This Data Processing Addendum ("DPA") forms part of the applicable customer agreement between DIAMWALL, LDA ("DiamWall") and the customer entity accepting the Agreement ("Customer"), including the DiamWall Self-Serve Subscription Agreement, to the extent DiamWall processes Customer Personal Data on behalf of Customer in connection with the Services.
If there is any conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Customer Personal Data. Nothing in this DPA reduces Customer's or DiamWall's obligations under applicable Data Protection Law.
"Applicable Data Protection Law" means Regulation (EU) 2016/679 ("GDPR"), Portuguese Law no. 58/2019, Portuguese Law no. 41/2004 where applicable, and any other applicable law relating to the processing of personal data under the Agreement.
"Customer Personal Data" means personal data processed by DiamWall on behalf of Customer in connection with the Services. "Sub-processor" means any processor engaged by DiamWall to process Customer Personal Data on behalf of Customer.
Customer acts as controller, or as processor on behalf of another controller, for Customer Personal Data. DiamWall acts as processor, or where applicable as sub-processor, for Customer Personal Data.
DiamWall may separately act as an independent controller for account administration, billing, fraud prevention, legal compliance, and security of DiamWall's own services and business operations. Such processing is outside the scope of this DPA and is governed by the Agreement and DiamWall's Privacy Policy.
DiamWall shall process Customer Personal Data only on documented instructions from Customer, unless required to do otherwise by applicable law. The Agreement, Customer's use of the Services, dashboard configuration, API calls, support requests, and other documented communications from Customer constitute Customer's documented instructions.
Customer is responsible for ensuring that its instructions comply with applicable Data Protection Law and that it has all necessary rights and lawful bases to provide the Customer Personal Data to DiamWall for processing.
If DiamWall considers that an instruction from Customer infringes applicable Data Protection Law, DiamWall shall inform Customer without undue delay, to the extent not prohibited by applicable law.
DiamWall shall ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.
DiamWall shall implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk in accordance with Article 32 GDPR. DiamWall may update such measures from time to time provided that the overall level of security is not materially diminished.
Customer grants DiamWall a general written authorisation to engage sub-processors in accordance with this DPA. As of the Effective Date, DiamWall does not currently engage any sub-processor to process Customer Personal Data under this DPA unless expressly identified to Customer in writing. If DiamWall appoints any sub-processor in the future, DiamWall shall maintain and make available an up-to-date sub-processor list and shall impose data protection obligations on each such sub-processor that are not less protective than those set out in this DPA, to the extent applicable.
If Customer reasonably objects to a new sub-processor on data protection grounds, the parties shall work in good faith to make available a commercially reasonable change in the Services or configuration. If no such change is reasonably available, Customer may terminate the affected Service on written notice.
Taking into account the nature of the processing and the information available to DiamWall, DiamWall shall provide reasonable assistance to Customer in responding to data subject requests, meeting security and breach-notification obligations, carrying out data protection impact assessments where required, and demonstrating compliance with this DPA.
DiamWall shall notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and shall provide information reasonably necessary for Customer to meet its obligations under applicable law.
DiamWall shall make available information reasonably necessary to demonstrate compliance with this DPA. Where such information is insufficient for Customer's reasonable compliance needs, Customer may request an audit on reasonable prior notice and subject to reasonable confidentiality, security, and access controls.
Upon termination or expiry of the Agreement, DiamWall shall, at Customer's choice and subject to the functionality of the Services and applicable law, delete or return Customer Personal Data and delete existing copies, unless applicable law requires storage.
DiamWall operates a global anycast and edge network. For customers who select EEA-only data handling, TLS termination and content decryption for protected traffic are restricted to the EEA. In such configurations, non-EEA points of presence may still be used for encrypted packet delivery, routing, volumetric mitigation, and related edge network functions, but not for application-layer inspection of decrypted customer content.
To the extent Customer Personal Data is transferred outside the EEA, Switzerland, or the United Kingdom to a country not recognised as providing an adequate level of protection, DiamWall shall ensure that such transfer is subject to an appropriate transfer mechanism under applicable law, which may include the European Commission's Standard Contractual Clauses. Where DiamWall receives Customer Personal Data as processor from Customer as controller, the controller-to-processor module (Module Two) shall apply. Where DiamWall engages a sub-processor to process Customer Personal Data on Customer's behalf, the processor-to-processor module (Module Three) shall apply. DiamWall shall implement supplementary measures where required by applicable law.
As of the date of this DPA, DiamWall does not currently engage any sub-processors to process Customer Personal Data under this DPA, unless expressly notified to Customer in writing.
If DiamWall appoints any sub-processor in the future, DiamWall shall maintain an up-to-date sub-processor list and make it available to Customer upon written request sent to privacy@diamwall.com. Customer may send any objection to a proposed new sub-processor to the same address in accordance with Section 6.
If Customer accepts the Agreement electronically, that acceptance also constitutes acceptance of this DPA.