Exponent Data Processing Addendum

Last updated: Sep 30, 2024

This Customer Data Processing Addendum (“DPA”) forms part of the SaaS Services Agreement (“Agreement”) between Minimal Surface, Inc. (“Company”) and Customer. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. Unless clearly stated otherwise, references to “Sections” in this DPA refer to sections of this DPA.


With respect to the Processing of Personal Data, the parties agree as follows:


  1. Definitions

As used in this DPA:


1.1. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.

1.2. “Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data Processed by Company or a Sub-processor.

1.3. “Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.

1.4. “Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.

1.5. “Data Protection Laws” means all data protection and privacy laws applicable to each party’s respective activities involving the Processing of Personal Data under this DPA, including, where applicable, GDPR and CCPA.

1.6. “EEA” means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.

1.7. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and any member state law implementing the same.

1.8. “Personal Data” means any information relating to an identified or identifiable natural person that is (i) included in Customer Data that Company Processes on behalf of Customer in the course of providing the Services; and (ii) subject to the Data Protection Laws.

1.9. “Processing” has the meaning given to it under applicable Data Protection Laws and “process,” “processes” and “processed” shall be interpreted accordingly.

1.10. “Services” means the Services and the Implementation Services as described in the Agreement.

1.11. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC pursuant to the European Commission Decision of 5 February 2010 and attached to this DPA as Annex 2.


1.12. “Sub-processor” means any Data Processor engaged by Company to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.


  2. Relationship with the Agreement


2.1. The parties agree that this DPA shall replace any existing DPA or other contractual provisions pertaining to the subject matter contained herein that the parties may have previously entered into in connection with Services.

2.2. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

2.3. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to the exclusions and limitations of liability, set forth in the Agreement.


  3. Roles of the parties; Processing of Personal Data


3.1. As between Company and Customer, Customer is the Data Controller of Personal Data and Company is the Data Processor of Personal Data.

3.2. Customer agrees that (i) it shall comply with its obligations as a Data Controller under the Data Protection Laws in respect of its Processing of Personal Data and any Processing instructions it issues to Company; and (ii) it has provided all notices, and obtained all consents and rights, necessary under Data Protection Laws for Company to Process Personal Data and provide the Services as described in the Agreement. Customer shall immediately notify Company and cease Processing Personal Data in the event any required authorization or legal basis for Processing is revoked or terminates.

3.3. Company shall Process Personal Data only to provide the Services and for the purposes described in the Agreement, or otherwise in accordance with Customer’s documented and agreed-upon lawful instructions, unless Processing is required by applicable law, in which case Company shall to the extent permitted by applicable law inform Customer of that legal requirement before the relevant Processing. Company shall not otherwise retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services as described in the Agreement and this DPA, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Services.


  4. Details of Processing of Personal Data


4.1. The subject matter and duration of the Processing of the Personal Data are described in the Agreement and this DPA. The nature and purpose of the Processing of Personal Data is providing the AI Pair Programmer Services as described in the Agreement.

4.2. The types of Personal Data that may be Processed are determined by Customer and may include:

  • User account information such as name, email address, and user ID

  • Code snippets, function names, variable names, and other programming-related text input by users

  • Metadata about coding sessions, including timestamps, programming languages used, and project identifiers

  • User preferences and settings related to code generation and formatting

  • Version control system information, if integrated (e.g., repository names, branch names, commit messages)

  • Usage data such as frequency of use, features accessed, and performance metrics

  • Any other Personal Data that Customer chooses to include in their code or comments

4.3. The Processing of Personal Data pursuant to this DPA will pertain to individuals including employees, contractors, and authorized users of Customer who interact with the AI Pair Programmer Services. This may include software developers, engineers, data scientists, and other technical staff of Customer. The obligations and rights of Customer and Company and the duration of Processing are set forth in the Agreement and this DPA.

4.4. Customer acknowledges and agrees that it is responsible for ensuring that any Personal Data submitted to the AI Pair Programmer Services is done so in compliance with applicable Data Protection Laws and Customer's own privacy policies and procedures.


  5. Data Security


Each party shall take appropriate technical and organizational measures against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage. Company shall implement and maintain commercially reasonable technical and organizational security measures designed to protect Personal Data from Data Breaches, including the security measures described in Annex 1 to this DPA. Customer agrees that it is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit, and taking any appropriate steps to securely encrypt or back up Personal Data, as well as the security obligations outlined in the Agreement.


  6. Data Breach Response


Company shall notify Customer without undue delay after becoming aware of any Data Breach. Company shall make reasonable efforts to identify the cause of the Data Breach and shall undertake such steps as Company deems necessary and reasonable in order to remediate the cause of such Data Breach. Company shall provide information related to the Data Breach to Customer in a timely fashion and as reasonably necessary for Customer to maintain compliance with the Data Protection Laws.


  7. Confidentiality of Processing


Company shall ensure that any person who is authorized by Company to Process Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality.


  8. Return or Deletion of Personal Data


Upon expiration or termination of the Agreement, Company shall (at Customer's election) delete or return, if feasible, to Customer all Personal Data remaining in its possession or control, save that this requirement shall not apply: (i) to the extent Company is required by applicable law to retain some or all of the Personal Data; or (ii) to Personal Data Company has archived on back-up systems. In all such cases, Company shall maintain the Personal Data securely and limit Processing to the purposes that prevent deletion or return of the Personal Data. The terms of this DPA shall survive for so long as Company continues to retain any Personal Data.


  9. Sub-processing


Customer hereby authorizes Company to engage Sub-processors to Process Personal Data on Customer's behalf, including the Sub-processors currently engaged by Company. Company shall: (i) take commercially reasonable measures to ensure that Sub-processors have the requisite capabilities to Process Personal Data in accordance with this DPA; (ii) enter into a written agreement with each Sub-processor that requires the Sub-processor to protect the Personal Data to the same standard required by this DPA; and (iii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Company to breach any of its obligations under this DPA. Company will notify Customer in the event that it intends to engage different or additional Sub-processors that will Process Personal Data pursuant to this DPA, which may be done by email or posting on a website identified by Company to Customer. Customer must raise any objection to posted Sub-processors within five (5) calendar days of the posted update. Customer’s objection shall only be effective if submitted to Company in writing, specifically describing Customer’s reasonable belief that Company’s proposed use of the Sub-processor(s) will materially, adversely affect Customer’s compliance with GDPR. In any such case, the parties will make reasonable efforts to reconcile the matter. In the event Customer’s concern cannot be resolved, Company may terminate the Agreement with no penalty and Customer shall immediately pay all fees and costs then owing and incurred by Company as a result of termination.


  10. International Transfers


10.1. Company may Process Personal Data anywhere in the world where Company or its Sub-processors maintain data Processing operations. Company shall at all times provide an adequate level of protection for the Personal Data Processed, in accordance with the requirements of Data Protection Laws.

10.2. To the extent Company’s performance of the Services requires the transfer of Personal Data from within the EEA to a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the GDPR), the Standard Contractual Clauses will apply to the transfer and are incorporated by reference herein.


  11. Data Protection Authority Inquiries


Company shall provide commercially reasonable cooperation to assist Customer in its response to any requests from data protection authorities with authority relating to the Processing of Personal Data under the Agreement and this DPA. In the event that any such request is made directly to Company, Company shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Company is required to respond to such a request, Company shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.


  12. Individual Rights and Requests


To the extent Customer does not have the ability to independently correct, amend, or delete Personal Data, or block or restrict Processing of Personal Data, then at Customer’s written direction and to the extent required by Data Protection Laws, Company shall provide reasonable assistance to Customer with any commercially reasonable request by Customer to facilitate such actions. Company shall, to the extent legally permitted, promptly notify Customer if it receives a request from an individual data subject for access to, correction, amendment or deletion of that person’s Personal Data, or a request to restrict Processing. Company shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a data subject’s request, to the extent legally permitted and to the extent Customer does not have the ability to address the request independently.


13. Data Protection Impact Assessments; Prior Consultations with Supervisory Authorities


Upon Customer’s written request, Company shall provide Customer with reasonable cooperation and assistance as needed to fulfil Customer’s obligation under GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Company. Company shall further provide reasonable assistance to Customer in the cooperation or prior consultation with the supervisory authority in the performance of its tasks, to the extent required under GDPR.


  14. Audits and Inspections


Company shall provide written responses (on a confidential basis) to all commercially reasonable requests for information made by Customer regarding Processing of Personal Data, including responses to information security reviews, that are necessary to confirm Company’s compliance with this DPA. To the extent Company’s responses are not sufficient to enable Customer to satisfy its obligations under applicable Data Protection Laws, Company shall cooperate with audits and inspections performed by Customer or a vendor of Customer reasonably acceptable to Company, provided however, that any audit or inspection: (i) may not be performed unless necessary to determine Company’s compliance with this DPA and Customer reasonably believes that Company is not complying with this DPA, or as otherwise specifically required by applicable Data Protection Laws; (ii) must be conducted at Customer’s sole expense and subject to reasonable fees and costs charged by Company; (iii) may be conducted on no less than thirty (30) days prior written notice from Customer, at a date and time and for a duration mutually agreed by the parties; and (iv) must be performed in a manner that does not cause any damage, injury, or disruption to Company’s premises, equipment, personnel, or business. Notwithstanding the foregoing, Company will not be required to disclose any proprietary or privileged information to Customer or an agent or vendor of Customer in connection with any audit or inspection undertaken pursuant to this DPA.


  15. Law Enforcement Requests


If a law enforcement or other governmental agency sends Company a request or other lawful process for Personal Data (for example, a subpoena or court order), Company may attempt to redirect the agency to request that data directly from Customer. As part of this effort, Company may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then Company shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Company is legally prohibited from doing so.


  16. Customer Obligations


Customer shall ensure that Customer is entitled to transfer the relevant Personal Data to Company so that Company may lawfully use, process, and transfer the Personal Data in accordance with the Agreement on the Customer’s behalf. Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by any applicable Data Protection Law and acknowledges that Company is reliant on Customer for direction as to the extent to which Company is entitled to use and process the Personal Data. Company will not be liable for any claim brought against Company arising from any action or omission by Company to the extent that such action or omission resulted directly from Customer’s instructions and/or any failure of Customer to comply with this DPA.


  17. Miscellaneous


17.1. Except as may be otherwise provided pursuant to the Standard Contractual Clauses, no one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

17.2. Unless otherwise required by the Standard Contractual Clauses or other data transfer requirements, this DPA will be subject to the governing law identified in the Agreement without giving effect to conflict of laws principles.