DATA PROCESSING AGREEMENT

Last updated: 12/17/2025 • Version 1.0

Between: Superagent Technologies, Inc., 1111B S Governors Ave STE 3232, Dover, DE 19904, United States ("Processor")

and

[Subscriber Name], [Address] ("Controller")

Effective Date: [Date of Services Agreement]


RECITALS

Subscriber and Processor have entered into a Services Agreement for AI-powered security services. In providing these Services, Processor may process Personal Data on behalf of Subscriber. This Data Processing Agreement ("DPA") governs such processing in compliance with applicable Data Protection Laws including GDPR.


1. DEFINITIONS AND SCOPE

1.1 Definitions

Capitalized terms used in this DPA have the meanings set forth below or in the Services Agreement. Terms defined in GDPR (such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject") have their GDPR meanings.

Data Protection Laws: All applicable data protection and privacy laws, including GDPR, UK GDPR, Swiss FADP, and US state privacy laws.

Personal Data: Information relating to an identified or identifiable natural person that Subscriber submits to the Processor API, as specified in Appendix A.

Services: Processor's API-based security capabilities (Guard, Verify, Redact) as described in the Services Agreement.

Sub-processor: Third party engaged by Processor to process Personal Data on behalf of Subscriber.

Transient Processing: Processing that occurs in system memory for 500-5,000 milliseconds (maximum 60 seconds) with immediate deletion upon API response completion.

1.2 Scope and Integration

This DPA applies exclusively to Personal Data submitted to the Processor API for security processing. It does NOT cover Subscriber's user account data or dashboard activities, which are governed by Processor's Privacy Policy as a separate Controller-to-Controller relationship.

This DPA forms part of and is incorporated into the Services Agreement. In case of conflict, this DPA prevails regarding Personal Data processing.

1.3 Transient Processing Model

Processing Duration: Personal Data is processed transiently in memory only. Typical duration is 500-5,000ms per API request, never exceeding 60 seconds.

Immediate Deletion: Upon API response, Personal Data content is immediately deleted from system memory through automated scrubbing procedures.

What Is Logged: Metadata only (timestamp, endpoint, status code, latency, error codes, capability type, hashed session IDs).

What Is NOT Logged: API payload content, response content, any actual Personal Data values, or processing outputs.

Log Retention: Metadata logs retained until account deletion or upon written request. No fixed retention period.

No Persistent Storage: Processor maintains no database, file storage, or persistent storage containing Subscriber Data from API processing.


2. PROCESSOR OBLIGATIONS

2.1 Processing Instructions

Processor shall process Personal Data only on documented instructions from Controller, including with regard to international transfers, unless required by applicable law. Processor shall immediately inform Controller if instructions violate Data Protection Laws.

2.2 Confidentiality

Processor ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.3 Security Measures

Processor implements appropriate technical and organizational measures to ensure security appropriate to the risk, as detailed in Appendix C. These measures include:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls with multi-factor authentication
  • Regular security testing through Sub-processor programs and external assessments
  • Incident response procedures
  • SOC 2 certification (in process, target within 12 months)

Security measures may be updated to maintain or enhance protection levels without Contract amendment.

2.4 Sub-processors

Current Sub-processors: Processor currently uses three Sub-processors (detailed in Appendix B): Vercel Inc. (infrastructure), Fireworks.ai (model inference), and Convex, Inc. (dashboard infrastructure).

Authorization: Controller provides general authorization for Processor to engage Sub-processors listed in Appendix B.

New Sub-processors: Processor shall notify Controller at least 30 days before adding or replacing Sub-processors. Controller may object within 15 days on reasonable grounds relating to data protection. If parties cannot resolve the objection, Controller may terminate the affected Services and receive a pro-rata refund.

Sub-processor Requirements: Processor ensures Sub-processors are bound by data protection obligations equivalent to those in this DPA, particularly regarding security and confidentiality. Processor remains fully liable to Controller for Sub-processor performance.

2.5 Data Subject Rights

Basic Assistance (no additional charge): Processor shall, taking into account the nature of processing, assist Controller by providing:

  • Confirmation of whether Personal Data is processed
  • API documentation for self-service data access
  • Technical information about processing capabilities
  • Standard response within 5 business days

Enhanced Assistance (chargeable): Upon Controller's request, Processor shall provide additional assistance including:

  • Custom data extraction or formatting
  • Complex technical investigations
  • Direct communication with data subjects
  • Extended technical support beyond standard assistance

Charged at Processor's then-current professional services rates with advance written estimate.

Given the transient processing model (500-5,000ms duration, immediate deletion, no persistent storage), certain data subject rights have practical limitations. Processor does not maintain searchable records of API payload contents and cannot retrieve Personal Data after request completion.

2.6 Controller Assistance

Processor shall assist Controller in:

  • Ensuring compliance with security obligations under Data Protection Laws
  • Responding to data protection impact assessments
  • Consulting with Supervisory Authorities where required
  • Responding to Personal Data Breach incidents

Processor shall provide Basic Assistance at no charge. Complex or time-intensive assistance may be chargeable at Processor's professional services rates.

2.7 Personal Data Breaches

Processor shall notify Controller without undue delay and in any event within 36 hours of becoming aware of a Personal Data Breach. Notification shall include:

  • Nature of the breach and affected data categories
  • Likely consequences
  • Measures taken or proposed to address the breach
  • Contact point for further information

Processor shall provide reasonable cooperation to Controller in breach investigations and remediation.

2.8 Data Deletion and Return

Upon termination or expiry of Services, Processor shall, at Controller's choice:

  • Delete all Personal Data and metadata logs, OR
  • Return Personal Data to Controller in a commonly used format

Exception: Processor may retain Personal Data to the extent and for such period as required by applicable law, subject to continued confidentiality obligations.

Given transient processing (immediate deletion of API payloads), deletion primarily applies to metadata logs retained until account deletion.

2.9 Audits and Inspections

Processor shall make available to Controller information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by Controller or an auditor mandated by Controller.

Standard Audit: Processor provides annual SOC 2 reports (when available) and questionnaire responses at no charge.

On-site Audits: Controller may conduct on-site audits upon 30 days' written notice:

  • Maximum once per year unless for cause
  • During business hours
  • Subject to Processor's confidentiality and security requirements
  • Processor may charge reasonable costs for on-site audits exceeding one day

2.10 Data Protection Impact Assessments

Where required by Data Protection Laws, Processor shall provide reasonable assistance to Controller in conducting data protection impact assessments, taking into account the nature of processing and information available to Processor.

2.11 GDPR Article 28(3) Compliance Checklist

This DPA satisfies GDPR Article 28(3) requirements as follows:

| Requirement | Location in DPA |
|------------|----------------|
| Process only on documented instructions | Clause 2.1 |
| Ensure personnel confidentiality | Clause 2.2 |
| Implement appropriate security measures | Clause 2.3, Appendix C |
| Respect Sub-processor conditions | Clause 2.4, Appendix B |
| Assist with data subject rights | Clause 2.5 |
| Assist with Controller obligations | Clauses 2.6, 2.10 |
| Delete or return data after services | Clause 2.8 |
| Make information available and allow audits | Clause 2.9 |
| Immediately inform if instructions violate law | Clause 2.1 |


3. CONTROLLER OBLIGATIONS

Controller represents and warrants that:

Legal Basis: Controller has a valid legal basis for processing Personal Data and for instructing Processor to process it.

Compliance: Controller's processing instructions comply with applicable Data Protection Laws.

Permissions: Controller has obtained all necessary consents, authorizations, and provided required notices to data subjects.

Special Categories: Controller shall NOT submit special category Personal Data (Article 9 GDPR) or criminal convictions data (Article 10 GDPR) to Processor's Services without prior express written permission. Processor may immediately suspend processing if special category data is detected.

Data Quality: Controller is responsible for the accuracy, quality, and legality of Personal Data submitted to Services.


4. INTERNATIONAL DATA TRANSFERS

4.1 Transfer Mechanism

Where Processor processes Personal Data originating from the EEA, UK, or Switzerland in countries without an adequacy decision, the parties shall execute Standard Contractual Clauses (SCCs) appropriate for the jurisdictions involved:

  • EU SCCs (Commission Decision 2021/914)
  • UK International Data Transfer Addendum
  • Swiss SCC annexures

4.2 Module Selection and Roles

The parties shall use Module 2 (Controller to Processor) of the SCCs, with:

  • Controller as "data exporter"
  • Processor as "data importer"
  • Appendix A of this DPA satisfying Annex I of the SCCs
  • Appendix B of this DPA satisfying Annex II of the SCCs
  • Appendix C of this DPA satisfying Annex III of the SCCs

4.3 Supplementary Measures and Transfer Impact Assessment

Processor has conducted a Transfer Impact Assessment regarding U.S. processing and implemented supplementary measures to ensure data protection essentially equivalent to EEA standards:

Technical Measures:

  • Transient processing architecture (500-5,000ms, no persistent storage) minimizes exposure
  • End-to-end encryption (TLS 1.3 in transit, AES-256 at rest)
  • Access controls and authentication requirements

Organizational Measures:

  • Strict need-to-know access principles
  • Confidentiality obligations for all personnel
  • Data minimization in logging (metadata only)

Legal Measures:

  • Commitment to challenge disproportionate government access requests
  • Notification to Controller of government requests (unless legally prohibited)
  • No backdoor access provisions

Transfer Impact Assessment: Processor maintains a detailed Transfer Impact Assessment summary document that Controllers may request as a reference for their own TIA obligations. This optional document is available upon written request to privacy@superagent.sh.

4.4 Regional Processing Options

Controller may select processing regions:

  • U.S. Region (default): Washington, DC area (iad1)
  • EU Region (available): Frankfurt, Germany

Selection is made at account setup or upon written request. Processing remains in the selected region's infrastructure.


5. LIABILITY AND INDEMNITY

5.1 Liability Under Data Protection Laws

Each party's liability under or in connection with this DPA (whether in contract, tort, or otherwise) shall be subject to the limitations and exclusions set out in the Services Agreement.

Where GDPR or other Data Protection Laws impose liability on Processor, Processor shall be liable only for damage caused by processing that violates obligations specifically directed to processors under those laws, or where Processor acted outside or contrary to lawful Controller instructions.

5.2 Indemnification

Each party shall indemnify and hold harmless the other party from and against any claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from that party's breach of its obligations under this DPA or applicable Data Protection Laws.


6. TERM AND TERMINATION

6.1 Term

This DPA takes effect on the Effective Date and continues for the duration of the Services Agreement or until all Personal Data processing under the Services Agreement has ceased, whichever is later.

6.2 Effect of Termination

Upon termination or expiry:

  • Processor shall cease all processing except as necessary to comply with legal obligations
  • Processor shall delete or return Personal Data per Clause 2.8
  • Obligations regarding confidentiality, security of retained data, and audit rights shall survive

7. GENERAL PROVISIONS

7.1 Amendments

Processor may update this DPA to reflect changes in Data Protection Laws, regulatory guidance, or business practices. Material changes shall be notified to Controller with at least 30 days' notice.

7.2 Order of Precedence

In case of conflict or inconsistency:

  1. Standard Contractual Clauses (if applicable)
  2. This DPA
  3. Services Agreement
  4. Processor's Privacy Policy

7.3 Governing Law

This DPA is governed by the laws specified in the Services Agreement. For SCC-governed transfers, the SCCs are governed by the laws of Ireland (for EU SCCs) or as specified in the respective SCC modules.

7.4 Dispute Resolution

Disputes arising from this DPA shall be resolved per the Services Agreement, except where SCCs apply, in which case data subjects have the rights and Controller has the obligations specified in the applicable SCCs.

7.5 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full effect and the parties shall negotiate in good faith to replace the invalid provision with a valid provision achieving a similar purpose.

7.6 Entire Agreement

This DPA, together with the Services Agreement and applicable SCCs, constitutes the entire agreement regarding Personal Data processing, superseding prior agreements or communications on the subject.


APPENDIX A: SPECIFICATION OF DATA PROCESSING

A.1 Subject Matter and Duration

Subject Matter: Processing of Personal Data through Processor's API-based security services (Guard, Verify, Redact).

Duration: Duration of Services Agreement.

A.2 Nature and Purpose

Nature: Transient API processing involving content analysis, validation, and redaction.

Purpose: Provide AI-powered security capabilities to detect prohibited content, verify outputs, and redact sensitive information from text submitted by Controller.

A.3 Categories of Data Subjects

Data subjects whose Personal Data Controller submits to Services, potentially including:

  • Controller's customers or end-users
  • Controller's employees or contractors
  • Third parties whose data Controller processes

Specific categories depend entirely on Controller's use of Services.

A.4 Categories of Personal Data

Scope: Limited to data Controller submits via API for security processing.

Potential Categories (depending on Controller's use):

  • Names and identifiers
  • Contact information
  • Professional information
  • User-generated content
  • Technical identifiers

Special Categories: Controller shall NOT submit special category data (Article 9 GDPR) without express written permission.

A.5 Processing Operations

  • Reception: Receive Personal Data via API request
  • Analysis: Apply security algorithms (content filtering, validation, redaction)
  • Temporary Storage: Hold in memory during processing (500-5,000ms)
  • Response Generation: Create security response (allowed/blocked, verified/not verified, redacted output)
  • Deletion: Immediate deletion from memory upon response
  • Logging: Retain metadata (not payload content) until account deletion

APPENDIX B: SUB-PROCESSORS

Processor currently engages the following Sub-processors:

B.1 Vercel Inc.

Service: Cloud infrastructure and API hosting
Location: United States (Washington, DC region - iad1)
Certifications: SOC 2 Type II, penetration testing by Schellman
Purpose: Host Processor's API infrastructure and manage request routing
Website: vercel.com

B.2 Fireworks.ai

Service: AI model inference
Location: United States
Certifications: SOC 2 Type II (in process)
Purpose: Execute AI model inference for security capabilities
Website: fireworks.ai

B.3 Convex, Inc.

Service: Real-time database and backend infrastructure for dashboard
Location: United States (Oregon) / European Union (Frankfurt region available)
Certifications: SOC 2 Type II (in progress)
Purpose: Store and sync API keys and customer-specific configurations
Website: convex.dev

B.4 Sub-processor Changes

Processor shall notify Controller at least 30 days before adding or replacing Sub-processors. Current Sub-processor list is maintained in this Appendix B and will be updated with each amendment to this DPA.


APPENDIX C: TECHNICAL AND ORGANIZATIONAL MEASURES

C.1 Access Control and Authentication

API Access:

  • API keys required for all API requests
  • Keys are 256-bit cryptographically random strings
  • Keys transmitted only over encrypted connections
  • Key rotation capability available to Controller

Dashboard Access (account management only, NOT API processing):

  • Multi-factor authentication (TOTP/authenticator apps)
  • Role-based access control (Owner, Admin, Member)
  • Session management with secure timeout policies

Infrastructure Access:

  • Principle of least privilege
  • Separate staging and production environments
  • Access logging and monitoring

C.2 Encryption

In Transit:

  • TLS 1.3 (with TLS 1.2 backward compatibility)
  • Valid certificates from trusted Certificate Authorities
  • Perfect Forward Secrecy ensuring unique session keys
  • No self-signed certificates in production

At Rest:

  • AES-256 encryption for metadata logs
  • Encryption keys managed separately from encrypted data
  • Regular key rotation per infrastructure provider practices

API Payloads:

  • Not applicable (no persistent storage of payload content)

C.3 Data Organization and Minimization

Separation:

  • Logical separation of Controller environments
  • Data tagged with Controller identifiers

Minimization:

  • Only metadata logged (not payload content)
  • Logs limited to operational necessity
  • Immediate deletion of API payload content post-response

Data Quality:

  • Controller responsible for data accuracy
  • Processor provides validation capabilities through Services

C.4 Network and Transmission Security

Firewalls and Segmentation:

  • Network segmentation between components
  • Firewall rules restricting unauthorized access
  • Regular security rule reviews

Monitoring:

  • Continuous monitoring for security events
  • Automated alerting for suspicious activity
  • Log aggregation and analysis

DDoS Protection:

  • Distributed denial-of-service mitigation via infrastructure provider
  • Rate limiting and request throttling

C.5 Physical and Environmental Security

Processor relies on Sub-processor data centers (Vercel) which maintain:

  • 24/7 physical security with surveillance
  • Biometric and badge access controls
  • Environmental controls (power, cooling, fire suppression)
  • Redundant power and connectivity

Processor has no physical servers; all infrastructure is cloud-based.

C.6 Incident Response and Business Continuity

Incident Response:

  • Designated security response team (CTO responsible)
  • 24-hour response time for security incidents
  • 36-hour notification for Personal Data Breaches
  • Post-incident review and remediation

Business Continuity:

  • Infrastructure redundancy via Sub-processor
  • Automated failover capabilities
  • Regular backup of configuration (not Personal Data, which is transient)

Disaster Recovery:

  • Recovery time objective: 24 hours
  • Recovery point objective: Minimal (transient processing means no persistent data loss)

C.7 System Development and Maintenance

Secure Development:

  • Code review requirements
  • Dependency scanning (Dependabot)
  • Security testing in deployment pipeline

Change Management:

  • Documented change control procedures
  • Staging environment testing before production
  • Rollback capabilities

Vulnerability Management:

  • Regular dependency updates
  • Security patch application
  • Vulnerability scanning via automated tools

C.8 Security Testing and Certification

Current State:

  • Sub-processor security testing (Vercel: Schellman penetration testing; Fireworks: SOC 2 in process)
  • External security assessments available upon request
  • Automated vulnerability scanning

In Progress:

  • SOC 2 Type II certification (target within 12 months)

No Internal Penetration Testing Tool:

  • Processor does NOT maintain an internal penetration testing tool
  • Relies on Sub-processor security programs and external assessments

C.9 Personnel Security

Training:

  • Security training required for all personnel
  • Formal training program expanding as team grows
  • Regular security awareness updates

Access Management:

  • Background checks implemented as team expands
  • Confidentiality agreements required
  • Access provisioning and deprovisioning procedures
  • Regular access reviews

C.10 Supplier Management

Sub-processor Assessment:

  • Due diligence before Sub-processor engagement
  • Contract requirements for data protection and security
  • Regular review of Sub-processor certifications

Monitoring:

  • Track Sub-processor security certifications
  • Review Sub-processor security incidents
  • Assess Sub-processor security practices

END OF DATA PROCESSING AGREEMENT

Signature Page

SUPERAGENT TECHNOLOGIES, INC.

By: ________________________
Name: Alan Zabihi
Title: Chief Executive Officer
Date: ______________________

[SUBSCRIBER NAME]

By: ________________________
Name: ______________________
Title: ______________________
Date: ______________________