Customer Data Processing Addendum

This DPA is part of Magma’s Master Cloud Agreement (“MCA”) or Terms of Service ("ToS") for select customers. If you have an executed Order that references our MCA (or if your signed contract or Terms of Service otherwise incorporates this DPA by reference), this DPA applies to the extent we process Personal Data on your behalf. By purchasing or continuing to use Magma’s enterprise services, you agree to this DPA, which supplements our MCA (or applicable Terms).

SECTION A – KEY TERMS

SECTION B – LEGAL TERMS

1. Purpose and Scope

1.1 Compliance with Data Protection Law. This DPA aims to ensure compliance with any applicable data protection or privacy laws and regulations, including EU Regulation 2016/679 (GDPR), UK GDPR, Swiss Federal Data Protection Act (FADP), U.S. state privacy laws (e.g., CCPA/CPRA, as well as other states with substantially similar requirements), and any equivalent or successor laws (collectively, “Data Protection Laws”).

1.2 Applicability. This DPA applies only to the extent Magma processes Personal Data on behalf of Customer under the Magma Master Cloud Agreement (“MCA”) or an equivalent signed agreement referencing this DPA. It supplements the Base Agreement. In case of conflict, this DPA prevails unless otherwise stated in writing.

1.3 Customer Warranties. Customer is responsible for ensuring it has the lawful basis (e.g., consent, legitimate interest) to collect and process Personal Data. Customer warrants it has provided necessary notices to data subjects (or “consumers” under U.S. law), obtained any required consents, and does not violate any third-party rights or applicable law by providing the data to Magma.

2. Interpretation

2.1 Terms like “Controller,” “Processor,” “Personal Data,” “Processing,” “Sub-processor,” and “Data Subject” have the meanings given in the GDPR and analogous definitions under other Data Protection Laws.

2.2 Under U.S. state privacy laws, such as CCPA/CPRA, “Business,” “Service Provider,” “Sell,” “Share,” “Consumer,” and “Personal Information” carry the meanings from those statutes, to the extent such laws apply.

2.3 In the event of any inconsistencies between this DPA and mandatory requirements of Data Protection Law, the latter shall prevail.

3. Description of Processing

3.1 Details of Processing. The nature, categories, duration, and purposes of processing, and the types of Personal Data, are set out in Section A (Key Terms) and the Base Agreement.

3.2 Controller’s Responsibility. Customer shall ensure that Personal Data is relevant, accurate, and limited to what is necessary for the intended purpose(s). Magma shall not be responsible for reviewing the lawfulness of the Personal Data itself.

4. Obligations of the Parties

4.1 Instructions and Purpose Limitation

• Magma will process Personal Data only in accordance with Customer’s documented instructions, including those in this DPA and the Base Agreement, unless required by law.

• Magma will promptly inform Customer if it believes an instruction violates any Data Protection Law.

4.2 Erasure or Return of Data

• Upon termination of the Base Agreement or upon Customer’s request, Magma will delete or return all Personal Data and certify such deletion, unless further retention is required by law.

• Customer should export or retrieve data before the end of the Base Agreement if it wishes to keep a copy.

4.3 Security of Processing

• Magma implements technical and organizational measures to protect Personal Data, outlined in Section C (TOMs) below.

• In case of a personal data breach, Magma shall notify Customer without undue delay (and in any event within 72 hours of awareness), providing known details to enable Customer to fulfill breach notification obligations.

• Magma ensures personnel authorized to process Personal Data have committed to confidentiality.

4.4 Documentation and Compliance

• The Parties shall each maintain records necessary to demonstrate compliance with this DPA.

• Magma shall cooperate with Customer’s reasonable requests for information to confirm Magma’s compliance.

4.5 Use of Sub-processors

• General Authorization: Customer authorizes Magma to engage Sub-processors listed in Section A or posted online in Magma’s Sub-processor list.

• Changes: Magma shall inform Customer at least 15 days before adding or replacing any Sub-processor, giving Customer the opportunity to object in writing (not unreasonably).

• Liability: Magma remains fully liable for Sub-processors’ performance of obligations under this DPA.

• Sub-processors must be bound by terms at least as protective as this DPA.

4.6 International Transfers

• Magma (and its Sub-processors) may process Personal Data outside the EU/EEA/Switzerland/UK, provided such processing complies with Data Protection Law.

• If required, the Standard Contractual Clauses, Data Privacy Framework, or another lawful transfer mechanism will apply.

• In the event any lawful transfer mechanism is invalidated, the Parties shall cooperate in good faith to adopt an alternative compliant mechanism.

5. Data Subject Rights

5.1 Handling Requests: If Magma receives a Data Subject Request (e.g., access, rectification, erasure, portability) directly, Magma will promptly forward it to Customer and await instructions (unless prohibited by law).

5.2 Assistance: Magma shall reasonably assist Customer in fulfilling data subject requests and other obligations (e.g., data protection impact assessments, breach notifications) to the extent Magma has relevant information or capabilities.

6. Personal Data Breach Notification

• Magma shall inform Customer without undue delay (within 72 hours of becoming aware) of a personal data breach involving Customer’s Personal Data, including details on the nature of the breach, categories of data affected, and measures taken or proposed.

• Magma will cooperate with Customer’s efforts to notify supervisory authorities or impacted individuals, as required by law.

7. Security Reports & Inspections

7.1 Information Sharing: Upon written request, Magma will provide copies of certifications or relevant documentation (e.g. third-party audit summaries) sufficient to demonstrate compliance with this DPA.

7.2 Audits:

• Following a confirmed personal data breach or if required by a data protection authority, Customer may, at its own expense, conduct a reasonable audit of Magma’s relevant systems or records.

• The scope, timing, and duration of any such audit must be agreed in advance, with at least 30 days’ notice.

• Audits must not unreasonably disrupt Magma’s operations and are subject to confidentiality obligations.

7.3 This Section satisfies any audit obligations under EU SCCs Clause 8.9 or equivalent provisions under other data transfer frameworks.

8. U.S. STATE PRIVACY LAWS (E.G., CCPA/CPRA)

8.1 Service Provider Relationship: To the extent Customer Personal Data is subject to the California Consumer Privacy Act (as amended by the California Privacy Rights Act, collectively “CCPA”), or any analogous U.S. state privacy law, Magma acts as a “Service Provider” (or “Processor,” if that law uses GDPR-like terminology), and Customer is the “Business.”

8.2 No Selling or Sharing: Magma shall not Sell or Share (as those terms are defined in applicable U.S. privacy law) any Customer Personal Data or otherwise collect, retain, use, or disclose such data for any purpose other than for the specific business purposes of performing the Services under the Base Agreement or as required by law. Magma does not receive or process any Customer Personal Data as “valuable consideration.”

8.3 Data Subject Requests (CCPA): To the extent Magma assists with responding to consumer requests (e.g., right to know, delete, opt out of sale/sharing), Magma will do so only upon Customer’s instructions or as required by law.

8.4 Certification: Magma certifies that it understands and will comply with the restrictions and obligations under applicable U.S. privacy laws regarding its role as a Service Provider and will not use Customer Personal Data for cross-context behavioral advertising or any other purpose outside the scope of the Base Agreement and this DPA.

9. Termination

• This DPA terminates upon the later of (i) termination or expiry of the Base Agreement; or (ii) completion of Magma’s personal data processing under Customer’s instructions.

• If Magma cannot comply with this DPA for any reason, it shall promptly inform Customer, and Customer may suspend or terminate the relevant processing or the Base Agreement if the breach cannot be remedied.

10. Liability and Indemnity

9.1 Liability Limitations: All liability arising out of or related to this DPA is subject to the limitations/exclusions set forth in the Base Agreement, unless otherwise mandated by Data Protection Laws (including U.S. state privacy laws).

9.2 Direct Liability: Where law imposes direct liability on a Processor/Service Provider (Magma), nothing in this DPA restricts Magma’s responsibilities or liability to data subjects/consumers. However, the contractual liability between Magma and Customer remains subject to the Base Agreement’s limitations.

SECTION C – TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)

Magma implements the following measures (among others) to ensure a level of security appropriate to potential risks:

1. Security Management & Policies

   • A documented security policy addressing roles, responsibilities, and procedures for data handling.

   • Defined change management process tracking modifications to systems.

2. Access Controls & Authentication

   • Unique user accounts, strict password policies (complexity, rotation).

   • “Need-to-know” principle for granting or revoking access.

   • Encrypted transmission of credentials.

3. Logging & Monitoring

   • System/application logs tracking user access and key events.

   • Monitoring to detect unauthorized access or unusual activity.

4. Server & Workstation Security

   • Timely application of security patches and OS updates.

   • Protection via firewalls and intrusion detection/prevention systems.

   • Data in transit encrypted with TLS/SSL or equivalent.

5. Backups & Business Continuity

   • Regular data backups stored securely; tested restoration procedures.

   • Documented disaster recovery plan for business continuity.

6. Physical Security

   • Restricted access to data centers (e.g., locked facilities, security guards, badge/card systems).

   • Secure disposal/wiping of media when decommissioned.

7. Incident Response

   • An incident handling plan with escalation procedures.

   • 24/7 monitoring and logging for potential security threats.

8. Mobile/Portable Device Management

   • Authorization required for any device accessing Personal Data.

   • Encryption and ability to remote wipe, if applicable.

9. Secure Development & Testing

   • Secure coding and testing practices (code reviews, vulnerability scans).

   • Regular assessment of potential vulnerabilities in the application stack.

SECTION D – DATA TRANSFERS & STANDARD CONTRACTUAL CLAUSES

• Where EU/EEA, Swiss, or UK data protection laws apply to cross-border data transfers, the Parties rely on:

  • The EU-US Data Privacy Framework, or Swiss-US / UK extensions, where Magma self-certifies,

  • and/or the Standard Contractual Clauses (SCCs) as adopted by the European Commission (including the UK Addendum if applicable),

  • or other lawful mechanisms.

• These mechanisms are incorporated by reference. Appendices in Section A and Section C serve as Annexes to the SCCs when required.

SECTION E – FINAL PROVISIONS

1. Hierarchy. If there is a conflict between this DPA and any other agreement, this DPA prevails regarding the processing of Personal Data unless expressly stated otherwise.

2. Governing Law. This DPA is governed by and construed in accordance with the same governing law and venue as the Base Agreement, unless otherwise required by Data Protection Law.

3. Entire Agreement. This DPA, together with the Base Agreement, constitutes the entire agreement on the subject of data processing on behalf of Customer.

4. Changes. We may update this DPA from time to time. If the revisions materially affect Customer’s rights, we will notify Customer in advance in accordance with the Base Agreement’s notice provisions.