Data Processing Agreement

1. DEFINITIONS

For purposes of this Data Processing Agreement:

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data
• "Data Subject" means an identified or identifiable natural person
• "Applicable Data Protection Laws" means GDPR, CCPA, HIPAA (where applicable), and other relevant data protection regulations
• "Sub-processor" means any third party engaged by Processor to process Personal Data
• "Security Incident" means any breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data

2. SUBJECT MATTER AND DURATION

2.1 Scope

This DPA applies to all Personal Data processed by Aureum Intelligence LLC on behalf of its customers through the Aureum Intelligence platform, including but not limited to:

• User account information
• Authentication credentials
• Usage analytics and logs
• Customer data processed by AI agents
• Integration data from enterprise systems

2.2 Duration

This DPA shall remain in effect for the duration of the Customer's use of the Aureum Intelligence services and shall continue until all Personal Data has been returned or deleted and certified as such, in accordance with Section 8 of this DPA.

3. NATURE AND PURPOSE OF PROCESSING

3.1 Processing Activities

Processor shall process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by law.

3.2 Purpose Limitation

Personal Data shall be processed only for the following purposes:

• Providing and maintaining the Aureum Intelligence platform
• Delivering AI security and governance capabilities
• Technical support and service management
• Compliance with legal obligations
• Legitimate business interests as permitted by Applicable Data Protection Laws

4. TYPES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

4.1 Types of Personal Data

The Personal Data processed may include:

• Identification Data: Names, email addresses, job titles
• Technical Data: IP addresses, device information, browser types
• Usage Data: Platform interactions, feature usage, session information
• Authentication Data: Login credentials, access tokens, security keys
• Business Data: Customer content processed by AI agents (as directed by Controller)

4.2 Categories of Data Subjects

• Customer employees and authorized users
• Customer representatives and contacts
• End users of Controller's applications
• Other individuals whose data is processed through the platform

5. PROCESSOR OBLIGATIONS

5.1 Processing on Instructions

Processor shall:

• Process Personal Data only on documented instructions from Controller
• Not process Personal Data for any purpose outside the scope of the Master Service Agreement
• Notify Controller immediately if instructions received are in violation of Applicable Data Protection Laws

5.2 Confidentiality

Processor shall ensure that:

• All persons authorized to process Personal Data have committed themselves to confidentiality
• Access to Personal Data is restricted to those with a legitimate need to know
• Confidentiality obligations survive termination of this DPA

5.3 Security Measures

Processor shall implement appropriate technical and organizational measures to protect Personal Data, including:

Technical Measures:

• Encryption of data in transit (TLS 1.3 or higher)
• Encryption of data at rest (AES-256)
• Multi-factor authentication for platform access
• Regular security assessments and penetration testing
• Network segmentation and access controls
• Logging and monitoring of security events
• Regular backup and disaster recovery procedures

Organizational Measures:

• Employee security training and awareness programs
• Access control policies and procedures
• Incident response and notification procedures
• Vendor management and due diligence
• Regular security audits and compliance reviews

5.4 Sub-processors

5.4.1 Authorized Sub-processors

Processor may engage the following categories of sub-processors:

• Cloud infrastructure providers (AWS, Azure, GCP)
• Communication and collaboration services
• Security and monitoring services
• Customer support and helpdesk platforms
• Analytics and logging services

5.4.2 Notification and Objection

Processor shall:

• Maintain a current list of sub-processors available to customers
• Notify Controller of any changes to sub-processors
• Provide Controller with the opportunity to object to new sub-processors
• Enter into written agreements with sub-processors containing data protection obligations

5.5 Assistance to Controller

Processor shall assist Controller in fulfilling its obligations to respond to data subject rights requests, including:

• Right of access
• Right to rectification
• Right to erasure (right to be forgotten)
• Right to restriction of processing
• Right to data portability
• Right to object to processing

5.6 Security Incident Notification

Processor shall notify Controller without undue delay upon becoming aware of a Security Incident, including:

• Description of the nature of the incident
• Categories and approximate number of data subjects concerned
• Categories and approximate number of Personal Data records concerned
• Likely consequences of the incident
• Measures taken or proposed to address the incident

6. DATA TRANSFERS

6.1 International Transfers

Where Personal Data is transferred from the European Economic Area (EEA) to countries outside the EEA, Processor shall ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission
• Binding Corporate Rules (where applicable)

6.2 EU-U.S. Data Privacy Framework

For transfers to the United States, Processor relies on the EU-U.S. Data Privacy Framework (DPF), as adopted by the European Commission in July 2023, and shall make its compliance certifications publicly available. In the event the DPF is invalidated, Processor shall rely on Standard Contractual Clauses or other lawful transfer mechanisms.

6.3 UK International Data Transfers

For transfers of Personal Data from the United Kingdom, Processor shall ensure compliance through the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner's Office, or the UK Addendum to the EU Standard Contractual Clauses, as applicable.

7. AUDITS AND INSPECTIONS

7.1 Right to Audit

Controller shall have the right to:

• Obtain written information demonstrating compliance with this DPA
• Conduct audits of Processor's facilities and systems (with reasonable notice)
• Engage an independent third-party auditor to verify compliance

7.2 Audit Frequency

Audits shall be conducted:

• Upon reasonable request by Controller
• No more than once per year, unless required by law or triggered by a Security Incident
• At Controller's expense, unless the audit reveals material non-compliance

7.3 Alternative Compliance Evidence

Processor may demonstrate compliance through:

• Third-party audit reports (SOC 2 Type II, ISO 27001)
• Security certifications and attestations
• Compliance documentation and policies

8. DATA RETENTION AND DELETION

8.1 Retention Period

Processor shall retain Personal Data only for as long as necessary to:

• Provide the services to Controller
• Comply with legal obligations
• Resolve disputes and enforce agreements

8.2 Deletion and Return

Upon termination of the Master Service Agreement, Processor shall:

• Return all Personal Data to Controller within thirty (30) days
• Delete all copies of Personal Data within ninety (90) days
• Provide written certification of deletion upon request
• Retain data only as required by law

9. COMPLIANCE WITH LAWS

9.1 Regulatory Compliance

Processor shall comply with all applicable data protection laws, including:

• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
• Health Insurance Portability and Accountability Act (HIPAA) - where applicable
• Other applicable federal, state, and local data protection laws

9.2 Industry Standards

Processor maintains compliance with industry standards including:

• SOC 2 Type II
• ISO 27001
• NIST Cybersecurity Framework
• HIPAA Security Rule (for healthcare customers)

10. LIABILITY AND INDEMNIFICATION

10.1 Liability

Each party's liability for breaches of this DPA shall be governed by the terms of the Master Service Agreement, except that Processor shall be liable for damages resulting from its failure to comply with its obligations under this DPA.

10.2 Indemnification

Processor shall indemnify and hold harmless Controller from any claims, damages, or losses arising from:

• Processor's breach of this DPA
• Unauthorized processing of Personal Data by Processor
• Security Incidents caused by Processor's negligence or willful misconduct

11. TERMINATION

11.1 Termination for Cause

Either party may terminate this DPA upon material breach by the other party if such breach is not cured within thirty (30) days of written notice.

11.2 Effect of Termination

Upon termination:

• All obligations regarding Personal Data shall survive
• Processor shall return or delete Personal Data as specified in Section 8
• Confidentiality obligations shall continue indefinitely

12. GOVERNING LAW AND JURISDICTION

This DPA shall be governed by and construed in accordance with the laws of the State of Ohio, United States, without regard to its conflict of law principles. Any disputes arising under this DPA shall be resolved in the courts of Columbus, Ohio.

13. AMENDMENTS

13.1 Modifications

This DPA may only be amended by written agreement of both parties. Processor may update this DPA to reflect:

• Changes in applicable law
• Changes to services or processing activities
• Industry best practices

13.2 Notice of Changes

Processor shall provide at least thirty (30) days' notice of any material changes to this DPA.

14. CONTACT INFORMATION

Data Protection Officer: Aureum Intelligence LLC 5256 Bethel Reed Park, Suite 3 Columbus, Ohio 43220 Email: privacy@aureumintelligence.com

For Data Protection Inquiries: privacy@aureumintelligence.com

For Security Incidents: security@aureumintelligence.com

15. SIGNATURES

By accepting the Master Service Agreement, Controller agrees to the terms of this Data Processing Agreement.

Aureum Intelligence LLC

Effective Date: January 1, 2026

This Data Processing Agreement is incorporated by reference into the Master Service Agreement between Aureum Intelligence LLC and its customers. In the event of any conflict between this DPA and the Master Service Agreement regarding Personal Data processing, the terms of this DPA shall prevail.

ANNEX I — DESCRIPTION OF PROCESSING

ANNEX II — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Processor implements the following measures to protect Personal Data. These measures are described in detail in the Aureum Intelligence Security Policy.

Technical Measures:

• Encryption of data in transit (TLS 1.3 or higher)
• Encryption of data at rest (AES-256)
• Multi-factor authentication for all platform access
• Role-based access controls with least-privilege principle
• Network segmentation and firewall protection
• Intrusion detection and prevention systems (IDS/IPS)
• Regular vulnerability scanning and penetration testing
• Automated security monitoring and anomaly detection (24/7)
• Encrypted backup and disaster recovery procedures
• Secure key management via Hardware Security Modules (HSMs)
• AI-specific protections: prompt injection mitigation, adversarial input detection, output validation

Organizational Measures:

• Security awareness training for all employees upon onboarding and annually
• Background checks for employees with access to Personal Data
• Formal access control policies and access review procedures (quarterly)
• Incident response plan with defined escalation and notification procedures
• Vendor risk management and due diligence for all sub-processors
• Regular internal and external security audits (SOC 2 Type II, ISO 27001-aligned)
• Clean desk and secure disposal policies
• Data classification framework (Public, Internal, Confidential, Restricted)

ANNEX III — APPROVED SUB-PROCESSORS

The following categories of sub-processors are authorized as of the effective date. A current named list is available to customers upon request at privacy@aureumintelligence.com.

Controller will be notified at least thirty (30) days in advance of any addition or replacement of sub-processors. Controller may object to a new sub-processor per Section 5.4.2.

SIGNATURE BLOCK

Controller:

Processor: Aureum Intelligence LLC