GDPR/UK GDPR and cross-jurisdiction data processing terms for proxy infrastructure
Last updated: March 16, 2026
For the purposes of this Data Processing Agreement ("DPA"), the following definitions apply:
"Controller" means the Customer who determines the purposes and means of processing Personal Data by using the Service.
"Processor" means the Operator (Hex Proxies), which processes Personal Data on behalf of the Controller in connection with the provision of the Service.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Subprocessor" means any third party engaged by the Processor to assist in the processing of Personal Data on behalf of the Controller.
"Applicable Privacy Law" means all privacy laws governing the Parties' agreement, including applicable provisions of the GDPR, UK GDPR, Australian Privacy Act, and (where applicable) U.S. state privacy statutes.
"Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
"Standard Contractual Clauses (SCCs)" means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, as set out in Commission Implementing Decision (EU) 2021/914.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
This DPA applies whenever the Processor processes Personal Data on behalf of the Controller in connection with the provision of proxy infrastructure services under the main service agreement.
Types of Personal Data processed:
- IP addresses (both source and assigned proxy addresses)
- Access timestamps and session duration
- Bandwidth usage metrics
- Account identifiers and authentication tokens
Categories of Data Subjects: Data subjects include the Controller's end users whose network traffic is routed through the Service. This may include employees, contractors, or customers of the Controller.
Nature and purpose of processing: Processing is limited to the transmission, routing, and temporary forwarding of network traffic as necessary to provide the proxy infrastructure service. The Processor keeps connection-level and assignment metadata required for operation, billing, security, and abuse prevention. It does not inspect or persist full request/response payload content for analytics, profiling, or advertising as a standard practice; any payload processing occurs only where strictly required for security, abuse response, or lawful requests.
The Processor may also process limited cookie-consent and security telemetry records needed for lawful operation and security.
Duration of processing: Processing continues for the duration of the service agreement between the Controller and the Processor, unless otherwise specified in writing.
The Processor shall, with respect to the processing of Personal Data on behalf of the Controller:
a) Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
b) Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 5 of this DPA.
d) Not engage another processor (subprocessor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of subprocessors, as detailed in Section 6.
e) Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights (including access, rectification, erasure, restriction, data portability, and objection).
f) Assist the Controller in ensuring compliance with obligations related to security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and information available to the Processor.
g) At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data.
h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
The Controller shall:
a) Ensure that a lawful basis for processing exists under Applicable Privacy Law (for example, contract performance, legal obligation, legitimate interests, or consent where required) prior to instructing the Processor to process Personal Data.
b) Provide the Processor with documented instructions regarding the processing of Personal Data. Such instructions shall be consistent with applicable data protection law and the terms of the main service agreement.
c) Ensure the accuracy of Personal Data provided to the Processor and promptly inform the Processor of any corrections or updates required.
d) Respond to Data Subject requests (including access, rectification, erasure, and portability requests) within the statutory timeframes prescribed by Applicable Privacy Law.
e) Promptly notify the Processor of any Data Subject requests received that relate to Personal Data processed by the Processor, to the extent that the Processor's assistance is required to fulfill such requests under this DPA and Applicable Privacy Law.
f) Ensure that any instructions given to the Processor comply with applicable data protection law and do not cause the Processor to violate its own legal obligations.
The Processor implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage:
Technical Measures:
- Transport security (TLS) for dashboard and API access where available
- At-rest encryption provided by hosting providers where supported
- Firewall protection and network segmentation to isolate processing environments
- DDoS mitigation and network security controls
- Security patching and vulnerability management across systems
- Access logging and monitoring of systems handling Personal Data
Organizational Measures:
- Role-based access control (RBAC) ensuring that only authorized personnel with a legitimate need can access Personal Data
- Confidentiality agreements executed by staff with access to Personal Data
- Documented security incident response procedures with defined escalation paths
- Security awareness training for personnel involved in processing operations
- Vendor risk assessments conducted for subprocessors and third-party service providers
The Processor reviews and updates these measures periodically to ensure continued effectiveness against evolving threats. The Controller may request a summary of the current security measures at any time. These controls are designed to support GDPR security obligations and the security requirements expected under the Australian Privacy Principles.
Current subprocessors are summarized on the Transparency Report page (or available on request). This list includes the identity, location, and processing activities of each subprocessor.
Notification of changes: The Processor will provide advance notice of intended additions or replacements of subprocessors where feasible (typically 30 days). Notification will be provided via email to the Controller's registered account address.
Right to object: The Controller may object to the appointment of a new subprocessor within 14 days of receiving notification. The objection must be made in writing and must state reasonable grounds related to data protection.
Resolution of objections: If the Controller's objection cannot be reasonably resolved within 30 days, the Controller may request termination of the affected services. The Processor will provide reasonable assistance in migrating the Controller's data where applicable.
Processor liability: The Processor remains fully liable to the Controller for the performance of each subprocessor's obligations. Where a subprocessor fails to fulfill its data protection obligations, the Processor shall be liable to the Controller for the acts and omissions of the subprocessor as if they were the Processor's own.
Subprocessor agreements: The Processor ensures that each subprocessor is bound by data protection obligations no less protective than those set out in this DPA, by way of a written contract in accordance with Article 28(4) of the GDPR.
Personal Data may be transferred outside the region of collection where necessary for service delivery. Transfers are documented and supported by an appropriate mechanism under Applicable Privacy Law.
EU/EEA and UK
- Standard contractual instruments (including SCCs under current EU/UK transfer frameworks) or adequacy arrangements where available
- Transfer Impact Assessments (where required by the legal framework for the specific transfer)
- Transfer of records and security posture documentation for Controller audit on request
United States (where state privacy regimes apply)
- Controller-designated sub-processors and hosting locations are listed in the service records and Transparency Report
- Transfers outside U.S. jurisdiction are documented in subprocessor contracts and subject to contractual security, access, and audit obligations
- No transfer to a third country occurs in a way that would remove the Controller’s operational controls over lawful-use boundaries
Australia (APP 8)
- Cross-border disclosures are documented and only made to jurisdictions that provide equivalent protections or when another lawful basis under the APP framework is documented in the relevant processing record
- The Controller is notified of each external destination where personal information is disclosed outside Australia in a material way
The Processor will promptly notify the Controller if the legal basis for a transfer changes or if the destination country framework changes in a way that affects the transfer mechanism.
The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.
The notification shall include, to the extent available:
- A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
- The name and contact details of the Processor's data protection contact point from whom further information may be obtained
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to be taken by the Processor to address the Data Breach, including measures to mitigate its possible adverse effects
Ongoing obligations: Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.
The Processor shall cooperate with and assist the Controller in fulfilling the Controller's breach notification obligations to supervisory authorities (Article 33 GDPR) and to affected Data Subjects (Article 34 GDPR), and as otherwise required by Applicable Privacy Law.
The Processor shall document all Data Breaches, including the facts relating to the breach, its effects, and the remedial actions taken. This documentation shall be made available to the Controller upon request.
Where applicable under Applicable Privacy Law, the Processor will support the Controller in meeting authority notification and individual notification timeframes.
The Controller, or an independent third-party auditor appointed by the Controller, has the right to conduct audits to verify the Processor's compliance with this DPA and applicable data protection law.
Audit procedures:
- The Controller shall provide at least 30 days written notice prior to conducting an audit
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
- The Processor shall provide reasonable cooperation and access to relevant facilities, systems, and documentation
- The Controller's auditor may be required to execute a confidentiality agreement before accessing the Processor's premises or systems
Audit scope: Audits may cover the Processor's technical and organizational security measures, subprocessor management, data processing records, and any other matter relevant to compliance with this DPA.
Audit costs: Audit costs shall be borne by the Controller, unless the audit reveals material non-compliance by the Processor, in which case the Processor shall bear the reasonable costs of the audit and shall promptly remedy the non-compliance at its own expense.
Alternative evidence: The Processor may satisfy audit requirements by providing the Controller with relevant third-party audit reports (such as SOC 2 or ISO 27001 certifications, if available) or other evidence of compliance, subject to the Controller's reasonable acceptance.
Effective date: This DPA takes effect on the date the Controller begins using the Service and remains in effect for the duration of the main service agreement.
Post-termination obligations: Upon termination or expiration of the service agreement, the Processor shall, at the Controller's election:
a) Return — Return all Personal Data to the Controller in a commonly used, machine-readable format (such as CSV or JSON), within a reasonable time (typically within 30 days) of receiving the Controller's written request.
b) Delete — Securely delete all Personal Data, including all copies, from the Processor's systems within a reasonable time (typically within 30 days) of termination, and provide the Controller with written certification of deletion.
Where the Processor is required by applicable law to retain any Personal Data beyond the termination of the service agreement, the Processor shall inform the Controller of such requirement and shall continue to protect the retained data in accordance with this DPA.
Survival: The following provisions shall survive termination of this DPA: definitions (Section 1), confidentiality obligations, data breach notification obligations (Section 8), audit rights (Section 9) to the extent necessary to verify post-termination compliance, and liability provisions (Section 11).
Each party's liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set forth in the main service agreement between the Controller and the Processor.
Exceptions to limitation: Nothing in this DPA or the main service agreement shall limit or exclude either party's liability for:
- Willful or intentional breach of data protection obligations under this DPA
- Liability that cannot be limited or excluded under applicable data protection law
- Obligations to pay fines, penalties, or compensation imposed by a supervisory authority or court in respect of a party's own breach of the GDPR
Indemnification: Each party shall indemnify and hold harmless the other party from and against any losses, damages, costs, and expenses (including reasonable legal fees) arising from the indemnifying party's breach of this DPA or applicable data protection law, subject to the liability limitations in the main service agreement.
Apportionment: Where both parties are responsible for damage caused by processing, each party shall be liable for its share of responsibility in accordance with Article 82 of the GDPR.
This DPA shall be governed by and construed in accordance with the laws applicable to the main service agreement between the Controller and the Processor.
EU/UK precedence: For Data Subjects located in the European Economic Area or UK, the provisions of GDPR or UK GDPR shall take precedence over any conflicting terms in this DPA or the main service agreement.
Australia: Where Australian Privacy Act requirements apply, the parties will cooperate to meet APP obligations and any complaint processes under Australian law.
Dispute resolution: Any dispute arising out of or in connection with this DPA that cannot be resolved amicably shall be referred to:
- The competent supervisory authority, where the dispute concerns the exercise of rights by a Data Subject or the interpretation of GDPR provisions
- The competent courts of the jurisdiction specified in the main service agreement, for all other disputes
Amendments: This DPA may be amended only by written agreement between both parties. The Processor may update the technical and organizational measures described in Section 5 from time to time, provided that such updates do not materially reduce the level of protection afforded to Personal Data.
Entire agreement: This DPA, together with the main service agreement and any applicable Standard Contractual Clauses, constitutes the entire agreement between the parties with respect to the processing of Personal Data.
This Data Processing Agreement supplements the main Terms of Service. For enterprise agreements requiring a signed DPA, contact legal@hex.gg.