STARSEER, INC.
DATA PROCESSING ADDENDUM
Last Modified: March 13, 2026
Capitalized terms used in this Data Processing Addendum (this "DPA") shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the End User License Agreement to which this DPA is attached (the "Agreement"). Except as modified below, the terms of the Agreement shall remain in full force and effect.
APPLICABILITY. This DPA applies solely to Hosted Services where Provider processes Customer Personal Data. This DPA does not apply to On-Premise Deployments; for On-Premise Deployments, Customer is solely responsible for compliance with Data Protection Laws as set forth in Section 11 of the Agreement.
The parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement.
"Affiliate" means an entity that owns or controls, is owned or controlled by, or is or under common control or ownership with either Customer or Starseer respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.
"Customer Personal Data" means data that is Processed by Starseer, or collected by Starseer, on behalf of Customer which identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular identified or identifiable person or household.
"Data Protection Laws" means any data privacy or security law that applies to the Processing of Customer Personal Data.
"Data Subject" means any identifiable individual or household included, or previously included, within the Customer Personal Data.
"Personal Data Breach" means the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed that compromises the security, confidentiality or integrity of such Customer Personal Data.
"Process" means any operation or set of operations that are performed on Customer Personal Data.
"Processor" means any entity that performs the Processing of Customer Personal Data. For the purposes of the Agreement and this DPA, Starseer is the primary Processor.
"Regulator" refers to any government agency responsible for enforcing the Data Protection Laws.
"Subprocessor" means any Processor (including any third party and any Starseer Affiliate) engaged by Starseer to Process Customer Personal Data.
(a) Starseer is instructed by Customer to Process Customer Personal Data in accordance with the terms of the Agreement and this DPA, unless the parties agree otherwise in writing. Starseer shall not Process Customer Personal Data for any other purpose without the consent or instruction of Customer and shall immediately inform the Customer if, in its opinion, any request related to the Processing of Customer Personal Data or any request for audits or inspections of Starseer's compliance with this DPA infringes upon any Data Protection Law, provided that Starseer is not responsible for performing legal research or providing legal advice to Customer.
(b) Starseer is prohibited from: (i) selling or sharing (as such terms may be defined in Data Protection Laws) Customer Personal Data; (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than providing the Hosted Services under the Agreement; and (iii) processing Customer Personal Data outside of the direct business relationship between Starseer and Customer. Except as otherwise expressly provided in the Agreement, no Customer Personal Data is processed by Starseer as consideration for any service provided to Customer. Customer may take reasonable and appropriate steps to help to ensure that Starseer uses Customer Personal Data in a manner consistent with Starseer's obligations. Starseer will notify Customer if it makes a determination that Starseer can no longer meet its obligations under Data Protection Laws. Customer may, upon written notice to Starseer and as set forth herein, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
(c) Annex I.B to Schedule 1 to this DPA provides a description of Starseer's Processing of the Customer Personal Data.
(d) Customer shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful Processing of Customer Personal Data by Starseer in accordance with the Agreement. For the avoidance of doubt, Customer's instructions for the processing of Customer Personal Data shall comply with the Data Protection Laws.
(e) Unless otherwise expressly permitted by Starseer, Customer Personal Data shall not include any sensitive or special data that imposes specific data security or data protection obligations on Starseer in addition to or different from those specified in Agreement or which are not provided as part of the Hosted Services. Without limiting the foregoing, Customer shall comply with Section 7(h) of the Agreement regarding Prohibited Data.
(f) Each party will comply with Data Protection Laws applicable to such party in connection with the Agreement and this DPA.
Starseer will limit access to those individuals who need to Process Customer Personal Data for the purposes specified in the Agreement or in this DPA and will ensure such individuals keep such data confidential except for any permitted Processing or sub-Processing.
(a) Starseer shall implement reasonable and appropriate technical and organizational measures to protect Customer Personal Data, as further described in Annex II to Schedule 1 to this Addendum. Starseer may update its security practices from time to time but will not materially decrease the overall security of the Hosted Services during the Term of the Agreement.
(b) In assessing the appropriate level of security, Starseer shall consider the risks that are presented by Processing, in particular from accidental, unauthorized, or unlawful destruction, loss, alteration, damage, disclosure of, or access to Customer Personal Data transmitted or stored.
(a) The parties agree that Starseer has general authorization to utilize Subprocessors and has specific authorization to utilize the Subprocessors listed on Annex III to Schedule 1 to assist in providing the Hosted Services. Starseer shall inform Customer of any intended changes concerning the addition or replacement of Subprocessors, to which changes Customer has the right to reasonably object in writing within ten (10) days of Starseer so informing Customer. In such a case, the parties agree to work together in good faith to address such objection.
(b) Starseer shall confirm that all Subprocessors are subject to privacy and security obligations that are no less onerous than those in this DPA.
(c) For the avoidance of doubt, Customer-Connected Third-Party Products (as defined in the Agreement) are not Subprocessors under this DPA. Customer is solely responsible for any data transmitted to or processed by Customer-Connected Third-Party Products, including any Third-Party AI Systems connected by Customer via API keys or other credentials.
(a) Starseer shall promptly notify Customer if it receives a request from a Data Subject in respect to Customer Personal Data, including a request by a Data Subject that Starseer access, modify, or delete Customer Personal Data. Starseer shall await instructions from Customer concerning whether and how to respond to such a request. Such instructions shall be given promptly by Customer.
(b) Starseer shall reasonably assist Customer in responding to complaints, communications, or requests by a Data Subject to exercise a right under Data Protection Laws relating to Customer Personal Data about the Data Subject.
(a) Starseer will implement appropriate technical and organizational security measures to protect the Customer Personal Data that it Processes, which such measures as further specified in Annex II to Schedule 1 hereto. Starseer shall notify Customer without undue delay upon Starseer becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide Customer with sufficient information to allow Customer to meet any obligations to report or inform applicable Data Subjects or Regulators of the Personal Data Breach.
(b) Customer is solely responsible for fulfilling any Personal Data Breach notification obligations applicable to Customer. Customer and Starseer shall work together in good faith within the timeframes for Customer to provide Personal Data Breach notifications to applicable Data Subjects and Regulators in accordance with Data Protection Laws and to finalize the content thereof, as required by Data Protection Laws. Starseer's prior written approval shall be required for any statements regarding, or references to, Starseer made by Customer in any such notifications.
Starseer shall provide reasonable assistance to Customer, at Customer's expense, in conducting data protection impact assessments required under Data Protection Laws in relation to the Starseer's Processing of Customer Personal Data.
(a) Starseer shall promptly upon Customer's request or in any event within sixty (60) calendar days of the effective date of termination of the Agreement: (i) securely return a copy of all Customer Personal Data to Customer; or (ii) delete and procure the deletion of all other copies of Customer Personal Data Processed by Starseer or any Subprocessor.
(b) Notwithstanding Section 9(a) of this DPA, Starseer may retain Customer Personal Data to the extent required by Data Protection Laws, but only to the extent and for such period as required by Applicable Laws. If required by law to retain Customer Personal Data, Starseer will continue to ensure the confidentiality of such Customer Personal Data and only Process Customer Personal Data as necessary for the purpose specified in the Data Protection Laws that require its storage and in accordance with the terms of this DPA.
Upon Customer's request, Starseer shall promptly make available to Customer information reasonably necessary to demonstrate compliance with this DPA.
To the extent that the Agreement involves the transfer of Customer Personal Data from a jurisdiction where the Data Protection Laws require that additional steps or safeguards be imposed before the Customer Personal Data can be transferred to a second jurisdiction, Starseer agrees to cooperate with Customer to implement and execute such steps or safeguards.
This DPA and the other portions of the Agreement shall be read together and construed, to the extent possible, to be in concert with each other. With respect to any conflict between the Agreement and this DPA, the DPA shall prevail.
Starseer may share and disclose Customer Personal Data and other Customer Data in connection with, or during the negotiation of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of Starseer's business by or to another company, including the transfer of contact information and other personal data of customers, partners, and end users.
Data exporter(s): Customer
Data importer(s): Starseer
1. Categories of Data Subjects
The Customer Personal Data Processed concerns the following categories of Data Subjects:
2. Categories of Personal Data
The categories of Customer Personal Data Processed depend on the Customer Data submitted by Customer. Customer Personal Data may include:
Important: Customer shall not submit Prohibited Data as defined in Section 7(h) of the Agreement, including protected health information (PHI), payment card information subject to PCI-DSS, data subject to ITAR or EAR export controls, or biometric data subject to BIPA or similar laws.
3. The Frequency of the Transfer
With the exception of transfers that may happen in the context of a specific request, all transfers happen on a continuous basis.
4. Nature of the Processing
Provision of the Hosted Services to Customer, including storage, retrieval, analysis, and display of Customer Data.
5. Purpose of the Data Transfer and Further Processing
Customer Personal Data is Processed within the Hosted Services to provide AI transparency and explainability capabilities as described in the applicable Order.
6. The Period for which the Personal Data will be Retained
For the Term of each applicable Order, plus any retention period required for deletion processing (not to exceed 60 days following termination).
7. For Transfers to Subprocessors, the Subject Matter, Nature and Duration of the Processing
Refer to this DPA and the Agreement. Subprocessors process Customer Personal Data solely to support the provision of the Hosted Services for the duration of the Agreement.
Starseer maintains technical and organizational measures designed to protect Customer Personal Data. These measures are subject to ongoing development and improvement as Starseer's business and the threat landscape evolve. Starseer's current measures include the following:
Information Security Program Starseer maintains an information security program designed to align with the SOC 2 Framework.
Third-Party Assessments Starseer engages independent third-party assessors to evaluate its security and compliance controls. Current certification status is available upon request under NDA.
Penetration Testing Starseer's security program includes periodic third-party penetration testing.
Roles and Responsibilities Starseer maintains documentation defining roles and responsibilities related to information security. Starseer personnel with access to Customer Personal Data are required to acknowledge applicable security policies.
Security Awareness Starseer maintains a security awareness program for personnel covering topics such as phishing and password management.
Confidentiality Starseer personnel are bound by confidentiality obligations.
Background Checks Starseer conducts background checks on new employees where permitted by applicable law.
Cloud Infrastructure Starseer's Hosted Services are hosted with DigitalOcean or other reputable cloud infrastructure providers.
Encryption at Rest Starseer employs encryption at rest for databases containing Customer Personal Data.
Encryption in Transit Starseer employs TLS/SSL encryption for data in transit.
Vulnerability Management Starseer maintains processes for vulnerability scanning and threat monitoring.
Logging and Monitoring Starseer maintains logging and monitoring capabilities for its cloud services.
Business Continuity Starseer maintains backup and recovery processes designed to reduce risk of data loss.
Incident Response Starseer maintains an incident response process that includes escalation procedures and communication protocols.
Access Controls Access to cloud infrastructure and sensitive systems is restricted to authorized personnel based on job function.
Least Privilege Starseer's access management is designed to follow the principle of least privilege.
Access Reviews Starseer conducts periodic reviews of access privileges for personnel with access to sensitive systems.
Authentication Requirements Starseer maintains password complexity requirements and, where available, multi-factor authentication for access to sensitive systems.
Risk Assessments Starseer conducts periodic risk assessments to identify potential threats.
Vendor Management Starseer evaluates vendors prior to engagement where such vendors will have access to Customer Personal Data.
Customer has authorized the use of the following Subprocessors:
DigitalOceanCloud infrastructure and hostingUnited StatesCloudflareContent delivery, DDoS protection, DNSUnited States
Note: Customer-Connected Third-Party Products, including any Third-Party AI Systems that Customer connects via API keys or other credentials, are not Subprocessors. Customer is solely responsible for compliance with the terms and data processing practices of any Customer-Connected Third-Party Products.