Data Processing Addendum (DPA)

1. Definitions

For purposes of this DPA, the terms "Personal Data", "Processing", "Controller", and "Processor" shall have the meanings given in applicable data protection laws, including the EU General Data Protection Regulation ("GDPR"), where applicable.

2. Roles of the Parties

The Customer acts as the Data Controller, determining the purposes and means of Processing. Open G acts as the Data Processor, processing Personal Data only on documented instructions from the Customer and as necessary to provide the Services.

3. Scope of Processing

3.1 Subject Matter

Processing of Personal Data in connection with Open Web Audit, including audit generation, platform access, diagnostics, and reporting.

3.2 Duration

For the duration of the Customer's use of the Services, unless otherwise agreed.

3.3 Nature and Purpose

Processing is limited to what is necessary to provide audit and decision-support services, operate, secure, and improve the platform, and comply with legal obligations.

3.4 Categories of Data Subjects

Customer employees and authorized users, and business contacts associated with Customer-managed digital properties.

3.5 Categories of Personal Data

May include name, business email address, organizational affiliation, user credentials and access logs, and platform usage metadata. Open Web Audit primarily operates on publicly accessible, non-personal, business-oriented signals. Personal Data processing is incidental and limited.

4. Processing of Publicly Accessible Information

Customer acknowledges that Open Web Audit analyzes publicly accessible digital properties and signals. Such analysis does not require ownership or authorization from the analyzed property and does not constitute processing of personal consumer data in most cases.

5. Processor Obligations

Open G shall process Personal Data only on documented instructions from the Customer; ensure personnel are bound by confidentiality obligations; implement appropriate technical and organizational security measures; not sell Personal Data; and not process Personal Data for purposes other than providing the Services.

6. Subprocessors

Customer authorizes Open G to engage subprocessors for hosting, infrastructure, analytics, security, and customer support. Open G remains responsible for subprocessors' compliance with this DPA. A list of subprocessors may be provided upon request.

7. Security Measures

Open G implements reasonable measures designed to protect Personal Data, including access controls, encryption in transit where applicable, system monitoring, and role-based access. No system can guarantee absolute security.

8. Data Subject Rights

Taking into account the nature of Processing, Open G shall assist the Customer, where reasonably possible, in responding to data subject requests (e.g., access, deletion, correction).

9. Personal Data Breach

Open G shall notify the Customer without undue delay upon becoming aware of a Personal Data breach affecting data processed under this DPA, to the extent required by applicable law.

10. Data Retention and Deletion

Upon termination of the Services, Open G will delete or anonymize Personal Data processed on behalf of the Customer, unless retention is required by law or for legitimate business purposes (e.g., security, dispute resolution).

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws provisions.