Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Isorun BV ("Isorun", "Processor") and the customer ("Customer", "Controller") and applies to the extent Isorun processes personal data on behalf of Customer in the course of providing the Services. This DPA reflects the requirements of Article 28 of Regulation (EU) 2016/679 (the "GDPR") and, where applicable, the European Commission's Standard Contractual Clauses ("SCCs") for transfers of personal data to third countries.
Capitalised terms not defined here have the meaning given in the Terms of Service or in the GDPR.
1. Roles and Subject Matter
For personal data that Customer or Customer's end users submit to the Services ("Customer Personal Data"), Customer is the Controller and Isorun is the Processor. Isorun processes Customer Personal Data only on documented instructions from Customer, which include the instructions set out in the Terms of Service, this DPA, and Customer's use of the Services through the dashboard, API, and SDKs.
The subject matter of processing is the provision of sandbox compute services. The duration of processing is the term of the Terms of Service plus any post-termination retention period required by law. The nature and purpose of processing is the operation, security, and support of the Services. The categories of data subjects are Customer's authorised users and any individuals whose personal data Customer chooses to process within sandboxes.
2. Categories of Personal Data
| Category | Examples |
|---|---|
| Account data | Email address, name, OAuth identifiers, team and project identifiers |
| Usage metadata | API call timestamps, sandbox identifiers, resource consumption metrics, exit codes |
| Billing data | Billing address, invoice history (payment card data is processed by Stripe, not stored by Isorun) |
| Customer Content | Code, files, prompts, and any other material Customer submits to the Services. Isorun does not inspect or log the contents of sandboxes. |
Isorun does not require, and discourages, the processing of special categories of personal data (GDPR Article 9) within sandboxes. Customer is responsible for ensuring it has a lawful basis for any such processing.
3. Isorun's Obligations as Processor
Isorun shall:
- process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by EU or Member State law to which Isorun is subject (in which case Isorun will inform Customer of that legal requirement before processing, unless prohibited from doing so);
- ensure that persons authorised to process Customer Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality;
- implement the technical and organisational measures described in Section 7 to ensure a level of security appropriate to the risk;
- respect the conditions for engaging Sub-processors set out in Section 5;
- assist Customer, taking into account the nature of the processing and the information available to Isorun, in fulfilling Customer's obligations to respond to requests by data subjects exercising their rights under Chapter III of the GDPR. Where Customer cannot reasonably fulfil a data subject request using the Services' available functionality, Isorun may charge Customer on a time-and-materials basis for assistance, except where the request arises from Isorun's breach of this DPA;
- assist Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments);
- not reidentify, attempt to reidentify, or direct any third party to reidentify Customer Personal Data that has been deidentified, anonymised, or aggregated;
- at Customer's choice, delete or return all Customer Personal Data after the end of the provision of the Services and delete existing copies, unless EU or Member State law requires storage of the personal data; and
- make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and allow for and contribute to audits as described in Section 8.
4. Customer Obligations
Customer warrants and agrees that, in respect of any personal data Customer or its end users submit to the Services, Customer shall:
- comply with applicable data protection law in its use of the Services, including the GDPR and the CCPA where applicable;
- establish and maintain a lawful basis under Article 6 of the GDPR (and, where relevant, an additional condition under Article 9) for all processing carried out through the Services;
- obtain and maintain all necessary consents, notices, and authorisations from data subjects required to permit Isorun's processing of Customer Personal Data as a Processor;
- not submit to the Services, and not request that Isorun process, any special category of personal data within the meaning of GDPR Article 9 (including data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation), or any data relating to criminal convictions and offences within the meaning of GDPR Article 10. Customer is solely responsible for any consequences of submitting such data in breach of this clause;
- provide accurate contact information for data protection notices and keep that information up to date in Customer's account; and
- respond promptly to any communications from Isorun regarding the processing of Customer Personal Data.
5. Sub-processors
Customer grants Isorun general authorisation to engage Sub-processors to assist in providing the Services, subject to Isorun's obligation to ensure that any Sub-processor is bound by data protection obligations no less protective than those in this DPA. Isorun's current Sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Auth0 (Okta, Inc.) | Authentication and identity management | EU / United States |
| Stripe Payments Europe, Ltd. | Payment processing | EU / United States |
| Cloudflare, Inc. | Edge network, CDN, DNS, and Workers compute | Global edge / United States |
| Plausible Insights OÜ | Cookie-free website analytics | European Union |
| Latitude.sh LLC | Bare-metal infrastructure for runner servers | European Union (Amsterdam) / United States (Chicago, Dallas) |
Isorun will give Customer at least 30 days' prior notice of any intended additions to or replacements of Sub-processors, by email or by updating this page. Customer may object in writing to a new Sub-processor on reasonable data-protection grounds within that 30-day period. If Customer objects and the parties cannot reach a resolution, either party may terminate the affected portion of the Services without penalty.
6. International Transfers
Isorun stores and processes Customer Personal Data primarily in the European Union. Where Customer Personal Data is transferred outside the European Economic Area to a country that is not the subject of an adequacy decision by the European Commission, the transfer is made under the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor or Module Three: Processor to Processor, as applicable), which are incorporated into this DPA by reference. The SCCs are available at eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
For the purposes of the SCCs:
- The data exporter is the Customer (or its EU affiliate, where applicable).
- The data importer is Isorun BV.
- Clause 7 (Docking Clause) is included.
- Clause 9(a) Option 2 (general written authorisation) applies, with the 30-day notice period set out in Section 5 above.
- Clause 11(a) optional language (independent dispute resolution body) is not included.
- Clause 17 Option 1 applies and the governing law is the law of the Netherlands.
- Clause 18(b) supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
- Annex I (List of Parties, Description of Transfer, Competent Supervisory Authority), Annex II (Technical and Organisational Measures), and Annex III (List of Sub-processors) are populated by reference to Sections 1, 2, 5, and 7 of this DPA.
For transfers from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner. For transfers from Switzerland, the parties incorporate the SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner.
7. Technical and Organisational Measures
Isorun implements the following technical and organisational measures designed to ensure a level of security appropriate to the risk:
- Encryption in transit: TLS 1.3 for all customer-facing endpoints; modern cipher suites only.
- Encryption at rest: Disk-level encryption on all storage holding customer or operational data.
- Compute isolation: Each sandbox runs in its own dedicated virtual machine with hardware-virtualised separation. Sandboxes do not share an operating system kernel with each other or with the host control plane.
- Network isolation: Sandboxes operate on a deny-by-default network with explicit allow-listing.
- Access control: Role-based access to production systems; multi-factor authentication required for all Isorun personnel; least-privilege defaults.
- Audit logging: Tamper-evident logging of administrative actions; logs are retained for at least one year.
- Vulnerability management: Regular dependency scanning, security review of changes to production code, and a public vulnerability disclosure policy with safe harbour.
- Incident response: Documented incident response procedures, including roles, escalation paths, and customer notification commitments described in Section 9.
- Personnel: All Isorun personnel sign confidentiality agreements and receive security and data-protection training.
- Backups and recovery: Operational data (account, billing, configuration) is backed up; sandbox content is ephemeral by design and is not backed up.
Isorun reviews these measures periodically and may update them as the state of the art evolves, provided that the level of security is not reduced.
8. Audits
Isorun shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA. Where Isorun has obtained independent third-party audit reports or certifications relevant to the Services (including, where applicable, SOC 2 Type II reports, ISO/IEC 27001 certificates, or equivalent), Isorun will provide a copy of the most recent such reports to Customer on written request, subject to confidentiality. The parties agree that such reports satisfy Customer's audit rights under applicable data protection law where they are reasonably sufficient.
Where third-party audit reports are not reasonably sufficient, or where an audit is required by a competent supervisory authority, Customer may, no more than once per calendar year and at Customer's expense, request an on-site or documentary audit by submitting a written request to privacy@isorun.ai at least 30 days in advance. The parties will agree in advance on the scope, timing, and conditions of the audit. Audits must be conducted in a manner that does not unreasonably interfere with Isorun's business operations and must not provide access to data of other customers. Customer's auditor must sign a confidentiality undertaking acceptable to Isorun before the audit begins.
9. Personal Data Breach Notification
Isorun will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will describe, to the extent then known: the nature of the breach including the categories and approximate number of data subjects and records concerned; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects. Isorun will provide Customer with timely updates as the investigation progresses.
10. Return or Deletion of Personal Data
On termination or expiry of the Services, Isorun will, at Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless EU or Member State law requires storage. Customer may request return or deletion at any time by emailing privacy@isorun.ai. By default, Isorun deletes account data within 30 days of account closure. Billing records are retained for 7 years to comply with Dutch tax law.
11. California Consumer Privacy Act (CCPA)
To the extent Isorun processes personal information of California residents on behalf of Customer, Isorun is a "Service Provider" (and not a "Third Party") as those terms are defined in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA"). Isorun shall not: (a) Sell or Share (as those terms are defined in the CCPA) Customer Personal Data; (b) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Isorun and Customer or for any purpose other than performing the Services and the business purposes specified in the Terms of Service; (c) combine Customer Personal Data with personal information received from or on behalf of any other person, except as permitted by the CCPA; or (d) use Customer Personal Data for cross-context behavioural advertising or targeted advertising. Isorun certifies that it understands and will comply with these restrictions.
12. Regulatory Fines
Each party is responsible for any administrative fines or penalties imposed directly on it by a competent supervisory authority under Article 83 of the GDPR or equivalent provisions of applicable data protection law. Neither party will indemnify the other for fines imposed directly on the other party. Notwithstanding the foregoing, where a fine is imposed on Customer that results directly from Isorun's documented breach of its obligations under this DPA, Isorun shall be liable for that fine, subject to the limitation of liability set out in the Terms of Service.
13. Liability
The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits a data subject's rights under the GDPR.
14. Conflict
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.
15. Governing Law
This DPA is governed by the laws of the Netherlands. Disputes are subject to the exclusive jurisdiction of the courts of the Netherlands, except as required by the SCCs or by mandatory provisions of the GDPR.
16. Contact
Isorun BV - Data Protection
Email: privacy@isorun.ai
Netherlands
For supervisory authority complaints, Customer and data subjects may contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.