Data Processing Addendum

This addendum applies to personal data Tibly processes on behalf of customers, alongside our main Terms of Service. It satisfies GDPR Art. 28, the UK GDPR equivalent, and the CCPA "service provider" contract requirements. Customers who require a counter-signed copy can request one at the address below.

Effective June 12, 2026

1. Definitions

Terms used in this DPA have the meanings given to them in the GDPR or, where relevant, the CCPA/CPRA. In particular:

Customer / Controller
The legal entity that signed up for the product and that accepts the Terms of Service and this DPA.
Processor
Tibly, Inc.
Subprocessor
Any third party engaged by the Processor to process Customer Personal Data — the published list is in section 4.
Customer Personal Data
Personal data the Customer (or its users) submits to the product and that the Processor processes on the Customer's behalf to provide the product.
Data Protection Laws
All laws and regulations applicable to the processing of personal data under this DPA, including the GDPR, the UK GDPR, the CCPA/CPRA, and the comparable laws of any other jurisdiction in which the Customer or its users reside.

2. Scope and roles

The Customer is the controller of Customer Personal Data; Tibly is the processor. Tibly processes Customer Personal Data only on documented instructions from the Customer — primarily the instructions implicit in the Customer's use of the product as offered through the application interface, plus any further written instructions the Customer provides. Tibly will inform the Customer if it believes a Customer instruction infringes Data Protection Laws.

Processor scope is narrower than business scope

Not everything Tibly does is processing on behalf of customers. Some processing — for example, account administration, billing, product analytics about how the Customer's users interact with the product, and security monitoring — is processing Tibly performs as an independent controller. The Privacy Policy at /privacy describes that separately.

3. Processing details

Item: Detail
Subject matter: Provision of the product (sales-intelligence and outreach workflow) to the Customer.
Duration: For the term of the agreement, plus any post-termination retention window described in the Privacy Policy or in section 8 below.
Nature and purpose: Hosting, transmitting, displaying, and processing Customer Personal Data so the Customer can access the product's features.
Categories of data subjects: The Customer's authorised users; third-party individuals (employees of general contractors, architects, developers, owners, and other companies) whose business contact information the Customer chooses to look up through the product's Reveal flow.
Categories of personal data: Account profile (name, email, optional avatar, seller context notes), authentication credentials, billing contact, usage telemetry including session replay, business contact information returned from licensed enrichment providers (name, work email, work phone, work title, work LinkedIn, work location), workspace notes the Customer adds, and CRM-sync records the Customer pushes through the Pipedrive integration.
Special-category data: Tibly does not knowingly process special-category data under GDPR Art. 9 or sensitive personal information under the CPRA. The Customer agrees not to submit such data to the product.

4. Subprocessors

Tibly uses the subprocessors listed in section 5 of the Privacy Policy at /privacy. The published list is the authoritative version; this DPA incorporates it by reference. The Customer authorises the use of these subprocessors. Tibly will give the Customer at least 30 days' advance notice (by email to the Customer's account email) before adding or replacing a subprocessor, during which time the Customer may object on reasonable grounds related to data protection. If the Customer's objection cannot be resolved, the Customer may terminate the affected portion of the agreement without penalty.

Tibly remains fully liable to the Customer for the performance of each subprocessor's obligations.

Single-tenant construction-graph rollup

The construction-graph data the product surfaces (the projects map, the company directory, and the cached contact records returned through Reveal) is currently shared across all Tibly customers — any authenticated user can read any company's project history and any cached contact record. Workspace data the Customer creates (Matrix columns, Signals templates, notes, CRM-sync records) is scoped to the user that created it. The Customer should not upload Customer Personal Data into workspace fields that the Customer would not be comfortable having stored alongside other customers' workspace data in the same Postgres tables, and the Customer acknowledges that the cached contact records returned through Reveal are shared across the Tibly customer base.

5. Data-subject rights

Taking into account the nature of the processing, Tibly will assist the Customer with appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer's obligations to respond to requests from data subjects exercising their rights under Data Protection Laws. Most of those rights are fulfillable by the Customer itself through the product's settings. For requests we receive directly from the Customer's data subjects, Tibly will forward them to the Customer without undue delay.

Tibly also operates a direct data-subject-request flow at /privacy/data-subject-rights for third-party individuals whose business contact information appears in the cached Reveal results (a "controller" surface, not a "processor" surface — those records originate from public construction records plus Tibly's own licensed enrichment providers and do not belong to any one Customer). Deletion requests received through that flow remove the cached contact across the entire Customer base; the affected Customers may see Reveal results return fewer rows for the relevant company after the deletion runs. Tibly will not log a record of which Customers had previously surfaced the deleted contact.

6. Security measures

Tibly implements appropriate technical and organisational measures to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. The current measures are described on the Security page at /security, which forms Annex II of this DPA. Tibly may update those measures over time, provided that the updated measures do not materially reduce the level of security.

All personnel with access to Customer Personal Data are bound by appropriate confidentiality obligations.

7. Breach notification

Tibly will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any actual or reasonably suspected personal-data breach affecting Customer Personal Data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.

8. Deletion and return of data

On termination of the agreement, Tibly will, at the Customer's choice, delete or return all Customer Personal Data within 30 days, subject to the legal retention exceptions described in the Privacy Policy (tax records, fraud prevention, encrypted-backup rotation). Where Customer Personal Data persists in encrypted backups beyond that window, Tibly will protect it from active processing until it ages out in the ordinary backup rotation.

9. Audit

Tibly will make available to the Customer the information necessary to demonstrate compliance with this DPA. The primary form this takes is the publicly maintained Security page (/security), supplemented by responses to reasonable written questionnaires the Customer may send no more than once per year. For Customers with a contractual right to a full audit, the audit may be performed at the Customer's expense, on at least 30 days' notice, during normal business hours, in a manner that does not unreasonably interfere with our operations, and subject to a confidentiality agreement.

10. International transfers

Customer Personal Data is processed in the United States, on infrastructure operated by Railway. For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, the parties rely on the European Commission's Standard Contractual Clauses (Module 2 — Controller to Processor) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference. Tibly applies supplementary measures (encryption in transit, encryption at rest, scoped access) appropriate to the destination. Tibly is not currently targeting EU or UK customers and does not knowingly process personal data of EU/UK data subjects in the ordinary course; Customers whose user base includes EU/UK individuals should contact us before relying on the product for processing those individuals' personal data.

11. CCPA / CPRA — service provider

For Customer Personal Data subject to the CCPA/CPRA, the Customer is a "business" and Tibly is a "service provider" (Cal. Civ. Code § 1798.140(ag)). Tibly certifies that it understands the restrictions in § 1798.140(ag)(1) and will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the agreement; (c) retain, use, or disclose Customer Personal Data outside the direct business relationship; or (d) combine Customer Personal Data with personal information received from or on behalf of any other person, except as permitted by the CCPA.

12. Liability

Each party's total liability under this DPA, taken together with its total liability under the main Terms of Service, is subject to the limitation of liability set out in those Terms.

13. Contact and counter-signature

For a counter-signed copy of this DPA, or for any DPA-related question, email legal@tibly.ai (commercial) or privacy@tibly.ai (data-protection officer). Where the Customer requires a counter-signed copy, this published version is the standing offer; the counter-signed document will reproduce these terms without material change.