Data Processing Addendum

• "Personal Data" means any information relating to an identified or identifiable natural person processed under this agreement.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Sub-processor" means any third party engaged by GaugeWell to process Personal Data on behalf of the Controller.
• "Data Protection Laws" means applicable data protection legislation including GDPR, CCPA, and other relevant regulations.

GaugeWell processes Personal Data only:

• As necessary to provide the contracted services
• In accordance with Controller's documented instructions
• In compliance with applicable Data Protection Laws

The types of Personal Data processed, categories of data subjects, and processing activities are defined in the applicable service agreement or statement of work.

The Controller warrants that:

• It has obtained all necessary consents and authorizations for the processing of Personal Data
• Its instructions to GaugeWell comply with applicable Data Protection Laws
• It will promptly notify GaugeWell of any changes affecting data processing requirements
• It maintains appropriate data minimization practices before sharing data with GaugeWell

GaugeWell agrees to:

• Process Personal Data only on documented instructions from the Controller
• Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to data subject requests
• Notify the Controller without undue delay upon becoming aware of a data breach
• Delete or return Personal Data upon termination, unless retention is required by law

GaugeWell may engage Sub-processors to assist in providing services. We maintain a list of current Sub-processors and will provide reasonable notice of any additions or changes.

Sub-processors are bound by data protection obligations no less protective than those in this DPA. GaugeWell remains liable for the acts and omissions of its Sub-processors.

GaugeWell implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and monitoring
• Incident response and breach notification procedures
• Employee training on data protection practices

In the event of a Personal Data breach, GaugeWell will:

• Notify the Controller without undue delay (and in any event within 72 hours where feasible)
• Provide details of the breach, including categories and approximate number of affected records
• Describe likely consequences and measures taken or proposed to address the breach
• Cooperate with the Controller in meeting any regulatory notification obligations

When GaugeWell receives a request from a public authority (including law enforcement or government agencies) for Personal Data processed on behalf of the Controller:

• Legality Review: GaugeWell will review each request to verify it is legally valid, properly scoped, and issued by an authority with appropriate jurisdiction before any disclosure is made
• Challenge Provisions: GaugeWell will challenge any request it reasonably believes to be overbroad, legally deficient, or unlawful through appropriate legal channels, and will not comply unless compelled by a court of competent jurisdiction
• Data Minimization: Where disclosure is legally required, GaugeWell will limit the information disclosed to the minimum necessary to satisfy the specific lawful request
• Documentation: GaugeWell will document all government data requests, its responses, the legal reasoning applied, and the actors involved in the review process
• Controller Notification: Where legally permitted, GaugeWell will promptly notify the Controller of any government request for Personal Data processed under this DPA, and will redirect the requesting authority to the Controller where appropriate

GaugeWell supports data subject deletion requests in accordance with applicable Data Protection Laws:

• Data subjects may submit deletion requests via our Data Deletion Request Form or by emailing privacy@gaugewell.io
• Personal data will be deleted within 30 days of a verified request
• Connected third-party platform access will be revoked
• Data will be purged from backups within 90 days (standard retention cycle)
• GaugeWell will assist the Controller in fulfilling data subject deletion requests as required by Article 17 GDPR and equivalent provisions