1. Scope
This Security Program Addendum (“SPA”) summarises the technical and organisational measures Power Accelerate BV (“Power Accelerate”) applies to the PowerAccelerate Service. It forms part of the Agreement and is referenced in Section 2.2 of the Terms of Service (“TOS”). The SPA in force at the Effective Date of each Order applies to that Order.
This SPA describes Power Accelerate’s standard security program. Any additional security requirements specific to Customer (custom questionnaires beyond what is published here, penetration testing, bespoke controls, on-site audits, custom reporting, SIEM integration, code escrow, custom certifications) are available only under a separate Professional Services or Premium Support Order.
2. Deployment Model
The PowerAccelerate extraction component runs entirely within Customer’s own network, on infrastructure Customer controls. In ordinary operation:
- Customer Data is read from Customer’s source systems and written only to Customer-controlled storage.
- The Service makes no outbound connections to Power Accelerate or any third party.
- Power Accelerate does not host, transmit, or store Customer Data.
Power Accelerate personnel have access to Customer Data only in the limited support scenarios set out in the Data Processing Addendum.
A full architectural description is provided in the PowerAccelerate – Security & Data Handling document, available on request.
3. Measures
3.1 Personnel
- Confidentiality obligations in writing for all personnel and contractors.
- Security awareness training at onboarding and periodically thereafter.
- Background checks where permitted by applicable law.
- Access to Customer environments is revoked promptly on termination of employment or close of engagement, ordinarily within one business day.
3.2 Product
- Single-file executable with no runtime package resolution.
- SHA-256 checksum published for each release.
- Software Bill of Materials (SBOM) available on request.
- Dependencies are reviewed for known vulnerabilities as part of Power Accelerate’s release process.
- No telemetry, crash reporting, or call-home.
- Offline license validation.
3.3 Credentials
Credentials supplied by Customer (passwords, tokens, license keys) are held in process memory only and are not written to disk, logs, or any output artefact.
3.4 Encryption
- Encryption at rest of Customer Data is Customer’s responsibility in its Extraction Environment (full-disk encryption recommended).
- Power Accelerate does not operate internet-facing endpoints in connection with Service operation.
3.5 Change Management
Source changes are version-controlled and peer-reviewed. Each release is assigned a version identifier and checksum; older releases remain reproducible from source.
3.6 Corporate Systems
Power Accelerate selects corporate cloud providers (for source code, email, ticketing) that maintain recognised security certifications appropriate to the service they provide.
4. Sub-processors
Power Accelerate uses no sub-processor to operate the Service itself. A list of corporate service providers that may incidentally process Customer Confidential Information (source-code hosting, email, ticketing) is available on request. Power Accelerate will give not less than thirty (30) days’ notice before engaging a new sub-processor that would Process Customer Data.
5. Security Incident Notification
Power Accelerate will notify Customer without undue delay, and in any event within seventy-two (72) hours, after confirming a Security Incident affecting Customer Data in Power Accelerate’s custody. The notification will contain the information then available regarding the nature of the incident, the categories and approximate volume of data affected, the likely consequences, and the measures taken. Updates will be provided as the investigation progresses.
Power Accelerate will not make public disclosures about a Security Incident without Customer’s prior consent, except where required by law.
6. Audit and Verification
Once per calendar year, upon at least thirty (30) days’ prior written notice and subject to a mutually acceptable confidentiality agreement, Customer may request either:
(a) a written response to a standard security questionnaire (for example, SIG Lite or CAIQ) that Customer provides and Power Accelerate completes; or
(b) a thirty (30)-minute architectural walkthrough of the Service by a Power Accelerate engineer, delivered remotely.
Any additional audit activity — including on-site audits, penetration testing, custom questionnaires, or independent third-party reviews — is available only under a separate Order at Customer’s cost. Power Accelerate is not obliged to provide raw logs, source code, internal policies, or access to Power Accelerate personnel or systems beyond what is described in this Section 6.
7. Changes and Version History
Power Accelerate may update this SPA by publishing a revised version at the URL above. Updates that materially reduce the protections afforded to Customer Data will not apply to Customer’s then-active Orders without Customer’s consent. Previous versions of this SPA are available on request.
| Version | Effective Date | Summary |
|---|---|---|
| 1.0 | April 2026 | Initial publication |
Power Accelerate BV — Emiel Van Hammestraat 12, 2570 Duffel, Belgium — info@poweraccelerate.com