DATA PROCESSING ADDENDUM

Last updated April 28, 2026

This Data Processing Addendum ('DPA') is entered into between District Tech Group Incorporated ('DTG', 'we', 'us', or 'our') and you, the customer or business entity ('Controller' or 'you'), and is incorporated into and forms part of the Terms of Service between DTG and you.

This DPA applies where and to the extent that DTG processes Personal Data on your behalf in connection with the Services. It is intended to satisfy the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable U.S. state privacy laws.

Questions? Contact our privacy team at info@districttechgroup.com.

TABLE OF CONTENTS

  1. DEFINITIONS
  2. ROLES AND SCOPE
  3. DTG'S OBLIGATIONS AS PROCESSOR
  4. YOUR OBLIGATIONS AS CONTROLLER
  5. SUB-PROCESSORS
  6. SECURITY MEASURES
  7. DATA SUBJECT RIGHTS
  8. PERSONAL DATA BREACH NOTIFICATION
  9. DATA RETENTION AND DELETION
  10. INTERNATIONAL DATA TRANSFERS
  11. AUDITS AND COMPLIANCE
  12. LIABILITY AND INDEMNIFICATION
  13. TERM AND TERMINATION
  14. GOVERNING LAW
  15. CONTACT AND AMENDMENTS
  16. SCHEDULE 1 — DETAILS OF PROCESSING
  17. SCHEDULE 2 — APPROVED SUB-PROCESSORS

1. DEFINITIONS

In this DPA, the following terms have the meanings set out below:

  • 'Personal Data' means any information relating to an identified or identifiable natural person that DTG processes on your behalf in connection with the Services.
  • 'Processing' means any operation performed on Personal Data, including collection, storage, use, disclosure, erasure, or destruction.
  • 'Controller' means the entity that determines the purposes and means of Processing Personal Data — in this context, you.
  • 'Processor' means the entity that processes Personal Data on behalf of the Controller — in this context, DTG.
  • 'Sub-Processor' means any third party engaged by DTG to process Personal Data on your behalf.
  • 'Data Subject' means the natural person to whom Personal Data relates.
  • 'Security Incident' or 'Personal Data Breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • 'Applicable Data Protection Law' means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR, UK GDPR, CCPA/CPRA, and applicable U.S. state privacy laws.
  • 'Services' has the meaning given in the Terms of Service.

2. ROLES AND SCOPE

2.1 Processor Relationship

To the extent DTG processes Personal Data on your behalf in connection with the Services, DTG acts as a Processor and you act as the Controller. DTG will process Personal Data only on your documented instructions and as described in this DPA and Schedule 1.

2.2 Independent Processing

Notwithstanding the above, DTG may also process certain Personal Data as an independent Controller for its own purposes (such as account management, billing, and fraud prevention) as described in DTG's Privacy Policy. That processing is not governed by this DPA.

2.3 Details of Processing

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Schedule 1.

3. DTG'S OBLIGATIONS AS PROCESSOR

DTG agrees to:

  • Process Personal Data only on your documented instructions, unless required to do so by applicable law — in which case DTG will inform you of that legal requirement before processing, unless prohibited by law;
  • Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations;
  • Implement and maintain appropriate technical and organizational security measures as described in Section 6;
  • Assist you in fulfilling your obligations to respond to Data Subject requests as described in Section 7;
  • Notify you without undue delay upon becoming aware of a Personal Data Breach as described in Section 8;
  • Delete or return all Personal Data to you upon termination of the Services, as described in Section 9, unless retention is required by law;
  • Make available to you all information necessary to demonstrate compliance with this DPA and cooperate with audits as described in Section 11;
  • Promptly inform you if, in DTG's opinion, any instruction infringes Applicable Data Protection Law.

4. YOUR OBLIGATIONS AS CONTROLLER

You agree to:

  • Comply with all Applicable Data Protection Laws in your capacity as Controller, including establishing a valid legal basis for each category of Personal Data processing;
  • Provide all necessary notices to and obtain all necessary consents from Data Subjects as required by Applicable Data Protection Law;
  • Ensure that your instructions to DTG comply with Applicable Data Protection Law;
  • Not instruct DTG to process Personal Data in a manner that would cause DTG to violate Applicable Data Protection Law;
  • Maintain accurate, up-to-date records of processing activities as required by Applicable Data Protection Law.

5. SUB-PROCESSORS

5.1 Authorization

You provide general authorization for DTG to engage Sub-Processors to assist in providing the Services. DTG's current approved Sub-Processors are listed in Schedule 2.

5.2 Notice of Changes

DTG will provide at least 14 days' prior written notice (via email or update to Schedule 2) before engaging a new Sub-Processor or making material changes to an existing Sub-Processor engagement. If you reasonably object to a new Sub-Processor on data protection grounds, you may notify DTG in writing within 10 days of the notice. DTG will work with you in good faith to resolve the objection; if unresolved, you may terminate the affected Services without penalty.

5.3 Sub-Processor Obligations

DTG will impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA. DTG remains liable to you for the acts and omissions of its Sub-Processors to the same extent DTG would be liable if performing the services directly.

6. SECURITY MEASURES

DTG will implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures include, at minimum:

  • Encryption: Encryption of Personal Data in transit (TLS 1.2+) and at rest using industry-standard algorithms;
  • Access controls: Role-based access controls, multi-factor authentication for privileged accounts, and least-privilege principles;
  • Monitoring: Continuous monitoring of systems for unauthorized access attempts, anomalies, and security events;
  • Vulnerability management: Regular vulnerability scanning, patch management, and penetration testing;
  • Incident response: A documented incident response plan for detecting, responding to, and recovering from Security Incidents;
  • Personnel training: Regular security awareness training for all personnel with access to Personal Data;
  • Physical security: Appropriate physical access controls for systems that store or process Personal Data;
  • Business continuity: Regular data backups and tested recovery procedures.

DTG will review and update these measures periodically and will notify you of any material reduction in security measures that may affect Personal Data.

7. DATA SUBJECT RIGHTS

DTG will, to the extent legally permitted, promptly notify you if DTG receives a request from a Data Subject to exercise rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection). DTG will not respond to such requests directly unless instructed by you or required by law.

DTG will provide commercially reasonable assistance to help you fulfill Data Subject requests within the timeframes required by Applicable Data Protection Law, taking into account the nature of the processing and the information available to DTG.

8. PERSONAL DATA BREACH NOTIFICATION

In the event of a Personal Data Breach affecting Personal Data processed under this DPA, DTG will:

  • Notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach;
  • Provide you with sufficient information to fulfill your own breach notification obligations under Applicable Data Protection Law, including: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects and Personal Data records affected; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach;
  • Cooperate fully with you and take such reasonable steps as you direct to investigate, mitigate, and remediate the breach.

Notification under this section does not constitute an admission by DTG of fault or liability.

9. DATA RETENTION AND DELETION

DTG will retain Personal Data only for as long as necessary to provide the Services or as required by applicable law. Upon termination or expiration of the Services, or upon your written request, DTG will, at your election:

  • Securely delete or destroy all Personal Data processed on your behalf; or
  • Return all Personal Data to you in a commonly used, machine-readable format.

DTG will provide written confirmation of deletion upon request. Notwithstanding the above, DTG may retain Personal Data to the extent required by applicable law, provided that such data is isolated from further processing and protected by appropriate safeguards.

10. INTERNATIONAL DATA TRANSFERS

DTG primarily stores and processes Personal Data in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, and Personal Data is transferred to DTG in the United States or to any Sub-Processor in a country without an adequacy decision, DTG will ensure that such transfers are made in accordance with Applicable Data Protection Law, including through:

  • EU Standard Contractual Clauses (SCCs) as adopted by the European Commission, where applicable;
  • UK International Data Transfer Agreements (IDTAs) or addenda, where applicable; or
  • Other appropriate transfer mechanisms approved under Applicable Data Protection Law.

Please contact us at info@districttechgroup.com to request a copy of our Standard Contractual Clauses or other applicable transfer mechanisms.

11. AUDITS AND COMPLIANCE

DTG will make available to you all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits and inspections conducted by you or a third-party auditor mandated by you, subject to the following conditions:

  • You provide DTG with at least 30 days' prior written notice of any audit;
  • Audits are conducted during normal business hours and in a manner that minimizes disruption to DTG's operations;
  • Any third-party auditor is subject to a confidentiality agreement acceptable to DTG;
  • Audits are conducted no more than once per calendar year, unless required by a supervisory authority or following a Security Incident;
  • You bear all costs associated with any audit unless the audit reveals a material breach of this DPA by DTG.

DTG may satisfy audit obligations by providing relevant third-party certifications, audit reports (such as SOC 2 Type II), or other documentation in lieu of on-site inspections.

12. LIABILITY AND INDEMNIFICATION

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability where such limitation is not permitted under Applicable Data Protection Law (for example, for intentional misconduct or gross negligence in connection with a Personal Data Breach).

Each party agrees to indemnify and hold harmless the other party from claims, fines, penalties, or regulatory action arising from that party's failure to comply with its obligations under this DPA or Applicable Data Protection Law.

13. TERM AND TERMINATION

This DPA takes effect on the date you first accept the Terms of Service and remains in force for as long as DTG processes Personal Data on your behalf. It terminates automatically upon expiration or termination of the Terms of Service, subject to Section 9 (Data Retention and Deletion) and any survival provisions in the Terms of Service.

14. GOVERNING LAW

This DPA is governed by and construed in accordance with the laws of the State of Maryland, consistent with the Terms of Service, except to the extent that Applicable Data Protection Law requires otherwise. For EU/UK data subjects, the applicable Standard Contractual Clauses will govern to the extent of any conflict with Maryland law.

15. CONTACT AND AMENDMENTS

DTG may update this DPA from time to time to reflect changes in Applicable Data Protection Law or DTG's processing practices. We will provide at least 30 days' notice of material changes. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.

For questions about this DPA, data protection inquiries, or to submit a data subject access request, please contact:

District Tech Group Incorporated

Data Privacy Team

Email: info@districttechgroup.com

Website: https://www.districttechgroup.com

SCHEDULE 1 — DETAILS OF PROCESSING

Subject Matter

The provision of cybersecurity and technology support services by DTG to you, including endpoint protection, SOC monitoring, compliance advisory, and tech support services.

Duration

For the term of the Services as described in the Terms of Service, plus any retention period required by law.

Nature and Purpose of Processing

  • Delivery and management of cybersecurity services, including threat detection, incident response, and security monitoring;
  • Account management, authentication, and portal access;
  • Billing and payment processing;
  • Customer support and service delivery;
  • Security reporting and analytics.

Types of Personal Data

  • Identifiers: name, email address, phone number, IP address, device identifiers;
  • Account credentials and authentication data;
  • Billing and payment information (processed via Stripe);
  • Device telemetry and security event data (for cybersecurity service subscribers);
  • Communications and support correspondence.

Categories of Data Subjects

  • Your employees, contractors, and authorized users of the Services;
  • Individual subscribers (for consumer-facing services);
  • End users whose devices or data are protected by DTG services.

SCHEDULE 2 — APPROVED SUB-PROCESSORS

The following Sub-Processors are currently engaged by DTG in connection with the Services. DTG will update this schedule and provide notice as described in Section 5 when Sub-Processors are added or materially changed.

Sub-Processor    Purpose                             Location
Stripe, Inc.     Payment processing and billing      United States
Vercel, Inc.     Web hosting and content delivery    United States
Google LLC       Analytics and productivity tools    United States

This list will be updated as sub-processors are added or removed. Last reviewed: April 28, 2026.