Data Processing Addendum

LimaCharlie DPA

Effective: November 1, 2025

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) sets forth the terms and conditions governing the privacy, security and Processing of Customer Personal Information. This DPA is incorporated into and forms a part of the Refraction Point, Inc. Terms and Conditions (“Agreement”). Except as modified below, the Agreement’s terms shall remain in full force and effect.

HOW AND WHEN THIS DPA APPLIES

  • If and as provided for in the terms and conditions of the Agreement, this DPA is automatically incorporated into and forms a binding and effective part of that Agreement on and from the Addendum Effective Date.

  • This DPA applies only if and to the extent Privacy and Data Security Laws govern Refraction Point’s Processing of Customer Personal Information in performance of the Services as a ‘processor’, ‘service provider’ or similar role defined under Privacy and Data Security Laws.

  • Accordingly, this DPA does not apply to Refraction Point’s Processing of any Personal Information for its own business/customer relationship administration purposes, its own marketing or service analytics (e.g., involving data collected by Refraction Point relating to Authorized Users’ use of the Services), its own information and systems security purposes supporting the operation of the Services, nor its own legal, regulatory or compliance purposes.

  1. DEFINITIONS

    1. In this DPA (including the explanatory notes above) the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:

      1. Addendum Effective Date” means the effective date of the Agreement.

      2. “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder. The CCPA, to the extent applicable, shall be considered a Privacy and Data Security Law.

      3. Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information, including, as applicable, any “business” as that term is defined by Privacy and Data Security Laws.

      4. Data Subject” means the identified or identifiable natural person to whom Customer Personal Information relates.

      5. Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Privacy and Data Security Laws in respect of Customer Personal Information and the Processing thereof.

      6. “GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law (as amended from time to time) (“UK GDPR”). GDPR, to the extent applicable, shall be considered a Privacy and Data Security Law.

      7. Personal Information Breach” means a breach of Refraction Point’s (or its Sub-Processor’s) security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Information in Refraction Point’s possession, custody or control. For clarity, Personal Information Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Information (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).

      8. Personnel” means a person’s employees, agents, consultants, contractors or other staff.

      9. Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Information on behalf of the Controller, including, as applicable, any “service provider” as that term is defined by Privacy and Data Security Laws.

      10. Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Information to any person located in: (i) in the context of the EU GDPR, any country or territory outside the European Economic Area (the “EEA”), which does not benefit from an adequacy decision from the European Commission (an “EEA Restricted Transfer”); and (ii) in the context of the UK GDPR, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.

      11. SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.

      12. Sub-Processor” means any third party appointed by or on behalf of Refraction Point to Process Customer Personal Information.

      13. Supervisory Authority”: means any entity with the authority to enforce Privacy and Data Security Laws.

      14. UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).

    2. Unless otherwise defined in this DPA, all capitalized terms in this DPA shall have the meaning given to them in the Agreement.

  2. APPLICATION OF THIS DATA PROCESSING ADDENDUM

    1. The front-end of this DPA applies generally to Refraction Point’s Processing of Customer Personal Information under the Agreement.

    2. Annex 2 (California Annex) applies only if and to the extent Refraction Point’s Processing of Customer Personal Information on behalf of Customer under the Agreement is subject to the CCPA.

    3. Annex 3 (European Annex) applies only if and to the extent Refraction Point’s Processing of Customer Personal Information under the Agreement is subject to the GDPR.

  3. PROCESSING OF CUSTOMER PERSONAL DATA

    1. The Parties acknowledge and agree that the details of Refraction Point’s Processing of Customer Personal Information (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.

    2. Refraction Point shall not Process Customer Personal Information other than: (a) on Customer’s instructions; or (b) as required by applicable laws provided that, in such circumstances, Refraction Point shall inform Customer in advance of the relevant legal requirement requiring such Processing if and to the extent Refraction Point is: (i) required to do so by Privacy and Data Security Laws; and (ii) permitted to do so in the circumstances. Customer instructs Refraction Point to Process Customer Personal Information to (a) provide the Services to Customer and in accordance with the Agreement; (b) perform its obligations under the Agreement; and (c) exercise its rights under the Agreement. The Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on Refraction Point only pursuant to any written amendment to this DPA signed by both Parties. Where required by Privacy and Data Security Laws, if Refraction Point receives an instruction from Customer that, in its reasonable opinion, infringes Privacy and Data Security Laws, Refraction Point shall notify Customer.

    3. The Parties acknowledge that Refraction Point’s Processing of Customer Personal Information authorized by Customer’s instructions stated in this DPA is integral to the Services and the business relationship between the Parties. Access to Personal Information does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.

  4. REFRACTION POINT PERSONNEL

    Refraction Point shall take commercially reasonable steps designed to ascertain the reliability of any Refraction Point Personnel who Process Customer Personal Information. Refraction Point shall ensure its Personnel who are authorized to Process Customer Personal Information are subject to appropriate contractual confidentiality obligations in the event that they are not otherwise subject to professional or statutory obligations of confidentiality.

  5. SECURITY

    1. Refraction Point shall implement and maintain technical and organizational measures in relation to Customer Personal Information designed to protect Customer Personal Information against Personal Information Breaches as described in Annex 4 (Security Measures) (the “Security Measures”).

    2. Refraction Point may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Information.

  6. DATA SUBJECT REQUESTS

    1. Refraction Point, taking into account the nature of the Processing of Customer Personal Information, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests. If Refraction Point receives a Data Subject Request, Customer will be responsible for responding to any such request.

    2. Refraction Point shall: (a) promptly notify Customer if it receives a Data Subject Request; and (b) not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except as required by Privacy and Data Security Laws.

  7. PERSONAL DATA BREACH

    1. Refraction Point shall notify Customer without undue delay upon Refraction Point’s confirmation of a Personal Information Breach affecting Customer Personal Information. Refraction Point shall provide Customer with information (insofar as such information is within Refraction Point’s possession and knowledge and does not otherwise compromise the security of any Personal Information Processed by Refraction Point) designed to allow Customer to meet its obligations under the Privacy and Data Security Laws to report the Personal Information Breach. Refraction Point’s notification of or response to a Personal Information Breach shall not be construed as Refraction Point’s acknowledgement of any fault or liability with respect to the Personal Information Breach.

    2. Customer is solely responsible for complying with applicable laws (including notification laws) and fulfilling any third-party notification obligations related to any Personal Information Breaches.

    3. If Customer determines that a Personal Information Breach must be notified to any Supervisory Authority, any other governmental authority, any Data Subject(s), the public or others under Privacy and Data Security Laws or otherwise, to the extent such notice directly or indirectly refers to or identifies Refraction Point, where permitted by applicable laws, Customer agrees to: (a) notify Refraction Point in advance; and (b) in good faith, consult with Refraction Point and consider any clarifications or corrections Refraction Point may reasonably recommend or request to any such notification, which: (i) relate to Refraction Point’s involvement in or relevance to such Personal Information Breach; and (ii) are consistent with applicable laws.

  8. SUB-PROCESSING

    1. Customer generally authorizes Refraction Point to appoint Sub-Processors in accordance with this Section 8. Information about Refraction Point’s Sub-Processors, including their functions and locations is as shown in the Sub-Processor list shown at https://trust.limacharlie.io/ , as may be updated from time to time, or any successor page (the “Sub-Processor Site”). Without limitation, Customer authorizes the engagement of the Sub-Processors listed on the Sub-Processor Site, as may be updated from time to time.

    2. Where required by Privacy and Data Security Laws:

      1. In the event Refraction Point proposes any new or additional Sub-Processor after the Addendum Effective Date, Refraction Point shall give Customer prior written notice of such appointment, including reasonable details of the Processing to be undertaken by the Sub-Processor by updating the Sub-Processor Site and providing a means by which Customers may subscribe to receive notice of such updates or otherwise providing written notice. Customer agrees that Customer is solely responsible for ensuring that it subscribes to receive notice of any such updates to the Sub-Processor Site.

      2. If, within fourteen (14) days of receipt of a notice from Refraction Point under Section 8.2(a), Customer notifies Refraction Point in writing of any objections (on reasonable grounds related to protection of Customer Personal Information) to the proposed appointment, Refraction Point shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor. Where: (i) such a change cannot be made within thirty (30) days from Refraction Point’s receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, then Customer may terminate that portion of the Agreement that would require use of the proposed Sub-Processor by written notice to Refraction Point as its sole and exclusive remedy, provided that all fees due to Refraction Point up to the point of such termination shall still be owed by Customer to Refraction Point. If Customer does not object to Refraction Point’s appointment of a Sub-Processor during the objection period referred to in this Section 8.2, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor. With respect to each Sub-Processor, Refraction Point shall maintain a written contract between Refraction Point and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Customer Personal Information as those set out in this DPA. Refraction Point shall remain liable for any breach of this DPA caused by a Sub-Processor.

  9. COMPLIANCE REVIEW

    1. Refraction Point shall make available to Customer on request, such information as Refraction Point (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA and its performance of its obligations under this DPA is consistent with Refraction Point’s obligations under Privacy and Data Security Laws.

    2. Subject to Sections 9.3 to 9.6, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Refraction Point pursuant to Section 9.1 is not sufficient in the circumstances to demonstrate Refraction Point’s compliance with this DPA, Refraction Point shall allow for and contribute to audits, including on-premise inspections of Refraction Point’s facilities, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Information by Refraction Point.

    3. Customer shall give Refraction Point reasonable notice of any audit or inspection to be conducted under Section 9.2 (which shall in no event be less than fourteen (14) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Refraction Point’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Refraction Point’s other customers or the availability of Refraction Point’s services to such other customers).

    4. Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Refraction Point will review the proposed audit plan and provide Customer with any feedback, concerns or questions (for example, any request for information that could compromise Refraction Point security, privacy, employment or other relevant policies). Refraction Point will work cooperatively with Customer to agree on a final audit plan.

    5. If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and Refraction Point has confirmed in writing that there have been no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures. Refraction Point shall provide copies of any such Audit Reports to Customer upon request; provided that they shall constitute the confidential information of Refraction Point, which Customer shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Customer’s obligations under Privacy and Data Security Laws.

    6. Refraction Point need not give access to its premises for the purposes of such an audit or inspection: (a) where an Audit Report is accepted in lieu of such controls or measures in accordance with Section 9.5; (b) to any individual unless they produce reasonable evidence of their identity; (c) to any auditor whom Refraction Point has not approved in advance (acting reasonably); (d) to any individual who has not entered into a non-disclosure agreement with Refraction Point on terms acceptable to Refraction Point; (e) outside normal business hours at those premises; or (f) on more than one occasion in any calendar year during the term of the Agreement, except for any audits or inspections which Customer is required to carry out by a Supervisory Authority. Nothing in this DPA shall require Refraction Point to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their customers. Nothing in this Section 9 shall be construed to obligate Refraction Point to breach any duty of confidentiality.

  10. RETURN AND DELETION

    1. Upon expiration or earlier termination of the Agreement, Refraction Point shall return and/or delete all Customer Personal Information in Refraction Point’s care, custody or control in accordance Customer’s instructions as to the post-termination return and deletion of Customer Personal Information expressed in the Agreement. To the extent that deletion of any Customer Personal Information contained in any back-ups maintained by or on behalf of Refraction Point is not technically feasible within the timeframe set out in Customer’s instructions, Refraction Point shall (a) securely delete such Customer Personal Information in accordance with any relevant scheduled back-up deletion routines (e.g., those contained within Refraction Point’s relevant business continuity and disaster recovery procedures); and (b) pending such deletion, put such Customer Personal Information beyond use.

    2. Notwithstanding the foregoing, Refraction Point may retain Customer Personal Information where required by applicable laws, provided that Refraction Point shall Process the Customer Personal Information only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.

  11. CUSTOMER’S RESPONSIBILITIES

    1. Customer agrees that, without limiting Refraction Point’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Information.

    2. Customer shall ensure, and is solely responsible for ensuring, that (a) there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Refraction Point of Customer Personal Information in accordance with this DPA and the Agreement; and (b) all Data Subjects have: (i) been presented with all required notices and statements; and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Refraction Point of Customer Personal Information.

    3. Customer agrees that the Services, the Security Measures, and Refraction Point’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Privacy and Data Security Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Information.

    4. Customer shall not provide or otherwise make available to Refraction Point any Customer Personal Information that contains any biometric information or identifiers. Customer will use reasonable efforts not to provide or otherwise make available to Refraction Point any Customer Personal Information that contains (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) passwords to any online accounts not relevant for use of the Service; (e) credentials to any financial accounts; (f) Personal Information of children under 16 years of age; or (g) data relating to criminal convictions and offenses (together, “Restricted Data”).

    5. Except to the extent prohibited by Privacy and Data Security Laws, Customer shall compensate Refraction Point at Refraction Point’s then-current professional services rates for, and reimburse any costs reasonably incurred by Refraction Point in the course of providing, cooperation, information, or assistance requested by Customer in respect of this DPA (including pursuant to Sections 6, 7 and 9 of this DPA and Paragraph 1 of Annex 3 (European Annex), beyond providing self-service features included as part of the Service.

  12. LIABILITY

    The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 12 will affect any person’s liability to Data Subjects under relevant third-party beneficiary provisions of Privacy and Data Security Laws (if and as they apply).

  13. VARIATION

    Refraction Point may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Privacy and Data Security Laws from time to time (including by varying or replacing the SCCs in the manner described in Paragraph 2.5 of Annex 3 (European Annex)) and/or to reflect any relevant changes in the Services and its Processing of Personal Information as part thereof.

  14. INCORPORATION AND PRECEDENCE

    1. In the event of any conflict or inconsistency between: (a) this DPA and the Agreement, this DPA shall prevail; or (b) any SCCs entered into pursuant to Paragraph 2 of Annex 3 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.


1. Data Processing Details

Note: this Annex 1 (Data Processing Details) to the DPA includes certain details of the Processing of Customer Personal Information as required: (a) by Article 28(3) GDPR; and (b) to populate the Appendix to the SCCs in the manner described in Paragraph 2.2(d) of Annex 3 (European Annex).

REFRACTION POINT DETAILS

Name:Refraction Point, Inc.
Address:440 N Barranca Ave #5258, Covina, CA 91723, United States
Contact Details for Data Protection:Role: Chief Operating Officer Email: legal@refractionpoint.com
Refraction Point Activities:Refraction Point provides a cloud-based security infrastructure as a service (IaaS) platform that helps organizations secure and monitor their systems.
Role:Processor

CUSTOMER DETAILS

Name:The entity or other person who is a counterparty to the Agreement.
Address:Customer’s address is the address shown in or determined by the Agreement (including in any Order Form); or if no such address is contained within the Agreement, Customer’s principal business trading address – unless otherwise notified to Refraction Point’s contact point noted above.
Contact Details for Data Protection:Refraction Point’s primary point of contact with Customer; or any other email notified by Customer for the purpose of providing it with Data Protection-related communications or alerts. (Customer agrees that it is solely responsible for ensuring that such contact details are valid and up-to-date and will direct relevant communications to the appropriate individual within its organization.)
Customer Activities:Customer’s activities relevant to this DPA are the use and receipt of the Services as part of its ongoing business operations under and in accordance with the Agreement.
Role:Controller – in respect of any Processing of Customer Personal Information in respect of which Customer is a Controller in its own right; and/or Processor – in respect of any Processing of Customer Personal Information in respect of which Customer is itself acting as a Processor on behalf of any other person (including its affiliates, if and where applicable).

DETAILS OF PROCESSING

Name:Details of Processing
Categories of Data Subjects:Any individuals whose Customer Personal Information is comprised within data submitted to the Services by or on behalf of Customer under the Agreement, which will depend upon the nature of the use/deployment of those Services and any systems, platforms or technologies with which Customer integrates the Services and the configuration(s) of such integration(s) – but may include: Customer’s own employees, customers, clients, (sub-)licensees. Website visitors. End-users and other users of Customer’s products and services. Individuals whose data is contained in any databases / systems connected to the Services or otherwise Processed or made available to the Services. Where any of the above is a business or organization, it includes their Personnel or other relevant natural persons. Each category includes current, past and prospective Data Subjects.
Categories of Personal Information:Any Customer Personal Information comprised within data submitted or made available to the Services by or on behalf of Customer under the Agreement, which will depend upon the nature of the use/deployment of those Services and any systems, platforms or technologies with which Customer integrates the Services and the configuration(s) of such integration(s) – but may include: Personal details – for example, any information that identifies the Data Subject and their personal characteristics, name, age, date of birth and username. Contact details – for example, home and/or business address, email address, telephone details and other contact information. Technological details – for example, internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses. Web activity/log data – for example, information concerning a Data Subject’s computer use, including files accessed/downloaded. Any other details – for example any Personal Information relating to relevant Data Subjects included in text fields or contained in any documents or databases submitted or made available to the Services or otherwise Processed by Refraction Point to perform the Services, or made available by or on behalf of the Customer to the Services.
Sensitive Categories of Data, and associated additional restrictions/safeguards:Categories of sensitive data: The categories of sensitive data that may be made available to Refraction Point by or on behalf of Customer are in Customer’s discretion – but may include, for example, race or ethnicity, religious or philosophical beliefs, government identifiers, trade union membership, and precise geolocation. Additional safeguards for sensitive data: See Annex 4
Frequency of transfer:Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the Processing:Processing operations required in order to provide the Services in accordance with the Agreement and as permitted under Section 3.2 of this DPA.
Purpose of the Processing:Customer Personal Information will be processed as permitted under Section 3.2 of this DPA.
Duration of Processing / Retention Period:For the period determined in accordance with the Agreement and DPA, including Section 10 of the DPA.
Transfers to (sub-) processors:Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor Site (as may be updated from time to time in accordance with Section 8 of the DPA).


2. California Annex

  1. In this Annex 2, the terms “business,” “business purpose,” “commercial purpose,” “consumer,” “sell,” “share,” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Customer Personal Information that constitutes “personal information” as defined in and that is subject to the CCPA.

  2. The business purposes and services for which Refraction Point is Processing personal information are for Refraction Point to provide the services to and on behalf of Customer and as otherwise set forth in the Agreement, as described in more detail in Annex 1 (Data Processing Details) to the DPA.

  3. It is the Parties’ intent that with respect to any personal information, Refraction Point is a service provider. Refraction Point (a) acknowledges that personal information is disclosed by Customer only for limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to personal information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under and subject to Section 9 (Compliance Review) of the DPA to help ensure that Refraction Point’s use of personal information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by Refraction Point that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

  4. Refraction Point shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship between Refraction Point and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Refraction Point’s own interaction with any consumer to whom such personal information pertains.

  5. Refraction Point shall implement reasonable security procedures and practices appropriate to the nature of the personal information received from, or on behalf of, Customer, in accordance with Section 5 (Security Measures) of the DPA.

  6. When Refraction Point engages any Sub-Processor, Refraction Point shall notify Customer of such Sub-Processor engagements in accordance with Section 8 (Sub-Processing) of the DPA and that such notice shall satisfy Refraction Point’s obligation under the CPRA to give notice of such engagements.

  7. Refraction Point agrees that Customer may conduct audits, in accordance with Section 9 of the DPA, to help ensure that Refraction Point’s use of personal information is consistent with Refraction Point’s obligations under the CCPA.

  8. The Parties acknowledge that Refraction Point’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the Agreement and DPA are integral to Refraction Point’s provision of the Services and the business relationship between the Parties.

3. European Annex

  1. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

    Refraction Point, taking into account the nature of the Processing and the information available to Refraction Point, shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Information by Refraction Point.

  2. RESTRICTED TRANSFERS

    1. Entry into Transfer Mechanisms

      1. EEA Restricted Transfers. To the extent that any Processing of Customer Personal Information under this DPA involves an EEA Restricted Transfer from Customer to Refraction Point, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (i) populated in accordance with Section 2.2 of this Annex 3 (European Annex); and (ii) entered into by the Parties and incorporated by reference into this DPA.

      2. UK Restricted Transfers. To the extent that any Processing of Customer Personal Information under this DPA involves a UK Restricted Transfer from Customer to Refraction Point, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (i) varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with Sections 2.2 and 2.3 of this Annex 3 (European Annex); and (ii) entered into by the Parties and incorporated by reference into this DPA.

    2. Population of SCCs

      1. Signature of SCCs. Where the SCCs apply in accordance with Paragraph 2.1(a) and/or Paragraph 2.1(b) of this Annex 3 (European Annex), each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.

      2. Modules of SCCs. As and where relevant: Module Two of the SCCs applies to any EEA Restricted Transfer involving Processing of Personal Information in respect of which Customer is a Controller in its own right; and/or Module Three of the SCCs applies to any EEA Restricted Transfer involving Processing of Personal Information in respect of which Customer is a Processor.

      3. Population of body of SCCs. As and where applicable to the relevant Module and the Clauses thereof: (i) in Clause 7: the ‘Docking Clause’ is not used; (ii) in Clause 9: ‘Option 2: General Written Authorisation’ applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 8.2 of the DPA; (iii) in Clause 11: the optional language is not used; (iv) in Clause 13: all square brackets are removed and all text therein is retained; (v) in Clause 17: ‘OPTION 1’ applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EEA Restricted Transfer; and (vi) in Clause 18(b): the Parties agree that any dispute arising from the SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland.

      4. Population of Appendix to SCCs. Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with: Customer being ‘data exporter’ and Refraction Point being ‘data importer’; and Part C to that Annex 1 is populated with: the competent Supervisory Authority shall be determined as follows: (i) where Customer is established in an EU Member State: the competent Supervisory Authority shall be the Supervisory Authority of that EU Member State in which Customer is established; and (ii) where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EEA Representative under Article 27 of the GDPR: the competent Supervisory Authority shall be the Supervisory Authority of the EU Member State in which Customer’s EEA Representative relevant to the Processing hereunder is based (from time-to-time), which Customer shall notify to Refraction Point in writing – Customer agrees that it is solely responsible for making such notification and its accuracy. Annex II shall be populated with reference to the information contained in or determined by Section 2.3 of the DPA (including the Security Measures).

    3. UK Restricted Transfers

      1. UK Transfer Addendum. Where relevant in accordance with Section 2.1(b) of this Annex 3 (European Annex), the SCCs apply to any UK Restricted Transfers as varied by the UK Transfer Addendum in the following manner: (i) ’Part 1 to the UK Transfer Addendum’: (A) the Parties agree: Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and Section 2.2 of this Annex 3 (European Annex); and (B) Table 4 to the UK Transfer Addendum is completed with ‘Data Importer’ only; and (ii) ‘Part 2 to the UK Transfer Addendum’: the Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum and that the SCCs shall apply to any UK Restricted Transfers as varied in accordance with those Mandatory Clauses.

      2. Interpretation. As permitted by section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner determined by 2.3(a) of this Annex 3 (European Annex); provided that the Parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in section 3 of the UK Mandatory Clauses). In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in this Section 2.3 of this Annex 3 (European Annex).

    4. Operational Clarifications

      1. When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect Refraction Point’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.

      2. Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Refraction Point to notify any third-party Controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.

      3. For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.

      4. The terms and conditions of Section 8 of the DPA apply in relation to Refraction Point’s appointment and use of Sub-Processors under the SCCs. Any approval by Customer of Refraction Point’s appointment of a Sub-Processor that is given expressly or deemed given pursuant to that Section 8 constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Sub-Processors if and as required under Clause 8.8 of the SCCs.

      5. The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 9 of the DPA.

      6. Certification of deletion of Personal Information as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Customer’s written request.

      7. In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request; accompanied by suitable supporting evidence of the relevant request), Refraction Point shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with relevant provisions of this DPA in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Privacy and Data Security Laws.

    5. Adoption of new transfer mechanism

Refraction Point may on notice vary this DPA and replace the relevant SCCs with: (a) any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR (if/where applicable)); or (b) another transfer mechanism other than the SCCs, which enables the lawful transfer of Customer Personal Information by Customer to Refraction Point under this DPA in compliance with Chapter V of the GDPR.



4. Security Measures

As from the Addendum Effective Date, Refraction Point will implement and maintain the Security Measures as set out in this Annex 4.

  1. Compliance with SOC 2, Type II or substantially similar standard.

  2. Organizational management and staff responsible for the development, implementation and maintenance of Refraction Point’s information security program.

  3. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Refraction Point’s organization, monitoring and maintaining compliance with Refraction Point’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

  4. Data security controls which include at a minimum logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Customer Personal Information.

  5. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.

  6. Password controls designed to manage and control password strength and usage.

  7. System audit or event logging and related monitoring procedures to proactively record user access and system activity.

  8. Physical and environmental security of production resources relevant to the Services is maintained by the relevant Sub-Processor(s) (and their vendors) engaged from time-to-time by Refraction Point to host those resources. Refraction Point takes steps to ensure that such Sub-Processors provide appropriate assurances and certifications that evidence such physical and environmental security – including security of data centre, server room facilities and other areas containing Customer Personal Information designed to: (a) protect information assets from unauthorized physical access; (b) manage, monitor and log movement into and out of Sub-Processor facilities; and (c) guard against environmental hazards such as heat, fire and water damage.

  9. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Refraction Point’s possession.

  10. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Refraction Point’s technology and information assets.

  11. Incident management procedures designed to allow Refraction Point to investigate, respond to, mitigate and notify of events related to Refraction Point’s technology and information assets.

  12. Network security controls that provide for the use of enterprise firewalls and systems designed to protect systems from intrusion and limit the scope of any successful attack.

  13. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

  14. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

Refraction Point may freely update or modify these Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of Services and/or relevant Customer Personal Information.

440 N Barranca Ave #5258
Covina, CA 91723

5307 Victoria Drive #566
Vancouver, BC V5P 3V6

Stay up-to-date on all things LimaCharlie with our monthly newsletter.

Use Case Catalog

EDR / XDR

SIEM / Log Analytics

Incident Response

SOAR / Automation

SecOps Engineering

Cloud Security

Blog

Case Studies

Data Sheets

Webinars

Events

Community

Podcast

Defender Fridays

Documentation

About Us

Careers

News & Press

Contact Us

Status

Trust

Terms of Service

Privacy Policy

Copyright © LimaCharlie 2025