End User License Agreement

Gatekeeper Beta - Station 70, Inc.
Effective as of June 2026

Please read this End User License Agreement ("EULA") carefully before using the Gatekeeper Beta Service offered by Station 70, Inc. ("Station70"). By accepting this EULA, clicking a box indicating acceptance, or otherwise accessing or using the Beta Solution (defined below), you ("Customer") agree to be bound by this EULA (together with Station70's Privacy Policy, and, to the extent applicable to Customer's processing of personal data, the Data Processing Addendum, each as may be updated or amended from time to time, which are hereby incorporated by reference, the "Agreement") to the exclusion of all other terms. If the terms of this Agreement are considered an offer, acceptance is expressly limited to such terms. If Customer does not agree to all of this Agreement, do not use or access the Beta Solution.

If the individual accepting this Agreement is accepting on behalf of a company or other legal entity, such individual represents that they have the authority to bind such entity and its affiliates to this Agreement, in which case the term "Customer" shall refer to such entity and its affiliates. If the individual accepting this Agreement does not have such authority, or does not agree with these terms and conditions, such individual must not accept this Agreement and may not use the Beta Solution.

Customer acknowledges that Gatekeeper is a pre-release beta offering provided for evaluation purposes only. The Beta Solution is provided without any service level commitments, may contain bugs, errors, or security vulnerabilities, and is not recommended for use with high-value, sensitive, or mission-critical accounts or data.

1. Beta Solution

Definition

Gatekeeper, Station70's pre-release policy-evaluated credential layer for autonomous AI agents, which intercepts tool calls and evaluates them against policy, securely injecting credentials inside a trusted execution environment before forwarding to downstream services. This prevents AI agents from accessing the underlying credentials and includes a human approval escrow mechanism for flagged actions, together with any related software, applications, and documentation.

License

Subject to Customer's compliance with this Agreement, Station70 grants Customer a nonexclusive, revocable, limited, nonsublicensable, nontransferable right and license to access and use the Beta Solution during the Beta Term (defined in Section 9) solely for the internal business purposes of evaluating the Beta Solution and providing Feedback to Station70, only as provided herein and only in accordance with Station70's applicable official user documentation.

Designated Environments

Customer shall use the Beta Solution only in connection with non-production, staging, or evaluation accounts and tenants by default. Customer shall not use the Beta Solution with production administrator, break-glass, or other high-privilege accounts without Station70's prior written consent. Customer is solely responsible for designating which of its accounts and tenants are connected to the Beta Solution and for limiting use to the designated scope.

Authorized Users

Customer may designate authorized users to access the Beta Solution through Customer's Gatekeeper account. Station70 may impose reasonable limits on the number of authorized users during the Beta Term, which limits will be communicated to Customer through the Gatekeeper product or by email. Customer shall maintain an accurate list of authorized users in its Gatekeeper account and shall promptly revoke access through the Gatekeeper account when access should no longer be granted.

User Responsibility

Customer shall be responsible for the acts or omissions of any person who accesses the Beta Solution using the access procedures provided to or created by Customer, including any authorized users with whom Customer shares access through the Beta Solution. Customer is solely responsible for determining which accounts and credentials it chooses to manage through the Beta Solution.

No Service Level Commitment

The Beta Solution is provided on an "as available" basis without any service level agreement, uptime commitment, or support obligation of any kind.

2. Beta Nature of the Service

Pre-Release Status

Customer acknowledges that the Beta Solution is pre-release, experimental, and under active development. The Beta Solution may be incomplete, unstable, may contain defects, errors, or security vulnerabilities, and may be modified, suspended, or discontinued in whole or in part by Station70 at any time, in its sole discretion, without notice or liability.

Not for Sensitive Accounts

Customer is strongly advised not to use the Beta Solution to manage credentials or authentication for accounts involving financial assets, sensitive personal data, regulated data, healthcare information, or any other high-risk or mission-critical account. Customer assumes all risk arising from its choice of accounts to use with the Beta Solution.

Backup Access

Customer is solely responsible for maintaining independent backup access (including recovery codes and alternative 2FA methods) for any account used with the Beta Solution. Station70 shall have no liability for lockouts, loss of access, or any other consequence resulting from Customer's reliance on the Beta Solution as a sole means of access.

Customer Security Contact

Customer shall designate, through its Gatekeeper account settings, a security contact for receipt of security-related notices and shall keep this designation current.

Vulnerability Reporting

Customer shall report any suspected security vulnerabilities in the Beta Solution to security@station70.com without undue delay and, in any event, within seventy-two (72) hours of discovery, and shall reasonably cooperate with Station70's investigation.

Incident Notification

Station70 shall notify Customer's designated security contact without undue delay of any confirmed security incident affecting Customer Data in the Beta Solution, and in any event within seventy-two (72) hours after Station70's confirmation of such incident.

3. Updates; Modifications

From time to time, Station70 may provide upgrades, patches, enhancements, or fixes for the Beta Solution ("Updates"), and such Updates will become part of the Beta Solution and subject to the terms of this Agreement; provided that Station70 shall have no obligation to provide any such Updates. Station70 reserves the right to modify, discontinue, or cease supporting any version or release of the Beta Solution at any time in its sole discretion, with or without notice.

4. Ownership; Feedback

Station70 IP

As between the parties, Station70 retains all right, title, and interest in and to the Beta Solution and all software, products, works, and other intellectual property and moral rights related thereto or created, used, or provided by Station70 for the purposes of this Agreement, including any copies and derivative works of the foregoing. No rights or licenses are granted except as expressly and unambiguously set forth in this Agreement.

Feedback

Customer acknowledges that providing Feedback (defined below) is a material purpose of this Agreement. All suggestions, comments, input, bug reports, test results, information, or other feedback provided by Customer to Station70 hereunder (collectively, "Feedback") will be the property of Station70, and Customer shall and hereby does assign any rights in such Feedback to Station70. Customer agrees to assist Station70 in obtaining intellectual property protection for such Feedback, as Station70 may reasonably request. Nothing in this Agreement will impair Station70's right to develop, acquire, license, market, promote, or distribute products, software, or technologies that perform the same or similar functions as, or otherwise compete with, any products, software, or technologies that Customer may develop, produce, market, or distribute.

Feedback Cadence

Customer agrees to provide good-faith Feedback on usability, performance, security, and fit-for-purpose through the channels Station70 makes available, which may include in-product feedback, scheduled review calls, shared messaging channels, or written reports as agreed between the parties.

5. Customer Data

Definition; Ownership

"Customer Data" means any data, information, credentials, authentication secrets, or other material provided, uploaded, submitted, or generated by Customer in the course of using the Beta Solution. Notwithstanding anything to the contrary, Customer shall retain all right, title, and interest in and to the Customer Data, including all intellectual property rights therein.

License to Station70

Customer hereby grants to Station70 a worldwide, non-exclusive, royalty-free license during the term of this Agreement to use, copy, access, process, reproduce, perform, display, modify, distribute, transmit, operate, maintain, and prepare derivative works of Customer Data solely for the purposes of providing the Beta Solution to Customer and related support, troubleshooting, and product improvement activities.

General Knowledge

Customer agrees that Station70 is free to disclose aggregate measures of usage and performance, and to reuse all general knowledge, experience, know-how, works, and technologies (including ideas, concepts, processes, and techniques) acquired during provision of the Beta Solution hereunder ("General Knowledge"), provided that Station70 shall not disclose General Knowledge in a manner that identifies Customer or its Confidential Information.

Data Residency

Customer Data will be processed in the United States and in such other jurisdictions where Station70 or its subprocessors operate.

Restricted Data

Customer shall not submit or expose any special categories of personal data (as defined under the GDPR or equivalent law), payment card data, protected health information, or other regulated data to the Beta Solution, except as expressly agreed in writing by Station70.

Personal Data Subject to GDPR

If Customer's use of the Beta Solution involves the Processing of Personal Data of Data Subjects in the European Economic Area, the United Kingdom, or Switzerland, or Personal Data otherwise subject to the EU GDPR, the UK GDPR, or the Swiss Federal Act on Data Protection, the Data Processing Addendum (the "DPA") is hereby incorporated into and forms part of this Agreement and shall apply to such Processing. In the event of any conflict between the DPA and this Agreement, the DPA shall prevail solely with respect to its subject matter.

6. Fees

The Beta Solution is provided to Customer without charge during the Beta Term. Station70 reserves the right, upon conclusion of the Beta Term or conversion of the Beta Solution to a generally available offering, to require payment of fees for continued use, which fees (if any) shall be set forth in a separate written agreement or order form executed by the parties. For the avoidance of doubt, no obligation to pay fees arises under this Agreement unless and until such a separate writing is executed.

7. Restrictions

Except as expressly set forth in this Agreement, Customer shall not (and shall not permit any third party to), directly or indirectly:

  1. sell or re-sell the Beta Solution to a third party;
  2. reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, or algorithms of the Beta Solution (except to the extent applicable laws specifically prohibit such restriction);
  3. modify, translate, or create derivative works based on the Beta Solution;
  4. copy, rent, lease, distribute, pledge, assign, or otherwise transfer or encumber rights to the Beta Solution;
  5. remove or otherwise alter any proprietary notices or labels from the Beta Solution or any portion thereof;
  6. use the Beta Solution to build an application, service, product, or other offering that is competitive with any Station70 product or service;
  7. interfere or attempt to interfere with the proper working of the Beta Solution or any activities conducted on the Beta Solution;
  8. bypass any measures Station70 may use to prevent or restrict access to the Beta Solution (or other accounts, computer systems, or networks connected to the Beta Solution);
  9. use the Beta Solution to access, share, or authenticate to any third-party account or service in violation of such third party's terms of service or any applicable law;
  10. publicly disclose any benchmarking, performance, or security testing results relating to the Beta Solution without Station70's prior written consent; or
  11. attempt to circumvent or defeat the policy evaluation, credential isolation (including the trusted execution environment), or human approval escrow mechanisms of the Beta Solution.

8. Third Party Services

Customer acknowledges and agrees that the Beta Solution operates on, with, or using application programming interfaces (APIs) and/or other services operated or provided by third parties ("Third Party Services"), including the third-party accounts and identity providers for which Customer shares credentials or authentication access through the Beta Solution. Station70 is not responsible for the operation of any Third Party Services nor the availability or operation of the Beta Solution to the extent such availability and operation is dependent upon Third Party Services. Customer is solely responsible for procuring any and all rights necessary for it to access Third Party Services and for complying with any applicable terms or conditions thereof. Station70 does not make any representations or warranties with respect to Third Party Services or any third party providers. Any exchange of data or other interaction between Customer and a third party provider is solely between Customer and such third party provider and is governed by such third party's terms and conditions.

9. Google API Services User Data

Station70's Gatekeeper product accesses Google user data through the Google OAuth 2.0 authorization framework. The following disclosures apply specifically to Google user data accessed via Gatekeeper.

  • What we access: Depending on the Google services you authorize, Gatekeeper may access data from Google Drive (files and metadata), Gmail (messages and metadata), and Google Calendar (events and metadata), as authorized by you at the time of OAuth consent.
  • How we use it: Google user data accessed through Gatekeeper is used solely to fulfill the specific actions you request — for example, reading a Drive file or sending a Gmail message on your behalf. We do not use Google user data to market Station70 products, serve advertisements, or for any purpose unrelated to the service you requested.
  • Storage: OAuth tokens (access tokens and refresh tokens) are stored in encrypted form and are used only to authenticate subsequent requests on your behalf.
  • Sharing: Google user data is not sold, transferred, or disclosed to third parties except as necessary to fulfill your requested action or as required by law. Google user data is never shared with advertising partners.
  • Prohibited uses: Station70 does not use Google user data for targeted advertising, AI model training, data brokering, or any other purpose prohibited by the Google API Services User Data Policy.
  • Retention and deletion: OAuth tokens are retained for as long as your account is active or until you revoke access. You may revoke Gatekeeper's access to your Google account at any time via Google's security settings.

Station70's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

10. Term and Termination

Beta Term

This Agreement commences on the date that Customer accepts this Agreement or first uses the Beta Solution, whichever comes first, and continues until the earlier of:

  1. termination by either party for any or no reason at any time, effective upon notice;
  2. Station70's general release of Gatekeeper as a commercial product; or
  3. Station70's discontinuation of the Beta Solution (the "Beta Term").

Effect of Termination

Upon termination or expiration, Customer's access to the Beta Solution shall immediately cease and all licenses granted to Customer hereunder shall immediately terminate. Customer shall, at Station70's option, return or destroy all copies of Station70 Confidential Information in its possession. Station70 may delete Customer Data from its systems following termination, and Customer is responsible for exporting or backing up any Customer Data it wishes to retain prior to termination. All terms of this Agreement which by their nature should survive termination shall survive, including, without limitation, ownership provisions, warranty disclaimers, indemnity, limitations of liability, and confidentiality.

11. Representations and Warranties

Customer represents and warrants to Station70 that:

  1. it is duly organized and validly existing under the laws of the jurisdiction in which it is organized (or, if an individual, is at least the age of majority in its jurisdiction);
  2. it has full power and authority, and has obtained all approvals, permissions, and consents necessary, to enter into this Agreement, to perform its obligations, and to grant the rights hereunder;
  3. this Agreement is legally binding upon it and enforceable in accordance with its terms;
  4. the execution, delivery, and performance of this Agreement does not and will not conflict with any agreement, instrument, judgment, or understanding, oral or written, to which it is a party or by which it may be bound;
  5. it shall use the Beta Solution in compliance with all applicable local, state, national, and foreign laws, treaties, and regulations in connection with Customer's use of the Beta Solution (including those related to data privacy, international communications, export laws, and the transmission of technical or personal data laws);
  6. it shall not use the Beta Solution in a manner that violates any third party intellectual property, contractual, or other proprietary rights;
  7. it has obtained all consents and authorizations from any authorized users or account holders whose credentials or authentication secrets it shares through the Beta Solution; and
  8. it is solely responsible for configuring all security policies, controls, and approval workflows within the Beta Solution and for ensuring such configurations are adequate for Customer's compliance and security requirements.

12. Confidentiality

Each party agrees that the business, technical, and financial information that is designated in writing as confidential, or is disclosed in a manner that a reasonable person would understand the confidentiality of the information disclosed, shall be the confidential property of the disclosing party and its licensors ("Confidential Information"). The Beta Solution itself, including its features, performance, and any related documentation, is Station70's Confidential Information. Confidential Information does not include information that:

  1. is previously rightfully known to the receiving party without restriction on disclosure,
  2. is or becomes known to the general public, through no act or omission on the part of the receiving party,
  3. is disclosed to the receiving party by a third party without breach of any separate nondisclosure obligation, or
  4. is independently developed by the receiving party.

Except as expressly and unambiguously allowed herein, the receiving party will hold in confidence and not use or disclose any Confidential Information and shall similarly bind its employees, consultants, and independent contractors. Upon the disclosing party's request, all of the Confidential Information (including any copies) will be returned to the disclosing party, and the receiving party will make no further use of such materials. If required by law, the receiving party may disclose Confidential Information of the disclosing party, but will give adequate prior notice of such disclosure to the disclosing party to permit the disclosing party to intervene and to request protective orders or other confidential treatment therefor. The parties acknowledge and agree that there can be no adequate remedy at law for any breach of such party's obligations under this Section, which breach may result in irreparable harm to the non-breaching party, and therefore, that upon any such breach or any threat thereof, the non-breaching party shall be entitled to appropriate equitable relief, without the requirement of posting a bond, in addition to whatever remedies it might have at law.

Confidentiality of Beta Participation

Without limiting the foregoing, Customer shall not publicly disclose its participation in the beta program, performance benchmarks, or security findings relating to the Beta Solution without Station70's prior written consent. Customer may disclose its participation on a need-to-know basis to its employees, affiliates, and professional advisors who are bound by confidentiality obligations at least as protective as those in this Agreement.

13. Indemnification

Customer shall defend, indemnify, and hold harmless Station70, its affiliates, and each of the foregoing entities' employees, agents, partners, contractors, directors, suppliers, and representatives from all liabilities, claims, and expenses paid or payable to an unaffiliated third party (including reasonable attorneys' fees) that arise from or relate to:

  1. Customer's use of the Beta Solution;
  2. Customer's violation of this Agreement;
  3. Customer's violation of any applicable law, rule, or regulation;
  4. Customer's violation of any other party's rights, including without limitation any privacy or intellectual property rights (including any claim of infringement or misappropriation of third-party intellectual property or proprietary rights relating to Customer's use of the Beta Solution);
  5. Customer's sharing of third-party credentials or authentication secrets through the Beta Solution in violation of the terms of service of any third-party account or service; or
  6. the Customer Data (except to the extent such claim would not have arisen but for Station70's use of the Customer Data in a manner not permitted under the Agreement).

14. Disclaimer

To the maximum extent permitted by applicable law, the Beta Solution and all related information, recommendations, technology, and services provided by or on behalf of Station70 are provided "as is" and "as available" and are without warranty of any kind, express or implied, including, but not limited to, the implied warranties of title, non-infringement, merchantability, accuracy, completeness, security, and fitness for a particular purpose, and any warranties implied by any course of performance, usage of trade, or course of dealing, all of which are expressly disclaimed. Without limiting the generality of the foregoing, Station70 does not warrant that:

  1. access to the Beta Solution will be uninterrupted, timely, or error free;
  2. the Beta Solution will meet Customer's needs or expectations;
  3. data or credentials will not be lost, corrupted, or exposed;
  4. the Beta Solution will prevent unauthorized access to Customer's third-party accounts; or
  5. the Beta Solution is free of viruses, vulnerabilities, or other harmful components.

Customer acknowledges that the Beta Solution has not been fully security-tested and uses it at its own risk.

15. Limitation of Liability

In no event shall Station70, its affiliates, or any of the foregoing entities' employees, agents, partners, contractors, directors, suppliers, or representatives be liable under contract, tort, strict liability, negligence, or any other legal or equitable theory with respect to the subject matter of this Agreement:

  1. for any lost profits, data loss, loss of access to any third-party account, cost of procurement of substitute goods or services, or special, indirect, incidental, punitive, or consequential damages of any kind whatsoever (however arising);
  2. for any bugs, viruses, trojan horses, or the like (regardless of the source of origination); or
  3. for any direct damages in excess of, in the aggregate, one hundred U.S. dollars (US$100).

The parties acknowledge that, because the Beta Solution is provided without charge, the foregoing limitations reflect a reasonable allocation of risk and are a fundamental basis of the bargain between the parties.

16. Miscellaneous

Entire Agreement; Amendments

This Agreement represents the entire agreement between Customer and Station70 with respect to the subject matter hereof, and supersedes all prior or contemporaneous communications and proposals (whether oral, written, or electronic) between Customer and Station70 with respect thereto. Station70 reserves the right to amend, modify, or change this Agreement at any time and will use commercially reasonable efforts to notify Customer of the same. If Customer uses the Beta Solution in any way after such changes are effective, then Customer will be deemed to have agreed to all of the changes.

Governing Law; Venue

This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, excluding its conflicts of law rules, and the parties consent to exclusive jurisdiction and venue in the state and federal courts located in the State of Delaware.

Notices

All notices to Station70 under this Agreement shall be in writing and shall be deemed to have been duly given when received, if sent by email to security@station70.com or to such other address as Station70 designates in writing. Notices to Customer may be sent to the email address associated with Customer's Gatekeeper account and shall be deemed received upon transmission.

Publicity

Station70 shall not use Customer's name, logo, or trademarks in any marketing, promotional, or customer-list materials without Customer's prior written consent.

Force Majeure

Station70 shall not be liable for any failure to perform its obligations hereunder where such failure results from any cause beyond Station70's reasonable control, including, without limitation, the elements; fire; flood; severe weather; earthquake; vandalism; accidents; sabotage; power failure; denial of service attacks or similar attacks; Internet failure; acts of God and the public enemy; acts of war; acts of terrorism; riots; civil or public disturbances; strikes, lock-outs, or labor disruptions; any laws, orders, rules, regulations, acts, or restraints of any government or governmental body or authority, civil or military, including the orders and judgments of courts.

Assignment

Customer may not assign any of its rights or obligations hereunder without Station70's consent. Station70 may freely transfer, assign, or delegate this Agreement and its rights and obligations thereunder without consent. Any purported transfer or assignment in violation of the foregoing is void. Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the parties and their successors and assigns.

Relationship; Attorneys' Fees; Severability; Waiver

No agency, partnership, joint venture, or employment relationship is created as a result of this Agreement, and neither party has any authority of any kind to bind the other in any respect. In any action or proceeding to enforce rights under this Agreement, the prevailing party shall be entitled to recover costs and attorneys' fees. If any provision of this Agreement is held to be unenforceable for any reason, such provision shall be reformed only to the extent necessary to make it enforceable. The failure of either party to act with respect to a breach of this Agreement by the other party shall not constitute a waiver and shall not limit such party's rights with respect to such breach or any subsequent breaches.


Data Processing Addendum

Station 70, Inc.

Please read this Data Processing Addendum ("DPA") carefully. This DPA is incorporated by reference into the End User License Agreement (the "Agreement"), and applies automatically to any processing of Personal Data subject to Applicable Data Protection Law (as defined below) arising in connection with Customer's use of the Solution. By accepting the Agreement, Customer agrees to be bound by this DPA with respect to such processing. Capitalized terms not defined herein have the meanings given in the Agreement or in the GDPR (as defined below).

This DPA is entered into between Station 70, Inc. ("Station70" or "Processor") and the Customer that accepts this DPA ("Customer" or "Controller").

1. Definitions

"Applicable Data Protection Law" means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including:

  1. Regulation (EU) 2016/679 (the "EU GDPR");
  2. the EU GDPR as incorporated into United Kingdom law (the "UK GDPR") and the Data Protection Act 2018; and
  3. the Swiss Federal Act on Data Protection (collectively, the "GDPR").

"Control," "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," "Special Categories of Personal Data," and "Supervisory Authority" have the meanings given in the GDPR.

"Standard Contractual Clauses" or "SCCs" means:

  1. the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as approved by European Commission Decision (EU) 2021/914 of 4 June 2021, as amended from time to time (the "EU SCCs"); and
  2. the International Data Transfer Addendum issued by the UK Information Commissioner's Office (the "UK Addendum"), as applicable.

"Subprocessor" means any third party engaged by Station70 to process Personal Data on Customer's behalf.

2. Roles and Scope

Roles

The parties acknowledge and agree that, with respect to the Processing of Personal Data under the Agreement, Customer is the Controller and Station70 is the Processor. Each party shall comply with its respective obligations under Applicable Data Protection Law.

Scope

Station70 shall Process Personal Data only to the extent, and in such a manner, as is necessary to provide the Solution in accordance with the Agreement and Customer's documented instructions. The subject matter, duration, nature, purpose, categories of Data Subjects, and types of Personal Data are described in Annex I.

Customer Instructions

Customer's instructions to Station70 for Processing Personal Data are set forth in the Agreement, this DPA, and any additional written instructions given by Customer and acknowledged by Station70. Station70 shall notify Customer if, in its opinion, an instruction violates Applicable Data Protection Law.

3. Confidentiality

Station70 shall ensure that persons authorized to Process Personal Data on its behalf are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

4. Security

Technical and Organizational Measures

Station70 shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as further described in Annex II.

Beta-Stage Acknowledgment

Customer acknowledges that the Solution is a pre-release offering and that the security controls listed in Annex II represent Station70's current controls, which may evolve as the Solution matures. Station70 shall promptly notify Customer of any material changes that reduce the protection of Personal Data.

5. Personal Data Breach Notification

Station70 shall notify Customer without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notice shall include, to the extent known, a description of the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

6. Subprocessing

General Authorization

Customer provides general authorization for Station70 to engage Subprocessors to Process Personal Data. A current list of Subprocessors is available at trust.station70.com/subprocessors and is summarized in Annex III.

Changes

Station70 shall provide at least thirty (30) days' prior notice of the addition or replacement of any Subprocessor by updating the list at the URL above and, where Customer has subscribed to Subprocessor change notifications, by email to Customer's designated contact. Customer may object to such change on reasonable data protection grounds by notifying Station70 in writing within that notice period. If the parties cannot resolve the objection, Customer may terminate the Agreement with respect to the affected services.

Subprocessor Obligations

Station70 shall impose on each Subprocessor, by written contract, data protection obligations substantially equivalent to those set out in this DPA. Station70 shall remain liable to Customer for the acts and omissions of its Subprocessors.

7. Data Subject Rights

Taking into account the nature of the Processing, Station70 shall provide reasonable assistance to Customer, insofar as possible, by appropriate technical and organizational measures, to enable Customer to respond to requests from Data Subjects to exercise their rights under the GDPR. If Station70 receives a request directly from a Data Subject, Station70 shall (unless prohibited by law) forward the request to Customer without undue delay and shall not respond to the request except on Customer's documented instructions or as required by applicable law.

8. Data Protection Impact Assessment and Prior Consultation

Station70 shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under Articles 35 or 36 of the GDPR, to the extent relating to the Processing of Personal Data under the Agreement and taking into account the nature of the Processing and the information available to Station70.

9. International Data Transfers

Transfers

Customer acknowledges that Station70 is established in the United States and that Personal Data may be transferred to and Processed in the United States and in such other countries where Station70 or its Subprocessors operate.

EU Transfers

For transfers of Personal Data from the European Economic Area to a country not subject to an adequacy decision, the parties shall be deemed to have entered into the EU SCCs, Module Two (Controller-to-Processor), which are incorporated by reference and completed as follows:

  1. the optional docking clause in Clause 7 applies;
  2. Option 2 in Clause 9(a) applies, with a general authorization and the notice period set forth in Section 6 of this DPA;
  3. in Clause 11(a), the optional language does not apply;
  4. in Clause 17, the governing law is the law of Ireland;
  5. in Clause 18(b), the chosen forum is the courts of Ireland; and
  6. Annexes I, II, and III to this DPA serve as the corresponding annexes to the EU SCCs.

UK Transfers

For transfers subject to the UK GDPR, the parties shall be deemed to have entered into the UK Addendum, with the EU SCCs completed as described above and the tables in the UK Addendum completed consistently with this DPA and its Annexes.

Swiss Transfers

For transfers subject to Swiss data protection law, the EU SCCs shall apply with references to the GDPR deemed to refer to the Swiss Federal Act on Data Protection, and references to Supervisory Authorities deemed to refer to the Swiss Federal Data Protection and Information Commissioner.

10. Audits

Customer agrees that audit rights shall be satisfied by Station70 providing a copy of its most recent third-party security audit report (e.g., SOC 2 Type II). Only if such report does not provide sufficient information to verify compliance, or if a Data Protection Authority requires it, shall Customer have the right to request a further audit, limited to a review of relevant documentation.

11. Return or Deletion of Personal Data

Upon termination or expiration of the Agreement, Station70 shall, at Customer's option and written request, return or delete all Personal Data Processed on behalf of Customer, unless retention is required by applicable law. Where retention is required, Station70 shall continue to protect the Personal Data in accordance with this DPA.

12. Liability

Each party's liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA limits any right of a Data Subject under Clause 12 of the EU SCCs.

13. Order of Precedence

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail solely with respect to its subject matter. In the event of any conflict between the SCCs and any other term of this DPA or the Agreement, the SCCs shall prevail to the extent required by Applicable Data Protection Law.

14. Term

This DPA shall remain in force for so long as Station70 Processes Personal Data on behalf of Customer under the Agreement.


Annex I — Description of Processing

A. List of Parties. Controller: Customer as identified through the in-app acceptance event for this DPA. Processor: Station 70, Inc.

B. Categories of Data Subjects. Customer's authorized users and their designated delegates who access third-party accounts via the Solution.

C. Categories of Personal Data. Name, business email address, unique user identifiers, authentication secrets (including TOTP seeds or equivalents), one-time passcodes, authentication approval events, session metadata, IP address, device identifiers, user-agent, and audit log data.

D. Special Categories of Personal Data. None. Customer shall not submit Special Categories of Personal Data to the Solution.

E. Frequency of Processing. Continuous during the Beta Term.

F. Nature and Purpose of Processing. Provision of the Solution, including storage and transmission of authentication secrets, generation and delivery of one-time passcodes, authentication approval workflows, audit logging, and support activities.

G. Duration. For the term of the Agreement, plus any period during which return or deletion is pending under Section 11 of this DPA.

H. Competent Supervisory Authority. The Irish Data Protection Commission, for purposes of the EU SCCs, unless the Data Subject's Member State designates otherwise under Clause 13 of the EU SCCs.


Annex II — Technical and Organizational Measures

Station70 implements the following technical and organizational measures, which may be updated from time to time in accordance with Section 4 of this DPA:

  1. Encryption. Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent industry-standard encryption. Authentication secrets are stored in a dedicated key management system with hardware-backed key protection.
  2. Access Control. Role-based access controls, least-privilege principles, mandatory multi-factor authentication for all personnel, and logging of access to systems containing Personal Data.
  3. Network Security. Segregated production environments, firewall and intrusion detection controls, and regular vulnerability scanning.
  4. Personnel. Background checks where legally permitted, security awareness training, and confidentiality obligations for all personnel with access to Personal Data.
  5. Incident Response. Documented incident response procedures, 24/7 on-call coverage for production systems, and post-incident review.
  6. Resilience. Regular backups, documented disaster recovery procedures, and periodic restoration testing.
  7. Secure Development. Code review requirements, dependency scanning, and pre-release security testing.
  8. Audit and Logging. Immutable audit logs of authentication events and administrative actions, retained for the duration required by applicable law and this DPA.
  9. Physical Security. Personal Data is hosted in facilities operated by reputable cloud providers with SOC 2 Type II or ISO 27001 certification.

Annex III — Subprocessors

Station70 maintains a current, up-to-date list of authorized Subprocessors at trust.station70.com/subprocessors. The list at that URL is incorporated by reference into this Annex III and constitutes the authoritative list of Subprocessors for purposes of this DPA. The list identifies, for each Subprocessor, the corporate name, the service or function provided, and the location(s) at which Personal Data is processed.

Customer may subscribe to email notifications of Subprocessor changes by following the instructions at the URL above.