CDA.SECURITY, LLC SERVICES PRIVACY POLICY

Version 1.0

Effective Date: 2026-01-01

This Services Privacy Policy (“Privacy Policy”) describes how CDA.Security, LLC (“CDA.Security,” “we,” “us”) collects, uses, and discloses information in connection with the delivery of our professional cybersecurity services (the “Services”). This policy is incorporated by reference into the CDA.Security Master Services Agreement (the “Agreement”) and applies to Customer Data and any personal information contained therein. This policy does not apply to our marketing activities or website visitors.

1. INFORMATION WE PROCESS

In the course of providing the Services, we process information provided by our Customer or collected at our Customer’s direction (“Customer Data”). Customer Data may include technical information such as IP addresses, log files, system configurations, and network traffic data. It may also include personal information of Customer’s employees or users if such information is present in the systems or data we are authorized to access. We process this data solely as a “data processor” or “service provider” on behalf of our Customer, who is the “data controller.”

2. HOW WE USE INFORMATION

We use Customer Data for one purpose only: to provide the Services to the Customer as described in the applicable Mission Order. This includes:

• Performing the security analysis and testing requested by the Customer.
• Generating reports and other Deliverables for the Customer.
• Communicating with the Customer about the Services.
• Complying with our legal obligations and enforcing our agreement terms.

We do not sell Customer Data or use it for marketing, advertising, or any other commercial purpose.

3. INFORMATION SHARING AND DISCLOSURE

We do not share Customer Data with third parties except in the following limited circumstances:

• With Consent: We may share information with Customer’s explicit consent and at their direction.
• Service Providers: We may engage third-party companies or individuals as service providers or sub-processors to support the delivery of our Services (e.g., secure cloud hosting providers). These providers are contractually obligated to protect Customer Data and are prohibited from using it for any other purpose. A list of current sub-processors is available upon request.
• Legal Compliance: We may disclose Customer Data if we believe that disclosure is reasonably necessary to comply with a law, regulation, legal process, or governmental request.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, Customer Data may be transferred. We will provide notice before Customer Data is transferred and becomes subject to a different privacy policy.

4. DATA SECURITY

We implement and maintain robust administrative, technical, and physical security measures designed to protect Customer Data from unauthorized access, destruction, use, modification, or disclosure.

5. DATA RETENTION

We retain Customer Data for the duration necessary to complete the Services described in the relevant Mission Order and for a limited period thereafter as required for our legal and compliance obligations. Following this period, we will securely delete or anonymize Customer Data in accordance with our data retention policies, unless a longer retention period is required by law.

6. CUSTOMER’S ROLE AND RESPONSIBILITIES

Our Customer, as the data controller, is solely responsible for ensuring that it has a lawful basis for processing any personal data contained within the Customer Data and for providing all necessary notices and obtaining all necessary consents from individuals.

7. CONTACT

For any questions about this Services Privacy Policy, please contact legal@cda.security.