Last Updated: OCT 27, 2025

This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between Customer and Pierre Computer Company, Inc. (“Company”) (collectively, “the parties”) for the provision of services to Customer (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.

• “Data Protection Law” means all laws that apply to the Processing of Personal Data under the Agreement, including European Data Protection Law and the laws and regulations of the United States and its states, as amended from time to time, to the extent such laws and regulations apply to the relevant party.
• “European Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all other privacy and data protection laws of the European Economic Area (“EEA”), and their respective Member States, Switzerland and the United Kingdom (“UK”) and all laws implementing or supplementing the foregoing.
• “Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable natural person that Company may Process on Customer’s behalf in performing the services under the Agreement.
• “Processing” (including its cognate "Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• “Security Incident” means a breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Personal Data.
• “Standard Contractual Clauses” means:
  • (i) Module 2 of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and
  • (ii) where the UK GDPR applies, the EU SCCs as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 (the “UK SCCs”).

Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I.

Company agrees that it will Process Personal Data only in accordance with the Agreement and this DPA. To the extent applicable, Company will Process Personal Data as a “processor” or “service provider” as such terms are defined under applicable Data Protection Law.

When Company Processes Personal Data, it will:

1. Process the Personal Data in accordance with Customer's documented instructions as described in the Agreement or this DPA. Company will notify Customer if it considers that an instruction from Customer is in breach of Data Protection Law, unless prohibited by law.
2. Assist Customer, taking into account the nature of the Processing and information available to Company, in complying with Customer's obligations to respond to requests concerning Personal Data from individuals.
3. Implement and maintain appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk.
4. Only entrust the Processing of Personal Data to personnel who have undertaken to comply with confidentiality requirements.
5. Upon termination of the Agreement, permit Customer to delete or obtain copies of Personal Data consistent with the functionality of the Services and applicable law.

Company certifies that it will not:

• (a) “sell” the Personal Data;
• (b) retain, use, or disclose the Personal Data for any purpose other than as permitted;
• (c) retain, use, or disclose the Personal Data outside the context of the direct relationship with Customer.

Customer is responsible for the lawfulness of Personal Data processing under or in connection with the services. Customer will:

• (i) provide all required notices and obtain all required consents;
• (ii) make appropriate use of the services to ensure security;
• (iii) comply with all applicable Data Protection Law for Personal Data collection and transfer;
• (iv) ensure processing instructions comply with applicable law.

Customer agrees that Company may use third-party suppliers listed in Annex III as Subprocessors.

Company will:

• Maintain and update a list of Subprocessors.
• Notify Customer by email prior to authorizing a new Subprocessor.
• Allow Customer ten (10) days to object with legitimate grounds.
• Ensure Subprocessors enter into substantially similar written terms.
• Remain liable for any breaches by Subprocessors.

If European Data Protection Law applies and SCCs are required, the SCCs are incorporated with Customer as “data exporter” and Company as “data importer”.

Specific clause implementation and completion details are included here and in Annex references.

Upon request, Company will provide cooperation to enable Customer to:

• Respond to regulatory investigations/inquiries.
• Conduct data protection impact assessments.

Company must inform Customer without undue delay if it:

• Receives a request, complaint, or inquiry regarding Personal Data Processing.
• Receives a binding or non-binding disclosure request.
• Is subject to a conflicting legal obligation.
• Becomes unable to comply.

Upon becoming aware of a Security Incident, Company will inform Customer without undue delay and provide timely updates.

Company will make available necessary information to demonstrate compliance and allow audits as requested.

Customer must accept any third-party Audit Report, subject to confidentiality. If additional info is required:

• An audit may be performed at Customer’s cost upon 30 days’ notice, during business hours, and without unreasonable interference.

• This DPA prevails over conflicting Agreement terms.
• Invalid provisions do not affect remaining terms.
• Liability is subject to contractual limitations.
• Governing law aligns with that of the Agreement.

• Customer is the controller and data exporter.
• Company is the processor and data importer.

• Subject Matter: Platform to help developers host, review, and collaborate on code.
• Duration: Term of the Agreement.
• Nature and Purpose: Provide access to and use of the platform.
• Frequency: Continuous.
• Categories of Data: Customer Personal Data relating to authorized users.
• Special Categories: N/A
• Data Subjects: Authorized users

Irish Data Protection Commission.

Company shall implement and maintain controls including but not limited to:

Security areas, restricted paths, access authorizations, ID/card systems, key management, surveillance, alarm systems, securing decentralized equipment.

User identification/authentication, password procedures, monitoring failed logins, user records, data encryption.

Access rights management, monitoring, logging, disciplinary actions, procedures for change and deletion, encryption.

Encryption/tunneling, logging, transport security.

Logging/reporting, audit trails and documentation.

Contract clarity, formal commissioning, processor selection criteria.

Backups, mirroring, UPS, remote storage, antivirus/firewall, disaster recovery.

Database separation, limited-use concepts, separation of environments, storage/transmission procedures.