title: "Data Processing Agreement"
company: "Enigma Labs BV"
effective_date: "January 22, 2026"
last_updated: "January 28, 2026"
version: "1.1"
sections:
- id: "summary" title: "Plain Language Summary"
- id: "definitions" title: "Definitions"
- id: "scope" title: "Scope and Roles"
- id: "instructions" title: "Processing Instructions"
- id: "obligations" title: "Processor Obligations"
- id: "security" title: "Security Measures"
- id: "sub-processors" title: "Sub-processors"
- id: "data-subject-rights" title: "Data Subject Rights"
- id: "security-incidents" title: "Security Incidents"
- id: "dpia" title: "Data Protection Impact Assessments"
- id: "transfers" title: "International Data Transfers"
- id: "audits" title: "Audit Rights"
- id: "retention" title: "Data Retention and Deletion"
- id: "liability" title: "Liability"
- id: "term" title: "Term and Termination"
- id: "general" title: "General Provisions"
- id: "contact" title: "Contact Information"
- id: "execution" title: "Execution"
- id: "annex-1" title: "Annex 1: Description of Processing"
- id: "annex-2" title: "Annex 2: Technical and Organizational Measures"
- id: "annex-3" title: "Annex 3: Approved Sub-processors"
- id: "annex-4" title: "Annex 4: EU Standard Contractual Clauses"
- id: "document-info" title: "Document Information"
Data Processing Agreement
Plain Language Summary
This Data Processing Agreement ("DPA") is a legal contract between Enigma Labs BV and our customers that governs how we handle personal data on behalf of our customers when providing our cybersecurity services.
What this means in simple terms:
- You (our customer) are the "Controller" — you decide what personal data is processed and why.
- We (Enigma Labs) are the "Processor" — we process personal data only according to your instructions to deliver our services.
- This agreement ensures we meet all requirements of the EU General Data Protection Regulation (GDPR).
Key commitments we make:
| Commitment | Details |
|------------|---------|
| Processing Limitations | We only process personal data to provide our cybersecurity services |
| Security | We implement strong security measures to protect your data |
| Breach Notification | We notify you within 48 hours if there's a security breach |
| Data Subject Rights | We help you respond to data subject requests within 5 business days |
| Data Deletion | We delete your data within 90 days after our agreement ends |
| Sub-processors | We use carefully vetted sub-processors and notify you 7 days before any changes |
This DPA works together with our Terms of Service and Privacy Policy. If there's any conflict between these documents regarding data protection, this DPA takes precedence.
1. Definitions
For the purposes of this Data Processing Agreement, the following terms have the meanings set out below. Capitalized terms not defined herein shall have the meaning given to them in the Principal Agreement.
| Term | Definition |
|------|------------|
| "Agreement" | This Data Processing Agreement, including all Annexes attached hereto. |
| "Applicable Data Protection Law" | All laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the GDPR, the UK GDPR, and any implementing or supplementary national legislation. |
| "Controller" | The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Customer acts as the Controller. |
| "Customer" | The entity that has entered into the Principal Agreement with Enigma Labs BV to use the Services. |
| "Customer Data" | All Personal Data processed by Enigma Labs on behalf of the Customer in connection with the provision of the Services. |
| "Data Subject" | An identified or identifiable natural person to whom Personal Data relates. |
| "DPA" | This Data Processing Agreement. |
| "DPO" | Data Protection Officer. |
| "EEA" | The European Economic Area. |
| "GDPR" | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). |
| "Personal Data" | Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR. |
| "Personal Data Breach" | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. |
| "Principal Agreement" | The Terms of Service or other master agreement between Enigma Labs and the Customer governing the provision of Services. |
| "Processing" | Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. |
| "Processor" | A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, Enigma Labs acts as the Processor. |
| "Security Incident" | Any actual or suspected unauthorized access to, acquisition of, use of, disclosure of, or destruction of Customer Data, or any other event that compromises the security, confidentiality, or integrity of Customer Data. This includes, but is not limited to, ransomware attacks, unauthorized data access, data exfiltration, malware infections affecting Customer Data, and accidental data exposure. |
| "Services" | The cybersecurity services provided by Enigma Labs to the Customer as described in the Principal Agreement, including but not limited to AI-powered threat detection, network monitoring, vulnerability scanning, identity and access management, and compliance reporting. |
| "SCCs" | The EU Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
| "Sub-processor" | Any Processor engaged by Enigma Labs to process Customer Data on behalf of the Customer. |
| "Supervisory Authority" | An independent public authority which is established by an EU Member State pursuant to Article 51 of the GDPR. |
| "UK GDPR" | The United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. |
2. Scope and Roles
2.1 Role of the Parties
The parties acknowledge and agree that:
(a) Customer as Controller: The Customer acts as the Controller of Customer Data. The Customer determines the purposes and means of processing Customer Data and is responsible for ensuring that it has a valid legal basis for such processing under Applicable Data Protection Law.
(b) Enigma Labs as Processor: Enigma Labs acts as the Processor of Customer Data. Enigma Labs shall process Customer Data only on documented instructions from the Customer, including as set forth in this DPA, the Principal Agreement, and as necessary to provide the Services.
(c) Scope of Processing: This DPA applies to all processing of Customer Data by Enigma Labs in connection with the provision of the Services, regardless of where such processing occurs.
2.2 Principal Agreement Reference
This DPA is incorporated into and forms an integral part of the Principal Agreement between the parties. In the event of any conflict between the provisions of this DPA and the Principal Agreement regarding the protection of Personal Data, the provisions of this DPA shall prevail.
2.3 Enigma Labs as Controller
Nothing in this DPA affects Enigma Labs' status as a Controller with respect to its own customer contact information (such as account information, billing details, and business communications), which is processed in accordance with Enigma Labs' Privacy Policy.
3. Processing Instructions
3.1 Documented Instructions
Enigma Labs shall process Customer Data only on documented instructions from the Customer, including with regard to transfers of Customer Data to third countries or international organizations, unless required to do so by Applicable Data Protection Law or the law of the Netherlands.
3.2 Deemed Instructions
The Customer's instructions to Enigma Labs for the processing of Customer Data are deemed to be given through:
(a) This Data Processing Agreement;
(b) The Principal Agreement (Terms of Service);
(c) The Customer's use of the Services and platform features in accordance with the documentation;
(d) Any written instructions provided by the Customer to Enigma Labs through authorized channels.
3.3 Instruction Compliance
Enigma Labs shall promptly inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, unless Enigma Labs is prohibited from notifying the Customer on important grounds of public interest.
3.4 Lawfulness of Instructions
The Customer warrants and represents that:
(a) It has obtained all necessary consents and/or has another valid legal basis for the processing of Customer Data as required by Applicable Data Protection Law;
(b) Its instructions to Enigma Labs for processing Customer Data comply with Applicable Data Protection Law;
(c) It has provided appropriate information to Data Subjects about the processing of their Personal Data as required by Applicable Data Protection Law.
3.5 Additional Instructions
If the Customer requires Enigma Labs to process Customer Data in a manner that falls outside the scope of the deemed instructions set forth in Section 3.2, the Customer shall provide such additional instructions in writing. Enigma Labs shall assess whether it can comply with such additional instructions and shall notify the Customer of any additional costs or technical requirements within a reasonable timeframe.
4. Processor Obligations
Enigma Labs agrees to comply with the obligations set forth in Article 28(3) of the GDPR and shall:
4.1 Process Only on Documented Instructions
Process Customer Data only on documented instructions from the Customer, including with regard to transfers of Customer Data to third countries or international organizations, except where required to do so by Applicable Data Protection Law.
4.2 Ensure Personnel Confidentiality
Take reasonable steps to ensure the reliability of any personnel who have access to Customer Data and ensure that all such personnel:
(a) Are bound by confidentiality obligations with respect to Customer Data;
(b) Have received appropriate training on data protection and security;
(c) Access Customer Data only on a need-to-know basis.
4.3 Implement Appropriate Security Measures
Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Annex 2 (Technical and Organizational Measures).
4.4 Respect Sub-processor Conditions
Not engage another Processor (Sub-processor) without prior specific or general written authorization of the Customer, in accordance with Section 6 (Sub-processors).
4.5 Assist with Data Subject Rights
Taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising Data Subjects' rights under Chapter III of the GDPR.
4.6 Assist with Security, Breach Notification, and DPIAs
Taking into account the nature of the processing and the information available to Enigma Labs:
(a) Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR concerning security of processing, data breach notification, and data protection impact assessments;
(b) Provide the Customer with all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR;
(c) Allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in accordance with Section 11 (Audit Rights).
4.7 Delete or Return Data After Services End
At the choice of the Customer, delete or return all Customer Data to the Customer after the end of the provision of Services relating to processing, and delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data, in accordance with Section 12 (Data Retention and Deletion).
4.8 Inform Controller of Non-Compliance
Immediately inform the Customer if, in Enigma Labs' opinion, an instruction infringes Applicable Data Protection Law or other provisions of EU or Member State law.
5. Security Measures
5.1 General Security Obligation
Enigma Labs shall implement and maintain appropriate technical and organizational security measures to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall ensure a level of security appropriate to the harm that might result from such events and the nature of the Customer Data to be protected.
5.2 Technical and Organizational Measures
The specific technical and organizational measures implemented by Enigma Labs are set forth in detail in Annex 2 (Technical and Organizational Measures). These measures include, but are not limited to:
(a) Access controls and authentication mechanisms;
(b) Encryption of data in transit and at rest;
(c) Network security and monitoring;
(d) Application security practices;
(e) Data protection and minimization;
(f) Security event logging and monitoring;
(g) Physical security controls;
(h) Business continuity and disaster recovery measures.
5.3 Regular Testing and Evaluation
Enigma Labs shall regularly test, assess, and evaluate the effectiveness of its technical and organizational measures for ensuring the security of the processing. This includes:
(a) Regular vulnerability assessments and penetration testing;
(b) Security audits and compliance reviews;
(c) Incident response testing and drills;
(d) Review and updating of security policies and procedures.
5.4 Personnel Security
Enigma Labs shall ensure that all personnel with access to Customer Data:
(a) Undergo background checks where permitted by law and appropriate for their role;
(b) Receive regular security awareness and data protection training;
(c) Are bound by confidentiality obligations (contractual or statutory).
5.5 Security Documentation
Enigma Labs shall maintain documentation of its security measures and make such documentation available to the Customer upon request, subject to the confidentiality obligations set forth in the Principal Agreement.
5.6 Security Certifications
Enigma Labs is pursuing the following security certifications to demonstrate its commitment to information security:
| Certification | Status | Target Timeline |
|---------------|--------|-----------------|
| ISO 27001 (Information Security Management) | In Progress | 2026 |
| ISO 27017 (Cloud Security Controls) | In Progress | 2026 |
| ISO 27018 (Cloud Privacy) | In Progress | 2026 |
Upon achieving certifications, certificates and relevant audit reports will be made available to Customers under appropriate confidentiality obligations.
6. Sub-processors
6.1 General Authorization
The Customer provides general authorization for Enigma Labs to engage Sub-processors to process Customer Data on the Customer's behalf. The current list of approved Sub-processors is set forth in Annex 3 (Approved Sub-processors).
6.2 Sub-processor Requirements
Enigma Labs shall ensure that any Sub-processor:
(a) Is bound by a written contract that imposes on the Sub-processor the same data protection obligations as are imposed on Enigma Labs under this DPA;
(b) Processes Customer Data only to the extent necessary to perform the services subcontracted to it;
(c) Implements appropriate technical and organizational security measures;
(d) Complies with Applicable Data Protection Law.
6.3 Sub-processor Monitoring
Enigma Labs conducts periodic security assessments of Sub-processors to ensure ongoing compliance with security and data protection requirements. This includes:
(a) Review of Sub-processor security certifications and audit reports;
(b) Assessment of Sub-processor security practices and controls;
(c) Monitoring of Sub-processor compliance with contractual obligations.
6.4 Sub-processor Changes
(a) Advance Notice: Enigma Labs shall provide the Customer with at least seven (7) days' advance written notice before engaging any new Sub-processor to process Customer Data.
(b) Notification Method: Such notice shall be provided via email to the Customer's designated contact and by updating the Sub-processor list available at https://enigmalabs.nl/legal/sub-processors.
(c) Objection Right: The Customer may object to the engagement of a new Sub-processor by providing written notice to Enigma Labs within seven (7) days of receiving notice of the proposed engagement.
(d) Resolution Process: If the Customer objects to a new Sub-processor, the parties shall discuss the objection in good faith. If the parties cannot reach a mutually acceptable resolution within fourteen (14) days of Enigma Labs receiving the objection, the Customer may terminate the affected Services by providing thirty (30) days' written notice to Enigma Labs.
6.5 Liability for Sub-processors
Enigma Labs shall remain fully liable to the Customer for the performance of any Sub-processor's obligations under this DPA. Any act or omission of a Sub-processor shall be deemed an act or omission of Enigma Labs for the purposes of this DPA.
6.6 Current Sub-processors
The Sub-processors currently engaged by Enigma Labs and authorized by the Customer are listed in Annex 3 (Approved Sub-processors).
7. Data Subject Rights
7.1 Assistance with Data Subject Requests
Taking into account the nature of the processing, Enigma Labs shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:
(a) Right of access (Article 15);
(b) Right to rectification (Article 16);
(c) Right to erasure / "right to be forgotten" (Article 17);
(d) Right to restriction of processing (Article 18);
(e) Right to data portability (Article 20);
(f) Right to object (Article 21);
(g) Rights related to automated decision-making, including profiling (Article 22).
7.2 Notification of Direct Requests
If Enigma Labs receives a request directly from a Data Subject relating to Customer Data, Enigma Labs shall:
(a) Not respond to such request without the Customer's prior written authorization;
(b) Promptly (within 48 hours) forward the request to the Customer;
(c) Provide the Customer with reasonable cooperation and assistance in responding to the request.
7.3 Technical Measures
Enigma Labs shall implement appropriate technical measures to enable the Customer to respond to Data Subject requests, including:
(a) Providing functionality to export, modify, or delete Customer Data as applicable;
(b) Maintaining accurate records of processing activities;
(c) Ensuring data is stored in a structured, commonly used, and machine-readable format where appropriate.
7.4 Response Timeline and Costs
(a) Response Timeline: Enigma Labs shall respond to Customer requests for assistance with Data Subject rights within five (5) business days of receiving the request.
(b) Costs: Enigma Labs shall provide reasonable assistance to the Customer in responding to Data Subject requests at no additional cost, provided that such requests do not exceed a reasonable frequency or volume (generally, up to 10 requests per month).
(c) Excess Requests: If the volume or complexity of requests requires disproportionate effort, the parties may agree on appropriate cost-sharing arrangements.
8. Security Incidents
8.1 Definition of Security Incident
A "Security Incident" means any actual or reasonably suspected:
(a) Unauthorized access to, acquisition of, use of, disclosure of, or destruction of Customer Data;
(b) Event that compromises the security, confidentiality, or integrity of Customer Data;
(c) Personal Data Breach as defined under the GDPR.
Examples of Security Incidents include, but are not limited to:
- Ransomware attacks affecting systems containing Customer Data
- Unauthorized access to Customer Data by internal or external actors
- Data exfiltration or theft of Customer Data
- Malware infections affecting systems processing Customer Data
- Accidental exposure or disclosure of Customer Data
- Loss or theft of devices containing Customer Data
8.2 Security Incident Notification
(a) Timeline: Enigma Labs shall notify the Customer without undue delay and in any case within forty-eight (48) hours after becoming aware of a Security Incident affecting Customer Data.
(b) Notification Method: Notification shall be provided via email to the Customer's designated security contact. If no security contact has been designated, notification shall be sent to the Account Administrator.
(c) Content of Notification: The notification shall include, to the extent available:
(i) A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(ii) The likely consequences of the Security Incident;
(iii) The measures taken or proposed to be taken by Enigma Labs to address the Security Incident, including measures to mitigate its possible adverse effects;
(iv) Contact details for more information (including both legal@enigmalabs.nl and dpo@enigmalabs.nl).
(d) Ongoing Updates: Enigma Labs shall provide updates to the Customer as new information becomes available that is relevant to the Security Incident, at least every 24 hours during active incident response and as appropriate thereafter.
8.3 Notification Limitations
Enigma Labs' obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgment by Enigma Labs of any fault or liability with respect to the Security Incident.
8.4 Cooperation and Remediation
Enigma Labs shall:
(a) Cooperate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of each Security Incident;
(b) Implement appropriate measures to prevent recurrence of similar Security Incidents;
(c) Provide the Customer with information reasonably requested to enable the Customer to comply with its notification obligations to Supervisory Authorities and Data Subjects under Articles 33 and 34 of the GDPR.
8.5 Documentation and Records
Enigma Labs shall maintain records of all Security Incidents affecting Customer Data, including:
(a) Facts relating to the Security Incident;
(b) Effects of the Security Incident;
(c) Remedial action taken.
Such records shall be made available to the Customer upon request and to Supervisory Authorities upon request.
9. Data Protection Impact Assessments
9.1 Assistance with DPIAs
Taking into account the nature of the processing and information available to Enigma Labs, Enigma Labs shall assist the Customer with any data protection impact assessment ("DPIA") that the Customer is required to conduct under Article 35 of the GDPR, including by providing:
(a) Information about the Services and how Customer Data is processed;
(b) Information about the technical and organizational security measures implemented;
(c) Information about Sub-processors and their processing activities;
(d) Any other information reasonably necessary for the Customer to conduct its DPIA.
9.2 Prior Consultation
If a DPIA indicates that the processing would result in a high risk to the rights and freedoms of Data Subjects in the absence of measures taken by the Customer to mitigate the risk, and the Customer is required to consult with a Supervisory Authority under Article 36 of the GDPR, Enigma Labs shall provide reasonable assistance to the Customer for such consultation.
9.3 Information Provision
Enigma Labs shall respond to reasonable requests for information in connection with DPIAs within a reasonable timeframe, not to exceed fifteen (15) business days from receipt of the request.
10. International Data Transfers
10.1 EU Hosting Commitment
Enigma Labs hosts Customer Data within the European Union using Scaleway cloud infrastructure located in Paris, France, and Amsterdam, Netherlands. Unless otherwise agreed in writing, all Customer Data shall be stored and processed within the EEA.
10.2 Transfers Outside the EEA
Where Enigma Labs transfers Customer Data to a country outside the EEA (a "Third Country"), such transfer shall be made only in compliance with Applicable Data Protection Law and pursuant to one of the following transfer mechanisms:
(a) An adequacy decision by the European Commission pursuant to Article 45 of the GDPR;
(b) The EU Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR;
(c) Binding Corporate Rules approved by a competent Supervisory Authority pursuant to Article 46(2)(b) of the GDPR;
(d) Any other valid transfer mechanism recognized under Applicable Data Protection Law.
10.3 Standard Contractual Clauses
The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference into this DPA and form an integral part hereof. The SCCs are attached as Annex 4 and shall apply to any transfer of Customer Data to Sub-processors located outside the EEA.
10.4 Transfer Impact Assessments
Enigma Labs shall conduct transfer impact assessments (TIAs) for any transfer of Customer Data to Sub-processors outside the EEA, taking into account the circumstances of the transfer and the laws and practices of the destination country. The results of such assessments shall be made available to the Customer upon request, subject to confidentiality obligations.
10.5 Supplementary Measures
Where required by Applicable Data Protection Law or the outcome of a TIA, Enigma Labs shall implement appropriate supplementary measures to ensure an essentially equivalent level of protection for Customer Data transferred outside the EEA.
10.6 Conflict Resolution
In the event of any conflict between the provisions of the SCCs and other provisions of this DPA, the provisions of the SCCs shall prevail.
11. Audit Rights
11.1 Documentation and Compliance Evidence
Enigma Labs shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
11.2 Primary Audit Method: Third-Party Reports
As the primary means of demonstrating compliance, Enigma Labs shall provide the Customer with:
(a) Copies of ISO 27001, ISO 27017, and ISO 27018 certificates (once obtained);
(b) Copies of SOC 2 Type II reports (once obtained);
(c) Responses to reasonable security questionnaires (up to 100 questions annually);
(d) Evidence of compliance upon reasonable request.
Enigma Labs is currently pursuing ISO 27001, ISO 27017, and ISO 27018 certifications, with expected completion in 2026.
11.3 On-Site Audits
On-site audits of Enigma Labs' facilities and operations shall be permitted only if:
(a) The information provided under Section 11.2 is insufficient to demonstrate compliance with this DPA;
(b) Following a confirmed Security Incident affecting Customer Data;
(c) Required by Applicable Data Protection Law or a regulatory authority.
11.4 On-Site Audit Conditions
Any on-site audit shall be subject to the following conditions:
(a) Advance Notice: The Customer shall provide at least thirty (30) days' advance written notice of the proposed audit;
(b) Timing: The audit shall be conducted during Enigma Labs' normal business hours;
(c) Confidentiality: The Customer and its auditors shall be bound by confidentiality obligations with respect to any proprietary or confidential information of Enigma Labs accessed during the audit;
(d) Cost Allocation: The Customer shall bear all costs associated with the audit, unless the audit reveals material non-compliance by Enigma Labs with its obligations under this DPA, in which case Enigma Labs shall bear its own costs;
(e) Scope: The scope of the audit shall be limited to those processing activities relevant to Customer Data;
(f) Frequency: Except for audits triggered by a Security Incident or required by law, the Customer may conduct no more than one (1) on-site audit per calendar year.
11.5 Audit Reports
Enigma Labs shall provide the Customer with a written report of any audit conducted by Enigma Labs or a third party that is relevant to the processing of Customer Data, subject to confidentiality obligations.
11.6 Cooperation
Enigma Labs shall cooperate reasonably with the Customer and its auditors during any audit, including by:
(a) Providing access to relevant personnel;
(b) Providing access to relevant documentation and records;
(c) Answering questions and providing explanations.
12. Data Retention and Deletion
12.1 Duration of Processing
Enigma Labs shall process Customer Data only for the duration of the Principal Agreement, unless otherwise instructed by the Customer or required by Applicable Data Protection Law.
12.2 Data Export Period
Upon termination or expiry of the Principal Agreement, or upon the Customer's written request, the Customer shall have thirty (30) days to export or retrieve Customer Data from the Services.
12.3 Data Deletion
(a) Timeline: Following the expiration of the export period under Section 12.2, Enigma Labs shall delete all Customer Data within ninety (90) days, unless:
(i) The Customer requests earlier deletion;
(ii) Applicable Data Protection Law requires retention of the Personal Data;
(iii) The data has been anonymized or aggregated such that it no longer constitutes Personal Data.
(b) Method: Deletion shall be performed using industry-standard secure deletion methods that render the data irretrievable.
(c) Exceptions: Enigma Labs may retain Customer Data beyond the deletion period to the extent required by Applicable Data Protection Law, including for:
(i) Compliance with legal obligations;
(ii) Establishment, exercise, or defense of legal claims;
(iii) Anonymized analytics and statistical purposes.
12.4 Deletion Confirmation
Upon the Customer's written request, Enigma Labs shall provide written confirmation that Customer Data has been deleted in accordance with this Section, provided that such request is made within sixty (60) days of the deletion date.
12.5 Return of Data
At the Customer's written request prior to termination, Enigma Labs shall return Customer Data to the Customer in a structured, commonly used, and machine-readable format, instead of or in addition to deletion.
13. Liability
13.1 Liability Cap
Subject to Section 13.2, each party's aggregate liability arising out of or relating to this DPA, whether in contract, tort, or under any other theory of liability, shall be limited to the same extent as set forth in the Principal Agreement. For clarity, the liability cap under the Principal Agreement is twelve (12) months of Fees paid by the Customer to Enigma Labs under the Principal Agreement in the twelve (12) months preceding the event giving rise to liability.
13.2 Exclusions from Liability Cap
The liability cap in Section 13.1 shall not apply to:
(a) Either party's gross negligence or willful misconduct;
(b) Breaches of confidentiality obligations;
(c) Indemnification obligations;
(d) Violations that cannot be limited under Applicable Data Protection Law, including the GDPR;
(e) Death or personal injury caused by negligence;
(f) Fraud or fraudulent misrepresentation.
13.3 Allocation of Regulatory Fines
(a) Each party shall be solely responsible for any fines, penalties, or other sanctions imposed by a Supervisory Authority or other regulatory body arising from its own violations of Applicable Data Protection Law.
(b) The Customer shall indemnify and hold harmless Enigma Labs from and against any fines, penalties, or sanctions imposed on Enigma Labs arising from:
(i) The Customer's unlawful instructions;
(ii) The Customer's failure to comply with its obligations as a Controller under Applicable Data Protection Law;
(iii) The Customer's failure to provide appropriate information to Data Subjects.
(c) Enigma Labs shall indemnify and hold harmless the Customer from and against any fines, penalties, or sanctions imposed on the Customer arising from Enigma Labs' failure to comply with its obligations as a Processor under this DPA and Applicable Data Protection Law.
13.4 Indemnification for Data Subject Claims
(a) The Customer shall indemnify and defend Enigma Labs against any claims, damages, and expenses (including reasonable legal fees) brought by Data Subjects or third parties arising from:
(i) The Customer's instructions to Enigma Labs;
(ii) The Customer's failure to comply with its obligations under Applicable Data Protection Law.
(b) Enigma Labs shall indemnify and defend the Customer against any claims, damages, and expenses (including reasonable legal fees) brought by Data Subjects or third parties arising from Enigma Labs' breach of its obligations under this DPA.
13.5 No Indemnification for Regulatory Penalties
Notwithstanding any other provision of this DPA, neither party shall indemnify the other for regulatory fines or penalties imposed by a Supervisory Authority for violations of the GDPR or other Applicable Data Protection Law.
14. Term and Termination
14.1 Effective Date
This DPA shall become effective on the earlier of:
(a) The date the Principal Agreement is executed by both parties;
(b) The date the Customer first uses the Services.
14.2 Duration
This DPA shall remain in effect for the duration of the Principal Agreement and shall automatically terminate upon termination or expiry of the Principal Agreement, except for provisions that by their nature should survive termination.
14.3 Surviving Provisions
The following provisions shall survive termination of this DPA:
(a) Section 12 (Data Retention and Deletion);
(b) Section 13 (Liability);
(c) Section 15 (General Provisions);
(d) Any other provisions that by their nature should survive termination.
14.4 Effect on Principal Agreement
Termination of this DPA shall not affect the Principal Agreement, which shall continue in full force and effect according to its terms. However, if the Customer terminates this DPA due to Enigma Labs' material breach that cannot be cured, the Customer may also terminate the Principal Agreement for cause.
15. General Provisions
15.1 Entire Agreement
This DPA, together with the Principal Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and discussions, whether oral or written, relating to such subject matter.
15.2 Amendments
No amendment, modification, or waiver of any provision of this DPA shall be effective unless in writing and signed by authorized representatives of both parties. Enigma Labs may update this DPA from time to time to reflect changes in Applicable Data Protection Law or the Services. The Customer shall be notified of material changes at least thirty (30) days before they take effect.
15.3 Severability
If any provision of this DPA is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable, or if such modification is not possible, such provision shall be deemed severed from this DPA, and the remaining provisions shall continue in full force and effect.
15.4 No Third-Party Beneficiaries
This DPA is for the benefit of the parties hereto and their respective successors and permitted assigns. Nothing in this DPA shall be construed to create any rights or obligations in any third party, including Data Subjects, except as expressly provided herein.
15.5 Order of Precedence
In the event of any conflict or inconsistency between the provisions of this DPA and:
(a) The Principal Agreement: The provisions of this DPA shall prevail with respect to data protection matters;
(b) The SCCs (Annex 4): The provisions of the SCCs shall prevail.
15.6 Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of law principles.
15.7 Dispute Resolution
Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity, or termination, shall be finally resolved by arbitration in accordance with the Arbitration Rules of the Netherlands Arbitration Institute (NAI). The arbitral tribunal shall consist of one arbitrator. The seat of arbitration shall be Amsterdam, the Netherlands. The language of the arbitration shall be English.
15.8 Waiver
No waiver of any provision of this DPA shall be effective unless in writing and signed by the waiving party. No failure or delay by either party in exercising any right, power, or remedy under this DPA shall operate as a waiver thereof, nor shall any single or partial exercise of any such right, power, or remedy preclude any other or further exercise thereof.
15.9 Assignment
Enigma Labs may assign this DPA to any affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. The Customer may not assign this DPA without the prior written consent of Enigma Labs, except to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its assets.
15.10 Notices
All notices under this DPA shall be in writing and delivered to the addresses set forth in Section 16 (Contact Information) or to such other address as either party may designate by written notice. Notices shall be deemed given:
(a) When delivered personally;
(b) Three (3) business days after being sent by registered mail;
(c) One (1) business day after being sent by email with confirmation of receipt.
16. Contact Information
16.1 DPA Inquiries
For questions or inquiries regarding this Data Processing Agreement, please contact:
Email: legal@enigmalabs.nl
Postal Address: Enigma Labs BV, Attn: Legal Department, Korte Lijnbaanssteeg 1, 1012SL Amsterdam, Netherlands
16.2 Data Protection Officer
Enigma Labs has voluntarily appointed a Data Protection Officer who can be contacted for matters related to data protection:
Email: dpo@enigmalabs.nl
Postal Address: Enigma Labs BV, Attn: Data Protection Officer, Korte Lijnbaanssteeg 1, 1012SL Amsterdam, Netherlands
16.3 Customer Designated Contact
The Customer shall designate a primary contact for DPA-related matters, including Security Incident notifications and Sub-processor change notifications. The Customer shall provide Enigma Labs with the name and email address of this contact and promptly notify Enigma Labs of any changes.
16.4 Alternative Contacts
For urgent matters, the following contacts are available:
| Purpose | Contact |
|---------|---------|
| Security Incidents | security@enigmalabs.nl |
| General Support | support@enigmalabs.nl |
| Privacy Inquiries | privacy@enigmalabs.nl |
17. Execution
17.1 Binding Agreement
This DPA is entered into and becomes legally binding upon the earlier of:
(a) The Customer's electronic acceptance of this DPA through the Services;
(b) The Customer's execution of a Principal Agreement (Terms of Service or other master agreement) that incorporates this DPA by reference;
(c) The Customer's first use of the Services after this DPA is made available.
17.2 No Physical Signature Required
No physical signature is required for this DPA to be legally binding. Electronic acceptance, including clicking "I Accept" or similar acknowledgment, or using the Services after this DPA is made available, constitutes valid acceptance under Dutch law and applicable EU electronic commerce regulations.
17.3 Counterparts
If the parties choose to execute this DPA in counterparts (for example, in connection with an Order Form or enterprise agreement), each counterpart shall be deemed an original, and all counterparts together shall constitute one and the same agreement.
17.4 Authority
Each party represents and warrants that:
(a) It has the legal power and authority to enter into this DPA;
(b) The person accepting this DPA on behalf of the party is authorized to do so;
(c) This DPA constitutes a legal, valid, and binding obligation.
Annex 1: Description of Processing
This Annex 1 describes the processing of Customer Data as required by Article 28(3) of the GDPR.
A1.1 Subject Matter
The subject matter of the processing is the provision of Enigma Labs' cybersecurity SaaS platform services to the Customer, including AI-powered threat detection, network monitoring, vulnerability scanning, identity and access management, compliance reporting, and related services.
A1.2 Duration
The duration of the processing is the term of the Principal Agreement (Terms of Service), including any renewal periods, plus the data retention period specified in Section 12 of this DPA.
A1.3 Nature and Purpose of Processing
| Element | Details |
|---------|---------|
| Nature of Processing | Collection, storage, analysis, alerting, reporting, and deletion of security-related data. |
| Purpose of Processing | To provide the cybersecurity services described in the Principal Agreement, including: threat detection and response, network monitoring and analysis, vulnerability assessment, identity and access management, compliance reporting, and security operations center automation. |
A1.4 Types of Personal Data
The following types of Personal Data may be processed in connection with the Services:
| Category | Examples |
|----------|----------|
| Employee Identifiers | Names, usernames, employee IDs, email addresses, job titles, department information |
| Network Identifiers | IP addresses, device IDs, MAC addresses, hostnames, network session identifiers |
| Authentication Data | Login timestamps, logout timestamps, session information, authentication tokens, multi-factor authentication status |
| Security Event Data | Access logs, threat alerts, anomaly detection data, security incident records, audit trails |
| Identity and Access Management Data | User roles, permissions, group memberships, access rights, privilege levels |
A1.5 Categories of Data Subjects
The Personal Data processed relates to the following categories of Data Subjects:
| Category | Description |
|----------|-------------|
| Customer's Employees | Employees of the Customer who use systems or networks monitored by the Services |
| Customer's Contractors and Consultants | Third-party contractors, consultants, and temporary workers with access to Customer systems |
| Customer's End-Users | End-users of Customer's products or services, if applicable |
| Network Users | Any individuals whose data transits Customer's monitored network |
A1.6 Controller's Obligations
The Customer (Controller) shall:
(a) Ensure that it has a valid legal basis for the processing of Customer Data under Applicable Data Protection Law;
(b) Provide appropriate information to Data Subjects about the processing of their Personal Data;
(c) Ensure that its instructions to Enigma Labs comply with Applicable Data Protection Law;
(d) Obtain any necessary consents or authorizations for the processing of Customer Data;
(e) Comply with all other obligations applicable to Controllers under Applicable Data Protection Law.
A1.7 Processor's Obligations
Enigma Labs (Processor) shall:
(a) Process Customer Data only on documented instructions from the Customer;
(b) Implement appropriate technical and organizational security measures;
(c) Ensure the confidentiality of personnel with access to Customer Data;
(d) Engage Sub-processors only in accordance with Section 6 of this DPA;
(e) Assist the Customer in responding to Data Subject requests;
(f) Assist the Customer with security obligations, breach notification, and DPIAs;
(g) Delete or return Customer Data at the end of the provision of Services;
(h) Provide information to demonstrate compliance with Article 28 of the GDPR;
(i) Allow for and contribute to audits and inspections.
Annex 2: Technical and Organizational Measures
This Annex 2 describes the technical and organizational security measures implemented by Enigma Labs to protect Customer Data, as required by Article 32 of the GDPR.
A2.1 Organizational Measures
| Measure | Implementation |
|---------|----------------|
| Information Security Policies | Enigma Labs maintains comprehensive information security policies aligned with ISO 27001 standards, covering areas such as access control, asset management, cryptography, physical security, operations security, communications security, and incident management. |
| Security Roles and Responsibilities | Clear security roles and responsibilities are defined, including a designated Information Security Officer responsible for overseeing the information security program. |
| Employee Background Checks | Background checks are conducted on employees with access to Customer Data, where permitted by applicable law and appropriate for their role. |
| Security Awareness Training | All employees with access to Customer Data receive regular security awareness and data protection training, including training on phishing, password security, and incident reporting. |
| Confidentiality Agreements | All employees and contractors with access to Customer Data are bound by confidentiality obligations, either contractual or statutory. |
| Incident Response Procedures | Documented incident response procedures are in place to detect, respond to, and recover from Security Incidents. Regular testing and drills are conducted. |
| Business Continuity Planning | Business continuity and disaster recovery plans are maintained and regularly tested to ensure the availability of the Services and protection of Customer Data. |
| Vendor Risk Management | A vendor risk management program is in place to assess and monitor the security practices of Sub-processors and other third-party service providers. |
| Regular Security Assessments | Regular security assessments, including vulnerability scans and penetration tests, are conducted to identify and address security weaknesses. |
A2.2 Technical Measures
Access Control
| Control | Implementation |
|---------|----------------|
| Role-Based Access Control (RBAC) | Access to Customer Data is granted based on job roles and responsibilities, following the principle of least privilege. |
| Principle of Least Privilege | Users are granted only the minimum access rights necessary to perform their job functions. |
| Multi-Factor Authentication (MFA) | MFA is required for all administrative access to systems containing Customer Data. |
| Unique User IDs | Each user has a unique identifier for accessing systems and applications. |
| Access Reviews | Regular access reviews are conducted to ensure that access rights remain appropriate and to remove access for terminated employees or changed roles. |
| Privileged Access Management | Enhanced controls are in place for privileged accounts, including additional monitoring and approval workflows. |
Encryption
| Control | Implementation |
|---------|----------------|
| Data in Transit | All data transmitted between the Customer and Enigma Labs' systems is encrypted using TLS 1.2 or higher. |
| Data at Rest | Customer Data stored by Enigma Labs is encrypted using AES-256 or equivalent encryption. |
| Key Management | Encryption keys are securely managed using industry-standard practices, including key rotation and secure storage. |
| Certificate Management | SSL/TLS certificates are properly managed, monitored for expiration, and renewed as needed. |
Network Security
| Control | Implementation |
|---------|----------------|
| Firewalls | Network firewalls are deployed to control and monitor network traffic. |
| Intrusion Detection/Prevention | Intrusion detection and prevention systems (IDS/IPS) are in place to identify and block malicious activity. |
| Network Segmentation | Networks are segmented to isolate critical systems and limit the potential impact of security incidents. |
| DDoS Protection | DDoS protection measures are in place to maintain service availability. |
| VPN for Administrative Access | VPN is required for remote administrative access to production systems. |
Application Security
| Control | Implementation |
|---------|----------------|
| Secure SDLC | Security is integrated throughout the software development lifecycle, including security requirements, design reviews, and security testing. |
| Code Reviews | Code reviews are conducted to identify and remediate security vulnerabilities. |
| Vulnerability Scanning | Regular vulnerability scanning is performed on applications and infrastructure. |
| Penetration Testing | Penetration testing is conducted periodically by qualified security professionals. |
| Web Application Firewall (WAF) | WAF is deployed to protect web applications from common attacks. |
| Input Validation | Input validation is implemented to prevent injection attacks and other input-based vulnerabilities. |
Data Protection
| Control | Implementation |
|---------|----------------|
| Data Classification | Data classification policies are in place to identify and protect sensitive data appropriately. |
| Data Minimization | Only data necessary for the provision of Services is collected and retained. |
| Pseudonymization | Pseudonymization techniques are used where appropriate to reduce privacy risks. |
| Secure Deletion | Secure deletion methods are used when data is no longer needed, ensuring data is irretrievable. |
Monitoring and Logging
| Control | Implementation |
|---------|----------------|
| Security Event Logging | Security events are logged, including access to Customer Data, administrative actions, and system changes. |
| Log Integrity Protection | Log integrity is protected to prevent tampering or unauthorized modification. |
| Anomaly Detection | Anomaly detection systems are in place to identify suspicious activity. |
| 24/7 Monitoring | Security monitoring is conducted 24/7 to detect and respond to security incidents. |
Physical Security
| Control | Implementation |
|---------|----------------|
| Data Center Access Controls | Physical access to data centers (via Scaleway) is strictly controlled, with multi-factor authentication, security personnel, and surveillance systems. |
| Environmental Controls | Environmental controls are in place to protect equipment from fire, flood, and other hazards. |
| Equipment Security | Equipment containing Customer Data is physically secured and disposed of securely when no longer needed. |
Availability
| Control | Implementation |
|---------|----------------|
| Redundant Infrastructure | Redundant infrastructure is deployed to ensure service availability. |
| Automated Backups | Automated backups are performed regularly to enable data recovery. |
| Disaster Recovery | Disaster recovery procedures are in place and regularly tested. |
| Failover Capabilities | Failover capabilities are implemented to minimize service disruption. |
Annex 3: Approved Sub-processors
This Annex 3 lists the Sub-processors currently engaged by Enigma Labs to process Customer Data on behalf of the Customer. The Customer provides general authorization for the use of these Sub-processors.
A3.1 List of Approved Sub-processors
| Sub-processor | Legal Entity | Address | Processing Activities | Data Location |
|---------------|--------------|---------|----------------------|---------------|
| Scaleway | Scaleway SAS | 8 rue de la Ville l'Evêque, 75008 Paris, France | Cloud infrastructure, data hosting, compute, storage | EU (Paris, Amsterdam) |
| Microsoft | Microsoft Ireland Operations Limited | One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland | Business email, productivity tools (internal communications) | EU (with EU Data Boundary) |
| Intercom | Intercom R&D Unlimited Company | 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Ireland | Customer support platform, chat, ticketing | EU |
| Highlight.io | Highlight Run, Inc. | 2261 Market Street #4242, San Francisco, CA 94114, USA | Application monitoring, error tracking, performance analytics | EU |
A3.2 Sub-processor Details
Scaleway
| Field | Details |
|-------|---------|
| Purpose | Primary cloud infrastructure provider for all customer data processing |
| Data Location | EU (Paris, France and Amsterdam, Netherlands) |
| Entity Country | France |
| Transfer Mechanism | N/A (EU-based) |
| Note | All Customer Data is hosted on Scaleway infrastructure within the EU. |
Microsoft
| Field | Details |
|-------|---------|
| Purpose | Business email and productivity tools for internal communications |
| Data Location | EU (configured for EU Data Boundary) |
| Entity Country | Ireland (EU establishment) |
| Transfer Mechanism | EU Data Boundary commitment; SCCs where applicable |
| Note | Microsoft 365 is configured for EU data residency. Customer data may be referenced in support communications. |
Intercom
| Field | Details |
|-------|---------|
| Purpose | Customer support platform for chat and ticketing |
| Data Location | EU |
| Entity Country | Ireland (EU establishment) |
| Transfer Mechanism | N/A (EU data hosting) |
| Note | Intercom is configured for EU data residency. Processes customer support interactions which may include limited personal data. |
Highlight.io
| Field | Details |
|-------|---------|
| Purpose | Application monitoring and error logging |
| Data Location | EU |
| Entity Country | US (EU data hosting) |
| Transfer Mechanism | SCCs for company access; data stored in EU |
| Note | Used for platform monitoring; may process limited technical identifiers. Configured for EU data hosting. |
A3.3 Excluded Services
The following services are not considered Sub-processors under this DPA because they do not process Customer Data:
| Service | Purpose | Reason for Exclusion |
|---------|---------|---------------------|
| Vercel | Website hosting | Hosts only the marketing website; no Customer Data is processed |
| Plausible Analytics | Website analytics | Self-hosted by Enigma Labs; does not process personal data |
A3.4 Current Sub-processor List
The current and complete list of Sub-processors is always available at: https://enigmalabs.nl/legal/sub-processors
A3.5 Sub-processor Changes
Enigma Labs will provide seven (7) days' advance notice before engaging any new Sub-processor in accordance with Section 6.4 of this DPA.
Annex 4: EU Standard Contractual Clauses
A4.1 Incorporation by Reference
The EU Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "SCCs"), are incorporated by reference into this DPA and form an integral part hereof.
The SCCs are available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
A4.2 Applicable Modules
The following modules of the SCCs apply to transfers under this DPA:
| Transfer Scenario | Applicable Module |
|-------------------|-------------------|
| Controller to Processor transfers | Module Two |
| Processor to Processor transfers | Module Three |
A4.3 SCC Appendices
Annex I.A: List of Parties
Data Exporter (Controller):
| Field | Details |
|-------|---------|
| Name | Customer (as defined in the Principal Agreement) |
| Address | As provided in the Principal Agreement |
| Contact person | As designated by the Customer |
| Activities | Use of Enigma Labs' cybersecurity services |
| Signature and date | By execution of the Principal Agreement or use of the Services |
| Role | Controller |
Data Importer (Processor):
| Field | Details |
|-------|---------|
| Name | Enigma Labs BV |
| Address | Korte Lijnbaanssteeg 1, 1012SL Amsterdam, Netherlands |
| Contact person | Data Protection Officer, dpo@enigmalabs.nl; Legal Department, legal@enigmalabs.nl |
| Activities | Provision of cybersecurity SaaS services |
| Signature and date | By execution of the Principal Agreement or provision of the Services |
| Role | Processor |
Annex I.B: Description of Transfer
The description of the transfer is as set forth in Annex 1 (Description of Processing) to this DPA.
Annex I.C: Competent Supervisory Authority
The competent supervisory authority for the purposes of Clause 13 of the SCCs is:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
| Field | Details |
|-------|---------|
| Address | Bezuidenhoutseweg 30, 2594 AV The Hague, Netherlands |
| Phone | +31 70 888 8500 |
| Website | https://autoriteitpersoonsgegevens.nl |
Annex II: Technical and Organizational Measures
The technical and organizational measures implemented by the Data Importer are as set forth in Annex 2 (Technical and Organizational Measures) to this DPA.
Annex III: List of Sub-processors
The list of Sub-processors authorized to process Personal Data under the SCCs is as set forth in Annex 3 (Approved Sub-processors) to this DPA.
A4.4 SCC Clause Elections
The following elections are made for the purposes of the SCCs:
| Clause | Election |
|--------|----------|
| Clause 7 (Docking Clause) | Optional clause included |
| Clause 9(a) (Sub-processor general authorization) | General authorization for sub-processors |
| Clause 9(b) (Sub-processor notice period) | 7 days |
| Clause 11(a) (Redress) | Optional clause included |
| Clause 17 (Governing Law) | Netherlands |
| Clause 18 (Choice of Forum) | Courts of Amsterdam, Netherlands |
A4.5 Conflict Resolution
In the event of any conflict between the provisions of the SCCs and other provisions of this DPA, the provisions of the SCCs shall prevail.
Document Information
| Field | Details |
|-------|---------|
| Document Title | Data Processing Agreement |
| Company | Enigma Labs BV |
| Legal Entity | Besloten Vennootschap (Dutch Private Limited Company) |
| Registered Address | Korte Lijnbaanssteeg 1, 1012SL Amsterdam, Netherlands |
| KvK Number | 99568322 |
| Country of Incorporation | The Netherlands |
| Website | https://enigmalabs.nl |
| DPA URL | https://enigmalabs.nl/dpa |
| Sub-processor List URL | https://enigmalabs.nl/legal/sub-processors |
| Privacy Policy URL | https://enigmalabs.nl/privacy |
| Terms of Service URL | https://enigmalabs.nl/terms |
| DPA Contact Email | legal@enigmalabs.nl |
| DPO Email | dpo@enigmalabs.nl |
| Security Contact Email | security@enigmalabs.nl |
| Data Hosting Location | European Union (Scaleway, Paris/Amsterdam) |
| Effective Date | January 22, 2026 |
| Last Updated | January 28, 2026 |
| Version | 1.1 |
Related Documents
| Document | URL | Description |
|----------|-----|-------------|
| Privacy Policy | https://enigmalabs.nl/privacy | How Enigma Labs processes personal data as a Controller |
| Terms of Service | https://enigmalabs.nl/terms | General terms governing use of the Services |
| Cookie Policy | https://enigmalabs.nl/cookies | How Enigma Labs uses cookies on its website |
| Sub-processor List | https://enigmalabs.nl/legal/sub-processors | Current list of approved Sub-processors |
This Data Processing Agreement is designed to ensure compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. For questions or concerns, please contact us at legal@enigmalabs.nl or dpo@enigmalabs.nl.
© 2026 Enigma Labs BV. All rights reserved.