Data Processing Agreement

• "Personal Data" has the meaning given in Article 4 of the GDPR.
• "Processing" means any operation performed on Personal Data as defined by the GDPR.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data.

The Processor processes Personal Data solely to provide the lakesight.io Service as described in the Terms of Service. The nature of the processing involves:

• Storing Customer account information
• Using Workspace Credentials (URL + PAT) to query the Databricks REST API on behalf of the Customer
• Displaying cost and usage analytics within the platform

Processing shall be carried out only on documented instructions from the Controller.

• Employees or representatives of the Customer
• End users of the Customer's Databricks workspace (indirectly, via metadata)

• Professional email addresses, names, job titles
• Databricks workspace URL and PAT tokens
• Job/run/cluster metadata (names, timestamps, cost data) — which may incidentally contain identifiers

The Processor shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure that persons authorized to process Personal Data are bound by confidentiality
• Implement appropriate technical and organizational security measures per Article 32 GDPR
• Not engage sub-processors without prior written authorization from the Controller
• Assist the Controller in responding to data subject rights requests
• Delete or return all Personal Data upon termination of the agreement
• Make available all information necessary to demonstrate compliance

The Customer authorizes lakesight.io to engage sub-processors for the purposes of hosting, payment processing, and analytics. A current list of sub-processors is available upon request at legal@lakesight.io. The Processor shall notify the Customer of any intended changes to sub-processors at least 30 days in advance.

The Processor implements the following measures (Article 32 GDPR):

• Encryption of data in transit (TLS 1.2 or higher)
• Storage of Workspace Credentials exclusively in Microsoft Azure Key Vault
• Access control and authentication mechanisms
• Regular security assessments
• Procedures for testing, assessing, and evaluating security effectiveness

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of the breach. The notification shall include the nature of the breach, the categories and approximate number of individuals concerned, and the measures taken to address it.

The Processor shall assist the Controller in fulfilling obligations to respond to data subject requests. Requests should be submitted to: legal@lakesight.io

Any transfer of Personal Data to a third country shall only occur in compliance with Chapter V of the GDPR, including where appropriate the use of Standard Contractual Clauses.

Upon termination of the Terms of Service, the Processor shall, at the Controller's election, delete or return all Personal Data within 30 days. Copies retained for legal compliance purposes will be maintained confidentially and deleted once the retention obligation expires.

This DPA is governed by French law and the GDPR. Any dispute shall be resolved before the competent French courts.