Data Processing Addendum

You, as a customer agreeing to this Data Processing Addendum, including its applicable appendices, (this “Data Protection Addendum” or “DPA”), has entered into the Starhive Cloud Terms of Service (the “Agreement” as amended from time to time) with Starhive AB, a Swedish limited liability company with registration number 559362-7648, (“Starhive”, “we” or “us”) under which you have subscribed for or otherwise ordered one or more of our hosted or cloud-based solutions (defined as “Products” under the Agreement).

This Data Protection Addendum will be effective for any processing of personal data within the meaning of Applicable Data protection Laws (as defined below) within the features or functionality of our Product made available to you and your Users or otherwise in connection with the Agreement.

This DPA forms part of the Agreement. Any capitalized term used but not otherwise defined in this DPA shall have the meaning provided to it in the Agreement.

1.1 Definitions

1.1. For purposes of this Addendum, the terms below shall have the following meaning. Any capitalized terms that are used but not otherwise defined in this Addendum shall have the meaning provided to it in the Agreement.

“Applicable Data Protection Laws” means all data protection laws and regulations applicable to the processing of personal data or personal information under this DPA, including but not limited to GDPR.

“Customer Personal Data” means any personal data or personal information of data subjects contained within the data provided by you or your Users, or on behalf of you or your Users in connection with the use or providence of the Products.

“EU-US Data Privacy Framework” means the Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, including the UK Government’s adequacy decision creating a UK extension to the EU-US Data Privacy Framework.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), (as may be amended, updated, or superseded from time to time).

“Security Incident” means a breach of our security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in our possession, custody or control. “Security Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Sub-processors” means third parties authorized under this DPA to process Customer Personal Data in relation to the Products or the use thereof.

“UK Data Protection Law” means the United Kingdom Data Protection Act 2018 and its implementation of the GDPR (as may be amended, updated, or superseded from time to time).

The terms “personal data”, “data subject”, “processing”, “controller”, “processor”, “supervisory authority”, “personal information”, “business” and “service provider” as used in this DPA have the meanings given in the Applicable Data Protection Laws, as applicable.

2. Processing of personal data/personal information

2.1. Processing of Customer Personal Data. This DPA only applies to the extent that we are processing Customer Personal Data on behalf of you. To the extent Applicable Protection Laws apply to the processing of Customer Personal Data, the parties acknowledge and agree that:

2.1.1. the subject matter and details of the processing are described in Appendix 1, as amended from time to time;

2.1.2. we are a processor of, and/or, as applicable, a service provider with respect to, that Customer Personal Data;

2.1.3 you are either a controller or processor of, and/or, as applicable, a business with respect to, that Customer Personal Data; and

2.1.4 each party will comply with the obligations applicable to it under the Applicable Data Protection Laws with respect to the processing of that Customer Personal Data.

2.2 Your instructions. You instruct us to process Customer Personal Data only in accordance with Applicable Data Protection Laws: (a) to provide the features and functionality of our Products; (b) as authorized by the Agreement, including this DPA; and (c) as further documented in any other written instructions given by you and acknowledged in writing by us as constituting instructions for purposes of this DPA.

2.3 Compliance with your instructions. We will only process Customer Personal Data in accordance with your instructions described in Section 2.2 (including with regard to data transfers) unless Applicable Data Protection Laws that we are subject to requires other processing of Customer Personal Data by us.

2.4 Authorization by third party controller. When you are a processor, you warrant to us that your instructions and actions with respect to that Customer Personal Data, including your appointment of us as another processor and your consent to our onward transfers of Customer Personal Data to our Sub-processors, have been authorized by the relevant controller.

2.5 Processing of personal data by us as a controller. To the extent Applicable Protection Laws apply to the processing of personal data or personal information by us as a controller, we will process such personal data or information in compliance with Applicable Data Protection Laws and only for the purposes that are compatible with those described in Appendix 1 as amended from time to time.

2.6 Amendment of Appendix 1. We may amend and update the descriptions of processing in Appendix 1 from time to time to reflect new products, features or functionality comprised within the Products. You can always find our latest version of Appendix 1.

3. Data transfers

3.1. Data storage and processing facilities. We may, subject to Section 3.2, store and process Customer Personal Data anywhere we or our Sub-processors maintains facilities.

3.2. Data transfers out of the EEA.

3.2.1. Our transfer obligations. If the storage and/or processing of Customer Personal Data (as set out in Section 3.1 involves transfers of Customer Personal Data out of the European Economic Area (“EEA”), we will only do so in compliance with Applicable Data Protection Laws in Europe, which in essence means transfer (i) to a receiver in a country that has been declared having “adequate level of protection” by the European Commission, (ii) to a receiver in the USA participating in the EU-US Data Privacy Framework or (iii) to a receiver in Canada that is subject to their legislation for protection of personal data in the private sector. You agree, notwithstanding anything to the contrary in the Agreement or this DPA, that we may make any amendments to the choice of transfer solution and/or any other amendments as we deem necessary to implement any replacement or changes directed by the applicable data protection authorities by notifying you of any such amendments in writing and such amendments shall be effective upon such notice.

3.2.2. Your transfer obligations. You, or your Users, may not use our Products in a way that involves transfer of Customer Personal Data out of the EEA from us or our Sub-processors to a receiver outside the scope of Section

above, without a proper transfer solution in place in compliance with Applicable Data Protection Laws in Europe (e.g. the, so called, standard contractual clauses). If we reasonably require you to use another transfer solution and we reasonably requests that you take any action (which may include execution of documents) required to give full effect to such solution, you will do so.

4. Security and Security Incidents

4.1. Security. We and, to the extent required und the Agreement, you must implement appropriate technical and organizational measures in accordance with Applicable Data Protection Laws, e.g. Article 32 of GDPR, to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data. Our current technical and organizational measures are described in Appendix 2 (“Security Measures”). You acknowledge and accepts that the Security Measures are subject to technical progress and development and that we may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Products.

4.2. Security Incidents. Upon becoming aware of a Security Incident, we will notify you without undue delay and provide timely information (taking into account the nature of processing and the information available to us) relating to the Security Incident as it becomes known or as is reasonably requested by you to allow you to fulfill your data breach reporting obligations under Applicable Data Protection Laws. We will further take reasonable steps to contain, investigate and mitigate the effects of the Security Incident. Our notification of or response to a Security Incident in accordance with this Section 4.2 will not be construed as an acknowledgement by us of any fault or liability with respect to the Security Incident.

4.3. Your security assessment. You are solely responsible for reviewing the Security Measures and evaluating for yourself whether the Products, the Security Measures and our commitments under this Section 4 will meet your needs, including with respect to any security obligations of yourself under Applicable Data Protection Laws. You acknowledge and agree that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by us as set out in this Section 4 provide a level of security appropriate to the risk in respect of the Customer Personal Data.

5. Sub-processing

5.1. Sub-processors. You consent to us engaging Sub-processors to process Customer Personal Data, provided that we maintain an up-to-date list of our Sub-processors. Up-to-date information about Sub-processors, including their functions and locations, is available in Appendix 3 (as may be updated by us from time to time). We will (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Personal Data to the standard required by Applicable Data Protection Laws (and, in substance, to the same standard provided by this DPA) and (ii) remain liable to you if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant processing activities under the Agreement.

5.2. Changes to Sub-processors. We will notify you of any intended changes through the addition or replacement of Sub-processors at least two weeks in advance. You may object in writing to our addition or replacement of a Sub-processor within two weeks from our notice, provided that such objection is based on reasonable grounds relating to data protection. If the parties are not able to reach a solution to such objection, you may, as your sole and exclusive remedy, terminate the applicable subscription of Products. If you do not object within the prescribed time frame, we will deem you to have authorized the new Sub-processor.

6. Deletion and export of data

6.1. Prior to the expiration of the Subscription Term, you have the possibility to export Your Data, including Customer Personal Data, as set forth in the Agreement using the functionality of the Products. Unless otherwise set forth in the Agreement, upon expiration of the Subscription Term, we will delete any remaining Customer Personal Data (including existing copies) from our systems as soon as reasonably practicable, unless applicable law prevents us from deleting such data. To the extent that you are bound by laws or regulations that would require us to retain Customer Personal

6.2. Data after expiration of the Subscription Term and you do not inform us of such retention obligations prior to the expiration of the Subscription Term, you shall be solely liable for any deletion of such data by us.
This DPA will terminate simultaneously and automatically upon deletion of the Customer Personal Data in accordance with Section 6.1.

7. Right of data subjects

7.1. If we receive any request from a data subject in relation to Customer Personal Data, we will, at our sole discretion, (i) advise you of the request, (ii) advise the data subject to submit the request to you, and/or (iii) notify the data subject that the request has been forwarded to you. You will be responsible for responding to any such request.

7.2. We will, taking into account the nature of the processing under this DPA, support you, as controller or in assisting the controller as the case may be, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subjects’ rights laid down in

7.3. Applicable Data Protection Laws, including Chapter III of the GDPR.
We reserve the right, to the extent permitted by Applicable Data Protection Laws, to charge you for any such support beyond providing self-service features included as part of the Products and other reasonable minor assistance at our then current professional services rates.

8. Demonstration of compliance

8.1. Audits. You may, through a mutually agreed third-party auditor, audit our compliance with our obligations under this DPA up to once per year or as frequent as required under Applicable Data Protection Laws or by your supervisory authority. We will contribute to such audits by providing you or your supervisory authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to the Products. We reserve the right to object to the auditor if the auditor is, in our reasonable opinion, not suitably qualified or independent, a competitor of us, or otherwise manifestly unsuitable. Such objection by us will require you to appoint another auditor.

8.2. Request for Audit. To request an audit, you must submit a detailed proposed audit plan to us at least one month in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. We will review the proposed audit plan and provide you with any concerns or questions (for example, any request for information that could compromise our security, privacy, employment or other relevant policies). We will work cooperatively with you to agree on a final audit plan.

8.3. Audit reports. If the requested audit scope is addressed in an audit report (in line with industry standard) performed by a qualified independent third-party auditor within twelve (12) months of your audit request and we confirm there are no known material changes in the controls audited, you agree to accept those findings in lieu of requesting an audit of the controls covered by the report.

8.4. Conditions of audit. The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan, and may not unreasonably interfere with our business activities. You will promptly notify us of any non-compliance discovered during the course of an audit and provide us with any audit reports generated in connection with any audit under this Section 8, unless prohibited by Applicable Data Protection Laws or otherwise instructed by a supervisory authority. You may use the audit reports only for the purposes of meeting your regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports and any of our information shared during the audit process are confidential information of the parties to the extent permissible by

Applicable Data Protection Laws, and may only be used by or disclosed to persons or entities who have a need to know in connection with the performance of the audit requested. We reserve the right to require you and/or the third-party auditor to enter into an applicable non-disclosure agreement with us before the start of an audit.

8.5. Expenses of audit. Any audits are at your expense. You shall reimburse us for any time expended by us or our Sub-processors in connection with any audits or inspections under this Section 8 at our then-current professional services rates. You will be responsible for any fees charged by any auditor appointed by you to execute any such audit.

8.6. Law enforcement. If a law enforcement agency sends us a demand for Customer Personal Data, e.g. a subpoena or court order, we will attempt to redirect the law enforcement agency to request that data directly from you. As part of this effort, we may provide your contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then we will give you reasonable notice of the demand to allow you to seek a protective order or other appropriate remedy, to the extent we are legally permitted to do so.

9. Liability

The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement, this DPA and the Standard Contractual Clauses combined will be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement, except that nothing of the foregoing will affect any party’s liability to data subjects under the third party beneficiary provisions of the Standard Contractual Clauses to the extent limitation of such rights is prohibited by Applicable Data Protection Laws in Europe.

10. Miscellaneous

10.1. Notices. Any notices required or permitted to be given by us to you may be given in accordance with the notice clause of the Agreement.

10.2. Hierarchy. Except as explicitly set out in this DPA, the Agreement remains unchanged and in full force and effect. The order of precedence in case of any conflict, exclusivity in relation to the processing of personal data or personal information under this DPA, will be, in the order or priority: (i) this DPA and iii) the Agreement.

10.3. Governing law. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provision in the Agreement, unless required otherwise by Applicable Data Protection Laws.

APPENDIX 1

SUBJECT MATTER AND DETAILS OF THE PROCESSING OF PERSONAL DATA

This Appendix 1 is incorporated into the Data Processing Addendum.

The parties acknowledge that our processing of personal data will include all personal data submitted or uploaded to our Products (within the functionality of our Products) by you or your Users from time to time, for the purposes of, or otherwise in connection with, your or your Users use of the Products we provide to you.

Set out below are descriptions of the processing and transfers of personal data as contemplated as of the date of this DPA. Such descriptions are subject to change or may be amended from time to time pursuant to Section 2.1 of the DPA.

Starhive Products and account profiles

Categories of data subjects whose personal data is transferred	Customers and its users
Categories of personal data transferred	Starhive account data, Starhive usage data, and customer personal data.
Sensitive data transferred	Starhive account data and Starhive usage data do not contain data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, or (iii) relating to criminal convictions and offences (altogether “Sensitive Data”). Customers or its users may upload content to the Products, which may include sensitive data, the extent of which is determined and controlled solely by the customer.
Duration of the processing	During the Subscription Term, customers and its users may, through the features of the Products, access, retrieve or delete Customer Personal Data. Following the expiration or termination of the Subscription, Starhive must delete all Customer Personal Data. Notwithstanding the foregoing, Starhive may retain Customer Personal Data (i) as required by Applicable Data Protection Law or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Starhive will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Customer Personal Data and not further process it except as required by Applicable Data Protection Law.
Nature of the processing	Starhive will process Personal Data in order to provide the Products and related support and advisory services in accordance with the Agreement, including this DPA.
Purpose(s) of the data transfer and further processing	Starhive will process Personal Data in order to provide the Products and related support services in accordance with the Cloud Terms of Service, including this DPA
The frequency of the transfer	Continuously
Sub-Processors	See Appendix 3

APPENDIX 2

SECURITY MEASURES

This Appendix 2 is incorporated into the Data Processing Addendum.

We will implement and maintain the technical and organizational Security Measures set out at below. We may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Products.

The following table provides more information regarding the technical and organizational Security Measures set forth below:

SECURITY MEASURES
Measures of pseudonymisation and encryption of personal data	Encryption of data at rest and in transit
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services	We use security-in-depth solutions for all our systems and services. We use separate monitoring, logging, and audit trail systems to ensure integrity.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	Encrypted backups are stored separately in case of disaster recovery.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing	Incident Management process is in place.
Measures for user identification and authorization	We use Identity Provider solutions via AWS and Google
Measures for the protection of data during transmission	Encryption of data in transit via TLS1.2 and above
Measures for the protection of data during storage	Encryption of data at rest
Measures for ensuring physical security of locations at which personal data are processed	Physical access to data is managed by our sub-processors. We do not store any data on-premise.
Measures for ensuring events logging	Starhive events are kept for 30 days Infrastructure events are kept for 90 days
Measures for ensuring system configuration, including default configuration	System configurations are immutable. Infrastructure components are available as IaC(Infrastructure as Code)
Measures for internal IT and IT security governance and management	The application is designed and built according to security best practices to protect the integrity and availability of customers’ data.
Measures for ensuring data minimisation	We retain only the user data necessary to ensure the application's functionality and operational reliability. All data that is no longer relevant to fulfill it's intended purpose is automatically purged after a period of 30 days.
Measures for ensuring data quality	Data provided by Customers are not quality assured by us.
Measures for ensuring accountability	All user data is displayed in the user's profile, and the right to be forgotten is fulfilled by enabling the user to delete their account.
Technical and organizational measures to be taken by the (sub-) processor	See Appendix 3

APPENDIX 3

THIRD-PARTY SUB-PROCESSORS

Starhive uses the third-party entities below (each, a “sub-processor”) to process personal data on behalf of Starhive customers and in accordance with contract terms between Starhiveand the sub-processor to uphold Starhive’s commitments in Starhive Data Processing Addendum.

This Appendix 3 is incorporated into the Data Processing Addendum.

Sub-processor	Nature and purpose of processing	Categories of personal data	Location of processing	Security measures
Amazon Web Services, Inc.	Cloud hosting provider	Personal data contained in user account information and text or files created by customers and stored in Starhive	EEA (Sweden)	AWS Compliance Programs
Atlassian Pty, Ltd.	Customer service and technical support	Personal data contained in user account information and text or files created by customers and shared during Starhive support communications.	EEA (Sweden, Ireland and Germany)	Atlassian Security and Compliance
HubSpot, Inc.	Cloud hosting provider and communication technology provider for market communication	Personal data contained in account information and provided by customers in website forms.	EEA	HubSpot Trust Center
Stripe, Inc.	Payment provider	Personal data contained in account information provided by customers upon payment to Starhive.	EEA (Ireland)	Stripe Data Privacy Framework
Google LLC	Cloud hosting provider, analytics, and collaboration technology provider	Personal data contained in user account information and text or files created by customers and shared during Starhive support communications. Location data submitted when using the location attribute. The location attribute is integrated with the Google Maps Platform.	EEA	Google Compliance
Peaberry Software, Inc.	Marketing automation and analytics	Personal data contained in account information and provided by customers in website forms.	EEA	Customer.io Trust Center
Amplitude, Inc.	Product analytics	Personal data created by customer and stored in Starhive.	EEA	Amplitude Trust Centre
Buility Technology AB	Surveys	Personal data provided by customers in surveys	EEA	Konvolo Privacy Policy
n8n GmbH	Workflow automation	Personal data contained in user account information and provided by customers in website forms.	EEA (Germany)	n8n Trust Center

Features

Integrations

Asset management

Reports and dashboards

Lifecycle management

Maintenance tracking

Kit management

AI

Configuration

Flexible database

Asset relationships

Automations

Imports

Templates

User experience

Views

Forms

Branded interfaces

More

See all Starhive features →

Lansweeper

Atlassian Jira

Imports

Channels

IT asset management

Facilities management

Inventory management

Industrial assets

Leased assets

All Starhive solutions

Partner directory

Become a partner

Custom client apps

Resources

Getting started with Starhive

Starhive Academy

Templates

Documentation

Blog

Customer stories

Starhive blog

Expert guides

Ultimate no-code guide for IT

Starhive vs

About us

Pledge 1%

Careers

Data Processing Addendum