Data Processing Agreement
Last updated: March 10, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between LaunchSafe ("Processor", "we", "us") and you ("Controller", "Customer") for the provision of security scanning services. This DPA sets out the terms that apply when Personal Data is processed by LaunchSafe on behalf of the Customer.
This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by LaunchSafe in connection with the Services.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR (Regulation (EU) 2016/679), CCPA, UK GDPR, and other relevant regulations.
- "Sub-processor" means any third party engaged by LaunchSafe to process Personal Data on behalf of the Customer.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Roles of the Parties
For the purposes of this DPA:
- The Customer is the Controller of Personal Data
- LaunchSafe is the Processor of Personal Data
The Customer determines the purposes and means of processing Personal Data. LaunchSafe processes Personal Data only on behalf of and under the instructions of the Customer.
3. Scope of Processing
LaunchSafe processes Personal Data solely for the purpose of providing security scanning services as described in the Terms of Service. The types of data processed may include:
- Source code containing personal identifiers (names, emails, etc.)
- Configuration files with credentials or personal data
- Application data encountered during security testing
- Customer account information (email, name, company)
- Technical data (IP addresses, browser information, usage data)
Categories of Data Subjects: Customer employees, Customer's end users, and any individuals whose data appears in Customer's source code or applications.
4. Processor Obligations
LaunchSafe agrees to:
- Process Personal Data only on documented instructions from the Customer, unless required by law
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational security measures as required by Article 32 of GDPR
- Respect the conditions for engaging sub-processors as set out in this DPA
- Assist the Customer in responding to data subject requests
- Assist the Customer in ensuring compliance with security, breach notification, impact assessments, and prior consultation obligations
- Delete or return all Personal Data upon termination of services, at the Customer's choice
- Make available all information necessary to demonstrate compliance and allow for audits
- Immediately inform the Customer if an instruction infringes Data Protection Laws
5. Security Measures
LaunchSafe implements the following technical and organizational measures to protect Personal Data (Article 32 GDPR):
- Encryption: Data in transit (TLS 1.3) and at rest (AES-256)
- Isolation: Isolated processing environments for each customer scan
- Data Minimization: Automatic deletion of source code within 24 hours after scan completion
- Access Control: Role-based access controls and multi-factor authentication
- Monitoring: Continuous monitoring and logging of system access
- Testing: Regular security assessments and penetration testing
- Incident Response: Documented incident response and breach notification procedures
- Business Continuity: Regular backups and disaster recovery procedures
6. Sub-processors
The Customer provides general authorization for LaunchSafe to engage sub-processors. The current list of authorized sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon | Database hosting (PostgreSQL) | AWS Europe (Frankfurt) |
| Cloudflare R2 | File storage | Western Europe (WEUR) |
| Vercel | Application hosting | Global (Edge) |
| Dodo Payments | Payment processing | Global |
| GitHub | Authentication & repository access | USA |
All sub-processors maintain SOC 2 Type II certification and GDPR compliance. LaunchSafe will notify Customers of any changes to sub-processors with 30 days' advance notice. The Customer may object to a new sub-processor within 14 days of notification.
7. International Data Transfers
Personal Data is primarily stored and processed within the European Economic Area (EEA). Where transfers outside the EEA are necessary, LaunchSafe ensures appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-US Data Privacy Framework certification (where applicable)
- Supplementary measures as required by the Schrems II decision
8. Data Subject Rights
LaunchSafe will assist the Customer in fulfilling its obligations to respond to data subject requests under GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure ("right to be forgotten") (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
LaunchSafe will respond to data subject requests within 10 business days and will not respond directly to data subjects without Customer authorization unless required by law.
9. Personal Data Breach Notification
In the event of a Personal Data Breach, LaunchSafe will:
- Notify the Customer without undue delay and within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach
- Describe the categories and approximate number of data subjects concerned
- Describe the likely consequences of the breach
- Describe the measures taken or proposed to address the breach
- Cooperate with the Customer and take reasonable steps to assist in investigation and mitigation
10. Data Retention and Deletion
LaunchSafe retains Personal Data only as long as necessary for the purposes specified:
- Source code: Deleted within 24 hours after scan completion
- Security reports: Retained for 90 days or until Customer requests deletion
- Account data: Retained until account deletion or 2 years of inactivity
- Backup data: Deleted within 30 days of primary data deletion
11. Audits and Compliance
LaunchSafe will make available to the Customer all information necessary to demonstrate compliance with this DPA and Article 28 of GDPR.
Upon reasonable request (no more than once per year) and subject to confidentiality obligations, LaunchSafe will allow for and contribute to audits, including inspections, conducted by the Customer or a third-party auditor mandated by the Customer.
LaunchSafe maintains SOC 2 Type II compliance and will provide audit reports upon request.
12. Termination
Upon termination of the Services, LaunchSafe will, at the Customer's choice:
- Return all Personal Data to the Customer in a commonly used format
- Delete all Personal Data and certify such deletion in writing
Deletion will be completed within 30 days of termination, unless applicable law requires retention.
13. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. LaunchSafe shall be liable for damages caused by processing that violates Data Protection Laws or this DPA, to the extent required by Article 82 of GDPR.
14. Governing Law
This DPA shall be governed by the laws of the State of Delaware, except where Data Protection Laws require otherwise. For EU data subjects, this DPA shall be interpreted in accordance with GDPR.
15. Contact
For any questions regarding this DPA or to exercise your rights, please contact our Data Protection Officer:
Email: dpo@launchsafe.co