PATHLOCK PRIVACY POLICY
Version 2.4
Copyright Notice
©2025 Pathlock, Inc. All Rights Reserved.
The information in this document is provided for informational purposes only, is subject to change without notice, and should not be construed as a commitment by Pathlock, Inc. Pathlock assumes no responsibility or liability for any errors or inaccuracies that may appear in this document.
Except as permitted by license, no part of this document may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means — electronic, mechanical, recording, or otherwise — without the prior written permission of Pathlock, Inc.
Printed in the U.S.A.
CAUTION
This document contains proprietary, confidential information that is the exclusive property of Pathlock, Inc. If you do not have a valid contract with Pathlock for the use of this document or have not signed a non-disclosure agreement with Pathlock, then you received this document in an unauthorized manner and are not legally entitled to possess or read it.
Use, duplication, and disclosure are subject to restrictions stated in your contract with Pathlock, Inc. Use, duplication, and disclosure by the Government are subject to restrictions for commercial software and shall be deemed to be Restricted Rights software under Federal Law.
Revision History
The following table provides the release history information.
| Release Version | Release Date | Description |
| --- | --- | --- |
| 1.0 | September 16, 2019 | Initial version for cloud applications |
| 2.0 | October 7, 2020 | Updated |
| 2.1 | November 2021 | Review and Refresh |
| 2.2 | February 15, 2023 | Periodic review and Refresh |
| 2.3 | February 5, 2024 | Annual Review |
| 2.4 | September 15, 2025 | Comprehensive update for enhanced compliance with GDPR, CCPA, ISO 27001, SOC, and TISAX frameworks |
Governance
| Release Version | Approval Date | Approvers |
| --- | --- | --- |
| 1.0 | December 2019 | Guru Deshpande (VP of Engineering) |
| 2.0 | October 2020 | Guru Deshpande (VP of Engineering) |
| 2.1 | November 2021 | Guru Deshpande (VP of Engineering) |
| 2.2 | February 2023 | Guru Deshpande (VP of Engineering and Technology) |
| 2.3 | February 2024 | Guru Deshpande (VP of Engineering and Technology) |
| 2.4 | September 2025 | JB Slivka (VP of IT and DevOps) |
Table of Contents
- Purpose and Scope
- How We Obtain Information
- How We Use Information
- How We Share Information Collected
- International Transfers
- Security and Breach Notification
- Retention
- Your Privacy Rights
- California Privacy Rights
- Data Protection Framework Compliance
- General
- Contact Information
1. Purpose and Scope
Pathlock, Inc., including its subsidiaries and affiliates (collectively, “Pathlock,” “we,” or “us”) respects the privacy of its customer data and is committed to protecting personal information in accordance with applicable data protection laws and industry standards.
This Services Privacy Policy (“Services Notice”) covers our privacy practices with respect to the collection, use, and disclosure of information obtained in connection with the purchase and use of our hosted software applications (the “Pathlock Cloud Platform”) and related support services (“Support Services”), as well as expert services, including professional services, training, and certification (the “Expert Services”) that we provide to Customers (defined below). In this Privacy Statement, the Pathlock Cloud Platform, Support Services, and the Expert Services are collectively referred to as the “Service.” This Service Privacy Policy also covers information processed by Pathlock for customer and partner account management purposes, including customer address and billing information collected for processing Customer’s purchase of Pathlock’s Service.
This Services Policy does not cover a customer’s use or disclosure of any information it stores in the Pathlock Cloud Platform. This Services Policy also does not cover any information or data collected by Pathlock for other purposes outside of the Service. This Services Notice also does not cover the use or disclosure of any information stored in the Pathlock Cloud Platform when hosted by the Customer.
For the purposes of this Services Policy:
“Customer” means the entity that purchases our Service.
“Customer Data” means the electronic data uploaded into the Pathlock Cloud Platform by or for Customer or its Users.
“Mobile Applications” means applications downloaded by an authorized user of our hosted software applications to a mobile device.
“User” means an individual authorized by the Customer or Partner to access and use the Pathlock Cloud Platform.
“Partner” means an entity that sells Pathlock products and services or provides services or technology to Pathlock customers.
“Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable data protection laws.
“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. How We Obtain Information
As further described below, we collect several types of information from and about our Customers and Partners in the course of providing and supporting our Service.
Customers process Customer Data in the normal course of using our Service. Our use and access of Customer Data processed is limited to providing and supporting the Service and in accordance with the definitive agreement between Customer and Pathlock pursuant to which the Customer purchased access to the Pathlock Cloud Platform (the “Customer Agreement”) and our Data Processing Addendum (“DPA”).
We host and process Customer Data at the direction of and pursuant to the instructions of our Customers. We also collect several types of information from our Customers, including:
- Information and correspondence our Customers and Users submit to us in connection with Expert Services or other requests related to our Service.
- Information we receive from our business partners in connection with use of the Service or in connection with services provided by our business partners, including configuration of the Pathlock Cloud Platform.
- Server logs in support of the Pathlock Cloud Platform.
- Information collected via our Mobile Applications.
We also collect several types of information from and about our Customers and partners as a data controller, including:
- General information, including a Customer or Partner’s company name and address, credit card information, and the Customer or Partner representative’s contact information (“General Information”).
- Quantitative data derived from our Customers’ and Users’ use of the Pathlock Cloud Platform, for example and without limitation, the number of active roles within a Customer’s instance. All such data collected, used, and disclosed will be in aggregate form only and will not identify Customer or its Users.
- Service Data relating to the use, support, and operation of the Services, which Pathlock collects directly from and about Users of the Services and from Customer’s use of the Service, and which Pathlock uses for its own purposes; certain Service Data may constitute Personal Data.
3. How We Use Information
We may use Customer Data to provide and support the Service, including updating and maintaining the Pathlock Cloud Platform and providing Support and Expert Services. We will not use, disclose, review, share, distribute, transfer, or reference any Customer Data except as permitted in the Customer Agreement, as set forth in our DPA, or as required by law.
We may use information we collect about our customers and partners for billing and contracting purposes, to improve our services, for security and fraud prevention, and to comply with legal obligations.
We process Personal Data as a Processor on behalf of our Customers who are the Controllers of such data. Our processing activities are limited to those necessary to provide the Services as instructed by our Customers and in accordance with our DPA.
4. How We Share Information Collected
We may disclose personal information that our Customers, Partners, and Users provide to us to the following categories of recipients:
- To our subsidiaries and affiliates (including those located outside the European Economic Area, United Kingdom, and Switzerland) as necessary to support provision of the Service to the Customer and operate our partner program.
- To our contractors, business partners and service providers we use to support our Service, including Sub-Processors as identified in our Sub-Processor List available at https://www.pathlock.com/dpa-annex, and business partners who provide services on behalf of our Customers.
- To a potential buyer (and its agents and advisors) in connection with any proposed merger, acquisition, or any form of sale or transfer of some or all of our assets (including in the event of a reorganization, dissolution or liquidation), in which case personal information held by us about our Customers and Partners will be among the assets transferred to the buyer or acquirer.
- To any competent law enforcement body, regulatory, government agency, court or other third party to: (i) comply with any court order, a request from any competent law enforcement agency, or any other legal obligation; (ii) enforce or apply the terms of the Customer Agreement; (iii) enforce or apply the terms of the agreement for partnership with our Partners; and (iv) protect the rights, property, or safety of Pathlock, our Customers, Users, or others.
- In accordance with Customer instructions as documented in the Customer Agreement and DPA.
5. International Transfers
We store and process Customer Data in: (i) any country where we have facilities, and (ii) any country in which we engage service providers, including Sub-Processors.
For international transfers of personal information from the European Economic Area (EEA), United Kingdom (UK), and Switzerland, we implement appropriate safeguards to ensure adequate protection for the transferred Customer Data. These safeguards include:
- For EEA transfers, we utilize the European Commission’s Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914, as incorporated into our DPA.
- For UK transfers, we utilize the UK Transfer Addendum to the SCCs, as approved by the UK Information Commissioner’s Office and incorporated into our DPA.
- For Swiss transfers, we implement appropriate safeguards as required under Swiss data protection law.
We maintain a current list of countries where Customer Data may be processed, which is available upon request. All international transfers are conducted in accordance with Chapter V of the GDPR and equivalent provisions in other applicable data protection laws.
Our Sub-Processors who may process Customer Data internationally are bound by contractual obligations that provide equivalent levels of data protection as those set out in our DPA and applicable SCCs.
6. Security and Breach Notification
We maintain a comprehensive information security program designed to protect Customer Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Our security measures are aligned with industry standards and best practices, including those required for ISO 27001, SOC 1 Type 2, SOC 2 Type 2, and TISAX compliance.
Our technical and organizational security measures include:
- Organizational management with dedicated staff responsible for the development, implementation and maintenance of our information security program.
- Data security controls including logical segregation of data, role-based access controls, monitoring, and utilization of industry-standard encryption technologies for Customer Personal Data both in transit and at rest.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, with multi-factor authentication where appropriate.
- Regular security assessments, vulnerability scanning, and penetration testing to identify and address potential security risks.
- Incident response procedures designed to investigate, respond to, mitigate and notify of security events.
- Physical security controls for data centers and facilities where Customer Data is processed.
- Regular security awareness training for all personnel with access to Customer Data.
The Pathlock Cloud Platform allows Customers to implement and configure their use of the platform and enforce their security requirements, including user access controls and encryption.
Pathlock has a dedicated team responsible for monitoring and responding to security incidents. In the event of a Personal Data Breach, we will notify affected Customers without undue delay and in accordance with the requirements set forth in our Customer Agreement and DPA. Our notification will include sufficient information to allow Customers to meet their own obligations under applicable data protection laws, while not compromising the security of other Customer Data.
We maintain certifications and undergo regular audits for ISO 27001, SOC 1 Type 2, and SOC 2 Type 2 compliance. Audit reports are available to Customers upon request and subject to appropriate confidentiality agreements. For customers in the automotive sector requiring TISAX compliance, we implement additional controls to protect confidential automotive industry information in accordance with VDA ISA requirements.
7. Retention
We retain Customer Data according to the timeframes set forth in the Customer Agreement and DPA. Specifically:
- During the term of the Service, we retain Customer Data as necessary to provide the Services.
- Upon termination or expiration of the Service, we provide a post-cessation storage period of fourteen (14) days during which Customers may request return or deletion of their Customer Data.
- After the post-cessation storage period, if no instruction is received, we will delete or irreversibly anonymize Customer Data to the fullest extent technically possible.
- We may retain Customer Data where permitted or required by applicable law, for such period as may be required by such applicable law, provided that we maintain the confidentiality of all such Customer Personal Data and process it only as necessary for the purpose specified in the applicable law.
- We retain General Information where we have an ongoing legitimate business need to do so, for example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements.
Retention periods may vary based on the nature of the data and applicable legal requirements. We regularly review our retention practices to ensure compliance with applicable data protection laws.
8. Your Privacy Rights
Since each Customer is in control of what information, including any personal information, it collects from its Users, how that information is used and disclosed, and how that information can be changed, Users of the Pathlock Cloud Platform must contact the applicable Customer administrator with any inquiries about how the Customer uses and discloses personal information.
Users should contact their Customer administrator to exercise rights to access, rectify, correct, delete, and port personal information contained in Customer Data as well as object to or restrict the processing of personal information contained in Customer Data.
We provide you with certain choices regarding the General Information you provide to us. In particular:
To access, correct, update, or request deletion of any personal information Customer or Partner provided us as part of the General Information, please contact your account representative or Pathlock relationship manager or, where possible, use our portals you have access to (for example, our partner portal) to carry out these requests.
Certain jurisdictions, including the European Economic Area, United Kingdom, and California, provide their residents specific privacy rights under applicable law. We will process requests to exercise such rights, including objection to and restriction of processing and requests for portability of personal information contained in General Information, in accordance with applicable data protection laws.
Under the GDPR, data subjects have the right to lodge a complaint with a supervisory authority if they believe their personal data has been processed in violation of applicable data protection laws.
You may send us an email at [email protected] or using the contact details under the “Contact Information” heading below.
We will respond to such requests in accordance with the requirements of applicable data protection laws. Please note that in order to fulfill your request, we may need you to provide certain information to verify your identity.
9. California Privacy Rights
This section applies to California residents whose personal information is processed by Pathlock pursuant to the California Consumer Privacy Act of 2018 (“CCPA”).
California residents have specific rights regarding their personal information under the CCPA. These rights include:
- The right to know what personal information we collect, use, disclose, and sell.
- The right to request deletion of personal information we have collected, subject to certain exceptions.
- The right to opt-out of the sale of personal information. Pathlock does not sell personal information as defined by the CCPA.
- The right to non-discrimination for exercising your privacy rights.
- The right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling personal information, and the categories of third parties with whom we share personal information.
With respect to Customer Personal Data processed on behalf of our Customers, Pathlock acts as a Service Provider as defined in the CCPA. We certify that we understand our obligations under the CCPA and will comply with them. We will not retain, use, or disclose personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Service, or outside of the direct business relationship between Pathlock and Customer.
To exercise any of these rights, California residents may contact us at [email protected] or call us at our toll-free number which will be provided upon request. We will verify your identity before processing your request, which may include requesting additional information from you.
We will respond to verifiable consumer requests within the timeframes required by the CCPA. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.
10. Data Protection Framework Compliance
Pathlock maintains compliance with multiple data protection and security frameworks to ensure the highest standards of data protection:
- GDPR Compliance: We comply with the General Data Protection Regulation requirements including lawful basis for processing, data subject rights, data protection by design and default, and maintaining records of processing activities. Our DPA incorporates Standard Contractual Clauses for international transfers.
- ISO 27001 Certification: We maintain an Information Security Management System certified to ISO 27001 standards, demonstrating our commitment to systematic security risk management and continuous improvement of our security controls.
- SOC 1 Type 2 and SOC 2 Type 2 Reports: We undergo regular independent audits resulting in SOC 1 Type 2 and SOC 2 Type 2 reports, which evaluate the design and operating effectiveness of our controls relevant to security, availability, processing integrity, confidentiality, and privacy.
- TISAX Readiness: For automotive sector customers, we implement controls aligned with TISAX (Trusted Information Security Assessment Exchange) requirements, including protection of confidential information, data classification, and secure information exchange protocols as specified in VDA ISA standards.
- CCPA Compliance: We comply with California Consumer Privacy Act requirements as a Service Provider, including contractual commitments not to sell personal information and to process data only for specified purposes.
Customers may request evidence of our compliance certifications and audit reports subject to appropriate confidentiality agreements. These frameworks inform our ongoing security and privacy practices and are regularly reviewed and updated.
11. General
11.1 Pathlock Applications for Third-Party Services
We may provide applications and integrations hosted by third party services (for example, messenger applications) for mutual customers that we have with such third-party service providers. These applications and integrations will interact with the Pathlock Cloud Platform and our collection, use, and disclosure of information will be in accordance with this Services Privacy Statement and our Customer Agreement with the Customer. This Services Privacy Statement does not cover such third-party service stores where we make our applications available. The use of any data you make available to such a third party is subject to that party’s privacy policy and your agreements, if any.
11.2 Third Party Websites and Applications
Customers, Partners and other third parties, including our consultants, may develop applications (including Mobile Applications) or provide services to you or other third parties using our Service. This Services Notice does not apply to information collected by Customers, our business partners, and other third parties or third-party applications (including Mobile Applications) or services, even if this information is collected using our Service.
11.3 Changes to this Services Privacy Statement
We reserve the right to update or change this Services Privacy Statement from time to time. If we make material changes to this Services Privacy Policy, we will notify our Customers through an appropriate online notice and obtain their consent where required by applicable law. For clarity, any update or change to this Services Notice will not change or modify the agreement between Pathlock and Customer. The most current version of this Privacy Policy will be posted on our website at https://www.pathlock.com with the effective date clearly marked.
11.4 Data Processing Addendum
This Privacy Policy should be read in conjunction with our Data Processing Addendum, which provides additional details about our processing of Customer Personal Data and incorporates Standard Contractual Clauses for international data transfers. The DPA forms part of our Customer Agreement and takes precedence over this Privacy Policy in case of any conflict.
11.5 Sub-Processors
We engage certain third-party Sub-Processors to assist in providing the Services. A current list of our Sub-Processors is maintained at https://www.pathlock.com/dpa-annex and is updated in accordance with the notification procedures set forth in our DPA.
12. Contact Information
If you have questions or comments about this Services Privacy Statement and our privacy practices or if you are a Customer and need to update, change, or remove information from the Service, please log a ticket through our customer support portal.
For privacy-specific inquiries, including requests to exercise your data protection rights, please contact our Data Protection Officer at:
Email: [email protected]
For written inquiries, you may contact us at:
Pathlock, Inc.
US Operations — Headquarters
1200 17th Street
Denver, CO 80202
USA
For European data protection inquiries:
Email: [email protected]
Document Classification: Public
Last Updated: December 2024
Next Review Date: December 2025