Data Processing Addendum
Last updated: May 2026
This Data Processing Addendum (the “Addendum” or “DPA”) forms part of the Terms of Service, or such other agreement (collectively, the “Agreement”), governing the direct relationship between User and Monad, Inc. (the “Company”).
1. Definitions
In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings ascribed to them herein.
- “Adequacy decision,” “data importer,” “data exporter,” “Process,” “Processing,” “Sub-Processor,” and “Supervisory Authority” shall each have the meaning ascribed to it under Data Protection Law.
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
- “Business” and “Controller” shall have the meanings ascribed to them in Data Protection Law and shall be used interchangeably herein.
- “Consumer” and “Data Subject” shall have the meanings ascribed to them in Data Protection Law and shall be used interchangeably herein.
- “Covered Data” means the data processed as detailed in the Agreement.
- “Data Protection Laws” means all applicable laws and regulations, including, as applicable, laws and regulations of the European Union (“EU”), the European Economic Area (“EEA”) and their member states, Switzerland and the United Kingdom (“UK”), including without limitation, Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”) and EU Directive 2002/58/EC on Privacy and Electronic Communications (“e-Privacy Directive”) or the superseding e-Privacy Regulation once effective, and the United Kingdom’s General Data Protection Regulation (“UK GDPR”), and as applicable, the laws and regulations of the United States, including without limitation, the California Consumer Privacy Act of 2018 and its amendments including the California Privacy Rights Act (collectively, the “CCPA”), and Virginia’s Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Oregon Consumer Privacy Act (“OCPA”), the Texas Data Privacy and Security Act (“TXDPSA”), the Montana Consumer Data Privacy Act (“MTCDPA”), the Iowa Consumer Data Protection Act (“IADPA”), the Delaware Personal Data Privacy Act (“DEPDPA”), the Nebraska Data Privacy Act (“NEDPA”), the New Hampshire Privacy Act (“NHPA”), the New Jersey Data Privacy Act (“NJDPA”), the Tennessee Information Privacy Act (“TIPA”), the Minnesota Consumer Data Privacy Act (“MNCDPA”), and the Maryland Online Data Privacy Act (“MDODPA”).
- “Member States” means a member of the EU.
- “Party” and “Parties” means individually each party to this Agreement, and together, the parties to this Agreement.
- “Personal Data” and “Personal Information” shall have the meanings ascribed in Data Protection Laws and shall be used interchangeably herein.
- “Processor” and “Service Provider” shall have the meanings ascribed to them in Data Protection Law and shall be used interchangeably herein.
- “Services” shall have the meaning ascribed to it in the Agreement.
2. Designation
The Parties acknowledge and agree that with regard to the Covered Data, User is a Business and a Controller, and that the Company is a Service Provider and a Processor (“Service Provider”).
3. Obligations
- Compliance with Law. With respect to the Covered Data, the Parties shall comply with Data Protection Law.
- Limitations on Processing. Service Provider shall at all times comply with Controller’s written instructions pursuant to the Agreement, this DPA, and all applicable laws, rules and regulations, including but not limited to, all applicable Data Protection Law. Service Provider shall only process the Covered Data for the limited purposes specified in the Agreement.
CCPA.
- To the extent any Covered Data is deemed “Personal Information” (as such term is defined under the CCPA) and is subject to the CCPA, Service Provider agrees not to: (a) “sell” or “share” the Personal Information as such terms are defined under the CCPA; (b) retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services or as otherwise expressly permitted under the Agreement including retaining, using or disclosing the Personal Information for a commercial purpose other than the business purposes specified in this DPA or the Agreement, or as otherwise permitted by the CCPA; (c) retain, use or disclose the Personal Information outside of the direct business relationship with Controller; (d) combine Personal Information it receives from Controller with Personal Information it receives from or on behalf of another person or collects from its own interactions with consumers, except where required to provide the Service provided it is permitted under the CCPA.
- For the avoidance of doubt, any Personal Information that: (i) Controller uploads directly to the Service, (ii) is received by the Service directly through Controller’s implementation, configuration, and/or use of the Developer Tools or (iii) Controller directs or instructs its partner (e.g. through configuration of the Services) to send to or share with Service Provider for Processing on Controller’s behalf for the purpose of providing the Services under the Agreement, shall be deemed Controller Personal Information received from Controller.
- Business Purposes. In accordance with the CCPA, Service Provider may engage in the following Business Purposes:
- Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.
- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
Data Subject Rights. Service Provider shall promptly notify Controller if Service Provider receives a request from a Data Subject exercising a Data Subject Request. Upon Controller’s request, Service Provider shall assist Controller in responding to such Data Subject Requests.
Security.
- Service Provider shall maintain appropriate technical and organizational measures for protection of the (i) security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), (ii) confidentiality of Personal Data and (iii) integrity of Personal Data, as set forth in Annex II to this DPA.
- The Parties shall take reasonable steps to ensure that access to the Covered Data is limited on a need to know/access basis and that all personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Covered Data.
- Security Breach or other Non-Compliance. Service Provider shall notify Controller without undue delay (and, in any event, within seventy-two (72) hours) upon Service Provider or any sub-processor of Service Provider becoming aware of (i) a breach of security measures leading to any actual or reasonably suspected unauthorized, accidental or unlawful (a) use, destruction, loss, or unauthorized disclosure, of, or (b) alteration or access to, Personal Data; (ii) any security breach (or substantially similar term) as defined by applicable Data Protection Law; or any incident that impacts the Processing of Personal Data including (i) a Data Subject Request, (ii) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent, or (iii) where, in the opinion of Service Provider, implementing an instruction received from Controller would violate the applicable Data Protection Law to which Controller or Service Provider are subject. Service Provider shall include in such notification sufficient information to allow Controller to meet any obligations to report or inform Data Subjects or any government regulators or other independent public authorities of the security breach under the Data Protection Law.
4. Cross-Border Transfers
If the Services involve the transfer of Personal Data of Data Subjects in the EEA or the UK, to a country or territory outside of those regions which has not received an applicable adequacy decision, the Parties hereby incorporate, and agree to comply with, the Standard Contractual Clauses set out by the European Commission Decision 2021/914/EU and approved for use in data transfers under the UK GDPR, located at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. In such case: (1) The Parties will complete Annexes IA, IB, IC, and II of this DPA; and (2) The Parties represent that they do not believe the laws and practices in any country to which Personal Data is transferred for purposes of the Agreement will prevent the importing Party from fulfilling its obligations under this DPA or the SCCs. By entering into this DPA, the Parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
Ex-EEA Transfers. The Parties agree that the transfer of Personal Data outside the EEA that is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR will be made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
- Module 2 shall apply;
- The optional docking clause in Clause 7 does not apply;
- In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be thirty (30) days;
- In Clause 11, the optional language does not apply;
- All square brackets in Clause 13 are hereby removed;
- In Clause 17 (Option 1), the EU SCCs will be governed by the laws of the member state of the Data Exporter;
- In Clause 18(b), disputes will be resolved before the courts of the member state of the Data Exporter;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex IA, Annex IB, and Annex IC attached hereto; and
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II attached hereto.
Ex-UK Transfers. The Parties agree that transfers of Personal Data of UK Data Subjects outside the UK that are not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018 are made pursuant to the SCCs as well as the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers, attached hereto as Exhibit B (the “IDTA”). The IDTA is hereby incorporated by reference.
- Module 2 shall apply;
- The optional docking clause in Clause 7 does not apply;
- The Parties shall complete Annex IV of this DPA.
- ‘Part I: Tables’ of the IDTA shall be deemed completed with the information set out in Exhibit B attached hereto.
5. Data Protection Impact Assessment and Prior Consultation
Service Provider shall provide reasonable assistance to Controller with any data protection impact assessments, audits, certifications, or prior consultations with legal or regulatory authorities or other competent data protection authorities, which Controller reasonably considers to be appropriate or required under any Data Protection Laws, in relation to Processing of Personal Data by Service Provider.
6. Return or Deletion of Personal Data
Upon the expiration or termination of the Agreement, Service Provider shall, at Controller’s request either (i) securely return to Controller, or (ii) securely destroy, all Personal Data obtained by Service Provider in connection with the Agreement. Service Provider will provide written confirmation to Controller of its compliance with this provision.
7. Audit
Upon the reasonable written request of Controller, and no more than once per twelve (12) month period (except where required by a Supervisory Authority or following a Personal Data Breach affecting Controller’s Personal Data), Service Provider shall make available to Controller a summary of its most recent independent third-party audit reports (such as SOC 2 reports), together with such additional information as is reasonably necessary to demonstrate Service Provider’s compliance with the obligations described in this DPA. Such audit reports and additional information are Service Provider’s Confidential Information and shall be subject to the confidentiality obligations of the Agreement (and, if not otherwise covered, a separate non-disclosure agreement). Controller shall not use such an audit report for any other purpose than to assess Service Provider’s compliance with this DPA. To the extent the information made available is insufficient to demonstrate compliance, or where required by a Supervisory Authority, Controller (or an independent, mutually-agreed third-party auditor bound by confidentiality obligations) may, on reasonable prior written notice and during normal business hours, conduct an on-site audit limited in scope to Service Provider’s compliance with this DPA, and not disruptive of Service Provider’s normal business operations. Controller shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Service Provider.
8. General Terms
Termination and Survival. This DPA and all provisions herein shall remain in effect so long as the Agreement is in effect, and shall survive termination or expiration of the Agreement to the extent necessary to give effect to obligations relating to the return or deletion of Personal Data and any other obligations that by their nature are intended to survive.
Counterparts. This DPA may be executed in any number of counterparts and any Party (including any duly authorized representative of a Party) may enter into this DPA by executing a counterpart.
Non-compliance. Each Party shall promptly inform the other if it is unable to comply with this DPA. If the non-complying Party cannot comply within a reasonable period of time, or is in substantial or persistent breach of this DPA, the complying Party shall be entitled to remediate the non-compliant action and/or terminate the DPA and the Agreement insofar as it concerns processing of Covered Data.
Ineffective clause. If individual provisions of this DPA are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.
Conflicts. In case of contradictions between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
Applicable law and jurisdiction. The applicable law and jurisdiction as set forth in the Agreement apply to this DPA.
Annex I
A. List of Parties
Data exporter(s): User; contact information provided during User registration with the Company
Role (Controller): User
Data importer(s): Company
Name: Monad, Inc.
Address: 440 Davis Court, No. 1422,
San Francisco, California 94111
Contact person’s name, position and contact details: privacy@monad.com
Activities relevant to the data transferred under these Clauses: As detailed in the Agreement, and Annex IB.
Role (Processor): Company
B. Description of Transfer
Categories of data subjects whose personal data is transferred
Controller’s employees, contractors, and authorized users whose activities generate security telemetry; Controller’s end users and customers whose interactions with Controller’s systems are reflected in security logs and event data.
Categories of personal data transferred
IP addresses, usernames, email addresses, device identifiers, user agent strings, timestamps, authentication events, access logs, network metadata, and other identifiers contained within security telemetry data transmitted through the Services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards
The Services are not designed to process sensitive personal data (e.g., health data, biometric data, racial/ethnic origin). However, security telemetry may incidentally contain such data depending on Controller’s systems and configurations.
Safeguards include: encryption in transit and at rest using strong cryptographic algorithms, role-based access controls aligned to least-privilege principles, audit logging of access to systems Processing Personal Data, data retention limits as configured by Controller, and processing limited strictly to providing the Services. Additional safeguards are described in Annex II.
The frequency of the transfer
Continuous.
Nature of the processing
Processor will collect, process, and disclose the Covered Data to provide the Services as detailed in the Agreement.
Purpose(s) of the data transfer and further processing
Processor will process Covered Data for the purposes of providing the Services and otherwise detailed in the Agreement.
The period for which the personal data will be retained
For the duration of the Agreement, after which Personal Data is returned or deleted in accordance with Section 6 of this DPA, subject to any retention required by applicable law. Personal Data is largely transient within the platform; data flowing through Monad’s pipelines is processed and routed to Controller-designated destinations rather than stored long-term by Monad. Limited account data (e.g., user email address and name) is retained for the duration of the business relationship to enable platform access.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As detailed in Annex III.
C. Competent Supervisory Authority
As directed by the Controller.
Annex II
Technical and Organisational Measures Implemented By The Data Importer
Description of the technical and organisational measures implemented by Monad, Inc. (the “Data Importer” and “Processor”) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons. These measures are validated by Monad’s SOC 2 Type 1 examination as of January 31, 2026; Monad’s SOC 2 Type 2 examination is underway with completion targeted for May 2026. Additional information is available at https://trust.monad.com.
1. Information Security Governance and Accountability
- Monad maintains a written, comprehensive information security program aligned with the AICPA Trust Services Criteria, validated by an independent SOC 2 Type 1 examination. Information security policies (including the Information Security Policy, Acceptable Use Policy, Access Control Policy, Data Classification Policy, Data Retention Policy, Encryption Policy, Incident Response Plan, Logging and Monitoring Policy, Network Security Policy, Password Policy, Risk Assessment Policy, Software Development Lifecycle Policy, Vendor Management Policy, and Vulnerability Management Policy) are reviewed and approved by management at least annually.
- The Chief Technology Officer is responsible for the design, implementation, and ongoing operation of the security program.
- Risk assessments are conducted at least annually, with results documented in a risk register and risk owners assigned to each identified risk.
- Executive management meets at least annually with independent advisors to review company performance, strategic objectives, compliance initiatives, and security and privacy risk and mitigation strategies.
- Drata is used as a compliance automation platform to continuously monitor the operation of selected internal controls and alert administrators to control failures or task deadlines.
2. Personnel Security
- Background checks are conducted on employees and contractors with access to Monad’s systems, network, or data prior to hire, as permitted by local laws.
- All employees and contractors with access to Monad’s systems are required to sign a non-disclosure agreement prior to hire and to acknowledge Monad’s Code of Conduct, Information Security Policy, and other topic-specific policies during onboarding and at least annually thereafter.
- Information security awareness training is provided to employees and contractors during onboarding and at least annually thereafter.
- System access is revoked within one (1) business day of the effective termination date for terminated personnel.
3. Identity and Access Management
- Access to information resources, systems, and data is documented and approved by management based on least privilege, need-to-know, and segregation of duties principles.
- Access to cloud infrastructure, identity and access management tools, the source code repository and CI/CD platform, and the VPN requires the use of unique identities and multi-factor authentication (MFA).
- Administrative or privileged access to the cloud infrastructure, identity and access management tools, source code repository and CI/CD platform, and VPN is restricted to authorized personnel. Access to Monad’s container management environment is restricted through authenticated, identity-based access controls and role-based authorization aligned to least-privilege principles.
- Access to the AWS root account requires MFA, and root account activity is monitored, investigated, and validated for appropriateness.
- Okta is used for internal user identity and access management; Auth0 is used to authenticate and authorize external (customer) users of the platform.
- Management performs user access reviews at least quarterly to validate user accounts and ensure associated privileges remain appropriate.
- Tailscale is used to provide encrypted, identity-based VPN access to AWS production resources. Remote access to the cloud infrastructure is only available through an encrypted connection.
4. Encryption and Key Management
- Personal Data is encrypted in transit using strong cryptographic algorithms (TLS) when connecting from web browsers to the web application and when transmitted between systems over public networks.
- Production Personal Data is encrypted at rest using strong cryptographic algorithms.
- Cryptographic keys are managed using AWS Key Management Service (KMS). Encryption keys and API keys are securely stored, and access to these keys is restricted to authorized individuals.
- Password is used as an enterprise-grade password and secrets management platform for personnel credentials.
5. Network and Infrastructure Security
- Production environments are logically separated from pre-production environments, and the separation is enforced through access controls.
- Monad implements layered network security controls within AWS, including public and private subnets, security groups, VPC isolation, and EKS network policies, to restrict unauthorized access and protect internal workloads. Cloud infrastructure resources are configured to deny public access by default.
- AWS Web Application Firewall (WAF) protects public-facing web applications from common web exploits and malicious traffic, with alerts configured to notify appropriate personnel on predefined events.
- AWS Shield provides managed DDoS protection for applications running on AWS.
- AWS GuardDuty continuously monitors AWS accounts and workloads for malicious activity and delivers security findings for review and remediation.
- AWS Inspector continuously scans AWS workloads for software vulnerabilities and unintended network exposure. Vulnerability scans of the production environment are conducted in accordance with policy, with results reviewed and vulnerabilities tracked to resolution.
- Independent third-party penetration testing is performed on at least an annual basis, with findings tracked through remediation.
- CrowdStrike provides endpoint security (anti-malware, EDR) on Monad workstations and is kept current via automatic updates.
- FleetDM is used as the Mobile Device Management (MDM) solution to enforce security policies on company-issued and contractor-managed devices, including hard-disk encryption, automated operating system security updates, screensaver locks after a defined period of inactivity, and anti-malware enforcement.
6. Secure Software Development
- Monad maintains a documented Software Development Lifecycle (SDLC) policy and Change Management Policy governing requirements, design, implementation, testing, and deployment of changes to infrastructure, systems, and applications.
- GitHub is used as the source code repository, version control, and CI/CD platform. All changes to production code are peer-reviewed and approved prior to deployment by an individual different from the developer, with review enforced via branch protection settings.
- Changes are tested in an environment separate from production prior to deployment, with documented evidence of testing criteria and results retained.
- Access to make changes in production environments is restricted to authorized personnel in accordance with segregation of duties principles.
- Baseline security configuration standards aligned to industry-accepted hardening standards are documented for system components and automatically verified upon installation or modification of production components.
- Terraform is used as an infrastructure-as-code tool to provision and manage cloud resources in a controlled and auditable manner.
7. Logging and Monitoring
- Audit logs are enabled and active for the cloud infrastructure, identity and access management tools, source code repository and CI/CD platform, and VPN, in accordance with Monad’s Logging and Monitoring Policy.
- VPC flow logs are enabled to log network traffic to and from the production VPC and to support detection of unusual or anomalous activity.
- Logs are aggregated to a centralized system that sends alerts to personnel based on pre-configured rules. Access to logs is restricted to authorized personnel. Logs are retained in accordance with Monad’s Logging and Monitoring Policy and Data Retention Policy.
- AWS CloudTrail records account activity across AWS infrastructure; AWS CloudWatch is used for monitoring and observability.
- A threat detection system monitors web traffic and suspicious activity; anomalous activity triggers automated alerts to personnel and is escalated through the incident management process.
8. Physical Security
- Personal Data is hosted in cloud infrastructure operated by Amazon Web Services (AWS), which maintains independent certifications including SOC 1, SOC 2, and ISO 27001, and provides 24/7 physical security, environmental controls, redundant power and cooling, and strict access controls at its data centers. Monad does not operate its own data centers.
- Monad’s corporate headquarters is located in San Francisco, California. Personal Data is not stored on local workstations except as strictly necessary, and only in encrypted form.
9. Business Continuity, Disaster Recovery, and Resilience
- Monad maintains a documented Disaster Recovery Plan and Business Continuity Plan outlining roles, responsibilities, and procedures for recovery of systems and continuity of operations in the event of disruption.
- Backups of production data are performed at least daily and retained in accordance with Monad’s Backup Policy and Data Retention Policy.
- Backup restoration is tested on at least an annual basis to validate recovery capability.
- Production workloads in Amazon EKS use Horizontal Pod Autoscaling (HPA) to automatically adjust application replica counts based on defined performance metrics within approved minimum and maximum limits.
10. Incident Response and Breach Notification
- Monad maintains a documented Incident Response Plan defining roles, responsibilities, escalation paths, and communication protocols. The plan is reviewed periodically and updated based on lessons learned.
- Incident.io is used as the incident response platform to support detection, diagnosis, and resolution of critical issues.
- Security events are evaluated to determine whether they constitute an incident. Incidents are assigned a priority, categorized, documented, tracked, escalated, contained, eradicated, communicated, and resolved in accordance with company policies.
- Monad will notify Controller without undue delay, and in any event within seventy-two (72) hours, of confirmed Personal Data Breaches affecting Controller’s Personal Data, as set out in Section 3.6 of this DPA.
11. Sub-Processor Management
- Monad maintains a documented Vendor Management Policy governing third-party relationships through their entire lifecycle.
- Due diligence is performed on high-risk vendors and service providers prior to contract execution and at least annually thereafter, with results and any action items documented.
- Monad enters into written agreements with sub-processors that include security, confidentiality, and privacy requirements that are no less protective than those Monad owes Controller under this DPA.
- Authorized sub-processors are listed in Annex III. Where AI-supported functionality is used, Monad configures the AI tools to ensure customer data is not used for training the underlying large language model.
12. Data Minimization, Quality, Retention, and Deletion
- The Monad platform is designed to process Personal Data on a transient, streaming basis. Monad intentionally stores only the data necessary for a customer to access the platform (e.g., user email address and name) and routes Covered Data through pipelines to Controller-designated destinations rather than retaining it long-term.
- Where optional AI-supported functionality is enabled by Controller, data processed by the AI component is subject to strict retention controls and is retained for no longer than seven (7) days before being automatically deleted.
- Monad maintains a documented Data Classification Policy and Data Retention Policy, and documented policies and procedures for erasure or destruction of Personal Data identified for disposal.
- Upon termination of the Agreement, Personal Data is returned or deleted in accordance with Section 6 of this DPA.
13. Compliance, Certification, and Audit
- Monad’s security program is validated by independent third-party examinations:
SOC 2 Type 1 (as of January 31, 2026) – completed;
SOC 2 Type 2 – examination underway, with completion targeted for May 2026.
- Reports and additional trust-related materials are made available at https://trust.monad.com, and copies of reports are made available to Controller upon reasonable request under a non-disclosure agreement.
- A centralized asset register is maintained for physical, cloud, and other assets with attributes supporting accountability (owner, description, location, classification).
14. Government Access Requests
- Monad will challenge government data access requests that are overbroad, unlawful, or inconsistent with applicable Data Protection Law.
- Monad will notify Controller of any government request for access to Controller’s Personal Data unless legally prohibited from doing so, and will document each request, the response, and the authority involved.
15. Measures Required of Sub-processors
Each sub-processor engaged by Monad to Process Controller’s Personal Data is contractually required to implement technical and organisational measures that are at least as protective as those described in this Annex II with respect to the Personal Data Processed on Monad’s behalf, including with respect to encryption, access control, logging, breach notification, and assistance to Monad and Controller in responding to Data Subject requests and supervisory authority inquiries.
Annex III
LIST OF SUB-PROCESSORS
Exhibit B: IDTA Addendum
Table 1: Parties
Table 2: Selected SCCs, Modules and Selected Clauses
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Table 4: Ending this Addendum when the Approved Addendum Changes