Locktera.com

LOCKTERA DATA PROCESSING ADDENDUM

Last Updated: March 8, 2026

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Locktera Terms of Service, Master Services Agreement, or other written or electronic agreement governing Customer’s use of the Services (the “Agreement”), and is entered into between Locktera, Inc., a Texas corporation (“Locktera,” “Processor,” “Service Provider,” “we,” “us,” or “our”), and the entity that is a party to the Agreement (“Customer,” “Controller,” “Business,” “you,” or “your”).

This DPA applies to the extent that Locktera processes Personal Data on behalf of Customer in connection with Customer’s access to and use of Locktera’s services, including the Locktera CORE API, Locktera Share, encryption services, cryptographic container services, SDKs, authorization systems, and related infrastructure (collectively, the “Services”).

This DPA establishes the parties’ respective rights and obligations regarding the Processing of Personal Data and is intended to ensure compliance with applicable Data Protection Laws, including but not limited to:

  • Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
  • The UK GDPR and UK Data Protection Act 2018
  • The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
  • And other applicable privacy and data protection laws and regulations

For purposes of this DPA:

  • Customer acts as the Controller (or “Business” as defined under applicable Data Protection Laws); and
  • Locktera acts as the Processor (or “Service Provider” as defined under applicable Data Protection Laws).

This DPA applies solely to Personal Data processed by Locktera on behalf of Customer in its capacity as a Processor or Service Provider and does not apply to data processed by Locktera in its capacity as an independent Controller, if any.

This DPA is incorporated into and forms an integral part of the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

By executing the Agreement or accessing or using the Services, Customer agrees to be bound by the terms of this DPA.

1. DEFINITIONS

For purposes of this Data Processing Addendum (“DPA”), the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings given in the Agreement.

1.1 Personal Data

“Personal Data” means any information relating to an identified or identifiable natural person that is Processed by Locktera on behalf of Customer in connection with the Services. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

For purposes of the CCPA and CPRA, “Personal Data” includes “Personal Information” as defined under those laws.

1.2 Data Protection Laws

“Data Protection Laws” means all applicable laws and regulations relating to privacy, data protection, and information security governing the Processing of Personal Data under the Agreement, including, without limitation:

  • Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”);
  • The UK GDPR and UK Data Protection Act 2018;
  • The Swiss Federal Act on Data Protection (“FADP”), where applicable;
  • The California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”);
  • Any other applicable federal, state, national, or international privacy or data protection laws and regulations.

1.3 Controller

“Controller” means the entity that alone or jointly with others determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer acts as the Controller (or “Business,” where applicable under CCPA/CPRA).

1.4 Processor

“Processor” means the entity that Processes Personal Data on behalf of a Controller. For purposes of this DPA, Locktera acts as the Processor (or “Service Provider” or “Contractor,” where applicable under CCPA/CPRA).

1.5 Subprocessor

“Subprocessor” means any third-party processor engaged by Locktera to Process Personal Data on behalf of Customer in connection with the Services.

1.6 Processing

“Processing” or “Process” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, restriction, erasure, or destruction.

1.7 Data Subject

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

1.8 Security Incident

“Security Incident” means any confirmed or reasonably suspected unauthorized access to, acquisition of, disclosure of, alteration of, or destruction of Personal Data Processed by Locktera on behalf of Customer. A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, port scans, denial-of-service attacks, or other network attacks that do not result in unauthorized access.

1.9 Restricted Transfer

“Restricted Transfer” means a transfer of Personal Data that is subject to restrictions under Data Protection Laws, including transfers of Personal Data from the European Economic Area (EEA), Switzerland, or the United Kingdom to a country that has not been recognized as providing an adequate level of data protection by applicable regulators.

1.10 Standard Contractual Clauses (SCCs)

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission pursuant to Implementing Decision (EU) 2021/914, or any successor clauses approved by the European Commission or the UK Information Commissioner’s Office for the transfer of Personal Data to third countries, as amended or replaced from time to time.

2. ROLES OF THE PARTIES

2.1 Controller and Processor Relationship

The parties acknowledge and agree that, with respect to the Processing of Personal Data under the Agreement:

(a) Customer acts as the Controller (or “Business,” as defined under applicable Data Protection Laws) and determines the purposes and means of the Processing of Personal Data;

(b) Locktera acts as the Processor (or “Service Provider” or “Contractor,” as defined under applicable Data Protection Laws) and Processes Personal Data solely on behalf of and in accordance with Customer’s documented instructions;

(c) Locktera shall Process Personal Data only for the limited and specific purposes of providing, securing, maintaining, and supporting the Services in accordance with the Agreement and this DPA.

Locktera shall not sell Personal Data or share Personal Data for cross-context behavioral advertising, and shall not retain, use, or disclose Personal Data for any purpose other than the limited and specified purposes set forth in the Agreement and this DPA, except as required by applicable law.

2.2 Customer Processing Instructions

Customer instructs Locktera to Process Personal Data as necessary to:

(a) provide the Services in accordance with the Agreement;

(b) secure, authenticate, authorize, and enforce access controls for cryptographic containers and protected data;

(c) maintain, support, and improve the reliability, integrity, and security of the Services;

(d) comply with applicable law, legal process, or binding governmental request; and

(e) perform other Processing activities authorized by Customer through its configuration and use of the Services.

Customer may provide additional documented instructions consistent with the Agreement.

If Locktera believes that a Customer instruction violates applicable Data Protection Laws, Locktera shall promptly inform Customer unless prohibited by law.

2.3 Locktera Processing Limitations

Locktera shall not:

(a) determine the purposes or means of the Processing of Personal Data;

(b) access, use, or disclose Personal Data except as necessary to provide, secure, maintain, or support the Services, or as required by applicable law;

(c) access Personal Data except through authorized and controlled mechanisms necessary for service operation, security, maintenance, or support; or

(d) process Personal Data for its own commercial purposes.

Locktera shall not retain, use, or disclose Personal Data outside the direct business relationship between Locktera and Customer, except as permitted under applicable Data Protection Laws.

Customer acknowledges that Locktera’s cryptographic container architecture enforces access controls and authorization policies configured by Customer, and that Locktera does not control or determine Customer authorization policies governing access to Personal Data.

2.4 Customer Responsibilities as Controller

Customer is solely responsible for:

(a) determining whether Personal Data is submitted to, encrypted within, or processed using the Services;

(b) determining the categories and types of Personal Data processed;

(c) determining the purposes and lawful bases for Processing Personal Data;

(d) determining which users, systems, or third parties are authorized to access Personal Data;

(e) configuring authorization policies, access controls, and permissions governing Personal Data; and

(f) ensuring that Customer’s Processing of Personal Data complies with applicable Data Protection Laws.

Customer represents and warrants that it has obtained all necessary rights, permissions, and lawful bases required to Process Personal Data and to instruct Locktera to Process Personal Data on Customer’s behalf.

3. PROCESSING OF PERSONAL DATA

3.1 Processing Scope and Instructions

Locktera shall Process Personal Data solely on behalf of Customer and only in accordance with:

(a) Customer’s documented instructions as reflected in the Agreement, this DPA, and Customer’s configuration and use of the Services;

(b) the purposes of providing, operating, securing, maintaining, and supporting the Services;

(c) applicable Data Protection Laws; and

(d) any lawful and binding request of a governmental authority, provided that Locktera shall, unless legally prohibited, promptly notify Customer of such request and provide reasonable assistance to enable Customer to challenge or limit the disclosure where permitted by law.

Locktera shall not Process Personal Data for any purpose other than those expressly authorized by Customer or required by applicable law.

3.2 Processing Limitations

Locktera shall not, and shall ensure that its personnel and Subprocessors do not:

(a) sell Personal Data;
(b) share Personal Data for cross-context behavioral advertising;
(c) retain, use, or disclose Personal Data outside the direct business relationship between Locktera and Customer, except as required by applicable law;
(d) retain Personal Data longer than necessary to provide the Services or comply with legal obligations;
(e) Process Personal Data for Locktera’s own commercial purposes;
(f) combine Personal Data with Personal Data obtained from other sources, except as necessary to provide the Services.

For purposes of CCPA and CPRA, Locktera acts as a “Service Provider” and “Contractor.”

3.3 Limited Access to Personal Data

Locktera shall access Personal Data only to the extent necessary to:

(a) provide, operate, and maintain the Services;

(b) secure, authenticate, authorize, and enforce access controls;

(c) detect, prevent, and respond to security incidents;

(d) provide Customer support requested by Customer;

(e) comply with applicable legal obligations.

Access by Locktera personnel to Personal Data shall be limited to authorized personnel with a legitimate business need, granted under the principle of least privilege, and subject to written confidentiality obligations.

3.4 Cryptographic Enforcement and Customer Control

Customer acknowledges that:

(a) Locktera’s Services utilize cryptographic container architecture designed to enforce access controls and authorization policies configured by Customer;

(b) Customer controls the configuration of access permissions and authorization policies governing Personal Data;

(c) Locktera does not independently determine which persons are authorized to access Personal Data;

(d) Locktera does not decrypt or access Personal Data except as authorized by Customer or required to provide the Services.

Locktera does not determine Customer authorization policies and shall not be responsible for access permissions configured by Customer.

Customer remains solely responsible for managing authorization policies governing access to Personal Data.

Locktera does not determine the content of Personal Data encrypted or stored by Customer.

3.5 Compliance with Customer Instructions

Locktera shall promptly notify Customer if, in Locktera’s reasonable opinion, Customer’s instructions violate applicable Data Protection Laws.

3.6 GDPR Article 28 Compliance

To the extent the GDPR or UK GDPR applies, this DPA is intended to satisfy the requirements of Article 28(3) of the GDPR and UK GDPR.

Locktera shall:

(a) process Personal Data only on documented instructions from Customer;

(b) ensure personnel authorized to process Personal Data are subject to confidentiality obligations;

(c) implement appropriate technical and organizational security measures;

(d) assist Customer in ensuring compliance with Customer’s obligations under Articles 32–36 of the GDPR, taking into account the nature of Processing and the information available to Locktera;

(e) delete or return Personal Data upon termination of the Services;

(f) make available information necessary to demonstrate compliance with this DPA; and

(g) ensure Subprocessors are subject to equivalent data protection obligations.

3.7 Nature, Purpose, and Duration of Processing

Nature of Processing:

Encryption, storage, transmission, authentication, authorization enforcement, access control enforcement, logging, and secure data management.

Purpose of Processing:

To provide secure encryption, cryptographic container enforcement, access control, audit logging, and related services.

Duration of Processing:

For the duration of the Agreement and as necessary to provide the Services and comply with legal obligations.

Categories of Data Subjects:

Customer employees, contractors, end users, customers, and other individuals whose Personal Data is included in Customer Data.

Categories of Personal Data:

Any Personal Data submitted by Customer, including identifiers, contact information, authentication credentials, device identifiers, IP addresses, and any other data encrypted or processed using the Services.

4. CUSTOMER OBLIGATIONS

4.1 Customer Responsibility as Controller

Customer represents, warrants, and agrees that, with respect to all Personal Data processed in connection with the Services, Customer has all necessary rights, authority, and lawful bases to collect, use, disclose, and otherwise Process Personal Data and to authorize Locktera to Process Personal Data on Customer’s behalf.

(a) Customer has all necessary rights, authority, and lawful basis to collect, use, disclose, and process Personal Data and to authorize Locktera to process Personal Data on Customer’s behalf;

(b) Customer has provided all required notices and obtained all necessary consents, permissions, and authorizations required under applicable Data Protection Laws;

(c) Customer’s processing of Personal Data complies with all applicable Data Protection Laws, including requirements relating to transparency, lawful basis, and data subject rights;

(d) Customer shall not instruct Locktera to process Personal Data in violation of applicable Data Protection Laws.

Customer shall be solely responsible for the accuracy, quality, legality, and appropriateness of Personal Data submitted to the Services.

4.2 Access Control and Authorization Responsibilities

Customer acknowledges and agrees that Customer is solely responsible for:

(a) determining which Personal Data is submitted to, encrypted within, or processed using the Services;

(b) configuring and managing access controls, authorization policies, and permissions governing access to Personal Data;

(c) determining which users, systems, devices, or third parties are authorized to access Personal Data;

(d) managing authentication credentials, encryption keys, and authorization mechanisms under Customer’s control;

(e) ensuring that access to Personal Data is limited to authorized persons.

Customer acknowledges that Locktera’s Services enforce access policies based on Customer-defined authorization and cryptographic enforcement mechanisms.

Locktera does not independently determine or override Customer authorization policies governing access to Personal Data.

4.3 Security Responsibilities of Customer

Customer shall implement and maintain appropriate administrative, technical, and organizational safeguards designed to protect Personal Data within Customer’s systems, including:

(a) securing Customer systems and infrastructure;

(b) protecting authentication credentials, API keys, encryption keys, and other access tokens;

(c) preventing unauthorized access to Customer accounts or systems;

(d) promptly revoking access for unauthorized or terminated users;

(e) promptly notifying Locktera of any suspected unauthorized access or security incidents involving the Services.

Locktera shall not be responsible for security incidents resulting from Customer’s failure to implement appropriate security controls or from Customer’s misconfiguration of access controls or authorization policies.

4.4 Compliance with Data Protection Laws

Customer is solely responsible for:

(a) determining whether the Services are appropriate for Customer’s intended Processing of Personal Data;

(b) complying with all legal and regulatory obligations applicable to Customer’s processing of Personal Data;

(c) responding to requests from Data Subjects and regulatory authorities;

(d) maintaining appropriate records of processing activities, where required by law.

4.5 Customer Instructions

Customer shall ensure that all instructions provided to Locktera comply with applicable Data Protection Laws and the Agreement. Customer shall not provide instructions that would cause Locktera to violate applicable Data Protection Laws.

5. SECURITY MEASURES

5.1 Implementation of Security Measures

Locktera shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, appropriate to the nature of the Personal Data and the risk presented by the Processing of Personal Data.

Such measures shall include safeguards designed to ensure the ongoing confidentiality, integrity, availability, and resilience of Locktera’s systems and Services.

5.2 Technical Safeguards

Locktera’s security measures shall include, as appropriate:

(a) encryption of Personal Data in transit using industry-standard cryptographic protocols;

(b) encryption of Personal Data at rest using strong industry-standard encryption mechanisms;

(c) cryptographic container architecture enforcing access authorization through cryptographic controls;

(d) secure key generation, storage, rotation, and management procedures designed to protect cryptographic keys from unauthorized access;

(e) access control mechanisms designed to restrict access to authorized personnel and systems;

(f) authentication mechanisms designed to verify identity prior to granting access;

(g) system logging, audit logging, and monitoring designed to detect unauthorized access or anomalous activity;

(h) network security controls, including firewalls, segmentation, and access restrictions;

(i) infrastructure security controls designed to protect against unauthorized access and compromise;

(j) vulnerability management, security patching, and remediation processes designed to address identified security vulnerabilities.

5.3 Organizational Safeguards

Locktera shall implement organizational safeguards including:

(a) restricting access to Personal Data to authorized personnel with a legitimate business need and granted access under the principle of least privilege;

(b) requiring personnel with access to Personal Data to be subject to confidentiality obligations;

(c) implementing security policies and procedures governing access to and protection of Personal Data;

(d) implementing processes designed to detect, prevent, and respond to security incidents.

5.4 Cryptographic Enforcement Architecture

Customer acknowledges and agrees that Locktera’s Services utilize cryptographic container architecture designed to enforce access authorization through cryptographic mechanisms configured by Customer.

Locktera enforces authorization decisions based on Customer-defined policies but does not independently determine which users are authorized to access Personal Data.

Locktera shall not access or decrypt Personal Data except as necessary to provide, secure, maintain, or support the Services, or as required by applicable law.

Locktera does not independently determine or override Customer authorization policies governing access to Personal Data.

5.5 Customer Security Responsibilities

Customer acknowledges and agrees that Customer is responsible for:

(a) configuring and managing authorization policies governing access to Personal Data;

(b) managing authentication credentials, API keys, and access permissions;

(c) ensuring that access to Personal Data is granted only to authorized persons;

(d) protecting Customer systems, credentials, and access mechanisms.

Locktera shall not be responsible for security incidents resulting from Customer’s failure to implement appropriate security controls or from Customer’s misconfiguration of authorization policies, access controls, or credential management.

5.6 Security Measure Evolution

Customer acknowledges that Locktera may update or enhance its security measures from time to time, provided that such updates do not materially reduce the overall security of the Services or deviate from generally accepted industry security standards.

5.7 Customer-Controlled Cryptographic Protection

Customer acknowledges that Locktera’s cryptographic container architecture enables Customer to control access authorization and encryption policies based on Customer-defined policies. Locktera does not independently grant access to Personal Data except as authorized by Customer or required by applicable law.

6. SUBPROCESSORS

6.1 General Authorization

Customer provides general written authorization, subject to this Section 6, for Locktera to engage Subprocessors to Process Personal Data on Customer’s behalf in connection with the provision of the Services.

6.2 Subprocessor Obligations

Locktera shall ensure that each Subprocessor:

(a) is bound by a written agreement imposing data protection obligations substantially equivalent to those set forth in this DPA and required under applicable Data Protection Laws;

(b) is subject to confidentiality obligations;

(c) implements appropriate technical and organizational measures designed to protect Personal Data in accordance with applicable Data Protection Laws;

(d) processes Personal Data solely for the purpose of providing services to Locktera in connection with the Services.

6.3 Locktera Responsibility

Locktera shall remain fully responsible for the acts and omissions of its Subprocessors to the same extent as if Locktera were performing the services of the Subprocessor directly under this DPA.

6.4 Subprocessor List and Updates

Locktera shall maintain and make available to Customer a current list of Subprocessors upon request or through a publicly accessible webpage.

Locktera shall provide reasonable notice of any new Subprocessor engaged to process Personal Data.

6.5 Customer Objection Rights

Customer may object to the appointment of a new Subprocessor on reasonable data protection grounds that materially impact Customer’s compliance with Data Protection Laws by providing written notice within thirty (30) days.

In the event of a reasonable objection, the parties shall work in good faith to address Customer’s concerns.

If the parties are unable to resolve the objection within a reasonable period, Customer may terminate the affected portion of the Services without penalty, subject to the terms of the Agreement.

6.6 Cross-Border Transfers by Subprocessors

Where a Subprocessor Processes Personal Data outside of the European Economic Area (EEA), United Kingdom, Switzerland, or another jurisdiction providing an adequate level of data protection under applicable Data Protection Laws, Locktera shall ensure that appropriate safeguards are implemented, including execution of Standard Contractual Clauses or other legally recognized transfer mechanisms.

7. SECURITY INCIDENT NOTIFICATION

7.1 Notification Obligation

Locktera shall notify Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a confirmed Security Incident involving Personal Data processed on behalf of Customer.

Notification shall be made through reasonable written means, including email, the Services interface, or other direct communication methods.

For purposes of this Section, “Security Incident” has the meaning set forth in Section 1 of this DPA.

Security Incidents do not include unsuccessful attempts or activities that do not result in unauthorized access to Personal Data, including unsuccessful login attempts, port scans, denial-of-service attacks, or other network attacks that do not compromise Personal Data.

7.2 Incident Notification Content

To the extent reasonably available, Locktera’s notification shall include:

(a) a description of the nature of the Security Incident;

(b) the categories and approximate number of Data Subjects and volume of Personal Data affected;

(c) the likely consequences of the Security Incident, if known;

(d) the measures taken or proposed to address and mitigate the Security Incident;

(e) information regarding steps Customer may take to mitigate potential adverse effects.

Locktera may provide information in phases as additional information becomes available.

7.3 Incident Response and Mitigation

Locktera shall take commercially reasonable and appropriate measures to:

(a) contain, investigate, and mitigate the Security Incident;

(b) prevent recurrence of the Security Incident;

(c) restore the integrity and security of the Services.

Locktera shall cooperate with Customer by providing reasonable information necessary for Customer to meet its obligations under applicable Data Protection Laws.

7.4 Confidentiality and Security of Incident Information

Locktera shall not be required to disclose information that would reasonably compromise the security of the Services or other customers.

7.5 Customer Responsibilities

Customer acknowledges and agrees that Customer is responsible for determining whether a Security Incident triggers notification obligations under applicable Data Protection Laws and for complying with such obligations.

Locktera shall provide reasonable assistance to Customer in meeting such obligations.

7.6 Exclusions

Locktera shall not be responsible for Security Incidents caused by:

(a) Customer systems, infrastructure, applications, or third-party services not controlled by Locktera;

(b) Customer’s failure to properly configure authorization or access controls;

(c) compromise of Customer credentials;

(d) acts or omissions of Customer or Customer’s users.

8. DATA SUBJECT RIGHTS

8.1 Assistance with Data Subject Requests

To the extent required by applicable Data Protection Laws, Locktera shall provide reasonable assistance to Customer, upon Customer’s written request, in responding to requests from Data Subjects relating to Personal Data processed by Locktera on behalf of Customer.

Such assistance may include support in enabling Customer to respond to requests to:

(a) access Personal Data;

(b) correct or rectify Personal Data;

(c) delete or erase Personal Data;

(d) restrict or object to processing;

(e) export or transmit Personal Data in a structured, commonly used, and machine-readable format where technically feasible.

Such assistance shall be limited to Personal Data processed by Locktera in its capacity as a Processor and within the scope of the Services.

8.2 Customer Responsibility for Data Subject Requests

Customer acknowledges and agrees that Customer, as Controller, is solely responsible for:

(a) receiving and responding to Data Subject requests;

(b) verifying the identity of Data Subjects;

(c) determining whether a request is legally valid;

(d) fulfilling Data Subject requests in accordance with applicable Data Protection Laws.

Locktera shall not respond directly to Data Subject requests except as instructed by Customer or as required by applicable law.

8.3 Locktera Processing Limitations and Technical Scope

Customer acknowledges that Locktera processes Personal Data solely in accordance with Customer’s instructions and configuration of the Services.

Locktera does not independently determine the purposes or means of Processing Personal Data.

Customer is responsible for configuring authorization policies, access permissions, and cryptographic access controls governing Personal Data.

Locktera’s ability to assist with Data Subject requests may be limited to the functionality available within the Services and Locktera shall not be required to access, decrypt, or modify Personal Data beyond the functionality provided by the Services except as authorized by Customer or necessary to provide the Services.

8.4 Cooperation and Reasonable Assistance

Locktera shall provide such assistance as is reasonably necessary and technically feasible, taking into account:

(a) the nature of the processing;

(b) the functionality of the Services;

(c) Locktera’s role as Processor;

(d) applicable legal requirements.

Locktera may charge reasonable and documented fees for assistance that requires substantial engineering, operational, or administrative effort, where permitted under the Agreement.

8.5 Legal Requests

If Locktera receives a request directly from a Data Subject relating to Personal Data processed on behalf of Customer, Locktera shall, where legally permitted, promptly notify Customer and refer the Data Subject to Customer.

Locktera shall not be obligated to respond directly to such requests unless required by applicable law.

8.6 Regulatory Cooperation

To the extent required by applicable Data Protection Laws, Locktera shall provide reasonable assistance to Customer, upon Customer’s written request, in responding to lawful requests, investigations, or inquiries from supervisory authorities relating to Personal Data processed under this DPA.

9. DATA RETENTION AND DELETION

9.1 Retention During Term

Locktera shall retain and Process Personal Data only for as long as necessary to provide the Services in accordance with the Agreement, this DPA, and applicable Data Protection Laws.

Customer acknowledges that Locktera processes Personal Data solely on Customer’s behalf and does not retain Personal Data for independent purposes.

9.2 Deletion or Return Upon Termination

Upon termination or expiration of the Agreement, and upon Customer’s written request made within a reasonable period following termination, Locktera shall, within a commercially reasonable period:

(a) delete Personal Data processed on behalf of Customer; or

(b) return Personal Data to Customer, where technically feasible; unless retention of such Personal Data is required by applicable law, regulatory obligation, or legal process.

Where applicable law requires retention, Locktera shall protect Personal Data in accordance with this DPA and applicable Data Protection Laws and shall delete such Personal Data upon expiration of the legally required retention period.

9.3 Deletion Scope and Limitations

Deletion obligations shall not apply to:

(a) Personal Data contained in encrypted containers controlled exclusively by Customer;

(b) Personal Data stored in Customer-controlled storage environments;

(c) Personal Data retained in backup or archival systems, provided such data remains securely isolated, protected from active processing, and deleted in accordance with Locktera’s data retention and deletion processes;

(d) Personal Data retained to comply with applicable law, regulatory requirements, legal process, or audit obligations.

9.4 Cryptographic Container Architecture and Customer Control

Customer acknowledges that Locktera’s Services utilize cryptographic container architecture designed to enable Customer control over Personal Data.

Customer is responsible for managing encrypted containers, including deletion, retention, and access policies configured by Customer.

Locktera does not control Customer’s authorization policies governing encrypted containers.

Locktera does not independently access, decrypt, or modify encrypted containers except as necessary to provide the Services.

9.5 Certification of Deletion

Locktera shall provide written certification that Personal Data subject to deletion under this Section has been deleted in accordance with Locktera’s data deletion procedures.

9.6 Continued Protection of Retained Data

Any Personal Data retained by Locktera pursuant to legal, regulatory, audit, or operational requirements shall remain subject to the confidentiality, security, and protection obligations set forth in this DPA.

10. INTERNATIONAL DATA TRANSFERS

10.1 Authorization of International Transfers

Customer acknowledges and agrees that Locktera may process Personal Data in the United States and other jurisdictions in which Locktera or its Subprocessors operate.

Customer authorizes Locktera to transfer Personal Data to such jurisdictions as necessary to provide the Services, subject to the safeguards set forth in this Section.

10.2 Compliance with Data Protection Laws

Locktera shall ensure that any transfer of Personal Data subject to Data Protection Laws is conducted in accordance with GDPR Chapter V and other applicable Data Protection Laws governing international data transfers.

10.3 Transfer Safeguards

Where Personal Data is transferred from the European Economic Area (“EEA”), United Kingdom, Switzerland, or other jurisdictions requiring lawful transfer mechanisms to a country not recognized as providing an adequate level of data protection, Locktera shall implement appropriate safeguards, which may include:

(a) execution of the Standard Contractual Clauses adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914, as amended or replaced;

(b) execution of the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or other legally recognized transfer mechanism;

(c) transfer to jurisdictions subject to an adequacy decision issued by the European Commission, UK authorities, or applicable regulatory authority;

(d) other lawful transfer mechanisms recognized under applicable Data Protection Laws.

The SCCs are hereby incorporated by reference into this DPA and shall apply where required by applicable Data Protection Laws.

10.4 Subprocessor Transfers

Locktera shall ensure that any Subprocessors processing Personal Data outside of Customer’s jurisdiction are subject to appropriate transfer safeguards consistent with this Section.

Locktera shall ensure that such Subprocessors are bound by contractual obligations providing protections no less protective than those set forth in this DPA.

10.5 Government Access Requests

Locktera shall implement reasonable technical and organizational measures designed to protect Personal Data from unlawful or disproportionate governmental access.

To the extent legally permitted, Locktera shall notify Customer of legally binding requests for access to Personal Data by governmental authorities.

Locktera shall challenge such requests where reasonable and legally permissible.

10.6 Continued Protection of Personal Data

Locktera shall ensure that Personal Data transferred internationally remains subject to the protections set forth in this DPA, regardless of the jurisdiction in which such Personal Data is processed.

11. STANDARD CONTRACTUAL CLAUSES

To the extent that Locktera processes Personal Data subject to Data Protection Laws that require appropriate safeguards for international data transfers, including the GDPR or UK GDPR, and such processing involves a Restricted Transfer, the Standard Contractual Clauses adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914 (“Standard Contractual Clauses” or “SCCs”), set forth in Appendix I are hereby incorporated by reference into and form part of this DPA.

For purposes of the SCCs:

(a) Customer shall act as the Data Exporter (Controller); and
(b) Locktera shall act as the Data Importer (Processor).

The SCCs shall apply under Module Two (Controller to Processor).

The SCCs shall apply solely to the extent required by applicable Data Protection Laws and only with respect to Restricted Transfers of Personal Data.

In the event of any conflict between the SCCs and this DPA or the Agreement, the SCCs shall control solely to the extent required by applicable Data Protection Laws.

12. AUDIT RIGHTS

12.1 Compliance Documentation

Locktera shall make available to Customer, upon written request and subject to reasonable confidentiality obligations, information reasonably necessary to demonstrate Locktera’s compliance with this DPA and applicable Data Protection Laws.

Such information may include, where available:

(a) security and compliance documentation;

(b) summaries of Locktera’s technical and organizational security measures;

(c) independent third-party audit reports or certifications, such as SOC 2 reports or equivalent;

(d) other relevant compliance documentation reasonably necessary to demonstrate Locktera’s data protection and security practices.

12.2 Independent Third-Party Audits

Locktera may satisfy Customer’s audit and inspection rights by providing current independent third-party audit reports and certifications, where available.

Customer agrees that such independent third-party audit reports may be used to verify Locktera’s compliance in lieu of direct infrastructure access.

12.3 Restrictions on Direct Audits

Customer shall not conduct, and shall not permit any third party to conduct, penetration testing, vulnerability scanning, or security testing of Locktera systems, infrastructure, or Services without Locktera’s prior written consent.

Any approved audit shall:

(a) be conducted during normal business hours;

(b) be limited in scope to compliance with this DPA;

(c) be conducted in a manner that does not disrupt Locktera’s systems or Services;

(d) be subject to reasonable confidentiality and security restrictions.

Locktera may object to any auditor that, in Locktera’s reasonable opinion, is not suitably qualified or is a competitor of Locktera.

Customer shall provide at least thirty (30) days’ prior written notice of any requested audit.

Customer may conduct audits no more than once annually, unless required by applicable Data Protection Laws.

12.4 Protection of Confidential and Sensitive Information

Nothing in this DPA shall require Locktera to disclose information that would:

(a) compromise the security of Locktera’s systems or Services;

(b) compromise the security of other customers;

(c) disclose confidential security architecture, cryptographic container architecture, cryptographic implementation details, or proprietary technology;

(d) violate applicable law or contractual confidentiality obligations.

12.5 Audit Costs

Customer shall bear its own costs associated with any audit.

If Customer requests an audit that requires substantial Locktera personnel time or resources, Locktera may charge reasonable fees for such assistance.

12.6 No Direct Infrastructure Access

Customer shall not be granted access to Locktera production systems, infrastructure environments, source code, cryptographic key management systems, or other sensitive security environments.

Locktera’s provision of independent audit reports, certifications, and security documentation shall satisfy Locktera’s audit obligations under this DPA, unless otherwise required by applicable law.

13. CONFIDENTIALITY

13.1 Personnel Confidentiality Obligations

Locktera shall ensure that all personnel authorized to process Personal Data:

(a) are subject to appropriate confidentiality obligations, whether contractual, statutory, or professional;

(b) are bound by written confidentiality agreements or obligations prior to accessing Personal Data;

(c) receive appropriate training regarding the secure handling and protection of Personal Data;

(d) access Personal Data only as necessary to perform their authorized job functions in connection with providing the Services.

13.2 Access Restrictions

Locktera shall implement reasonable measures designed to limit access to Personal Data to authorized personnel who have a legitimate business need for such access and who are granted access under the principle of least privilege.

Locktera shall ensure that such personnel process Personal Data only in accordance with this DPA, the Agreement, and applicable Data Protection Laws.

13.3 Continuing Obligations

Confidentiality obligations shall survive termination of the employment, contractor engagement, or other relationship between Locktera and its personnel, and shall survive termination or expiration of the Agreement and this DPA.

14. CCPA / CPRA PROVISIONS

14.1 Service Provider and Contractor Status

For purposes of the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), Locktera acts as a “Service Provider” and “Contractor” with respect to Personal Data processed on behalf of Customer.

Locktera acknowledges that Personal Data is disclosed to Locktera solely for the limited and specified purposes of providing the Services.

14.2 Restrictions on Use of Personal Data

Locktera shall not:

(a) sell Personal Data;

(b) share Personal Data for cross-context behavioral advertising;

(c) retain, use, or disclose Personal Data for any purpose other than providing the Services, except as permitted by applicable Data Protection Laws;

(d) retain, use, or disclose Personal Data outside of the direct business relationship between Locktera and Customer;

(e) use Personal Data for its own commercial purposes.

14.3 Restrictions on Combining Data

Locktera shall not combine Personal Data received from Customer with Personal Data received from other sources, except as necessary to provide, secure, or maintain the Services or as permitted under applicable Data Protection Laws.

14.4 Compliance with CCPA / CPRA

Locktera shall:

(a) comply with applicable obligations under the CCPA and CPRA applicable to Service Providers and Contractors;

(b) provide the same level of protection for Personal Data as required under the CCPA and CPRA;

(c) notify Customer if Locktera determines it can no longer meet its obligations under applicable Data Protection Laws;

(d) cooperate with Customer to enable Customer to comply with its obligations under applicable Data Protection Laws.

14.5 Customer Rights to Take Reasonable Steps

Customer shall have the right, upon reasonable notice, to take reasonable and appropriate steps to verify that Locktera uses and processes Personal Data in a manner consistent with Customer’s obligations under applicable Data Protection Laws.

15. LIMITATION OF LIABILITY

This DPA is subject to the limitation of liability, exclusions, and indemnification provisions set forth in the Agreement.

For clarity:

(a) Any claims arising out of or relating to this DPA shall be subject to the liability caps and exclusions set forth in the Agreement.

(b) Nothing in this DPA shall expand either party’s liability beyond the limitations set forth in the Agreement, except to the extent such limitation is not permitted by applicable Data Protection Laws.

(c) Where applicable Data Protection Laws impose mandatory liability that cannot be contractually limited, such liability shall apply only to the minimum extent required to comply with such applicable law.

16. ORDER OF PRECEDENCE

In the event of any conflict, inconsistency, or ambiguity between the provisions of this DPA and the Agreement:

(a) This DPA shall control with respect to the processing of Personal Data and the parties’ data protection obligations;

(b) The Agreement shall govern all other matters not relating to Personal Data processing.

Where Standard Contractual Clauses or other legally required transfer mechanisms apply, such clauses shall prevail over conflicting provisions solely to the extent required by applicable Data Protection Laws.

17. TERM

This DPA shall remain in effect for the duration of the Agreement and for as long as Locktera Processes Personal Data on behalf of Customer.

Termination or expiration of the Agreement shall not relieve either party of obligations under this DPA that, by their nature, are intended to survive termination, including obligations relating to confidentiality, security, deletion, and international data transfers.

18. GOVERNING LAW

Except where applicable Data Protection Laws or the Standard Contractual Clauses require otherwise, this DPA shall be governed by and construed in accordance with the laws of the State of Texas, without regard to conflict of law principles.

Where Standard Contractual Clauses or other mandatory transfer mechanisms apply, the governing law specified therein shall apply solely for purposes of those clauses as required by applicable law.

19. ACCEPTANCE

This DPA is incorporated into and forms an integral part of the Agreement governing Customer’s use of the Services.

By executing an Order Form, accessing or using the Services, or otherwise agreeing to the Agreement, Customer agrees to be bound by the terms of this DPA.

If Customer enters into a separate written agreement with Locktera governing the Services, this DPA shall apply to the Processing of Personal Data under such agreement unless the parties expressly agree to a separate data processing addendum in writing.

APPENDIX I

STANDARD CONTRACTUAL CLAUSES

(Controller to Processor — Module Two)

This Appendix forms part of and is incorporated into the Locktera Data Processing Addendum (“DPA”).

These Clauses incorporate the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller to Processor).

The Standard Contractual Clauses are incorporated by reference and form part of this Appendix.

These Clauses apply where Personal Data is transferred from Customer to Locktera in jurisdictions requiring appropriate safeguards under applicable Data Protection Laws, including the GDPR and UK GDPR.

SCC CLAUSE ELECTIONS

For purposes of the Standard Contractual Clauses:

Clause 7 (Docking Clause) shall apply to permit additional parties to accede to the Standard Contractual Clauses.

Clause 9 (Use of Subprocessors): Option 2 (General Written Authorization) shall apply, and the time period for Customer to object to a new Subprocessor shall be thirty (30) days from notice.

Clause 17 (Governing Law): The governing law shall be the law of Ireland, which permits third-party beneficiary rights.

Clause 18 (Forum and Jurisdiction): The courts of Ireland shall have jurisdiction.

These Clauses apply solely to the extent that Personal Data originating in the European Economic Area, United Kingdom, or Switzerland is transferred to Locktera in a jurisdiction that does not provide an adequate level of data protection as determined by applicable Data Protection Laws (“Restricted Transfer”).

ANNEX I — DETAILS OF PROCESSING

1. LIST OF PARTIES

Data Exporter (Controller)

Name:
Customer, as defined in the Agreement.

Address:
Customer’s address as provided in Customer’s account registration, Order Form, or Agreement.

Contact Person:
Customer’s designated contact person or account administrator.

Activities relevant to the data transferred:
Use of Locktera Services for secure encryption, containerization, storage, access control enforcement, and processing of Customer Data.

Role:
Controller

Signature and date:
Deemed executed electronically upon Customer’s acceptance of the Agreement.

Data Importer (Processor)

Name:
Locktera, Inc.

Address:
Locktera, Inc.
Dallas, Texas, United States

Contact Person:
Legal Department
legal@locktera.com
https://locktera.com

Activities relevant to the data transferred:
Provision of cryptographic container services, encryption services, access authorization services, audit logging, secure storage, and related infrastructure and support services.

Role:
Processor

Signature and date:
Accepted electronically through execution of the Agreement.

2. DESCRIPTION OF TRANSFER

Categories of Data Subjects

Personal Data transferred may concern the following categories of data subjects:

  • Customer employees
  • Customer contractors
  • Customer end users
  • Customer clients and customers
  • Authorized users of Customer applications
  • Individuals whose Personal Data is contained within Customer Data
  • Any other individuals whose Personal Data Customer submits to the Services

Categories of Personal Data

Personal Data transferred may include, but is not limited to:

  • Name
  • Email address
  • Username and authentication identifiers
  • Account information
  • Contact information
  • Files, documents, images, videos, and other digital content submitted by Customer
  • Metadata associated with encrypted containers
  • Access authorization records
  • Audit logs
  • Technical identifiers (such as IP addresses)
  • Any other Personal Data submitted by Customer through the Services

Locktera does not independently determine the categories of Personal Data submitted.

Special Data

Special categories of Personal Data (as defined under applicable Data Protection Laws) may be processed where submitted by Customer.

Customer is solely responsible for determining whether sensitive Personal Data is processed using the Services.

Locktera processes such data solely as instructed by Customer.

Appropriate technical and organizational safeguards, including encryption and access controls, are applied.

Frequency of Transfer

Personal Data is transferred on a continuous basis, as determined by Customer’s use of the Services.

Nature of Processing

Processing operations include:

  • encryption of Customer Data;
  • containerization of Customer Data into cryptographic containers;
  • secure storage and transmission;
  • cryptographic enforcement of access policies;
  • authorization validation;
  • audit logging;
  • authentication;
  • system operation and maintenance;
  • technical support and troubleshooting;
  • infrastructure and security monitoring.

Purpose of Processing

Personal Data is processed solely to:

  • provide the Services;
  • enforce access control policies cryptographically;
  • secure Customer Data;
  • maintain and operate the Services;
  • provide customer support;
  • comply with applicable legal obligations.

Locktera does not sell Personal Data or use Personal Data for advertising.

Duration of Processing

Personal Data shall be processed for the duration of the Agreement and until deletion in accordance with Customer instructions or the DPA.

Upon termination of the Services or upon Customer’s written request, Locktera shall delete or return Personal Data in accordance with Clause 8.5 of the Standard Contractual Clauses, unless retention is required by applicable law.

3. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses.

Where applicable, the supervisory authority shall be the authority in the EU Member State where the Customer acting as Data Exporter is established.

ANNEX II — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Locktera implements technical and organizational measures designed to ensure an appropriate level of security, including:

Encryption and Cryptographic Protection

  • Encryption of Personal Data in transit using industry-standard cryptographic protocols
  • Encryption of Personal Data at rest
  • Cryptographic container architecture enforcing access authorization
  • Secure cryptographic key generation, storage, rotation, and management systems
  • Cryptographic access control enforcement mechanisms

Access Controls

  • Role-based access controls
  • Authentication and authorization systems
  • Access restriction to authorized personnel
  • Credential management safeguards

Infrastructure Security

  • Secure cloud infrastructure
  • Network security controls
  • Firewalls and network segmentation
  • Intrusion detection and prevention mechanisms
  • Physical security controls implemented by underlying cloud infrastructure providers

Monitoring and Logging

  • Audit logging of access and processing activity
  • Continuous security monitoring of systems and infrastructure
  • Event logging and analysis
  • Detection of unauthorized access attempts

Organizational Security

  • Personnel confidentiality obligations
  • Security training and awareness
  • Access restriction based on least privilege principles
  • Internal security policies and procedures
  • Background screening of personnel, where permitted by law
  • Access to Personal Data limited to authorized personnel with a business need-to-know
  • Personnel subject to written confidentiality obligations
  • Periodic review of access rights

Availability and Resilience

  • Infrastructure redundancy
  • Backup and recovery procedures
  • Disaster recovery mechanisms
  • Service continuity protections

Incident Response

  • Documented incident response procedures;
  • Designated security response personnel;
  • Defined escalation and reporting procedures;
  • Root cause analysis and remediation processes;
  • Testing of incident response procedures.

Security Testing and Evaluation

  • Periodic security risk assessments;
  • Vulnerability management processes;
  • Security patch management;
  • Regular evaluation of effectiveness of technical and organizational measures.

Data Minimization & Pseudonymization Reference

  • Processing limited to data necessary to provide the Services;
  • Logical and cryptographic separation of customer environments in multi-tenant infrastructure;
  • Where appropriate and technically feasible, pseudonymization techniques.

Government Access Requests

  • Review of governmental access requests for legality;
  • Disclosure only where legally required;
  • Disclosure limited to the minimum data required;
  • Challenge of overbroad or unlawful requests where legally permitted.

Authorization Enforcement Architecture

Locktera’s cryptographic container architecture enforces access policies through cryptographic authorization mechanisms.

Access to Personal Data requires valid authorization credentials issued in accordance with Customer-defined cryptographic access policies.

The measures described in this Annex are designed to ensure a level of security appropriate to the risk of the Processing of Personal Data in accordance with Article 32 of the GDPR and Clause 8.6 of the Standard Contractual Clauses.

ANNEX III — LIST OF SUBPROCESSORS

Locktera may engage Subprocessors to support the provision of the Services in accordance with Section 6 of the DPA.

Subprocessors may include, but are not limited to:

  • Cloud infrastructure providers
  • Hosting providers
  • Security monitoring providers
  • Support service providers

Locktera maintains a current list of Subprocessors at:

https://locktera.com/legal/subprocessors

Locktera shall ensure that each Subprocessor is bound by written contractual obligations that provide a level of data protection no less protective than those set forth in this DPA and the Standard Contractual Clauses.

APPENDIX ACCEPTANCE

This Appendix forms part of the Locktera Data Processing Addendum.

Execution of the Agreement constitutes acceptance of this Appendix and incorporation of the Standard Contractual Clauses where applicable.