Data Processing Addendum
This Data Processing Addendum (the “DPA”) forms part of and is incorporated into the Master Cloud Services Agreement between IFORELS Inc. (“Provider”) and the customer that has executed the MSA or otherwise accepted it by use of the Services (“Customer”). It governs Provider's processing of Customer Personal Data on Customer's behalf under the GDPR, UK GDPR, the Swiss FADP, and the California Consumer Privacy Act as amended by the CPRA.
Last updated · June 2025
1. Definitions
- Applicable Data Protection Law means the GDPR, the UK GDPR, the Swiss FADP, the CCPA / CPRA, and any other privacy or data protection law applicable to Provider's processing of Customer Personal Data under the MSA.
- Customer Personal Data means personal data within Customer Data that Provider processes on Customer's behalf as a processor / service provider.
- SCCs means the EU Standard Contractual Clauses approved by the European Commission in 2021/914, modules 2 (controller to processor) and 3 (processor to processor) as applicable.
- UK Addendum means the International Data Transfer Addendum to the SCCs issued by the UK ICO under section 119A of the Data Protection Act 2018.
- Other capitalized terms have the meaning given in the MSA or in Applicable Data Protection Law.
2. Roles and scope
Customer is the controller (or, where applicable, the “business”) of Customer Personal Data. Provider is the processor (or “service provider”) acting on Customer's documented instructions. The MSA, Customer's use of the Services, and any written, mutually agreed instructions are Customer's documented instructions.
3. Nature, purpose, and limits of processing
Provider processes Customer Personal Data only to provide the Services and to comply with law. Specifically, Provider shall not:
- access or use Customer Personal Data except as necessary for the Services or required by law;
- use Customer Personal Data to train, fine-tune, or improve any of Provider's models, products, or services;
- aggregate or commingle Customer Personal Data with other customers' data;
- sell or “share” (as defined under the CPRA) Customer Personal Data; or
- process Customer Personal Data outside the direct business relationship with Customer.
Provider certifies its understanding of these restrictions and will inform Customer if it determines it can no longer meet them.
4. Details of processing
- Subject matter: the provision of the Services as set out in the MSA.
- Duration: the term of the MSA plus the retention periods in §6.6 of the MSA.
- Nature and purpose: hosting, storing, computing, and transmitting Customer Data on bare-metal Instances and the platform infrastructure.
- Categories of data subjects: as determined by Customer; typically Customer's end users, employees, and any individuals whose data is contained in Customer Data.
- Categories of personal data: as determined by Customer; may include identifiers, contact data, professional data, technical and behavioral data, and any data Customer chooses to process on the platform.
5. Sub-processors
Customer authorizes Provider to engage sub-processors. Provider maintains a list of current sub-processors and the locations where each processes data. Provider notifies Customer of any intended changes to that list at least thirty (30) days before the change takes effect; Customer may object on reasonable data-protection grounds within fourteen (14) days. If the parties cannot agree on a remediation, Customer may terminate the affected Services with pro-rata refund of prepaid fees.
Each sub-processor is bound by a written agreement that imposes data-protection obligations no less protective than those in this DPA.
6. Security
Provider implements and maintains the technical and organizational measures described in §6.5 of the MSA and on the security overview, including AES-256 encryption at rest, TLS 1.2+ in transit, MFA for administrative access, network segmentation, IDS/IPS, monthly vulnerability scanning, annual third-party penetration testing, background checks, and least-privilege access controls. Provider reviews these measures regularly and may update them, provided the level of protection is not materially diminished.
7. Personal Data Breach notification
Provider notifies Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include the nature of the Breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Provider provides reasonable assistance to Customer in meeting Customer's own breach-notification obligations.
8. Data-subject rights and assistance
Provider shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfil Customer's obligations to respond to data-subject requests under Applicable Data Protection Law. If Provider receives a request directly from a data subject, it will, where lawful, refer the data subject to Customer and not act on the request without Customer's instructions.
9. Audits and information
Provider makes available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including the most recent SOC 2 Type II report and a summary of the most recent third-party penetration test (under NDA). Customer may, at its expense and on reasonable prior notice, conduct an audit limited to information not already provided in the SOC 2 report; audits shall not unreasonably interfere with Provider's operations and shall be subject to confidentiality obligations. Provider notifies Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
10. International transfers
Where Customer Personal Data subject to the GDPR is transferred from the EEA, Switzerland, or the UK to a country not benefiting from an adequacy decision, the parties incorporate the SCCs as follows:
- Module 2 (controller to processor) applies where Customer is a controller; Module 3 (processor to processor) applies where Customer is a processor.
- Clause 7 (Docking clause) is included.
- Clause 9 (Use of sub-processors): option 2 (general written authorization), with the notice period in §5 above.
- Clause 11(a) (Redress): the optional independent dispute resolution body is not selected.
- Clause 17 (Governing law): Republic of Ireland.
- Clause 18 (Forum): courts of Ireland.
- The Annexes to the SCCs are populated by Annex I (parties), Annex II (processing details), and Annex III (security measures) of this DPA.
- For UK transfers, the UK Addendum to the SCCs is incorporated; tables are completed by reference to this DPA.
- For Swiss transfers, references to the GDPR include the Swiss FADP and references to EU member states include Switzerland.
11. CCPA / CPRA — Service Provider terms
To the extent Provider processes Personal Information (as defined under CPRA) of California residents, Provider acts as a Service Provider. Provider:
- shall not sell or share Personal Information; shall not retain, use, or disclose Personal Information outside the direct business relationship with Customer or for any purpose other than the Business Purposes specified in the MSA;
- certifies its understanding of these restrictions;
- shall provide the same level of privacy protection as is required of businesses by the CPRA;
- shall promptly notify Customer if Provider determines it can no longer meet its obligations and, in such case, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use; and
- shall enable Customer to comply with consumer requests under the CPRA, including requests to know, delete, correct, and limit use of sensitive personal information.
12. Return and deletion
On expiration or termination of the Services, Customer has seven (7) days to retrieve Customer Personal Data, after which Provider will delete it using commercially reasonable methods. Enterprise customers may contract for an extended retrieval period (up to thirty (30) days) and NIST SP 800-88 certified deletion with written certification.
13. Liability and conflicts
Each party's liability under this DPA is subject to the limitations of liability in §10 of the MSA. In case of conflict between this DPA and the MSA, this DPA controls with respect to the processing of Customer Personal Data; in case of conflict between this DPA and the SCCs, the SCCs control.
Annex I · Parties and processing
Data exporter / controller: the Customer identified in the MSA. Data importer / processor: IFORELS Inc., 101 Jefferson Drive, Menlo Park, CA 94025, USA. DPO contact: dpo@iframe.ai.
Categories of data subjects, categories of personal data, sensitive data, frequency, nature, purpose, retention, and onward transfers: as set out in §3, §4, §5, §10, and §12 of this DPA.
Competent supervisory authority: the Irish Data Protection Commission (Ireland) for EEA exports; the UK ICO for UK exports; the FDPIC for Swiss exports.
Annex II · Technical and organizational measures
The technical and organizational measures applied by Provider are described in §6 of this DPA, in §6.5 of the MSA, and on the security overview. Provider may update these measures from time to time, provided the level of protection is not materially diminished.
Annex III · Sub-processors
Provider's current list of sub-processors, including the processing activities each performs and the countries in which each operates, is published at cloud.iframe.ai/legal/subprocessors. Customers receive thirty (30) days' advance notice of changes via the platform and via email to the primary administrator on the Account.
Contact
Privacy questions: privacy@iframe.ai. DPA execution and data-protection inquiries: dpo@iframe.ai. Postal address: IFORELS Inc., 101 Jefferson Drive, Menlo Park, CA 94025, USA.
Legal inquiries: dpo@iframe.ai