This Data Processing Addendum ("DPA") forms part of the Master Subscription Agreement (the "Agreement") between Zluri, Inc. ("Zluri") and Customer (as defined in the Agreement) for the purchase of services provided by Zluri to Customer, including but not limited to subscription services, IGA buying services and consulting services (identified either as "Services" or otherwise in the Agreement, and hereinafter defined as "Services" or "Zluri Services") to reflect the parties' agreement with regard to the Processing of Personal Data.
In the course of providing the Zluri Services to Customer pursuant to the Agreement, Zluri will Process Personal Data on behalf of Customer, and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. For the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules. This DPA supersedes all prior and contemporaneous data processing agreements or data processing terms in any agreements, proposals or representations, written or oral, concerning the Processing of Personal Data. Capitalized terms not defined herein have the meanings set forth in the Agreement.
INSTRUCTIONS ON HOW TO EXECUTE THIS DPA WITH ZLURI
This DPA has been pre-signed on behalf of Zluri.
Customer must complete the information in the signature box and sign on the signature page.
Customer must send the completed and signed DPA to Zluri via email, indicating the Customer's full entity name (as set out on the applicable Zluri Order Form or invoice) in the body of the email to legal@zluri.com. Upon receipt of the validly completed DPA by Zluri at the above email address, this DPA shall come into effect and legally bind the parties.
If Customer makes any deletions or revisions to this DPA, such deletions or revisions are hereby rejected and invalid unless agreed in writing by Zluri. Customer's signatory represents and warrants that they have the authority to bind Customer to this DPA.
APPLICATION OF THIS DPA
If the Customer entity signing this DPA is a party to the Agreement, then this DPA is an addendum to, and forms part of, the Agreement.
If the Customer entity signing this DPA has executed an Order Form with Zluri pursuant to the Agreement, but is not itself a party to the Agreement, then this DPA is an addendum to that Order Form and applicable renewal Order Forms, and the Zluri entity that is a party to such Order Form is a party to this DPA.
By entering into the Agreement, Customer agrees to this DPA on behalf of itself and its Authorized Affiliates to the extent Zluri Processes Personal Data for which such affiliates act as Controller. For purposes of this DPA, "Customer" includes its Authorized Affiliates unless otherwise stated.
If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, then this DPA is not valid and therefore is not legally binding. Such an entity should request that the Customer entity who is a party to the Agreement executes this DPA.
1. DEFINITIONS
"Authorized Affiliate" means any of Customer's Affiliate(s) which (i) is subject to the Data Protection Laws and Regulations of any jurisdiction that requires a data processing agreement between a Controller and a Processor for the Processing of Personal Data under this Agreement, and (ii) is permitted to use the Zluri Services pursuant to the Agreement between Customer and Zluri but has not signed its own Order Form with Zluri.
"Controller" means the natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the scope, purposes, and means of the Processing of Personal Data.
"Customer Data" refers to the information defined in the Agreement as "Customer Data".
"Data Protection Laws and Regulations" means all current and future laws and regulations (as may be amended or updated from time to time) applicable to the Processing of Personal Data under the Agreement, including laws of the European Union or any Member State (which shall include, but is not limited to, the GDPR) and any other applicable laws of any other country, province, state or jurisdiction to which the Processing of the Personal Data is subject.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates, including equivalent terms under Data Protection Laws and Regulations such as "Consumer".
"Data Subject Right" means any right afforded to a Data Subject under Data Protection Laws and Regulations.
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Personal Data" means any information relating to an identified or identifiable natural person, including equivalent terms under Data Protection Laws and Regulations such as "Personal Information", where such data is Customer Data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as but not limited to a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, retention, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means a natural or legal person, public authority, agency, or any other body which processes Personal Data on behalf of the Controller and as set forth in the written instructions of the latter.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise Processed by Zluri or its Sub-processors of which Zluri becomes aware.
"Security, Privacy and Architecture Datasheet" means the Security, Privacy and Architecture Datasheet for the Zluri Services, as updated from time to time.
"Sub-processor" means any Processor engaged by Zluri or its Affiliates to Process Personal Data.
"Third Country" means any country or jurisdiction outside of the country of origin or the European Economic Area ("EEA").
2. PROCESSING OF PERSONAL DATA
2.1 Details of the Processing. The parties acknowledge and agree that (i) with regard to the Processing of Personal Data, Customer is the Controller and Zluri is the Processor, and (ii) Zluri or its Affiliates engaged in the Processing of Personal Data will engage Sub-processors pursuant to the requirements set forth in Section 5 "Sub-processors" below. The subject-matter of Processing of Personal Data by Zluri is the performance of the Zluri Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA. The parties shall exercise their rights hereunder acting in good faith and in a reasonable manner.
2.2 Customer's Processing of Personal Data. Customer shall, in its use of the Zluri Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer's instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Upon entering into this DPA, this DPA, the Agreement and any applicable Order Form(s), are Customer's documented instructions to Zluri for the Processing of Personal Data. Any additional or alternate instructions must be reasonable and consistent with the terms of this DPA and the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired the Personal Data.
2.3 Zluri's Processing of Personal Data. Zluri shall only Process Personal Data in accordance with Customer's documented instructions pursuant to Section 2.2 above, and for the following purposes: (i) Processing in accordance with the Agreement, applicable Order Form(s) and Data Protection Laws and Regulations; and (ii) Processing initiated by Users in their use of the Zluri Services (collectively the "Business Purpose"). Zluri shall not Process Personal Data for any purpose other than the Business Purpose or outside of the direct business relationship with the Customer. Zluri shall, in its provision of the Zluri Services, Process Personal Data in accordance with Data Protection Laws and Regulations, provided that Zluri shall not be in violation of this contractual obligation in the event that Zluri's Processing of Personal Data in non-compliance with Data Protection Laws and Regulations arises from Customer's use of the Zluri Services in violation of the Agreement. Zluri shall not Sell or Share Personal Data.
3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject Requests. To the extent legally permitted and upon identifying that the request originates from a Data Subject whose Personal Data was submitted to the Zluri Services by the Customer, Zluri shall promptly notify the Customer if it receives a Data Subject Request related to the exercise of any Data Subject Right. Zluri will acknowledge to the Data Subject that it has forwarded the request to the Customer, while refraining from directly handling or executing the Data Subject Request.
3.2 Taking into account the nature of the Processing, Zluri shall assist Customer by providing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
4. ZLURI PERSONNEL
4.1 Confidentiality. Zluri shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Zluri shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Zluri shall treat Personal Data as Confidential Information.
4.2 Reliability. Zluri shall take commercially reasonable steps to ensure the reliability of any Zluri personnel engaged in the Processing of Personal Data.
4.3 Limitation of Access. Zluri shall ensure that Zluri's access to Personal Data is limited to those personnel performing Zluri Services in accordance with the Agreement.
4.4 Data Protection Officer. Zluri has appointed a data protection officer for Zluri and its Affiliates. The appointed person may be reached at dpo@Zluri.com.
5. SUB-PROCESSORS
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that Zluri and Zluri's Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Zluri Services. Zluri or a Zluri Affiliate has entered into a written agreement with each Sub-processor containing, in substance, the same data protection obligations as in this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the services provided by such Sub-processor.
5.2 List of Current Sub-processors and Notification of New Sub-processors. Attached hereto as Schedule 3 is a link to the current list of Sub-processors for the Zluri Services. Schedule 3 shall include information related to the identities of those Sub-processors, their country of location as well as a description of the processing they perform. Zluri will notify Customer of a new Sub-processor(s) at least thirty (30) calendar days before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Zluri Services. The notification shall include an updated Schedule 3 which is the information necessary to enable the Customer to exercise its right to object. Such notification shall be provided via email, and if the Customer does not raise any objection or concern within the thirty (30) day notice period, the Customer shall be deemed to have approved the addition of the new Sub-processor(s) and Zluri shall be entitled to proceed accordingly.
5.3 Objection Right for New Sub-processors. Customer may object to Zluri's use of a new Sub-processor by notifying Zluri promptly in writing within ten (10) calendar days after receipt of Zluri's notice in accordance with Section 5.2. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Zluri will use reasonable efforts to make available to Customer a change in the Zluri Services or recommend a commercially reasonable change to Customer's configuration or use of the Zluri Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Zluri is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) solely with respect to those Zluri Services that cannot be provided without the use of the objected-to new Sub-processor. In the event of such termination, Zluri will refund to Customer a pro-rata portion of any prepaid fees attributable to the terminated Zluri Services for the unused portion of the applicable Order Form term, calculated from the effective date of termination. Such refund shall be Customer's sole and exclusive remedy with respect to Customer's objection to the new Sub-processor, and no additional penalty shall apply to such termination.
5.4 Liability for Sub-processors. Zluri shall be liable for the acts and omissions of its Sub-processors to the same extent as if such acts or omissions were performed by Zluri, provided that Zluri shall not be liable for any failure of a Sub-processor to the extent such failure results from circumstances outside Zluri's reasonable control, including failures of underlying infrastructure providers, where Zluri has exercised reasonable diligence in the selection, appointment, and oversight of such Sub-processor.
Any liability arising from the acts or omissions of Sub-processors shall remain subject to the limitations of liability set forth in the Agreement, unless otherwise required by applicable Data Protection Laws.
6. SECURITY
6.1 Controls for the Protection of Customer Data. Zluri shall maintain appropriate technical and organizational measures for protection of the security (including protection against Personal Data Breach), confidentiality and integrity of Customer Data, as set forth in the Security, Privacy and Architecture Datasheet attached hereto as Schedule 2. Zluri regularly monitors compliance with these measures. Customer is responsible for reviewing the information made available by Zluri relating to data security and making an independent determination as to whether the Zluri Services meet Customer's requirements and legal obligations under Data Protection Laws and Regulations. Customer acknowledges that the security measures described within the Security, Privacy and Architecture Datasheet are subject to technical progress and development and that Zluri may update or modify such document from time to time provided that such updates and modifications do not result in a material decrease of the overall security of the Zluri Services during a Subscription Term. For transparency and to support Customer's review of Zluri's technical and organizational controls, Zluri also makes available up-to-date security and compliance documentation, certifications, and audit reports via its Trust Vault (available at https://trust.zluri.com/).
6.2 Personal Data Incident Management and Notification. Zluri maintains security incident management policies and procedures specified in the Security, Privacy and Architecture Datasheet and its documented incident response plan described in Schedule 2, and shall notify Customer without undue delay after becoming aware of a Personal Data Breach. Zluri shall provide information to Customer necessary to enable Customer to comply with its obligations under Data Protection Laws and Regulations in relation to such Personal Data Breach. The content of such communication to Customer will (i) include the nature of Processing and the information available to Zluri, and (ii) take into account that under applicable Data Protection Laws and Regulations, Customer may need to notify regulators or individuals of the following: (a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of Personal Data records concerned; (b) a description of the likely consequences of the Personal Data Breach; and (c) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Zluri shall make commercially reasonable efforts, based on its expertise, to identify the cause of such Personal Data Breach and take remediation actions in accordance with its documented incident response plan described in Schedule 2, where such Personal Data Breach materially affects the security, confidentiality, or integrity of Personal Data processed by Zluri. Zluri shall implement reasonable corrective measures within its control to remediate the cause of such Personal Data Breach, to the extent the remediation is within Zluri's reasonable control. The obligation to remediate the cause of a Personal Data Breach shall not apply to Personal Data Breaches that are caused by Customer or Customer's Users.
7. RETURN AND DELETION OF CUSTOMER DATA
The Zluri Services allow export and deletion of Customer Data during the Subscription Term. At the termination or expiration of the Agreement, Zluri shall return Customer Data by enabling Customer to export its Customer Data as set forth in the Agreement and shall delete Customer Data, in accordance with this DPA, the Agreement, applicable Data Protection Laws and Regulations and the Documentation. Upon request from the Customer, Zluri will provide a certificate of deletion once Customer Data has been deleted from the Zluri Services.
8. AFFILIATES
8.1 Relationship between Zluri and Customer's Authorized Affiliates. The parties acknowledge and agree that, by executing the Agreement, the Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing an independent DPA between Zluri and each such Authorized Affiliate, subject to the provisions of the Agreement and this Section 8 and Section 9. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the sake of clarity, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to this DPA. All access to and use of the Zluri Services by Authorized Affiliates must comply with the terms and conditions of the Agreement, and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
8.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Zluri under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates and Authorized Affiliates.
8.3 Data Controller Rights of Affiliates and Authorized Affiliates. Any Affiliate or Authorized Affiliate shall, to the extent required under applicable Data Protection Laws and Regulations, be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
Except where applicable Data Protection Laws and Regulations require the Affiliate or Authorized Affiliate to exercise a right or seek any remedy under this DPA against Zluri directly by itself, the parties agree that:
(i) solely the Customer that is the contracting party to the Agreement shall exercise any such right (including any Audit right) or seek any such remedy on behalf of such Affiliate or Authorized Affiliate,
(ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Affiliate or Authorized Affiliate individually but in a combined manner for all of its Affiliates and Authorized Affiliates together, and
(iii) when carrying out an on-site Audit, Customer shall take all reasonable measures to limit any impact on Zluri and its Sub-processors by combining, to the extent reasonably possible, several Audit requests carried out on behalf of different Affiliates and Authorized Affiliates in one single Audit.
For the purpose of this Section 8.3, an Affiliate signing an Order Form with Zluri is not deemed "Customer".
9. LIMITATION OF LIABILITY
Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Zluri, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
10. COOPERATION
10.1 Upon Customer's request, Zluri shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer's obligations under Data Protection Laws and Regulations, including with regard to data protection impact assessments and consultations with supervisory authorities, to the extent Customer does not otherwise have access to the relevant information and to the extent such information is available to Zluri. Cooperation may include the provision of appropriate technical and organizational measures, where possible, through the Zluri Services and/or as outlined in the Documentation.
10.2 Zluri shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws and Regulations.
10.3 Where required under Data Protection Laws and Regulations, Zluri shall notify Customer if Zluri is no longer able to comply with its Processing obligations under such Data Protection Laws and Regulations. Customer agrees to exercise any resulting remediation rights under Data Protection Laws and Regulations acting in good faith and in a proportionate manner, and where appropriate, taking into account Zluri's expertise.
11. LEGAL REQUESTS FOR ACCESS TO THE CUSTOMER'S PERSONAL DATA
11.1 In the event Zluri is requested or required under the Data Protection Laws and Regulations or regulatory obligations to conduct certain Processing operations (including but not limited to disclosure to public authorities) relating to the Customer's Personal Data, Zluri hereby expressly undertakes to: (i) inform the Customer of such request or requirement without undue delay (subject to compliance with legal provisions which may prevent it from informing the Customer) in order to obtain the Customer's express and written consent to such Processing operations; (ii) reject invalid legal requests; and (iii) allow, if possible, the Customer (if it so decides) to participate in any action undertaken to oppose such Processing operations.
11.2 Whenever EU GDPR is applicable and such access request is made in a country that does not provide a level of protection of Personal Data equivalent to that guaranteed in the EU regarding mass surveillance laws and surveillance measures, where legally permitted, Zluri shall use commercially reasonable efforts to challenge any disproportionate or unlawful request for access to Customer's Personal Data and shall not disclose encryption keys or provide direct access to encrypted data unless legally compelled to do so.
11.3 In support of the above, Zluri may provide Controller's basic contact information to the third country authority in order to redirect the request.
12. AUDIT RIGHT
Zluri shall allow for and contribute to audits and inspections ("Audits"), not more than once per year. Zluri's contribution shall consist of Zluri's reasonable cooperation and making relevant Zluri employees available to Customer. Such Audit may be conducted by Customer or Customer's independent, third-party auditor that is not a competitor of Zluri and that is subject to confidentiality obligations substantially similar to those set forth in the Agreement, at Customer's own cost:
(i) by Zluri providing information regarding Zluri's processing activities in the form of a copy of Zluri's then most recent third-party audit or certification set forth in the Security, Privacy and Architecture Datasheet, as applicable, that Zluri makes available to its customers generally and through its Documentation;
(ii) to the extent required by Data Protection Laws and Regulations, by Zluri allowing Customer to perform an On-site Audit. "On-site Audits" shall be performed as follows: (a) an Audit of facilities operated by Zluri, carried out during normal business hours; (b) such Audit shall not exceed one (1) business day; (c) Customer will provide Zluri with at least three weeks' written notice prior to such Audit; (d) before the commencement of any such Audit, Customer and Zluri shall mutually agree upon the scope, cost and timing of the Audit; (e) Customer shall promptly notify Zluri with information regarding any non-compliance discovered during the course of an Audit; and (f) Customer may perform an On-site Audit up to once per year.
13. TRANSFERS OF CUSTOMER PERSONAL DATA TO THIRD COUNTRIES
13.1 To the extent that Zluri processes Personal Data subject to the GDPR or other applicable Data Protection Laws requiring appropriate safeguards for transfers to a Third Country, the European Commission's Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("SCCs") are hereby incorporated by reference and form part of this DPA. The SCCs are deemed executed by the parties upon execution of the Agreement.
13.2 For purposes of the SCCs:
(a) Module Two (Controller to Processor) applies;
(b) Module Three (Processor to Processor) applies to onward transfers to Sub-processors;
(c) Annex I (List of Parties and Description of Transfer) is completed using Schedule 1 of this DPA and the parties' details set forth in the Agreement;
(d) Annex II (Technical and Organisational Measures) is satisfied by Schedule 2 (Security, Privacy and Architecture Datasheet); and
(e) The full text of the SCCs is available via Zluri's Trust Vault (https://trust.zluri.com/).
13.3 For transfers subject to the UK GDPR, the SCCs shall be deemed amended in accordance with the UK International Data Transfer Addendum. For transfers subject to Swiss data protection law, the SCCs shall apply with the modifications required under Swiss law.
13.4 Zluri shall conduct and document transfer impact assessments as required under applicable Data Protection Laws and Regulations and shall implement supplementary technical and organizational measures where necessary to ensure an adequate level of protection.
13.5 In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail solely with respect to the relevant Restricted Transfer.
14. NO SELLING OF PERSONAL DATA
Zluri acknowledges and confirms that it does not receive any Personal Data as consideration for any Services or other items that Zluri provides to the Customer. The Customer retains all rights and interests in its Personal Data. Zluri agrees to refrain from taking any action that would cause any transfers of Personal Data to or from the Customer to qualify as selling Personal Data under Data Protection Laws and Regulations.
The parties' authorized signatories have duly executed this DPA.
SCHEDULE 1 — DETAILS OF THE PROCESSING
1. Nature and Purpose of Processing
Zluri will Process Personal Data as necessary to perform the Zluri Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by the Customer in its use of the Zluri Services. The Zluri Services comprise the Zluri Platform, which enables organizations to manage user identities, access rights, and compliance processes through a unified dashboard, thereby enhancing efficiency, security, and automation.
2. Duration of Processing
Subject to Section 7 of the DPA, Zluri will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
3. Categories of Data Subjects
End Users of the Zluri Services, in addition to individuals whose Personal Data is supplied by End Users of the Zluri Services.
4. Categories of Personal Data
The personal data transferred may include the following categories of data:
· Direct identifying information (e.g., name, email address).
· Indirect identifying information (e.g., job title).
· Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).
5. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Zluri does not knowingly collect (and Customer or End Users shall not submit or upload) any special categories of data (Sensitive data).
6. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
The data will be transferred on an as-needed basis, to enable Zluri to provide the Services specified in the Agreement during its term.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data is retained (i) for the term of the Agreement, (ii) as set out in Section 7 of this DPA, and (iii) as required by applicable Data Protection Laws and Regulations.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Zluri is engaged to provide services to Customer which involve the Processing of Customer Personal Data. The scope of the services is set out in the Agreement. Customer Personal Data will be Processed by Zluri and also by Sub-processors engaged by Zluri to deliver those Services and to comply with the terms of the Agreement and this DPA.
SCHEDULE 2 — ZLURI SECURITY, PRIVACY, AND ARCHITECTURE DATASHEET
(updated in March 2025; as updated from time to time in accordance with Section 6.1 of the DPA)
Introduction
The goal of this document is to provide high-level information to our customers regarding Zluri's commitment to security and data protection.
Zluri's Corporate Trust Commitment
Zluri is committed to achieving and maintaining the trust of our customers. Our goal is to be as transparent as possible with our customers in offering state-of-the-art security and protections to meet and exceed expectations in today's modern computing world.
1. Policy Ownership
The Security Officer is responsible for the design, development, maintenance, dissemination, and enforcement of the items contained in this policy. At minimum on an annual basis, a security and/or compliance committee composed of senior management and key personnel discuss, evaluate and document the company's security program, ensuring strategic goals and objectives are continually being developed. At a minimum on an annual basis, all policies are reviewed, modified and/or edited to meet necessary security standards. All policies are signed and approved by authorized personnel. Policies and/or procedures are accessible to employees for review at all times via the compliance automation module within the Zluri Platform. Policies pertaining to positions are reviewed and signed upon hire and on an annual basis by all employees. Requests for any exceptions to any policies included within the security program are approved by Executive Management. Any approved exceptions are reviewed annually.
2. Zluri Infrastructure
Zluri owns or controls access to the infrastructure that Zluri uses to host service data.
Zluri hosts the Zluri Services with Amazon Web Services in the US Region.
3. Audits, Certifications, and Regulatory Compliance
Zluri is ISO 27001 certified and GDPR and SOC 2 compliant. Zluri also enters into the EU Standard Contractual Clauses with its Customers that require it.
Security Measures
4. Access control to premises and facilities:
Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include:
· Access control system
· ID reader, magnetic card, chip card
· (Issue of) keys
· Door locking (electric door openers etc.)
· Surveillance facilities
· Alarm system, video/CCTV monitor
· Logging of facility exits/entries
The services are hosted on AWS (aws.amazon.com). The physical servers are located within AWS's data centers and access to them is managed by Amazon. For additional information on the security of AWS, visit Cloud Security – Amazon Web Services (AWS).
5. Access control to systems:
Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:
· Password procedures (incl. special characters, minimum length, forced change of password from time to time)
· No access for guest users or anonymous accounts
· Central management of system access
· Access to IT systems subject to approval from HR management and IT system administrators
6. Access control to data:
Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and to prevent the unauthorized input, reading, copying, removal, modification or disclosure of data. These measures shall include:
· Differentiated access rights
· Access rights defined according to duties
· Automated log of user access via IT systems
· Measures to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment
7. Disclosure control:
Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:
· Compulsory use of encrypted private networks for all data transfers
· Encryption using a VPN for remote access, transport and communication of data.
· Creating an audit trail of all data transfers
8. Input control:
Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained. Measures should include:
· Logging user activities on IT systems
· Maintaining a technical system able to verify and establish to whom personal data have been or may be transmitted or made available using data communication equipment
· Maintaining a technical system able to verify and establish which personal data have been received as input into automated data-processing systems, and when and by whom the data were input
9. Job control:
Measures should be put in place to ensure that data is processed strictly in compliance with the contractual instructions. These measures include:
· Unambiguous wording of contractual instructions
· Monitoring of contract performance
10. Availability control:
Measures should be put in place to ensure that data are protected against accidental destruction or loss. These measures must include:
· Installed systems can, in the case of interruption, be restored
· Systems are monitored for correct functioning, and faults are reported
· Stored personal data cannot be corrupted by a malfunction of the system
· Uninterruptible power supply (UPS)
· Business Continuity procedures
· Remote storage
· Anti-virus/firewall systems
11. Segregation control:
Measures should be put in place to allow data collected for different purposes to be processed separately. These measures should include:
· Restriction of access to data stored for different purposes according to staff duties.
· Segregation of business IT systems
12. Measures of ensuring event logging:
Measures are put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained. Measures include:
· Logging user activities on IT systems
· Maintaining a technical system able to verify and establish to whom personal data have been or may be transmitted or made available using data communication equipment
· Maintaining a technical system able to verify and establish which personal data have been received as input into automated data-processing systems, and when and by whom the data were input
13. Measures of pseudonymization and encryption of personal data:
Zluri uses Amazon's Key Management Service for creating, maintaining, and rotating all symmetric encryption keys. Zluri does not store or maintain cleartext private key material on disk or in memory; instead, the most sensitive data is stored in AWS Secrets Manager. All data in transmission is securely transmitted over HTTPS. All user data at rest is secured by industry-standard AES-256 encryption.
14. Measures of ensuring ongoing confidentiality, integrity, availability and resilience of processing system and services:
Measures are put in place to allow data collected for different purposes to be processed separately. These measures include:
· Restriction of access to data stored for different purposes according to staff duties.
· Segregation of business IT systems
· Segregation of IT testing and production environments
15. Business Continuity Plan:
As per Zluri policy:
· A plan and process for business continuity, including the backup and recovery of systems and data, is defined and documented.
· The Business Continuity Plan is simulated and tested at least once a year. Metrics are measured and identified recovery enhancements are filed to improve the process.
· Security controls and requirements are maintained during all Business Continuity Plan activities.
16. Process of regular testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing:
Penetration Testing
Penetration testing is performed regularly by either a certified penetration tester on Zluri's security team or an independent third party.
Findings from a vulnerability scan and/or penetration test are analyzed by the Security Officer, together with IT and Engineering as needed, and reported through the process defined in the next section.
Reporting a Finding
Upon identification of a vulnerability (including vulnerability in software, system, or process), a Jira ticket is created.
The description of the Finding includes further details, without any confidential information, and a link to the source.
The Findings are assigned a priority level in Jira, with the following timelines:
Critical: 7 days or less
High: 30 days
Medium: 60 days
Low: 180 days
17. Measures for the protection of data during transmission:
Measures are taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures include:
· Compulsory use of encrypted private networks for all data transfers
· Encryption using a VPN for remote access, transport and communication of data.
· Creating an audit trail of all data transfers
· We restrict the data flow using AWS Web Application Firewalls & other technologies like Subnet & security gateways. The data flows are permitted using only specific rules in AWS using NAT gateways & security groups. The communication between the application & the user's browser is secured with HTTPS using TLS v1.2 or above.
18. Measures for the protection of data during storage:
Measures are taken to prevent authorized users from accessing data beyond their authorized access rights and to prevent the unauthorized input, reading, copying, removal, modification or disclosure of data. These measures include:
· Differentiated access rights
· Access rights defined according to duties
· Automated log of user access via IT systems
· Measures to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment
Zluri uses MongoDB Atlas and AWS Redshift for storing dynamic data. All file data and backups are stored in Amazon's S3 service (Simple Storage Service). All these solutions are configured to store data in encrypted form using the industry-standard AES-256 symmetric encryption algorithm for the database, backups, snapshots, and logs. Content stored in S3 is also encrypted at rest via server-side encryption integrated with AWS KMS.
19. Measures for ensuring system configuration, including default configuration:
The Processor's system configuration is based on the Security Technical Implementation Guides (STIGs). System configuration is applied and maintained by software tools that ensure the system configurations do not deviate from the specifications. Deviations are fixed automatically and reported to our SOC.
20. Measures for ensuring Data Minimisation:
We collect only the minimal metadata necessary to provide administrators with accurate insights into SaaS usage and identity and access management activities within their organization.
21. Measures for Data Quality:
Measures should be put in place to allow data collected for different purposes to be processed separately. These measures should include:
· Restriction of access to data stored for different purposes according to staff duties.
· Segregation of business IT systems
· Segregation of IT testing and production environments
22. Measures for ensuring limited data retention:
Customer data is retained for as long as the account is in active status. Data enters an "expired" state when the account is voluntarily closed. Expired account data will be retained for 180 days. After this period, the account and related data will be removed or anonymized. Customers that wish to voluntarily close their account should download their data manually, via API, or by reaching out to the service team, prior to closing their account.
If a customer account is involuntarily suspended, there is a 90-day grace period during which the account will be inaccessible but can be reopened if the customer meets their payment obligations and resolves any terms of service violations.
If a customer wishes to manually back up the data in a suspended account, they must ensure that their account is brought back to good standing so that the user interface will be available for their use. After 90 days, the suspended account will be closed, and the data will enter the "expired" state. It will be permanently removed or anonymized beyond recognition 180 days thereafter (except when required by law to retain it).
23. Measures for ensuring accountability:
All of the data processed is provided by the Controller. Zluri does not assess the quality of the data provided by the Controller. Zluri provides reporting tools within its product to help the Controller understand and validate the data that is stored. Zluri also uses a third-party managed Web Application Firewall (Cloudflare) in front of the server infrastructure, which checks data for potential threats and blocks requests as required.
SCHEDULE 3 — LIST OF SUB-PROCESSORS
Information on Sub-processors, including their contact details and available notification mechanisms, can be found at http://zluri.com/subprocessors/.
SCHEDULE 4 — US STATE PRIVACY LAWS
To the extent that Zluri Processes Personal Data that constitutes "Personal Information" under applicable US State Privacy Laws, including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA"), the parties agree to the following:
1. Role of the Parties
Customer is the "Business" (or equivalent term) and Zluri is the "Service Provider" or "Processor" (as applicable) with respect to Personal Information Processed under the Agreement.
2. Business Purpose
Zluri shall Process Personal Information solely for the Business Purpose specified in the Agreement and this DPA, and in accordance with Customer's documented instructions.
3. No Sale or Sharing of Personal Information
Zluri shall not Sell or Share Personal Information (as those terms are defined under applicable US State Privacy Laws).
4. Restrictions on Use and Disclosure
Zluri shall not retain, use, or disclose Personal Information for any purpose other than the Business Purpose set forth in the Agreement and this DPA, except as permitted by applicable law.
5. Consumer Requests
Taking into account the nature of the Processing, Zluri shall provide reasonable assistance to Customer in responding to Consumer requests to exercise their rights under applicable US State Privacy Laws.
6. Sensitive Personal Information
To the extent Sensitive Personal Information is Processed, Zluri shall Process such information only for the limited and specified purposes described in the Agreement and in compliance with applicable US State Privacy Laws.
7. Compliance
Zluri shall comply with obligations applicable to Service Providers or Processors under applicable US State Privacy Laws and shall notify Customer if it determines it can no longer meet such obligations.
8. No Combining of Personal Information
Zluri shall not combine Personal Information received from or on behalf of Customer with Personal Information received from or on behalf of another person or collected from Zluri's own interactions with individuals, except as permitted under applicable US State Privacy Laws and as necessary to perform the Business Purpose specified in the Agreement.