Feb 18, 2026

ANNEX C: DATA PROCESSING ADDENDUM


This Annex C "Data Processing Addendum" (the "DPA") forms part of the GTC and any Order Form(s) executed thereunder, including the relevant Schedule(s), concluded between Service Provider and Customer. 

Under the Agreement, Service Provider will Process Personal Data on behalf of Customer. With this DPA, the Parties intend to govern this Processing for the purposes of the Swiss DPA and, where applicable, the GDPR, including any transfer of Personal Data to a non-whitelisted country and any Processing of Personal Data for Service Provider's own purposes.

I. DEFINITIONS

In this DPA, the following defined terms are used. Additionally, the terms "Personal Data", "Processing", "Processor", "Sub-Processor", "Controller" and "Data Subjects" shall have the meanings ascribed to them in the Swiss DPA and, where applicable, the GDPR.

"Affiliate" means any legal entity, which is directly or indirectly controlled by a Party, which directly or indirectly controls a Party, or which is directly or indirectly under the control of the same legal entity as a Party.

"Clause" refers to a clause of the EU SCC. 

"Country with an Adequate Level of Data Protection" means a country or territory whose legislation ensures an adequate level of data protection according to both an adequacy decision by the European Commission and a corresponding assessment by the FDPIC or the Federal Council (as the case may be).

"EEA" means the European Economic Area.

"EU SCC" mean the standard contractual clauses as approved by the Decision of the European Commission of June 4, 2021 [C(2021)3972 final].

"FDPIC" means the Federal Data Protection and Information Commissioner.

"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

"Swiss DPA" means the Swiss Federal Act on Data Protection, as amended from time to time, including its ordinances.

II. PROCESSING

  A. Scope and Characteristics of the Processing

This DPA governs the Processing of Personal Data by Service Provider as a Processor or Sub-Processor of Customer acting as a Controller or Processor in the performance of the Agreement. 

Where Customer itself acts as a Processor (e.g., for a customer), it alone shall be responsible for communicating with the controller and Service Provider may consider its instructions as those of the controller and assume that it is always acting on its authorization. 

All Personal Data received by Service Provider from Customer, an Affiliate of Customer, or a third party, or created by Service Provider itself in the course of Processing, shall be included. 

The subject matter, duration, nature and purpose of the Processing, as well as the types of Personal Data Processed and the categories of Data Subjects, are specified in the relevant Schedule(s) of the Agreement.

  B. Obligations of Customer

Customer undertakes and guarantees vis-à-vis Service Provider that:

  1. the processing by, the engagement of and instructions to Service Provider are in compliance with the Swiss DPA and, where applicable, the GDPR and any other applicable data protection legislation and otherwise remain lawful during the term of the DPA;

  2. the technical and organizational measures in accordance with Exhibit A (Technical and Organizational Measures) are appropriate for processing and the associated risks and will remain appropriate during the term of the DPA; 

  3. it has made or obtained all notifications, registrations, regulatory approvals, and consents from Data Subjects that are necessary for the lawful Processing of Personal Data by Service Provider as a Processor according to the Swiss DPA and, where applicable, the GDPR and other applicable data protection law; and

  4. it shall respond in a lawful and appropriate manner to all requests from Data Subjects exercising their rights under applicable data protection laws, as well as from supervisory authorities and other third parties.

  C. Processing of Personal Data by Service Provider

    1. Obligations of Service Provider

Service Provider undertakes to Customer:

  1. to Process Personal Data, unless otherwise agreed, only for the purposes of Customer and in each case only for the purpose of fulfilling the Agreement and in accordance with the documented instructions of Customer; the Agreement, including this DPA, as well as the services agreed upon by the Parties and the configurations and options chosen by Customer and the instructions provided for in the Agreement are the final and binding instructions of Customer, unless otherwise agreed. If Customer wishes to adapt these provisions, it shall propose this to Service Provider; if the Agreement provides for no special process for contract amendments, Service Provider shall examine the request for adaptation in good faith; if the Parties cannot agree on an adaptation within thirty (30) days, Customer may extraordinarily terminate the Processing and the performance of the Agreement affected thereby, insofar as it shows that the requested contract amendment is necessary under data protection law;

  2. not to disclose or transfer any Personal Data abroad, except:

    1. to Customer itself, its Affiliates or to third parties in fulfillment of an instruction of Customer or as provided in the Agreement (this does not apply to transfers to Sub-Processors of Service Provider or other third parties engaged by Service Provider);

    2. to a recipient in a Country with an Adequate Level of Data Protection, unless a stricter provision is agreed in the Agreement;

    3. to a recipient not located in a Country with an Adequate Level of Data Protection, provided that the conditions required under the Swiss DPA and, where applicable, the GDPR for a lawful disclosure or transfer of Personal Data have been met, unless a stricter provision is agreed in the Agreement; or 

    4. if this is agreed with Customer in the Agreement or otherwise;

  3. to implement and maintain the technical and organizational measures provided in Exhibit A (Technical and Organizational Measures) to ensure the confidentiality, integrity, and availability of Personal Data and the traceability of their processing in accordance with the requirements of the applicable data protection regulations at all times and to protect Personal Data against unauthorized Processing, unauthorized access or unauthorized disclosure, as well as against accidental or unlawful falsification, destruction or loss, whereby it is further agreed between the parties with regard to the traceability of the processing that Customer shall ensure that any logging obligations incumbent on the Parties (such as in particular those under Article 4 of the Swiss Data Protection Ordinance, where applicable) are complied with; Service Provider may adapt these measures if necessary, provided that the overall level of protection is substantially maintained; in such cases, it shall adapt Exhibit A (Technical and Organizational Measures) and notify Customer in an appropriate manner; 

  4. to entrust the Processing of Personal Data only to employees and other auxiliary persons (including all third parties working on the instructions of Service Provider and falling under Article 29 GDPR) who are contractually or legally bound to confidentiality when Processing Personal Data; 

  5. to delegate the Processing of Personal Data to third parties (other than employees and other auxiliary persons who meet the requirements of Section II.C.1.e) above) only with the prior written consent of Customer and only to a Sub-Processor that has undertaken to Process the Personal Data in accordance with the requirements of the Swiss DPA and, where applicable, in accordance with Article 28(3) of the GDPR. Consent shall be deemed to have been granted in general for all Sub-Processors on the list of Sub-Processors included in the Service Provider's list provided at https://www.hashgraph-group.com/contracts/sub-processors at the time of this DPA; if Service Provider wishes to extend or adjust the list to include further Sub-Processors, it shall notify Customer in text form in an appropriate manner at least sixty (60) days in advance (e.g. by means of an e-mail or notification function in case of adjustments to the list, insofar as it is made available on the Internet). Customer may object in writing within fifteen (15) days to an extension or adjustment of the list; it shall do so only for justified reasons under data protection law; if the Parties cannot agree within fifteen (15) days, Customer may extraordinarily terminate the Processing and the service of the Agreement affected thereby, provided it shows that the objection is necessary under data protection law; stricter provisions regarding the involvement of Sub-Processors for the benefit of Customer in the Agreement remain reserved;

  6. to notify Customer promptly at the email address provided by Customer (and in the absence of such an address, at the contact address provided in the Order Form(s) of the Agreement) of any data breach (as defined in the GDPR), with the information pursuant to Article 33(3) GDPR and the corresponding provisions of the Swiss DPA as is reasonably available to Service Provider; 

  7. to assist Customer, upon its request, in complying with the GDPR, the Swiss DPA and other applicable data protection laws, taking into account the nature of the Processing and the information available to Service Provider, in particular in complying with its obligations (i) towards Data Subjects exercising their rights under applicable data protection laws (including Chapter III of the GDPR and the corresponding provisions of the Swiss DPA and other applicable data protection laws), and (ii) pursuant to Articles 32 to 36 of the GDPR and the corresponding provisions of the Swiss DPA and other applicable data protection laws;

  8. to inform Customer promptly if, in its opinion, an instruction from Customer violates applicable data protection laws or other applicable laws; 

  9. to provide Customer with all information necessary to demonstrate Service Provider's compliance with this Section II.C.1. and to permit and assist in audits and inspections by Customer or by audit firms commissioned by Customer for this purpose; Customer agrees that it shall exercise this audit right, to the extent possible, only by relying on the review of any certifications and audit reports of independent audit firms provided by Service Provider; and

  10. to return all or certain Personal Data to Customer, at Customer's choice, subject to any applicable legal retention obligations, or to delete such Personal Data without retaining a copy upon termination of the Agreement or upon request of Customer, and to confirm such deletion to Customer.

    2. Special expenses, indemnification

Unless otherwise agreed in the individual case, Customer shall reimburse Service Provider for the costs and expenses incurred by Service Provider in providing Customer with support services pursuant to Section II.C.1. or in otherwise assisting Customer in complying with the Swiss DPA, the GDPR, if applicable, and other applicable data protection laws, in each case to the extent that Customer cannot prove that these expenses were caused by Service Provider itself or are not to be borne by Customer pursuant to an express provision in the Agreement.

Customer shall indemnify and hold Service Provider harmless from and against any and all claims of third parties based on a breach of this DPA (including any agreed Section III) or applicable data protection laws. Such indemnification shall apply in particular to any damages, costs, administrative sanctions, claims or expenses incurred by Service Provider as a result of such violations. It, as well as any potential claims for damages by Service Provider and its Affiliates, shall not be subject to any limitation or exclusion of liability agreed in the Agreement, unless expressly agreed otherwise with respect to this Section. 

III. TRANSFERS TO NON-WHITELISTED COUNTRIES

Insofar as Customer is not in a Country with an Adequate Level of Data Protection, the Parties agree to the application of this Section III. In the event of a conflict, the provisions of this Section III shall prevail over the provisions of Section II.

  A. Application of the EU SCC

If and to the extent that Customer is not in a Country with an Adequate Level of Data Protection, the EU SCC as agreed and compiled below shall apply to the transfer of Personal Data to Customer as a Controller in accordance with the relevant Schedule(s) of the Agreement, with Service Provider being the "data exporter" and Customer being the "data importer":

  1. Clauses 1-6;

  2. Clause 8 with the provisions for "Module Four", including the introductory paragraph;

  3. Clauses 10-12 with the provisions for "Module Four", including Clause 11(a), but without the provisions of the "Option" of Clause 11(a);

  4. Clauses 14-15 with the provisions for "Module Four", if and to the extent that Service Provider combines the Personal Data received from Customer with Personal Data collected by Service Provider in the EEA or in Switzerland in the course of the Processing; Service Provider may be reimbursed by Customer for its efforts and expenses in connection with Clauses 14-15 and their fulfilment in accordance with the provision in Section II.C.2.; the Parties agree that the Client shall provide the documentation required under Clause 14(d) and submit it to Service Provider upon first request; Customer shall also be responsible for any further transfer impact assessments required due to the onward transfer of data collected in the EEA or in Switzerland and shall prove to Service Provider upon first request that it has fulfilled this responsibility;

  5. Clause 16 with the provisions for "Module Four";

  6. Clause 17 with the provisions for "Module Four", whereby Swiss law shall be deemed to be the law agreed by the Parties for the purposes of Clause 17;

  7. Clause 18 with the provisions for "Module Four", whereby the courts of Switzerland shall be deemed the competent courts for the purposes of Clause 18; 

  8. To the extent that a transfer is subject to the Swiss DPA, the following adjustments to the above agreed Clauses of the EU SCC shall also apply (for the purposes of the GDPR, these adjustments shall have no effect):

  1. References to "Regulation (EU) 2016/679" or "this Regulation" are to be understood as references to the Swiss DPA, to the extent applicable;

  2. References to "Regulation (EU) 2018/1725" shall be omitted;

  3. The terms "Union", "EU" and "EU Member State" are to be understood as reference to Switzerland.

  B. Content of the Annexes

For the EU SCC Annexes referred to in the Clauses of the previous paragraph, the following applies:

  1. Annex I.A. shall consist of:

  1. the information in the relevant Order Form(s) of the Agreement, with Service Provider as the "Data Exporter" acting as the "Processor", and Customer as the "Data Importer" acting as the "Controller";

  2. the contact information of Customer and Service Provider as set forth in the relevant Order Form(s) of the Agreement;

  3. the Processing activities as defined in the relevant Schedule(s) of the Agreement or in the list referenced therein;

  2. Annex I.B. shall consist of the relevant information regarding (i) the Processing and (ii) any sub-Processing, as defined in the relevant Schedule(s) of the Agreement;

  3. Annex II shall consist of Exhibit A (Technical and Organizational Measures) to this DPA.

  C. Additional Provisions

    1. The Parties confirm that they are in possession of the EU SCC and therefore do not need to attach them in duplicate to this DPA;

    2. Customer shall support Service Provider in complying with the Swiss DPA and, where applicable, the GDPR and other applicable data protection laws in connection with transfers to recipients that are not located in a Country with an Adequate Level of Data Protection, appropriately and at its own expense upon first request.

IV. CONTROLLER-TO-CONTROLLER CLAUSES

If and to the extent that the Parties have agreed in the relevant Schedule(s) of the Agreement to the application of this Section, the following applies. In the event of a conflict, the provisions of this Section IV shall prevail over the provisions of Section II.

  A. Application of the EU SCC

If for the purposes of, or in connection with, the performance of the Agreement, Service Provider Processes Personal Data from Customer as a Controller, and Customer does not have its seat in a Country with an Adequate Level of Data Protection, then the EU SCC as agreed and compiled below shall apply to any transfer of Personal Data by Service Provider as a Controller to Customer as another Controller, with Service Provider being the "data exporter" and Customer being the "data importer":

  1. Clauses 1-6;

  2. Clause 8 with the provisions for "Module One", including the introductory paragraph;

  3. Clause 10 with the provisions for "Module One";

  4. Clause 11 with the provisions for "Module One", including Clause 11(a), but without the provisions of the "Option" of Clause 11(a);

  5. Clause 12 with the provisions for "Module One";

  6. Clause 13 with the provisions for "Module One"; if one of the three cases described in Clause 13(a) applies, only the corresponding text is applicable; if none of the three cases described in Clause 13(a) apply to the data exporter in the particular case, the provisions provided for the first case in Clause 13(a) shall apply accordingly;

  7. Clauses 14-15 with the provisions for "Module One"; for the purposes of Clause 15(1)(a), in case of government access requests, Provider shall (only) notify Company, with Provider's obligation to notify the data subjects being delegated to Company;

  8. Clause 16 with the provisions for "Module One";

  9. Clause 17 with the provisions for "Module One" and "Option 1", with the law agreed by the Parties for the purposes of Clause 17 being the same as in Section III.A.f) above; 

  10. Clause 18 with the provisions for "Module One", with the competent courts for the purposes of Clause 18 being the same as in Section III.A.g) above.

  11. To the extent that a transfer is subject to the Swiss DPA, the following adjustments to the above agreed Clauses of the EU SCC shall also apply (for the purposes of the GDPR, these adjustments shall have no effect):

  1. References to "Regulation (EU) 2016/679" or "this Regulation" are to be understood as references to the Swiss DPA, to the extent applicable;

  2. References to "Regulation (EU) 2018/1725" shall be omitted;

  3. The terms "Union", "EU" and "EU Member State" are to be understood as reference to Switzerland.

  B. Content of the Annexes

For the EU SCC Annexes referred to in the Clauses of the previous paragraph, the following applies:

  1. Annex I.A. shall consist of:

  1. the information in the relevant Order Form(s) of the Agreement, with Service Provider as the "Data Exporter" acting as the "Controller", and Customer as the "Data Importer" acting as the "Controller";

  2. the contact information of Customer and Service Provider as set forth in the relevant Order Form(s) of the Agreement;

  3. the Processing activities as defined in the relevant Schedule(s) of the Agreement or in the list referenced therein;

  2. Annex I.B. shall consist of the relevant information regarding (i) the Processing and (ii) any sub-Processing, as defined in the relevant Schedule(s) of the Agreement;

  3. Annex II shall consist of Exhibit A (Technical and Organizational Measures) to this DPA.

V. Professional Secrecy

Service Provider acknowledges that the Processing of Personal Data and other Customer Data (as defined in the Agreement) may be subject to official, professional and other statutory secrecy obligations (e.g., for Switzerland Art. 320 et seqq. Swiss Penal Code) (the "Secrecy Laws"). Service Provider will keep Customer Data that is subject to Secrecy Laws confidential for as long as required by such Secrecy Laws (even after the term of the Agreement) and use it only as necessary to perform the Agreement, including this DPA, and will not disclose it to any third party, except as necessary to comply with Customer's instructions, the obligations of the Agreement, including this DPA, or a valid and binding order of a competent governmental body (such as a subpoena, warrant, or court order). In the event that Service Provider is confronted with an order to grant access to, or produce, Customer Content, Service Provider will, in addition to its other obligations, before complying with such order, at the cost and risk of Customer and unless instructed otherwise by Customer, (a) if legally permitted inform Customer (and if not attempt to obtain permission to inform) and permit Customer to challenge and limit such request and obtain confidential treatment, and (b) itself use all lawful efforts to challenge and limit such request on the basis of any legal deficiencies of the law of the requesting party, other applicable law and the principles of international comity and any conflicts with the law of Customer including Secrecy Laws, and in any event produce only the minimum Customer Data required to satisfy the order. Service Provider will impose upon its staff and subcontractors at least materially similar obligations as in this clause to the extent they may have access to Customer Data in clear text. All provisions in this DPA shall apply mutatis mutandis so as to also protect Customer Data that is subject to Secrecy Laws.

VI. OTHER PROVISIONS

Furthermore, the Parties agree as follows:

  1. Each Party shall bear its own costs for implementing this DPA, unless expressly agreed otherwise in connection with or in this DPA.

  2. Each Party shall fulfill its obligations in accordance with the data protection provisions applicable to it, in particular the provisions of the Swiss DPA and, to the extent applicable, the GDPR. This shall apply in particular if Service Provider Processes Personal Data received from Customer or otherwise obtained in connection with the Agreement as a Controller. In this respect, Customer allows Service Provider to Process Personal Data and other data for (i) the purposes of the Agreement and the rights and obligations arising therefrom (e.g. for the provision of the services and invoicing), (ii) the improvement of Service Provider's products and services, (iii) non-personal purposes (e.g. statistical evaluations), provided that no personal data is published or disclosed to third parties who are not obliged to maintain confidentiality, and (iv) compliance with statutory and self-regulatory obligations. Upon request, Customer shall inform the Data Subjects of Service Provider's privacy notice, insofar as Service Provider does not do so itself. Insofar as Customer provides Service Provider with Personal Data for Processing as Controller (e.g. information on service recipients), Customer warrants that it may do so and that Service Provider may Process this Personal Data in accordance with the Parties' DPAs.

  3. Amendments to this DPA must be made in writing and duly signed by authorized representatives of the Parties. However, Service Provider may at any time request an amendment to this DPA to the extent that the Swiss DPA, the GDPR or other reasons of data protection, data security, or confidentiality require this according to its reasonable assessment; Customer shall not refuse such an amendment without good reason.

  4. All prior DPAs between the Parties regarding Processing of Personal Data are deemed superseded by this DPA as of its effective date. 

  5. In the event of a conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail if and to the extent that they relate to the Processing of Personal Data by Service Provider under the Agreement.

  6. The provisions of this DPA shall survive the termination of the Agreement, and shall remain in effect as long as Service Provider is in possession of or has access to the Personal Data covered by this DPA. 

  7. This DPA shall be governed by Swiss substantive law, excluding the Federal Act on Private International Law (IPRG) and the United Nations Convention on Contracts for the International Sale of Goods (Vienna Sales Convention/CISG). The exclusive place of jurisdiction for all disputes arising from or in connection with this FSA is Pfäffikon SZ, Switzerland.

February 2026

EXHIBIT A: TECHNICAL AND ORGANIZATIONAL MEASURES

  1. Introduction

The Hashgraph Group depends on Office 365 for its productivity and collaboration requirements. Therefore, it is crucial to establish a comprehensive security strategy to safeguard sensitive data and ensure compliance with relevant regulations.

  1. Objectives

  • Protect sensitive data from unauthorized access and breaches.

  • Ensure compliance with industry regulations and standards.

  • Maintain business continuity and minimize downtime.

  • Educate employees on security best practices.

  1. Key Components

    1. Identity and Access Management

To enhance our identity and access management controls, we have implemented and recommend adopting the following guidelines.

  • Multi-Factor Authentication (MFA): Implement MFA for all users to add an additional layer of security.

  • Conditional Access Policies: Utilize conditional access to enforce policies based on user location, device, and risk level.

  • Role-Based Access Control (RBAC): Assign permissions based on user roles to limit access to sensitive information.

  1. Data Protection

To strengthen our data protection efforts, we have established and encourage the adoption of the following guidelines.

  • Data Loss Prevention (DLP): Configure DLP policies to prevent the sharing of sensitive information outside the organization.

  • Encryption: Employ encryption for data at rest and in transit to safeguard sensitive information.

  • Information Rights Management (IRM): Implement IRM to control access and usage of documents and emails.

  1. Threat Protection

We have made significant investments in managing our data workflows by establishing and promoting the adoption of the following guidelines.

  • Advanced Threat Protection (ATP): Utilize ATP features to defend against phishing, malware, and other threats.

  • Safe Links and Safe Attachments: Activate Safe Links and Safe Attachments to scan and protect users from malicious content.

  • Security Alerts and Monitoring: Establish alerts for suspicious activities and regularly monitor security logs.

  1. Compliance and Governance

We are committed to ensuring that our internal ecosystem governance adheres to best practices by taking a proactive approach.

  • Compliance Center: Leverage the Microsoft Compliance Center to manage compliance requirements and assess risks.

  • Audit Logs: Enable audit logging to track user activities and changes within Office 365.

  • Retention Policies: Implement retention policies to manage data lifecycle and ensure compliance with legal requirements.

  1. User Education and Awareness

  • Security Training: Provide regular training sessions for employees on security best practices and phishing awareness.

  • Simulated Phishing Attacks: Conduct simulated phishing attacks to evaluate employee awareness and response.

  • Security Resources: Distribute resources and guidelines on how to recognize and report security threats.

  1. Implementation Plan

Our internal strategy will consistently undergo assessment and oversight. To ensure alignment with our business developments, we are continually updating our controls and security protocols.

  1. Assessment: Conduct a comprehensive security assessment to identify vulnerabilities and areas for improvement.

  2. Policy Development: Develop and document security policies and procedures.

  3. Deployment: Implement security measures and tools as outlined in the strategy.

  4. Monitoring and Review: Continuously monitor security posture and review policies regularly to adapt to emerging threats.

  1. Conclusion

Establishing a robust security strategy is essential for safeguarding the data of our THG Organization and ensuring compliance with regulations. By prioritizing key areas such as identity management, data protection, threat defense, compliance, and user education, organizations can greatly improve their security posture in the cloud.
