Aurora Command Data Processing Addendum
U.S.-first self-service processor/service-provider addendum with a hardline company-protective posture
Effective date: March 15, 2026

Effective date: March 15, 2026
Company: Borealis Security, Inc. d/b/a Aurora Command
Scope: U.S.-first DPA for self-service and other standard customer agreements
Primary Role: Borealis acts as processor / service provider / contractor where applicable law so provides
Version Date: March 14, 2026
Foreign-law exclusion. Unless Borealis expressly agrees otherwise in a separate Borealis-signed addendum, Customer will not use the self-service plan to process personal data subject to the GDPR, UK GDPR, Swiss FADP, or another foreign law that would require international transfer mechanisms, localization commitments, audit rights, regulator-facing filings, or materially different processor obligations beyond those expressly set forth here.

This DPA is structured to work with the self-service terms while preserving a company-protective posture on audits, assistance, security incidents, and subprocessors.
This Data Processing Addendum (“DPA”) forms part of the agreement between Borealis Security, Inc., doing business as Aurora Command (“Borealis”), and the customer identified in the applicable order, subscription flow, or master agreement (“Customer”), and applies where Borealis processes Customer Personal Data on Customer’s behalf in connection with the Services. This DPA is written on a U.S.-first basis for a business-to-business software service. If a separate negotiated DPA or security exhibit is signed by both parties, that negotiated document controls to the extent of any conflict.
Definitions
“Agreement” means the underlying subscription agreement, self-service terms, order form, or other written agreement governing Customer’s use of the Services.
“Applicable Data Protection Law” means any privacy, data protection, or data security law applicable to the processing of Customer Personal Data under the Agreement, including U.S. state privacy laws to the extent applicable to the parties and the processing at issue.
“Customer Personal Data” means personal information or personal data contained in Customer Data that Borealis processes on behalf of Customer as a processor, service provider, or contractor in connection with the Services.
“Customer Data” means data, content, files, materials, records, configurations, prompts, outputs, and other information submitted to, stored in, transmitted through, or otherwise processed by the Services on behalf of Customer.
“Data Subject Request” means a request from an individual to access, delete, correct, restrict, opt out of, or otherwise exercise a right regarding personal information or personal data under Applicable Data Protection Law.
“Personal Information” and “Process / Processing” have the meanings given under Applicable Data Protection Law, and include analogous concepts such as personal data, controller, processor, business, service provider, or contractor where applicable.
“Security Incident” means a confirmed breach of Borealis’s security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data in Borealis’s possession or control. Security Incident does not include unsuccessful attempts, scans, pings, denials of service, malware blocked in the ordinary course, or events that do not result in unauthorized access to Customer Personal Data.
“Subprocessor” means a third party engaged by Borealis to process Customer Personal Data on Borealis’s behalf in connection with the Services.
Scope, Roles, and Order of Precedence
2.1 Borealis will process Customer Personal Data only to provide, secure, support, maintain, and improve the Services, to comply with law, and as otherwise permitted by the Agreement and this DPA.
2.2 As between the parties, Customer determines the purposes and means of the processing of Customer Personal Data for Customer’s use of the Services and is responsible for providing all notices and obtaining all rights, consents, authorizations, and other lawful bases required to disclose Customer Personal Data to Borealis and to instruct Borealis to process it under the Agreement.
2.3 Borealis acts as a processor, service provider, or contractor (or equivalent role) to the extent required by Applicable Data Protection Law when processing Customer Personal Data on behalf of Customer. If Borealis processes limited personal information for its own independent purposes, such as billing administration, account management, fraud prevention, or legal compliance, Borealis acts in its own capacity for that processing.
2.4 If there is a conflict between this DPA and the Agreement on the subject of privacy or data processing, this DPA controls for the processing of Customer Personal Data; otherwise the Agreement controls.
Customer Instructions
3.1 Customer instructs Borealis to process Customer Personal Data as necessary to provide and support the Services, in accordance with the Agreement, Customer’s documented use and configuration of the Services, and Customer’s documented written instructions.
3.2 Customer acknowledges that use of the Services, including configuration of integrations, reviewer-sharing, exports, AI features, and customer-supplied API keys, constitutes Customer’s instructions to Borealis to process Customer Personal Data consistent with those actions.
3.3 Borealis may refuse or suspend a requested processing activity that, in Borealis’s reasonable judgment, would violate law, expose Borealis or the Services to undue security risk, exceed the scope of the Services, or require Borealis to process prohibited or unsupported categories of data.
Borealis Obligations
4.1 Borealis will process Customer Personal Data only on Customer’s documented instructions, unless otherwise required by law. If Borealis is legally required to process Customer Personal Data other than on Customer’s instructions, Borealis will provide notice to Customer unless prohibited by law.
4.2 Borealis will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
4.3 Borealis will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the nature of the Services, the information processed, and the risks presented.
4.4 Borealis will not be required to process Customer Personal Data in a way that is technically infeasible, impossible due to the design of the Services, or inconsistent with the Agreement or Applicable Data Protection Law.
Customer Obligations and Restrictions
- Customer is solely responsible for the legality, accuracy, quality, and means by which Customer acquires and uploads Customer Data, including whether Customer has provided all required notices and obtained all required rights, consents, or other permissions.
- Customer must not instruct Borealis to process prohibited or unsupported data categories through the self-service plan unless a separate written agreement expressly authorizes that processing. Unless expressly agreed otherwise, prohibited or unsupported data includes payment card data subject to PCI DSS, protected health information subject to HIPAA, children’s data, and other highly regulated or restricted data categories not supported by the Services.
- Customer is responsible for responding to Data Subject Requests and for determining whether a request should be fulfilled, denied, limited, or referred to another party, except to the extent Applicable Data Protection Law requires Borealis to respond directly.
- Customer is responsible for the actions of its authorized users, administrators, reviewers, recipients, and any third-party systems or model providers Customer chooses to connect or use through the Services.
Confidentiality
Borealis will ensure that persons authorized to process Customer Personal Data are bound by a duty of confidentiality, whether by contract, policy, or legal obligation, and are given access only as reasonably necessary for their roles.
Security Measures
Borealis will maintain the security measures described in Schedule 2, or materially comparable measures, and may update those measures from time to time provided that Borealis does not materially diminish the overall security of the Services during the applicable subscription term. Customer acknowledges that no security program eliminates all risk and that Customer remains responsible for securing its own environments, endpoints, user credentials, identity systems, review recipients, integrations, and any third-party services or model providers used at Customer’s direction.
Subprocessors
8.1 Customer authorizes Borealis to engage Subprocessors in connection with the Services. Borealis will require each Subprocessor that processes Customer Personal Data on Borealis’s behalf to be bound by written obligations that are materially protective of Customer Personal Data and consistent with Borealis’s obligations under this DPA.
8.2 Borealis may make a current Subprocessor list available through a website, Trust Center, or written disclosure process. Borealis may update its Subprocessors from time to time.
8.3 If Customer reasonably objects to a new Subprocessor on documented grounds related to Applicable Data Protection Law and the parties cannot resolve the issue in good faith within a reasonable period, Customer’s sole remedy is to stop using the affected feature or terminate the affected Services before the new Subprocessor begins processing Customer Personal Data for that feature, without refund for prepaid amounts except as required by law or the Agreement.
Assistance with Data Subject Requests and Compliance
9.1 Taking into account the nature of the processing and the functionality made available through the Services, Borealis will provide Customer with commercially reasonable assistance to help Customer respond to Data Subject Requests, where Borealis is legally required to do so or where Customer cannot reasonably do so without Borealis’s assistance.
9.2 Borealis may refer a Data Subject Request directly to Customer where appropriate. Borealis is not responsible for responding to a Data Subject Request except to the extent required by Applicable Data Protection Law.
9.3 To the extent legally required and reasonably possible, Borealis will provide commercially reasonable assistance to Customer with Customer’s obligations relating to security, breach notification, impact assessments, consultations, or similar requirements, taking into account the nature of the processing and the information available to Borealis. Borealis may charge reasonable fees for assistance that is excessive, repetitive, highly customized, or outside the ordinary scope of the Services.
Security Incidents
10.1 Borealis will notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Customer Personal Data.
10.2 Borealis’s notification will describe, to the extent reasonably known at the time, the nature of the Security Incident, the categories of affected Customer Personal Data, and the measures Borealis has taken or recommends to address the Security Incident.
10.3 Borealis’s notice of or response to a Security Incident is not an admission of fault or liability, and Borealis may provide updates as additional information becomes available.
10.4 Customer is solely responsible for determining whether to notify individuals, regulators, customers, insurers, or other parties, unless Applicable Data Protection Law expressly requires Borealis to do so.
Audit and Assessment Rights
11.1 To the extent Applicable Data Protection Law requires Customer to assess Borealis’s processing, Borealis will make available, on a confidential basis, documentation or information reasonably necessary to demonstrate Borealis’s compliance with this DPA, which may include security summaries, questionnaire responses, certifications, reports, or other materials Borealis chooses to provide.
11.2 Borealis is not required to disclose information that would compromise security, violate another customer’s confidentiality, reveal trade secrets, or exceed what Applicable Data Protection Law requires.
11.3 On-site audits are not permitted for the self-service plan unless required by Applicable Data Protection Law, and then only where the documentation Borealis makes available is insufficient and the parties first agree on scope, timing, security controls, confidentiality, and allocation of costs. Any such audit may occur no more than once in any 12-month period and must be conducted during normal business hours with minimal disruption.
Deletion and Return of Customer Personal Data
12.1 During the term of the Agreement, the Services may permit Customer to access, export, or delete Customer Data through the standard functionality of the Services.
12.2 Following termination or expiration of the Agreement, Borealis will delete or return Customer Personal Data in accordance with the Agreement and Borealis’s standard data-retention and deletion processes, unless Borealis is required by law to retain it or the information remains in backups, logs, archives, or similar systems that are protected and deleted in the ordinary course.
12.3 Borealis is not required to delete Customer Personal Data from archived or backup systems immediately, provided the data remains subject to appropriate safeguards and is not restored to active use except as required for business continuity or legal obligations.
Data Transfers
The Services are offered on a U.S.-first basis. If Customer requires specific data-transfer documentation for cross-border transfers under Applicable Data Protection Law, the parties may discuss and, if commercially reasonable and legally required, execute an additional transfer mechanism or addendum. Unless the parties expressly agree otherwise in writing, this DPA does not itself incorporate any international transfer mechanism.
U.S. State Privacy Law / Service Provider Terms
To the extent Borealis processes Customer Personal Data as a service provider, contractor, or processor under Applicable Data Protection Law:
- Borealis will process Customer Personal Data only for the limited and specified purposes described in the Agreement, this DPA, and Customer’s documented instructions.
- Borealis will not sell or share Customer Personal Data and will not retain, use, or disclose Customer Personal Data for any purpose other than the limited and specified purposes permitted by the Agreement, this DPA, Customer’s instructions, or Applicable Data Protection Law.
- Borealis will not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Borealis and Customer, except as permitted by Applicable Data Protection Law.
- Borealis will not combine Customer Personal Data with personal information it receives from other sources except as permitted by Applicable Data Protection Law and necessary to provide the Services, maintain security, detect abuse, or otherwise carry out a permitted business purpose.
- Borealis will notify Customer if Borealis determines that it can no longer meet its obligations under Applicable Data Protection Law with respect to the processing covered by this DPA.
- Customer may take reasonable and appropriate steps to help ensure Borealis uses Customer Personal Data in a manner consistent with Customer’s obligations under Applicable Data Protection Law, subject to the audit limitations in this DPA and the confidentiality and security restrictions in the Agreement.
- Where Applicable Data Protection Law requires it, Borealis will provide commercially reasonable assistance, taking into account the nature of the processing, to help Customer fulfill verified consumer requests or other legal obligations.
Liability
This DPA does not create or expand either party’s liability beyond what is stated in the Agreement. Any exclusions, limitations, caps, procedures, and allocation of risk stated in the Agreement apply to this DPA to the fullest extent permitted by law.
Term and Survival
This DPA takes effect on the effective date of the Agreement and remains in effect for as long as Borealis processes Customer Personal Data on behalf of Customer under the Agreement. The obligations in this DPA survive for so long as Borealis retains Customer Personal Data.

Schedule 1 - Details of Processing
Subject matter: The provision of Aurora Command’s website, software platform, onboarding and setup services, reviewer-sharing workflows, AI-assisted features, support, maintenance, billing administration, and related services under the Agreement.
Duration: For the term of the Agreement and any additional period during which Borealis retains Customer Personal Data in accordance with the Agreement, this DPA, legal obligations, or standard backup and deletion processes.
Nature of the processing: Collection, receipt, storage, organization, structuring, retrieval, transmission, import, export, hosting, analysis, logging, deletion, and other processing necessary to provide and secure the Services.
Purpose of the processing: To provide, maintain, secure, support, and improve the Services; to administer accounts and subscriptions; to facilitate integrations and reviewer sharing; to deliver onboarding and implementation assistance; and to comply with law and enforce the Agreement.
Categories of data subjects: Customer personnel, administrators, end users, support contacts, reviewers, recipients of shared materials, and other individuals whose personal information is included in Customer Data.
Categories of Customer Personal Data: Business contact details, login and account data, role and permission data, uploaded documents and evidence containing personal information, ticket or support communications, integration-imported data, usage logs, reviewer access data, and AI interaction data to the extent included in Customer Data.
Sensitive or restricted data: Sensitive or restricted data should not be submitted through the self-service plan unless expressly authorized in writing. If such data is submitted, Customer remains responsible for ensuring the submission is lawful and supported by the Agreement and this DPA.

Schedule 2 - Security Measures
The following describes Borealis’s security measures at a high level. Borealis may modify these measures over time, provided Borealis does not materially diminish the overall security of the Services during the applicable subscription term.
- Access management. Measures designed to restrict logical access to production systems and Customer Personal Data based on role, business need, and approval workflows, together with offboarding and credential-management controls.
- Authentication controls. Measures such as password protections, optional or required multi-factor authentication, single sign-on integrations where supported, session-management controls, and secure credential handling.
- Encryption and transport protections. Measures designed to protect data in transit and, where appropriate, at rest, together with key-management or equivalent safeguards appropriate to the environment.
- Logging and monitoring. Logging of authentication, administrative actions, and security-relevant events, together with alerting, monitoring, and investigation procedures designed to identify and address suspicious activity.
- Secure operations. Change-management, configuration-management, vulnerability-management, patching, and other operational safeguards appropriate to the service and risk profile.
- Business continuity and backups. Backup, recovery, and resiliency measures appropriate to the service design, recognizing that backup copies may be retained and deleted on different cycles than live production data.
- Vendor oversight. Risk-based review and contracting for critical service providers and subprocessors that may access or process Customer Personal Data on Borealis’s behalf.
- Personnel and confidentiality. Background, confidentiality, training, and access-control measures appropriate to personnel roles and the sensitivity of the information they may handle.
- Incident response. Policies and procedures designed to identify, contain, investigate, document, and remediate security incidents, including procedures for legally required customer notice.

Schedule 3 - Subprocessor Notice Framework
Borealis may maintain its Subprocessor list in a Trust Center, website posting, or other written disclosure process. The list should identify, at a minimum, the Subprocessor name, the general service performed, the general category of Customer Personal Data processed, and the primary hosting or processing region where reasonably appropriate. For launch, Borealis should ensure the published Subprocessor list accurately reflects the actual vendor stack in production. This DPA is drafted to support that operating model but does not itself populate the vendor-specific list.

Schedule 4 - Trust Center Publication, Register, and Notice Mechanics
Borealis may satisfy any contractual obligation to make Subprocessor information or similar operational privacy materials available by maintaining a current Subprocessor Register and related trust materials in an authenticated Trust Center, designated website page, or successor written-disclosure mechanism. Customer is responsible for maintaining current administrator, legal, procurement, or privacy contact details if Customer wishes to receive courtesy notices or access invitations in addition to such publication.

Unless a different period is expressly stated in the Agreement or required by Applicable Data Protection Law, Borealis may update the Subprocessor Register on a prospective or contemporaneous basis and may archive prior versions for reasonable historical reference. Any notice obligation may be satisfied by posting the updated Register, by email to Customer’s designated contact, or both, at Borealis’s election. Operational urgency, security response, legal compliance, vendor changes, or replacement of a substantially similar vendor may require Borealis to engage, replace, or reconfigure Subprocessors without extended advance notice.

Trust Center or Register materials are intended to provide operational transparency. They do not expand Borealis’s substantive obligations beyond this DPA, the Agreement, and applicable law, and they do not create audit rights, service levels, representations of full vendor inventory outside the in-scope service, or obligations to disclose information that would compromise security, another customer’s confidentiality, or a vendor’s confidential information.