Data Processing Agreement

Last updated: 06 July 2026

This Data Processing Agreement ("DPA") applies to Entire's processing of your Personal Data when you use Entire's services. The DPA is intended to supplement Entire's Terms of Service (the "Terms") and Privacy Policy (the "Privacy Policy"), however in the event of any conflict between this DPA and the Terms or Privacy Policy, the terms and conditions of this DPA shall prevail.

1. Definitions

A. "CCPA" means the California Consumer Privacy Act 2018.

B. "DPA" means this Data Processing Agreement.

C. "Data Protection Requirements" means the applicable obligations imposed on Entire by the GDPR, the CCPA, and any other applicable privacy, data protection and data security laws and regulations.

D. "Entire" means Entire Inc, registered in the State of Delaware, United States.

E. "GDPR" means:

(i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016; and

(ii) Regulation (EU) 2016/679 as transposed into national law of the United Kingdom by the UK European Union (Withdrawal) Act 2018 (as may be amended from time to time).

F. "Entire's services" means any service or software that Entire provides you under a written and executed agreement.

G. "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to your Personal Data processed by Entire on your behalf.

H. "Standard Contractual Clauses" or "SCCs" means:

(i) where the GDPR applies the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs");

(ii) where the UK GDPR applies, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 ("UK Addendum"); and

(iii) where the Swiss Data Protection Act ("Swiss DPA") applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner ("FDPIC") (the "Swiss SCCs").

I. "Subprocessor" means a third-party Processor retained by Entire to process your data.

J. "Subprocessor List" means the list of Subprocessors identified on the Entire website at https://entire.io/subprocessors, or a successor location.

K. "Troubleshooting" means preventing, detecting, investigating, mitigating, and repairing problems, including Security Incidents and problems identified in the relevant products. Troubleshooting includes fixing software defects and otherwise keeping the Entire's services up to date and performant.

L. "you" or "your" means the individual accessing or using Entire's services (or the company or other legal entity on behalf of which you are accessing or using Entire's services, as applicable).

M. "Controller," "Data Subject," "Personal Data," "Process," and "Processor" have the meanings ascribed to them in the GDPR.

2. Processing Roles and Responsibilities

A. Roles. You are the Controller of your Personal Data, and Entire is the Processor of that data, unless:

(i) you are the Processor of your Personal Data. In that case, Entire is a Subprocessor; or

(ii) Entire is an independent Controller processing your Personal Data for the purposes listed in Section 2.C of this DPA.

B. Your Processing instructions to Entire. You instruct Entire to perform the following activities as Processor acting on your behalf:

(i) Provide Entire's services by:

a. providing and updating Entire's services as configured and used by you or your users, and to make ongoing personalized experiences and recommendations;

b. Troubleshooting; and

c. keeping Entire's services up to date and performant, and enhancing user productivity, reliability, efficacy, quality, privacy, accessibility and security.

(ii) Process your Personal Data as set out in:

a. the Privacy Policy;

b. Annex I to the Standard Contractual Clauses; and

c. any other documented instruction provided by you and acknowledged in writing by Entire as constituting instructions for purposes of this DPA.

C. Entire's Independent Processing of Data. Entire Processes some of your Personal Data as an independent Controller. Entire conducts such processing in compliance with Data Protection Requirements generally, and the GDPR specifically, and in a manner consistent with the purposes outlined in the Privacy Policy. Entire will not use or otherwise process your Personal Data for: (a) user profiling, (b) advertising or similar commercial purposes, (c) data selling or brokering, or (d) any other purpose, other than for the purposes set out in this section. You agree that Entire may conduct this Processing.

D. Lawfulness of instructions.

(i) It is your responsibility to ensure that your instructions comply with Data Protection Requirements. Entire is not responsible for determining what laws or regulations apply to your business, or for determining whether Entire's provision of services meets the requirements of such laws.

(ii) You will ensure that processing your Personal Data in accordance with your instructions will not cause Entire to violate any law or regulation, including Data Protection Requirements.

(iii) Entire will inform you if it becomes aware, or reasonably believes, that your instructions violate any applicable law or regulation.

E. Additional instructions. Any additional instructions outside the scope of the Terms, the Privacy Policy or this DPA must be agreed between you and Entire in writing.

F. Disclosure of your Personal Data.

(i) Entire will not disclose or provide access to any of your Personal Data unless it is:

a. in accordance with your instructions; or

b. as described in the Terms, the Privacy Policy or this DPA; or

c. required by law, in which case Annex IV to the SCCs will apply.

(ii) Entire will not disclose or provide access to any of your Personal Data to law enforcement unless required by law or compelled by legal process. Requests by law enforcement for your Personal Data will be directed to you where possible.

(iii) Entire will contact you if disclosure of your Personal Data is compelled and provide a copy of the legal process compelling the disclosure, unless Entire is legally prohibited from doing so.

G. Data Subject Rights. If Entire receives a request from one of your Data Subjects pertaining to Entire's services where Entire functions as your Processor or Subprocessor, Entire will redirect the Data Subject to you. Consistent with the functionality of Entire's services and Entire's role, Entire will cooperate with you and provide you the necessary means to respond. You are solely responsible for responding to these requests.

3. Security

Entire will implement and maintain appropriate technical and organizational measures and security safeguards as set out in Annex II to the SCCs.

4. Audit

Entire will provide you with security compliance reporting upon your request. Should you be required to respond to a regulatory or supervisory request that requires Entire's participation, and your obligations cannot reasonably be satisfied with Entire's standard security compliance reports, Entire will promptly respond to your additional instructions and requests for information, in accordance with the following terms and conditions:

A. Entire will provide access to relevant knowledgeable personnel, documentation, and application software.

B. You and Entire will agree in writing upon the scope, timing, duration, control, and evidence requirements.

C. Unless Entire is otherwise required by law or a supervisory authority of competent jurisdiction, Entire will provide such access:

(i) if the regulator or supervisory authority uses an independent and accredited third-party audit firm;

(ii) during regular business hours;

(iii) on 30 days advance written notice; and

(iv) only to your data and to those Entire systems or facilities involved in the relevant component of Entire's services. Neither you, your regulators, or your regulators' delegates shall have access to any data from Entire's other customers or to Entire systems or facilities not involved in Entire's services.

D. You will compensate Entire for the expenses incurred in the course of the above activities, including all out-of-pocket costs and reasonable costs and fees for time Entire expends, or services Entire provides, in connection with such cooperation.

E. Unless prohibited by law from doing so, you will share with Entire any reports, findings, or recommended actions pertaining to Entire.

5. Security Incidents

A. If Entire becomes aware of a Security Incident, Entire will without undue delay:

(i) notify you of the Security Incident, in accordance with the notice provisions in this DPA;

(ii) investigate the Security Incident and provide detailed information about it; and,

(iii) take reasonable steps to mitigate its effects and minimize any resulting damage.

B. Entire's notification of or response to a Security Incident under this section is not an acknowledgement of any fault or liability.

C. You are solely responsible for complying with your obligations under any incident notification laws. Entire will assist you to the extent required under applicable law in fulfilling your obligation to notify the relevant authorities and data subjects.

D. You must notify Entire promptly about any possible misuse of your accounts or authentication credentials, or any Security Incident related to Entire's service.

6. Data Transfers and Location

You appoint Entire to transfer your Personal Data to the United States or any other country in which Entire or its Subprocessors operate, and to store and process your Personal Data to provide Entire's services, subject to the safeguards below and described elsewhere in this DPA.

A. Entire may transfer and process your Personal Data to and in the United States, to third-party countries (including those outside of the European Economic Area ("EEA") without an adequacy statement from the European Commission), and to Subprocessors, Entire's subsidiary companies and professional advisors. Entire shall ensure that such transfers are made in compliance with Data Protection Requirements and this DPA. If you select and use Entire's services where certain data is stored at rest in a specific geographic area, Entire will store the applicable data based on that instruction.

B. Any transfer of your Personal Data subject to this DPA from member states of the EU, EEA, Switzerland, or the United Kingdom to any countries where the European Commission, the FDPIC, or the UK Information Commissioner's Office has not decided that the third country or more specified sectors within that third country ensures an adequate level of protection, shall be undertaken through the Standard Contractual Clauses.

C. For the Standard Contractual Clauses, the Parties agree:

(i) Controller to Controller Transfers. The SCCs shall apply to Personal Data that is protected by the GDPR and processed in accordance with Section 2.C of this DPA, completed as follows:

a. Module One will apply;

b. in Clause 7, the optional docking clause will apply;

c. in Clause 11, the optional language will not apply;

d. in Clause 17, Option 1 will apply, and the New EU SCCs will be governed by the law of Ireland; and,

e. in Clause 18(b), disputes shall be resolved before the courts of Ireland.

(ii) Controller to Processor/Processor to Processor Transfers. The SCCs shall apply to Personal Data that is protected by the GDPR and processed in accordance with Section 2.B of this DPA, completed as follows:

a. Module Two or Module Three will apply (as applicable);

b. in Clause 7, the optional docking clause will apply;

c. in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 8 of this DPA;

d. in Clause 11, the optional language will not apply;

e. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law of Ireland; and,

f. in Clause 18(b), disputes shall be resolved before the courts of Ireland.

(iii) Transfers from the UK. In relation to Personal Data that is protected by the UK GDPR, the UK Addendum will apply, completed as follows:

a. the SCCs shall also apply to transfers of such Personal Data, subject to sub-section (b) below;

b. Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the SCCs, completed as set out in Section 6.B of this DPA, and the option "neither party" shall be deemed checked in Table 4; and,

c. The start date of the UK Addendum (as set out in Table 1) shall be the date of this DPA.

(iv) Transfers from Switzerland. In relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply in accordance with Sections 6.B.(i)-(ii) with the following modifications:

a. any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss Federal Data Protection Act;

b. references to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as applicable; and,

c. references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the FDPIC and competent courts in Switzerland, unless the SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes of the Swiss SCCs shall be populated using the information contained in Annexes I and II of this DPA.

7. Retention and Deletion

Following the completion of Entire's services, to the extent that Entire is a Processor and unless prohibited by law, Entire will use its best endeavors to:

A. delete or return all of your Personal Data to you, whichever you elect; and

B. delete existing copies in accordance with Entire's retention and deletion policy.

8. Subprocessors

A. Entire may hire Subprocessors of its choosing. The above authorization constitutes your prior written consent to Entire subcontracting the processing of Personal Data to any Subprocessor on the Subprocessor List.

B. From time to time, Entire may engage new Subprocessors. Entire will give you notice of such engagements by updating the Subprocessor List and providing you with notice of that update 30 days before providing that Subprocessor with access to your Personal Data.

C. If you do not approve of a new Subprocessor, you may terminate any subscription for the affected component of Entire's services without penalty by providing written notice of termination before the end of the relevant notice period. If the affected Entire service is part of a suite or purchased as part of a bundle, then any termination will apply to the entire suite or bundle.

D. Entire is responsible for Subprocessors' compliance with Entire's obligations in this DPA, and will engage such Subprocessors by written agreements compliant with the requirements of the GDPR governing the use of Subprocessors. Entire will oversee the Subprocessors to ensure that their contractual obligations are met.

9. CCPA

If and to the extent Entire is processing Personal Data within the scope of the CCPA on your behalf and in accordance with your documented instructions, Entire will not:

A. sell the Personal Data as the term "selling" is defined in the CCPA;

B. share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, the Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money is exchanged;

C. retain, use, or disclose the Personal Data for any purpose other than for the business purposes specified in the Terms, the Privacy Policy or this DPA, or as otherwise permitted by the CCPA;

D. retain, use, or disclose the Personal Data outside of the direct business relationship with you; or

E. combine the Personal Data with personal information that it receives from or on behalf of a third party or collects from California residents, except that Entire may combine Personal Data to perform any business purpose as permitted by the CCPA or any regulations adopted or issued under the CCPA.

10. Educational Institutions

A. If you are an educational agency or institution subject to the regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), or similar state student or educational privacy laws (collectively "Educational Privacy Laws"), you shall not provide Personal Data covered by such Educational Privacy Laws to Entire without obtaining Entire's prior, written, and specific consent expressly reciting Entire's agreement to accept Personal Data subject to an Educational Privacy Law, and entering into a separate agreement with Entire governing the parties' rights and obligations with respect to the processing of such Personal Data by Entire in connection with Entire's services.

B. Without waiver of the above, or limiting Entire's remedies in the event of a breach of the above provision, if you breach the above provision by providing Entire any Personal Data covered by FERPA without such a separate agreement, you agree and acknowledge that, for the purposes of this DPA, Entire is a "school official" with "legitimate educational interests" in the Personal Data, as those terms have been defined under FERPA and its implementing regulations. you understand Entire may possess limited or no contact information for your students and students' parents. Consequently, you are responsible for obtaining any student or parental consent that may be required by applicable law for any end user's use of Entire's services and to convey notification on behalf of Entire to students (or a student's legal guardian when required) of any judicial order or lawfully issued subpoena requiring the disclosure of Personal Data in Entire's possession as may be required under applicable law.

11. Restricted Personal Data

Except with Entire's prior, written, and specific consent, you shall not provide Entire any Personal Data:

A. relating to criminal convictions and offenses or Personal Data collected or otherwise processed by you subject to or in connection with FBI Criminal Justice Information Services or the related Security Policy;

B. constituting protected health information governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) or by state health or medical privacy laws;

C. collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects; or

D. covered by state, federal, or foreign biometric privacy laws or otherwise constituting biometric information including information on an individual's physical, physiological, biological, or behavioral characteristics or information derived from such information that is used or intended to be used, singly or in combination with each other or with other information, to establish individual identity.

12. Breach

If you believe that Entire is in breach of its obligations under this DPA, you must provide Entire with notice of such breach and Entire shall have 14 business days to cure any such breach.

13. Notices

A. Notices to Entire. You will provide notices to Entire by email to legal@entire.io.

B. Notices to you. Entire may provide notices to you by any means of notifying your administrator(s), including email, that Entire selects. It is your obligation to maintain accurate contact information with Entire, and you will monitor any contact address provided to Entire so that you can receive and respond to such Notices.

DPA Attachment 1

ANNEX I to the Standard Contractual Clauses (EU/EEA)

A. LIST OF PARTIES

MODULE ONE: CONTROLLER TO CONTROLLER MODULE TWO: CONTROLLER TO PROCESSOR MODULE THREE: PROCESSOR TO PROCESSOR

Data exporter(s) for the above modules

Customer's Name and contact details:

Activities relevant to the data transferred under these Clauses: as set out in the Terms and the Privacy Policy.

Signature and date: Annex 1 is deemed to be executed on the date the transfer commenced or the date that the Agreement was executed, whichever is earlier.

Role: MODULE ONE: CONTROLLER, MODULE TWO: CONTROLLER, MODULE THREE: PROCESSOR

Data importer(s)

Name and contact details:

Entire, Inc.

PO Box # 40426
12400 SE 38th St
Bellevue, WA 98006-9899

Activities relevant to the data transferred under these Clauses: as set out in the Terms and the Privacy Policy.

Signature and date: Annex 1 is deemed to be executed on the date the transfer commenced or the date that the Agreement was executed, whichever is earlier.

Role: MODULE ONE: CONTROLLER, MODULE TWO: PROCESSOR, MODULE THREE: (SUB)PROCESSOR

B. Description of Transfer

MODULE ONE: CONTROLLER TO CONTROLLER MODULE TWO: CONTROLLER TO PROCESSOR MODULE THREE: PROCESSOR TO PROCESSOR

Categories of data subjects whose personal data is transferred:

Data subjects include the data exporter's representatives and end-users including employees, contractors, collaborators, and customers of the data exporter.

Categories of personal data transferred:

As set out in the Terms and the Privacy Policy.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

Entire does not request or otherwise ask for sensitive data and receives such data only if and when customers or data subjects decide to provide it.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous as part of Entire's services.

Nature of the processing:

The personal data transferred will be subject to the following basic processing activities:

  • Duration and Object of Data Processing. The duration of data processing shall be for the term designated under contract between data exporter and the data importer. The objective of the data processing is the performance of Entire's services.

  • Personal Data Access. For the term designated under the applicable contract between data exporter and the data importer, data importer will, at its election and as necessary under applicable law, either: (1) provide data exporter with the ability to correct, delete, or block personal data, or (2) make such corrections, deletions, or blockages on its behalf.

  • Data Exporter's instructions. For Entire's services, data importer will only act upon data exporter's instructions or in accordance with the Terms or the Privacy Policy, as applicable.

Purpose(s) of the data transfer and further processing:

The scope and purpose of processing personal data is described in DPA Section 2 on Scope and Processing Roles. Processing may take place in any jurisdiction where data importer or its subprocessors operate such facilities in accordance with DPA Section 6 on Data Transfers and Locations.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal data will be retained under return or deletion of data in accordance with Section 7 of the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

In accordance with the DPA, the data importer may engage other companies to provide services on data importer's behalf. Any such subcontractors will be permitted to obtain personal data only to deliver the services the data importer has retained them to provide, and they are prohibited from using personal data for any other purpose. Unless a particular subcontractor is replaced ahead of time, the processing will be for the term designated under the applicable contract between data exporter and the data importer.

C. COMPETENT SUPERVISORY AUTHORITY

MODULE ONE: CONTROLLER TO CONTROLLER MODULE TWO: CONTROLLER TO PROCESSOR MODULE THREE: PROCESSOR TO PROCESSOR

The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 – i.e. the regulator of the EU member state where the data exporter is resident.

DPA Attachment 2

Annex II to the Standard Contractual Clauses (EU/EEA)

MODULE ONE: CONTROLLER TO CONTROLLER MODULE TWO: CONTROLLER TO PROCESSOR MODULE THREE: PROCESSOR TO PROCESSOR

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

  • Entire's personnel: Entire's personnel with access to personal data are bound by confidentiality obligations under contract.

  • In transit: all traffic encrypted with TLS (client-facing and service-to-service).

  • Logging and monitoring: System and application activity is logged and monitored.

  • Vulnerability management and secure development: Application code and dependencies undergo automated vulnerability scanning; changes are peer-reviewed before release; and development, staging, and production environments are kept separate.

  • Network security: Public-facing traffic is protected by a web application firewall, and internal networks are segmented to limit lateral access.

  • Business continuity and data recovery: Backups are encrypted at rest.

  • Physical and environmental security: Physical and environmental security of the underlying infrastructure is managed by Entire's cloud infrastructure providers, each of which maintains independently audited physical and environmental controls (for example, SOC 2 and ISO 27001).

ANNEX III — LIST OF SUB-PROCESSORS

to the Standard Contractual Clauses (EU/EEA)

MODULE ONE: CONTROLLER TO CONTROLLER MODULE TWO: CONTROLLER TO PROCESSOR MODULE THREE: PROCESSOR TO PROCESSOR

The Parties rely on general authorization under Clause 9a of the Standard Contractual Clauses (EU/EEA).

The list of Subprocessors is maintained on the Entire website at https://entire.io/subprocessors (or a successor location), and is updated in accordance with Section 8 of this DPA.

ANNEX IV to the Standard Contractual Clauses (EU/EEA) — Additional Safeguards Addendum

This Addendum to the Standard Contractual Clauses ("Addendum") by Entire provides extra safeguards and redress for data subjects linked to your personal data. It supplements but does not modify the Standard Contractual Clauses.

I. Challenges to Orders: If Entire receives an order demanding disclosure of personal data transferred under the Standard Contractual Clauses, Entire will:

a. Redirect the third party to request data from the Customer;

b. Inform the Customer unless legally prohibited, striving to waive this prohibition;

c. Challenge the disclosure order legally.

II. Indemnification of Data Subjects: Entire shall indemnify a data subject for damages caused by Entire's disclosure of their data in response to an order from a non-EU/EEA government body.

a. No Obligation to Indemnify:

i. If the data subject has already received compensation for the same damage, Entire has no obligation to indemnify.

ii. If Entire can prove the disclosure did not violate Chapter V of the GDPR, Entire has no obligation to indemnify.

b. Conditions of Indemnification: Indemnification depends on the data subject proving that:

i. Entire disclosed the data;

ii. This led to an official proceeding against them; and

iii. The disclosure directly caused damage.

c. Scope of Damages: Indemnification covers only damages defined in the GDPR, excluding consequential and other damages not due to Entire's GDPR infringement.

III. Exercise of Rights: Data subjects can enforce their rights under this Addendum against Entire irrespective of any restrictions in the Standard Contractual Clauses. Claims must be individual, not part of a collective action, and are non-transferable.

IV. Notice of Change: Entire warrants that the current legislation to which it is subject allows it to fulfill obligations under this Addendum and the Standard Contractual Clauses. If a legal change affecting these obligations occurs, Entire will notify the Customer, who can then suspend data transfer or terminate the contract.

V. Termination: This Addendum ends if a different lawful transfer mechanism is approved that covers the data transfers of the Standard Contractual Clauses, and doesn't require these additional safeguards.