DATA PROCESSING ADDENDUM

1.1 Parties and incorporation. This Data Processing Addendum (the “DPA”) is incorporated by referenceinto, and forms part of, the Terms of Service (the “Terms”) between ASPEEN, INC. (the “Provider”) andthe counterparty to the Terms (the “Customer”). This DPA applies to all Processing of Customer PersonalData in connection with the Service.

1.2 Relationship to the Terms and definitions. Capitalised terms not defined in this DPA have themeanings given in the Terms. As set out in the Terms (including Section 9), Customer acts ascontroller/business and Provider acts as processor/service provider in respect of Customer Personal Data.Provider acts as an independent controller for Account Data and Operational Telemetry described in theTerms.

1.3 Effective date and term. This DPA takes effect on the earlier of: (a) the Effective Date accepted viathe click-through mechanism described in the Terms; or (b) the date Provider first Processes CustomerPersonal Data for Customer. It remains in force for the Term of the Terms of Service and until completionof export and deletion activities described in this DPA and the Terms.

1.4 Precedence. In the event of a conflict between this DPA and the Terms regarding Processing ofCustomer Personal Data, this DPA prevails. For international transfers, the applicable EU StandardContractual Clauses, UK Addendum, and Swiss addendum prevail over this DPA to the extent of conflict.The Terms govern all other matters.

1.5 Acceptance and updates. Acceptance of this DPA follows the same explicit click-through mechanismsas the Terms. Updates and versioning of this DPA follow the notice and archival procedures in the Terms(including the “Material Change” regime). Subprocessor List updates and any related objection rights aregoverned by the “Subprocessors” section of this DPA. For the avoidance of doubt, publication of this DPAalone does not constitute acceptance or form a contract. Acceptance occurs only via the explicit clickthrough acceptance of the Terms. Continued use without such renewed acceptance is not permitted.

1.6 Scope. This DPA governs Provider’s Processing of Customer Personal Data strictly in accordance withCustomer’s documented instructions for the purpose of delivering the Service, and sets out the security,confidentiality, incident-response, subprocessing, international transfer, data subject request, and deletionobligations applicable to such Processing. It does not apply to Processing where Provider acts as anindependent controller as described in the Terms.

1.7 Incorporated schedules and documents. The following form part of this DPA: (A) EU StandardContractual Clauses (appropriate module(s)) and any supplementary measures; (B) the UK Addendum; (C)the Swiss FDPIC adaptation; (D) Schedule B: CCPA/CPRA Service Provider Terms; (E) Schedule C:Details of Processing; and (F) the current Subprocessor List (via URL), each as versioned and notifiedunder the Terms.

1.8 Notices and contacts. Legal notices and privacy/security communications under this DPA follow thenotice mechanics in the Terms. Security incident notifications are provided as set out in the “SecurityIncidents” section of this DPA and coordinated with relevant provisions of the Terms.

Capitalised terms not defined here have the meanings in the Terms.

2.1 “Applicable Data Protection Law” means, to the extent applicable to the Processing of CustomerPersonal Data: the EU GDPR, UK GDPR and Data Protection Act 2018, the Swiss FADP, U.S. state privacylaws (including the CCPA/CPRA), and other substantially similar laws (including Brazil’s LGPD) asamended.

2.2 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” have themeanings in the EU GDPR. “Business”, “Service Provider”, “Consumer”, “Sell”, “Share” have themeanings in the CCPA/CPRA.

2.3 “Customer Personal Data” means Personal Data Processed by Provider on behalf of Customer via theService under Customer’s documented instructions. It excludes Account Data and Operational Telemetrydescribed in the Terms.

2.4 “Account Data” means Provider’s own account, billing, fraud-prevention, and compliance data for thecommercial relationship, for which Provider acts as an independent controller, as described in the Terms.

2.5 “Operational Telemetry” means usage and technical logs collected to operate, secure, bill, andimprove the Service, for which Provider acts as an independent controller, as described in the Terms.

2.6 “Customer Content” and “Outputs” have the meanings in the Terms.

2.7 “BYOK Secrets” means Customer-supplied credentials, keys, tokens, and similar secrets used to accessRestricted Sources, as described in the Terms.

2.8 “Restricted Sources” means sources that require credentials, paid subscriptions, or technical accesscontrols, as described in the Terms.

2.9 “Processing” or “Process” means any operation performed on Customer Personal Data, whether ornot by automated means.

2.10 “Documented Instructions” means the instructions set out in this DPA, the Terms, and Customer’sconfiguration and written directions (including through the Service UI or API), in each case within thescope of the Service.

2.11 “Security Incident” means a confirmed unauthorised or unlawful access to, or destruction, loss,alteration, or disclosure of, Customer Personal Data in Provider’s systems. Security Incident excludesunsuccessful events that do not compromise confidentiality, integrity, or availability (for example, blockedmalware, port scans, denied login attempts, or other thwarted attacks).

2.12 “Subprocessor” means any third party engaged by Provider to Process Customer Personal Data onProvider’s behalf in delivering the Service.

2.13 “Data Provider” means any third-party data or enrichment provider that Customer elects to routeTasks to, as described in the Terms; Data Providers are independent controllers (or Customer’s processorsunder Customer’s separate contracts) and are not Provider’s Subprocessors; Provider does not impose orflow down processor obligations on Data Providers.

2.14 “International Transfer” means a transfer of Customer Personal Data that would require a transfermechanism under Applicable Data Protection Law.

2.15 “SCCs” means the Standard Contractual Clauses issued pursuant to Commission ImplementingDecision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data tothird countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council(available as of the DPA effective date at
‍https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj or anysubsequent link published by the competent EU authorities). “UK Addendum” means the ICOInternational Data Transfer Addendum. “Swiss Addendum” means the adaptation required under the Swiss FADP.

2.16 “Technical and Organisational Measures” or “TOMs” means the security controls described inSection 7 and the Terms.

2.17 “Aggregated/De-identified Data” means data derived from Operational Telemetry or limited taskexecution metadata that does not identify Customer or any Data Subject and is created and used inaccordance with the Terms, without re-identification.

2.18 “Sensitive Data” means: special categories of Personal Data under Article 9 GDPR; data on criminalconvictions/offences; children’s data; precise geolocation; financial account numbers; health or biometricidentifiers; government IDs; and any other category designated as sensitive under Applicable DataProtection Law, each unless expressly permitted in this DPA or an order form.

3.1 Roles. For Customer Personal Data, Customer acts as controller/business and Provider acts asprocessor/service provider. For Account Data and Operational Telemetry, Provider acts as an independentcontroller. This DPA does not govern Processing where Provider is an independent controller.

3.2 Permitted Purpose. Provider will Process Customer Personal Data solely to provide, maintain, secure,and support the Service; to generate billing and security telemetry necessary for the Service; to perform itsobligations under the Terms; and to comply with law or a binding order. No other purpose is permittedwithout written instructions from Customer.

3.3 No sale/share; CCPA. Provider will not Sell or Share Customer Personal Data, will not combine itwith Personal Data from other customers except to perform the Permitted Purpose, and will not use it forcross-context behavioral advertising or for any purpose outside the direct business relationship withCustomer.

3.4 Details of Processing. The subject matter, duration, nature and purpose of Processing, the categoriesof Data Subjects and Personal Data, and the frequency of Processing are set out in Schedule C (Details ofProcessing).

3.5 Customer responsibilities. Customer is solely responsible for: (a) establishing a lawful basis andproviding required notices/consents; (b) determining the scope and configuration of Processing; (c)ensuring Personal Data provided is limited to what is necessary; and (d) not submitting Sensitive Dataunless expressly permitted in this DPA or an order form.

3.6 Prohibited data. Unless expressly agreed in writing, Customer will not submit: special categories ofPersonal Data, children’s data, criminal-records data, precise geolocation, government IDs, full financialaccount numbers, health or biometric identifiers, or payment card data except via Provider’s designatedpayment processor.

3.7 BYOK Secrets and Restricted Sources. Where Customer instructs Processing that requires access toRestricted Sources, Customer will supply and manage BYOK Secrets and necessary rights. Provider willuse such secrets solely to execute Customer’s instructions and will not circumvent access controls.

3.8 Data Providers. Where Customer elects to route data to a third-party Data Provider, Provider acts onlyas a conduit to transmit requests and responses under Customer’s instructions. Data Providers areindependent controllers (or Customer’s processors under Customer’s separate contracts) and are notProvider’s Subprocessors.

3.9 Locations and transfers. Provider and its Subprocessors may Process Customer Personal Data in thelocations disclosed in the Subprocessor List. Any International Transfer will comply with Section 10 andSchedule A (SCCs/UK Addendum/Swiss Addendum).

3.10 Inability to comply. If Provider cannot comply with this DPA or Applicable Data Protection Law,Provider will notify Customer without undue delay. Customer may instruct Provider to cease the affectedProcessing; Provider may suspend the relevant Processing pending instructions. Provider will not berequired to act on instructions that are unlawful or outside the Service’s documented capabilities.

4.1 Lawful, documented instructions only. Provider will Process Customer Personal Data solely onCustomer’s documented instructions set out in this DPA, the Terms, and Customer’s configurations andwritten directions through the Service UI or API.

4.2 Form of instructions. Customer’s instructions may be given by: (a) this DPA and the Terms; (b)selections, toggles, runtime parameters, and API calls made by Customer; and (c) written directionsreferencing the relevant account, feature, or Task. Customer is responsible for the accuracy and lawfulnessof all instructions.

4.3 Conflicts. If Customer’s instruction conflicts with this DPA, the Terms, or Applicable Data ProtectionLaw, Provider may suspend the instruction and request clarification. Provider will promptly notifyCustomer if, in Provider’s opinion, an instruction infringes Applicable Data Protection Law.

4.4 No expansion of purpose. Provider will not Process Customer Personal Data for purposes other thanproviding, maintaining, securing, and supporting the Service, generating necessary billing/securitytelemetry, performing its obligations under the Terms or complying with law or a binding order.

4.5 No sale/share; no cross-context advertising. Provider will not Sell or Share Customer Personal Data,use it for cross-context behavioral advertising, or combine it with Personal Data from other customersexcept to perform the permitted purposes.

4.6 Data minimisation. Customer will ensure that Customer Personal Data provided or made accessible islimited to what is necessary for the intended Task. Provider may flag obvious over-collection and, wherefeasible, offer configuration guidance without assuming controller responsibilities.

4.7 Sensitive Data. Customer will not instruct Processing of Sensitive Data unless expressly permitted inthis DPA or an order form. Provider may suspend Processing that appears to include Sensitive Data outsidethe agreed scope.

4.8 Restricted Sources and BYOK. Where instructions require access to Restricted Sources, Customerwill supply and manage BYOK Secrets and necessary rights. Provider will use such secrets only to executeCustomer’s instructions and will not circumvent access controls.

4.9 Outputs and caching. Provider will not build or maintain a shared or persistent cache of Task results,and will retain only transient artifacts or minimal logs as required to operate and secure the Service, subjectto this DPA and the Terms. Provider may use Aggregated/De-identified Data strictly in accordance with theTerms without attempting re-identification.

4.10 Illegal or infeasible instructions. Provider is not obligated to act on instructions that are unlawful,technically infeasible, or outside the documented capabilities of the Service. Provider will notify Customerand await revised instructions; Customer may issue lawful alternative instructions or disable the affectedfeature.

4.11 Changes to instructions. Customer may modify instructions through configuration or writtendirections. Provider may charge reasonable fees for material effort caused by non-standard changes, to theextent permitted by the Terms.

4.12 Record of instructions. Provider may maintain minimal audit logs evidencing the timing and sourceof instructions (including UI actions and API calls) for security, compliance, and dispute-resolutionpurposes, consistent with this DPA. Such logs may include timestamps, account identifiers, API endpointsinvoked, and high-level task metadata, but exclude task outputs except where strictly necessary for incidentresponse.

5.1 Subject matter. Processing of Customer Personal Data as necessary to provision, operate, secure,support, meter, and bill the Service under Customer’s configurations, with no shared or persistent cache ofTask results.

5.2 Duration. For the Term of the Terms of Service and the Export Window, plus limited post-terminationperiods needed for lawful retention, backups, and legal hold as set out below.

5.3 Nature of operations. Collection (transit), receipt, parsing, structuring, transmission, routing, storage(transient), retrieval, viewing (only as strictly necessary for support/incident response), deletion, andlogging as described in the Terms.

5.4 Purpose. Deliver, maintain, secure, and support the Service; generate necessary billing and securitytelemetry; comply with law or binding orders; and execute Customer’s documented instructions. No otherpurpose.

5.5 Frequency. Continuous or ad hoc, as determined by Customer’s UI/API instructions, schedules, andtriggers.

5.6 Categories of Data Subjects. Customer’s prospects, customers, suppliers, end users,employees/contractors, and other individuals whose Personal Data Customer instructs Provider to Processvia the Service.

5.7 Categories of Personal Data. Contact identifiers; professional/firmographic data; online identifiersand technical headers received during Task execution; fields Customer maps into Outputs; limitedaccount/role metadata for Authorized Users; and any other Personal Data Customer submits or makesaccessible via the Service. Payment card data is excluded except via Provider’s designated paymentprocessor. Government IDs, children’s data, health/biometric data, criminal-offence data, precisegeolocation, and similar Sensitive Data are excluded unless expressly agreed.

5.8 Special categories. Not intended to be Processed. Prohibited unless expressly permitted in this DPA oran order form with appropriate safeguards.

5.9 Sources and destinations. Customer-designated sources and destinations under Customer’s control.For “Restricted Sources,” access occurs only via BYOK Secrets supplied by Customer; Provider will notcircumvent access controls. Data Providers are independent controllers or Customer’s processors underCustomer’s separate contracts, not Provider’s Subprocessors.

5.10 Storage and locations. Provider and authorized Subprocessors Process in the regions disclosed in theSubprocessor List; no shared or persistent result cache; only transient artifacts and minimal operational logsare retained as described below.

5.11 Retention and deletion.

5.12 Technical and Organisational Measures. As described in Section 7 and in the security section of theTerms (encryption in transit/at rest, least-privilege, secret scoping, network isolation, logging, vulnerabilitymanagement, BCDR).

5.13 Access controls and confidentiality. Access to Customer Personal Data is restricted to personnel witha need to know and subject to confidentiality obligations, with prompt revocation on role change orseparation.

6.1 Personnel. Provider ensures that all personnel and contractors who access Customer Personal Data are(a) subject to written confidentiality obligations; (b) trained on data protection; and (c) granted accessstrictly on a need-to-know, least-privilege basis, with prompt revocation on role change or separation.

6.2 Permitted recipients. Provider may disclose Customer Personal Data only to: (a) Subprocessorsengaged under this DPA; (b) its professional advisers (legal, audit, insurance) under confidentiality; and (c)as required by law or binding order, subject to Section 6.5. No disclosure to Data Providers except as strictlynecessary to transmit Customer’s requests and responses under Customer’s instructions.

6.3 BYOK Secrets. Provider treats Customer-supplied credentials, keys, and tokens as confidential, usesthem solely to execute Customer’s documented instructions, applies segregation, encryption in transit andat rest, and access logging, and will not circumvent access controls for Restricted Sources.

6.4 No public disclosures. Provider will not publicly disclose Customer Personal Data, Customer Content,or Outputs. Support interactions and incident investigations are conducted under confidentiality and limitedto the minimum necessary. Viewing of Customer Personal Data occurs only where strictly necessary todiagnose an incident at Customer’s request or to enforce the AUP.

6.5 Legal demands. If Provider receives a subpoena, court order, or similar demand seeking CustomerPersonal Data, Provider will notify Customer before disclosure unless legally prohibited, seek to narrowthe request, and, where feasible, direct the requester to Customer as controller/business. Provider maypreserve minimal logs for evidentiary purposes. Provider may recover reasonable, documented costs forextraordinary assistance in narrowing or redirecting legal process to Customer, consistent with Section 8.8.

6.6 Aggregation and de-identification. Provider may use Aggregated/De-identified Data that does notidentify Customer or any Data Subject, created and used in accordance with the Terms and this DPA,without attempting re-identification.

6.7 Confidentiality survival. The confidentiality obligations in this Section survive termination untilCustomer Personal Data has been deleted from active systems and backups in accordance with this DPAand the Terms.

7.1 Security programme and governance. Provider maintains a written, risk-based information securityprogramme appropriate to the Service, with policies, standards, training, ownership, and periodic review.

7.2 Access control and authentication. Workforce access to production systems is least-privilege andneed-to-know, with strong authentication for privileged roles, logging of admin actions, and promptrevocation on role change or separation.

7.3 Encryption and key management. Customer Personal Data and BYOK Secrets are protected byencryption in transit and at rest, with key-management controls and secret scoping per Customer/Taskwhere technically feasible.

7.4 Secrets management and misuse prevention. BYOK Secrets are segregated, access-logged, and usedonly to execute Customer’s documented instructions. Runtime is instrumented to detect and block suspectedsecret misuse or exfiltration; execution may be terminated on suspicion. Debug artifacts that could exposesecrets may be redacted.

7.5 Network and platform security. Layered controls include segmentation, managed firewalls/WAF,hardened images, baseline telemetry, DDoS protections, and rate-limiting/queuing/blocking to preserveintegrity.

7.6 Logging, monitoring, and audit. Provider maintains baseline telemetry and minimal audit logs forsecurity, billing, and abuse prevention (e.g., task IDs, timestamps, targeted domains, HTTP/error codes,triggering signals). Logs may be preserved for legal matters.

7.7 Vulnerability and patch management. Assets are inventoried and remediated on a risk-based scheduleconsidering exploitability, exposure, and business impact. Cryptography and protocol baselines (e.g., TLSminimums) may be rotated/deprecated with notice where practicable.

7.8 Secure development and change management. Provider applies SDLC controls includingdependency management/supply-chain hygiene, code review, change approval, environment segregation,and deployment logging.

7.9 Business continuity and disaster recovery. Documented BCDR plans exist and are tested periodically.Recovery time/point objectives, if any, are governed exclusively by the SLA.

7.10 Data minimisation, retention, and deletion. No shared or persistent result cache. Only transientprocessing artifacts and minimal operational logs are retained per Section 5 and the Terms; backups purgeon standard cycles; legal hold may extend retention.

7.11 Customer destinations and webhooks. Customer is responsible for its outbound destinations.Provider may require domain verification, mutual auth or signing, reject unsigned/unverified callbacks, andlimit egress to verified domains.

7.12 Configuration enforcement. Provider may enforce baseline security settings (e.g., MFA, SSO, IPallow-listing, webhook verification, event signing, ASN/region/domain deny-lists) and suspend noncompliant Tasks/features after notice.

7.13 Subprocessors. Provider binds infrastructure Subprocessors to protections no less protective thanthose in this DPA and the Terms, performs proportionate due diligence, and may replace/add Subprocessorssubject to the DPA notice/objection workflow.

7.14 Testing constraints. No penetration tests, scans, scraping or traffic-generation tests against the Servicewithout Provider’s prior written consent and defined scope. No implied authorisation or bug-bounty absentan agreed safe-harbour.

7.15 Legal process and narrowing. Upon lawful process seeking Customer Content/Personal Data,Provider follows the Terms’ notification and narrowing procedures and, where feasible, directs the requesterto Customer as controller/business.

7.16 Documentation and evidence. Upon reasonable request, Provider may provide summaries of controlsand third-party reports/attestations to demonstrate compliance, subject to confidentiality and reasonable feerecovery for extraordinary efforts.

7.17 Updates to TOMs. Provider may update these TOMs to reflect evolving risks, technologies, or legalrequirements. Protections will not be materially reduced during the Term, and updates will follow theTerms’ notice/versioning model. Provider will give reasonable advance notice of material TOM changesthat require Customer configuration changes, where practicable

8.1 Definition. “Security Incident” has the meaning in Section 2.11 of this DPA. Unsuccessful events thatdo not compromise confidentiality, integrity, or availability (e.g., blocked malware, denied logins, orthwarted scans) are excluded.

8.2 Notification. Provider will notify Customer without undue delay and in any event within seventy-two(72) calendar hours after confirmation of a Security Incident within Provider’s systems affecting CustomerPersonal Data. The initial notice will describe, to the extent known at the time: (a) the nature of the SecurityIncident; (b) categories of affected Personal Data and Data Subjects; (c) approximate volume of records;(d) likely consequences; (e) measures taken or proposed to address and mitigate; and (f) a point of contact.Provider will provide updates as more information becomes available. Notices do not admit fault or liability.

8.3 Cooperation. Provider will promptly take reasonable steps to contain, investigate, and remediate theSecurity Incident and will cooperate with Customer’s reasonable requests for information, assistance, andrecords necessary to fulfil Customer’s legal obligations, including regulator and Data Subjectcommunications where Customer is controller.

8.4 Forensics and preservation. Provider may preserve minimal audit logs and related artifacts forevidentiary purposes and to investigate the Security Incident, consistent with retention limits in this DPAand the Terms. Upon request, Provider will share summaries of relevant logs and findings to the extent theyrelate to Customer Personal Data and do not disclose Provider confidential information or third-party data.

8.5 Public disclosures. Customer and Provider will coordinate on any public statements about the SecurityIncident relating to the Service. Customer will not attribute fault to Provider or disclose Providerconfidential details without Provider’s prior written approval, except where legally required. Nothingdelays statutory notifications by Customer.

8.6 Legal process. If the Security Incident involves governmental or third-party legal process seekingdisclosure of Customer Personal Data, Provider will follow the notification and narrowing mechanics inthe Terms and, where feasible, direct the requester to Customer as controller/business.

8.7 Scope limits. Provider’s obligations apply only to Security Incidents within Provider’s systems.Incidents in Customer environments, Customer-designated destinations, BYOK credentials outsideProvider’s control, or at Data Providers are outside scope; Provider will provide reasonable assistancewhere technically feasible.

8.8 Cost recovery for extraordinary assistance. Provider may recover reasonable, documented costs forout-of-scope or extraordinary assistance (e.g., e-discovery, forensic imaging, regulator inquiries) not causedby Provider’s breach, as permitted in the Terms.

8.9 Records. Provider will document Security Incidents and corrective actions taken and retain such recordsin accordance with this DPA’s retention rules and the Terms.

9.1 General authorisation. Customer grants Provider a general authorisation to engage Subprocessors toProcess Customer Personal Data for the Service, subject to this Section 9.

9.2 Subprocessor List and notice. Provider will maintain a public Subprocessor List identifying currentSubprocessors and their locations. Provider will give at least thirty (30) days’ advance notice of any additionor replacement, where practicable, via the Subprocessor List and the notice mechanisms in the Terms.

9.3 Objection right. Customer may object on reasonable, data-protection grounds by written notice withinfifteen (15) days after the notice in 9.2. Upon a timely objection, Provider will, in good faith, propose acommercially reasonable alternative such as: (a) reconfiguration to avoid the Subprocessor; (b) disablingor providing an alternative for the affected feature; or (c) regional/tenant isolation. If no alternative isfeasible, either Party may terminate the affected Service scope only, with a pro-rata refund of prepaid,unused Fees for that scope. No other remedy or damages apply.

9.4 Flow-down and liability. Provider will (a) engage Subprocessors under written contracts imposingdata-protection obligations no less protective than this DPA and the security controls in the Terms; and (b)remain responsible for each Subprocessor’s performance to the extent Provider would be responsible ifperforming directly. Provider’s responsibility for Subprocessors is limited to obligations applicable toProvider as processor under this DPA and does not extend to Data Providers or Customer-designatedrecipients.

9.5 International transfers. Where a Subprocessor’s Processing involves an International Transfer,Provider will ensure a valid transfer mechanism (e.g., SCCs Module 3, UK Addendum, Swiss addendum)is in place with that Subprocessor, with supplementary measures as needed.

9.6 Due diligence. Provider will assess the Subprocessor’s security, privacy, and compliance postureproportionate to the risk before engagement and at reasonable intervals thereafter, and will monitor materialchanges relevant to this DPA.

9.7 Emergency engagement. For urgent continuity, security, or legal reasons, Provider may engage areplacement Subprocessor on shorter notice. Provider will notify Customer promptly thereafter and honourthe objection process in 9.3; remedies apply from the date of notice.

9.8 Scope limitation. Subprocessors may Process Customer Personal Data only to deliver the subcontractedportion of the Service under Provider’s instructions and may not Sell or Share Customer Personal Data, useit for cross-context advertising, or for purposes outside the direct business relationship.

9.9 Information on Subprocessors. Upon reasonable request, Provider will provide a summary descriptionof the Subprocessor’s role, locations, and the transfer mechanism used, and—where available—summaryaudit reports or certifications, subject to confidentiality.

9.10 Records. Provider will maintain records of Subprocessor engagements sufficient to demonstratecompliance with this Section and applicable transfer requirements and will make them available toCustomer on reasonable request, subject to confidentiality.

10.1 Mechanisms. Provider will make any International Transfer only under a valid mechanism, in thisorder of precedence: (a) an adequacy decision covering the destination; (b) the EU Standard ContractualClauses (SCCs) with any required supplementary measures; and, for the UK and Switzerland, (c) the UKAddendum and the Swiss addendum, respectively. If Provider participates in an approved certificationrecognised as adequate (e.g., an EU/UK/Swiss data-transfer framework), that certification may serve as themechanism for the covered flows; if it ceases to apply, SCCs and addenda automatically replace it.

10.2 SCC modules and incorporation. The parties incorporate the SCCs by reference with the followingmapping: Module 2 (Controller → Processor) for transfers from Customer to Provider; Module 3 (Processor→ Processor) for onward transfers from Provider to Subprocessors. The SCC annexes are completed by:Annex I(A)-(C) = the parties and Details of Processing in Schedule C; Annex II = the TOMs in Section 7;Annex III = the Subprocessor List. The optional docking clause applies.

10.3 Supplementary measures. Provider will apply technical, contractual, and organisationalsupplementary measures appropriate to the transfer risk, including encryption in transit and at rest, accesscontrols, secret scoping, logging, and data-minimisation. Where feasible, Customer may select EU/EEA10regional processing options offered by Provider. Where regional processing is offered and selected byCustomer, Provider will configure Processing to the selected region for in-scope data flows, subject todocumented product limits.

10.4 Transfer impact assessments. Provider will assess, at reasonable intervals, whether laws andpractices at the destination may impinge on the effectiveness of the mechanism and measures. On request,Provider will provide a summary of its assessment sufficient for Customer’s own analysis, subject toconfidentiality.

10.5 Government access requests. Provider will: (a) carefully review the legality of any governmentaccess demand; (b) challenge unlawful or disproportionate demands where reasonable; (c) disclose onlythe minimum required; (d) notify Customer before disclosure unless legally prohibited; and (e) keep recordsenabling verification of compliance with the SCCs/addenda.

10.6 Onward transfers. Provider will not permit Subprocessors to make onward transfers except under amechanism and protections equivalent to this Section 10 (including SCCs Module 3, UK Addendum, andSwiss addendum, as applicable) and only for the subcontracted Processing.

10.7 Inability to comply. If Provider determines it cannot comply with the SCCs, an addendum, or theagreed supplementary measures, Provider will notify Customer without undue delay. Customer may instructsuspension of the affected Processing; if compliance cannot be restored within a reasonable period, eitherparty may terminate the affected scope. Provider will refund prepaid, unused Fees for the terminated scopeon a pro-rata basis.

10.8 Records and audits of transfer safeguards. Provider will maintain records demonstrating themechanisms and measures applied to International Transfers and, upon reasonable request, will provideCustomer with summaries or third-party attestations sufficient to verify compliance, subject toconfidentiality and reasonable fee recovery for extraordinary efforts.

10.9 Precedence. In case of conflict, the SCCs, UK Addendum, or Swiss addendum control for theirrespective transfers. All other matters remain governed by this DPA and the Terms.

11.1 Reports and information. Upon reasonable request, Provider will make available summaries of itssecurity controls and third-party reports or attestations (e.g., SOC/ISO) sufficient to demonstratecompliance with this DPA, subject to confidentiality.

11.2 Audit right (last resort). If the materials in 11.1 are insufficient, Customer may conduct a targetedaudit of Provider’s Processing of Customer Personal Data once every twelve (12) months, or morefrequently if required by law or following a confirmed Security Incident impacting Customer Personal Data.

11.3 Scope and method. Audits are limited to systems and records that Process Customer Personal Datafor the Service. No source code, unrelated environments, or other customers’ data. Audits use mutuallyagreed procedures and may be remote document reviews or on-site inspections during normal businesshours. Pen-tests or scans of the Service require Provider’s prior written consent and defined scope.

11.4 Notice and coordination. Customer will give at least thirty (30) days’ prior written notice (or shorterwhere legally required), propose scope and objectives, and avoid undue disruption. The Parties willcoordinate to narrow scope, schedule, and format.

11.5 Auditors. Audits are performed by Customer or an independent, qualified third party bound by writtenconfidentiality obligations no less protective than this DPA. Provider may object to auditors for reasonableconflict-of-interest or security reasons and Customer will appoint an alternative.

11.6 Confidentiality and safety. Audit access is subject to Provider’s facility and security rules. Customerwill treat all non-public information obtained in an audit as Provider Confidential Information and will notuse it for any purpose other than verifying compliance.

11.7 Findings and remediation. Customer will share a copy of any audit report with Provider. The Partieswill agree remediation plans for material findings within a reasonable period considering severity andfeasibility.

11.8 Costs. Each Party bears its own audit costs. Provider may charge reasonable, documented Fees fortime and materials spent on audits beyond the provision of reports in 11.1 or for extraordinary efforts (e.g.,bespoke evidence, regulator-driven work), as permitted by the Terms.

11.9 Audits do not include live forensics, source code access, memory dumps, or intrusive scans ofproduction. Unless required by law or following a confirmed Security Incident, audits occur no more thanonce in any rolling twelve-month period.

12.1 Export on demand and at end of Term. During the Term and for thirty (30) calendar days aftertermination (the “Export Window”), Provider will make commercially reasonable self-service toolsavailable for Customer to export then-existing Outputs and configuration artefacts in standard formats (e.g.,JSON/CSV/Parquet). No SLA applies to export features.

12.2 Deletion on request. At any time, Customer may request deletion of Customer Personal Data thatProvider Processes as processor/service provider. Provider will delete such data from active systemswithout undue delay and in any event within thirty (30) days of a valid written request, subject to 12.4-12.7.Upon a valid deletion request or termination, Provider will schedule revocation and purge of BYOK Secretsfrom active systems without undue delay and will apply the same to backups on standard cycles. Wheretechnically feasible, Provider will return a confirmation of revocation consistent with Section 12.5.

12.3 Post-termination deletion. After the Export Window, Provider will delete Customer Personal Dataremaining in active systems; backups purge on standard rolling cycles; restoration from backups after thepurge point is not performed.

12.4 Transient artefacts and logs. Transient processing artefacts are purged by default within seventy-two(72) hours of Task completion. Minimal operational telemetry/audit logs (e.g., task IDs, timestamps,targeted domains, HTTP/error codes, abuse/block signals, instruction acknowledgements) may be retainedfor up to one hundred eighty (180) days for security, billing, abuse prevention, and support, and longerwhere required by law or legal hold.

12.5 Certificates of deletion. Upon Customer’s written request, Provider will provide written confirmationthat deletion under 12.2–12.4 has been completed for active systems and that backups will purge onstandard cycles.

12.6 Legal holds and compliance. Provider may retain Customer Personal Data or related logs as requiredby law, court order, governmental request, regulator inquiry, or legal hold. Provider will limit retention tothe minimum necessary and will delete once the basis ends.

12.7 Customer destinations and third parties. Deletion obligations here do not extend to Customerdesignated destinations, Customer environments, or third-party Data Providers. Customer remainsresponsible for deletions in those locations and for any recall requests issued by Data Providers or platformowners.

12.8 Aggregated/De-identified Data. Deletion does not require removal of Aggregated/De-identified Datathat does not identify Customer or any Data Subject and is maintained in accordance with this DPA and theTerms.

12.9 No reconstruction or re-execution. Provider is not required to reconstruct data obtainable only fromRestricted Sources or Data Providers, to re-run Tasks, or to retrieve third-party materials.

12.10 Non-standard assistance. Provider may charge reasonable, documented fees for out-of-scopedeletion/export work (e.g., bespoke search across archives, regulator-driven evidence gathering) to theextent permitted by the Terms.

13.1 If Provider receives any requests from Data Subjects seeking to exercise any rights afforded to themunder Applicable Data Protection Laws regarding their Personal Data, and to the extent legally permitted,will promptly notify Customer or refer the Data Subjects to Customer for handling. Such requests relatedto Personal Data may include: access, rectification, restriction of Processing, erasure (“right to beforgotten”), data portability, objection to the Processing, or to not be subject to automated individualdecision making (each, a "Data Subject Request").

13.2 Provider will not respond to such Data Subject Requests itself, and Customer authorizes Provider toredirect the Data Subject Request as necessary to Customer for handling. If Customer is unable to directlyrespond to a Data Subject Request made by a Data Subject itself, Provider will, upon Customer’s writtenrequest, provide commercially reasonable efforts to assist Customer in responding to the Data SubjectRequest, to the extent Provider is legally permitted to do so and the response to such Data Subject Requestis required under Applicable Data Protection Laws.

13.3 To the extent legally permitted, Customer will be responsible for any costs arising from Provider'sprovision of this additional support to assist Customer with a Data Subject Request.

13.4 Identity verification; misdirected requests; limitations. Provider will reasonably verify the identityof any requester before forwarding a Data Subject Request. If a request reasonably appears misdirected,Provider may either reject it or refer the requester to Customer. Provider’s assistance is limited toinformation available in Provider’s systems as processor and does not include searches of Customerdestinations, Data Providers, backups beyond standard cycles, or reconstruction of data. Time spent on outof-scope assistance may be charged per Section 8.8.

14.1 Upon reasonable written request, Provider will provide proportionate assistance with Customer’s dataprotection impact assessments, prior consultations with supervisory authorities, and responses to regulatorinquiries that relate to Provider’s Processing as processor. Assistance is limited to information about theService and TOMs. Out-of-scope or extraordinary efforts (e.g., bespoke evidence packages, regulatordriven workshops) may be charged on a time-and-materials basis as permitted in the Terms.

15.1 Mutual representations. Each Party represents that it is duly organised, validly existing, and has fullpower and authority to enter into and perform this DPA; and will comply with Applicable Data ProtectionLaw when performing hereunder.

15.2 Provider warranties. Provider warrants that it will: (a) Process Customer Personal Data only onCustomer’s Documented Instructions and for the Permitted Purpose; (b) implement and maintain theTOMs; (c) bind personnel to confidentiality; (d) enter into written contracts with Subprocessors imposingprotections no less protective than this DPA and remain responsible for them; and (e) maintain anappropriate transfer mechanism for any International Transfer.

15.3 Customer warranties. Customer warrants and represents that it: (a) acts as controller/business forCustomer Personal Data and determines the purposes and means of Processing; (b) has provided all notices,obtained all consents, and established all lawful bases required under Applicable Data Protection Law; (c)will not instruct unlawful or infeasible Processing and will not submit Sensitive Data except as expresslypermitted in this DPA or an order form; and (d) will provision and manage BYOK Secrets and rights forany Restricted Sources it instructs Provider to access.

15.4 Disclaimer. Except as expressly stated in this DPA, Provider gives no other warranties, express orimplied, including merchantability, fitness for a particular purpose, or non-infringement. The disclaimersand exclusive remedies in the Terms apply to this DPA. This DPA does not enlarge the caps or exclusionsin the Terms.

15.5 Severability. If any provision of this DPA is held invalid, the remainder will remain in effect. TheParties will replace the invalid provision with a valid one that most closely reflects the original intent andrisk allocation.

15.6 No third-party beneficiaries. There are no third-party beneficiaries to this DPA, except to the limitedextent the SCCs, UK Addendum, or Swiss addendum grant third-party rights to Data Subjects.

15.7 Assignment. Assignment follows the Terms. Any assignment inconsistent with the Terms is void.

15.8 Notices. Notices under this DPA follow the notice mechanics in the Terms and must reference thisDPA.

15.9 Entire agreement on Processing. This DPA (including its Schedules and the incorporated SCCs/UKAddendum/Swiss addendum) is the Parties’ entire agreement on Processing of Customer Personal Data andsupersedes prior data-processing terms for the Service.

15.10 Precedence and conflicts. Conflicts are resolved per Section 1.4 of this DPA; for transfers, theSCCs/UK Addendum/Swiss addendum prevail. Nothing in this DPA limits mandatory rights of DataSubjects or supervisory authorities.

15.11 Survival. The following survive termination: Sections 3.4, 5.11, 6, 7, 8, 10, 11, 12, 15, and theSchedules; plus any terms which by their nature should survive.

15.12 Governing law and forum. Governing law, venue, and dispute resolution are as set out in the Terms,except that the law governing the SCCs/UK Addendum/Swiss addendum is as specified in thoseinstruments for their purposes.

15.13 Counterparts; electronic acceptance. This DPA may be executed in counterparts and acceptedelectronically. Electronic records and copies are deemed originals.

15.14 No conflict with Terms. Nothing in this DPA expands Provider’s liability caps, exclusions, orexclusive remedies set out in the Terms; in case of conflict on liability allocation, the Terms control.

1. Incorporation by reference. The parties incorporate the European Commission Standard ContractualClauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679,Commission Implementing Decision (EU) 2021/914 (the “SCCs”), as amended from time to time. ThisSchedule A supplements Section 10 of the DPA and prevails for cross-border transfers in case of conflict.

2. Applicable SCC Modules and Options.
2.1 Module 2 (Controller to Processor): transfers from Customer to Provider.
2.2 Module 3 (Processor to Processor): transfers from Provider to Subprocessors.
2.3 Clause 7 (Docking clause): applies.
2.4 Optional clauses: as permitted, the parties adopt supplementary safeguards described in Section 7.

3. Completion of SCC Annexes.
Annex I(A)-(C): Parties, description of processing, and competent supervisory authority are taken fromSchedule C and the DPA.
Annex II: Technical and organizational measures are set out in Section 7.
Annex III: Authorized Subprocessors are listed in Schedule D.

4. UK Addendum. The “International Data Transfer Addendum to the EU Commission StandardContractual Clauses” issued by the UK ICO (as in force on the Effective Date) is incorporated.
4.1 Table 1 (Parties): as Annex I to the SCCs.
4.2 Table 2 (Selected SCCs, Modules, Clauses): Module 2 and Module 3, as above.
4.3 Table 3 (Appendix Information): Details of Processing per Schedule C; TOMs per Section 7;Subprocessors per Section 7.
4.4 Table 4 (Affected Addendum changes): Option A1 (automatic amendments), unless overridden in anOrder.

5. Swiss Addendum. For transfers subject to the Swiss Federal Act on Data Protection (FADP), the SCCsapply mutatis mutandis with these adaptations: references to the GDPR are read as references to the FADP;“Member State” means Switzerland; the competent authority is the FDPIC; data subjects include Swissresidents.

6. Supplementary Measures. The parties adopt encryption in transit and at rest, key management, accessminimization, network isolation, logging, employee access controls, government request handling, andother safeguards described in Section 7.

7. Transfer Impact Assessments and Government Requests. Provider conducts and documents transferrisk assessments for relevant jurisdictions and, where lawful, notifies Customer of government accessrequests and challenges unlawful or disproportionate requests.

1. Role. For California Personal Information, Provider acts as a “Service Provider” under the CCPA/CPRAand processes such information solely to provide the Services to Customer on documented instructions.

2. No Sale or Sharing. Provider does not “Sell” or “Share” Personal Information (as defined in theCCPA/CPRA), including for cross-context behavioral advertising.

3. Limited Purpose. Provider will not retain, use, or disclose Personal Information for any purpose otherthan providing the Services, including maintaining or improving their quality and security, or as otherwisepermitted by the CCPA/CPRA. Provider will not combine Personal Information from different customersexcept as necessary for the permitted purposes or in de-identified/aggregated form.

4. Subprocessors. Provider may engage Subprocessors under written contracts imposing obligations noless protective than those in this DPA. Subprocessors may not Sell or Share Personal Information.

5. Consumer Requests. Provider promptly forwards Consumer requests it receives to Customer andprovides reasonable assistance to enable Customer to respond, to the extent technically feasible and legallyrequired.

6. Audits/Attestations. Upon request and subject to confidentiality, Provider will make available relevantattestations or summaries of audits relating to the Services. If such materials are insufficient, a focusedaudit may be performed as described in Section 11 of the DPA.

7. Deletion/Return. Upon termination or on written request, Provider will delete or return PersonalInformation as described in Section 12 of the DPA, subject to legal retention requirements.

8. Certification. Provider certifies it understands and will comply with the obligations set out in thisSchedule B.

1. Subject matter. Processing of Customer Personal Data to provide, operate, secure, support, meter, andbill the Services under Customer-configured workflows. Provider does not maintain a general or persistentcache of task outputs.

2. Duration. For the Term of the Terms and any export window specified in the DPA, plus minimal periodsfor logs and backups as required by law and described herein.

3. Nature and Processing Activities. Ingestion, transmission, parsing, transformation, routing, ephemeralstorage, selective human review for support/security incidents, deletion, and logging.

4. Purpose(s). Provision, maintenance, secure and protection of the Services; customer support; billing andfraud prevention; compliance with applicable law and legally binding requests. Any other purpose requiresprior written instructions from Customer.

5. Frequency. Continuous and/or ad hoc, triggered by Customer’s use of the Services via UI or API andCustomer schedules.

6. Categories of Data Subjects. Customer’s end users; Customer’s customers, leads, suppliers, andcontacts; Customer personnel and contractors; any other individuals whose data Customer submits to theServices.

7. Categories of Personal Data. Identifiers, business contact data, online identifiers and technical metadatagenerated during Task execution, fields mapped by Customer into Outputs, and limited account/rolemetadata for Authorized Users. Payment card data is excluded except where handled by Provider’s paymentprocessor. Special categories are not intended without a separate written agreement.

8. Sensitive Data / Special Categories. Not intended or required. Customer must not submit specialcategories or similarly sensitive data unless expressly agreed in writing and protected by additionalmeasures.

9. Sources and Destinations. As configured by Customer. Access to Restricted Sources requires Customerprovided secrets/credentials; Provider will not circumvent access controls. Routing to third-party dataproviders occurs under those providers’ terms; such providers are independent controllers/processorsengaged by Customer, not Provider’s Subprocessors.

10. Locations of Processing. Data centers and Subprocessors listed at the Subprocessor List in Section 7.No persistent cache of outputs; only ephemeral artifacts and minimal logs retained per this Schedule.

11. Retention and Deletion.

Technical and Organizational Measures. As described in Section 7.

1. Subprocessor List is available at: https://crona.ai/subprocessors.
‍
2. Subprocessor Changes; Objection Window; Sole Remedies.