NAMESPACE DATA PROCESSING ADDENDUM

Valid as of: January 22, 2026

This Data Processing Addendum (this “Addendum”) is incorporated into and forms part of the Terms of Service (the “Agreement”) entered into between the Customer, as defined in the Agreement, and Namespace Labs, Inc a Delaware corporation located at 2261 Market Street #5037 San Francisco, CA 94114 (“Namespace”). Except as modified below, the terms of the Agreement shall remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will prevail. For the avoidance of doubt, this Addendum is effective as at the effective date of the Agreement and will remain in effect until termination of the Agreement; or the last Processing of Customer Personal Data carried out on behalf of the Customer under the Agreement.

1. Definitions

In this Addendum, the following words and expressions have the following meanings:

Customer Personal Data” means Personal Data Processed by Namespace as Processor on behalf of Customer pursuant to the performance of the Services and as described in Section 2.2.

Business,Controller,Processor,Data Subject,Personal Data,Processing”, “Sell”, “Share”, “Service Provider, and “Supervisory Authority” all have the meanings given to those terms in Data Protection Laws (and related terms such as “Process,Processes” and “Processed” shall have corresponding meanings);

“Data Protection Laws” means all applicable laws and regulations relating to data protection and privacy as applicable to the parties and/or to the Processing of Personal Data under the Agreement, including without limitation, United States data protection and privacy laws, including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), and other applicable U.S. state privacy laws, as amended from time to time; the EU General Data Protection Regulation 2016/679 (“EU GDPR”); the EU GDPR in such form as incorporated into the laws of the United Kingdom (“UK GDPR” and together with the EU GDPR “GDPR”); the UK Data Protection Act 2018; the Swiss Federal Act on Data Protection of 25 September 2020 (“Swiss FADP”) and any associated implementing legislation and regulations, in each case, as in force and applicable, and as amended, supplemented or replaced from time to time;

“EU Controller to Processor Standard Contractual Clauses” means the Annex to the European Commission’s decision of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to third countries which do not ensure an adequate level of data protection pursuant to the EU GDPR, with “Module 2” selected (which covers transfers of Personal Data from a Controller to a Processor);

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data;

“Services” means the services provided by Namespace pursuant to the Agreement;

“Sub-Processor” means any vendor, supplier or subcontractor of Namespace authorized to Process Customer Personal Data on behalf of Namespace;

“UK International Data Transfer Addendum” means the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (as it is revised under its Section 18) to facilitate the international transfer of Personal Data in compliance with the UK GDPR

2. Data Processing Details and Compliance

2.1. The Parties acknowledge that in respect of Customer Personal Data, Namespace is a Processor Processing Personal Data on behalf of Customer as Controller. Each Party shall comply with its obligations under Data Protection Laws as relates to Customer Personal Data.

2.2. Details of Customer Personal Data Processed by Namespace under the Agreement are set out in Annex 1.

2.3. Namespace shall be an independent Controller and Business with respect to its Processing of Personal Data in connection with the execution and administration of the Agreement (including contact details of Customer personnel/representatives); Namespace’s creation and maintenance of user accounts on Namespace platforms; and the processing of Personal Data and platform usage data for analytics and improvement of Namespace products and services. The Parties agree that the Personal Data described under this Section 2.3 does not form part of Customer Personal Data.

3. Processing of Customer Personal Data

3.1. Customer represents and warrants that, in connection with its use of the Services, transfer of Customer Personal Data to Namespace and provision of instructions to Namespace as Processor of Customer Personal Data: (a) Customer has provided or will provide all necessary notices to all Data Subjects of Customer Personal Data as required under Data Protection Laws; (b) Customer has received all necessary permissions, consents, or approvals and otherwise secured a valid legal basis of Processing to facilitate Namespace’s Processing of Customer Personal Data in accordance with the terms of the Agreement and Data Protection Laws; and (c) Namespace’s Processing of Customer Personal Data in accordance with Customer’s instructions will not cause Namespace to violate any applicable law.

3.2. Namespace shall Process Customer Personal Data only on the written instructions of Customer (including as set out in the Agreement) unless Namespace is required to otherwise Process Customer Personal Data by applicable laws. Namespace is hereby instructed to Process Customer Personal Data for the purposes of providing the Services. Where Namespace is required by applicable laws to Process Customer Personal Data other than in accordance with Customer’s instructions, prior to any such Processing and to the extent permitted by applicable laws, Namespace shall notify Customer in writing of that legal requirement prior to Processing Customer Personal Data.

3.3. Namespace shall promptly inform Customer if Namespace becomes aware of a written instruction given by Customer under this Section 3 that, in Namespace’s reasonable opinion, infringes Data Protection Laws. Namespace shall be entitled to suspend the relevant Processing until Customer has confirmed or modified the instruction to ensure compliance with Data Protection Laws.

3.4. Namespace shall not (a) retain, use, or disclose Customer Personal Data other than as provided for in this Addendum, the Agreement, or as otherwise permitted by Data Protection Laws; (b) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Namespace, including by combining Customer Personal Data with Personal Data Namespace receives from third party source, except as permitted by Data Protection Laws; or (c) Sell or Share Customer Personal Data. Customer has the right to take reasonable and appropriate steps to help ensure that Namespace uses Customer Personal Data in a manner consistent with Namespace’s obligations under Data Protection Laws. Namespace shall notify Customer if it makes a determination that it can no longer meet its obligations under Data Protection Laws and Customer has the right, upon reasonable notice to Namespace, to take reasonable and appropriate steps to stop and remediate any unauthorised use of Customer Personal Data.

4. Namespace Personnel and Sub-Processors

4.1. Namespace shall ensure that all Namespace personnel authorized to Process Customer Personal Data are either subject to binding written contractual obligations or statutory obligations to keep Customer Personal Data confidential.

4.2. Customer authorizes Namespace to engage the Sub-Processors included in the Sub-Processor list set out in Annex 2 (“Sub-Processor List”). Where Namespace intends to engage any additional Sub-Processor not already approved on the Sub-Processor List, prior to engaging the Sub-Processor, Namespace shall notify Customer of the proposed engagement of the Sub-Processor giving Customer the opportunity to object. Customer shall be entitled to make a written objection to the proposed engagement (with respect to confidentiality and data protection compliance concerns) within 15 business days of Namespace providing notice to Customer under this Section. If no objection is received within the timeframe under this Section, Customer is deemed to have authorized the engagement of such Sub-Processor.

4.3. Where Customer raises a reasonable objection to the proposed engagement of a Sub-Processor in accordance with this Section, Namespace may, at its option: (a) use its reasonable endeavours to remedy the situation giving rise to the reasonable objection; or (b) propose an alternative Sub-Processor to conduct the relevant Processing in accordance with Section 4.2 of this Addendum, provided that, in the event that Namespace is unable to remedy the situation or propose an alternative Sub-Processor, Namespace shall be entitled to terminate the Services without penalty or liability effective immediately on written notice to Customer and Customer shall pay Namespace any fees due for the Services performed prior to termination.

4.4. Namespace shall ensure that prior to permitting any Sub-Processor to Process Customer Personal Data, the Sub-Processor has entered into a binding written agreement with Namespace that imposes obligations substantially equivalent to the obligations imposed on Namespace as a Processor under this Addendum. Namespace shall remain liable to Customer for the performance of the Sub-Processor’s data protection obligations concerning Customer Personal Data in the event the Sub-Processor fails to fulfil those obligations.

5. Transfers

5.1. The Parties acknowledge that Namespace is located in, and will process Customer Personal Data in, the United States of America. With respect to Namespace’s Processing of Customer Personal Data subject to the GDPR and Swiss FADP, to the extent an appropriate transfer safeguard is required under Data Protection laws:

  • (a) For Customer Personal Data subject to the EU GDPR, the Parties agree to comply with the provisions of the EU Controller to Processor Standard Contractual Clauses (“EU SCCs”) which are incorporated into this Addendum by reference and modified as follows for this purpose: (i) Annexes I of the EU SCCs, details of the parties will include Customer (as data exporter) and Namespace (as data importer), contact information will be as provided by the Parties from time to time, description of the transfers shall be completed with the corresponding details as set out in Section 2.2 of this Addendum, transfers are “continuous” and the competent supervisory authority is determined in accordance with Clause 13 of the EU SCCs; (ii) Annex II to the EU SCCs, the technical and organizational measures shall be completed with the relevant information as set out in Annex 3 of this Addendum; (b) Clause 7 (Docking Clause), which is optional, is included; (c) Clause 9 (Sub-processors), option 1 shall apply and the time period for notification of a proposed Sub-Processor will be as set out in Section 4.2 of this Addendum; (d) Clause 11 (Redress) contains an optional clause which is excluded; (e) Clause 13 (Supervision) provides for three alternative options and the option applicable to the relevant data transfers under this Addendum is selected; (f) Clause 17 (Governing law) shall be the laws of Ireland; (g) Clause 18 (Choice of forum and jurisdiction) is amended so that the courts that have jurisdiction are the courts of Ireland. \

  • (b) For Customer Personal Data subject to the Swiss FADP, the Parties agree to comply with the provisions of the EU SCCs as set out and modified by Section 5.1(a) of this Addendum and as further amended as follows: (i) the term “Member State” according to Clause 18 (c) of the EU SCCs shall not be interpreted in a such a way that data subjects in Switzerland are excluded from exercising their rights, if any, at their place of habitual residence; (ii) any references to EU legislation, EU authorities and the EU Member States in the EU SCCs are amended to reflect corresponding Switzerland legislation, Switzerland authorities and Switzerland as appropriate; (iii) the Supervisory Authority selected for the purposes of Clause 13 (Supervision) of the EU SCCs is the Swiss Federal Data Protection and Information Commissioner (FDPIC); and (iv) Clause 17 (Governing law) of the EU SCCs shall refer to the law of Switzerland as the governing law and Clause 18 (Choice of forum and jurisdiction) shall refer to the Swiss courts as the proper forum and jurisdiction for disputes and legal proceedings arising.\

  • (c) For Customer Personal Data subject to the UK GDPR, the Parties agree to comply with the provisions of the UK International Data Transfer Addendum (“UK IDTA”) which are incorporated into this Addendum by reference and modified as follows for this purpose: (a) the date to be included in Table 1 of the UK IDTA is the Effective Date of this Addendum; (ii) for Table 1 and Table 3 of the UK IDTA, the parties’ details, description of the transfer and technical and organizational measures are completed with the relevant information referenced in Section 5.1(a) of this Addendum; (ii) for Table 2 of the UK IDTA, information about the version of the EU Standard Contractual Clauses, modules and selected clauses which the UK IDTA is appended to shall reference the EU Controller to Processor Standard Contractual Clauses as modified by Section 5.1(a) of this Addendum; (c) for Table 4 of the UK IDTA, both the Importer and the Exporter may end the UK IDTA in accordance with its terms; and (d) Part 2 (Mandatory Clauses) of the UK IDTA shall be deemed completed with the following provision “Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses”.

6. Security and Personal Data Breach Notification

6.1. Namespace shall implement and maintain appropriate technical and organizational measures in relation to the Processing of Customer Personal Data to ensure a level of security appropriate to the risks which may occur as a result of Processing Customer Personal Data, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, including as set out in Annex 3.

6.2. Namespace shall notify Customer without undue delay on becoming aware of a Personal Data Breach and provide Customer with details of the Personal Data Breach as required under Data Protection Laws. To the extent available, the details of the Personal Data Breach provided shall include:

  • (a) the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned;

  • (b) the name and contact details of the data protection officer or other contact point where more information can be obtained;

  • (c) description of the likely consequences of the Personal Data Breach; and

  • (d) description of the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach.

7. Assistance

7.1. To the extent related to its Processing of Customer Personal Data (taking into account the nature of Processing and the information available to Namespace), Namespace shall at Customer’s cost, promptly provide Customer with reasonable assistance:

  • (a) using appropriate technical and organizational measures, in complying with any requests received from Data Subjects of Customer Personal Data exercising Data Subject rights under Data Protection Laws;

  • (b) to enable Customer to conduct data protection impact assessments and consultations with (or notifications to) a relevant Supervisory Authority on such assessments where Customer is required to do so under Data Protection Laws;

  • (c) in complying with its obligation to implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data; and

  • (d) in complying with its obligation to notify a Personal Data Breach to a Supervisory Authority or to a Data Subject as applicable.

8. Deletion or Return of Data

8.1 If not instructed otherwise in writing by the Customer and unless legally required to keep the Customer Personal Data, Namespace shall delete and destroy the Customer Personal Data processed hereunder the latest within ninety (90) days' of the termination of the Agreement or after the maximum data retention period permitted by the technology of the relevant Services. In case the Customer demands that the Customer Personal Data are returned to the Customer or to a third party, the Customer will pay Namespace for any additional costs and expenses arising out of such return of the Customer Personal Data.

9. Information Requests and Audits

9.1. Namespace shall, on reasonable request from Customer, make available to Customer all information necessary to demonstrate Namespace’s compliance with its obligations under this Addendum. Namespace shall allow for audits (including inspections), at Customer’s cost, conducted by Customer or designated independent auditor agreed between the Parties, for the purpose of demonstrating Namespace’s compliance with its obligations under this Addendum. For the avoidance of doubt such audits shall be limited to once per calendar year except as required by a Supervisory Authority and the scope of any audit will be limited to Namespace’s policies, procedures, systems and controls relevant to the Processing of Customer Personal Data.

9.2. Namespace’s obligations under Section 9.1 of this Addendum are subject to Customer:

  • (a) giving Namespace reasonable prior notice of such information requests, audits and/or inspections being required by Customer, provided that such notice shall be no less than 30 business days, except where a shorter period is required by a Supervisory Authority;

  • (b) ensuring that all information obtained or generated by Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable laws); and

  • (c) ensuring that such audit or inspection is undertaken during normal business hours, with, so far as reasonably practicable, minimal disruption to Namespace’s business and the business of other customers of Namespace.

10. Liability

10.1. Customer acknowledges that Namespace is reliant on Customer for direction as to the extent to which Namespace is entitled to Process Customer Personal Data on behalf Customer in the provision of the Services. Consequently the Namespace will not be liable under the Agreement or this Addendum for any claim arising from any action or omission, to the extent that such action or omission resulted directly from Customer’s instructions or from Customer’s failure to comply with its obligations under applicable Data Protection Laws.

10.2. Notwithstanding any provisions to the contrary included in this Addendum, each Party’s liability under or in connection with this Addendum will be limited in accordance with the liability provisions of the Agreement.

Annex 1

DETAILS OF PROCESSING

Details of Customer Personal Data Processed by Namespace under the Agreement are as follows:

  1. Subject Matter, Nature and Purpose of Processing. Namespace’s provision of the Services under the Agreement.
  2. Duration of Processing. Processing of Customer Personal Data by Namespace shall be for the term of the Agreement and in accordance with Namespace’s retention obligations under the Agreement and this Addendum.

  3. Personal Data in Scope:

    1. Full name.
    2. Title, position.
    3. Email address.
    4. GitHub username

  4. Category of Data Subjects:

    1. Prospects, customers, business partners, and vendors of the Customer (who are natural persons).
    2. Employees or contact persons of the Customer’s prospects, customers, business partners and vendors.

Annex 2

Sub-Processor list

See up to date list in trust center.

Annex 3

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Please see trust center for a description of Namespace’s technical and organizational measures.