1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Cograph, Inc. ("Cograph," "Processor," "we," or "us") and the customer agreeing to these terms ("Customer," "Controller," or "you").
This DPA applies to the extent that Cograph processes Personal Data on behalf of Customer in connection with the provision of Services as described in the Agreement. This DPA is effective as of the date you accept the Agreement.
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data processing matters.
2. Definitions
In this DPA, the following terms have the meanings set forth below:
- "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data, including GDPR, UK GDPR, CCPA, and other applicable privacy laws.
- "Controller" means the entity that determines the purposes and means of Processing Personal Data.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
- "Personal Data" means any information relating to a Data Subject that is Processed by Cograph on behalf of Customer in connection with the Services.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Processing" (and its cognates) means any operation performed on Personal Data, whether or not by automated means.
- "Processor" means an entity that Processes Personal Data on behalf of the Controller.
- "Services" means the Cograph offboarding intelligence platform and related services provided under the Agreement.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international data transfers.
- "Sub-processor" means any third party engaged by Cograph to Process Personal Data on behalf of Customer.
3. Scope and Processing Roles
3.1 Scope of Processing
This DPA applies to all Processing of Personal Data by Cograph in connection with the Services, including:
- Employee data from connected integrations
- Communication metadata and patterns (and, with consent, content)
- Document ownership and collaboration data
- Knowledge transfer records and captured content
- Usage data and activity logs
3.2 Roles
Customer is the Controller of Personal Data. Cograph is the Processor acting on Customer's behalf. Customer determines the purposes and means of Processing; Cograph Processes Personal Data only according to Customer's documented instructions.
3.3 Customer Obligations
Customer warrants that:
- It has lawful grounds to provide Personal Data to Cograph
- It has provided all required notices to Data Subjects
- It has obtained all necessary consents where required
- Its instructions to Cograph comply with Applicable Data Protection Laws
4. Details of Processing
4.1 Subject Matter and Duration
Cograph Processes Personal Data for the purpose of providing the Services as described in the Agreement. Processing continues for the duration of the Agreement and any applicable retention period thereafter.
4.2 Nature and Purpose of Processing
The nature and purpose of Processing includes:
- Analyzing workplace data to identify knowledge and expertise
- Generating risk assessments for employee departures
- Facilitating knowledge transfer between employees
- Creating and maintaining knowledge graphs
- Providing analytics and reporting
4.3 Categories of Data Subjects
Categories of Data Subjects include:
- Customer's employees (current and departing)
- Customer's contractors and consultants
- Individuals who interact with Customer's employees
4.4 Categories of Personal Data
Categories of Personal Data Processed include:
- Identification data: Names, email addresses, employee IDs, job titles
- Employment data: Department, manager, tenure, role
- Communication metadata: Email/message timestamps, participants, frequency
- Document metadata: File names, ownership, access patterns
- Collaboration data: Project involvement, code contributions
- Content data (only when enabled): Message content, document content
5. Processor Obligations
5.1 Processing Instructions
Cograph will Process Personal Data only on documented instructions from Customer, including with respect to transfers of Personal Data to a third country, unless required by applicable law. In such case, Cograph will inform Customer of that legal requirement before Processing, unless prohibited by law.
5.2 Confidentiality
Cograph will ensure that persons authorized to Process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security Measures
Cograph will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit and at rest
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience
- Processes for regularly testing, assessing, and evaluating effectiveness of security measures
- Access controls and authentication mechanisms
- Incident detection and response procedures
Detailed security measures are described in Annex II and our Security & Compliance documentation.
5.4 Sub-processing
Customer authorizes Cograph to engage Sub-processors to Process Personal Data. Cograph will:
- Maintain a list of current Sub-processors at getmeridian.net/security/subprocessors
- Notify Customer at least 30 days before adding or replacing Sub-processors
- Ensure Sub-processors are bound by data protection obligations equivalent to this DPA
- Remain fully liable for Sub-processor compliance
Customer may object to a new Sub-processor within 14 days of notification. If the objection cannot be resolved, Customer may terminate affected Services.
5.5 Assistance
Taking into account the nature of Processing, Cograph will assist Customer:
- In responding to Data Subject requests to exercise their rights
- In ensuring compliance with Customer's obligations regarding security, breach notification, impact assessments, and prior consultation
6. Data Subject Rights
6.1 Assistance
Cograph will assist Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, data portability, restriction, and objection.
6.2 Response Process
If Cograph receives a request directly from a Data Subject, Cograph will promptly inform Customer and will not respond to the request directly unless authorized by Customer or required by law.
6.3 Self-Service Features
The Services include features allowing Customer to respond to Data Subject requests, including:
- Data export functionality
- Data deletion capabilities
- Access logs and audit trails
7. Personal Data Breach
7.1 Notification
Cograph will notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Customer's Personal Data.
7.2 Breach Information
Notification will include, to the extent known:
- Description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
- Contact details for further information
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
7.3 Cooperation
Cograph will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8. International Data Transfers
8.1 Transfer Mechanisms
Cograph may transfer Personal Data to countries outside the EEA, UK, or Switzerland only when appropriate safeguards are in place:
- Adequacy decisions: Transfers to countries with adequate data protection (EU-US Data Privacy Framework)
- Standard Contractual Clauses: SCCs approved by the European Commission (incorporated by reference)
- Binding Corporate Rules: Where applicable to Sub-processors
8.2 Additional Measures
Cograph implements supplementary measures to protect transferred data, including:
- Encryption in transit and at rest using industry-standard protocols
- Data minimization and pseudonymization where appropriate
- Access controls limiting who can access Personal Data
- Regular security assessments and audits
8.3 Government Access Requests
If Cograph receives a government request for access to Personal Data, Cograph will:
- Notify Customer promptly (unless legally prohibited)
- Challenge requests that are overly broad or legally invalid
- Provide only the minimum data legally required
9. Audits and Compliance
9.1 Demonstration of Compliance
Cograph will make available to Customer information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.
9.2 Audit Rights
Customer (or an independent auditor) may conduct audits of Cograph's compliance with this DPA, subject to:
- Reasonable advance notice (at least 30 days)
- Conducting audits during normal business hours
- Taking reasonable measures to minimize disruption
- Confidentiality obligations regarding audit findings
9.3 Certifications
Cograph maintains the following certifications and attestations:
- Hosted on SOC 2 Type II certified infrastructure (Railway)
- AES-256 encryption at rest
- Annual penetration testing
Copies of certifications and audit reports are available upon request under NDA.
10. Data Deletion and Return
10.1 Upon Termination
Upon termination of the Agreement, Cograph will, at Customer's choice:
- Return all Personal Data to Customer in a standard format
- Delete all Personal Data (except as required by law)
Customer has 30 days after termination to export data. After this period, Cograph will delete Personal Data within 90 days.
10.2 Certification of Deletion
Upon request, Cograph will certify in writing that Personal Data has been deleted in accordance with this DPA.
11. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement, except that:
- Neither party limits its liability for breaches of confidentiality obligations
- Neither party limits its liability for willful misconduct
- Neither party limits liability to the extent prohibited by Applicable Data Protection Laws
12. General Provisions
12.1 Amendments
Cograph may update this DPA to reflect changes in Applicable Data Protection Laws or our practices. Material changes will be notified to Customer at least 30 days in advance.
12.2 Governing Law
This DPA is governed by the laws specified in the Agreement. For GDPR-related matters, the laws of Ireland apply.
12.3 Survival
Provisions of this DPA that should survive termination (including confidentiality, data deletion, and liability) will remain in effect.
Annexes
Annex I: Processing Details
A detailed description of processing activities, categories of data, and retention periods is available in the downloadable DPA PDF.
Annex II: Security Measures
Technical and organizational security measures are described in our Security & Compliance documentation and the downloadable DPA PDF.
Annex III: Sub-processor List
The current list of Sub-processors is maintained at getmeridian.net/security/subprocessors.
Annex IV: Standard Contractual Clauses
The EU Commission's Standard Contractual Clauses (2021/914) are incorporated by reference. Module Two (Controller to Processor) applies.
13. Contact
For questions about this DPA or to exercise rights under it, contact:
Cograph, Inc.
Data Protection Team
548 Market St, Suite 95879
San Francisco, CA 94104
Email: dpa@getmeridian.net
Data Protection Officer: dpo@getmeridian.net