Version: April 2026
Important context: IX Bond is cloud-managed software. The vast majority of data processing occurs entirely on the Customer's own infrastructure. This DPA addresses the limited processing that IX Bond Inc. performs in connection with license validation, software updates, optional telemetry, and website interactions.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Customer ("Controller"): The entity that has agreed to the IX Bond Terms of Service and deploys the IX Bond Software on its infrastructure.
- IX Bond Inc. ("Processor"): A Delaware corporation that develops and distributes the IX Bond mesh VPN platform, with contact at privacy@ixbond.com.
This DPA supplements and forms part of the IX Bond Terms of Service ("Agreement") and applies to the extent that IX Bond Inc. processes Personal Data on behalf of the Customer in connection with the IX Bond platform and related services.
2. Definitions
For the purposes of this DPA, the following definitions apply in addition to those set out in the Agreement. Where not otherwise defined herein, capitalized terms shall have the meanings given to them in Regulation (EU) 2016/679 ("GDPR"), Article 4:
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in GDPR Article 4(1).
- "Processing" means any operation or set of operations performed on Personal Data, whether by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction, as defined in GDPR Article 4(2).
- "Controller" means the natural or legal person which determines the purposes and means of the Processing of Personal Data, as defined in GDPR Article 4(7).
- "Processor" means a natural or legal person which processes Personal Data on behalf of the Controller, as defined in GDPR Article 4(8).
- "Sub-processor" means any third party engaged by IX Bond Inc. to process Personal Data on behalf of the Customer.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, as set out in Commission Implementing Decision (EU) 2021/914.
3. Scope and Nature of Processing
IX Bond is a cloud-managed software platform. The Customer deploys and operates the Software on its own infrastructure. As a result, the vast majority of data processing — including all network traffic, mesh configurations, encryption keys, access control policies, and audit logs — occurs entirely within the Customer's environment and is under the Customer's sole control.
IX Bond Inc. acts as a Processor only with respect to the following limited processing activities:
| Processing Activity | Data Processed | Purpose |
| --- | --- | --- |
| License Validation | License key identifier, software version, active node count | Verify license validity and entitlements |
| Software Update Checks | Software version, operating system type | Notify of available updates and security patches |
| Optional Telemetry (opt-in only) | Anonymized aggregate metrics: node count, OS distribution, feature usage, error counts | Improve software quality and prioritize development |
| Website and Account | Name, email, company, IP address, usage analytics | Account management, support, communications |
| Support Communications | Name, email, content of support requests, diagnostic data voluntarily submitted | Provide technical support |
4. Data Subjects and Categories of Personal Data
4.1 Data Subjects
The Data Subjects whose Personal Data may be processed under this DPA include:
- Customer employees and contractors who manage the IX Bond deployment
- Customer employees and contractors who use devices connected to the IX Bond mesh network
- Customer personnel who interact with IX Bond Inc. for support, account management, or other communications
4.2 Categories of Personal Data
The categories of Personal Data processed by IX Bond Inc. are limited to:
- Contact information: names, email addresses, company names, job titles
- Technical identifiers: IP addresses (of the control server contacting IX Bond's license/update servers), device identifiers included in optional telemetry
- Connection metadata: timestamps of license validation and update check requests
- Support data: content of support communications and any diagnostic data voluntarily provided
5. Duration of Processing
IX Bond Inc. shall process Personal Data for the duration of the Agreement between the parties. Upon termination of the Agreement, IX Bond Inc. shall, at the Customer's election, delete or return all Personal Data within 30 days, unless retention is required by applicable law. IX Bond Inc. shall confirm deletion in writing upon the Customer's request.
6. Obligations of the Processor
IX Bond Inc. shall:
- Process on instructions: Process Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law, in which case IX Bond Inc. shall inform the Customer of that legal requirement before processing unless the law prohibits such notification.
- Ensure confidentiality: Ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement security measures: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Appendix A of this DPA.
- Engage Sub-processors properly: Not engage any Sub-processor without prior written authorization from the Customer, subject to Section 7 below.
- Assist with data subject requests: Assist the Customer, by appropriate technical and organizational measures and insofar as possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under GDPR Chapter III.
- Assist with compliance obligations: Assist the Customer in ensuring compliance with obligations under GDPR Articles 32 through 36, taking into account the nature of processing and the information available to IX Bond Inc.
- Delete or return data: At the Customer's choice, delete or return all Personal Data upon termination of the Agreement, and delete existing copies unless applicable law requires retention.
- Provide audit information: Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits and inspections conducted by the Customer or an auditor mandated by the Customer, as described in Section 9.
7. Sub-processors
The Customer provides general written authorization for IX Bond Inc. to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud infrastructure hosting for IX Bond's license server, update server, and website | United States (us-east-1) |
| Postmark (ActiveCampaign LLC) | Transactional email delivery for account notifications and support communications | United States |
| Google LLC (Google Analytics) | Website analytics (anonymized, optional) | United States |
IX Bond Inc. shall inform the Customer of any intended changes to the list of Sub-processors at least 30 days in advance, giving the Customer the opportunity to object to such changes. If the Customer objects on reasonable grounds relating to data protection, and IX Bond Inc. cannot reasonably accommodate the objection, either party may terminate the affected portion of the Agreement.
IX Bond Inc. shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. IX Bond Inc. shall remain fully liable to the Customer for the performance of each Sub-processor's obligations.
8. International Data Transfers
To the extent that Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the European Commission, IX Bond Inc. shall ensure that appropriate safeguards are in place:
- Standard Contractual Clauses: The parties agree to the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) as annexed to Commission Implementing Decision (EU) 2021/914, which are incorporated into this DPA by reference.
- Supplementary Measures: IX Bond Inc. implements supplementary technical measures including encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256), strict access controls, and regular security assessments to ensure that the level of protection required by GDPR is maintained.
- EU-US Data Privacy Framework: IX Bond Inc. adheres to the EU-US Data Privacy Framework where applicable.
9. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on behalf of the Customer, IX Bond Inc. shall:
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the Data Breach, via email to the Customer's designated contact and through the IX Bond administration dashboard.
- Provide the Customer with sufficient information to enable the Customer to meet its own notification obligations under GDPR Article 33, including:
  - The nature of the Data Breach, including categories and approximate number of Data Subjects and records affected
  - The likely consequences of the Data Breach
  - The measures taken or proposed to address the Data Breach, including measures to mitigate possible adverse effects
  - The name and contact details of IX Bond Inc.'s point of contact for further information
- Cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Data Breach.
- Document the Data Breach, including its effects and the remedial actions taken, and make such documentation available to the Customer and relevant supervisory authorities upon request.
10. Audit Rights
The Customer (or its designated independent third-party auditor, subject to reasonable confidentiality obligations) may conduct audits to verify IX Bond Inc.'s compliance with this DPA, subject to the following conditions:
- The Customer shall provide at least 30 days' written notice of any audit request.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with IX Bond Inc.'s operations.
- Audits shall be conducted no more than once per 12-month period, unless required by a supervisory authority or triggered by a Data Breach.
- IX Bond Inc. may satisfy audit requests by providing the Customer with relevant third-party audit reports (e.g., SOC 2 Type II), certifications, or other documentation demonstrating compliance.
- The Customer shall bear its own costs in connection with any audit, except where the audit reveals material non-compliance by IX Bond Inc.
Appendix A: Technical and Organizational Security Measures
IX Bond Inc. implements the following technical and organizational measures to protect Personal Data:
A.1 Encryption
- All data in transit is encrypted using TLS 1.3 with strong cipher suites
- All data at rest is encrypted using AES-256-GCM
- Database backups are encrypted using AES-256 before storage
- Encryption keys are managed using a dedicated key management system with automatic rotation
A.2 Access Controls
- Role-based access control (RBAC) for all internal systems
- Multi-factor authentication (MFA) required for all employee accounts
- Principle of least privilege enforced for all access permissions
- Access reviews conducted quarterly
- Privileged access logging and monitoring
A.3 Network Security
- Network segmentation between production and development environments
- Intrusion detection and prevention systems (IDS/IPS)
- Web application firewall (WAF) for public-facing services
- DDoS protection for all public endpoints
A.4 Monitoring and Logging
- Centralized logging with tamper-evident storage
- Real-time alerting for security events
- Log retention for a minimum of 1 year
- Regular log review and analysis
A.5 Business Continuity
- Regular backups with tested restoration procedures
- Disaster recovery plan with documented recovery time objectives (RTO) and recovery point objectives (RPO)
- Redundant infrastructure for critical services
A.6 Personnel
- Background checks for all employees with access to Personal Data
- Annual security awareness and data protection training
- Confidentiality obligations in employment contracts
- Immediate access revocation upon termination of employment
A.7 Vulnerability Management
- Regular vulnerability scanning of all systems
- Annual third-party penetration testing
- Responsible disclosure program for external security researchers
- Documented patch management process with defined SLAs
Appendix B: Signature Block
Execution
This DPA is effective as of the date last signed below and shall remain in effect for the duration of the Agreement.
For the Customer (Controller):
Signature
Name
Title
Date
For IX Bond Inc. (Processor):
Signature
Name
Title
Date
To execute this DPA, please contact legal@ixbond.com. A signed copy will be provided for your records.