Data Processing Agreement

Last updated on November 20, 2025.

This Data Processing Agreement (this “DPA”) is incorporated into the agreement between Alfalfa and Customer referencing this Data Processing Agreement (the “Agreement”). Capitalized terms used but not defined in this DPA (or in another document referenced by this DPA) will be understood to have the meanings given to them in the Agreement.

1. Data Processing, Subject Matter, and Roles.

1.1. Data Processing.

In the course of providing the Services to Customer pursuant to the Agreement, Alfalfa may Process Customer Data that constitutes “personal data,” “personal information,” “personally identifiable information,” or an analogous term under applicable law (“Customer Personal Data”). The Parties agree to comply with this DPA and all privacy and data protection laws applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable, those of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States (including the California Consumer Privacy Act or “CCPA”) (collectively, “Data Protection Laws”).

1.2. Subject Matter.

The subject matter, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of “Data Subjects” (as such term is defined under applicable Data Protection Laws) are set out in Annex I, which is an integral part of this DPA.

1.3. Roles.

Customer is a “Controller” or “Business” (as such terms are defined under applicable Data Protection Law) and appoints Alfalfa as a “Processor” or “Service Provider” (as such terms are defined under applicable Data Protection Law) on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers and Businesses. If Customer is a Processor on behalf of a Controller for which Customer is a Processor (“Third-Party Controller”), then Customer (i) is the single point of contact for Alfalfa, (ii) must obtain all necessary authorizations from such Third-Party Controller, and (iii) undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.

2. Processing Instructions.

Alfalfa shall Process Customer Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the DPA, Agreement, and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

3. Personnel.

Alfalfa will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.

4. CCPA Limitations on Processing.

Except as permitted by applicable Data Protection Law, the Addendum, or this DPA, Alfalfa is prohibited from: (a) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purposes of performing the Services and in accordance with Customer’s documented instructions; (b) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties; (c) combining Customer Personal Data with Customer Personal Data obtained from, or on behalf of, sources other than Customer; and (d) “Selling” or “Sharing” (as such terms are defined under applicable Data Protection Laws) Customer Personal Data.

5. Security and Security Incident.

5.1. Security.

Alfalfa will implement reasonable and appropriate technical and organizational measures designed to ensure a level of security appropriate to the risks presented by the Processing of Customer Personal Data in accordance with (a) the measures set forth in Annex II and (b) SOC-2, ISO-27001, NIST 800-53 or a substantially equivalent standard during the Term.

5.2. Security Incident Notification.

Alfalfa will notify Customer without undue delay and within 72 hours after becoming aware of any actual or reasonably suspected unauthorized access to, or other Processing of, Customer Personal Data (“Security Incident”). If Alfalfa’s notification of a Security Incident is delayed, it will be accompanied by reasons for the delay.

5.3. Security Incident Response.

Alfalfa will take reasonable measures in response to a Security Incident, including (i) taking measures designed to mitigate any Security Incident and prevent the recurrence of the Security Incident, (ii) providing Customer with reasonable information relating to the Security Incident known to Alfalfa, and (iii) providing other commercially reasonable assistance to Customer in complying with its obligations under applicable Data Protection Laws.

5.4. Vulnerability Testing.

Alfalfa will perform vulnerability scanning of Alfalfa’s software-as-a-service platform used to provide the Services.

5.5. Encryption.

Alfalfa will encrypt Customer Personal Data in accordance with industry accepted standards, strong encryption techniques, and current security protocols.

6. Subprocessing.

6.1. Subprocessors.

Customer hereby authorizes Alfalfa to engage any Processor that processes Customer Personal Data on behalf of Alfalfa (“Subprocessor”). A list of Alfalfa’s current Subprocessors is listed in Annex III.

6.2. Subprocessor Agreements.

Alfalfa will enter into a written agreement with all Subprocessors which imposes substantially similar obligations on the Subprocessors as the obligations imposed on Alfalfa under this DPA.

6.3. Subprocessor Changes.

Alfalfa will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds that the appointment of such Subprocessor will result in a material violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Alfalfa’s notification of the intended change. Customer and Alfalfa will work together in good faith to address Customer’s objection. If Alfalfa chooses to retain such new Subprocessor, Alfalfa will inform Customer at least thirty (30) days before authorizing such Subprocessor to Process Customer Personal Data, and either party may immediately discontinue providing or using the relevant parts of the Services that use such Subprocessor, as applicable, and may terminate the relevant parts of the Services that use such Subprocessor within thirty (30) days.

7. Assistance.

Taking into account the nature of the Processing, and the information available to Alfalfa, Alfalfa will provide reasonable assistance, including in connection with implementing appropriate technical and organizational measures, to Customer designed to comply with Data Subject or “Consumer” (as such term is defined under applicable Data Protection Laws) requests, reply to inquiries, complaints, and investigations, and conduct data protection impact assessments, data protection assessments, and prior consultations with regulators.

8. Audit.

Upon Customer’s reasonable written request, Alfalfa will permit Customer, at Customer’s expense, to audit Alfalfa’s applicable controls and compliance with this DPA (an “Audit”), provided such Audit is (a) conducted by Customer or a third-party auditor designated by Customer that has executed an appropriate confidentiality agreement with Alfalfa, (b) Customer and Alfalfa mutually agree on reasonable details of the Audit, including the start date, scope and duration of, and security and confidentiality controls applicable to, such audit, and (c) a similar Audit has not already been conducted less than twelve (12) months prior, unless it is required by a supervisory authority or other regulatory authority responsible for the enforcement of Data Protection Law. Customer will pay all costs and expenses incurred by Alfalfa in connection with any such Audit. Customer may use the results of an Audit only for the purposes of meeting Customer’s regulatory audit requirements and confirming compliance with the requirements of the DPA.

9. International Data Transfers.

9.1. European Data Transfers.

Alfalfa will obtain Customer’s specific prior written authorization for any transfer of Customer Personal Data subject to European Data Protection Law that is not subject to an adequacy decision by the European Commission (“International Data Transfer”). Customer hereby authorizes Alfalfa to conduct International Data Transfers outside the EEA or Switzerland:

  • to any country subject to a valid adequacy decision of the European Commission;
  • on the basis of an organization’s binding corporate rules approved by EEA Supervisory Authorities; and
  • to any data importer with whom Alfalfa has entered into standard contractual clauses (“SCCs”).

9.2. European Transfer Mechanisms.

Customer and Alfalfa conclude Module 2 (Controller-to-Processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Alfalfa; the optional docking clause in Clause 7 is implemented; Option 1 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annex I and II to the SCCs are Annex I, II and III to this DPA respectively. For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.

9.3. UK Data Transfers.

Customer hereby authorizes Alfalfa to perform International Data Transfers outside the UK subject to the requirements:

  • to any country subject to a valid adequacy decision issued by the UK Government;
  • on the basis of an organization’s binding corporate rules approved by the UK Information Commissioner; and
  • to any data importer with whom Alfalfa has entered into the UK Addendum or other standard contractual clauses issued by the UK Information Commissioner, as appropriate.

9.4. UK Transfer Mechanism.

Customer and Alfalfa conclude the UK Addendum which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Alfalfa, their details are set forth in this DPA and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B), II, and III to the “Approved EU SCCs” are Annex I, II, and III to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

10. Return and Deletion.

Following the date of expiration or earlier termination of this Addendum, Alfalfa will promptly return or delete all Customer Personal Data; provided, however, that Alfalfa may retain copies of Customer Personal Data as expressly agreed by the parties or as required by applicable law or contained in standard backups that will remain subject to the protections of this Addendum.

ANNEX I

DESCRIPTION OF THE TRANSFER

A. LIST OF PARTIES

Data exporter:

  • Name: Customer (as defined above)
  • Activities relevant to the data transferred under these Clauses: Customer receives Alfalfa’s services as described in the Agreement and Customer provides Personal Data to Alfalfa in that context.
  • Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller

Data importer:

  • Name: Alfalfa (as defined above)
  • Activities relevant to the data transferred under these Clauses: Alfalfa provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
  • Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller

B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER

  • Categories of Data Subjects whose Customer Personal Data is transferred:
    • Customer’s customers
    • Customer’s personnel, staff and contractors
  • Categories of Customer Personal Data transferred:
    • Name
    • Contact details
  • Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
    • N/A
  • The frequency of the International Data Transfer (e.g. whether the Customer Personal Data is transferred on a one-off or continuous basis):
    • On a continuous basis
  • Nature of the processing:
    • The Customer Personal Data will be processed and transferred as described in the Agreement.
  • Purpose(s) of the International Data Transfer and further Processing:
    • The Customer Personal Data will be transferred and further processed for the provision of the services as described in the Agreement.
  • The period for which the Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
    • Customer Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
  • For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing:
    • For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

  • The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of Ireland.
  • The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
  • The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Alfalfa will implement security safeguards designed to protect Customer Personal Data from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage in accordance with the SOC 2, ISO 27001, NIST 800-53 or a substantially equivalent standard.

ANNEX III

LIST OF SUBPROCESSORS

Customer authorizes Alfalfa to engage the following Subprocessors:

| Name | Location of Processing | Nature and Purpose of Processing |
|---|---|---|
| Vercel | United States | Cloud / Application Hosting Provider |
| OpenAI | United States | AI Model Service Provider |
| Anthropic | United States | AI Model Service Provider |
| Google | United States | User Authentication Services |
| Microsoft | United States | User Authentication Services |
| Supabase | United States | Database Provider |
| Stripe | United States | Payment Processing |

Contact Information

For questions or concerns, contact us at:
support@getalfalfa.com