Data Processing Agreement

Last updated: January 15, 2026. This DPA is incorporated into and forms part of the Citelock Terms of Service or Master Subscription Agreement.

This Data Processing Agreement ("DPA") applies to all customers subject to the General Data Protection Regulation (GDPR), UK GDPR, or other privacy laws that require a written processor agreement. Enterprise customers may request a countersigned DPA for their procurement records by contacting [email protected].

This DPA governs the processing of personal data by Citelock, Inc. ("Processor") on behalf of customers ("Controller") who use the Citelock legal hold platform. The terms "personal data," "data subject," "processing," "controller," and "processor" have the meanings given in GDPR Article 4.

Processor and Controller Roles

Controller. The Customer is the data controller with respect to personal data contained in legal hold notices, custodian records, acknowledgment responses, matter details, and all other Customer Data submitted to the Services. The Customer determines the purposes and means of processing that data.

Processor. Citelock acts as a data processor. We process personal data only on documented instructions from the Controller — including instructions given through configuration of the Services, submission of data, and initiation of workflows within the platform. We do not process Customer Data for any independent purpose.

Employee data. Custodian records typically contain employee personal data (names, email addresses, department, manager information). The Customer is responsible for ensuring an appropriate legal basis exists for processing employee data in connection with legal hold obligations, which may include legal obligation, legitimate interests, or applicable employment law.

Processing Instructions

Citelock processes personal data only to:

  • Provision and operate the legal hold platform and associated features
  • Deliver, track, and record legal hold notices and acknowledgments on the Customer's behalf
  • Generate audit logs, compliance reports, and matter records as directed by the Customer
  • Provide customer support when requested by an authorized user
  • Comply with applicable law, court order, or government authority

If Citelock is required by law to process personal data in a manner inconsistent with the Customer's instructions, we will inform the Customer before processing unless prohibited from doing so by law. Citelock will promptly notify the Customer if, in our reasonable opinion, any instruction violates applicable data protection law.

Sub-Processors

Citelock engages the following categories of sub-processors to support the Services. Each sub-processor is bound by data processing agreements that impose at least equivalent protections to those in this DPA.

  • Cloud infrastructure: Hosting, storage, and compute (U.S.-based, with regional options available for enterprise customers)
  • Email delivery: Transactional email for hold notices and system notifications
  • Error monitoring: Application performance and crash reporting
  • Payment processing: Subscription billing and invoice management
  • Identity provider: Optional SSO integration support

Citelock maintains a current list of sub-processors and will notify Customers of any material changes to the sub-processor list at least 30 days in advance. Customers may object to a new sub-processor on reasonable grounds within that period. If we cannot resolve the objection, the Customer may terminate their subscription without penalty.

International Data Transfers

Customer Data is processed and stored primarily within the United States. For Customers in the EEA, UK, or Switzerland, Citelock relies on Standard Contractual Clauses (SCCs) adopted by the European Commission as the lawful mechanism for international data transfers. The applicable module (Controller-to-Processor, Module 2) is incorporated into this DPA by reference.

Enterprise customers may request a Transfer Impact Assessment or documentation of Citelock's supplementary technical and organizational measures by contacting [email protected].

Security Measures

Citelock implements the following technical and organizational measures to protect personal data:

  • AES-256 encryption at rest for all Customer Data and database backups
  • TLS 1.3 for all data in transit, including API communications and web traffic
  • Role-based access controls limiting personnel access to Customer Data on a need-to-know basis
  • Multi-factor authentication required for all Citelock personnel accessing production systems
  • Annual third-party penetration testing with remediation tracking
  • Continuous vulnerability scanning, dependency audits, and patch management
  • Physical access controls at all data center facilities
  • Security awareness training for all personnel with data access
  • Incident response procedures with documented RTO and RPO targets
  • SOC 2 Type II audit covering security, availability, and confidentiality trust service criteria

Breach Notification

Citelock will notify the Customer without undue delay, and in any case within 72 hours of becoming aware of a personal data breach affecting Customer Data. Notification will be sent to the Customer's designated security contact and will include:

  • The nature of the breach, including categories and approximate number of data subjects affected
  • The categories and approximate number of personal data records affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

The Customer is responsible for determining whether to notify supervisory authorities or affected data subjects, and for any notifications required under applicable law. Citelock will cooperate with and assist the Customer in meeting those obligations.

Audit Rights

Citelock will make available to the Customer all information reasonably necessary to demonstrate compliance with GDPR Article 28 and this DPA. This includes providing current SOC 2 Type II reports, completing reasonable security questionnaires, and responding to written compliance inquiries.

Customers may request on-site audits of Citelock's processing facilities no more than once per year, with at least 30 days advance written notice, subject to reasonable confidentiality requirements, and at the Customer's expense. Citelock may satisfy audit obligations by providing third-party audit reports in lieu of on-site audits where those reports address the scope of the audit request.

Data Deletion and Return

Upon termination of the Customer's subscription, Citelock will delete Customer Data from production systems within 90 days. Backups are purged on a rolling 30-day cycle following the deletion of production data. The Customer may request an export of their data in standard formats during the 90-day post-termination window.

Audit logs may be retained longer than the standard retention period where required by applicable law or where Citelock has a legitimate legal interest in retention. Citelock will notify the Customer of any such extended retention.

GDPR Article 28 Compliance Statement

This DPA is structured to satisfy the requirements of GDPR Article 28(3). Specifically:

  • Article 28(3)(a): Citelock processes personal data only on documented instructions from the Controller.
  • Article 28(3)(b): Citelock ensures personnel authorized to process personal data are bound by confidentiality obligations.
  • Article 28(3)(c): Citelock implements appropriate technical and organizational security measures as described above.
  • Article 28(3)(d): Sub-processor engagement is governed as described in the Sub-Processors section of this DPA.
  • Article 28(3)(e): Citelock assists the Controller in responding to data subject rights requests.
  • Article 28(3)(f): Citelock assists with security, breach notification, DPIAs, and prior consultation obligations.
  • Article 28(3)(g): Citelock deletes or returns personal data as described in the Data Deletion section.
  • Article 28(3)(h): Citelock makes available all information necessary to demonstrate compliance and cooperates with audits.

To request a countersigned copy of this DPA or to discuss enterprise data processing arrangements, contact [email protected].