Data Processing Addendum
This Data Processing Addendum (this “DPA”) forms part of and supplements the agreement between Spenat Labs Inc. (d/b/a Walk and Code) (“Walk and Code,” “Company,” “Processor,” “we,” “us,” or “our”) and the customer entity agreeing to this DPA (“Customer” or “Controller”) for the provision of Walk and Code services (the “Agreement”).
This DPA applies where and to the extent Walk and Code processes Personal Data on behalf of Customer as a processor or service provider in connection with the Services under the Agreement.
If there is a conflict between this DPA and the Agreement, this DPA controls with respect to the subject matter of this DPA. Capitalized terms not defined in this DPA have the meanings given in the Agreement.
1. Definitions
For purposes of this DPA:
- “Applicable Data Protection Law” means any law or regulation applicable to the processing of Personal Data under the Agreement, including, where applicable, the EU GDPR, UK GDPR, Swiss data protection law, and U.S. state privacy laws.
- “Controller” means the entity that determines the purposes and means of the processing of Personal Data. Where applicable under U.S. state privacy laws, this may include a business.
- “Customer Personal Data” means Personal Data processed by Walk and Code on behalf of Customer in connection with the Services.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Personal Data” means information that is protected as personal data, personal information, or a similar term under Applicable Data Protection Law.
- “Process” or “Processing” means any operation performed on Personal Data, whether or not by automated means, including collection, access, storage, use, disclosure, transfer, analysis, organization, adaptation, deletion, or destruction.
- “Processor” means an entity that processes Personal Data on behalf of a Controller. Where applicable under U.S. state privacy laws, this may include a service provider or contractor.
- “Restricted Transfer” means a transfer of Personal Data for which Applicable Data Protection Law requires an approved transfer mechanism.
- “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Walk and Code as Processor under this DPA. Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, such as pings, scans, denial of service attempts, or firewall attacks.
- “Subprocessor” means a third party engaged by Walk and Code to process Customer Personal Data on behalf of Customer in connection with the Services.
The terms “business,” “consumer,” “controller,” “processor,” “service provider,” “contractor,” “sell,” “share,” and “sensitive personal information” shall have the meanings given in Applicable Data Protection Law where such law applies.
2. Roles of the Parties
The parties agree that:
- Customer is the Controller of Customer Personal Data, except to the extent Customer acts as a Processor on behalf of another controller, in which case Customer represents that it is duly authorized to instruct Walk and Code on behalf of that controller.
- Walk and Code is the Processor or service provider of Customer Personal Data processed on behalf of Customer under the Agreement.
- Each party will comply with Applicable Data Protection Law as it applies to that party’s role and processing activities.
Customer remains solely responsible for:
- the lawfulness of the collection and use of Customer Personal Data;
- providing notices and obtaining consents, authorizations, and rights necessary for Walk and Code to process Customer Personal Data under the Agreement and this DPA;
- the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired it; and
- its decisions, instructions, configurations, and use of the Services.
3. Subject Matter, Duration, Purpose, and Nature of Processing
3.1 Subject Matter
The subject matter of the Processing is the provision of the Services under the Agreement.
3.2 Duration
Walk and Code will process Customer Personal Data for the duration of the Agreement, and thereafter only for as long as necessary to comply with the Agreement, this DPA, our documented retention practices, legal obligations, dispute resolution needs, security purposes, backup processes, or as otherwise permitted by Applicable Data Protection Law.
3.3 Purpose and Nature of Processing
Walk and Code may process Customer Personal Data as necessary to provide, operate, secure, support, maintain, improve, and develop the Services, including to:
- host, store, organize, retrieve, display, and transmit Customer Personal Data;
- enable account administration, authentication, billing, support, and access management;
- process prompts, code, repositories, voice inputs, transcripts, metadata, and related materials submitted through the Services;
- provide AI-assisted coding, voice, automation, and workflow features;
- monitor, detect, investigate, prevent, and remediate bugs, abuse, fraud, policy violations, and Security Incidents;
- conduct diagnostics, debugging, troubleshooting, service analytics, product quality review, and technical support;
- maintain backups, logs, archives, and disaster recovery systems;
- comply with law and enforce the Agreement; and
- otherwise process Customer Personal Data in accordance with Customer’s documented instructions as reflected in the Agreement, this DPA, Customer’s configuration of the Services, and Customer’s use of the Services.
4. Categories of Data Subjects and Personal Data
The categories of Data Subjects and Personal Data processed under this DPA depend on Customer’s use of the Services and may include the categories described in Annex 1.
5. Customer Instructions
Walk and Code will process Customer Personal Data only on Customer’s documented instructions, as set out in the Agreement, this DPA, and Customer’s use and configuration of the Services, unless otherwise required by applicable law to which Walk and Code is subject. If Walk and Code is required by law to process Customer Personal Data for another purpose, Walk and Code will, to the extent legally permitted, inform Customer of that requirement before processing.
Customer instructs Walk and Code to process Customer Personal Data as reasonably necessary to provide the Services and related support, security, maintenance, analytics, and operational functions described in the Agreement and this DPA.
Walk and Code may refuse or suspend any instruction that it reasonably believes violates law, the Agreement, this DPA, or would create a material security, technical, or legal risk.
6. Confidentiality
Walk and Code will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual, statutory, or otherwise.
7. Security Measures
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to individuals, Walk and Code will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
Such measures may include, as appropriate:
- access controls and least-privilege practices;
- authentication measures;
- network and infrastructure protections;
- encryption in transit and, where appropriate, at rest;
- logging and monitoring;
- backup and resilience measures;
- vulnerability management and patching practices;
- personnel confidentiality measures; and
- incident response procedures.
Customer acknowledges that no security measure is perfect and that Walk and Code does not guarantee absolute security.
8. Security Incident Notification
If Walk and Code becomes aware of a Security Incident, Walk and Code will notify Customer without undue delay after becoming aware of the Security Incident.
Such notification may:
- describe the nature of the Security Incident, if known;
- describe the categories of Customer Personal Data affected, if known;
- describe measures taken or proposed to address the Security Incident; and
- provide information reasonably available to Walk and Code at the time.
Walk and Code may provide information in phases as it becomes available.
Walk and Code’s notification of or response to a Security Incident is not an admission of fault or liability. Walk and Code will take such measures as it considers reasonable and appropriate to contain, investigate, and mitigate the Security Incident.
Customer is solely responsible for determining whether to notify regulators, affected individuals, customers, employees, or any other persons, except where applicable law expressly requires Walk and Code to do so directly.
9. Subprocessors
Customer authorizes Walk and Code to engage Subprocessors in connection with the Services.
Walk and Code will impose data protection obligations on Subprocessors that are materially protective of Customer Personal Data and appropriate to the nature of the services provided by the Subprocessor.
Walk and Code will remain responsible for the performance of its Subprocessors to the extent required by Applicable Data Protection Law.
Walk and Code may update its Subprocessors from time to time. Walk and Code may make a current Subprocessor list available separately.
If Applicable Data Protection Law gives Customer a right to object to a new Subprocessor, Customer must notify Walk and Code promptly and in writing with a reasonable, documented basis related to data protection. If the parties cannot resolve the objection in good faith, Walk and Code may, at its option, either: (a) instruct Customer to stop using the affected feature of the Services; or (b) terminate the affected portion of the Services without liability.
10. Assistance with Data Subject Requests
Taking into account the nature of the Processing, Walk and Code will provide reasonable assistance to Customer, to the extent reasonably possible and appropriate, to help Customer respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
Customer remains solely responsible for responding to Data Subject requests and for determining whether a request is valid or legally required.
If Walk and Code receives a Data Subject request relating to Customer Personal Data, Walk and Code may refer the requester to Customer or, where appropriate, notify Customer, unless prohibited by law.
11. Assistance with Compliance
Taking into account the nature of Processing and the information available to Walk and Code, Walk and Code will provide reasonable assistance to Customer with Customer’s compliance obligations under Applicable Data Protection Law where such obligations are directly applicable to Walk and Code’s role as Processor under this DPA, including with respect to:
- security of processing;
- personal data breach notifications;
- data protection impact assessments; and
- prior consultations with supervisory authorities,
in each case only to the extent required by Applicable Data Protection Law and reasonably feasible given the nature of the Services.
Walk and Code may charge reasonable fees for assistance beyond what is legally required or beyond what is reasonably included in the Services.
12. Audits and Information Rights
To the extent required by Applicable Data Protection Law, Walk and Code will make available to Customer information reasonably necessary to demonstrate Walk and Code’s compliance with this DPA.
If such information is not sufficient and Applicable Data Protection Law gives Customer an audit right, Customer may request an audit no more than once per twelve-month period, subject to the following conditions:
- the audit must be limited to matters directly relevant to Walk and Code’s compliance with this DPA;
- Customer must provide at least thirty (30) days’ prior written notice;
- the audit must occur during normal business hours and in a manner that minimizes disruption;
- the audit must be conducted either by Walk and Code providing available audit materials or, if necessary, by an independent third-party auditor reasonably acceptable to Walk and Code and bound by confidentiality obligations;
- Customer must not access information of other customers, confidential information unrelated to this DPA, or systems not relevant to the audit;
- Customer will bear all costs of the audit; and
- Walk and Code may object to any audit scope or method that would create security, confidentiality, legal, or operational risk.
Nothing in this Section requires Walk and Code to disclose trade secrets, vulnerability information, information that could compromise security, or information belonging to other customers or third parties.
13. Return and Deletion
Upon termination or expiration of the Agreement, Walk and Code may delete or render inaccessible Customer Personal Data in accordance with the Agreement and its standard retention practices, unless applicable law requires retention.
If Customer requests deletion and Walk and Code agrees to process the request, deletion may not occur immediately and may be delayed by backups, archives, logs, technical constraints, legal obligations, fraud prevention needs, security needs, dispute preservation, or other legitimate retention grounds.
Notwithstanding anything to the contrary, Walk and Code may retain Customer Personal Data as permitted or required by law, for security, backup, disaster recovery, fraud prevention, abuse prevention, dispute resolution, legal compliance, enforcement, tax, accounting, and other legitimate business purposes, in each case subject to appropriate protections.
14. International Data Transfers
Customer authorizes Walk and Code to transfer Customer Personal Data to the United States and other jurisdictions where Walk and Code or its Subprocessors operate, provided that Walk and Code complies with Applicable Data Protection Law regarding Restricted Transfers.
Where required by Applicable Data Protection Law for a Restricted Transfer, the parties agree that the applicable transfer mechanism shall apply, including, as applicable:
- the European Commission Standard Contractual Clauses;
- the UK International Data Transfer Addendum or UK-approved addendum to the SCCs;
- the Swiss addendum or interpretation required under Swiss law; or
- another valid transfer mechanism recognized under Applicable Data Protection Law.
To the extent applicable, the SCCs are incorporated by reference as follows:
- for transfers from Customer as controller to Walk and Code as processor, Module Two applies;
- for transfers from Customer as processor to Walk and Code as subprocessor, Module Three applies;
- the optional docking clause applies;
- the audit provisions are satisfied by the audit terms in Section 12 of this DPA;
- the technical and organizational measures are described in Section 7 and Annex 2;
- the list of Subprocessors is described in Section 9 and may be supplemented by a separate Subprocessor list; and
- the governing law and forum provisions of the SCCs will apply only as required by the SCCs.
If a transfer mechanism is replaced, amended, invalidated, or supplemented, the parties will cooperate in good faith to implement an alternative lawful transfer mechanism where required.
15. U.S. State Privacy Law Terms
To the extent U.S. state privacy laws apply to Customer Personal Data processed under this DPA, the parties agree that:
- Walk and Code is acting as a service provider or contractor, as applicable, with respect to such Customer Personal Data.
- Walk and Code will not sell or share Customer Personal Data, as those terms are defined under applicable U.S. state privacy laws, except as permitted by the Agreement, this DPA, or Customer’s instructions.
- Walk and Code will not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer except as permitted by Applicable Data Protection Law, the Agreement, or this DPA.
- Walk and Code may use Customer Personal Data for internal purposes permitted by Applicable Data Protection Law, including helping to detect security incidents, protect against malicious or illegal activity, debug, repair, improve, and maintain the Services, and for other uses permitted for service providers or contractors.
- Walk and Code will comply with applicable restrictions on combining Customer Personal Data with personal data received from other sources, except as permitted by U.S. state privacy laws.
- Walk and Code will provide the level of privacy protection required by applicable U.S. state privacy laws and will notify Customer if Walk and Code determines it can no longer meet its obligations under this Section.
16. Liability
This DPA does not expand either party’s liability beyond what is provided in the Agreement. Any liability arising under or in connection with this DPA will be subject to the exclusions, limitations, disclaimers, and liability caps set out in the Agreement, to the maximum extent permitted by Applicable Data Protection Law.
17. Order of Precedence
If there is any conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA controls to the extent of the conflict. In all other respects, the Agreement remains in full force and effect.
18. Changes to this DPA
Walk and Code may update this DPA from time to time to reflect changes in the law, the Services, our processing practices, or compliance requirements. Any updated DPA will become effective as stated in the updated version or, if not stated, when posted or otherwise made available, except to the extent Applicable Data Protection Law requires a different process.
19. Annex 1 – Details of Processing
A. List of Parties
Data Exporter / Controller: Customer entity entering into the Agreement.
Data Importer / Processor: Spenat Labs Inc. (d/b/a Walk and Code)
B. Categories of Data Subjects
Depending on Customer’s use of the Services, Data Subjects may include:
- Customer’s employees, contractors, founders, and authorized users;
- Customer’s developers, engineers, product personnel, and operations personnel;
- Customer’s end users, customers, prospects, vendors, or business contacts, to the extent Customer submits their Personal Data to the Services;
- persons whose information appears in Customer codebases, repositories, logs, tickets, prompts, transcripts, support materials, or connected systems; and
- other persons whose Personal Data Customer or its authorized users submit to the Services.
C. Categories of Personal Data
Depending on Customer’s use of the Services, Customer Personal Data may include:
- name, email address, username, account identifiers, and contact details;
- billing and transaction metadata;
- prompts, chats, instructions, requests, and associated metadata;
- code, repositories, files, folders, snippets, diffs, commits, logs, configurations, outputs, and related materials that may contain Personal Data;
- microphone recordings, voice data, transcripts, annotations, and associated metadata;
- device information, IP address, browser information, log data, session data, usage data, and diagnostic information;
- support communications and support records; and
- any other Personal Data Customer or its authorized users submit to or connect with the Services.
D. Sensitive Data
Customer may choose to submit data that may be considered sensitive under applicable law. Customer is solely responsible for determining whether submission of such data is lawful and appropriate. Walk and Code does not require Customer to submit sensitive data unless Customer chooses to do so through its use of the Services.
E. Nature of Processing
Collection, recording, organization, storage, hosting, access, retrieval, consultation, use, analysis, transmission, alignment, combination, adaptation, generation, disclosure, deletion, and destruction, as necessary to provide the Services and as otherwise described in this DPA and the Agreement.
F. Purpose of Processing
Provision, operation, support, security, maintenance, debugging, analytics, improvement, and development of the Services, and other purposes described in the Agreement and this DPA.
G. Duration of Processing
For the duration of the Agreement and thereafter as permitted under Section 13 of this DPA.
20. Annex 2 – Technical and Organizational Measures
Walk and Code will maintain reasonable and appropriate technical and organizational measures designed to protect Customer Personal Data, which may include measures such as:
- logical access controls designed to limit access to authorized personnel;
- authentication and password controls;
- role-based access restrictions where appropriate;
- encryption in transit and, where appropriate, at rest;
- logging and monitoring of systems and events;
- backup, redundancy, and recovery practices;
- patching and vulnerability management processes;
- personnel confidentiality obligations;
- incident response and escalation procedures; and
- vendor management practices for subprocessors and service providers.
Customer acknowledges that these measures may evolve over time and that Walk and Code may update or modify them, provided that the overall security posture is not materially reduced in a manner inconsistent with Applicable Data Protection Law.
21. Contact
If you have questions regarding this DPA, contact:
Spenat Labs Inc. (d/b/a Walk and Code)
Email: hello@walkandcode.com