This Data Protection Addendum (“DPA”) forms part of the Neostella Subscription Services Agreement and is incorporated therein. Capitalized terms used in this DPA that are not defined herein will have the same meanings as in the underlying Agreement.
The parties wish to set forth in this DPA the additional confidentiality, security, and privacy requirements with respect to Personal Information (as defined below) Processed by Neostella in performing such Services to ensure that such Processing by Neostella is compliant with Applicable Privacy Laws (as defined below).
- Definitions. Capitalized terms not otherwise defined herein have the following meanings and will be construed in a manner consistent with the definitions set forth in the Agreement:
- “Applicable Privacy Law” means all applicable U.S. federal, state, and local laws, regulations, and legally binding requirements governing the privacy, protection, security, and processing of Personal Information, including but not limited to obligations related to notice, consent, data subject rights, data breach notification, and the implementation of administrative, technical, and physical safeguards to protect Personal Information against unauthorized access, use, disclosure, or destruction.
- “Data Security Incident” means any unauthorized or unlawful collection, disclosure, use, alteration, destruction of, access to, or Processing of Personal Information that compromises such information’s security, confidentiality, or integrity.
- “Industry Standards” means applicable industry standards for information security and data privacy, as each may be updated, amended or replaced by the applicable industry body.
- “Personal Information” means (i) any information relating to an identified or identifiable natural person; and (ii) any other information defined as “personal information”, “personal data”, “personally identifiable information”, or any similar term under Applicable Privacy Laws, which in each case Neostella may Process from time to time in connection with its performance of Services provided to Customer under this Agreement.
- “Process,” “Processed” or “Processing” means any operation in relation to Personal Information irrespective of the purposes and means applied including, without limitation, access, collection, retention, storage, transfer, disclosure, use, copying, recording, organizing, hosting, transmitting, providing, disclosing, making available, generation, disposal, erasure, destruction, and any other operation.
- Roles of the Parties. Neostella acknowledges and agrees that as between the Parties, and with respect to the Processing of Personal Information, Customer is a “Business” or “Controller” and Neostella is a “Service Provider” or “Processor” as defined under Applicable Privacy Laws.
- Processing of Data by Neostella.
- Neostella will Process Personal Information solely to provide the Services under the Agreement and in accordance with Customer’s instructions, this DPA, and Applicable Privacy Laws. Neostella will not Process Personal Information for any purpose other than those permitted under the Agreement, unless required by law.
- Neostella will use Personal Information only as necessary to perform its obligations under the Agreement and will not use it for any unrelated or unauthorized purpose.
- Neostella will not sell Personal Information or disclose it to third parties except as necessary to perform the Services or as permitted by the Agreement. Neostella will not use Personal Information for commercial purposes outside the scope of the Services. Any combination of Personal Information with other data will be limited to what is necessary to perform the Services or as otherwise authorized by Customer.
- Personal Information provided by Customer will be treated as the Confidential Information of Customer. Neostella will not claim ownership or assert any rights in or to such Personal Information.
- Upon written request from Customer, and subject to Neostella’s legal obligations, Neostella will return or delete Personal Information in its possession in a commercially reasonable manner and in accordance with the terms of the Agreement. If requested, Neostella will confirm completion of such deletion or return within a reasonable timeframe. Until such data is deleted or returned, Neostella shall continue to comply with this DPA.
- Neostella will reasonably cooperate with Customer to address any loss, destruction, or alteration of Personal Information caused by Neostella.
- Neostella will Process Personal Information within the United States unless otherwise agreed in writing by the parties.
- Neostella certifies that it understands and will comply with the obligations applicable to it under this DPA and Applicable Privacy Laws.
- Nothing in this DPA limits either party’s responsibilities under Applicable Privacy Laws based on their respective roles in the Processing relationship.
- Subcontractors. Neostella may engage subcontractors to assist in providing Services, including Processing Personal Information, provided that Neostella will ensure that any subcontractor is subject to a written agreement that imposes obligations substantially similar to those in this DPA and the Agreement. Neostella will remain fully responsible for the acts and omissions of its subcontractors.
- Security and Safeguards. Neostella has implemented and will maintain technical and organizational measures designed to protect the integrity, confidentiality, and availability of Customer’s Personal Information. Neostella’s Trust Center provides transparency into its security practices, which include safeguards such as secure facilities, systems, and devices; network and application security; secure data transmission and disposal; access controls and authentication; encryption of Personal Information in transit and at rest; segregation of Customer Data from other client data; and personnel screening practices consistent with applicable law.
- Data Security Incident. Neostella will notify the Customer of any Data Security Incident without undue delay after becoming aware of the Data Security Incident and, in any event, within 72 hours of confirming such Data Security Incident. The Customer is solely responsible for complying with its obligations under incident notification laws applicable to the Customer and fulfilling any third-party notification obligations related to any Data Security Incident. Neostella’s obligation herein to report or respond to a Data Security Incident is not an acknowledgement by Neostella of any fault or liability with respect to the Data Security Incident. Similarly, the Customer’s failure to comply with notification provisions hereunder or otherwise, and any liabilities arising therefrom, will not be attributed to Neostella. In the event of a Data Security Incident, Neostella will (i) investigate the Data Security Incident, (ii) provide the Customer with information about the Data Security Incident (including, where possible, the nature of the Data Security Incident, any remediation efforts undertaken by Neostella, and the contact from whom more information can be obtained), which information may be provided in phases as it becomes available, (iii) to the extent required for Customer to comply with Applicable Privacy Law applicable to Customer, reasonably cooperate with Customer’s investigation of the Data Security Incident, and (iv) take reasonable steps to mitigate the effects of, and to help minimize any damage resulting from, the Data Security Incident.
- Audit Rights. Customer may request documentation or certifications (e.g., SOC 2, ISO 27001) annually to demonstrate Neostella’s compliance with this DPA and Applicable Privacy Laws. Formal audits may be conducted only if required by law or following a verified Data Security Incident. Neostella shall make available relevant audit reports prepared by independent third-party auditors, provided that all such information shall be Neostella’s Confidential Information. Neostella may provide executive summaries of such reports or redact portions of such reports to protect sensitive business information, trade secrets, or information unrelated to Customer’s data. To the extent Customer’s audit requirements under Applicable Privacy Laws cannot reasonably be satisfied through (i) audit reports provided by Neostella, (ii) documentation, or (iii) other compliance information Neostella makes generally available to its customers (including via its Trust Center), Neostella will, no more than once per calendar year, reasonably cooperate with Customer’s audit request. Prior to the commencement of any audit, the parties will mutually agree on the scope, timing, duration, and applicable confidentiality and security protocols. Neostella will make available relevant systems, facilities, and documentation related to its Processing of Customer’s Personal Information, subject to reasonable notice (not less than 30 days), and provided that such access does not compromise Neostella’s obligations to other customers or third parties. Any audit must be conducted by an independent, accredited third-party auditor during regular business hours and in accordance with Neostella’s standard security procedures. Customer will be responsible for all costs associated with the audit, including Neostella’s reasonable internal costs. If the audit identifies material non-compliance, Customer will share the findings with Neostella, and Neostella will take commercially reasonable steps to address any verified issues.
- Amendments. The Parties acknowledge that Applicable Privacy Laws are subject to change. The Parties will cooperate in good faith to amend the terms of the Agreement to the extent necessary for compliance with all amended and additional Applicable Privacy Laws.
- Data Subject Access Requests. Neostella will use commercially reasonable efforts to notify Customer in writing, unless prohibited by law, of any legally binding request from a regulator, governmental entity, or other third party relating to the Services or the Agreement that involves disclosure of Personal Information. If Customer receives a request directly from an individual to exercise rights under Applicable Privacy Laws (a “Data Subject Access Request”), Neostella will reasonably cooperate with Customer to support its response, including by not responding directly unless required by law, and by taking requested actions such as deletion of Personal Information. Neostella will provide such assistance in a manner consistent with the nature of the Services and its role as a service provider or processor, and may do so through existing support channels or documentation. Neostella will not charge additional fees for reasonable cooperation unless such requests require material operational effort beyond standard support.
- Security Breaches. Neostella will use commercially reasonable efforts to notify Customer without undue delay, and in any event within a reasonable period not to exceed seventy-two (72) hours, upon becoming aware of a confirmed Data Security Incident involving Customer’s Personal Information. Such notice will include information reasonably necessary for Customer to meet its obligations under Applicable Privacy Laws. Neostella will cooperate with Customer in good faith to support its investigation and response, including providing relevant information and assistance as appropriate under the circumstances. Neostella will take reasonable steps to mitigate the impact of any Data Security Incident and to prevent recurrence. Liability for breach-related costs will be determined in accordance with the Agreement and applicable law, and Neostella will not be responsible for costs or losses unless the incident results from its failure to comply with its obligations under this DPA or Applicable Privacy Laws.
- General Terms. Neostella will notify Customer if it reasonably believes it cannot meet its obligations under this DPA while fulfilling its responsibilities under the Agreement, and the parties will work together in good faith to resolve the issue. The obligations under this DPA will survive termination of the Agreement to the extent Neostella continues to Process Customer’s Personal Information, and will remain in effect until such Processing ceases and the data is returned or deleted in accordance with this DPA. In the event of a conflict between the Agreement and this DPA, the terms of this DPA will control solely with respect to the subject matter of data privacy and protection. If any provision of this DPA is found to be invalid or unenforceable under applicable law, it will be modified or severed only to the extent necessary, without affecting the remainder of the DPA or the Agreement. Headings are for convenience only and do not affect interpretation. This DPA may only be amended in writing signed by both parties. A material breach of this DPA may be treated as a material breach of the Agreement, subject to the terms and remedies set forth therein.
