1. Definitions
Capitalized terms not defined in this Addendum carry the meaning given in the underlying Master Subscription Agreement between [FIRM] (“Customer”) and Interline, Inc. (“Processor”).
“Customer Data” means any personal data that Customer or its Authorized Users submit to the Service. “Data Subject”, “Controller”, “Processor”, “Processing”, and “Personal Data Breach” have the meanings given in Regulation (EU) 2016/679 (“GDPR”) and, where applicable, the California Consumer Privacy Act of 2018 as amended (“CCPA”). “Data Protection Law” means the GDPR, the CCPA, and any other data protection law applicable to the Processing of Customer Data under the Agreement.
2. Scope and roles
This Addendum applies to all Processing of Customer Data by Processor on behalf of Customer under the Agreement, beginning [EFFECTIVE_DATE] and continuing for the term of the Agreement and any post-termination retention window described herein.
With respect to Customer Data, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and Processor is the Processor. Processor will only Process Customer Data on documented instructions from Customer, including those set out in the Agreement, this Addendum, and any subsequent written instructions accepted by Processor.
3. Processor obligations
Processor agrees that it will:
- Process Customer Data only on Customer's documented instructions and in accordance with this Addendum.
- Inform Customer without undue delay if it considers an instruction to infringe applicable Data Protection Law.
- Ensure that personnel authorized to Process Customer Data have committed themselves to confidentiality.
- Implement and maintain the technical and organizational measures described in Section 5.
- Assist Customer in fulfilling its obligations to respond to Data Subject requests under Section 7.
- Assist Customer with data protection impact assessments and prior consultations with supervisory authorities to the extent reasonably required.
4. Confidentiality
Processor will treat Customer Data as Customer's Confidential Information and will not disclose it except as required to perform the Service, as compelled by valid legal process, or with Customer's prior written consent. Where Processor is compelled by law to disclose Customer Data it will, where legally permitted, notify Customer in advance so that Customer may seek a protective order.
5. Security measures
Processor maintains technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. Current measures include:
- Encryption of Customer Data at rest using AES-256 or equivalent and in transit using TLS 1.2 or higher.
- Tenant isolation enforced at the database row level: every record carries a non-nullable tenant identifier, and all queries are constrained by a session-scoped tenant filter so that a request can only read or write rows belonging to its own tenant.
- Append-only audit logs with hash chaining, in which each entry incorporates the hash of the preceding entry so that alteration or deletion of an entry is detectable, covering authentication events, record creation, and record modification.
- Role-based access controls with multi-factor authentication required on personnel accounts that can access production systems.
- Annual review of access privileges and prompt revocation on personnel changes.
- A documented incident response plan covering detection, containment, notification, and post-incident review.
A current description of measures is published at /trust and is updated as the Service evolves; the level of protection will not be materially reduced during the term of the Agreement.
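The hash-chained audit log referred to in Section 5, shown as an added example that is not part of this Addendum or of Interline's Service (the field names, the sample events, the SHA-256 chaining and the external head anchor are assumptions). Each entry's hash covers its sequence number, the previous entry's hash and the canonicalized event, so editing or deleting an entry breaks the chain at that point. The example also shows the technique's limit: a log truncated at the tail still verifies unless the most recent hash is anchored somewhere outside the log.

```python
"""Hash-chained, append-only audit log with a verifier that localizes tampering.

Added example, not Interline's code. Field names, sample events and the
SHA-256 construction are assumptions made for illustration.
"""
import copy
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # anchor hash for the first entry (assumption)


def canonical(event: dict) -> bytes:
    """Serialize deterministically so the same event always hashes identically."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(seq: int, prev_hash: str, event: dict) -> str:
    """SHA-256(seq || prev_hash || canonical(event)): binds each entry to its predecessor."""
    h = hashlib.sha256()
    h.update(str(seq).encode("ascii"))
    h.update(prev_hash.encode("ascii"))
    h.update(canonical(event))
    return h.hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, event: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "event": event, "hash": entry_hash(seq, prev, event)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; store it out of band to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (ok, index of first bad entry). A missing tail is only caught via expected_head."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or entry_hash(i, prev, e["event"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)  # chain intact but shorter than the anchored head
        return True, None


# Constructed sample events covering the three categories named in Section 5.
SAMPLE_EVENTS = [
    {"type": "auth.login", "tenant_id": "t-001", "actor": "alice@example.com", "ok": True},
    {"type": "record.create", "tenant_id": "t-001", "actor": "alice@example.com", "record_id": "r-42"},
    {"type": "record.update", "tenant_id": "t-001", "actor": "alice@example.com",
     "record_id": "r-42", "fields": ["status"]},
    {"type": "auth.login", "tenant_id": "t-002", "actor": "bob@example.com", "ok": False},
]


def build_log() -> AuditLog:
    log = AuditLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


def tamper_scenarios() -> dict:
    """Run the verifier against a clean log and three tampered copies."""
    clean = build_log()
    head = clean.head()  # external anchor, e.g. signed or written to a separate system
    results = {"clean": clean.verify(head)}

    edited = copy.deepcopy(clean)  # silently rewrite an actor in the middle of the log
    edited.entries[1]["event"]["actor"] = "mallory@example.com"
    results["edited"] = edited.verify(head)

    deleted = copy.deepcopy(clean)  # drop a middle entry; the successor's seq/prev no longer fit
    del deleted.entries[2]
    results["deleted"] = deleted.verify(head)

    truncated = copy.deepcopy(clean)  # remove the newest entry
    truncated.entries.pop()
    results["truncated_no_anchor"] = truncated.verify()
    results["truncated_with_anchor"] = truncated.verify(head)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in tamper_scenarios().items():
        print(f"{name:22s} ok={ok} first_bad_index={idx}")
```

The chain alone localizes edits and deletions in the interior of the log, but it says nothing about entries removed from the end; in practice the head hash is periodically signed or copied to a system the log writer cannot modify, and `verify` is run against that anchor.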
6. Subprocessors
Customer authorizes Processor to engage subprocessors to perform the Service. The current list is published at /legal/subprocessors.
Processor will give Customer at least thirty (30) days' prior notice of any intended addition or replacement of a subprocessor by updating the published list and emailing the workspace owner. If Customer reasonably objects to a new subprocessor on data protection grounds, Customer may terminate the affected portion of the Service without penalty by giving written notice within the notice period.
Processor will impose data protection obligations on each subprocessor that are materially equivalent to those in this Addendum and remains liable for the acts and omissions of its subprocessors with respect to Customer Data.
7. Data Subject rights
Processor will, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures to fulfill Customer's obligation to respond to requests for the exercise of Data Subject rights under applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
If Processor receives a request directly from a Data Subject relating to Customer Data, Processor will not respond to the request itself (other than to confirm receipt) and will forward the request to Customer without undue delay.
8. Personal Data Breach notification
Processor will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Data. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it; where that information is not all available at the time of the initial notification, Processor will supply it in phases without undue further delay.
Processor will reasonably cooperate with Customer in investigating, mitigating, and remediating the breach and will document the breach and the response in Processor's incident-response record.
9. Deletion and return
On termination or expiration of the Agreement, Customer may export Customer Data through the Service during a thirty (30) day grace window beginning on the effective termination date. Processor will, at Customer's option, return or delete Customer Data within ninety (90) days of the effective termination date, except for copies held in backups. Backups containing Customer Data age out within twelve (12) months under the standard backup rotation; Processor will not restore Customer Data from a backup after termination except to fulfill a legal obligation.
10. Audits and information
Processor will make available to Customer, on reasonable request, the information necessary to demonstrate compliance with the obligations laid down in this Addendum. This information includes the documentation published on the Trust Center at /trust, summaries of any third-party audit reports Processor holds (made available under NDA where applicable), and Processor's reasonable responses to a security questionnaire, no more than once per calendar year.
Where Customer reasonably requires an on-site or virtual audit beyond the information so provided, the parties will agree on the scope, timing, and cost in advance, and Customer will bear its own costs and reasonable additional costs incurred by Processor.
11. International transfers
Where Processor transfers Customer Data originating in the European Economic Area, the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of protection, the parties will rely on the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914, incorporated herein by reference, with Customer as the data exporter and Processor as the data importer. The applicable module is Module Two (Controller to Processor) or Module Three (Processor to Processor) as the case may be. For transfers from the United Kingdom the Standard Contractual Clauses are supplemented by the International Data Transfer Addendum issued by the UK Information Commissioner, and for transfers from Switzerland by the adaptations required by the Swiss Federal Data Protection and Information Commissioner, in each case incorporated herein by reference.
12. Term and termination
This Addendum takes effect on [EFFECTIVE_DATE] and remains in force for as long as Processor processes Customer Data on behalf of Customer under the Agreement. The deletion and return obligations in Section 9 survive termination.
13. General
This Addendum forms part of the Agreement. In the event of a conflict between this Addendum and the Agreement with respect to the Processing of Customer Data, this Addendum prevails. Each party's liability under this Addendum is subject to the limitations of liability set forth in the Agreement.