DATA PROCESSING ADDENDUM
Last Updated: February 25, 2026
This Data Processing Addendum ("DPA") forms part of and is governed by the Terms of Service or any other agreement ("Agreement") executed by and between Baseshift, Inc. or any of its subsidiaries or affiliated companies (“Baseshift” or “Company”) and the Customer, as such terms are defined in the Agreement. Baseshift and Customer shall each be referred to as “party” and collectively as “parties”. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
WHEREAS, Baseshift provides Customer access to the Platform and related Services as defined under the Agreement; and
WHEREAS, the Services may require Baseshift to Process Customer Data, that includes Personal Data (as such terms are defined below) on Customer's behalf, subject to the terms and conditions of this DPA and applicable Data Protection Laws.
- DEFINITIONS
- "Adequate Country" is a country that received an adequacy decision from the European Commission or other applicable data protection authority.
- The terms "Business", "Business Purpose", "Consumer", "Controller", "Data Subject", “Database Owner”, "Personal Data", "Personal Data Breach", "Personal Information", "Processing" (and "Process"), "Processor", "Holder", "Service Provider", "Sale", "Sell" and "Share", "Special Categories of Personal Data", "Sensitive Data" and "Supervisory Authority", shall all have the same meanings as ascribed to them under the applicable Data Protection Laws. Further, under this DPA: "Data Subject" shall also mean and refer to a "Consumer", "Personal Data" shall also mean and refer to "Personal Information" and "Special Categories of Data" or "Highly Sensitive Data" shall also mean and refer to "Sensitive Data".
- "Customer Data" means Customer Data containing Personal Data (or the equivalent term) Processed by Baseshift in the course of providing the Platform and Services, all as detailed in Annex I attached herein. In the On-Prem Model, this excludes data that is masked or anonymized within Customer's infrastructure prior to any transfer to Baseshift's SaaS systems.
- "Data Protection Law" means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law, the U.S. Data Protection Laws, and any other applicable laws as may be amended or superseded from time to time).
- “EEA” means the European Economic Area.
- “European Data Protection Law” means, collectively, the laws and regulations of the European Union, the EEA, their member states, and the United Kingdom, applicable to the Processing of Personal Data, including (where applicable): (i) “EU Data Protection Laws”- EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”); Regulation 2018/1725; and the e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (ii) “UK Data Protection Laws” - the Data Protection Act 2018 (DPA 2018), as amended, and EU GDPR as incorporated into UK law as amended (“UK GDPR” and collectively with the EU GDPR shall be referred to herein as the “GDPR”); (iii) “Swiss Data Protection Laws” or “FADP” - the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”) and the Ordinance on the Federal Act on Data Protection (“FODP”); (iv) any national data protection laws made under, pursuant to, replacing or succeeding the EU GDPR or the e-Privacy Law; (v) any amendment or legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding judicial or administrative interpretation of any of the above, or approved certification mechanisms issued by any relevant Supervisory Authority.
- “Instructions” means the written, documented instructions provided by the Customer to Baseshift directing Baseshift to perform a specific or general action with regard to Customer Data.
- “Israeli Data Protection Laws” means, collectively, the: (i) Israeli Protection of Privacy Law, 5741-1981 (as amended under Amendment 13); (ii) the regulations promulgated pursuant thereto, including the Israeli Protection of Privacy (Data Security) Regulations, 5777-2017 and the Israeli Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 5761-2001; (iii) any amendments or legislation replacing or updating any of the foregoing; and (iv) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or certification mechanisms approved by the Israeli Privacy Protection Authority.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data. Any Personal Data Breach will comprise a Security Incident.
- “Standard Contractual Clauses” or “SCCs” means: (i) the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found: here and incorporated herein by reference (“EU SCC”); (ii) the UK “International Data Transfer Addendum to the European Commission Standard Contractual Clauses” available at: https://ico.org.uk/media2/migrated/4019538/international-data-transfer-agreement.pdf and incorporated herein by reference (“UK SCC”); or (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”).
- “US Data Protection Laws” means any and all applicable federal and state privacy laws and regulations applicable to the Baseshift Processing activities of Customer Data under this DPA, and any implementing regulations and amendment thereto, all as amended or superseded from time to time.
- ROLES AND DETAILS OF PROCESSING
- The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Data, Baseshift is acting as a Data Processor (or Sub-processor, as applicable) and Customer is acting as a Data Controller (or Processor, as applicable). Notwithstanding the above, Baseshift is the owner and Data Controller of the Usage Data (as defined in the Agreement) and certain Customer Account information, such as contact information, transactions and other commercial information which is used to manage the customer relationship, provide support, repair bugs, facilitate security, optimize the user experience, provide maintenance and carry out core business functions such as accounting, billing, and filing taxes.
- Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law. The Customer shall be exclusively responsible to ensure its Instructions are compliant with applicable Data Protection Laws and enable a lawful Processing of Customer Data, including by obtaining any required consent and providing any required disclosures under applicable Data Protection Laws. Baseshift shall act on such Instructions as provided by the Customer.
- Customer warrants that it has all the necessary rights to provide the Customer Data to Baseshift for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in the applicable Data Protection Laws support the lawfulness of the Processing. To the extent required by the applicable Data Protection Law, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects, and unless another legal basis set forth in the applicable Data Protection Law supports the lawfulness of the Processing, that any necessary Data Subject consents to the Processing are obtained, and for ensuring that a record of such consent is maintained. Should such consent be revoked by a Data Subject, Customer is responsible for communicating the fact of such revocation to Baseshift, and Baseshift will act pursuant to Customer's Instructions as seems appropriate.
- The subject matter and duration of the Processing carried out by Baseshift on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.
- Product Models and Processing Flows. The Services may be provided in different deployment models, and the scope of Customer Data Processed by Baseshift depends on Customer's configuration and Instructions as further detailed in Annex I. SaaS Model: snapshotting/masking may run in Baseshift's cloud environment; clone artifacts are made available; query logging and query-derived reporting/PR-gates are part of the Services. On-Prem Model: Baseshift software is deployed within Customer's environment and is managed via the SaaS control plane; control-plane connectivity and operational telemetry are not optional; uploading recorded query logs from Customer-hosted clones to Baseshift's SaaS is optional and controlled by Customer configuration. Customer controls masking rules as Customer Instructions and is responsible for configuring masking policies and proxy settings.
- If any Sensitive Data or Special Categories of Personal Data or Highly Sensitive Data is processed (as those terms are defined under Data Protection Laws), or any Personal Data that is deemed by regulatory authorities as meriting sensitive treatment under applicable Data Protection Law, it is Customer's responsibility to inform Baseshift of such processing, and ensure additional contractual obligations are met, if needed and applicable. For avoidance of doubt, Baseshift does not access or review Customer Data except as necessary to provide the Platform and Services (including automated processing and analysis as configured by Customer) and to comply with applicable law, and may not be aware of any sensitivity within Customer Data. Customer acknowledges that Baseshift relies on Customer-configured masking policies and does not independently verify that Customer Data is properly masked or anonymized.
- PROCESSING OF PERSONAL DATA
- Baseshift represents and warrants that it shall Process Customer Data, on behalf of the Customer, solely for the purpose of providing the Platform and the Services (including automated analysis, reporting, and similar features as configured by Customer), all in accordance with Customer's Instructions. Notwithstanding the above, in the event Baseshift is required under applicable laws, including Data Protection Law, to Process Customer Data other than as instructed by Customer, it shall make its best efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.
- Baseshift hereby certifies it understands the rules, requirements and definitions under applicable Data Protection Law, and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose specified in the Agreement; (iii) receive or Process any Personal Information as consideration for any Services it provides to the Customer; or (iv) combine Customer Data with other customer data in a manner that identifies Customer or any individual. Notwithstanding the foregoing, Baseshift may create and use aggregated and/or de-identified data derived from Customer Data for purposes of operating, maintaining, securing, and improving the Platform and Services, provided that such data does not identify, and cannot reasonably be used to identify, any individual or Customer, and Baseshift will not attempt to re-identify such data.
- Baseshift shall comply with the requirements set forth under applicable Data Protection Law with regards to processing of de-identified data.
- Baseshift shall inform Customer without undue delay in the event that, according to Baseshift's reasonable discretion, any of Customer's Instructions infringes applicable laws, and Baseshift shall have the right to immediately cease and suspend any such Processing activity related to the infringing Instruction.
- Baseshift shall notify the Customer if it determines that it can no longer meet its obligations under this DPA or applicable Data Protection Law.
- Baseshift shall provide reasonable cooperation and assistance to the Customer in ensuring compliance with its obligation to carry out data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities to the extent required under applicable Data Protection Laws, provided that Baseshift shall only be required to assist with respect to information which is reasonably available to Baseshift and to which Customer does not have reasonable access.
- Where applicable, Baseshift shall assist the Customer in ensuring that Customer Data Processed is accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that the Customer Data it is processing is inaccurate or has become outdated.
- Baseshift shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may access or Process Customer Data; and (ii) that the staff or any other person authorized to Process Customer Data has committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- DATA SUBJECTS RIGHTS AND REQUESTS
- It is agreed that where Baseshift receives a data subject request or a request from a regulator or authority in respect to Customer Data, where applicable, Baseshift will notify the Customer of such request promptly and direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject's or the applicable authority's request, unless otherwise required under applicable laws or prohibited.
- Baseshift will reasonably cooperate with and assist Customer in responding to such request, provided that the Customer cannot reasonably fulfill such obligations independently with the help of the documentation, the website or any other self-service feature provided by Baseshift.
- SUB-PROCESSING
- The Customer acknowledges that Baseshift may transfer Customer Data to and otherwise interact with third party data Processors ("Sub-Processor"). The Customer hereby authorizes Baseshift to engage and appoint such Sub-Processors as listed in Annex III to process Customer Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Baseshift may continue to use those Sub-Processors already engaged by it, or engage an additional Sub-Processor or replace an existing Sub-Processor to Process Customer Data, subject to the provision of thirty (30) days' prior notice of its intention to do so to the Customer (via email correspondence or through the Customer account). In case the Customer has not objected to the adding or replacing of a Sub-Processor within such notice period, such Sub-Processor shall be deemed approved by the Customer. In the event the Customer objects to the adding or replacing of a Sub-Processor within such notice period, Baseshift may, under Baseshift's sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement where the Platform and Services cannot be reasonably provided under such circumstances, without liability to Customer.
- Baseshift shall, where it engages any Sub-Processor, impose, through a legally binding contract between Baseshift and the Sub-Processor, data protection obligations that are no less onerous than, and provide at least the same level of protection as, those set out in this DPA. Baseshift shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws.
- Baseshift shall remain responsible to the Customer for the performance of the Sub-Processor's obligations in accordance with this DPA.
- TECHNICAL AND ORGANIZATIONAL MEASURES
- Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Baseshift hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws to ensure lawful Processing of Customer Data and safeguard Customer Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction.
- Current technical and organizational measures implemented and maintained by Baseshift are further detailed in Annex II to this DPA, as updated from time to time (provided that any such amendments will not have a material negative effect on the level of protection provided to Customer Data).
- Shared Responsibility for On-Prem Deployment. Customer acknowledges that where the Platform is deployed in Customer's own cloud environment (the "On-Prem Model"), Baseshift does not host, store, or control the physical or logical security of the underlying infrastructure where database snapshots and clones reside. In the On-Prem Model: (a) Baseshift's security obligations under this DPA apply solely to the Baseshift SaaS control plane, the security of the software code provided by Baseshift, and any Customer Data transmitted to and stored within Baseshift's SaaS systems (e.g., metadata, schemas, and query logs if enabled); and (b) Customer is solely responsible for the security, access controls, and configuration of its cloud environment (including storage, registries, networking, and credential management) and for the secure configuration of masking policies applied within Customer's environment.
- SECURITY INCIDENT
- Baseshift will notify the Customer without undue delay (and no later than 48 hours) upon becoming aware of any Security Incident concerning Customer Data and will take necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause. Upon Customer's request, Baseshift will reasonably co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, or mitigation of the Security Incident.
- Baseshift will notify the Customer in writing and will keep the Customer informed of any material developments in connection with the Security Incident. Baseshift's notification or compliance with its obligations under this Section shall not be construed as an acknowledgment by Baseshift of any fault or liability with respect to the Security Incident.
- AUDIT RIGHTS
- Baseshift shall maintain accurate written records of any and all the Processing activities carried out under this DPA and shall make such records available to the Customer upon 30-day prior written request, and not more than once per twelve (12) months during the Term of the Agreement (“Audit Reports”). Information provided through Customer’s questionnaire shall be defined as a sufficient Audit Report. The Audit Report provided shall be considered Baseshift's Confidential Information and shall be subject to confidentiality obligations.
- In the event the records and documentation provided subject to Section 8.1 above are reasonably determined as not sufficient for the purpose of demonstrating compliance, Customer may audit Baseshift's compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an audit conducted by a third party auditor (e.g., ISO 27001 certificate), or a comparable certification or other security certification of an audit conducted by a third-party auditor, within twelve (12) months as of the date of Customer's request.
- Alternatively, in the event the records and documentation provided subject to Section 8.1 and 8.2 above are not sufficient for the purpose of demonstrating compliance, Baseshift shall make available, solely upon prior reasonable written notice (at least thirty (30) days) and no more than once per calendar year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA and Data Protection Laws, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data within Baseshift's systems (and, in the On-Prem Model, limited to metadata/control plane data transmitted to Baseshift and Baseshift's processing thereof) ("Audit") in accordance with the terms and conditions hereunder. Audits under this Section are available only to Customers with annual fees exceeding US$10,000; lower-tier Customers may request Audit Reports but not on-site or third-party audits. The auditor shall be subject to standard confidentiality obligations (including third parties). Baseshift may object to an auditor appointed by the Customer in the event Baseshift reasonably believes the auditor is not suitably qualified or is a competitor of Baseshift. Customer shall bear all expenses related to the Audit. Any Audit shall be conducted during normal business hours, with at most one (1) Audit per year, limited to two (2) business days, and Customer shall (and ensure that each of its auditors shall) avoid causing any damage, injury, or disruption to Baseshift's premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit.
- Nothing in this DPA will require Baseshift to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) data related to other customers or partners; (ii) Baseshift's internal accounting or financial information; (iii) any trade secret of Baseshift or its Affiliates; (iv) any information that, in Baseshift's reasonable opinion, could compromise the security of any Baseshift's systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer's obligations under the Data Protection Laws. No access to any part of Baseshift’s IT systems or infrastructure (including, without limitation, any hands-on or intrusive testing) will be permitted.
- Without derogating from the generality of the foregoing, upon Customer's request, and at least annually, Baseshift will provide the Customer with a report on the fulfillment of its obligations under the Data Protection Laws and this DPA.
- CROSS BORDER PERSONAL DATA TRANSFERS
- Customer acknowledges and agrees that for the provisions of the Platform and the Services, Baseshift may Process, including transfer, Customer Data to various jurisdictions where Baseshift, its affiliates or Sub-Processors operate. Baseshift will ensure that transfers are made in compliance with Data Protection Laws. Transfers may include operational telemetry and metadata to Baseshift's EU-based systems (e.g., AWS eu-west-1), subject to Standard Contractual Clauses where required.
- Where European Data Protection Laws apply:
- Baseshift will not transfer Customer Data originating from the EEA, UK or Switzerland, unless it takes all such measures as are necessary to ensure the transfer is in compliance with European Data Protection Laws. Such measures may include (without limitation): (i) transferring such Customer Data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including to an Adequate Country or data privacy and transfer frameworks; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) to a recipient that has executed the Standard Contractual Clauses.
- When Customer and Baseshift rely on the SCC to facilitate a transfer to a third country the following shall apply:
- For transfer of Customer Data from the EEA, the EU SCC shall apply and be completed as follows: (1) Module II (Controller to Processor) will apply; (2) In Clause 7, the optional docking clause will not apply; (3) In Clause 9, option 2 (general written authorization) shall apply for the Sub-Processors listed in the Sub-Processors list, and the method for appointing Sub-Processors shall be as set forth in the Sub-Processing Section of the DPA; (4) In Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body; (5) In Clause 17, option 1 shall apply, and the EU SCC shall be governed by the law of the Republic of Ireland; (6) In Clause 18(b), the parties choose the competent courts of the Republic of Ireland as their choice of forum and jurisdiction; (7) Annex I(A) of the EU SCC is completed as follows: Customer is the Data Exporter, Baseshift is the Data Importer, and the parties' contact details are as completed under the Agreement; Annex I(B) of the EU SCC is completed as set out in Annex I of this DPA; Annex I(C) of the EU SCC shall identify the competent supervisory authority/ies as the supervisory authority of the Republic of Ireland; (8) Annex II of the EU SCC is deemed completed with the information as set out in Annex II of this DPA; (9) Annex III of the EU SCC shall be completed with the list of Sub-Processors set out in Annex III of this DPA.
- For transfer of Customer Data from the UK, the UK SCC shall apply and be completed as follows: (1) Table 1 shall be completed as set forth in Section (a)(7) above; (2) Table 2 shall be completed as set forth in Sections (a)(1) - (a)(4) above; (3) Table 3 shall be completed as follows: Annex 1A shall be completed with the relevant information as set out in Section (a)(7) above; Annex 1B shall be completed with the relevant information as set out in Annex I of this DPA; Annex II shall be completed with the relevant information as set out in Annex II of this DPA; Annex III shall be completed with the list of Sub-Processors set out in Annex III of this DPA; (4) Table 4 shall be completed with the “neither party” option; and (5) Any conflict between the terms of the EU SCC and the UK SCC will be resolved in accordance with Section 10 and Section 11 of the UK SCC.
- For transfer of Customer Data from Switzerland, the Swiss SCC shall apply with the following modifications: (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
- TERM, TERMINATION AND CONFLICT
- This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates or as long as Baseshift Processes Customer Data.
- Baseshift shall be entitled to terminate this DPA or cease the Processing of Customer Data in the event that Processing of Customer Data under the Customer’s Instructions or this DPA infringes applicable legal requirements, provided Customer did not provide updated Instructions to cure such infringement within ten (10) days from receiving applicable notice from Baseshift. Alternatively, Baseshift may, in its sole discretion, suspend the Processing of the Customer Data until such infringement is cured, without liability to the Customer and without prejudice to any fees incurred by Customer prior to the suspension date.
- Following the termination or expiration of this DPA, Baseshift shall, upon Customer's written request, delete all Customer Data Processed on behalf of the Customer and certify to the Customer that it has done so, or return all Customer Data to the Customer and delete existing copies, unless applicable law or regulatory requirements require that Baseshift continue to store Customer Data. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA. Customer's choice shall be provided in writing to Baseshift following the effective date of termination. Notwithstanding the foregoing, Baseshift may retain Customer Data (i) as required by applicable laws; or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Baseshift will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Customer Data and will not further Process it except as required by Data Protection Law. With respect to the On-Prem Model, Customer acknowledges that Baseshift's deletion and certification obligations apply solely to Customer Data within Baseshift's systems (including metadata and logs stored in the SaaS control plane) and not to data residing exclusively within Customer's infrastructure or Customer-hosted components.
- In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect as between Customer and Baseshift.
ANNEX I - DETAILS OF PROCESSING
This Annex I includes certain details of the Processing of Personal Data as required under the Data Protection Laws.
ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES
- Baseshift implements, and throughout the term of this DPA will maintain, a comprehensive information security program which shall take into account the nature, scope and purposes of Processing and the risks to the rights and freedoms of natural persons, and which shall provide for the establishment and maintenance of technical, physical, and administrative safeguards to: (i) ensure the security, availability, and confidentiality of Customer Data; (ii) protect against any foreseeable threats or hazards to the security or integrity of Customer Data; (iii) protect against any willful, negligent, accidental or unlawful access, acquisition, use, alteration, disclosure, loss or destruction of Customer Data; and (iv) ensure secure and appropriate disposal of Customer Data (“Information Security Program”). Baseshift further represents that it implements the following security measures as a part of the Information Security Program:
- Baseshift shall establish a procedure for allowing access to Personal Data and restriction of such access. Baseshift shall ensure that access to Personal Data is strictly limited to those individuals who "need to know" or need to access the Personal Data and as strictly necessary for the purpose of providing the Platform and Services and shall keep record of the persons authorized to access the Personal Data subject of the Agreement.
- Baseshift shall take all steps reasonably necessary to ensure the reliability of the individuals who may have access to Personal Data and shall ensure that each such individual (i) is informed of the confidential nature of the Personal Data; (ii) has received appropriate training on his/her responsibilities; and (iii) is subject to written confidentiality undertakings and written security protocols.
- Baseshift shall implement physical measures to ensure that access to the Personal Data is granted only to authorized users.
- Baseshift shall maintain and implement sufficient and appropriate (based on the type of Personal Data and its sensitivity) environmental, physical and logical security measures with respect to the Personal Data and to Baseshift’s system infrastructure, data processing systems, communication means, terminals, system architecture, hardware and software, in order to prevent penetration and unauthorized access to Customer Personal Data or to Customer’s systems.
- Baseshift shall act in accordance with an appropriate written information security policy and working procedures that comply with the security requirements under this Annex and Data Protection Law, including with respect to backup and recovery procedures. Baseshift shall review its security policies and operating procedures periodically, and when material changes to the systems or Processing are made, all in order to amend them, if required.
- Baseshift shall take measures to record the access to the Personal Data, including monitoring the entry into the facilities where the Personal Data is Processed, as well as any equipment brought in or taken out of such facilities.
- Baseshift shall implement an automatic control mechanism for verifying access to systems containing Personal Data, which shall record, inter alia, the user identity, the date and time of the access attempt, the system component to which access was attempted, the type and scope of access, and whether access was granted or denied. Baseshift shall periodically monitor the information from the control mechanism and list issues and irregularities and the measures taken to handle them. Control records shall be maintained for a minimum of 24 months.
- Baseshift will perform periodic security risk surveys of systems containing Personal Data.
- Baseshift will not disclose Personal Data through a public communications network or via the internet, without using industry-standard encryption methods.
- Baseshift maintains ISO 27001 and SOC 2 Type II certifications, with reports available upon request under Section 8.
ANNEX III - SUB-PROCESSORS
As of the effective date above, Baseshift Inc. uses the following sub-processors: