Data Processing Addendum

Annex A: Technical and organizational security measures

This Data Processing Addendum (Annex A) forms part of your broader Agreement with us. For details of all the parts of our Agreement and how they are read together, see Dataweavers Legal | Terms of Service.

Latest Version | January 2026 

Technical And Organizational Measures

Dataweavers maintains technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data, taking into account the nature of the Services and the processing carried out by Dataweavers.

Dataweavers maintains an information security management system aligned to ISO/IEC 27001, and applies documented security, operational, and risk management policies, procedures, and review processes. These measures are subject to periodic review and update, provided that such updates do not materially reduce the overall level of security.

These measures include the following:

Technical and Organizational Security Measure | Implementation

1. Governance and Security

Dataweavers maintains a formal information security governance framework, including:

  • Documented information security policies, standards, and procedures aligned to ISO/IEC 27001

  • Defined security roles and responsibilities, including executive oversight of security and risk

  • Periodic risk assessments to identify and mitigate security risks

  • Internal review and audit processes to assess the effectiveness of security controls

  • Ongoing security awareness and training programs for personnel

2. Service Architecture and Tenancy Model

The Arc platform is deployed within the Customer’s Microsoft Azure tenant, or a Microsoft Azure tenant nominated and controlled by the Customer.

  • Customer Data, including production data, remains within the Customer-controlled Azure environment

  • Dataweavers does not operate Arc as a shared multi-tenant service for customer production data

  • Customer Data is not commingled with data from other customers

  • The Arc control plane processes and stores only limited operational metadata required for monitoring, deployment management, and support, and does not store Customer application or production data

3. Access Control and Identity Management

Access to Customer environments is restricted as follows:

  • Access is granted only to authorized Dataweavers personnel on a least privilege and need-to-know basis

  • Access is provisioned through the Customer’s Microsoft Entra ID tenant using mechanisms such as guest access or Azure Lighthouse delegation, subject to Customer approval

  • Administrative access requires multi-factor authentication (MFA)

  • Where enabled by the Customer, privileged access is subject to just-in-time (JIT) or time-bound activation through Privileged Identity Management (PIM)

  • Access is limited to the specific subscriptions and resources required for service delivery

  • Access rights are periodically reviewed and revoked promptly when no longer required

4. Application and Service Authentication

Dataweavers implements secure application and service authentication mechanisms, including:

  • Application components access Azure resources using managed identities where supported

  • Persistent credentials are minimized and not exposed in application code or configuration

  • Service-to-service interactions use restricted permissions aligned to operational requirements

  • Secrets and credentials are stored and managed using secure mechanisms (e.g. Azure Key Vault or equivalent)

  • Direct access to Customer Data by support personnel is not enabled by default

5. Encryption and Transmission Security

Dataweavers applies encryption and transmission security controls, including:

  • Customer Data is encrypted in transit using industry standard protocols (including TLS 1.2 or higher)

  • Encryption at rest is implemented using Azure-native encryption capabilities (including AES-256 where supported)

  • Encryption keys are managed in accordance with industry best practices, including secure storage and restricted access

  • Where supported, Customer-managed key (CMK) configurations may be used within the Customer environment

6. Network and Infrastructure Security

Dataweavers applies defense-in-depth security principles, including:

  • Network isolation and segmentation within the Customer Azure environment

  • Use of firewalls, private endpoints, and restricted service access

  • Web application and edge protection controls where applicable

  • Secure configuration and hardening of infrastructure components

  • Logical separation between production and non-production environments

7. Logging, Monitoring and Auditability

Dataweavers maintains logging, monitoring, and auditability capabilities, including:

  • Administrative access and operational activities are logged using Azure-native logging capabilities

  • Platform activity, telemetry, and security-relevant events are monitored for alerting, triage, and incident response

  • Where applicable, logs can also be integrated with centralized monitoring or customer SIEM tooling

  • Logs are protected against unauthorized modification and retained in accordance with defined retention policies

8. Vulnerability Management and Patching

Dataweavers maintains a vulnerability management program that includes:

  • Regular security posture assessments and vulnerability scanning using industry-standard tools

  • Identification, prioritization, and remediation of vulnerabilities based on severity

  • Application of security patches and updates in accordance with defined timelines

  • Critical vulnerabilities are addressed on an expedited basis appropriate to risk

  • Periodic penetration testing may be conducted on platform components

9. Change Management and Secure Operations

Dataweavers applies controlled change management and secure operational practices, including:

  • Production changes are subject to documented change control processes

  • Changes are reviewed, risk-assessed, and approved prior to implementation

  • Segregation of duties is applied where appropriate

  • Emergency changes follow defined procedures and are retrospectively reviewed

  • Operational activities are performed by authorized personnel in accordance with internal and Customer governance controls

10. Business Continuity and Disaster Recovery

Dataweavers maintains business continuity and disaster recovery measures, including:

  • The Arc platform leverages Azure-native resilience, redundancy, and availability capabilities within the Customer Environment

  • Backup and recovery processes are implemented where applicable to the deployed architecture

  • Business continuity and disaster recovery measures are designed to support restoration of service within reasonable timeframes

  • Recovery objectives (including RTO and RPO) are aligned to the Customer’s Azure configuration and service design

11. Personnel Security and Confidentiality

Dataweavers implements personnel security and confidentiality measures, including:

  • Personnel with access to Customer Data are subject to confidentiality obligations

  • All Personnel receive security and privacy training relevant to their roles

  • Dataweavers takes reasonable steps to ensure the reliability of personnel, agents, contractors, and subprocessors

  • Background checks may be conducted where permitted by applicable law

12. Incident Response

Dataweavers maintains incident detection and response capabilities, including:

  • Detection, triage, escalation, investigation, containment, and remediation of security incidents

  • Defined severity classification and response procedures

  • Internal coordination of incident response activities

  • Where a confirmed personal data breach affecting Customer Data occurs, notification is provided without undue delay and no later than 48 hours after becoming aware of the incident

13. Data Location, Retention and Deletion

Dataweavers applies data location, retention, and deletion controls, including:

  • Customer Data remains within the Customer’s Microsoft Azure tenant or a tenant nominated by the Customer

  • Dataweavers systems retain only limited operational metadata, support records, and audit logs as required

  • Retention is governed by documented policies and applicable legal requirements

  • Upon termination or expiry of the agreement, Customer Data held outside the Customer environment (if any) is returned or securely deleted

  • Secure deletion methods are applied to prevent data reconstruction

14. Data Minimization and Segregation

Dataweavers applies data minimization and segregation principles, including:

  • Dataweavers processes only the minimum Customer Data necessary to deliver the Services

  • Customer Data is logically and physically segregated within the Customer-controlled environment

  • Access to Customer Data is restricted and not enabled by default

15. Secure Development Practices

Dataweavers applies secure development practices to its platform components, including:

  • Dataweavers applies secure software development practices to platform components

  • Code is subject to review and testing prior to release

  • Security vulnerabilities are identified and remediated as part of the development lifecycle

  • Industry standards (such as OWASP guidance) are considered in development practices

16. Physical Security

Dataweavers relies on secure physical infrastructure controls, including:

  • Customer Data is hosted within Microsoft Azure data centers

  • Physical security controls (including access control, surveillance, and environmental protections) are implemented and managed by Microsoft Azure

  • Azure data centers maintain industry-recognized certifications (including ISO 27001 and SOC 2)

17. Subprocessor Controls

Dataweavers applies subprocessor governance and risk management controls, including:

  • Dataweavers conducts due diligence on authorized subprocessors

  • Subprocessors are contractually required to implement appropriate technical and organizational measures

  • Subprocessors are subject to ongoing assessment under Dataweavers’ supplier risk management processes

18. Accountability and Continuous Improvement

Dataweavers maintains accountability and continuous improvement practices, including:

  • Dataweavers maintains accountability for data protection through its ISO/IEC 27001-based ISMS framework

  • Security controls and processes are continuously reviewed and improved

  • Dataweavers monitors regulatory developments and adapts its practices where required

19. Data Portability and Erasure

Dataweavers supports data portability and erasure requirements, including:

  • Dataweavers supports the return or deletion of Customer Data in accordance with contractual obligations

  • Customer Data can be exported or removed from Dataweavers-controlled systems where applicable

  • Requests are fulfilled within reasonable timeframes consistent with legal and contractual requirements