Sherpa.sh
This Data Processing Addendum ("DPA") supplements the Terms of Service or other agreement (the "Agreement") between Kaz 916 LLC (Sherpa.sh) and Customer for Sherpa.sh's cloud deployment, hosting, and related services ("Services"). This DPA governs Sherpa.sh's processing of Personal Data on behalf of Customer.
This DPA becomes legally binding upon Customer entering into the Agreement and applies to all Personal Data processed by Sherpa.sh in connection with the Services.
"Applicable Data Protection Laws" means all applicable privacy laws including GDPR, UK GDPR, CCPA, PIPEDA, and the Australian Privacy Act.
"Customer Data" means Personal Data that Sherpa.sh processes on behalf of Customer through the Services.
"Personal Data" means any information relating to an identified or identifiable natural person as defined in Applicable Data Protection Laws.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
"Security Incident" means any confirmed unauthorized access to, or disclosure of, Customer Data. This excludes unsuccessful attempts such as failed logins, port scans, or denial-of-service attacks.
"Subprocessor" means any third party authorized by Sherpa.sh to process Customer Data.
Customer acts as the controller (or processor) and Sherpa.sh acts as processor with respect to Customer Data. Sherpa.sh will process Customer Data only in accordance with Customer's documented instructions.
Customer is responsible for: (a) obtaining all necessary consents and providing all required notices to data subjects; (b) ensuring it has a lawful basis to transfer Personal Data to Sherpa.sh; and (c) complying with Applicable Data Protection Laws in its use of the Services.
Sherpa.sh will: (a) process Customer Data only as instructed by Customer or as required by law; (b) ensure personnel with access to Customer Data are bound by confidentiality obligations; (c) implement appropriate security measures; and (d) assist Customer in responding to data subject requests. Sherpa.sh's obligations under this DPA are subject to commercially reasonable efforts and Customer's timely cooperation.
Customer authorizes Sherpa.sh to engage Subprocessors to process Customer Data. Sherpa.sh will: (a) enter into written agreements with Subprocessors imposing data protection obligations substantially similar to this DPA; and (b) exercise reasonable care in selecting Subprocessors.
A current list of Subprocessors is available at Sherpa.sh/legal/subprocessors. If Customer objects to a new Subprocessor within 30 days of notice, the parties will discuss the concerns in good faith. If the parties cannot resolve the objection, Customer's sole remedy is to terminate the affected Services.
Sherpa.sh implements appropriate technical and organizational measures to protect Customer Data, including:
Upon becoming aware of a Security Incident, Sherpa.sh will notify Customer without undue delay (and where feasible within 72 hours) and provide reasonable information about the incident and steps taken to mitigate it. Customer remains responsible for any notifications required under Applicable Data Protection Laws.
Sherpa.sh will provide reasonable assistance to Customer in responding to data subject requests (access, rectification, erasure, portability, etc.) where Customer cannot fulfill such requests using the self-service features of the Services. If Sherpa.sh receives a request directly from a data subject, it will direct them to Customer. Sherpa.sh may charge reasonable fees for assistance that is excessive, repetitive, or manifestly unfounded.
Sherpa.sh will retain Customer Data unless Customer requests its deletion by opening a support request. Upon termination of the Agreement, Sherpa.sh will delete all Customer Data within 30 days, unless retention is required by law.
Customer acknowledges that Sherpa.sh may transfer and process Customer Data in the United States and other countries where Sherpa.sh or its Subprocessors operate.
For purposes of the CCPA, Sherpa.sh is a "service provider." Sherpa.sh will not: (a) sell Customer Data; (b) retain, use, or disclose Customer Data except as necessary to provide the Services; or (c) combine Customer Data with data from other sources except as permitted by the CCPA.
Sherpa.sh's total liability under this DPA shall not exceed the fees paid by Customer in the 12 months preceding the claim. In no event shall Sherpa.sh be liable for indirect, consequential, special, or punitive damages, or for loss of data, revenue, or profits, even if advised of the possibility of such damages.
Customer is solely responsible for: (a) the security of Customer's own systems and accounts; (b) the lawfulness of Customer Data and its collection; (c) implementing appropriate security measures for data before transmission to Sherpa.sh; and (d) maintaining backups of Customer Data. Sherpa.sh shall not be liable for any Security Incident caused by Customer's failure to maintain adequate security measures.
THE DATA PROCESSING SERVICES ARE PROVIDED "AS IS." SHERPA.SH MAKES NO WARRANTIES REGARDING THE SECURITY OR INTEGRITY OF CUSTOMER DATA BEYOND THE MEASURES EXPRESSLY STATED HEREIN.
This DPA is incorporated into and forms part of the Agreement. In the event of conflict between this DPA and the Agreement, this DPA prevails. This DPA terminates automatically upon deletion of all Customer Data.
Customer shall indemnify, defend, and hold harmless Sherpa.sh and its officers, directors, employees, and owners from any claims, damages, losses, or expenses (including reasonable attorney fees) arising from: (a) Customer's violation of Applicable Data Protection Laws; (b) Customer's instructions that violate any law; (c) the content, accuracy, or legality of Customer Data; or (d) claims by Customer's end users or data subjects.
Customer shall not process through the Services any: (a) health or medical data subject to HIPAA; (b) payment card data subject to PCI-DSS; (c) data from children under 16; (d) biometric data; (e) government-issued identifiers (such as Social Security numbers or passport numbers); or (f) data subject to heightened security requirements under any law, unless expressly agreed in writing. Sherpa.sh shall have no liability for any such prohibited data processed in violation of this section.
In no event shall any officer, director, employee, or owner of Sherpa.sh be personally liable for any obligations, claims, or damages arising under this DPA.
Sherpa.sh shall not be liable for any failure or delay in performance caused by circumstances beyond its reasonable control, including but not limited to natural disasters, war, terrorism, pandemics, labor disputes, utility or telecommunications failures, cyberattacks by third parties, government actions, or failures of third-party service providers or Subprocessors.
Sherpa.sh shall have no liability to Customer's end users, data subjects, or any other third parties. Customer is solely responsible for its relationships with such parties and any claims they may bring.
Any claim arising under this DPA must be brought within one (1) year of the event giving rise to the claim, or be forever waived. Customer must provide written notice of any claim within 30 days of discovery.
EACH PARTY WAIVES ANY RIGHT TO A JURY TRIAL IN CONNECTION WITH ANY DISPUTE ARISING UNDER THIS DPA. Customer agrees not to bring or participate in any class, collective, or representative action against Sherpa.sh.
This DPA shall be governed by the laws of the State of Florida without regard to conflict of laws principles. Any disputes shall be resolved exclusively in the state or federal courts located in Hillsborough County, Florida.
Sherpa.sh may modify this DPA at any time by posting the revised version on its website. Continued use of the Services after any such modification constitutes acceptance of the modified terms.
Sherpa.sh makes no representations or warranties regarding cyber liability insurance or any other insurance coverage.
Processing details are specified in your service agreement.