Acceptable Use Policy to ensure full compliance with SCALIBIT’s terms and conditions. The Customer is encouraged to implement its own additional safeguards such as encryption, access controls, and regular backups, as SCALIBIT does not provide managed security or backup services for infrastructure-based environments.

- 5.3.5 Be solely responsible for responding to any request or inquiry from a Data Subject and for ensuring its own compliance with applicable Data Protection Laws regarding rights of access, rectification, erasure, restriction, portability, objection, and other obligations relating to breach notifications, impact assessments, and consultations with supervisory authorities.

- 5.3.6 For Virtual Servers (VPS), Virtual Machines (VM), Cloud Servers, and Dedicated Servers, the Customer shall assume full administrative control and responsibility for the management, processing, and security of any data hosted on those servers. SCALIBIT does not have root access or administrative privileges over such servers and therefore cannot be considered a Data Processor in relation to the hosted data. Accordingly, the Customer acts as the Data Controller for all data stored or processed on such infrastructure.

- 5.3.7 Indemnify and hold harmless SCALIBIT, its affiliates, officers, and employees from and against any claims, actions, liabilities, proceedings, direct losses, damages, fines, or costs (including any regulatory fines imposed by supervisory authorities, and reasonable legal and court fees) incurred by SCALIBIT as a direct result of any negligence, willful misconduct, or breach of this Agreement or of applicable Data Protection Laws by the Customer.

SCALIBIT shall not be responsible for any data loss, corruption, unauthorized access, or misuse arising from the Customer’s configuration, negligence, or use of third-party software within Customer-managed environments.

6. LEGAL PROCESS AND THIRD-PARTY REQUESTS FOR CUSTOMER PERSONAL DATA

6.1 SCALIBIT will not disclose or provide access to any Customer Personal Data in response to any informal, unverifiable, or non-official request from any person, private entity, or unauthorized organization. SCALIBIT shall only disclose such data to competent public authorities or law enforcement agencies — including, but not limited to, judicial bodies, prosecutor’s offices, police departments, cybercrime units, regulatory authorities, or other government bodies — upon receipt of an official written request, court order, subpoena, or other legally valid and verifiable document (“Legal Process”), or where SCALIBIT determines, in its reasonable discretion, that disclosure is:

(a) Required under applicable laws or regulations;
(b) Necessary to protect SCALIBIT’s infrastructure, systems, or data from harm, misuse, or unauthorized access; or
(c) Necessary to prevent or mitigate serious harm or physical danger to SCALIBIT, its customers, or any individual.

SCALIBIT does not sell, rent, or otherwise share Customer Personal Data with any third party for marketing, advertising, or commercial purposes under any circumstances.
6.2 Unless prohibited by law, court order, or governmental directive, SCALIBIT shall notify the Customer without undue delay upon receiving any Legal Process that compels access to or disclosure of Customer Personal Data, providing the Customer with an opportunity to challenge, limit, or otherwise address such request before disclosure occurs.
6.3 SCALIBIT carefully reviews each Legal Process to ensure that the request is lawful, proportionate, and specific in scope. Any disclosure made in response to a Legal Process shall be limited to the minimum amount of information necessary to comply with the legal obligation, and only to the competent authority making the verified request.
6.4 SCALIBIT maintains detailed internal records of all official requests and disclosures made pursuant to this clause to ensure transparency, accountability, and compliance with applicable Data Protection Laws, including GDPR Article 30 and KVKK Article 12. All such records are securely maintained within SCALIBIT’s internal compliance systems and retained in accordance with its Data Retention and Legal Compliance Policy.

7. SECURITY OF DATA PROCESSING

7.1 Security Measures. SCALIBIT shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Data from unauthorized access, disclosure, alteration, or destruction (“Security Incidents”). These measures are intended to preserve the confidentiality, integrity, and availability of Customer Data in accordance with SCALIBIT’s global security standards described in Annex B (“Security Measures”) of this DPA, and aligned with industry-recognized frameworks such as ISO 27001, GDPR Article 32, and applicable regional data protection requirements.

These measures apply only to infrastructure, platform, and network layers managed directly by SCALIBIT and exclude Customer-managed software, configurations, or content.
7.2 Customer Security Responsibilities. Customer expressly acknowledges that SCALIBIT provides various security features and functionalities that Customer can use to protect Customer Personal Data. Customer is solely responsible for configuring, managing, and maintaining such controls within the Services, including user access permissions, password policies, and other account-level protections. Customer must also ensure that any content or software uploaded to SCALIBIT’s systems is free from vulnerabilities or malicious components that could compromise Customer Data or SCALIBIT’s infrastructure.
7.3 Data Backups. SCALIBIT is not responsible for backing up Customer Personal Data unless otherwise expressly agreed in writing as part of a managed service or add-on offering. Customer is responsible for maintaining adequate backups of all data hosted or processed through SCALIBIT’s infrastructure.

For Shared Hosting and Managed Services, limited system backups may be maintained solely for operational continuity (typically up to 90 days) and are not guaranteed for full data recovery.
7.4 PCI-DSS Compliance. Customer must comply with all applicable Payment Card Industry Data Security Standard (“PCI-DSS”) requirements. Customer Personal Data that includes credit, debit, or other payment cardholder information (“PCI-DSS Data”) may only be processed through Services specifically designed for such use. SCALIBIT does not provide PCI-DSS-certified Services; therefore, if Customer processes PCI-DSS Data using SCALIBIT’s Services, Customer assumes full responsibility for any related compliance violations or penalties.

SCALIBIT shall not be liable for any loss, breach, or penalty resulting from the Customer’s handling of payment data in non-PCI-compliant environments.
7.5 Confidentiality Obligations. SCALIBIT shall ensure that any person authorized by SCALIBIT to process Customer Data (including employees, contractors, or service providers) is subject to appropriate confidentiality obligations, whether contractual or statutory, and processes such data only under SCALIBIT’s documented instructions.
7.6 Personnel Access Controls. SCALIBIT restricts its personnel from accessing or processing Customer Data without proper authorization. Access rights are granted on a least-privilege basis and are regularly reviewed in accordance with SCALIBIT’s internal security policies and SCALIBIT Security Standards. All personnel are bound by confidentiality, data protection, and information security requirements.
7.7 Continuous Improvement. Customer is responsible for reviewing the security information made available by SCALIBIT and independently determining whether it meets Customer’s own security and legal requirements. Customer acknowledges that SCALIBIT may update or modify its Security Measures from time to time to reflect technological advancements or regulatory requirements, provided that such updates do not materially reduce the overall level of protection afforded to Customer Data.
7.8 Customer Use and Encryption. Except as expressly provided in this DPA, Customer is responsible for the secure use of the Website and Services, including securing authentication credentials, using secure transmission methods (e.g., HTTPS, SFTP), and implementing encryption and backup mechanisms appropriate to the sensitivity of the Customer Data processed.

SCALIBIT recommends that all Customers implement end-to-end encryption for sensitive data in transit and at rest where feasible.

SCALIBIT strongly recommends that all Customers enable Multi-Factor Authentication (MFA) for their accounts to enhance protection. Customers should also use strong passwords, restrict administrative access, regularly monitor account activity, and review access logs to prevent unauthorized access or misuse. These recommendations are strongly aligned with industry security best practices and SCALIBIT’s Zero Trust security principles.

8. DATA SECURITY INCIDENTS

8.1 SCALIBIT offers Customer extensive opportunities to access and control Customer Personal Data Processed on Customer’s behalf. SCALIBIT is not responsible for any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data that does not result from a compromise of SCALIBIT’s systems. Examples of Security Incidents for which SCALIBIT is not responsible include Customer’s failure to maintain the secrecy of its passwords, downloading of malicious content, or any other security vulnerability caused by or introduced into the Services and Customer’s hosted environment by Customer.
8.2 SCALIBIT will use commercially reasonable efforts to notify Customer of a breach of security of SCALIBIT’s systems leading to the accidental or unlawful, destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (“Security Incident”) within the time period required under applicable law. Notifications of such incidents will be sent to the account email address as set by Customer. It is Customer’s sole responsibility to ensure this information is correct and kept up to date inside the control panel.

Notifications may also be provided through SCALIBIT’s ticketing system or other verified communication channels, depending on the nature of the incident.
8.3 Upon becoming aware of a Security Incident, SCALIBIT shall use commercially reasonable efforts to:

- notify Customer without undue delay, and where feasible, within forty-eight (48) hours of awareness, in accordance with GDPR Article 33(1) and equivalent Data Protection Laws;
- provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and
- promptly take reasonable steps to contain and investigate any Security Incident. SCALIBIT’s notification of or response to a Security Incident under this Section shall not be construed as an acknowledgment by SCALIBIT of any fault or liability with respect to the Security Incident.
8.4 SCALIBIT will take appropriate, risk-based steps that are reasonably necessary to contain, mitigate, and remediate a Security Incident without unreasonable delay.
8.5 SCALIBIT will provide information reasonably requested by Customer to assess the impact of a Security Incident on Customer Personal Data and for Customer to provide notice of the Security Incident to governmental authorities, affected Data Subjects, or any other person. Such assistance will be provided to the extent permitted by law and limited to information available within SCALIBIT’s systems.
8.6 Customer agrees that Data Breach Notifications will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
8.7 SCALIBIT’s acknowledgement of a Security Incident or decision to notify Customer of a Security Incident is not an admission of fault or liability.

9. SUB-PROCESSING

9.1 Customer acknowledges, understands, and agrees that SCALIBIT may use Sub-Processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as data-center operations, infrastructure management, monitoring, tracking, or customer-support services. The Sub-Processors currently engaged by SCALIBIT to carry out processing activities on Customer Data on behalf of the Customer are, as amended by SCALIBIT, available online or upon request. SCALIBIT shall notify Customer if it adds or removes Sub-Processors prior to any such changes. SCALIBIT may update the Sub-Processor list and may provide the Customer with a mechanism to obtain notice of such updates. Customer hereby consents to SCALIBIT’s use of Sub-Processors as described in this Section. Except as set forth in this Section, or as Customer may otherwise authorize, SCALIBIT will not permit any Sub-Processor to carry out processing activities on Customer Data on behalf of the Customer.
9.2 Sub-Processor Obligations. Before transferring Customer Personal Data to a Sub-Processor, SCALIBIT will:

- 9.2.1 Enter into a written agreement with each Sub-Processor that imposes data-protection obligations equivalent to those set forth in this DPA. SCALIBIT remains fully liable for any Sub-Processor’s acts or omissions to the same extent as for its own actions. SCALIBIT will restrict Sub-Processor access to Customer Data to what is strictly necessary to perform the contracted services.

- 9.2.2 Customer acknowledges and agrees that, where applicable, SCALIBIT fulfills its obligations under Clause 9 of the Controller-to-Processor Clauses and Processor-to-Processor Clauses (as applicable) by complying with this Section. SCALIBIT may be prevented from disclosing full Sub-Processor agreements to Customer due to confidentiality restrictions but shall, upon request, use reasonable efforts to provide Customer with all relevant information it reasonably can in connection with such agreements.
9.3 New Sub-Processors; Right to Object.

- 9.3.1 SCALIBIT will use reasonable efforts to notify Customer in writing at least thirty (30) days in advance if SCALIBIT intends to appoint a new Sub-Processor; provided, however, that thirty (30) days’ advance notice is not required where immediate appointment is necessary to maintain service continuity, perform critical system maintenance, or comply with applicable law. Notifications of such engagements will be delivered to the account email address and/or through the Customer control panel. It is the Customer’s sole responsibility to ensure this information is accurate and up to date.

- 9.3.2 If the Customer reasonably objects to a new Sub-Processor, the Customer must notify SCALIBIT in writing within thirty (30) days after receipt of notice. In SCALIBIT’s sole discretion, SCALIBIT may use commercially reasonable efforts to address the Customer’s objection. If the Parties are unable to resolve the objection within thirty (30) days, the Customer may terminate this DPA and any portion of the Agreement relating to the processing of Customer Personal Data.

- 9.3.3 If the Customer does not object to a new Sub-Processor within thirty (30) days of notice, the Customer will be deemed to have accepted the Sub-Processor.
9.4 A list of SCALIBIT’s current Sub-Processors is available in Annex C or may be disclosed upon written request by the Customer.

10. DATA SUBJECT RIGHTS

10.1 Customer is solely responsible for responding to any request to exercise a Data Subject’s rights under applicable Data Protection Laws, Customer’s privacy policies, or Customer’s terms of service — including but not limited to requests to know, access, correct, restrict, or delete Customer Personal Data (“Data Subject Requests”). SCALIBIT does not have access to Customer-managed data and therefore cannot directly verify, modify, or delete such data. The Customer must ensure that all such requests are handled in compliance with applicable laws and within the legally prescribed timeframes.
10.2 SCALIBIT will not respond to a Data Subject Request except on documented instructions from the Customer or as otherwise required to comply with obligations under GDPR Articles 12–23, the KVKK Article 11, or equivalent provisions of other applicable Data Protection Laws.
10.3 SCALIBIT will notify the Customer without undue delay upon receiving a Data Subject Request related to Customer Personal Data. Notifications will be sent to the Customer’s registered account email address or via the SCALIBIT ticketing system. The Customer remains solely responsible for responding to such requests. If the Customer has exhausted all available means to respond and requires SCALIBIT’s technical assistance — subject to the Customer’s agreement to pay SCALIBIT’s reasonable expenses in advance — SCALIBIT will provide assistance reasonably necessary and limited to information visible within SCALIBIT’s systems, within a commercially reasonable timeframe.

11. DATA PROTECTION IMPACT ASSESSMENTS, PRIOR CONSULTATION, AND COMPLIANCE INQUIRIES

11.1 Data Protection Impact Assessments and Prior Consultation. At the Customer’s expense and to the extent SCALIBIT’s role and visibility permit, SCALIBIT will provide reasonable assistance to the Customer in conducting any Data Protection Impact Assessments (DPIAs) and, where required, prior consultations with supervisory authorities concerning the processing of Customer Personal Data, in accordance with GDPR Articles 35–36 and KVKK Article 12.
11.2 Compliance Inquiries. The Customer may periodically request information reasonably necessary to confirm SCALIBIT’s compliance with its obligations under applicable Data Protection Laws. Such information may include SCALIBIT’s current security documentation, privacy certifications, or compliance summaries. If SCALIBIT fails to respond to the Customer’s request within forty-five (45) days, the Customer may terminate the Agreement. For the avoidance of doubt, nothing in this DPA grants the Customer the right to conduct an on-site audit of SCALIBIT’s business, systems, or services. SCALIBIT’s obligation under this section is limited to providing information reasonably necessary to confirm compliance with applicable Data Protection Laws.
11.3 Data Subject Claims. If a Data Subject brings a claim directly against SCALIBIT for an alleged violation of their Data Subject rights, the Customer shall indemnify and hold SCALIBIT harmless from any cost, charge, damages, expenses, or losses arising from such a claim — provided that SCALIBIT has promptly notified the Customer of the claim and given the Customer the opportunity to cooperate in its defense and settlement, unless the claim results from SCALIBIT’s proven breach of this DPA or applicable law.

12. TRANSFERS OF PERSONAL DATA

12.1 Global Processing and Transfers. Customer acknowledges that SCALIBIT operates a globally distributed infrastructure and may transfer and process Customer Data in multiple jurisdictions — including but not limited to the European Union, the United States, the United Kingdom, Türkiye, South America, Asia-Pacific, and South Africa — where SCALIBIT, its Affiliates, or authorized Sub-Processors maintain data-processing facilities. Such transfers may occur both to and from the United States or other regions in which SCALIBIT provides hosting or network services. SCALIBIT shall ensure that all such transfers are performed in full compliance with applicable Data Protection Laws, this DPA, and lawful cross-border transfer mechanisms.
12.2 Türkiye Data Transfers. To the extent that SCALIBIT is a recipient of Customer Data protected under Türkiye’s Personal Data Protection Law (KVKK, Law No. 6698), the Parties acknowledge and agree that SCALIBIT may transfer such Customer Data outside of Türkiye as permitted by the Agreement, provided that SCALIBIT complies with this DPA and KVKK requirements. SCALIBIT ensures that data transfers from Türkiye are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) or other legally recognized mechanisms approved by the Turkish Data Protection Authority (KVKK Kurumu).
12.3 South African Data Transfers. To the extent that SCALIBIT processes Customer Data subject to the Protection of Personal Information Act, 2013 (POPIA) of South Africa, such transfers shall only occur where adequate data-protection safeguards are implemented in accordance with Section 72 of the POPIA. SCALIBIT ensures that personal data transferred to or from South Africa is protected through appropriate contractual and technical measures consistent with international standards.
12.4 Australian Data Transfers. To the extent that SCALIBIT processes Customer Data protected by the Australian Privacy Act 1988 (Cth), the Parties acknowledge that such data may be transferred outside of Australia, provided SCALIBIT complies with this DPA and the Australian Privacy Principles (APPs).
12.5 EEA Data Transfers. To the extent that SCALIBIT is a recipient of Customer Data protected by the GDPR in a country outside the European Economic Area (EEA) that is not recognized as providing an adequate level of protection, the Parties agree that the transfer shall be governed by the latest version of the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914). These SCCs are incorporated into and form an integral part of this DPA, and SCALIBIT shall implement any additional technical and organizational measures required to ensure equivalent protection.
12.6 UK Data Transfers. With respect to transfers subject to UK Data Protection Laws, the UK Addendum to the EU SCCs shall apply and is incorporated into this DPA. In particular: Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out in Annexes I and II of the relevant SCCs, and Table 4 shall be deemed completed by selecting “neither party.”
12.7 Swiss Data Transfers. With respect to transfers subject to the Swiss Federal Data Protection Act (FADP), the SCCs shall apply with the following modifications:

(a) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss FADP;
(b) references to “EU,” “Union,” and “Member State” shall be replaced with “Switzerland”;
(c) references to “competent supervisory authority” shall mean the Swiss Federal Data Protection and Information Commissioner (FDPIC);
(d) Clause 17 shall read: “The Clauses are governed by the laws of Switzerland”; and
(e) Clause 18 shall read: “Any dispute arising from these Clauses shall be resolved by the competent courts of Switzerland.”
12.8 Compliance with SCCs and Transfer Safeguards. If SCALIBIT determines that it can no longer comply with the SCCs or equivalent transfer safeguards, it shall promptly notify the Customer. If the Customer elects to suspend transfers or terminate the affected Services, both Parties shall cooperate in good faith to implement additional or alternative safeguards. Suspension or termination shall only occur if compliance cannot be restored within a reasonable period.
12.9 Alternative or Updated Transfer Mechanisms. If SCALIBIT adopts an alternative lawful transfer mechanism — such as the EU-U.S. Data Privacy Framework (DPF), Binding Corporate Rules (BCRs), or other equivalent international instruments — such mechanisms shall supersede the SCCs for the applicable jurisdictions, provided they ensure an adequate level of protection in accordance with GDPR Chapter V and other relevant laws.
12.10 Transparency of Transfer Mechanisms. SCALIBIT maintains internal documentation describing its data-transfer safeguards and may provide a summary or list of applicable mechanisms to the Customer upon written request or as outlined in Annex D of this DPA.

13. JURISDICTION-SPECIFIC REQUIREMENTS AND INTERNATIONAL DATA TRANSFERS OF PERSONAL DATA

13.1 The processing of Customer Personal Data under this DPA may be subject to multiple and overlapping data protection frameworks, including but not limited to the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 (UK GDPR), the Türkiye Personal Data Protection Law (KVKK), the California Consumer Privacy Act (CCPA/CPRA), the Brazilian General Data Protection Law (LGPD), the South African Protection of Personal Information Act (POPIA), and the Australian Privacy Act 1988 (Cth). SCALIBIT shall ensure compliance with each applicable legal framework based on the location of processing, the origin of the Customer Personal Data, and the relevant data subject’s jurisdiction.
13.2 SCALIBIT stores and processes EU Data in data centers located inside and outside the European Union. Customer Personal Data may be transferred and processed in the United States and in other countries where SCALIBIT, its Affiliates, or authorized Sub-Processors maintain processing operations. Transfers may occur both to and from the United States and other SCALIBIT infrastructure regions (including Türkiye, Europe, South America, Asia-Pacific, and South Africa). SCALIBIT shall implement appropriate legal safeguards to protect all Customer Personal Data, wherever it is processed, in accordance with the requirements of applicable Data Protection Laws.
13.3 Notwithstanding Section 7.1, to the extent SCALIBIT processes or transfers (directly or via onward transfer) Personal Data under this DPA from the European Union, the European Economic Area, and/or their member states, the United Kingdom, Switzerland, or other regions that require adequate protection, the Customer hereby authorizes any such international transfer of Customer Data, provided that SCALIBIT maintains appropriate safeguards under GDPR Chapter V, UK GDPR, and equivalent laws.
13.4 United States Data. If Customer Personal Data originates from the United States, or is processed within the United States, the provisions relating to U.S. Data Protection Laws specified in Annex B (California: Section 2, All U.S. States: Section 3) shall apply. SCALIBIT may transfer U.S.-origin data to its data centers or Sub-Processors located in other countries, provided that adequate transfer safeguards (e.g., SCCs, DPF, or equivalent frameworks) are applied.
13.5 EU/EEA, UK, and Swiss Data. If Customer Personal Data originates from the European Union/European Economic Area (“EU/EEA”), the United Kingdom (“UK”), or Switzerland, or if the Customer is established in one or more of those jurisdictions, the provisions relating to applicable EU/EEA, UK, and/or Swiss Data Protection Laws specified in Annex B (Europe: Section 1, Switzerland: Section 4, United Kingdom: Section 5) shall apply. Cross-border transfers from these regions shall be governed by the Standard Contractual Clauses (SCCs) and any applicable addenda or adequacy decisions.
13.6 Türkiye Data. To the extent that SCALIBIT is a recipient of Customer Data protected by Türkiye’s Personal Data Protection Law (KVKK), the Parties acknowledge and agree that SCALIBIT may transfer such data outside of Türkiye, provided that such transfers are made in compliance with KVKK Article 9 and relevant Board decisions, using legally recognized mechanisms such as Standard Contractual Clauses or explicit consent where required.
13.7 South African Data. Where Customer Data is subject to the Protection of Personal Information Act (POPIA) of South Africa, SCALIBIT shall ensure that such transfers comply with Section 72 of the POPIA. Transfers to or from South Africa shall be made only where adequate protection is ensured through contractual safeguards or equivalent international mechanisms.
13.8 Australian Data. To the extent that SCALIBIT is a recipient of Customer Data protected by the Australian Privacy Act 1988 (Cth), such data may be transferred outside Australia as permitted by the Act and this DPA. SCALIBIT shall ensure that any overseas recipient of such data provides a level of protection substantially similar to the Australian Privacy Principles (APPs).
13.9 Mandatory Transfer Mechanisms. If a valid international transfer mechanism (“Mandatory Transfer Mechanism”) is required to lawfully transfer Customer Personal Data, the provisions of Schedule 4 to this DPA shall apply. Where applicable, SCALIBIT may implement or update such mechanisms (e.g., SCCs, DPF, BCRs) to maintain compliance with international transfer laws.

14. RETURN OR DELETION OF PERSONAL DATA

Upon termination or expiration of the Services, SCALIBIT shall delete all Customer Personal Data processed on behalf of the Customer, except where retention is required by applicable law or necessary for the establishment, exercise, or defense of legal claims. Any retained data shall be securely isolated, encrypted, and protected from further processing, except as required by law.

For Shared Hosting environments, backup copies may be retained for operational continuity for up to 90 days after termination, after which all data and backups are permanently deleted in accordance with SCALIBIT’s data retention and deletion policy. For Virtual Machines (VPS/VDS), Cloud Servers, and Dedicated Servers, SCALIBIT does not maintain backups; all data, configurations, and any Customer-generated data or uploaded files stored by the Customer are permanently erased upon service cancellation or termination and cannot be recovered thereafter.

Notwithstanding the foregoing, SCALIBIT may retain limited Customer Account Data — such as account registration details, service identifiers, assigned IP addresses, billing history, and access logs — where necessary to comply with applicable laws, prevent fraud or abuse, assist law enforcement inquiries, or establish, exercise, or defend legal claims. Such retained data shall be stored securely, with access strictly limited to authorized personnel, and deleted once the applicable retention period expires.

At the Customer’s written request, SCALIBIT may delete Customer Personal Data prior to service expiration, provided such deletion does not conflict with legal or regulatory retention obligations. SCALIBIT shall confirm completion of the deletion process upon request.

15. TERMINATION OF THE DPA

This DPA shall remain in effect for as long as SCALIBIT carries out Customer Data processing operations on behalf of the Customer or until termination of the Agreement. Upon termination, Sections relating to confidentiality, data protection, liability, and deletion obligations shall survive and remain binding until all Customer Personal Data has been deleted or returned in accordance with this DPA.

If any provision of this DPA is found to be unenforceable, that provision shall be modified to the extent necessary to make it enforceable, and the remainder shall remain in full force and effect. However, if modification would defeat the essential purpose of this DPA, the entire DPA shall be deemed null and void unless amended by mutual written agreement in accordance with Section 16.2.

16. GENERAL

16.1 Complete Agreement; Interpretation. This DPA constitutes the entire agreement between the Parties concerning the subject matter of this DPA and supersedes all prior or contemporaneous representations, understandings, agreements, and communications between the Parties, whether written or verbal, regarding the same subject matter. In the event of a conflict between this DPA and the Agreement (or any other agreement between the Parties), this DPA shall govern and control with respect to the processing of Customer Personal Data.
16.2 Amendment. This DPA may be modified or amended by SCALIBIT in its sole discretion, pursuant to the amendment procedures set forth in the Agreement. If the Customer disagrees with such amendment, the Customer’s sole remedy is to terminate that portion of the Agreement relating to the processing of Customer Personal Data by providing thirty (30) days’ prior written notice. Unless expressly agreed in writing, any amendment to this DPA shall only apply to processing that occurs after the effective date of such amendment.
16.3 Waiver. No waiver of any breach of this DPA shall be effective unless made in writing and signed by an authorized representative of the waiving Party. No such waiver shall constitute or be construed as a waiver of any subsequent breach or default.
16.4 Notices. For data protection inquiries, Customers may contact SCALIBIT’s Data Protection Officer (DPO) at dpo@scalibit.com. The DPO is responsible for ensuring SCALIBIT’s compliance with the GDPR, KVKK, CCPA, CPRA, and other applicable data protection frameworks. All lawful requests related to privacy rights, data access, or security incidents should be submitted to this address.
16.5 Liability. This DPA does not create any additional right for either Party or any third party to recover damages or claims beyond those set forth in the Agreement. Any liability arising under or in connection with this DPA shall be subject to the same limitations and exclusions of liability as provided in the Agreement.
16.6 Enforcement. The terms of this DPA may only be enforced by the Parties on behalf of themselves and their respective Affiliates, in accordance with the dispute resolution provisions of the Agreement. Nothing in this section shall restrict or limit an individual Data Subject’s ability to exercise their rights under applicable Data Protection Laws.
16.7 Termination. Unless terminated earlier pursuant to the Agreement or applicable Data Protection Laws, this DPA shall terminate upon the completion of processing or the termination of the Agreement, whichever occurs later. Following termination, SCALIBIT shall return, delete, or de-identify Customer Personal Data in accordance with this DPA and the Agreement, unless retention is required under applicable law. If SCALIBIT is required to retain Customer Personal Data after termination, it shall continue to comply with the data protection and confidentiality obligations of this DPA until such data is securely deleted or returned.

17. U.S. PRIVACY LAW & CALIFORNIA PRIVACY LAWS

17.1 California Privacy Laws (CCPA & CPRA)
For managed environments (such as Shared Web Hosting: cPanel Hosting, CWPpro Hosting, WordPress Hosting) or temporary technical support cases where SCALIBIT personnel may require limited, purpose-bound access, SCALIBIT acts as a “Service Provider” under the California Consumer Privacy Act (CCPA, Cal. Civ. Code §1798.140) and the California Privacy Rights Act (CPRA), in accordance with this Data Processing Addendum (DPA).

SCALIBIT acts as a “Business” with respect to Customer account, billing, authentication, and communication data. SCALIBIT does not act as a Data Controller or Data Processor for any data stored or transmitted on Customer-managed or self-managed servers, including but not limited to Virtual Machines (VPS, VDS, Dedicated Cloud Servers), Cloud Services (Cloud Hosting, Cloud Servers, Cloud Backup), Cloud Compute (Standard Performance, High Performance, High Frequency), Optimized Cloud Compute (General Purpose, CPU Optimized, Memory Optimized, Storage Optimized), and Dedicated Servers or Bare Metal systems.

Any access provided to SCALIBIT personnel in such cases shall be strictly limited to the minimum necessary, time-bound, and fully logged for audit and compliance purposes.

SCALIBIT shall not sell or share Personal Data, and shall not retain, use, or disclose Personal Data except as necessary to perform the Services or as otherwise permitted under California privacy law. SCALIBIT certifies that it understands and will comply with these obligations.

17.2 Other U.S. State Privacy Laws
For managed environments (such as Shared Web Hosting: cPanel Hosting, CWPpro Hosting, WordPress Hosting) or temporary technical support cases where SCALIBIT personnel may require limited, purpose-bound access, SCALIBIT acts as a “Service Provider” under other applicable U.S. state privacy laws — including but not limited to the Colorado CPA, Connecticut CTDPA, Virginia VCDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, and any other substantially similar state-level privacy frameworks.

SCALIBIT acts as a “Business” with respect to Customer account, billing, authentication, and communication data. SCALIBIT does not act as a Data Controller or a Data Processor for any data stored or transmitted on Customer-managed or self-managed servers, including but not limited to Virtual Machines (VPS, VDS, Dedicated Cloud Servers), Cloud Services (Cloud Hosting, Cloud Servers, Cloud Backup), Cloud Compute (Standard Performance, High Performance, High Frequency), Optimized Cloud Compute (General Purpose, CPU Optimized, Memory Optimized, Storage Optimized), and Dedicated Servers or Bare Metal systems.

Any support access, if requested, shall also be strictly least-privilege, time-bound, and logged in accordance with SCALIBIT’s internal compliance procedures.

SCALIBIT applies substantially equivalent privacy protections to all U.S. residents, regardless of their state of residence, ensuring consistent compliance across all U.S. jurisdictions.

18. GOVERNING LAW AND JURISDICTION

This DPA, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it, its subject matter, or its formation, shall be governed by and construed in accordance with the laws of the jurisdiction specified in the Terms of Service (ToS).

Any disputes arising from or relating to this DPA shall be resolved under the same governing law and forum selection as set forth in the Agreement. Where European Data Protection Laws apply, such disputes shall fall under the jurisdiction of the competent courts of the European Union Member State in which the Customer is established, in accordance with GDPR Article 79(2).

Nothing in this Section shall limit the right of either Party or any Data Subject to bring proceedings before a competent supervisory authority or court in accordance with applicable Data Protection Laws.

19. LIMITATION OF LIABILITY AND INDEMNIFICATION

The total liability of each Party under this DPA shall be subject to the same limitations and exclusions of liability as set forth in the SCALIBIT Terms of Service (ToS). For the avoidance of doubt, in no instance shall SCALIBIT be liable for any losses or damages suffered by the Customer arising from the Customer’s use of the Services in violation of the ToS, including any suspension or termination of an account as a result of such violation.

Indemnification. The Customer shall indemnify, defend, and hold harmless SCALIBIT, its Affiliates, officers, employees, agents, and Sub-Processors from and against any and all claims, actions, damages, losses, liabilities, costs, and expenses (including reasonable attorney fees and court costs) arising out of or related to any third-party dispute, claim, or action resulting from:

(i) the Customer’s or its End Users’ breach of this DPA, the Agreement, or any applicable law or regulation;
(ii) the Customer’s or its End Users’ authorized or unauthorized use of SCALIBIT Services;
(iii) the Customer’s or its End Users’ authorized or unauthorized access to, maintenance of, or transmission of any content or data through SCALIBIT resources;
(iv) any wrongful, negligent, or unlawful act or omission by the Customer or its End Users in connection with the performance or use of the Services;
(v) any infringement or misappropriation of intellectual-property or proprietary rights by the Customer or its End Users;
(vi) the Customer’s disclosure of any information that is confidential or protected by law; and
(vii) any dispute between the Customer and its End Users.

Each Party shall be responsible only for direct damages arising from its own proven breach of this DPA, and under no circumstances shall either Party be liable for indirect, consequential, incidental, punitive, or special damages, including loss of profit, revenue, or data, even if advised of the possibility of such damages.

ANNEX 1

Details of Processing of Customer Personal Data

This Annex 1 provides the mandatory information required under applicable Data Protection Laws regarding the Processing of Customer Personal Data by SCALIBIT.

Subject Matter and Duration of Processing of Customer Personal Data:

The subject matter and duration of the Processing correspond to the Services defined in the Agreement and shall continue for the term of the Agreement, until all Customer Personal Data is deleted or returned in accordance with this DPA.

Nature and Purpose of Processing of Customer Personal Data:

The Processing of Customer Personal Data by SCALIBIT is necessary to perform the contractual obligations under the Agreement, including providing, maintaining, securing, and supporting the Services, fulfilling technical and billing operations, and ensuring compliance with legal and regulatory requirements.

Type of Personal Data and Categories of Data Subjects:

The specific types of Personal Data and categories of Data Subjects are determined and controlled by the Customer and may include, but are not limited to:

Contact information (e.g., name, email address, phone number)
Account and billing information (e.g., payment details, VAT ID, billing address)
Service usage data (e.g., IP addresses, login records, session timestamps)
Technical data uploaded or generated by the Customer (e.g., website content, databases, files, logs)
End user data processed via Customer’s applications hosted on SCALIBIT infrastructure

Sensitive Data or Special Categories of Data:

SCALIBIT does not intentionally collect or Process Sensitive Data unless explicitly authorized in writing by the Customer and only where necessary to provide the Services. The type and scope of such Sensitive Data, if any, are determined solely by the Customer acting as Controller.

Obligations and Rights of the Controller:

The obligations and rights of the Customer (as Controller) are set forth in the Agreement and this DPA, including the right to issue lawful processing instructions, request deletion or return of Personal Data, and conduct compliance inquiries as provided herein.

Data Exporter:

The Data Exporter is the entity identified as the Customer in the Agreement and this DPA.

Data Importer:

The Data Importer is SCALIBIT, acting as a web-services provider and Processor as defined under applicable Data Protection Laws.

Data Subjects:

As defined in Section 2.12 of the DPA, Data Subjects may include the Customer’s employees, clients, end users, website visitors, or other individuals whose Personal Data is transmitted or stored through the Services.

Security:

The technical and organizational security measures implemented by SCALIBIT (the Data Importer) are described in Annex 3 – SCALIBIT Security Standards to this DPA and are aligned with ISO 27001, GDPR Article 32, and KVKK Article 12.

ANNEX 2

Technical and Organisational Measures in Accordance with Article 32 GDPR

1. Applicability

1.1 The requirements of this Annex 2 apply to SCALIBIT and any Sub-Processor (including but not limited to any third-party cloud or infrastructure provider) used by SCALIBIT to provide the Services and/or Process Customer Personal Data.
1.2 SCALIBIT shall ensure that all Sub-Processors engaged in providing Services comply with each requirement of this Annex and maintain security standards substantially equivalent to those applied by SCALIBIT.

2. Information Privacy and Data Security Management

2.1 Risk Management. SCALIBIT maintains a continuous risk management process to assess, respond to, and monitor risks affecting Customer Personal Data, consistent with the DPA and applicable laws.
2.2 Security Program. SCALIBIT’s information security program is designed to: (a) protect the confidentiality, integrity, and availability of Customer Personal Data; and (b) prevent reasonably anticipated threats, unauthorized access, or unlawful processing.
2.3 Program Updates. SCALIBIT reviews and updates its information security framework regularly to align with recognized standards such as ISO/IEC 27001 and NIST.
2.4 Risk Assessments. SCALIBIT periodically performs internal and third-party risk assessments and penetration testing on systems handling Customer Personal Data.
2.5 Continuity and Resilience. SCALIBIT implements redundancy, power backup, load balancing, DDoS protection, and monitoring measures to ensure service availability and resilience.

3. Organisational Security

3.1 Accountability. SCALIBIT maintains clear accountability for data protection, designating responsible personnel including a Data Protection Officer (DPO) for oversight.
3.2 Asset Controls. SCALIBIT maintains an inventory of assets and applies classification and protection controls to devices used for processing Customer Data.
3.3 Physical Security. Access to facilities is restricted to authorized personnel through access cards, CCTV, visitor management, and secure equipment disposal procedures.

4. Security Operations

4.1 Secure Configuration. SCALIBIT enforces hardening standards and secure configuration baselines across systems processing Customer Personal Data.
4.2 Patch Management. Regular updates and patches are applied in a risk-based manner depending on the criticality of vulnerabilities.
4.3 Malware Protection. SCALIBIT employs advanced malware detection and remediation controls and conducts regular awareness training for staff.
4.4 Logging and Auditing. Logs are centrally collected, monitored, and retained per SCALIBIT’s security policy for forensic and compliance purposes.
4.5 Incident Detection and Response. SCALIBIT maintains detection, response, and escalation procedures for Security Incidents as outlined in Section 8 of this DPA.

5. Training

All SCALIBIT personnel receive mandatory and periodic training on information security, data protection, and confidentiality obligations related to Customer Personal Data.

6. Access Controls

6.1 For self-managed Dedicated / VPS / Cloud Servers: SCALIBIT holds initial deployment credentials only. After provisioning, administrative passwords and access are managed by the Customer. SCALIBIT does not retain or store updated root passwords.
6.2 For SCALIBIT Control Panels: Access is restricted to authorized SCALIBIT personnel via secure authentication systems (MFA, LDAP, RADIUS, cryptographic keys). Customer credentials are stored only in encrypted form. This excludes third-party control panels (e.g., cPanel, Plesk, CWP).
6.3 Provisioning and Credential Handling. SCALIBIT does not routinely store or maintain administrative credentials (root/admin usernames, passwords, SSH ports, encryption keys) for customer-managed Virtual Machines, Dedicated Servers, Cloud instances, or Bare Metal servers. Customers retain operational control over these resources. SCALIBIT may, at the Customer’s explicit request, perform limited support actions when the Customer supplies temporary credentials or grants explicit access. Such access is strictly purpose-bound, time-limited, and must be revoked by the Customer upon completion of the requested support task.

7. Internal Access Control

For self-managed servers, colocation, and customer-owned environments, Customers are solely responsible for access control within their own infrastructure.

8. Transfer Control

8.1 Web Hosting / Mailboxes: Upon service cancellation or non-renewal, all hosted data, including databases, is securely deleted. Customers are responsible for removing their data prior to expiry.
8.2 Dedicated / VPS / Cloud Servers: Upon service termination, SCALIBIT securely wipes storage devices before reallocation.
8.3 Colocation Servers: Customer-owned equipment is returned directly to the Customer after disconnection.

9. Isolation Control

For Dedicated, VPS, Cloud, and Colocation servers, isolation control is managed by the Customer to prevent cross-tenant data access.

10. Pseudonymisation

For Dedicated, VPS, Cloud, and Colocation servers, pseudonymisation measures are the responsibility of the Customer.

11. Integrity and Transmission Control

11.1 Data Transfer Controls: SCALIBIT employees are trained to handle data in compliance with data protection requirements. Customers are responsible for encrypting data transmitted to or from their servers.

12. Data Entry Control

12.1 SCALIBIT Internal Systems: Data entries and modifications are logged, and audit trails are maintained within SCALIBIT systems.
12.2 Self-managed or Colocation Servers: The Customer is solely responsible for data entry control.

13. Availability and Resilience (Article 32(1)(b) GDPR)

13.1 SCALIBIT Internal Systems: Daily backups, RAID protection, firewalls, malware scanning, and uptime monitoring ensure continuity and resilience.
13.2 Dedicated / VPS / Cloud Servers: Customers are solely responsible for maintaining backups and implementing security controls such as firewalls and restricted ports.
13.3 Rapid Recovery: SCALIBIT maintains defined escalation and incident response procedures to restore services promptly.
13.4 Regular Testing and Evaluation: SCALIBIT performs regular internal audits, incident simulations, and security testing as part of continuous improvement.

ANNEX 3

SCALIBIT Security Standards

Capitalized terms not otherwise defined in this document have the meanings assigned to them in the Agreement or the DPA.

1. Information Security Program.
SCALIBIT maintains a comprehensive information security program — including internal security policies, technical controls, and administrative procedures — designed to:
- Protect Customer Data against accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, or access;
- Identify, evaluate, and mitigate reasonably foreseeable internal and external risks to the confidentiality, integrity, and availability of Customer Data and SCALIBIT systems;
- Maintain an appropriate framework of risk management, vulnerability assessment, and regular security testing;
- Ensure continuous improvement and compliance with applicable Data Protection Laws and recognized industry standards (including ISO/IEC 27001 and NIST SP 800-53).
SCALIBIT designates qualified personnel — including a Data Protection Officer (DPO) and an Information Security Manager — responsible for implementing and maintaining the information security program.

The SCALIBIT network and infrastructure are accessible only to authorized personnel and service providers strictly necessary for providing the Services. Access is controlled and monitored using firewalls, VPN gateways, intrusion detection/prevention systems (IDS/IPS), and multi-factor authentication.

SCALIBIT maintains documented Incident Response and Business Continuity procedures to ensure prompt containment, investigation, and resolution of potential security threats or breaches.
2. Continued Evaluation and Improvement.
SCALIBIT conducts regular reviews of its information security policies, technical safeguards, and infrastructure controls to ensure their effectiveness and alignment with evolving risks and standards.
- Periodic vulnerability scanning, penetration testing, and system hardening are performed on infrastructure supporting SCALIBIT Services.
- Security measures are re-evaluated in response to changes in technology, identified vulnerabilities, or emerging threats.
- Audit results and security assessments are used to determine whether additional or updated controls are required to maintain a robust security posture.
SCALIBIT’s continuous improvement framework ensures that its Network and Data Protection measures remain effective, resilient, and compliant with global data protection regulations.

ANNEX 4

International Mandatory Cross-Border Transfer Mechanisms

1. Definitions

1.1 Data Privacy Framework (“DPF”): Refers to the EU–U.S., Swiss–U.S., and UK–U.S. Data Privacy Framework certification programs operated by the U.S. Department of Commerce (www.dataprivacyframework.gov).
1.2 UK–U.S. Data Bridge: Refers to the UK Extension to the EU–U.S. Data Privacy Framework as recognized by the UK Information Commissioner’s Office (ICO).
1.3 EU Standard Contractual Clauses (“EU SCCs”): Means the standard contractual clauses approved by the European Commission in Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced from time to time.
1.4 UK International Data Transfer Agreement (“UK IDTA”): Means the agreement issued by the UK Information Commissioner’s Office, Version B1.0, which is deemed executed by the Parties as of the Effective Date of this Agreement. The EU SCCs shall be deemed amended and supplemented by the UK IDTA in relation to personal data transfers originating from the United Kingdom.
1.5 Swiss Addendum: Refers to the modifications required for transfers of personal data from Switzerland under the Swiss Federal Act on Data Protection (FADP), aligning the EU SCCs to Swiss law requirements.
1.6 Türkiye Data Transfers: Refers to data transfers from Türkiye governed by the Personal Data Protection Law (Law No. 6698 – “KVKK”). Where Customer Data is transferred from Türkiye to jurisdictions not recognized as providing adequate protection, SCALIBIT applies Standard Contractual Clauses (SCCs) or other legally recognized safeguards approved by the Turkish Data Protection Authority (“KVKK Kurumu”).
1.7 Alternative Transfer Mechanisms: Refers to any other lawful mechanism recognized under applicable Data Protection Laws (e.g., Binding Corporate Rules, Approved Codes of Conduct, or Certifications) that provide an equivalent level of protection.

2. Order of Precedence

2.1 Adequacy Decisions: No Mandatory Transfer Mechanism shall apply where a transfer is made to a country that the relevant Data Protection Authority has deemed to provide an adequate level of protection (e.g., countries listed under EU, UK, Swiss, or Turkish adequacy determinations).
2.2 Priority of Mechanisms: Where multiple transfer mechanisms are available and valid, the following order of precedence shall apply:
1. The applicable EU–U.S., Swiss–U.S., or UK–U.S. Data Privacy Framework (DPF);
2. The UK–U.S. Data Bridge;
3. The EU Standard Contractual Clauses (EU SCCs);
4. The UK International Data Transfer Agreement (UK IDTA);
5. The Swiss Addendum (where applicable);
6. The Türkiye-approved transfer mechanisms under the KVKK;
7. Any other legally recognized alternative transfer mechanism.
2.3 Invalidity or Replacement: If any Mandatory Transfer Mechanism becomes invalid, ineffective, or withdrawn, the Parties shall cooperate in good faith to promptly implement an alternative lawful mechanism ensuring continued compliance with applicable Data Protection Laws. Until such replacement is in effect, SCALIBIT shall continue to provide adequate safeguards consistent with the applicable data protection principles.

DATA PROCESSING ADDENDUM – ANNEX A

Details of Data Processing

This Annex A describes the categories of Data Subjects, types of Personal Data, and processing activities carried out by SCALIBIT in connection with the Services, as required under applicable Data Protection Laws (including GDPR and KVKK).

1. Categories of Data Subjects

The categories of Data Subjects whose Personal Data is processed include:

(a) Website users and visitors (e.g., individuals accessing scalibit.com or affiliated portals);
(b) Customers (individuals or representatives with registered Customer Accounts);
(c) Customer’s end-users, clients, or visitors — i.e., individuals whose data is uploaded, stored, or otherwise processed through Customer-managed services (e.g., websites, virtual servers, or applications hosted on SCALIBIT infrastructure);
(d) Potential or former customers who have interacted with SCALIBIT through marketing, billing, or support channels.

2. Categories of Personal Data

The extent of Personal Data processed is determined by the Customer and typically includes, but is not limited to:

2.1 Identification and Contact Data: name, address, title, company, username, email, phone number, country, and account credentials.
2.2 Billing and Financial Data: billing address, VAT/tax identifiers, payment method, credit card or bank information (handled securely via PCI-compliant processors).
2.3 Technical and Usage Data: IP addresses, system and device identifiers, login and access logs, usage statistics, cookies, browser and OS data, location metadata, network events, and error logs.
2.4 Support and Communication Data: messages or attachments submitted via support tickets, abuse reports, or live chat systems.
2.5 Optional Account Data: customer preferences, language, marketing consents, and publicly available profile information voluntarily provided by the Customer.

3. Sensitive Data (if applicable)

SCALIBIT does not intentionally collect or process Sensitive or Special Categories of Personal Data (as defined under GDPR Article 9 and KVKK Article 6) in the course of providing Services. Any such data uploaded by the Customer is processed solely under Customer’s control and responsibility.

4. Frequency of Processing

Continuous — processing occurs automatically and as determined by the Customer’s use of the Services.

5. Subject Matter and Nature of the Processing

SCALIBIT provides infrastructure-based hosting and cloud computing services — including Shared Web Hosting, Virtual Machines (VPS/VDS), Cloud Compute, Optimized Cloud Compute, and Dedicated Servers. Processing includes storage, transmission, backup (where applicable), and other operations necessary to provide, maintain, and secure these Services.

6. Purpose of the Processing

SCALIBIT processes Customer Data only for the following Permitted Purposes:

(a) To deliver and operate SCALIBIT Services in accordance with the Agreement;
(b) To manage Customer accounts, authentication, and billing operations;
(c) To provide support, maintenance, monitoring, and system improvements;
(d) To comply with applicable laws, financial regulations, or law enforcement requests;
(e) To ensure security, detect fraud or abuse, and protect network integrity;
(f) To process Customer requests or instructions received via the Customer Portal, email, or support channels.

7. Duration of Processing and Data Retention

SCALIBIT processes Customer Data for the duration of the Agreement and retains it as necessary to fulfill legal, contractual, or operational obligations. Upon termination, data is deleted or returned in accordance with Section 14 (Return or Deletion of Personal Data) of this DPA, subject to legal retention requirements (e.g., accounting, law enforcement, or fraud prevention purposes).

DATA PROCESSING ADDENDUM – ANNEX B

Security Measures

The Security Measures implemented by the data importer are as described in Annex 3 to the DPA (SCALIBIT Security Standards).

Jurisdiction - Specific Terms

1. Europe:

1.1. Objection to Sub-processors. Customer may object in writing to the appointment of a new Sub-processor within thirty (30) days of receiving notice in accordance with Section 9.1 of the DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, SCALIBIT will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either Party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
1.2. Government Data Access Requests. As a matter of general practice, SCALIBIT does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about SCALIBIT accounts (including Customer Data). If SCALIBIT receives a compulsory request (whether through a preservation request, subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about a SCALIBIT account (including Customer Data) belonging to a Customer whose primary contact information indicates the Customer is located in Europe, SCALIBIT shall: (a) review the legality of the request; (b) inform the government agency that SCALIBIT is a processor of the data; (c) attempt to redirect the agency to request the data directly from Customer; (d) subject to applicable law related to the request, notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy; and (e) provide the minimum amount of information permissible when responding to the agency or authority based on a reasonable interpretation of the request. As part of this effort, SCALIBIT may provide Customer’s primary and billing contact information to the government agencies or authorities. SCALIBIT shall not be required to comply with this paragraph if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or SCALIBIT’s property, systems, or Services, but where SCALIBIT is legally prohibited from notifying Customer of requests it shall use commercially reasonable efforts to obtain a waiver of the prohibition.

2. California:

2.1. Except as described otherwise, the definitions of: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under the CCPA.
2.2. For this “California” section of Annex B only, “Permitted Purposes” shall include processing Customer Data only for the purposes described in this DPA and in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Agreement, or as otherwise may be permitted for “service providers” under the CCPA.
2.3. SCALIBIT’s obligations regarding Data Subject requests, as described in Section 10 (Data Subject Rights) of this DPA, extend to rights requests under the CCPA.
2.4. Notwithstanding any use restriction contained elsewhere in this DPA, SCALIBIT shall process Customer Data to provide the Services, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, or as otherwise permitted or required by applicable law.
2.5. Notwithstanding any use restriction contained elsewhere in this Annex B, SCALIBIT may de-identify or aggregate Customer Data as part of providing the Services specified in this DPA and the Agreement.
2.6. Where Sub-processors process the Personal Information of Customer contacts, SCALIBIT takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom SCALIBIT has entered into a written contract that includes terms substantially similar to this “California” section of Annex B or are otherwise exempt from the CCPA’s definition of “sale.” SCALIBIT conducts appropriate due diligence on its Sub-processors.

3. All U.S. States (including California):

3.1. SCALIBIT may not (a) sell or share Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement, or (c) retain, use, or disclose any Customer Personal Data outside of the direct business relationship between SCALIBIT and Customer.
3.2. SCALIBIT’s access to Customer Personal Data is not part of the consideration exchanged by the Parties under the Agreement.
3.3. Customer shall have the right to take reasonable steps to: (a) verify SCALIBIT processes Customer Personal Data in a manner consistent with this DPA, including exercising the rights set forth in Section 11 of the DPA; (b) require stopping and remediation of SCALIBIT’s processing activities conducted in violation of the DPA’s terms; and (c) take any other reasonable steps (as determined in Customer’s sole discretion) to ensure SCALIBIT’s compliance with this DPA. If SCALIBIT is unable or unwilling to comply with Customer’s reasonable requests pursuant to this Section 3.3, Customer’s sole remedy is to terminate this DPA and that portion of the Agreement that relates to processing of Customer Personal Data.
3.4. SCALIBIT certifies that it understands and will comply with the obligations under the Data Protection Laws and this DPA, including all restrictions on processing Customer Personal Data.

4. Switzerland:

4.1. When SCALIBIT engages a Subprocessor, it will:

- 4.1.1 Require the Subprocessor to comply with those Technical and Organizational Measures set forth in Sections 7, 8, and 11, and Annex 2 of the DPA that are appropriate to the nature of processing by the Subprocessor, including but not limited to all Technical and Organizational Measures required by Article 28 of the GDPR; and

- 4.1.2 Require the Subprocessor to agree in writing to only process Customer Personal Data (a) in Switzerland, (b) in the EU/EEA, (c) in another country that the European Commission has declared to have an “adequate” level of data protection, or (d) on terms set forth in Annex 4 regarding international transfers of Customer Personal Data.
4.2. To the extent Customer Personal Data transfers from Switzerland are made subject to the EU Standard Contractual Clauses (as defined in Annex 4), the following amendments apply:

- 4.2.1 References to “Member State” will be interpreted to include Switzerland; and

- 4.2.2 To the extent transfers are subject to the Federal Act on Data Protection (“FADP”), references to “Regulation (EU) 2016/679” will be deemed to be references to the FADP.
4.3. To the extent required by the FADP, the EU Standard Contractual Clauses will be deemed to include data relating to legal entities as Customer Personal Data.

5. United Kingdom:

5.1. References to “GDPR” will be deemed to be references to the corresponding laws and regulations of the United Kingdom, including, without limitation, the UK GDPR and UK Data Protection Act of 2018.
5.2. When SCALIBIT engages a Subprocessor, it will:

- 5.2.1 Require the Subprocessor to comply with those technical and organizational measures set forth in Sections 7, 8, and 11, and Annex 2 of the DPA that are appropriate to the nature of processing by the Subprocessor, including but not limited to all technical and organizational measures required by Article 28 of the UK GDPR; and

- 5.2.2 Require the Subprocessor to agree in writing to only process Customer Personal Data in (a) the UK, (b) the EU/EEA, (c) another country that the United Kingdom has declared to have an “adequate” level of data protection, or (d) on terms set forth in Annex 4 regarding international transfers of Customer Personal Data.

6. Canada:

6.1. SCALIBIT takes steps to ensure that SCALIBIT’s Sub-processors, as described in Section 9 (Sub-processing) of the DPA, are third parties under PIPEDA, with whom SCALIBIT has entered into a written contract that includes terms substantially similar to this DPA. SCALIBIT conducts appropriate due diligence on its Sub-processors.
6.2. SCALIBIT will implement technical and organizational measures as set forth in Section 7 (Security of Data Processing) of the DPA.

ANNEX C

List of SCALIBIT Sub-processors

The list of current Sub-processors authorized by SCALIBIT to process Customer Personal Data is available upon request in accordance with Section 9 of this DPA. SCALIBIT shall provide such information to Customer following a written request submitted to privacy@scalibit.com.

Data Processing Agreement (DPA)

Effective Date: March 1, 2025

SCALIBIT - DATA PROCESSING ADDENDUM

ANNEX 1

ANNEX 2

Technical and Organisational Measures in Accordance with Article 32 GDPR

ANNEX 3

SCALIBIT Security Standards

ANNEX 4

International Mandatory Cross-Border Transfer Mechanisms

DATA PROCESSING ADDENDUM – ANNEX A

DATA PROCESSING ADDENDUM – ANNEX B

ANNEX C

Produtos

Domains

Company

SCALIBIT Dashboard

Data Processing Agreement (DPA)

Effective Date: March 1, 2025

SCALIBIT - DATA PROCESSING ADDENDUM

ANNEX 1

ANNEX 2

Technical and Organisational Measures in Accordance with Article 32 GDPR

ANNEX 3

SCALIBIT Security Standards

ANNEX 4

International Mandatory Cross-Border Transfer Mechanisms

DATA PROCESSING ADDENDUM – ANNEX A

DATA PROCESSING ADDENDUM – ANNEX B

ANNEX C

Produtos

Domains

Company

SCALIBIT Dashboard

Gerar Senha