Data Processing Addendum
Marshal's GDPR Article 28 processor terms, governing how we handle personal data on behalf of our customers.
Effective DRAFT — counsel review required
[EDIT: …] mark business-specific decisions to resolve before signature. Substantive text reflects standard B2B SaaS processor terms aligned with GDPR Article 28, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), and CCPA service-provider terms. Cross-references to the Privacy Policy and Terms of Service are deliberate.
This Data Processing Addendum (the "DPA") forms part of the agreement between [EDIT: Legal entity name, e.g., "Marshal, Inc., a Delaware corporation"] ("Marshal") and the customer identified in the underlying agreement (the "Customer") governing Customer's use of the Marshal platform (the "Service"). Capitalized terms not defined here have the meaning given in the Terms of Service.
This DPA applies whenever Marshal processes Personal Data (defined below) on behalf of Customer in connection with the Service. In the event of a conflict between this DPA and any other terms between the parties regarding the processing of Personal Data, this DPA controls.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Laws (including GDPR Article 4(1) and California Civil Code § 1798.140(v)).
- "Customer Personal Data" means Personal Data that Customer or its authorized users submit to or process through the Service, including investigation intake materials, witness statements, interview memos, documents and exhibits, timeline entries, allegations, findings, reports, and chat messages, in each case where such content includes information relating to an identifiable person.
- "Data Protection Laws" means all applicable laws governing the processing of Personal Data, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq., the "CCPA"), and other analogous federal, state, and international privacy and data-protection laws as applicable.
- "Controller," "Processor," "Data Subject," "Process," and "Processing" have the meanings given in the GDPR. For CCPA purposes, Marshal is a "service provider" and Customer is a "business."
- "Sub-processor" means any third party engaged by Marshal to Process Customer Personal Data on Customer's behalf in connection with the Service.
- "Standard Contractual Clauses" or "SCCs" means the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, available at eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
- "UK IDTA" means the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner's Office in effect from 21 March 2022.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
2. Roles of the parties
For Customer Personal Data, Customer is the Controller and Marshal is the Processor. Marshal Processes Customer Personal Data solely on documented instructions from Customer, including with respect to transfers to third countries, except where required by law (in which case Marshal will inform Customer of that legal requirement before Processing, unless prohibited by law from doing so).
Customer is responsible for: (a) determining the lawful basis on which it Processes Personal Data through the Service; (b) issuing any required notices to and obtaining any required consents from Data Subjects; (c) configuring the Service in accordance with its own legal obligations; and (d) the accuracy, quality, and legality of Customer Personal Data.
Marshal acts as a Controller in limited respects, only with regard to Account Data (defined in the Privacy Policy) — administrator names, billing contacts, sign-in credentials, audit telemetry, and similar operational metadata that Marshal collects to operate the Service. The Privacy Policy governs Marshal's Controller-side Processing of that data.
3. Documented instructions
The parties agree that Customer's instructions for Marshal's Processing of Customer Personal Data include the following:
- providing the Service in accordance with the Terms of Service and this DPA;
- providing AI-assisted drafting, extraction, summarization, synthesis, and indexing features the Customer activates;
- responding to Customer support requests as documented in the support process;
- retention, deletion, and return of Customer Personal Data as described in Section 11 and Annex II;
- providing such assistance as Customer requires to respond to Data Subject requests and supervisory authorities;
- processing for security, fraud prevention, and integrity purposes as described in Annex II.
Marshal will inform Customer if, in Marshal's opinion, an instruction infringes Data Protection Laws.
4. Subject matter, duration, and purpose of processing
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Annex I (Processing Activities) below.
5. Personnel and confidentiality
Marshal will ensure that personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality, and that access to Customer Personal Data is granted on a need-to-know basis.
6. Security measures
Marshal will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The current measures are described in Annex II (Security Measures) below and at marshal.to/trust. Marshal may update those measures from time to time, provided the updates do not materially diminish the protection of Customer Personal Data.
7. Sub-processors
Customer provides general authorization to Marshal to engage Sub-processors. The current list of authorized Sub-processors is maintained at marshal.to/trust/sub-processors and is incorporated as Annex III (Sub-processors).
Marshal will provide Customer with at least thirty (30) days' prior written notice (by email to the address Customer designates, or by update to the sub-processors page combined with the notification mechanism described at marshal.to/trust) before authorizing any new Sub-processor. Customer may object on reasonable data-protection grounds within that thirty-day notice period by notifying legal@marshal.to. If the parties cannot resolve the objection in good faith, Customer may, as its sole remedy, terminate the affected Service-component agreement on the effective date of the Sub-processor change, with a pro-rata refund of prepaid fees for the unused portion of the term.
Marshal remains liable to Customer for the acts and omissions of its Sub-processors as if they were Marshal's own.
Marshal will impose on each Sub-processor data-protection obligations no less protective than those in this DPA, including confidentiality, security, and breach-notification commitments.
8. International data transfers
Marshal is established in [EDIT: jurisdiction of incorporation — Delaware, USA, or otherwise], and its primary processing infrastructure is hosted in [EDIT: primary AWS / Vercel region for Customer data — currently us-east-1 unless customer requests otherwise]. Customer Personal Data may be transferred to and Processed in the United States and in any other country where Marshal or its Sub-processors operate, as identified in Annex III.
EEA transfers
Where Customer Personal Data originating in the European Economic Area is transferred to Marshal in a country not recognized by the European Commission as providing an adequate level of protection, the parties agree the SCCs apply and are incorporated by reference, as follows:
- Module Two (Controller to Processor) applies where Customer is the Controller and Marshal is the Processor.
- Module Three (Processor to Processor) applies where Customer is itself a Processor (e.g., processing on behalf of its own customer) and Marshal is a Sub-processor.
- The optional Clause 7 docking clause is incorporated.
- For Clause 9 (engagement of Sub-processors), Option 2 (general written authorization) is selected, with the notice period in Section 7 above.
- For Clause 11 (independent redress), the optional language is not incorporated.
- For Clause 17 (governing law) and Clause 18 (forum), the law and courts of [EDIT: EU Member State of Customer's choice (commonly Ireland or the Netherlands)] apply.
- Annexes I, II, and III to the SCCs are completed by reference to Annexes I, II, and III to this DPA.
UK transfers
Where Customer Personal Data originating in the United Kingdom is transferred to Marshal in a country not recognized as adequate by the UK government, the UK IDTA is incorporated and supplements the SCCs. The UK IDTA Tables 1–4 are completed by reference to this DPA and its Annexes.
Swiss transfers
For transfers originating in Switzerland, the SCCs apply with the modifications recommended by the Federal Data Protection and Information Commissioner (FDPIC), including treating references to the GDPR as also covering the Swiss FADP and naming the FDPIC as the competent supervisory authority where applicable.
Data Privacy Framework
[EDIT: If Marshal certifies under the EU-US Data Privacy Framework and/or its UK and Swiss extensions: insert certification status, date, and replace the SCCs reliance above with DPF reliance where applicable. If not certified, leave this section as a placeholder and rely on SCCs.]
9. Personal Data Breaches
Marshal will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include:
- the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
- the likely consequences of the Personal Data Breach;
- the measures Marshal has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
- the contact point at Marshal for further information.
Marshal will provide reasonable assistance to Customer in fulfilling Customer's own notification obligations to supervisory authorities and affected Data Subjects under GDPR Articles 33 and 34 and analogous laws. Marshal's notification of, or response to, a Personal Data Breach under this Section will not be construed as an acknowledgment by Marshal of any fault or liability with respect to the Personal Data Breach.
10. Assistance with Data Subject requests, DPIAs, and consultations
Taking into account the nature of the Processing and the information available to Marshal, Marshal will reasonably assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer's obligation to respond to requests by Data Subjects exercising their rights under Data Protection Laws (including access, rectification, erasure, restriction, portability, and objection).
Marshal provides administrative tooling — including a Data Subject Access Request workflow described at marshal.to/privacy — that Customer's administrators can use directly. If Customer requires additional assistance, Marshal will provide it on reasonable terms taking into account the nature of the request, the volume of Customer Personal Data, and Marshal's ability to respond. Marshal may charge a reasonable fee for assistance that materially exceeds standard service operations.
Marshal will, taking into account the nature of the Processing and the information available to Marshal, reasonably assist Customer with Customer's obligations under GDPR Articles 32 to 36 (data protection impact assessments and prior consultations with supervisory authorities).
11. Return and deletion of Customer Personal Data
Upon termination of the Service for any reason, Customer may, within the export window described in the Terms of Service, retrieve Customer Personal Data through the self-service export tools Marshal provides, or request Marshal's assistance in doing so.
Following expiration of the export window, Marshal will delete Customer Personal Data from active systems within [EDIT: e.g., "thirty (30) days"], except to the extent retention is required by applicable law, by the integrity requirements of the Audit Log described in the Privacy Policy (which Marshal retains as a permanent legal record under GDPR Article 17(3)(e) — exercise or defense of legal claims), or by ordinary backup cycles (which roll over within [EDIT: backup retention window — e.g., "thirty-five (35) days"]).
Marshal will, on Customer's written request and after the deletion is complete, provide written certification that the Customer Personal Data has been deleted in accordance with this Section, identifying any categories of Personal Data Marshal continues to retain on the bases described above.
12. Audits
Marshal will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to the following:
- On Customer's request, Marshal will provide the most recent third-party audit reports it maintains (including, when available, SOC 2 Type II and any successor reports), and Customer agrees to treat them as Confidential Information of Marshal.
- Customer may conduct an on-site or remote audit at Marshal's premises (or, where applicable, virtual access to Marshal's systems) no more frequently than once per twelve (12) month period, on at least thirty (30) days' prior written notice, during business hours, in a manner that does not unreasonably interfere with Marshal's operations, and at Customer's expense. A supervisory authority audit may proceed on the timeline that authority requires.
- Marshal may require Customer to enter into a reasonable non-disclosure agreement before any audit.
- The parties will agree on the scope, duration, and methodology of each audit in advance.
13. CCPA-specific terms
With respect to Customer Personal Data of California residents, Marshal is a "service provider" as that term is defined in the CCPA, and Customer is the "business." Marshal will not:
- sell or share (as those terms are defined in the CCPA) Customer Personal Data;
- retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer, or for any purpose other than the specific purpose of performing the services identified in the Terms of Service and this DPA;
- combine Customer Personal Data with personal data Marshal receives from, or on behalf of, another business or person, except as expressly permitted by the CCPA Regulations.
Marshal certifies that it understands and will comply with the restrictions in CCPA § 1798.140(ag)(1) and § 1798.140(j)(1) and the accompanying regulations.
14. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service. For the avoidance of doubt, the SCCs do not limit each party's statutory liability under Data Protection Laws.
15. Term and termination
This DPA enters into force on the effective date of the Terms of Service between the parties and continues for the duration of Marshal's Processing of Customer Personal Data on behalf of Customer. The obligations in this DPA survive termination of the Terms of Service for so long as Marshal retains Customer Personal Data.
16. Order of precedence
In the event of any conflict between this DPA, the Terms of Service, and the SCCs (where incorporated), the order of precedence is: (i) the SCCs, (ii) this DPA, (iii) the Terms of Service.
17. Updates to this DPA
Marshal may update this DPA from time to time. Material updates affecting Customer's rights will be communicated as described in Section 7 (sub-processors) and the Terms of Service. Continued use of the Service after the effective date of an updated DPA constitutes acceptance, except where the updates require Customer's express agreement under applicable law, in which case Marshal will obtain that agreement.
Annex I — Processing activities
A. List of parties
- Data exporter: Customer (as identified in the Order Form or signup record). Role: Controller (or Processor, as applicable). Contact: as specified in Customer's account.
- Data importer: [EDIT: Legal entity name and registered address — e.g., "Marshal, Inc., 1234 Example St., San Francisco, CA 94110, USA"]. Role: Processor. Contact: privacy@marshal.to.
B. Description of transfer
Categories of Data Subjects: Customer's employees, contractors, and other individuals who are the subjects of workplace investigations conducted by Customer, including complainants, respondents, witnesses, managers, HR business partners, and any other individuals named in investigation materials.
Categories of Personal Data: identification and contact data (names, work email addresses, job titles); employment data (department, manager, hire date, tenure); content of complaint intake materials, witness statements, interview memos, documents and exhibits, timeline entries, allegation summaries, finding rationales, and reports; metadata about investigation activity (assignments, due dates, status); communications between Customer users and Marshal support.
Sensitive data: investigation content may, by its nature, include "special category" Personal Data under GDPR Art. 9 (e.g., information revealing health, sex life, sexual orientation, racial or ethnic origin, political opinions, religious beliefs, trade-union membership) and information relating to criminal offenses under GDPR Art. 10, depending on the subject matter of the investigation. Customer is responsible for the lawful basis on which such data is processed.
Frequency of transfer: continuous, as Customer users submit and update investigation content during the term.
Nature of processing: hosting; storage; retrieval; AI-assisted extraction, summarization, drafting, and synthesis; export and report generation; access logging and audit trail; backup; deletion on termination or per retention policy.
Purpose of processing: enabling Customer to conduct internal workplace investigations using the Service.
Retention period: for the term of Customer's subscription, plus the post-termination export window described in the Terms of Service; the Audit Log is retained as a permanent legal record per GDPR Art. 17(3)(e); ordinary backups roll over within [EDIT: backup retention window — e.g., "thirty-five (35) days"].
C. Competent supervisory authority
For SCC Module Two and Module Three: [EDIT: EU Member State of Customer's choice — commonly the supervisory authority of the Member State where Customer's main establishment is located, or otherwise the Member State Customer designates in the Order Form].
Annex II — Security measures
Marshal implements and maintains the technical and organizational measures described below. The current implementation is also summarized at marshal.to/trust and updated from time to time without diminution of overall protection.
- Tenant isolation: All Customer Personal Data rows carry a tenant identifier and are protected by row-level security policies that deny cross-tenant access at the database layer. Isolation is verified by an automated cross-tenant test suite executed before production deployments.
- Authentication and access control: Email and password with optional Single Sign-On (SAML 2.0) and optional mandatory multi-factor authentication via time-based one-time passcodes. Per-tenant session-idle timeout policies are configurable by Customer administrators. SCIM 2.0 deprovisioning is supported.
- Encryption: All Customer Personal Data is encrypted in transit using TLS 1.2 or higher, and at rest using industry-standard symmetric encryption managed by Marshal's infrastructure providers.
- Audit logging: Every material action on Customer Personal Data is recorded in an append-only audit log secured by a per-tenant cryptographic hash chain. Direct UPDATE and DELETE on the audit log are blocked at the database trigger layer. Daily attestations of each tenant's chain tip are recorded in a dedicated append-only table and pushed to an AWS S3 Object Lock bucket configured in compliance mode for additional tamper-evidence.
- AI processing controls: Customer Personal Data sent to AI sub-processors is processed in accordance with contractual zero-retention terms — providers do not retain inputs or outputs beyond the response cycle and do not use Customer Personal Data to train models. AI outputs are surfaced as drafts and recommendations only; the Customer's investigator retains decision authority. AI-attributed actions are linked in the audit log to a generation record capturing model, prompt version, input hash, and output.
- Retention and legal hold: Customer administrators can configure tenant-wide retention policies for closed cases and place per-case legal holds that suspend retention sweeps. Lifting a hold requires an administrator.
- DSAR workflow: Customer administrators can execute Data Subject Access Requests and erasure requests through the Service, with a curated exemption catalog referencing GDPR Article 17(3) and CCPA § 1798.105(d) bases for preservation. Each fulfillment produces a certificate of action.
- Vulnerability disclosure: A documented vulnerability disclosure policy is published at marshal.to/trust/security with safe-harbor terms for good-faith research.
- Personnel: All personnel with access to Customer Personal Data are bound by written confidentiality obligations and access is limited to the data they need to perform their role.
- Incident response: Marshal maintains a written incident response runbook covering detection, containment, eradication, recovery, and notification, with periodic tabletop reviews.
- Backups and disaster recovery: Marshal's infrastructure providers maintain encrypted backups with point-in-time recovery for the retention window described above. Marshal periodically tests recovery procedures.
- Supplier diligence: Marshal evaluates each Sub-processor's security and privacy posture before engagement and on an ongoing basis.
- Certifications and audits: [EDIT: e.g., "SOC 2 Type II audit scheduled with [firm] for [quarter/year]; report will be made available to Customer on request under NDA upon completion." If certified, replace with current certification status.]
Annex III — Sub-processors
The authorized Sub-processors for the Service, including each Sub-processor's processing purpose, the categories of Personal Data they Process, and their location, are listed and maintained at marshal.to/trust/sub-processors. That page is incorporated into this DPA by reference and constitutes Annex III for purposes of the SCCs.
Signature
This DPA is executed by Customer's acceptance of the Terms of Service or by a separately signed copy where required by Customer's procurement process. [EDIT: If a signed copy is required, insert a signature block here with Marshal signatory name, title, date, and a matching block for Customer.]
Contact
Questions, requests for signed copies, sub-processor objections, and audit inquiries: legal@marshal.to.