
Data Processing Addendum

This Data Protection Addendum (“Addendum”) amends and forms part of the Master License and Services Agreement between the contracting party identified on the Order Form (“Client”) and Tractian Technologies Inc. (“Tractian”) (the “Agreement”). Client and Tractian are individually referred to as a Party and collectively as the Parties. In the event of a conflict between the Agreement and this Addendum, the more stringent terms shall govern. All capitalized terms not specifically defined in this Addendum shall be read to have the meaning given to those terms in the Agreement. In consideration of the mutual obligations set forth herein, the Parties hereby agree that the terms and conditions set forth below shall be added as an Addendum to the Agreement.

1. Definitions

1.1. “Applicable Data Protection Law(s)” means all international, federal, state, local, and provincial data privacy and security laws and regulations applicable to the Processing of Personal Information, including but not limited to U.S. Omnibus Privacy Laws, Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), and the GDPR, inclusive of all applicable implementing regulations, as adopted.

1.2. “Business Purpose(s)” shall have the same meaning as “business purpose” under any Applicable Data Protection Laws.

1.3. “CCPA” means the California Consumer Privacy Act of 2018, Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, as amended, and all applicable regulations related thereto.

1.4. “Client Data” means any data provided by Client to Tractian in connection with the Services or Business Purpose, including any Personal Information contained therein.

1.5. “Controller” shall have the same meaning as “controller” or “business” under any Applicable Data Protection Laws.

1.6. “Data Security Incident” means actual unauthorized access to, destruction of, loss of, alteration of, exfiltration of, theft of, or disclosure of Personal Information transmitted, collected, stored, controlled, or otherwise in the possession of Tractian and used for Processing under the Agreement and this Addendum.

1.7. “Data Subject” shall have the same meaning as “data subject” or “consumer” under any Applicable Data Protection Laws.

1.8. “De-Identified Data” shall have the same meaning as “de-identified data,” “deidentified data,” “deidentified information” and other similar terms under Applicable Data Protection Laws.

1.9. “EU-SCCs” has the meaning set forth in Section 8.2.1.

1.10. “GDPR” means the EU General Data Protection Regulation 2016/679 with respect to Data Subjects in the European Economic Area, the Federal Data Protection Act with respect to Data Subjects in Switzerland, and the Data Protection Act 2018 with respect to Data Subjects in the United Kingdom.

1.11. “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject and includes “personal information”, “personal data”, or similarly defined terms under Applicable Data Protection Laws.

1.12. “Process,” “Processed,” or “Processing” means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, automated or manual, including, but not limited to, the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.13. “Processor” shall have the same meaning as “processor”, “service provider”, “contractor”, or non “third party” under any Applicable Data Protection Laws.

1.14. “Sale”, “Sell”, and “Share” shall have the same meaning as “sale”, “sell”, and “share” under any Applicable Data Protection Laws.

1.15. “SCC” means the EU-SCCs, the UK-SCCs, or the standard contractual clause mechanism related to Switzerland as provided in this Addendum, in each case as applicable.

1.16. “Services” shall mean the services provided by Tractian to Client pursuant to the Agreement.

1.17. “Sub-Processor” means any person (including any third party, but excluding an employee of Tractian) appointed on behalf of Tractian to Process Personal Information.

1.18. “UK-SCCs” has the meaning set forth in Section 8.2.3.

1.19. “U.S. Omnibus Privacy Laws” shall mean, where applicable, any applicable U.S. privacy law, including the CCPA, Colorado Privacy Act, Connecticut Data Privacy Act, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Montana Consumer Data Privacy Act, New Hampshire Consumer Data Privacy Act, New Jersey Consumer Data Privacy Act, Oregon Consumer Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, and all applicable regulations.

2. Services Provided / Scope of Addendum

2.1. In the course of providing Services to Client, Tractian may be asked from time to time by Client, or on Client’s behalf, to Process Personal Information. Personal Information may be provided to Tractian from Client, Client’s affiliates or partners, Client’s clients or other third parties on Client’s behalf for the limited and specific Business Purposes set forth in the Agreement between Tractian and Client. 

2.2. Each Party shall comply with requirements set out in Applicable Data Protection Law for processing Deidentified data, including by:  

i. Not attempting to re-identify any such data, except that a Party may attempt to re-identify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of Applicable Data Protection Law; 

ii. Using Security and Privacy Controls to prevent any re-identification or re-association of any such data;  

iii. Publicly committing both to maintain and use the Deidentified data in de-identified form and not to attempt to re-identify any such data. 

3. Roles of the Parties

3.1. In the course of providing Services to Client, Tractian may be asked from time to time by Client, or on Client’s behalf, to Process Personal Information. Personal Information may be provided to Tractian from Client, Client’s affiliates or partners, or other third parties on Client’s behalf for the limited and specific purposes set forth in the Agreement.  

3.2. The Parties acknowledge and agree that Client will either operate as a Controller or main Processor for Personal Information provided or made available to Tractian under this Agreement, and Tractian in all cases will operate as a Processor to Client or as a Sub-Processor to Client. Client is and will at all relevant times remain duly and effectively authorized to give instructions to Tractian concerning the Processing of Personal Information pursuant to the Agreement and this Addendum. Tractian expressly agrees to follow the instructions of Client when Processing Personal Information, which shall include the required processing to provide the Services.

4. Data Protection Law Compliance

4.1. Tractian agrees to comply with all Applicable Data Protection Laws as it relates to its Processing of Personal Information under the Agreement and this Addendum. For the avoidance of doubt, and to the extent applicable, Tractian agrees to comply with all applicable obligations under the CCPA and provide the same level of privacy protections to applicable Personal Information as required under the CCPA.

4.2. Tractian must promptly and without undue delay notify Client of its inability to meet its obligations under Applicable Data Protection Laws.

4.3. Client shall have the right to take reasonable and appropriate steps to ensure that Tractian and any Sub-Processor is treating Personal Information consistent with Client’s obligations under Applicable Data Protection Laws. Upon reasonable written notice, Client shall be permitted to take reasonable and appropriate steps to stop and remediate any unauthorized or unlawful Processing of Personal Information. 

5. Processing of Personal Information

5.1. Instructions

5.1.1. Tractian shall only Process Personal Information for the purpose of carrying out the Business Purposes set forth in the Agreement and in accordance with Client’s documented instructions. The type of Personal Information processed by Tractian is listed in Schedule 1 of this Addendum. 

5.1.2. Client hereby instructs Tractian to Process Personal Information in accordance with the Agreement and this Addendum in order to carry out the stated Business Purposes, and to comply with all documented instructions provided by Client where such instructions are consistent with the terms of the Agreement, this Addendum, and Applicable Data Protection Laws.

5.1.3. To the extent Tractian considers an instruction from Client to infringe upon any Applicable Data Protection Laws, Tractian shall immediately notify Client of the same.

5.2. Details of Processing and Express Processing Limitations

5.2.1. Details of processing required under Applicable Data Protection Laws, including the categories of Data Subjects and Personal Data, the nature of the Processing, and the purpose for the Processing, are provided in Annex 1 of this Addendum.

5.2.2. The Parties agree that any transfer, disclosure, or making available of Personal Information by Client to Tractian under the Agreement and this Addendum is not intended to be a Sale or Sharing of Personal Information.

5.2.3. Tractian is prohibited from Selling or Sharing Personal Information it receives or has access to under the Agreement and this Addendum. Tractian is further prohibited from retaining, using, disclosing, or sharing Personal Information it receives from Client for any purpose other than to perform the Services and to carry out the Business Purposes.

5.2.4. Tractian is prohibited from combining any Personal Information it receives or has access to under the Agreement and this Addendum with any other Personal Information received from third-party sources, or collected directly from individuals. Notwithstanding this restriction, Tractian may combine Personal Information with other forms of Personal Information if Tractian is required to do so in order to perform the Services under the Agreement and fulfill the Business Purposes set forth in the Agreement.

5.2.5. Tractian certifies it understands and will comply with the restrictions set forth in this section.

5.3. Sub-Processors

5.3.1. Tractian may engage Sub-Processors in connection with the provision of the Services, including but not limited to for the Processing of Personal Information. Tractian has or shall enter into an agreement with each Sub-Processor containing obligations no less protective than those in this Addendum.

5.3.2. To the extent required by an Applicable Data Protection Law, Vendor shall inform the Client of any intended changes concerning the addition or replacement of other processors, thereby giving the Client the opportunity to reasonably object to such change. In the event Client objects to the change, the parties shall cooperate to seek a resolution without the use of the respective Sub-Processor rejected by Client.

6. Personnel

6.1. Tractian agrees to take all reasonable steps to ensure that persons authorized to Process Personal Information under the Agreement and this Addendum: (i) are bound by appropriate contractual obligations or are under appropriate obligations of confidentiality; and (ii) Process Personal Information only upon the instructions of Client, unless otherwise required under Applicable Data Protection Laws.

7. Security Measures

7.1. Tractian will maintain and enforce appropriate administrative, technical, and physical safeguards to prevent the unauthorized access, acquisition or disclosure, destruction, alteration, accidental loss, misuse, or damage of Client Data. 

7.2. Tractian will not retain any Client Data for any period longer than necessary for Tractian to fulfill its obligations under this Agreement. Except where retention is required or permitted under Applicable Data Protection Laws, as soon as Tractian no longer needs to retain such Client Data in order to perform its duties under this Agreement, Tractian will promptly return or destroy or erase all originals and copies of such Client Data.

8. International Data Transfers

8.1. Data Transfer Obligations. Tractian may access and Process Personal Information on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Personal Information may be transferred to and Processed in the United States and to other jurisdictions where Tractian’s Sub-Processors have operations. Wherever Personal Information is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

8.2. Standard Contractual Clauses

8.2.1. EEA Transfers. If Client transfers Personal Information originating in the European Economic Area (EEA) to Tractian in a country that has not been found to provide an adequate level of protection under Applicable Data Protection Laws, the Parties agree that the transfer shall be governed by the SCCs promulgated by Commission Implementing Decision (EU) 2021/914, Module Two (Transfer Controller to Processor), as can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (“EU-SCCs”), subject to the following modifications:

(a) Client is the “data exporter” and Tractian is the “data importer”; 

(b) the Module Two terms apply to the extent Tractian is also a Controller and the Module Three terms apply to the extent Client is a Processor;

(c) in Clause 7, the optional docking clause applies; 

(d) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of this DPA; 

(e) in Clause 11, the optional language is deleted; 

(f) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the EU-SCCs will be determined in accordance with the governing law section in the Agreement, or, if such section does not specify an EU Member State, the Republic of Ireland; 

(g) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in this DPA; 

(h) the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR; and 

(i) if and to the extent the EU-SCCs conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.

8.2.2. Switzerland Transfers. If Client transfers Personal Information originating in Switzerland to Tractian in a country that has not been found to provide an adequate level of protection under Applicable Data Protection Laws, the Parties agree that the transfer shall be governed by the EU-SCCs, as amended as follows: a new Clause 1(e) is added to the EU-SCCs which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the parties’ processing of personal data that is subject to the applicable data protection laws of Switzerland. Where applicable, (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss Federal Data Protection Act and its Ordinance; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with the "Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".”

8.2.3. UK Transfers. To the extent the Applicable Data Protection Laws apply to the transfer of Personal Information from the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of such Applicable Data Protection Laws, Tractian and Client hereby incorporate the unmodified Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 and attached as Schedule 2 (“UK-SCCs”). The UK-SCCs, as applicable, will be incorporated by reference and form part of the Agreement as follows:

(a) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; 

(b) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and 

(c) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

9. Data Security Incident

9.1. Tractian will promptly notify Client in writing of any Security Incident. For avoidance of doubt, the parties acknowledge that Tractian is not required to provide notice to Client for pings, broadcast attacks on firewalls, port scans, unsuccessful logon attempts, probes, and reconnaissance scans that do not result in unauthorized access, use, or disclosure of Client Data. Tractian will provide Client with information concerning the Security Incident upon reasonable written request by Client, and subject to applicable law and protections. 

10. Data Protection Impact Assessment

10.1. Upon reasonable written request, Tractian shall provide full and prompt cooperation with and assistance to Client with respect to any legal obligation in connection with Processing of Personal Information, including but not limited to, Client’s undertaking of any data protection impact assessments as required under the Applicable Data Protection Laws. 

11. Audit

11.1. Audit Right. Tractian shall maintain a written record of all Processing of Personal Information carried out on behalf of Client under this Addendum and shall allow for, and contribute to, reasonable audits and inspections by Client or the Client’s designated auditor to demonstrate Tractian’s compliance with this Addendum, once per year unless otherwise required under Applicable Data Protection Laws.  

11.2. Audit Costs. Client shall be fully responsible for any costs and/or fees associated with any auditor appointed by Client to execute an audit under this section.

11.3. Audit Results. Client shall promptly notify Tractian, and no later than fourteen (14) calendar days following the close of an audit under this section, about any alleged non-compliance with the Agreement and/or this Addendum discovered during the course of the audit.

11.4. Alternative Third-Party Certifications. If the requested audit scope is addressed in a third-party audit or certification of Tractian’s privacy and security controls reasonably acceptable to Client (“Third Party Audit”) issued within the prior twelve (12) months and Tractian provides such report to Client confirming there are no known material changes in the controls audited, then Client agrees to accept the findings presented in the Third Party Audit in lieu of requesting an audit of the same controls covered by the Third Party Audit. Any Third Party Audit shall constitute confidential information consistent with the Agreement and this Addendum.

11.5. Audit Limitations. (i) audits may only be conducted upon reasonable prior written notice; (ii) the scope of audits must be limited to what is necessary to verify compliance with this Addendum; (iii) audits shall take place exclusively during the Vendor’s normal business hours and in a manner that does not unreasonably interfere with its operations; and (iv) both the Client and any designated auditors shall be bound by appropriate confidentiality obligations. These limitations ensure predictability, mitigate operational impacts, and maintain proportionality in the exercise of audit rights, thereby preserving the Vendor’s business continuity and operational security.

12. Data Subject Requests

12.1. Tractian agrees to reasonably cooperate with Client upon written request, to respond to any request by a Data Subject, to the extent and within the timeframes required under Applicable Data Protection Law(s). 

12.2. Tractian shall not respond directly to any request from a Data Subject relating to the exercise of data protection rights, except with Client’s prior written authorization or where required by Applicable Data Protection Laws.

13. Term and Termination

13.1. Upon Client’s request, at the latest, however, upon termination or expiration of the Agreement, Tractian shall, at the choice of Client, while respecting data protection and security measures, delete or return to Client all Client Data and delete all existing copies unless the laws of the country to which Tractian is subject require a longer retention period.

Annex 1 - Description of Transfer

Categories of Data Subjects whose Personal Data is Transferred

The Personal Data transferred concerns the following categories of Data Subjects:

  • Authorized employees, agents, contractors, or other personnel of the Client (who is a legal entity) that are designated to access and use the Tractian cloud-based platform;
  • Individuals acting on behalf of the Client in administrative, operational, or technical roles, including platform administrators and support contacts.

Such Data Subjects are registered exclusively in their professional capacity for purposes of enabling access to the Services under the Master Service Agreement (MSA).

Categories of Personal Data Transferred

The Personal Data transferred is limited to business contact information necessary for user identification, account management, and Service delivery, including:

  • Full name (first name and surname);
  • Corporate email address;
  • Corporate telephone or mobile number;
  • Account identifiers, authentication credentials, and role-based access information associated with the Tractian platform.

Tractian applies data minimization principles and does not require additional personal information beyond what is strictly necessary for contractual performance.

Sensitive Data transferred and applied restrictions or safeguards

No Special Categories of Personal Data (as defined in Article 9 GDPR), nor any sensitive personal data under the LGPD, are intended to be processed or transferred under this Agreement.

The Client shall not provide such data to Tractian. In the exceptional event that Special Categories of Personal Data are inadvertently included, Tractian will apply enhanced safeguards, including:

  • Restriction of access on a strict need-to-know basis;
  • Encryption in transit and at rest;
  • Incident response and containment procedures;
  • Prompt notification to the Client where required under applicable law.

Frequency of the transfer

Transfers occur on an ongoing and continuous basis, as necessary to provide the Services, including:

  • Initial user registration and onboarding;
  • Ongoing platform access, authentication, and authorization;
  • Service management, technical support interactions, and operational communications;
  • System maintenance, monitoring, and security activities.

Transfers are limited to what is required for the secure and effective operation of the platform.

Nature of the Processing

The nature of the processing activities carried out by Tractian as Processor includes:

  • Collection, recording, structuring, and storage of Personal Data;
  • User account creation, authentication, and access control enforcement;
  • Hosting and processing within AWS cloud infrastructure;
  • Provision of technical support and Client service functions;
  • Implementation of security monitoring, audit logging, backup, and business continuity measures;
  • Compliance with contractual and legal obligations related to the provision of Services.

Processing is performed strictly in accordance with the Client's documented instructions and the terms of the Agreement.

Purpose of the transfer and further processing

The transfer and processing of Personal Data is carried out exclusively for the following purposes:

  • Performing Tractian’s obligations and delivering the Services under the Master Service Agreement (MSA);
  • Enabling Client-authorized users to securely access and administer the platform;
  • Providing operational communications and technical support requested by the Client;
  • Maintaining the security, integrity, availability, and resilience of the Services.

Tractian does not process Personal Data for advertising, profiling, or any independent commercial purposes, and does not sell Personal Data as defined under applicable U.S. privacy laws.

Period for which Personal Data will be retained

Personal Data will be retained only for the minimum period necessary to fulfill the purposes set out in this Annex, namely the provision of the Services under the Master Service Agreement (MSA), and in accordance with applicable data protection laws, including the GDPR, LGPD, and relevant U.S. privacy regulations.

Tractian shall process and store Personal Data for the duration of the contractual relationship with the Client, unless:

  • a longer retention period is required to comply with applicable legal, regulatory, accounting, or contractual obligations; or
  • the data must be retained for the establishment, exercise, or defense of legal claims.

Upon termination or expiration of the Services, Tractian will, at the Client's choice and in accordance with the terms of the Agreement, delete or return all Personal Data within a reasonable period, unless continued storage is required by applicable law.

Any retained Personal Data will remain subject to the safeguards and security measures set forth in this Addendum until deletion.

Annex 2 - Security Measures

We currently implement the following Security Measures:

a) Access Control

Access to Tractian’s systems and the Platform is restricted to authorized personnel on a need-to-know basis, following least-privilege and role-based access control. Authentication is enforced with strong password requirements and multi-factor authentication (MFA) where applicable, with access provisioning/deprovisioning tied to HR/IT processes. Administrative access to production environments is limited and logged; access reviews are performed periodically. Segregation of duties is applied where feasible, and Client data access by support personnel is limited to the minimum required to provide support and fulfill contractual obligations.

b) Transmission Control

Data transmitted between users, Client environments, and Tractian services is protected using industry-standard encryption in transit (e.g., TLS/HTTPS). Secure channels are used for API communications and integrations. Network protections (such as security groups/firewall rules and segmentation) are applied to reduce exposure and restrict inbound/outbound traffic to required services only. Connections and relevant security events are monitored and logged to support detection and response.

c) Input Control

Tractian implements controls to ensure that data is entered, modified, and deleted only by authorized users and systems. Application-level authorization checks and validation are used to reduce unauthorized or incorrect input. Logging and audit trails are maintained for security-relevant actions (such as authentication events and privileged operations) to support traceability and investigations. Changes to production systems follow change management practices (including review and testing) to reduce the risk of unauthorized or unintended data alterations.

d) Availability Control

Tractian operates the Platform in AWS and applies measures to maintain service availability, including redundancy, monitoring, alerting, and capacity management. Backup and recovery processes are implemented to support restoration of systems and data in case of incidents. The infrastructure is designed to support fault tolerance within the selected AWS region, and incident response processes are in place to detect, respond to, and remediate availability-impacting events. Access to availability-impacting administration functions is restricted and logged.

Annex 3 - Sub-Processors

A current list of our sub-processors can be found at https://trust.tractian.com/subprocessors.
