GEAR WAVE

Vendor Data Protection Addendum

Effective June 14, 2026

This Data Protection Addendum ("DPA") forms part of the agreement between Gear Wave, LLC ("Gear Wave") and the vendor identified in the underlying services agreement ("Vendor"). Vendor must execute this DPA before processing any Gear Wave personal information, customer data, or confidential commercial information ("Gear Wave Data").

1. Roles

Gear Wave is the controller (or business) of Gear Wave Data. Vendor is the processor (or service provider) and acts only on Gear Wave's documented instructions.

2. Permitted Use

Vendor will process Gear Wave Data solely to perform the services in the underlying agreement. Vendor will not (a) sell or share Gear Wave Data, (b) use it for advertising, (c) use it to train or improve models other than as needed to deliver the contracted service, or (d) combine it with data from other sources except as instructed by Gear Wave in writing.

3. Confidentiality

Vendor will keep Gear Wave Data confidential, restrict access to personnel with a need-to-know, and require those personnel to be bound by written confidentiality obligations.

4. Security

Vendor will maintain reasonable and appropriate administrative, technical, and physical safeguards designed to protect Gear Wave Data, including: encryption in transit and at rest, least-privilege access controls, MFA on administrative accounts, secure software-development practices, vulnerability management, logging and monitoring, vendor risk management, and a written information-security program. Vendor will, on request, provide a current SOC 2 Type II, ISO 27001, or equivalent report.

5. Subprocessors

Vendor will use subprocessors only under written terms no less protective than this DPA, will maintain a list of subprocessors available on request, and remains liable for their acts and omissions.

6. Cross-Border Transfers

If Vendor transfers Gear Wave Data outside the jurisdiction in which it was collected, Vendor will rely on a lawful transfer mechanism (e.g. Standard Contractual Clauses, UK IDTA, or equivalent) and implement required supplementary measures.

7. Data-Subject Requests & Assistance

Vendor will (a) promptly forward any data-subject request received by Vendor to Gear Wave, and (b) provide reasonable assistance to Gear Wave in responding to such requests and in conducting any required data-protection impact assessment or regulator inquiry.

8. Security Incidents

Vendor will notify Gear Wave without undue delay, and in any event within 48 hours, after becoming aware of any actual or reasonably suspected security incident affecting Gear Wave Data, and will cooperate in investigation, containment, mitigation, and required notifications.

9. Audits

Once per twelve (12) month period (and more frequently following a confirmed incident), Vendor will respond to a reasonable written security questionnaire from Gear Wave and, where Vendor cannot provide an audit report covering the relevant controls, will permit an on-site or virtual audit on reasonable notice.

10. Return & Deletion

On termination of the underlying agreement, or on Gear Wave's written request, Vendor will return or securely delete Gear Wave Data within thirty (30) days and certify deletion, except for copies retained to comply with law (which remain subject to this DPA for as long as they are held).

11. Compliance with Privacy Law

Vendor will comply with all applicable privacy and data-protection laws, including (as applicable) the CCPA/CPRA, GDPR/UK-GDPR, and U.S. state privacy laws, and will execute any further documentation Gear Wave reasonably requires to demonstrate that compliance.

12. Liability

Liability under this DPA is governed by the limitation-of-liability provisions in the underlying agreement, except that nothing in those provisions limits liability for breaches of Sections 2 (Permitted Use), 4 (Security), or 8 (Security Incidents).

Signature blocks for Gear Wave and Vendor will be appended on execution.

Questions: support@gearwaveapp.com