Data Processing Agreement

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms and Conditions or other written agreement between AnansiTraps Ltd. ("AnansiTraps," "Processor") and the Client ("Controller") (together, the "Parties") governing the Client's use of the AnansiTraps cyber deception platform and associated services (the "Services").

This DPA applies wherever AnansiTraps processes Personal Data on behalf of the Client in the course of delivering the Services. It sets out the rights and obligations of each party with respect to such processing and is designed to comply with:

• Kenya Data Protection Act, 2019 (KDPA)
• EU General Data Protection Regulation 2016/679 (GDPR)
• UK General Data Protection Regulation (UK GDPR)
• South Africa Protection of Personal Information Act, 2013 (POPIA)
• California Consumer Privacy Act, 2018 (CCPA)

In the event of any conflict between this DPA and the Terms and Conditions with respect to the processing of Personal Data, this DPA takes precedence.

2. Definitions

For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person that AnansiTraps processes on behalf of the Client in connection with the Services.
• "Processing" means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, erasure, or destruction.
• "Controller" means the Client, who determines the purposes and means of processing Personal Data.
• "Processor" means AnansiTraps, who processes Personal Data on behalf of the Controller.
• "Sub-processor" means any third party engaged by AnansiTraps to process Personal Data in connection with the Services.
• "Data Subject" means the natural person to whom Personal Data relates.
• "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
• "Restricted Transfer" means a transfer of Personal Data to a country or territory outside the European Economic Area (EEA), UK, or other jurisdiction that has not been deemed to provide an adequate level of data protection.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries as approved by the European Commission.
• "Threat Intelligence Data" means attacker behavioral data, TTPs, IOCs, and related telemetry captured by Deception Assets, which does not constitute Personal Data for the purposes of this DPA unless it can be used to identify a natural person.
• "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA.

3. Roles and Relationship of the Parties

3.1 Controller and Processor

The Client acts as the Controller of Personal Data processed in connection with the Services. AnansiTraps acts as the Processor of such Personal Data, processing it only on the documented instructions of the Client.

3.2 Independent Processing

Where AnansiTraps processes Personal Data for its own purposes (such as account management, billing, or platform improvement), AnansiTraps acts as an independent Controller in respect of such processing, which is governed by AnansiTraps' Privacy Policy.

3.3 CCPA Characterization

For the purposes of the CCPA, AnansiTraps acts as a "Service Provider" to the Client. AnansiTraps will not sell Personal Data, share Personal Data for cross-context behavioral advertising, or retain, use, or disclose Personal Data outside the scope of its Services engagement with the Client.

4. Details of Processing

4.1 Subject Matter

The subject matter of processing under this DPA is the provision of the AnansiTraps cyber deception platform and associated managed security services to the Client.

4.2 Duration

Processing continues for the duration of the Subscription Term and for any post-termination period during which AnansiTraps retains Client Data in accordance with Section 11 of this DPA.

4.3 Nature and Purpose of Processing

AnansiTraps processes Personal Data for the following purposes:

• Provisioning, operating, and maintaining the Platform and Services
• Delivering Managed Security Services where applicable
• Providing customer support and responding to Client incidents
• Monitoring Platform performance and security
• Compliance with legal obligations

4.4 Categories of Personal Data

The categories of Personal Data processed may include:

• Identity data of Authorized Users (name, job title)
• Contact data (email address, phone number)
• Authentication data (usernames, hashed passwords, MFA tokens)
• Usage and access logs (IP addresses, session data, feature usage)
• Security event data generated within the Client's environment that may incidentally contain Personal Data
• Any other Personal Data included in Client Data as determined by the Client

4.5 Categories of Data Subjects

Data Subjects may include:

• The Client's Authorized Users
• The Client's employees, contractors, and agents whose data appears in security event logs
• In Managed Security Service engagements, individuals whose activity is captured within the Client's monitored environment

4.6 Special Categories of Data

AnansiTraps does not intentionally process special categories of Personal Data (such as health data, biometric data, or criminal conviction data) in connection with the Services. The Client must notify AnansiTraps immediately if it becomes aware that special category data is being processed through the Platform, and the parties will agree appropriate additional safeguards.

5. AnansiTraps' Obligations as Processor

AnansiTraps shall:

5.1 Documented Instructions

Process Personal Data only on the documented instructions of the Client, including with regard to transfers of Personal Data to third countries, unless required to do so by applicable law. Where AnansiTraps is required by law to process Personal Data beyond the Client's instructions, AnansiTraps will inform the Client of that legal requirement before processing, unless prohibited by law.

5.2 Confidentiality

Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether by contract or statutory duty.

5.3 Security

Implement and maintain appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as further described in Section 8 of this DPA.

5.4 Sub-processors

Engage Sub-processors only in accordance with Section 7 of this DPA and remain fully liable to the Client for the acts and omissions of Sub-processors in connection with their processing of Personal Data.

5.5 Data Subject Rights

Promptly notify the Client of any Data Subject request received directly by AnansiTraps and provide reasonable assistance to the Client in responding to such requests, taking into account the nature of the processing.

5.6 Assistance with Compliance

Provide reasonable assistance to the Client in ensuring compliance with its obligations under Applicable Data Protection Law with respect to security, breach notification, data protection impact assessments (DPIAs), and prior consultations with supervisory authorities, taking into account the nature of processing and information available to AnansiTraps.

5.7 Deletion and Return

Upon termination or expiry of the Services, delete or return all Personal Data to the Client in accordance with Section 11 of this DPA, unless retention is required by applicable law.

5.8 Audit and Cooperation

Make available to the Client all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Client or a mandated auditor, subject to reasonable advance notice, confidentiality obligations, and the scope limitations set out in Section 9.

6. Client's Obligations as Controller

The Client shall:

• Ensure that its instructions to AnansiTraps comply with Applicable Data Protection Law
• Ensure it has a valid lawful basis for processing Personal Data and for instructing AnansiTraps to process Personal Data on its behalf
• Ensure that Data Subjects have been provided with appropriate privacy notices regarding processing carried out through the Platform
• Ensure that the deployment of Deception Assets within its environment complies with applicable monitoring, employment, and privacy laws
• Promptly inform AnansiTraps of any changes to its instructions that may affect AnansiTraps' processing activities
• Be responsible for the accuracy, quality, and legality of Personal Data submitted to the Platform

7. Sub-processors

7.1 Authorized Sub-processors

The Client provides general written authorization for AnansiTraps to engage the Sub-processors listed in Schedule A to this DPA. AnansiTraps' current Sub-processors are:

Schedule A — Authorized Sub-processors

7.2 Changes to Sub-processors

AnansiTraps will provide the Client with at least thirty (30) days' prior written notice of any intended addition or replacement of Sub-processors by updating Schedule A and notifying the Client by email.

7.3 Objection to Sub-processors

The Client may object to a new Sub-processor on reasonable data protection grounds by providing written notice to AnansiTraps within fourteen (14) days of receiving notification. The parties will work in good faith to resolve the objection. If the objection cannot be resolved and the new Sub-processor is essential to the delivery of the Services, either party may terminate the affected Services with thirty (30) days' written notice without penalty.

7.4 Sub-processor Obligations

AnansiTraps shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA and shall remain liable to the Client for the performance of Sub-processors' obligations.

8. Security Measures

8.1 Technical and Organizational Measures

AnansiTraps implements and maintains the following security measures to protect Personal Data:

Access Controls:

• Role-based access control (RBAC) limiting Personal Data access to authorized personnel only
• Multi-factor authentication (MFA) enforced on all internal systems
• Privileged access management (PAM) for infrastructure-level access
• Regular access reviews and prompt revocation upon personnel changes

Encryption:

• Encryption of Personal Data in transit using TLS 1.2 or higher
• Encryption of Personal Data at rest using AES-256 or equivalent
• Encrypted backup storage

Network Security:

• Network segmentation isolating production environments
• Intrusion detection and prevention systems (IDS/IPS)
• Web application firewall (WAF) protection
• Continuous network monitoring via AnansiTraps' own deception platform

Operational Security:

• Formal information security policy reviewed annually
• Security awareness training for all personnel with access to Personal Data
• Background verification for personnel in sensitive roles
• Vendor security assessments for all Sub-processors

Resilience and Recovery:

• Regular automated backups with tested recovery procedures
• Business continuity and disaster recovery plans
• Defined recovery time objectives (RTOs) and recovery point objectives (RPOs) as specified in the applicable SLA

Vulnerability Management:

• Regular vulnerability scanning and patch management
• Annual third-party penetration testing
• Responsible disclosure program for security researchers

8.2 Security Reviews

AnansiTraps will review and update its security measures at least annually and following any significant change to the Platform or processing activities.

8.3 Personnel

AnansiTraps will ensure that personnel who process Personal Data on its behalf are subject to confidentiality obligations, receive appropriate data protection training, and process Personal Data only as necessary for their role.

9. Audits and Inspections

9.1 Audit Rights

The Client has the right to audit AnansiTraps' compliance with this DPA no more than once per calendar year, upon at least thirty (30) days' prior written notice, during normal business hours, and subject to:

• Execution of a confidentiality agreement acceptable to AnansiTraps
• The audit being conducted by the Client or a reputable independent third-party auditor that is not a competitor of AnansiTraps
• The scope being limited to AnansiTraps' processing of the Client's Personal Data

9.2 Audit Reports

In lieu of an on-site audit, AnansiTraps may provide the Client with its most recent independent security audit reports, penetration test summaries, or SOC 2 Type II report (where available) to satisfy the Client's audit requirements. The Client agrees to treat such reports as AnansiTraps Confidential Information.

9.3 Regulatory Audits

Where a supervisory authority or regulatory body with jurisdiction over the Client's processing activities requires an audit or inspection of AnansiTraps' facilities or records, AnansiTraps will cooperate with such authority subject to applicable legal requirements.

10. Personal Data Breach Notification

10.1 Notification to Client

In the event of a confirmed Personal Data Breach affecting Personal Data processed under this DPA, AnansiTraps will notify the Client without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will be provided to the Client's designated security or privacy contact and will include, to the extent then known:

• Nature of the Personal Data Breach, including categories and approximate number of Data Subjects and Personal Data records affected
• Name and contact details of AnansiTraps' data protection contact
• Likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate its effects

10.2 Ongoing Updates

AnansiTraps will provide the Client with timely updates as additional information about the breach becomes available. Where full information is not available within 72 hours, AnansiTraps will provide an initial notification with available information and supplement it as soon as practicable.

10.3 Client Notification Responsibilities

The Client is solely responsible for notifying affected Data Subjects and relevant supervisory authorities as required by Applicable Data Protection Law. AnansiTraps will provide reasonable assistance to the Client in fulfilling these obligations.

10.4 Security Incidents

AnansiTraps will also notify the Client of any confirmed security incidents that materially affect the availability, integrity, or confidentiality of the Services, even where such incidents do not constitute a Personal Data Breach.

11. Data Retention and Deletion

11.1 Retention During Services

AnansiTraps retains Personal Data for the duration of the Subscription Term and as further specified in the Terms and Conditions.

11.2 Post-Termination

Upon termination or expiry of the Services:

• AnansiTraps will make Personal Data available for Client export for thirty (30) days following the termination date
• After this period, AnansiTraps will securely delete or anonymize all Personal Data unless retention is required by applicable law
• AnansiTraps will provide written confirmation of deletion upon request

11.3 Legal Retention Requirements

Where AnansiTraps is required by applicable law to retain certain Personal Data beyond the periods specified above, AnansiTraps will notify the Client, retain only the minimum data required, and isolate such data from active processing.

11.4 Backup Deletion

Personal Data contained in encrypted backups will be deleted in accordance with AnansiTraps' standard backup rotation schedule, which will not exceed ninety (90) days following the deletion of the primary data.

12. International Data Transfers

12.1 Transfer Mechanisms

Where the processing of Personal Data involves a Restricted Transfer, AnansiTraps will ensure that an appropriate transfer mechanism is in place, including one or more of the following:

• Standard Contractual Clauses (SCCs): The EU Commission-approved SCCs for Controller-to-Processor transfers are incorporated into this DPA by reference and apply to transfers from the EEA to countries without an adequacy decision
• UK Addendum: The UK International Data Transfer Addendum to the EU SCCs applies to transfers from the UK
• Adequacy Decisions: Where the destination country has received an adequacy decision from the relevant authority
• KDPA Transfer Mechanisms: For transfers from Kenya, in accordance with the requirements of the Kenya Data Protection Act and applicable regulations issued by the Office of the Data Protection Commissioner

12.2 Sub-processor Transfers

AnansiTraps ensures that all Restricted Transfers to Sub-processors are covered by appropriate transfer mechanisms, including SCCs or equivalent safeguards imposed on Sub-processors by contract.

12.3 Transfer Impact Assessments

Where required by Applicable Data Protection Law or where the Client requests, AnansiTraps will cooperate in good faith with the Client to conduct a transfer impact assessment in respect of any Restricted Transfer.

13. Data Protection Impact Assessments

Where the Client is required to conduct a Data Protection Impact Assessment (DPIA) under Applicable Data Protection Law in connection with its use of the Services, AnansiTraps will provide reasonable assistance, including making available relevant information about the Platform's processing activities, security measures, and Sub-processors. The Client remains solely responsible for conducting and documenting any required DPIA.

14. Data Protection Officer and Contact

14.1 AnansiTraps Privacy Contact

For all matters relating to this DPA, including data subject requests, breach notifications, and audit requests, please contact:

AnansiTraps Ltd.
Attn: Privacy & Data Protection
Nairobi, Kenya

Email: privacy@anansitraps.com
Response time: Within 72 hours for breach notifications; within 30 days for all other requests

14.2 Data Protection Officer

Where required by Applicable Data Protection Law, AnansiTraps will appoint a Data Protection Officer (DPO) or equivalent. Details of the DPO will be provided to Clients upon request and updated in Schedule A as applicable.

15. Term and Termination

This DPA is effective from the date the Client first uses the Services and remains in force for the duration of the Terms and Conditions or any applicable Order Form. This DPA automatically terminates upon the expiry or termination of all active Service agreements between the parties. Obligations under Sections 8, 10, 11, and 12 survive termination for the periods specified therein.

16. Governing Law

This DPA is governed by the laws of Kenya. Where the Client is located in the EU or UK, the applicable SCCs and their governing law provisions apply to the extent required by Applicable Data Protection Law. In the event of any conflict between the governing law of this DPA and the governing law provisions of the SCCs, the SCCs shall prevail with respect to Restricted Transfers from the EEA or UK.

17. Entire Agreement

This DPA, together with Schedule A and any applicable SCCs, constitutes the entire agreement between the parties with respect to the processing of Personal Data in connection with the Services and supersedes all prior agreements, understandings, and representations relating to such processing.