Effective August 4, 2025
This Data Processing Addendum (“DPA”) supplements and incorporates the Subscription Agreement (the “MSA”) entered into by and between Customer and Statsig. Any terms not defined in this DPA will have the meaning set forth in the MSA.
“Customer Personal Data” means the personal data contained within Customer Data.
“Data Breach” means a confirmed breach of Statsig’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
“Data Protection Laws” means the data protection or privacy laws and regulations directly applicable to the processing of Customer Personal Data under this DPA, including: (a) US state privacy laws, including the California Consumer Privacy Act (“CCPA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act, (b) the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), (c) the Swiss Federal Act on Data Protection (“FADP”), and (d) GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018.
“SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021 for transfers of personal data to third countries pursuant to GDPR, including as incorporated into the International Data Transfer Addendum adopted by the UK Information Commissioner’s Office.
“Sub-Processors List” means the list of sub-processors available at https://statsig.com/legal/subprocessors/.
The terms “controller”, “data subject”, “data subject request”, “personal data”, “processing”, “processor”, “sub-processor”, and “supervisory authority” will have the meanings set forth in the Data Protection Laws.
This DPA applies only to the extent that Statsig processes Customer Personal Data in providing the Services under the MSA. The parties agree that Statsig is a processor and Customer is a controller with respect to the processing of Customer Personal Data. Customer is solely responsible for (a) the accuracy, quality, and legality of Customer Personal Data, including the means by which Customer acquires Customer Personal Data and the instructions it provides to Statsig regarding the processing of Customer Personal Data, (b) ensuring that no sensitive or special categories of personal data are provided to Statsig, and (c) complying with applicable law in its use of the Services. Customer will not provide or make available to Statsig any Customer Personal Data in violation of the MSA, this DPA, or Data Protection Laws, and shall indemnify Statsig from all claims and losses in connection therewith. Statsig will process Customer Personal Data in accordance with the MSA, this DPA, and Customer’s reasonable written instructions that are consistent with the MSA and this DPA. If there is a conflict between this DPA and the MSA, this DPA will control. Any claims brought in connection with this DPA will be subject to the MSA. Statsig will promptly inform Customer if it becomes aware that Customer’s instructions violate Data Protection Laws.
With respect to the CCPA, Statsig is a service provider and receives Customer Personal Data to provide the Services pursuant to the MSA and this DPA, which constitutes a business purpose. Statsig will not sell Customer Personal Data or disclose Customer Personal Data except to sub-processors as necessary for the specific purpose of performing the Services.
Following completion of the Services, at Customer’s choice, Statsig will return or delete Customer Personal Data, unless further storage is required for archival purposes or authorized by Data Protection Laws. If return or destruction is impracticable or prohibited by law or regulation, Statsig will take reasonable measures to block such Customer Personal Data from any further processing (except to the extent necessary for archival purposes or as otherwise required by law or regulation) and will continue to appropriately protect the Customer Personal Data in its possession.
Statsig will ensure that any person it authorizes to process Customer Personal Data has agreed to appropriate confidentiality obligations. Statsig will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. Information about Statsig’s technical and organizational measures is available at https://statsig.com/trust/security (“Security Statement”).
Customer generally authorizes Statsig to engage sub-processors and approves Statsig’s use of sub-processors listed in the Sub-Processors List, as may be updated by Statsig from time to time. Statsig will update the Sub-Processors List before appointing a new sub-processor and provide Customer with a mechanism to receive notifications of new sub-processors (“Sub-Processor Notice”). Customer may object to new sub-processors on reasonable security grounds by sending an email to privacy@statsig.com. Such email shall detail the legitimate, good-faith objection within 10 days of a Sub-Processor Notice. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Statsig from offering the Services to Customer. To the extent Customer objects as provided herein, Statsig will use reasonable efforts to address Customer’s objection or suggest a commercially reasonable change of Services to avoid processing of Customer Personal Data by the objected-to sub-processor. If Customer does not provide a timely objection, Customer will be deemed to have authorized Statsig’s use of the sub-processor and to have waived the right to object. Statsig will enter into a written agreement with the sub-processors on the Sub-Processors List imposing data protection obligations similar to those imposed under this DPA. Statsig remains liable for its sub-processors’ performance under this DPA to the same extent Statsig would be liable if performing the Services directly.
If Statsig receives a data subject request, Statsig will, to the extent permitted by Data Protection Laws: (a) advise the data subject to submit the request directly to Customer, and (b) promptly notify Customer of the request. Statsig will, upon Customer’s written request, provide reasonable assistance to Customer in fulfilling the data subject request to the extent required by Data Protection Laws and Customer is unable to do so on its own through use of the Services.
Statsig will notify Customer without undue delay after becoming aware of a Data Breach. To the extent practicable, Statsig’s notification to Customer will include information on the nature of the Data Breach, the measures taken to respond to and mitigate the Data Breach, and information relating to Statsig’s point of contact with respect to the Data Breach. Statsig will promptly take all actions it deems necessary and advisable to identify and remediate the cause of the Data Breach. Statsig’s notification of or response to a Data Breach will not constitute an acknowledgment of fault or liability with respect to the Data Breach. The obligations contained in this section do not apply to Data Breaches that are caused by Customer or otherwise due to Customer’s breach of the MSA or DPA. Except to the extent required by Data Protection Laws, Customer will not notify a supervisory authority, regulator, data subject, or the public of a Data Breach. To the extent such notification by Customer is required under Data Protection Laws, Customer will provide Statsig with advance copies of any notices and an opportunity for Statsig to provide any clarifications or corrections.
Statsig will, taking into account the nature of the processing and information available to it, provide Customer with reasonable cooperation and assistance if required for Customer to comply with its obligations under Data Protection Laws to conduct a data protection impact assessment. To the extent legally permitted, Customer will be responsible for any costs and expenses arising from any such assistance by Statsig. Upon Customer’s written request, Customer may request a written audit of Statsig’s compliance with the terms of this DPA (“Audit”). Except as otherwise required under Data Protection Laws: (a) Customer must provide 30 days’ prior written notice of the Audit; (b) Customer may not perform more than 1 Audit in any 12-month period; (c) Customer agrees that to the extent the scope of the Audit is addressed in the Security Statement or an audit report by Statsig’s third-party auditor (“Audit Report”), Customer will accept the Audit Report in lieu of the Audit; (d) Audits do not extend to any of Statsig’s sub-processors; (e) Customer and Statsig must mutually agree on the Audit scope in advance; and (f) Customer must promptly disclose to Statsig any Audit reports, findings, and results, all of which shall be considered Statsig’s Proprietary Information.
The parties acknowledge that transfers of Customer Personal Data to Statsig that are subject to an applicable adequacy decision do not require a separate approved transfer mechanism. Where a transfer is made from the EEA and no adequacy decision applies, Module Two (Controller to Processor) of the SCCs is hereby incorporated into this DPA and applies as follows: (a) the optional docking clause in Clause 7 does not apply; (b) in Clause 9, Option 2 (general written authorization) applies, and the minimum period for prior notice of sub-processor changes shall be as set forth in Section 4 of this DPA; (c) the optional language in Clause 11 does not apply; (d) in Clause 17 Option 1, the SCCs will be governed by Irish law; (e) in Clause 18(b), disputes will be resolved before the courts in Dublin, Ireland; (f) Exhibit A to this DPA contains the information required in Annex I of the SCCs; (g) the Security Statement contains the information required in Annex II of the SCCs; and (h) the Sub-Processors List contains the information required in Annex III of the SCCs. Where a transfer is made from the UK and no adequacy decision applies, the SCCs shall apply. Where a transfer is made from Switzerland and no adequacy decision applies, the SCCs as incorporated into this DPA shall apply, except that: (x) references to “member state” in the SCCs refer to Switzerland; (y) references to GDPR in the SCCs refer to the FADP (as amended or replaced); and (z) data subjects located in Switzerland may exercise and enforce their rights under the SCCs in Switzerland.
Data exporter/Controller: Customer. Data importer/Processor: Statsig, Inc. Each party’s contact details are set forth in the MSA.
The competent supervisory authority determined in accordance with Data Protection Laws.