GDPR Compliance - Data Processing Addendum (DPA)
Last updated: September 2025
This DPA is incorporated into the MSSA and applies when Provider processes Personal Data on behalf of Client (acting as Controller).
1. Definitions
- Personal Data: Any data relating to an identified or identifiable natural person.
- Processing: Any operation on Personal Data (collect, store, use, etc.).
2. Processing Details
- Subject Matter: Delivery of AI Agents, Teams, and Orchestrations, SaaS and Services
- Duration: Term of MSA + 30 days
- Nature/Purpose: Generate marketing campaigns using Client Data
- Data Subjects: Client’s customers, leads, employees
- Data Types: Name, email, behavior, preferences
3. Controller Obligations
Client warrants:
- Lawful basis for processing (e.g., consent, legitimate interest)
- Transparency with data subjects
- Honors data subject rights (DSARs)
4. Processor Obligations
Provider shall:
- Process Personal Data only on documented instructions (MSA, SOW, Order Form)
- Ensure personnel are bound by confidentiality
- Implement technical and organizational measures (per Annex I)
- Assist with DSARs, breaches, DPIAs (at Client’s cost)
- Notify Client of breach without undue delay (max 48 hrs)
- Delete/return data at term end
- Allow audits (with 30-day notice, max 1/year)
5. International Transfers
Data stored in EU or US (AWS Frankfurt / Oregon)
Transfers protected by:
- EU Standard Contractual Clauses (SCCs) (2021/914)
- UK Addendum (if applicable)
6. Annex I – Security Measures
- Encryption: AES-256 at rest, TLS 1.3 in tra

