
Modal Labs, Inc. Data Processing Addendum

Effective October 31, 2025.

This Data Processing Addendum (the "DPA") is incorporated by reference into the agreement between Modal Labs, Inc. (“Modal”) and Customer (the "Agreement") regarding the Services described in the Agreement. This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data (defined below) is processed by Modal under the Agreement. Capitalized terms have the meanings provided in the Agreement except as provided here.

IT IS AGREED AS FOLLOWS:

  1. Definitions and Interpretation

  2. Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

    "Applicable Privacy Law(s)" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable:

      "EU Data Protection Law": Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) and the EU e-Privacy Directive (Directive 2002/58/EC), each as implemented and transposed into local law by any EU member states.

      "Swiss DPA": the Swiss Federal Act on Data Protection 1992 (including as amended or superseded).

      "UK Data Protection Law": the UK Data Protection Act and GDPR as incorporated into UK law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).

      "US Data Protection Law": all applicable comprehensive state Applicable Privacy Laws and regulations in each case as may be amended or superseded from time to time, including the California Privacy Rights Act ("CPRA"); Colorado Privacy Act; Connecticut Personal Data Privacy and Online Monitoring Act; Delaware Personal Data Privacy Act; Indiana Consumer Data Protection Act; Iowa Consumer Data Protection Act; Montana Consumer Data Privacy Act; Oregon Consumer Privacy Act; Tennessee Information Protection Act; Texas Data Privacy and Security Act; Utah Consumer Privacy Act; Virginia Consumer Data Protection Act.

    "Customer Personal Data" means any Personal Data Processed by a Subprocessor on behalf of Customer pursuant to or in connection with the Agreement;

    "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

    "Controller", "Data Subject", "Process" (whether or not capitalized), "Processor", and "Subprocessor" have the meanings ascribed to them by GDPR and include equivalent terms in California Data Protection Law, in each case as applicable to the Services.

    "EEA" means the European Economic Area;

    "Standard Contractual Clauses" or "SCCs" means: (a) where EU Data Protection Law or the Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (b) where UK Data Protection Law applies, standard data protection clauses adopted pursuant to or permitted under UK Data Protection Law (“UK SCCs”).

  3. Processing of Customer Personal Data

    1. Purpose Limitation. Modal will not Process Customer Personal Data for any purpose other than for the specific purposes set forth in this DPA, unless obligated to do otherwise by Applicable Privacy Law. In such case, Modal will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Modal shall only Process Customer Personal Data for the following purposes: (a) Processing as reasonably required to provide the Service and perform Modal’s obligations under the Agreement and this DPA, and as otherwise agreed by the Parties; (b) Processing initiated by Customer and its users in their use of the Service; (c) Processing to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement and Applicable Privacy Laws; and (d) as otherwise required by Applicable Privacy Laws. Further details regarding Modal’s Processing operations are set forth in Schedule 1.

    2. Lawful Instructions. Customer shall, in its use of the Service, Process Customer Personal Data in accordance with the requirements of Applicable Privacy Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer will not instruct Modal to Process Personal Data in violation of Applicable Privacy Law. Modal has no obligation to monitor the compliance of Customer’s use of the Service with Applicable Privacy Law, though Modal will immediately inform Customer if, in Modal’s opinion, an instruction from Customer infringes Applicable Privacy Law.

    3. CPRA Requirements. With respect to Customer Personal Data to which the CPRA applies (capitalized terms used in this section having the meanings provided in CPRA):

      1. Modal shall act as a Service Provider to Customer and shall collect, access, maintain, use, process, and transfer Customer Personal Data solely for the purpose of performing Modal’s obligations under this Agreement for or on behalf of Customer and for no commercial purpose other than the performance of such obligations.

      2. Modal shall not Sell or Share (as defined in CPRA), disclose, release, transfer, make available or otherwise communicate any Customer Personal Data to another business or third party without Customer’s prior written consent unless and to the extent that such disclosure is made to a Subcontractor for a business purpose, subject to Section 5.1(a) below. Notwithstanding the foregoing, nothing in this DPA shall restrict Modal’s ability to disclose Customer Personal Data to comply with applicable laws; provided that if such disclosure is required, Modal will promptly notify Customer of the request for disclosure unless such notification is prohibited by applicable law or a legally binding order.

  4. Processor Personnel

  5. Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  6. Security

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Customer Personal Data implement appropriate technical and organizational measures, described on Schedule 2, to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

    2. In assessing the appropriate level of security, Processor shall take account, in particular, of the risks that are presented by Processing from a Personal Data Breach perspective.

  7. Subprocessing

    1. Customer hereby consents to Modal’s appointment of Subprocessors of Personal Data under this Agreement. Modal’s current Subprocessors are listed on Schedule 3 hereto. Modal confirms that it:

      1. has entered (or, for future appointments, will enter) into a written agreement with each Subprocessor incorporating terms which are at least as protective of Personal Data provided by Customer as those set out in this DPA; and
      2. will update the website above with any intended changes concerning the addition or replacement of Subprocessors, thereby giving Customer the opportunity to object to such changes. That website includes a self-enrollment system where Customer can add an email address to receive notices of Subprocessor changes. Customer’s sole recourse if it objects to a Subprocessor will be to terminate Customer’s subscription to the Service.
    2. Emergency Replacement. Modal may replace a Subprocessor if the need for the change is urgent and necessary to provide the Service. In such instance, Modal shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor as described above.

  8. Data Subject Rights

    1. Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Applicable Privacy Laws.

    2. Processor shall:

      1. promptly notify Customer if it receives a request from a Data Subject under any Applicable Privacy Laws in respect of Customer Personal Data; and
      2. ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Privacy Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Privacy Laws inform Customer of that legal requirement before the Processor responds to the request.
  9. Personal Data Breach

    1. Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Privacy Laws.

    2. Processor shall co-operate with the Customer and take commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

  10. Data Protection Impact Assessment and Prior Consultation

  11. Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Subprocessors.

  12. Deletion or return of Customer Personal Data

    1. On termination of the Agreement, Modal will delete and procure the deletion of all copies of Customer Personal Data as described in the MSA.

  13. Audit rights

    1. Customer may request an on-site audit of Processor’s applicable controls related to the processing activities under this DPA when: (a) the information provided by Processor is not sufficient to demonstrate compliance with the obligations set out in this DPA or (b) required by Applicable Privacy Laws or Customer’s competent supervisory authority. Upon Customer’s written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Processor shall make available to Customer information regarding Processor’s compliance with the obligations set forth in this DPA in the form of a copy of Processor’s then most recent third-party audits or certifications, if any.

  14. Cross Border Transfers

    1. Consent. Modal may not transfer Personal Data to, or process such data in, a location outside of the European Economic Area or the UK without Customer’s prior written consent, except in compliance with Section 10.2 below (in each case a “Transfer”).

    2. Compliant Transfer Mechanisms. Without prejudice to the foregoing, Customer consents to Transfers where Modal has implemented a Transfer solution compliant with GDPR and UK GDPR, which for example may include: (a) an adequacy decision by applicable authorities; (b) the Standard Contractual Clauses as incorporated herein pursuant to Appendix 1; (c) another appropriate safeguard pursuant to Article 46 of GDPR or UK GDPR equivalent; or (d) a derogation pursuant to Article 49 of GDPR or UK GDPR equivalent.

  15. General Terms

    1. This DPA is part of the Agreement and is governed by its terms and conditions including limitations of liability.

    2. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement unless required otherwise by GDPR, in which case this DPA will be governed by the laws of Sweden.

    3. In the event of inconsistencies between this DPA and the SCCs, this DPA shall prevail to the extent this DPA offers a stronger privacy protection for data subjects. Otherwise the SCCs shall apply.

APPENDIX 1: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS

  1. Incorporation of Standard Contractual Clauses

  2. The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:

    1. Module 1: Transfer controller to controller, Clauses 1 to 6, 8 and 10 to 18 apply where Modal Processes Personal Data as a Controller, Modal and its relevant Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.

    2. Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply where Modal Processes Personal Data as a Processor, Modal and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.

    3. Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply where Modal Processes Personal Data as a Processor, Modal and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.

  3. Standard Contractual Clause Optional Provisions

  4. Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:

    1. Clause 7 (Docking Clause) is omitted;
    2. In Clause 9(a) (Use of sub-processors) – Option 2 shall apply and the parties shall follow the process and timing agreed in the DPA to appoint sub-processors;
    3. In Clause 11(a) (Redress) – the Optional provision shall NOT apply;
    4. In Clause 16(b) (Suspension of transfers) if Modal is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;
    5. In Clause 17 (Governing Law) – the laws of Sweden shall govern; and
    6. In Clause 18 (Choice of forum and jurisdiction) – the courts of Sweden shall have jurisdiction.
  5. Supplementary Terms to Standard Contractual Clauses

    1. Documentation and compliance. For the purposes of Clauses 8.9(b) and 8.9(e) the review and audit provisions in the Agreement and DPA shall apply.

    2. Notification and Transparency.

      1. The Parties acknowledge and agree that Modal, where required by the Standard Contractual Clauses to notify the competent supervisory authority, shall first provide Customer with details of the notification, permitting Customer to have prior written input into the relevant notification where Customer so desires, and without delaying the timing of the notification unduly.

      2. For purposes of Clause 8.2 – Module 1, Clause 8.3 – Module 2 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Modal to make the appropriate communications to data subjects and accordingly, Customer shall (following notification from Modal) have the option to be the party who communicates with the data subject, and Modal shall provide the level of assistance set out in the DPA.

    3. Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without being signed directly, Modal and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the SCCs, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.

  6. Swiss Law Provisions

    1. Personal Data transfers from Switzerland will be governed by the SCCs as conformed to Swiss law as follows:

      1. references to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to Switzerland, the Swiss Federal Data Protection Act, and the Swiss Federal Data Protection and Information Commissioner; and
      2. In Clause 17 (Governing Law) the laws of Switzerland shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of Switzerland shall have jurisdiction.
  7. United Kingdom Law Provisions

    1. Personal Data transfers from the United Kingdom will be governed by the SCCs as conformed to UK law pursuant to the International Data Transfer Addendum (the “IDTA”) issued by the UK Information Commissioner’s Office (the “ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.

    2. In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the Agreement, the DPA and these SCCs.

    3. The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with Alternative Part 2 of the template IDTA.

    4. References to the EU, member states and GDPR in the Standard Contractual Clauses are amended mutatis mutandis to refer to the United Kingdom and UK GDPR.

    5. In Clause 17 of the Standard Contractual Clauses (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK.

Schedule 1
Description Of Data Processing

The data processing activities carried out by Modal under the Agreement may be described as follows:

Categories of data subjects whose personal data is transferred

    Data subjects are: (a) Customer’s personnel who use the Service by or at the direction of Customer, and (b) users of Customer’s product or service, if Customer imports their Personal Data into the Service.

Categories of personal data transferred

    The categories of Personal Data are: (a) the name, email and telephone contact information for Customer personnel who use the Service, (b) other Personal Data that Customer or its users may process via the Service or otherwise provide to Modal, and (c) contact information for users of Customer’s product or service, if Customer stores such information and imports it into the Service.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

    N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

    Continuous

Nature of the processing

    Modal will process Personal Data to provide the Service identified in the Agreement.

Purpose(s) of the data transfer and further processing

    Modal will transfer Personal Data to provide the Service identified in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

    As described in the DPA

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    The subprocessors referenced in the DPA provide portions of the platform used by Modal to provide the Service

Schedule 2
Technical and Organizational Measures (TOMs)

The technical and organizational measures (TOMs) provided below apply to Services provided by Modal Labs, Inc. except where Customer is responsible for its own TOMs in its use of the Services. Evidence of the implementations of these TOMs may be presented in the form of up-to-date attestations, reports or extracts from independent bodies upon written request from Customer.

| Technical and Organizational Security Measure | Details |
| --- | --- |
| Measures of pseudonymisation and encryption of personal data | Customer data is stored in a multi-tenant application with logical separation between Customer instances. Sensitive authentication information is encrypted, and the database is encrypted at rest. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Modal has policies and procedures in place to ensure confidentiality, integrity and resilience of processing systems and services. These include an Access Control Policy, Business Continuity and Disaster Recovery Policy, Data Classification Policy and a Secure Development Policy. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Customer data is backed up at least at a daily cadence. Restoration tests are performed annually. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | Modal monitors and tests controls to ensure they are operating as intended and updated as needed. Modal uses Vanta Inc. to automate several of these controls, including employee activity and adherence to Modal policies and procedures, infrastructure monitoring, and development procedures. Outside of this, Modal has completed its SOC2 Type II certification and maintains an active security program. |
| Measures for user identification and authorization | Modal maintains an Access Control Policy. Measures for access control and authorization include formally documented roles and permissions, encrypted connection to production systems and networks, and single sign-on or 2FA where available. Access reviews are performed on a regular basis. |
| Measures for the protection of data during transmission | All data transfer outside Modal’s private network is encrypted with HTTPS/SSL. |
| Measures for the protection of data during storage | Modal’s database and file stores are encrypted at rest. |
| Measures for ensuring physical security of locations at which personal data are processed | Modal does not operate physical servers or other infrastructure. For employer-provided computers: All Modal employees are required to complete physical security training, and all employees and contractors are required to enable a screen lock when the work computer is left unattended. |
| Measures for ensuring events logging | Modal has detailed event and data access logging, with automated alerts for anomalies or missing data. |
| Measures for ensuring system configuration, including default configuration | Modal maintains guidelines for configuring and hardening instances, images and containers before they can be used in production. |
| Measures for certification/assurance of processes and products | Modal has completed its SOC2 Type II certification, and engages a third-party to perform penetration tests on a regular basis. |
| Measures for ensuring data minimisation | Modal collects data in connection with Customer’s use of the Service, but only in aggregate, de-identified form which is not linked specifically to Customer or any individual, excluding Customer Data uploaded or submitted by Customer. |
| Measures for ensuring data quality | Changes to Modal data collection are reviewed, tested and monitored after deployment. |
| Measures for ensuring limited data retention | Modal retains data as long as Modal has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it is securely disposed of or archived. |
| Measures for ensuring accountability | Modal employees are required to review and acknowledge Modal security practices and policies, complete security training, and go through a security walkthrough with a senior member of the engineering organization. Modal conducts background checks on all new employees and requires all employees to sign a non-disclosure agreement before gaining access to systems. |
| Measures for allowing data portability and ensuring erasure | Customer may exercise portability or erasure rights upon request to Modal. |
| Technical and organizational measures of sub-processors | Modal collects and reviews the most security assessments from sub-processors on an annual basis. |

Schedule 3
Subprocessor List

Identified at https://trust.modal.com/subprocessors
