This Data Processing Agreement is entered into by and between:

and the entity identified in the applicable Business Console or API subscription agreement ("Controller," "Customer," or "you"), collectively referred to as the "Parties" and each individually as a "Party."

This DPA supplements and forms part of the Terms of Service, Master Service Agreement, or other written or electronic agreement between the Parties for the provision of Hail Sentinel Business Console and API services (the "Principal Agreement"). In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to matters relating to the processing of Personal Data.

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined in this DPA shall have the meanings given to them in the Principal Agreement.

• "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable data protection or privacy legislation.
• "Controller" means the entity that determines the purposes and means of the processing of Personal Data, being the Customer under the Principal Agreement.
• "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
• "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Services, including any "personal data," "personal information," or equivalent term as defined under Applicable Data Protection Law.
• "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by the Processor or its Sub-processors.
• "Processing" (and its cognates "Process," "Processed," and "Processes") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• "Processor" means the entity that processes Personal Data on behalf of the Controller, being Icarus Inc.
• "Services" means the Hail Sentinel Business Console, API services, and any related services provided by the Processor to the Controller under the Principal Agreement.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Commission Implementing Decision (EU) 2021/914) or the UK International Data Transfer Addendum, as applicable.
• "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller in connection with the Services.
• "Supervisory Authority" means an independent public authority responsible for monitoring the application of Applicable Data Protection Law.

2. Scope and Purpose of Processing

2.1 Subject Matter

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Services under the Principal Agreement.

2.2 Nature and Purpose of Processing

The Processor processes Personal Data for the following purposes:

• Providing hail alerting, weather data delivery, and severe weather notification services through the Business Console and API
• Delivering alert notifications via SMS, email, push notifications, and webhook integrations configured by the Controller
• Processing and storing monitored location data, alert configurations, and geographic boundaries defined by the Controller
• Generating weather analytics, risk reports, and historical storm data for the Controller's account
• Managing user accounts, authentication, and access control for the Controller's Authorized Users
• Maintaining audit logs, API usage records, and security event logs
• Providing customer support and technical assistance

2.3 Categories of Data Subjects

The Personal Data processed under this DPA may relate to the following categories of Data Subjects:

• The Controller's employees, contractors, and agents who are Authorized Users of the Services
• The Controller's customers and end users whose data is processed through the Services
• Individuals whose contact information is used for alert notifications (e.g., SMS or email recipients)

2.4 Types of Personal Data

The following types of Personal Data may be processed under this DPA:

• Contact information (names, email addresses, phone numbers)
• Account credentials and authentication data
• Geographic location data (monitored addresses, coordinates, alert boundaries)
• Usage data (API calls, Console activity, feature interactions)
• Device and browser information (IP addresses, user agents)
• Notification preferences and delivery records
• Organization and role information

2.5 Duration of Processing

The Processor shall process Personal Data for the duration of the Principal Agreement, unless otherwise agreed in writing or required by Applicable Data Protection Law.

3. Data Processor Obligations

3.1 Processing Instructions

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Applicable Data Protection Law — in such case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such disclosure on important grounds of public interest
• Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law

3.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall ensure that access to Personal Data is limited to those personnel who require such access for the performance of the Services.

3.3 Security

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Section 6 of this DPA.

3.4 Assistance with Data Subject Requests

Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. If the Processor receives a request directly from a Data Subject, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller of the request, unless otherwise instructed by the Controller.

3.5 Assistance with Compliance Obligations

The Processor shall assist the Controller in ensuring compliance with the Controller's obligations under Applicable Data Protection Law, taking into account the nature of processing and the information available to the Processor, including with respect to:

• Data protection impact assessments
• Prior consultation with Supervisory Authorities
• Notification of Personal Data Breaches to Supervisory Authorities and Data Subjects
• Compliance with any order or request from a Supervisory Authority

3.6 Demonstrating Compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Law, and shall allow for and contribute to audits and inspections as described in Section 10.

4. Sub-processors

4.1 Authorized Sub-processors

The Controller hereby provides general written authorization for the Processor to engage Sub-processors to process Personal Data on behalf of the Controller. As of the Effective Date, the Processor engages the following Sub-processors:

Sub-processor	Purpose	Location
Google Cloud Platform	Cloud infrastructure, data storage, and compute services	United States
Firebase (Google)	Authentication, database, and cloud functions	United States
RevenueCat	Subscription management and billing	United States
Twilio	SMS alert notifications	United States
SendGrid (Twilio)	Email alert notifications	United States

4.2 Notification of Changes

The Processor shall notify the Controller in writing at least thirty (30) days prior to the addition or replacement of any Sub-processor, providing the name, location, and nature of processing to be performed by the new Sub-processor. The Controller may subscribe to Sub-processor change notifications by contacting legal@hailsentinel.com.

4.3 Right to Object

The Controller may object to the appointment of a new Sub-processor by notifying the Processor in writing within fifteen (15) days of receiving the notification described in Section 4.2. The objection must be based on reasonable grounds relating to the protection of Personal Data. In the event of such objection, the Processor shall use commercially reasonable efforts to make available to the Controller a change in the Services or recommend a commercially reasonable alternative. If the Processor is unable to accommodate the Controller's objection, the Controller may terminate the affected Services without penalty by providing written notice within thirty (30) days of the Processor's response.

4.4 Sub-processor Agreements

The Processor shall impose on each Sub-processor, by way of a written agreement, data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

5. Data Subject Rights

5.1 Assistance with Requests

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures for the fulfilment of the Controller's obligation to respond to Data Subject requests under Applicable Data Protection Law, including requests for:

• Access: Providing copies of Personal Data processed in connection with the Services
• Rectification: Correcting inaccurate or incomplete Personal Data
• Erasure: Deleting Personal Data where required under Applicable Data Protection Law
• Restriction: Restricting the processing of Personal Data
• Portability: Providing Personal Data in a structured, commonly used, and machine-readable format
• Objection: Ceasing processing of Personal Data where the Data Subject has exercised their right to object

5.2 Response Timelines

The Processor shall promptly notify the Controller of any Data Subject request received directly by the Processor, and in any event within five (5) business days. The Processor shall not respond to any Data Subject request directly unless authorized to do so by the Controller or required by Applicable Data Protection Law.

5.3 Self-Service Tools

The Processor provides the Controller with self-service tools within the Business Console to manage, export, and delete Personal Data, including the ability to manage Authorized User accounts, export account data and configuration, delete individual user records, and retrieve audit logs. The Controller is responsible for utilizing these tools to fulfil Data Subject requests where feasible.

6. Security Measures

6.1 Technical Measures

The Processor implements and maintains the following technical security measures to protect Personal Data:

• Encryption at Rest: All Personal Data stored in databases, file systems, and backups is encrypted using AES-256 encryption
• Encryption in Transit: All data transmitted between systems and between the Services and end users is encrypted using TLS 1.3 (minimum TLS 1.2)
• Access Control: Role-based access control (RBAC) is enforced across all systems, with the principle of least privilege applied to all personnel and service accounts
• Authentication: Multi-factor authentication is required for all administrative access to production systems. API access is secured through cryptographic API keys with SHA-256 hashing — raw API keys are never stored
• Audit Logging: Comprehensive audit logs are maintained for all access to and modifications of Personal Data, including user identity, timestamp, action performed, and affected resources
• Network Security: Production environments are isolated using Virtual Private Cloud (VPC) configurations with firewall rules restricting access to authorized services only
• Vulnerability Management: Regular vulnerability scanning and patching of infrastructure components and application dependencies
• Rate Limiting: API endpoints are protected by rate limiting to prevent abuse and ensure service availability

6.2 Organizational Measures

The Processor maintains the following organizational security measures:

• Written information security policies and procedures
• Confidentiality obligations for all personnel with access to Personal Data
• Security awareness training for personnel involved in processing Personal Data
• Incident response and business continuity plans
• Regular review and testing of security measures
• Secure development lifecycle practices for application development

6.3 Infrastructure Security

The Services are hosted on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and other industry-recognized security certifications. The Processor leverages Google Cloud's built-in security features, including infrastructure encryption, identity and access management, security monitoring, and audit logging.

7. Data Breach Notification

7.1 Notification Obligation

The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach, in accordance with Article 33 of the GDPR. Notification shall be made to the Controller's designated security contact or, if none has been designated, to the Controller's primary account administrator.

7.2 Contents of Notification

The notification shall include, to the extent reasonably available:

• A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
• The name and contact details of the Processor's data protection contact point
• A description of the likely consequences of the Personal Data Breach
• A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects

7.3 Ongoing Obligations

Where it is not possible to provide all information at the time of initial notification, the Processor shall provide the information in phases without further undue delay. The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach.

7.4 Record Keeping

The Processor shall maintain a record of all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, in accordance with Article 33(5) of the GDPR.

8. International Data Transfers

8.1 Processing Location

Personal Data is primarily processed and stored in the United States. The Processor shall not transfer Personal Data to any country or territory outside the United States without the prior written consent of the Controller, except as necessary to provide the Services through the authorized Sub-processors listed in Section 4.

8.2 Transfer Mechanisms

To the extent that the provision of the Services involves the transfer of Personal Data from the European Economic Area ("EEA"), United Kingdom ("UK"), or Switzerland to a country that has not been deemed to provide an adequate level of data protection, the Parties agree that the following transfer mechanisms shall apply:

• Standard Contractual Clauses: The Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914) are hereby incorporated by reference and shall apply to transfers of Personal Data from the EEA. For Module Two (Controller to Processor), the Controller acts as the data exporter and the Processor acts as the data importer.
• UK International Data Transfer Addendum: For transfers of Personal Data from the UK, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner) shall apply.
• Swiss Data Protection: For transfers from Switzerland, the SCCs shall apply with the modifications necessary to comply with the Swiss Federal Act on Data Protection.

8.3 Supplementary Measures

In addition to the Standard Contractual Clauses, the Processor implements the technical and organizational security measures described in Section 6 as supplementary measures to ensure that transferred Personal Data is afforded a level of protection essentially equivalent to that guaranteed within the EEA.

8.4 Government Access Requests

The Processor shall promptly notify the Controller of any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited by law. The Processor shall not voluntarily disclose Personal Data to any government authority and shall challenge any request for disclosure that the Processor reasonably considers to be unlawful.

9. Data Retention and Deletion

9.1 Retention During the Agreement

During the term of the Principal Agreement, the Processor shall retain Personal Data in accordance with the retention schedule set forth in the Privacy Policy and any specific retention periods agreed with the Controller. The Controller may configure certain retention settings through the Business Console.

9.2 Deletion Upon Termination

Upon termination or expiration of the Principal Agreement, the Processor shall, at the choice of the Controller:

• Return: Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or
• Delete: Delete all Personal Data and existing copies, unless Applicable Data Protection Law requires continued storage

The Controller shall communicate its choice in writing within thirty (30) days of the termination or expiration of the Principal Agreement. If no instruction is received within this period, the Processor shall delete all Personal Data.

9.3 Data Export Period

The Processor shall make Personal Data available for export for a period of thirty (30) days following the termination or expiration of the Principal Agreement. After this period, the Processor shall delete all remaining Personal Data within a further sixty (60) days, except where retention is required by Applicable Data Protection Law.

9.4 Certification of Deletion

Upon request, the Processor shall provide written certification that Personal Data has been deleted in accordance with this Section. Deletion shall include the secure destruction of all copies, replicas, and backups of Personal Data, subject to standard backup retention cycles not exceeding ninety (90) days.

10. Audit Rights

10.1 Right to Audit

The Controller may audit the Processor's compliance with this DPA up to once per calendar year. The Controller shall provide the Processor with at least thirty (30) days prior written notice of any audit. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's business operations.

10.2 Scope of Audit

Audits may include inspection of the Processor's data processing facilities, systems, and records relevant to the processing of Personal Data under this DPA. The Controller may engage a qualified, independent third-party auditor to conduct the audit on its behalf, provided that such auditor enters into a confidentiality agreement acceptable to the Processor.

10.3 Costs

Each Party shall bear its own costs in connection with any audit. However, if an audit reveals a material breach of this DPA by the Processor, the Processor shall reimburse the Controller for the reasonable costs of that audit.

10.4 Audit Reports

The Processor shall make available, upon reasonable request, summaries of any third-party audit or certification reports relevant to the security of the Services (such as SOC 2 reports or penetration test summaries), subject to the Processor's confidentiality obligations to third parties. The Controller agrees that such reports may satisfy the Controller's audit requirements under this Section where the reports adequately address the Controller's concerns.

11. Term and Termination

11.1 Term

This DPA shall become effective on the Effective Date and shall remain in force for the duration of the Principal Agreement. To the extent that the Processor continues to process Personal Data after the termination or expiration of the Principal Agreement (e.g., during the data export period), the terms of this DPA shall continue to apply until such processing ceases.

11.2 Survival

The following provisions shall survive termination or expiration of this DPA: Section 1 (Definitions), Section 6 (Security Measures, to the extent the Processor retains any Personal Data), Section 7 (Data Breach Notification), Section 9 (Data Retention and Deletion), Section 10 (Audit Rights, for a period of twelve months following termination), and Section 12 (Governing Law).

11.3 Effect of Termination of Principal Agreement

Termination or expiration of the Principal Agreement shall automatically trigger the data return and deletion obligations set forth in Section 9. The Processor shall cease all processing of Personal Data on behalf of the Controller, except as necessary to comply with its obligations under this DPA or Applicable Data Protection Law.

12. Governing Law

12.1 Applicable Law

This DPA shall be governed by and construed in accordance with the laws of the State of Washington, United States, without regard to its conflict of laws principles, except to the extent that Applicable Data Protection Law requires the application of the law of another jurisdiction.

12.2 Jurisdiction

Any disputes arising out of or in connection with this DPA shall be subject to the dispute resolution provisions of the Principal Agreement. Where no such provisions exist, the Parties submit to the exclusive jurisdiction of the state and federal courts located in the State of Washington, United States.

12.3 Relationship to Principal Agreement

This DPA is incorporated into and forms part of the Principal Agreement. Except as modified by this DPA, the terms of the Principal Agreement remain in full force and effect. In the event of any conflict between this DPA and the Principal Agreement with respect to the processing of Personal Data, this DPA shall prevail.

12.4 Amendments

This DPA may be amended by the Processor to reflect changes in Applicable Data Protection Law or regulatory guidance. The Processor shall notify the Controller of any material amendments at least thirty (30) days before they take effect. The Controller's continued use of the Services after the effective date of such amendments constitutes acceptance.

13. Contact

For questions, concerns, or requests regarding this Data Processing Agreement:

To request a countersigned copy of this DPA or to discuss custom data processing terms, please contact your account manager or email legal@hailsentinel.com.