LinuxGuard.io

Data Processing Addendum

Last updated: — Version 1.0

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the LinuxGuard Software License and Service Agreement (“Agreement”) and governs the processing of personal data by LinuxGuard on behalf of the Customer.

1. DEFINITIONS AND INTERPRETATION

"Agreement" means the LinuxGuard Software License and Service Agreement between LinuxGuard Ltd and the Customer, as available at /legal/license.

"Controller" means the entity that determines the purposes and means of the processing of Personal Data.

"Customer Personal Data" means any Personal Data that LinuxGuard processes on behalf of the Customer as a Processor in the course of providing the Services under the Agreement.

"Data Protection Laws" means all applicable data protection and privacy laws, including (as applicable): the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU) 2016/679, the EU ePrivacy Directive 2002/58/EC, and any national implementing legislation.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Personal Data" has the meaning given in the applicable Data Protection Laws and means any information relating to a Data Subject.

"Processor" means the entity that processes Personal Data on behalf of the Controller.

"Processing" (and "process") has the meaning given in the applicable Data Protection Laws.

"Security Incident" means any accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data.

"Sub-processor" means any Processor engaged by LinuxGuard to assist in fulfilling its obligations under this DPA.

"Supervisory Authority" means an independent public authority responsible for monitoring the application of Data Protection Laws.

2. SCOPE AND ROLES

2.1 Scope. This Data Processing Addendum ("DPA") applies to the Processing of Customer Personal Data by LinuxGuard on behalf of the Customer in the course of providing the Services under the Agreement. This DPA forms part of and is incorporated into the Agreement.

2.2 Roles. With respect to Customer Personal Data, the Customer acts as the Controller and LinuxGuard acts as the Processor. Where applicable, the Customer may itself act as a Processor on behalf of its own customers (Sub-processor relationship), in which case the Customer warrants that it has the relevant Controller's authorisation for LinuxGuard's Processing.

2.3 Details of Processing. The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Annex 1 of this DPA.

2.4 Instructions. LinuxGuard shall process Customer Personal Data only on the documented instructions of the Customer (as set out in the Agreement, this DPA, or as otherwise agreed in writing), unless required to do so by applicable law. LinuxGuard shall promptly notify the Customer if, in its opinion, an instruction would infringe Data Protection Laws.

3. LINUXGUARD'S OBLIGATIONS

3.1 Confidentiality. LinuxGuard shall ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.2 Security. LinuxGuard shall implement and maintain appropriate technical and organisational measures as described in Annex 2 to protect Customer Personal Data against Security Incidents and to ensure a level of security appropriate to the risk.

3.3 Sub-processors. LinuxGuard shall not engage Sub-processors to Process Customer Personal Data without general or specific prior written authorisation from the Customer. LinuxGuard shall maintain a list of Sub-processors (as set out in Annex 3) and shall notify the Customer of any intended changes (additions or replacements). The Customer may object to new Sub-processors on reasonable grounds within 14 days of notification.

3.4 Data Subject Rights. LinuxGuard shall assist the Customer (by appropriate technical and organisational measures) in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, taking into account the nature of the Processing.

3.5 Security Assistance. LinuxGuard shall assist the Customer in ensuring compliance with its security obligations under Data Protection Laws, taking into account the nature of the Processing and the information available to LinuxGuard.

3.6 Data Protection Impact Assessment. LinuxGuard shall provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required by Data Protection Laws.

3.7 Security Incidents. LinuxGuard shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Customer Personal Data. Notification shall include: (a) description of the Security Incident; (b) categories and approximate number of Data Subjects and Personal Data records affected; (c) likely consequences of the Security Incident; and (d) measures taken or proposed to address the Security Incident.

3.8 Deletion or Return. Upon termination of the Agreement or upon written request of the Customer, LinuxGuard shall delete or return all Customer Personal Data (and copies thereof) in accordance with the Agreement, unless applicable law requires continued storage.

3.9 Audit Rights. LinuxGuard shall make available to the Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Customer or a mandated auditor, subject to reasonable notice and confidentiality obligations. LinuxGuard may satisfy audit requests through provision of third-party audit reports (e.g. ISO 27001, SOC 2) where available.

4. CUSTOMER'S OBLIGATIONS

4.1 Instructions. The Customer shall provide lawful instructions to LinuxGuard regarding the Processing of Customer Personal Data and shall ensure that such instructions comply with Data Protection Laws.

4.2 Accuracy and Lawfulness. The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which the Customer acquired it. The Customer warrants that it has all necessary rights, consents, and lawful bases to provide Customer Personal Data to LinuxGuard for Processing under this DPA.

4.3 Compliance. The Customer shall comply with all applicable Data Protection Laws in its own processing activities and in its use of the Services.

5. INTERNATIONAL TRANSFERS

5.1 Restricted Transfers. LinuxGuard shall not transfer Customer Personal Data outside the UK or EEA (a "Restricted Transfer") unless an appropriate transfer mechanism is in place.

5.2 Transfer Mechanisms. Where LinuxGuard makes a Restricted Transfer, it shall ensure that one of the following mechanisms applies: (a) the destination country has been deemed adequate by the relevant authority; (b) standard contractual clauses approved by the relevant Supervisory Authority are in place; (c) the transfer is subject to binding corporate rules; or (d) another recognised lawful transfer mechanism applies.

5.3 Sub-processor Transfers. LinuxGuard shall ensure that any Sub-processors engaged outside the UK or EEA are bound by appropriate transfer mechanisms consistent with this section.

6. LIABILITY AND INDEMNITY

6.1 Liability. Each party's liability under this DPA is subject to the limitations set out in the Agreement. However, nothing in this DPA limits either party's liability under applicable Data Protection Laws.

6.2 Customer Indemnity. The Customer shall indemnify and hold harmless LinuxGuard against any claims, liabilities, penalties, fines, or expenses (including reasonable legal fees) arising from the Customer's breach of this DPA or of applicable Data Protection Laws.

6.3 LinuxGuard Indemnity. LinuxGuard shall indemnify and hold harmless the Customer against any claims, liabilities, penalties, fines, or expenses (including reasonable legal fees) arising directly from LinuxGuard's breach of this DPA or of applicable Data Protection Laws.

7. TERM AND TERMINATION

7.1 Term. This DPA shall remain in force for the duration of the Agreement and shall automatically terminate upon termination of the Agreement.

7.2 Survival. Sections 3.7 (Security Incidents), 3.8 (Deletion or Return), and 6 (Liability and Indemnity) of this DPA shall survive termination.

8. GENERAL

8.1 Hierarchy. In the event of a conflict between the terms of this DPA and the Agreement with respect to data protection matters, this DPA shall prevail.

8.2 Governing Law. This DPA is governed by the laws of England and Wales.

8.3 Amendments. LinuxGuard may update this DPA from time to time to reflect changes in Data Protection Laws or its processing activities. LinuxGuard shall provide at least 30 days' prior written notice of any material changes.

8.4 Entire Agreement. This DPA, together with the Agreement and its annexes, constitutes the entire agreement between the parties with respect to the Processing of Customer Personal Data.

Last Updated: 24 February 2026 | Version 1.0

LinuxGuard Ltd | Company number: 16581101 | Kemp House, 152–160 City Road, London, EC1V 2NX

ANNEX 1: DETAILS OF PROCESSING

Subject Matter: Processing of Personal Data in the course of providing the LinuxGuard Platform and Agent Software services.

Nature and Purpose: Collection, storage, analysis, and reporting of server telemetry and identity data to enable security monitoring, identity visibility, least privilege enforcement, and compliance reporting for Customer's Linux server infrastructure.

Duration: For the duration of the Agreement, after which Customer Personal Data shall be deleted or returned in accordance with Section 3.8.

Types of Personal Data: Username and account identifiers; SSH key fingerprints and metadata; Sudo rule assignments and privilege data; Login timestamps and session data; IP addresses and network identifiers; Process execution records; File access and audit log entries; System configuration data.

Categories of Data Subjects: Customer's employees, contractors, and service accounts that interact with Linux servers monitored by the Agent Software.

ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES

LinuxGuard implements and maintains the following technical and organisational security measures:

1. Access Control. Role-based access control (RBAC) for all Platform components. Multi-factor authentication enforced for administrative access. Principle of least privilege applied to all systems and personnel.

2. Encryption. All Customer Data encrypted in transit using TLS 1.2 or higher. Customer Data encrypted at rest using AES-256 or equivalent. Encryption keys managed using AWS KMS with customer-level isolation.

3. Network Security. Platform hosted in isolated VPC environments. Network segmentation between application, data, and management tiers. Intrusion detection and prevention systems in place.

4. Vulnerability Management. Regular vulnerability scanning of Platform components and Agent Software. Penetration testing conducted at least annually by independent third parties. Prompt patching of critical vulnerabilities.

5. Incident Response. Documented Security Incident response plan. Dedicated security team on-call for incident response. Security Incident notification procedures as described in Section 3.7.

6. Logging and Monitoring. Comprehensive audit logging of access to Customer Data. Real-time monitoring and alerting for anomalous activity. Logs retained for a minimum of 12 months.

7. Personnel Security. Background checks conducted on personnel with access to Customer Data (where permitted by law). Security awareness training for all personnel. Confidentiality obligations in employment contracts.

8. Physical Security. Platform infrastructure hosted in SOC 2 or ISO 27001-certified data centres. Physical access controls including biometric authentication and CCTV.

9. Business Continuity. Regular backups of Customer Data with tested restoration procedures. Disaster recovery plan with defined recovery time and recovery point objectives. Geographic redundancy for critical services.

10. Vendor Management. Security assessments of Sub-processors before engagement. Contractual security obligations imposed on all Sub-processors. Regular review of Sub-processor security posture.

11. Data Minimisation. Collection of only the Personal Data necessary for the provision of the Services. Regular review of data collection practices to ensure continued minimisation.

ANNEX 3: SUB-PROCESSORS

LinuxGuard engages the following Sub-processors to assist in providing the Services. All Sub-processors are subject to data processing agreements consistent with this DPA.

Sub-processor | Location | Purpose | Date Added
Amazon Web Services (AWS) | United States | Cloud infrastructure and hosting (compute, storage, networking, KMS) | 24 February 2026
Uptrace | European Union | Application performance monitoring and distributed tracing | 24 February 2026
Pinecone | United States | Vector database for anomaly detection and ML features | 24 February 2026
Neo4j | Sweden / United States | Graph database for security relationship mapping | 24 February 2026
Redis Labs | United States | In-memory caching and session management | 24 February 2026
HubSpot | United States | Customer relationship management (CRM) and marketing | 24 February 2026
Google Analytics | United States | Website and product analytics | 24 February 2026
SparkPost | United States | Transactional email delivery | 24 February 2026

LinuxGuard may update this list of Sub-processors from time to time. The Customer will be notified of any changes in accordance with Section 3.3 of this DPA.