For Procurement & Legal Teams

This is a starter Data Processing Addendum (DPA) designed to satisfy the typical procurement reviews of mid-market and enterprise buyers. It is incorporated by reference into the master services agreement or statement of work between ZaraAI LLC and the Client. For a wet-signed copy or to negotiate specific terms, contact info@thezaraai.com.

This Data Processing Addendum reflects how ZaraAI LLC handles personal data on behalf of its clients — under GDPR Article 28, applicable U.S. state privacy laws, and the standards reasonable enterprise buyers expect.

1. Preamble

This Data Processing Addendum (the "DPA") forms part of, and is incorporated by reference into, the master services agreement, statement of work, or other written engagement document (the "Agreement") entered into between:

  • ZaraAI LLC, a limited liability company organized in the United States, acting as the "Processor"; and
  • the customer or client identified in the Agreement, acting as the "Controller".

Each is a "Party" and together the "Parties". This DPA reflects the Parties' agreement on the Processing of Personal Data in connection with the services described in the Agreement. In the event of a conflict between this DPA and the Agreement on a matter related to data protection, this DPA controls.

2. Definitions

Capitalized terms used but not otherwise defined in this DPA have the meanings given to them in Article 4 of Regulation (EU) 2016/679 (the "GDPR") or, where context requires, the analogous definitions under applicable U.S. state privacy laws. For convenience:

Personal Data
Any information relating to an identified or identifiable natural person (the Data Subject) that is Processed by the Processor on behalf of the Controller under the Agreement.
Processing
Any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, retrieval, use, disclosure, transmission, alignment, restriction, erasure, or destruction.
Data Subject
The identified or identifiable natural person to whom Personal Data relates.
Controller
The Party that determines the purposes and means of the Processing of Personal Data.
Processor
The Party that Processes Personal Data on behalf of the Controller.
Subprocessor
Any third party engaged by the Processor to Process Personal Data on the Controller's behalf in connection with the Agreement.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
Standard Contractual Clauses
The standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 (the "SCCs"), as updated from time to time.
Applicable Data Protection Law
All laws and regulations relating to the Processing of Personal Data that apply to a Party in its role under the Agreement, including the GDPR, the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and analogous U.S. state privacy laws.

3. Scope and Purpose of Processing

The Processor will Process Personal Data solely for the purpose of providing the services described in the Agreement and only in accordance with the Controller's documented instructions. Documented instructions include the Agreement, this DPA, configuration choices made by the Controller within the services, and any subsequent written instructions reasonably issued by the Controller.

The Processor will not Process Personal Data for its own commercial purposes, will not sell or share Personal Data within the meaning of the CCPA/CPRA, and will not combine Personal Data received from the Controller with personal data the Processor receives from, or collects on behalf of, any other party, except as strictly necessary to provide the services.

4. Roles of the Parties

The Parties acknowledge that, with respect to the Processing of Personal Data under the Agreement:

  • the Controller is the controller of the Personal Data and determines the purposes and means of Processing;
  • the Processor is a processor acting on behalf of the Controller and Processes Personal Data only on documented instructions;
  • where the Controller is itself a processor for an upstream controller, the Processor is a Subprocessor, and the obligations of this DPA flow accordingly.

This Section is intended to satisfy the requirements of GDPR Article 28 and the equivalent provisions of Applicable Data Protection Law.

5. Subject Matter and Duration of Processing

Subject matter. The subject matter of Processing is the provision of advisory, automation, and security services described in the Agreement.

Duration. Processing will continue for the term of the Agreement and any post-termination period required to return or delete Personal Data as set out in Section 14 of this DPA.

Nature of Processing. Collection, storage, retrieval, organization, transmission, analysis, and deletion of Personal Data as required to deliver the services.

Purpose. To enable the Controller to receive the services described in the Agreement, and for no other purpose.

6. Categories of Personal Data and Data Subjects

The Processor will Process the following categories of Personal Data, where applicable to the services:

  • Identification and contact data (name, email address, phone number, business address);
  • Professional data (job title, employer, role, working hours, calendar entries);
  • Account and authentication data (usernames, hashed credentials, multi-factor tokens);
  • Technical and log data (IP addresses, device identifiers, audit logs, telemetry);
  • Content data shared with the services in the course of an engagement (documents, communications, prompts, model outputs);
  • Other categories of Personal Data the Controller chooses to provide to the Processor in the course of receiving the services.

Categories of Data Subjects may include the Controller's employees, contractors, customers, prospects, partners, and other individuals whose Personal Data the Controller chooses to share with the Processor.

The Parties do not anticipate the Processing of special categories of Personal Data within the meaning of GDPR Article 9 unless expressly agreed in the Agreement. The Controller is responsible for ensuring that the Personal Data it provides is appropriate for the services.

7. Processor Obligations

The Processor will:

  • Process on documented instructions. Process Personal Data only on the Controller's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by Applicable Data Protection Law; in that case, the Processor will inform the Controller of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
  • Ensure confidentiality. Ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
  • Implement security measures. Implement and maintain the technical and organizational measures described in Section 11 of this DPA, in compliance with GDPR Article 32.
  • Assist with Data Subject requests. Taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
  • Assist with compliance. Assist the Controller in ensuring compliance with its obligations under GDPR Articles 32 to 36 (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of Processing and the information available to the Processor.
  • Notify of unlawful instructions. Inform the Controller without undue delay if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law.
  • Provide information. Make available to the Controller information reasonably necessary to demonstrate compliance with the obligations of this DPA.

8. Subprocessors

The Controller grants the Processor general written authorization to engage Subprocessors for the Processing of Personal Data, subject to the conditions in this Section.

Before engaging any Subprocessor, the Processor will:

  • conduct reasonable due diligence to confirm the Subprocessor can provide a level of protection consistent with this DPA;
  • impose contractual obligations on the Subprocessor that are no less protective than those set out in this DPA, including obligations of confidentiality, security, and assistance with Data Subject rights; and
  • remain fully liable to the Controller for the performance of the Subprocessor's obligations.

A current list of Subprocessors is maintained by the Processor and made available to the Controller on request. The Processor will give the Controller at least thirty (30) days' prior written notice of the addition or replacement of any Subprocessor that materially affects the Processing of Personal Data. The Controller may object to such a change on reasonable data protection grounds within that notice period, in which case the Parties will work in good faith to resolve the objection. If the objection cannot be resolved, the Controller may terminate the affected portion of the services without penalty, with refund of any prepaid fees attributable to the unused portion of the term.

9. International Transfers

The Processor is based in the United States and may Process Personal Data in the United States and in other jurisdictions where it or its Subprocessors operate.

Where Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not been recognized as providing an adequate level of protection, the Parties agree that the Standard Contractual Clauses (Module 2: Controller to Processor, or Module 3: Processor to Processor, as applicable) are incorporated into this DPA by reference and apply to such transfers. The UK Addendum to the SCCs and the Swiss equivalent apply, as applicable, to transfers from the United Kingdom and Switzerland respectively.

The Processor will assist the Controller in performing transfer impact assessments where reasonably required by Applicable Data Protection Law.

10. Data Subject Rights

The Processor will, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction of Processing, data portability, and objection.

If the Processor receives a request directly from a Data Subject regarding Personal Data Processed under the Agreement, the Processor will, unless legally prohibited, promptly forward the request to the Controller and will not respond to the Data Subject directly, except to confirm receipt and to direct the Data Subject to the Controller.

The Parties will cooperate in good faith to respond to Data Subject requests within the timelines required by Applicable Data Protection Law.

11. Security Measures

The Processor implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including, where appropriate:

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (industry-standard algorithms);
  • Access controls based on the principle of least privilege, with role-based access provisioning and timely deprovisioning;
  • Multi-factor authentication for administrative and remote access to systems Processing Personal Data;
  • Network and endpoint protection, including firewalls, anti-malware, and patch management;
  • Logging and monitoring of access to systems Processing Personal Data, with retention of audit logs sufficient to investigate security events;
  • Secure software development lifecycle practices, including code review, dependency scanning, and separation of development, test, and production environments;
  • Personnel measures, including background checks where permitted by law, confidentiality obligations, and regular security and privacy training;
  • Vendor risk management for Subprocessors and other third parties with access to Personal Data;
  • Incident response and business continuity plans, tested on a periodic basis;
  • Backup and recovery procedures designed to restore the availability of and access to Personal Data in a timely manner.

These measures are reviewed periodically and updated as appropriate to reflect changes in risk, technology, and the services provided. The Processor will not materially decrease the overall security of the services during the term of the Agreement.

12. Audit Rights

The Controller may audit the Processor's compliance with this DPA once per twelve-month period, on at least thirty (30) days' prior written notice, during normal business hours, and in a manner that does not unreasonably interfere with the Processor's business operations. The Controller is responsible for the costs of any audit it requests, except where the audit reveals a material breach of this DPA.

The Parties acknowledge that, where applicable, current third-party assurance reports (such as a SOC 2 Type II report, ISO/IEC 27001 certification, or equivalent), as well as written responses to a reasonable security questionnaire, will satisfy the Controller's audit rights under this DPA, except where Applicable Data Protection Law or a regulator requires otherwise.

An audit must not require the Processor to disclose information about other clients, trade secrets, or information whose disclosure would violate the Processor's obligations to third parties or Applicable Data Protection Law.

13. Personal Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Controller. The notification will include, to the extent then known:

  • a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
  • the name and contact details of a point of contact for further information;
  • a description of the likely consequences of the Personal Data Breach;
  • a description of the measures taken or proposed to address the Personal Data Breach and to mitigate its possible adverse effects.

Where the information cannot be provided at the same time, it will be provided in phases without undue further delay. The Processor will reasonably cooperate with the Controller in investigating, mitigating, and remediating the Personal Data Breach. Notification of, or response to, a Personal Data Breach is not, by itself, an admission of fault or liability.

14. Data Return and Deletion

On termination or expiry of the Agreement, the Processor will, at the choice of the Controller, return all Personal Data to the Controller or delete all Personal Data within thirty (30) days, and will delete existing copies, unless retention is required by Applicable Data Protection Law. Where the Controller does not specify a choice within thirty (30) days of termination, the Processor will delete the Personal Data.

Backup copies and data retained for compliance with legal obligations will be deleted in the ordinary course of the Processor's documented retention schedules and will continue to be protected by the security and confidentiality obligations of this DPA until deleted.

15. Liability and Indemnification

The liability of each Party arising out of or in connection with this DPA is governed by, and subject to, the limitations and exclusions of liability set out in the Agreement. This DPA does not create separate or additional financial obligations between the Parties beyond those set out in the Agreement.

Nothing in this DPA limits or excludes a Party's liability where such limitation or exclusion is prohibited by Applicable Data Protection Law, including liability to Data Subjects for material or non-material damage.

16. Governing Law

This DPA is governed by the laws of the United States and, unless otherwise agreed in writing in the Agreement, the laws of the state specified in the Agreement, without regard to conflict of laws principles. Where Applicable Data Protection Law requires the application of the laws of an EEA member state, the United Kingdom, or another jurisdiction in respect of specific provisions (including the SCCs), those laws apply to the extent required.

17. Effective Date and Execution

This DPA is effective on the date the Agreement is executed by the Parties, or, where this DPA is countersigned separately, on the date of last signature.

This DPA is incorporated by reference into the Agreement. Acceptance of the Agreement constitutes acceptance of this DPA. Where the Controller requires a wet-signed or separately executed copy for procurement purposes, the Controller may request one from the Processor.

How to execute

For a wet-signed copy of this DPA, to negotiate specific terms, or to request the current Subprocessor list, contact info@thezaraai.com with the subject line "DPA Execution Request". Please include the legal name of the Controller entity, the engagement reference (if any), and any specific terms your procurement team requires.