Data Processing Agreement
Effective date: April 2026 — Version 1.0
Note: This DPA is automatically incorporated into the ControlHub for Sisense Terms of Service. By creating a ControlHub for Sisense account, you accept this DPA. If your organisation requires a separately executed copy, contact legal@controlhub.cloud.
This Data Processing Agreement (“DPA”) forms part of the agreement between RAPID BI PTY LTD (ABN 50 639 508 857) (“Processor”, “we”, “us”), and the entity agreeing to the ControlHub for Sisense Terms of Service (“Controller”, “you”, “Customer”).
This DPA applies to the extent that we process Personal Data on your behalf in connection with the ControlHub for Sisense service (“Service”).
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
- “Data Protection Laws” means all applicable laws relating to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), UK GDPR, the Australian Privacy Act 1988, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and any equivalent legislation in applicable jurisdictions (including US state privacy laws).
- “Processing” means any operation performed on Personal Data, including collection, storage, transfer, retrieval, erasure, or destruction.
- “Sub-processor” means any third party engaged by us to process Personal Data on your behalf.
2. Scope of Processing
2.1 Categories of Data Subjects
Personal Data processed under this DPA may relate to:
- Customer personnel who use the Service (account holders)
- Individuals whose data may be contained in CSV or Excel source files transferred during migrations
2.2 Types of Personal Data
| Data Category | Examples | Retention |
|---|---|---|
| Customer account data | Name, business email, company name | Duration of account + 30 days |
| Audit log data | IP addresses, user actions, timestamps | 365 days |
| Sisense asset metadata | Internal user OIDs (pseudonymised identifiers for asset ownership) | Duration of backup retention in your Git repository |
| Migration transit data | CSV/Excel file contents transferred between Sisense instances at your request | Not retained — exists in memory only during transfer |
2.3 Purpose of Processing
We process Personal Data solely to provide the Service as described in the ControlHub for Sisense Terms of Service, including:
- Authenticating and managing your account
- Backing up Sisense asset definitions to your designated Git repository
- Transferring assets between Sisense instances during migrations you initiate
- Monitoring Sisense instance uptime and dashboard health
- Maintaining audit logs of Service operations
- Sending transactional and operational communications
3. Processor Obligations
We shall:
- Process Personal Data only on your documented instructions, unless required by law.
- Ensure that persons authorised to process Personal Data have committed to confidentiality.
- Implement appropriate technical and organisational security measures (see Section 5).
- Not engage a Sub-processor without your prior general authorisation (see Section 6).
- Assist you in responding to data subject rights requests, to the extent reasonably possible.
- Assist you in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and information available to us.
- At your choice, delete or return all Personal Data upon termination of the Service, unless retention is required by law.
- Make available to you all information necessary to demonstrate compliance with this DPA and allow for audits and inspections (subject to reasonable notice and confidentiality).
4. Controller Obligations
You shall:
- Ensure you have a lawful basis for any Personal Data you provide to or process through the Service.
- Provide any required notices to, and obtain any required consents from, data subjects whose Personal Data may be transferred through the Service (e.g., in CSV/Excel files during migrations).
- Ensure that your instructions to us comply with applicable Data Protection Laws.
5. Security Measures
We implement the following technical and organisational measures to protect Personal Data:
- Encryption at rest: All stored credentials are encrypted using Fernet symmetric encryption with keys managed via environment variables.
- No plaintext logging: Credentials and sensitive data are never written to log files or error outputs.
- Data minimisation: We back up only asset definitions and metadata. Sensitive fields (passwords, secrets, SSO certificates, user emails) are redacted before storage.
- De-identification: Optional column-level PII hashing is available for CSV/Excel files during migrations, applied to copies only.
- Multi-tenant isolation: All data queries are filtered by client ID. Unauthorised access returns 404 (not 403) to prevent information leakage.
- Bring-your-own repository: Customers may use their own Git server for backup storage, keeping data under their own access controls.
- Immutable audit logging: All significant actions are logged with user, action, timestamp, IP address, and impersonation context. Logs are retained for 365 days.
- Access control: Role-based access with support for two-factor authentication (TOTP).
- Transit security: Migration data (including connection credentials) is held in memory only for the duration of transfer and is never persisted to disk.
6. Sub-processors
You provide general authorisation for us to engage Sub-processors. We will notify you of any intended changes to Sub-processors, giving you reasonable opportunity to object.
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Micron21 | Application hosting and database storage (highly available infrastructure) | Australia (Melbourne) |
| Postmark (ActiveCampaign LLC) | Transactional email delivery | United States |
| Airwallex | Payment processing and billing | Australia / Global |
Where Sub-processors are located outside the EEA/UK, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses or equivalent mechanisms).
7. International Transfers
RAPID BI PTY LTD is based in Australia. Where Personal Data originating in the EEA, UK, or Switzerland is transferred to Australia or other countries, such transfers are made in compliance with applicable Data Protection Laws, using one or more of the following mechanisms:
- EU Standard Contractual Clauses (SCCs) as approved by the European Commission
- UK International Data Transfer Agreement or Addendum, as applicable
- Adequacy decisions, where available
- Your explicit consent or instructions (e.g., when you initiate a migration between instances in different jurisdictions)
8. UK-Specific Provisions
To the extent that UK GDPR applies to the processing of Personal Data under this DPA:
- References to “GDPR” shall include the UK GDPR (the EU GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019).
- References to “supervisory authority” shall include the UK Information Commissioner’s Office (ICO).
- Where Personal Data originating in the UK is transferred to Australia, such transfer is governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the ICO. These transfer mechanisms are incorporated by reference into this DPA.
- In the event of conflict between this DPA and the IDTA or UK Addendum, the IDTA or UK Addendum shall prevail to the extent of the conflict.
9. US-Specific Provisions
To the extent that US state privacy laws apply to the processing of Personal Data under this DPA:
9.1 California (CCPA/CPRA)
Where the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), applies:
- We act as a Service Provider (as defined under CCPA) with respect to Personal Data we process on your behalf.
- We shall not sell or share (as defined under CCPA) Personal Data received from you.
- We shall not retain, use, or disclose Personal Data for any purpose other than performing the Service, as permitted under CCPA.
- We shall not combine Personal Data received from you with Personal Data received from other sources, except as permitted by CCPA to perform the Service.
- We certify that we understand and will comply with these restrictions.
- We will assist you in responding to verifiable consumer requests to the extent reasonably possible.
- You may, upon reasonable notice, take steps to verify our compliance with these obligations.
9.2 Other US State Privacy Laws
Where other US state privacy laws apply (including but not limited to the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and similar legislation):
- We act as a Processor (or equivalent designation under the applicable law) with respect to Personal Data we process on your behalf.
- We process Personal Data only in accordance with your instructions as set out in this DPA and the Terms of Service.
- We implement appropriate technical and organisational measures as described in Section 5 of this DPA.
- We will assist you in meeting your obligations under applicable state privacy laws, including responding to consumer rights requests.
9.3 EU-US Data Privacy Framework
Where Personal Data originating in the EEA is transferred to Sub-processors in the United States, we ensure such Sub-processors are certified under the EU-US Data Privacy Framework (DPF) or are subject to Standard Contractual Clauses, as applicable.
10. Data Subject Rights
If we receive a request from a data subject (or consumer, under US law) to exercise their rights under applicable Data Protection Laws (including access, rectification, erasure, restriction, portability, objection, or opt-out of sale/sharing), we will promptly notify you and assist you in responding, unless prohibited by law.
We will not independently respond to data subject or consumer requests unless instructed or authorised by you, except to direct the individual to you.
11. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay and in any event within 72 hours of becoming aware of the breach (or within the timeframe required by applicable US state law, if shorter).
- Provide sufficient information for you to meet your obligations to report the breach to supervisory authorities, state attorneys general, and/or affected data subjects or consumers, as applicable.
- Cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
12. Data Retention and Deletion
- Account data: Retained for the duration of your account. Upon account termination, deleted within 30 days unless retention is required by law.
- Audit logs: Retained for 365 days, then automatically purged.
- Backup data in Git: Stored in your designated Git repository (managed or self-hosted). You control retention and deletion. If using managed storage, data is deleted within 30 days of account termination.
- Migration transit data: Not retained. Exists in memory only during the transfer operation.
You may request deletion of your data at any time by contacting legal@controlhub.cloud.
13. Audits
Upon reasonable written request (no more than once per year, unless a breach has occurred), we will make available information necessary to demonstrate compliance with this DPA. Audits shall be conducted at your expense, during business hours, with reasonable advance notice, and subject to confidentiality obligations.
14. Limitation of Liability
- Our total aggregate liability under or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed the amount you have paid to us for the Service in the 12 months preceding the event giving rise to the claim.
- We shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, revenue, data (except as specifically provided for in this DPA), business opportunity, or goodwill, even if advised of the possibility of such damages.
- We shall not be liable for any loss or damage arising from:
  - Your failure to maintain adequate security measures for credentials or access to your Sisense instances or Git repositories;
  - Your instructions to process data in a manner that is not compliant with applicable Data Protection Laws;
  - Personal Data contained in CSV or Excel files that you choose to transfer via the migration feature, where you have not applied available de-identification measures;
  - Actions of third parties, including your Sisense instance provider, Git hosting provider, or Sub-processors, to the extent their actions are beyond our reasonable control;
  - Your failure to use the bring-your-own-repository option where your security policies require data to remain within your infrastructure.
- Nothing in this DPA excludes or limits liability that cannot be excluded or limited under applicable law, including liability for fraud or wilful misconduct.
15. Indemnification
You shall indemnify and hold us harmless from any claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from:
- Your breach of applicable Data Protection Laws in connection with your use of the Service;
- Your failure to obtain necessary consents or provide required notices to data subjects whose Personal Data is processed through the Service;
- Personal Data you provide or transfer through the Service in violation of your obligations under this DPA or applicable law.
16. Term and Termination
This DPA shall remain in effect for the duration of your use of the Service. Obligations relating to the processing and security of Personal Data survive termination of this DPA.
17. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Victoria, Australia. The parties submit to the exclusive jurisdiction of the courts of Victoria. To the extent required by applicable Data Protection Laws, the provisions of those laws shall take precedence.
18. Contact
For questions about this DPA or to exercise your rights: