Apeironix Data Processing Addendum

Data Processing Addendum (DPA)

Exhibit C to the Master Services Agreement

Effective Date: October 27, 2025

This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement or equivalent agreement (the “Agreement”) between Apeironix Inc. (“Apeironix,” “Processor,” “we,” or “us”) and the Customer entity that is party to the Agreement (“Customer”).

By accessing or using the Services, Customer acknowledges that it has read, understood, and agrees to be bound by this DPA.

1. Purpose & Scope.

This DPA governs the Processing of Personal Data in connection with the Services. Apeironix may Process Personal Data as Processor (or Subprocessor if Customer is a Processor). Applies to Personal Data under Applicable Data Protection Laws (e.g., CCPA, PIPEDA).

2. Roles of the Parties

• Customer as Controller, Apeironix as Processor; or
• Customer as Processor, Apeironix as Subprocessor.

Apeironix Processes Personal Data only on Customer’s documented lawful instructions, unless required by law.

3. Processing Details

4. Processor Obligations

Apeironix will:
(a) Process per Customer’s instructions
(b) Ensure confidentiality of authorized personnel
(c) Maintain security per Exhibit B
(d) Engage Subprocessors per Section 5
(e) Assist with data subject rights
(f) Assist with DPIAs/regulator consultations
(g) Notify of Personal Data Breach without undue delay
(h) Delete/return Personal Data post-services, subject to legal holds

5. Subprocessors.

Customer authorizes Subprocessors. Provider maintains and provides Subprocessor list upon request. Subprocessor agreements as protective as this DPA; Provider liable for Subprocessor acts.

6. International Transfers.

For data transfers between the United States and Canada, Apeironix complies with Applicable Data Protection Laws (e.g., PIPEDA). Additional safeguards implemented as needed for cross-border transfers.

7. Security Measures

Aligned with SOC 2 Type II, audited annually. Measures include:

• Vetted personnel
• Secure development
• Penetration/vulnerability testing
• AWS cloud with isolation
• Encryption at rest/transit
• Third-party app/infra security tests

8. Data Subject Rights.

Apeironix assists with data subject requests (e.g., access, rectification, deletion, restriction, portability, objection) under Applicable Data Protection Laws (e.g., CCPA, PIPEDA).

9. Audit Rights

Upon request, Apeironix provides SOC 2 Type II reports/summaries. Onsite audits:

• Once yearly
• 30 days’ notice
• Business hours
• Non-disruptive
• At Customer’s expense
• Subject to confidentiality agreement

10. Liability.

Subject to MSA limitations.

11. Electronic Notices and Communications.

Customer consents to receive any agreements, notices, disclosures, and other communications (collectively, “Notices”) from Apeironix electronically, including via email or by posting on the Platform or website. Customer agrees that all Notices provided electronically satisfy any legal requirement that such communications be in writing. Customer is responsible for maintaining a valid email address and ensuring delivery of Notices. Unless otherwise specified, Notices will be deemed given when sent by email or posted online.

12. No Agency or Employment Relationship.

Nothing in this DPA creates any agency, partnership, joint venture, employer-employee, or franchisor-franchisee relationship between the Parties. Neither Party is authorized to act on behalf of the other or bind the other to any obligation.

13. Contacting Us.

If Customer has any questions about this DPA or data processing under the Agreement, please contact:

Apeironix Inc.
Email: legal@apeironix.com
Phone: (888) 508-9495
Address: 6195 Ridgeview Ct., Suite F, Reno, NV 89519

By accessing or using the Services, Customer acknowledges that it has read, understood, and agrees to be bound by this DPA.