
Data Processing Addendum.

Effective: 2026-05-09 | Version: 1.0 | Referenced in: MSA Section 8(b) | Update protection: MSA Section 8(b)

This DPA describes how preventionOS Processes Personal Data on behalf of the Customer, the security measures we maintain, the Sub-processors we engage, and how Customer rights are protected when this document is updated.

  1. Introduction

    This Data Processing Addendum ("DPA") forms part of the Master Subscription Agreement ("MSA") between Scottship Solutions LLC ("preventionOS", "we") and the customer organization ("Customer", "you"). The DPA applies whenever preventionOS Processes Personal Data on behalf of the Customer in connection with the Service. This DPA is referenced in MSA Section 8(b).

  2. Definitions

    Customer Data means any data, including Personal Data, that the Customer or its authorized users submit to or generate within the Service. Personal Data, Data Subject, Data Controller, Data Processor, Sub-processor, and Processing have the meanings given to them under applicable Data Protection Law. Data Protection Law means the privacy and data protection laws applicable to the Customer's use of the Service, which may include United States state privacy laws (CCPA / CPRA, VCDPA, CPA, CTDPA, UCPA, and similar laws), the EU General Data Protection Regulation (GDPR), and the UK Data Protection Act 2018. Service has the meaning given in the MSA.

  3. Roles of the parties

    For Personal Data Processed under this DPA, the Customer is the Data Controller and preventionOS is the Data Processor. The Customer determines the purposes and means of Processing. preventionOS Processes Personal Data only on documented instructions from the Customer, including those set out in the MSA, this DPA, and the configurations the Customer makes within the Service.

  4. Scope and purpose of processing

    preventionOS Processes Customer Data for the purpose of providing, securing, and supporting the Service, and for any additional purposes the Customer instructs in writing. Categories of Personal Data and Data Subjects vary by Customer use case, but typically include training participants, facilitators, partner-organization staff, coalition members, and Customer staff. Special-category data may be present where Customers configure it (for example, demographic fields used in funder reporting). Processing duration matches the subscription term plus the retention windows in Section 13.

  5. Confidentiality

    preventionOS personnel authorized to Process Customer Data are bound by written confidentiality obligations or are under appropriate statutory obligations of confidentiality. Access is limited to those with a business need and is reviewed regularly.

  6. Security measures

    preventionOS implements and maintains the technical and organizational measures described in Annex A. These include encryption of Customer Data in transit and at rest, role-based access controls, audit logging, vulnerability management, secure software development practices, employee security training, and a documented incident response process. preventionOS will update Annex A from time to time, and any update will provide protection at least equivalent to the level in effect when the Customer subscribed.

  7. Sub-processors

    preventionOS engages Sub-processors to deliver portions of the Service. The list of current Sub-processors is in Annex B. preventionOS will give the Customer at least thirty (30) days' advance notice of new Sub-processors by posting an updated Annex B and notifying the Customer's designated administrators. The Customer may object in writing within fifteen (15) days for legitimate, well-documented data protection reasons. preventionOS will work in good faith to address the objection. If a resolution is not reached, the Customer may terminate the affected Service for the remainder of the then-current term, with a pro-rata refund of prepaid fees for the remaining term.

  8. Updates to this DPA

    preventionOS may update this DPA from time to time. Material updates will be communicated to the Customer at least thirty (30) days before they take effect, and will be governed by MSA Section 8(b). Any update will not retroactively reduce Customer protections for Personal Data already collected, and Customers will retain the DPA terms in effect at the start of their then-current term until renewal. Non-material updates that do not reduce Customer rights (clarifications, contact updates, formatting changes) may take effect on posting.

  9. Data subject rights

    preventionOS will, taking into account the nature of the Processing, assist the Customer through appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Law. The Service exposes self-service controls for Customer administrators to access, export, correct, and delete Personal Data within their tenant. preventionOS will pass through any Data Subject request received directly to the relevant Customer without responding on the Customer's behalf.

  10. Personal data breach

    preventionOS will notify the Customer without undue delay, and in no event later than seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Data. The notification will include the information reasonably available at the time, including the nature of the Personal Data Breach, the likely consequences, and the measures taken or proposed. preventionOS will provide updates as additional information becomes available.

  11. Audit rights

    On reasonable written notice and not more than once per calendar year, the Customer may request information reasonably necessary to demonstrate preventionOS's compliance with this DPA, including third-party audit reports, security questionnaires, and copies of relevant policies. The Customer agrees to treat any such information as confidential. preventionOS may, in its discretion, satisfy an audit request by providing a recent third-party audit report or completed security questionnaire.

  12. International transfers

    Customer Data is hosted in the United States by default. Where required by Data Protection Law for cross-border transfers, the Customer and preventionOS agree to rely on the Standard Contractual Clauses (SCCs) approved by the European Commission, the United Kingdom Addendum to the SCCs, or other valid transfer mechanisms in effect at the time of transfer. The Customer authorizes preventionOS to enter into the SCCs on its behalf with Sub-processors as needed.

  13. Return and deletion of customer data

    On termination or expiration of the MSA, preventionOS will, at the Customer's written election, return Customer Data in a commonly used machine-readable format or delete it. Self-service export remains available throughout the subscription term. After termination, preventionOS will delete Customer Data within ninety (90) days, except for backups retained on the standard backup rotation, which are deleted within an additional one hundred eighty (180) days, or as otherwise required by applicable law.

  14. Liability

    Each party's liability under this DPA is subject to the limitations of liability set forth in the MSA. Nothing in this DPA varies or modifies those limits.

  15. Annex A: Security measures

    preventionOS implements the following measures, at minimum.

    (a) Encryption: Customer Data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using industry-standard algorithms.
    (b) Access control: role-based access is enforced through the Service; administrator access to production is limited to authorized personnel using individual accounts with multi-factor authentication.
    (c) Logging and monitoring: production access and security-relevant events are logged and reviewed; alerts are configured for anomalous activity.
    (d) Network security: production is segregated from non-production; perimeter controls are maintained at the cloud provider layer.
    (e) Application security: secure coding practices, dependency review, and pre-release testing.
    (f) Vulnerability management: third-party dependencies are monitored; patches are applied on a documented schedule.
    (g) Personnel: background checks where lawful; confidentiality agreements; security and privacy training.
    (h) Incident response: documented runbook with defined severity levels, notification timelines, and post-incident review.

  16. Annex B: Sub-processors

    preventionOS uses the following Sub-processors.

    - Amazon Web Services (cloud infrastructure, United States): hosting, storage, networking, identity, content delivery.
    - Email-delivery provider (transactional email): outbound transactional email sent from the Service.
    - AI provider: where the Customer enables optional AI features within the Service, an AI model provider Processes the prompt and response data necessary to generate the requested output.
    - Customer support tooling: limited Customer Data may be Processed by support and ticketing tools to respond to Customer requests.

    The current list of named Sub-processors and the regions in which they operate is published with this DPA and refreshed when the list changes.

  17. Contact

    Questions about this DPA can be sent to security@preventionos.org. Privacy-specific requests can be sent to the same address.

This DPA is part of the Master Subscription Agreement between the Customer and Scottship Solutions LLC. Defined terms not defined here have the meanings given in the MSA or applicable Data Protection Law. For privacy questions, contact security@preventionos.org.