Legal · DPA · Enterprise template

Data Processing Agreement (Enterprise Negotiated Template)

Effective: On Customer countersignature (or Principal Agreement acceptance, whichever is earlier) Last updated: May 29, 2026 Version: 2.1 Contact: legal@aictrlnet.com
Source of truth: The canonical version of this document lives at editions/enterprise/docs/DATA_PROCESSING_AGREEMENT.md in the AICtrlNet platform repository. This page is the public-facing rendering and may be updated separately. In the event of inconsistency, the published canonical version controls for contractual purposes.

Document ID: DPA-ENT-2026-001

This is Bodaty’s Enterprise-tier negotiated DPA template, used for procurement-driven engagements that require on-site audit rights, custom data residency commitments, regulatory-fines indemnification, and countersigned execution. The Effective Date is the date Customer accepts this DPA, either by countersignature or by acceptance of the Principal Agreement (whichever is earlier).

Looking for the Business-tier click-through DPA (most subscribers)? See /legal/dpa/. Looking for the Community free-tier DPA? See /legal/community-dpa/.

PARTIES

This Data Processing Agreement (“DPA” or “Agreement”) is entered into by and between:

BODATY LLC (“Processor”, “AICtrlNet”, “Bodaty”, “we”, “us”, or “our”) An Illinois Limited Liability Company 200 E. 5th Ave., Suite 121DE Naperville, IL 60563 United States Email: privacy@aictrlnet.com

AND

[CUSTOMER LEGAL NAME] (“Controller”, “Customer”, or “you”) [Customer Address] [Customer Contact Email]

Collectively referred to as the “Parties” and individually as a “Party.”

RECITALS

WHEREAS, Controller has entered into a Master Services Agreement, Enterprise License Agreement, or other applicable agreement (the “Principal Agreement”) with Processor for the provision of the AICtrlNet/HitLai Enterprise platform and related services (the “Services”);

WHEREAS, the provision of the Services involves the Processing of Personal Data on behalf of the Controller;

WHEREAS, the Parties wish to ensure compliance with applicable Data Protection Laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act (“CCPA”), and other applicable privacy regulations;

WHEREAS, Article 28 of the GDPR requires that Processing by a Processor be governed by a contract that sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects;

NOW, THEREFORE, in consideration of the mutual obligations set forth herein, the Parties agree as follows:

1. DEFINITIONS

For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings ascribed to them in the Principal Agreement or applicable Data Protection Laws.

1.1 Core Definitions

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” means direct or indirect ownership or control of more than 50% of the voting interests of such entity.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; for purposes of this DPA, the Customer.

“Data Protection Laws” means all applicable laws and regulations relating to data protection, data privacy, data security, or the Processing of Personal Data, including without limitation:

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“EEA” means the European Economic Area, consisting of the member states of the European Union plus Iceland, Liechtenstein, and Norway.

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

“Processing” (and its cognates “Process,” “Processed,” “Processes”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller; for purposes of this DPA, Bodaty LLC operating the AICtrlNet/HitLai platform.

“Services” means the AICtrlNet/HitLai Enterprise platform, workflow automation services, AI governance tools, and any related services provided by Processor to Controller under the Principal Agreement.

“Special Categories of Personal Data” (also known as “Sensitive Personal Data”) means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission, as may be amended, superseded, or replaced from time to time.

“Sub-processor” means any Processor engaged by the Processor (or by any other Sub-processor of the Processor) who agrees to receive from the Processor (or from any other Sub-processor) Personal Data exclusively intended for the Processing activities to be carried out on behalf of the Controller in accordance with this DPA.

“Supervisory Authority” means an independent public authority which is established by an EU/EEA Member State pursuant to Article 51 of the GDPR, or any equivalent regulatory authority under other applicable Data Protection Laws.

1.2 AI-Specific Definitions

“AI System” means any machine-learning-based or artificial intelligence system that is part of the Services, including but not limited to workflow prediction models, natural language processing features, automated decision-support systems, and risk assessment algorithms.

“Automated Decision-Making” means any decision based solely on automated Processing, including profiling, which produces legal effects concerning a Data Subject or similarly significantly affects them.

“Model Training Data” means any data, including Personal Data, that is used to train, fine-tune, validate, or improve AI Systems.

“Profiling” means any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

2. SCOPE AND NATURE OF PROCESSING

2.1 Subject Matter

This DPA applies to all Processing of Personal Data by Processor on behalf of Controller in connection with the provision of the Services under the Principal Agreement.

2.2 Nature and Purpose of Processing

The Processor shall Process Personal Data only as necessary to:

(a) Provide the AICtrlNet/HitLai Enterprise platform Services as described in the Principal Agreement;

(b) Operate, maintain, and support the workflow automation and AI governance features;

(c) Enable user authentication, access control, and audit logging;

(d) Perform analytics to improve service performance (subject to Controller’s instructions);

(e) Ensure security and prevent fraud, abuse, or unauthorized access;

(f) Comply with applicable legal obligations; and

(g) Respond to Controller’s documented instructions consistent with the Principal Agreement.

2.3 Processing Operations

The Processing operations include but are not limited to:

3. DURATION OF PROCESSING

3.1 Term

This DPA shall remain in effect for the duration of the Principal Agreement and shall continue until all Personal Data has been deleted or returned in accordance with Section 13 (Data Return and Deletion).

3.2 Survival

The obligations of confidentiality and data protection under this DPA shall survive the termination or expiration of the Principal Agreement and shall remain in effect until all Personal Data has been deleted or returned, or until such obligations are no longer required by applicable Data Protection Laws.

4. TYPES OF PERSONAL DATA PROCESSED

4.1 Categories of Personal Data

The following categories of Personal Data may be Processed under this DPA:

Account and Identity Data:

Contact and Communication Data:

Technical and Usage Data:

Workflow and Business Process Data:

AI Governance and Compliance Data:

4.2 Special Categories of Personal Data

The Processor does not require, request, or intentionally collect Special Categories of Personal Data. However, Controller acknowledges that:

(a) Such data may be incidentally included in workflow content or file attachments uploaded by Controller or its users;

(b) If Special Categories of Personal Data are Processed, Controller is solely responsible for ensuring a valid legal basis under Article 9 of the GDPR or equivalent provisions under other Data Protection Laws;

(c) Controller shall notify Processor in writing if the Services will be used to Process Special Categories of Personal Data, so that appropriate additional safeguards may be implemented.

4.3 Children’s Data

The Services are not directed at children under 16 years of age, and Controller warrants that it will not use the Services to Process Personal Data of children without appropriate parental consent and legal basis as required by applicable Data Protection Laws.

5. CATEGORIES OF DATA SUBJECTS

5.1 Data Subject Categories

Personal Data Processed under this DPA relates to the following categories of Data Subjects:

5.2 Controller Responsibility

Controller is solely responsible for determining which categories of Data Subjects’ Personal Data is submitted to the Services and for ensuring that such Processing is lawful under applicable Data Protection Laws.

6. OBLIGATIONS OF THE PROCESSOR

6.1 Processing Instructions

6.1.1 Documented Instructions Only

Processor shall Process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which the Processor is subject. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

6.1.2 Controller Instructions

Controller’s instructions for Processing are set forth in:

6.1.3 Additional Instructions

If Controller provides instructions that Processor reasonably believes to be in violation of applicable Data Protection Laws, Processor shall promptly notify Controller. Processor may suspend the relevant Processing until Controller confirms or modifies its instructions.

6.2 Confidentiality Obligations

6.2.1 Personnel Confidentiality

Processor shall ensure that all personnel authorized to Process Personal Data:

(a) Are bound by confidentiality obligations (whether contractual or statutory) with respect to the Personal Data;

(b) Have received appropriate training on data protection requirements;

(c) Process Personal Data only as necessary to perform their job functions; and

(d) Are aware of the confidential nature of the Personal Data and the security requirements under this DPA.

6.2.2 Access Limitations

Processor shall limit access to Personal Data to those personnel who require access to perform the Services and shall implement appropriate access controls based on the principle of least privilege.

6.3 Security Measures

6.3.1 Technical and Organizational Measures

Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR and other applicable Data Protection Laws. These measures are described in detail in Annex B (Technical and Organizational Measures) and include, at a minimum:

(a) Pseudonymization and encryption of Personal Data where appropriate;

(b) Ability to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;

(c) Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

(d) Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of Processing.

6.3.2 Security Standards

Processor maintains security certifications and attestations including:

6.3.3 Security Updates

Processor shall regularly review and update its security measures to address evolving threats and maintain compliance with industry standards and best practices.

6.4 Sub-processor Management

6.4.1 Authorization

Controller hereby provides general authorization for Processor to engage Sub-processors to Process Personal Data on Controller’s behalf, subject to the requirements of this Section 6.4.

6.4.2 Current Sub-processors

The list of Sub-processors currently engaged by Processor as of the Effective Date is set forth in Annex C (Sub-processors List).

6.4.3 Sub-processor Notification

Processor shall provide Controller with prior notice of any intended changes to its Sub-processors (additions or replacements):

(a) AI Sub-Processors. For any addition, replacement, or material expansion of an AI Sub-Processor (defined as any Sub-processor that processes Controller Personal Data using machine-learning inference or training infrastructure, including Foundation Model Providers such as Anthropic, OpenAI, Google (Gemini), AWS Bedrock, Cohere, Azure OpenAI, HuggingFace, DeepSeek, and Mistral), Processor shall provide at least fifteen (15) days’ prior notice. The shorter notice period reflects the higher cadence of change in the AI vendor ecosystem. Customer-controlled or self-hosted Foundation Model runtimes that Customer configures (e.g., Ollama or vLLM running on Customer infrastructure) are not AI Sub-Processors under this DPA because Processor does not engage them on Controller’s behalf.

(b) Other Sub-Processors. For any other Sub-processor change, Processor shall provide at least thirty (30) days’ prior notice.

(c) Notification Channels. Notification shall be provided via:

6.4.4 Objection Right

Controller may object to the engagement of a new Sub-processor on reasonable data protection grounds by providing written notice to Processor within fifteen (15) days of receiving notification. If Controller objects:

(a) Processor shall work with Controller in good faith to address Controller’s concerns;

(b) If the Parties cannot resolve the objection within thirty (30) days, Controller may terminate the affected Services without penalty by providing written notice to Processor;

(c) Controller shall not be entitled to a refund of any prepaid fees unless required by applicable law.

6.4.5 Sub-processor Agreements

Processor shall:

(a) Enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to those imposed on Processor under this DPA;

(b) Remain fully liable to Controller for the performance of each Sub-processor’s obligations; and

(c) Ensure that each Sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures.

6.5 Assistance with Data Subject Rights

6.5.1 Data Subject Requests

Processor shall, taking into account the nature of the Processing, assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Controller’s obligation to respond to requests by Data Subjects exercising their rights under applicable Data Protection Laws, including:

6.5.2 Request Notification

If Processor receives a request from a Data Subject directly, Processor shall promptly (and in any event within five (5) business days) notify Controller and shall not respond to the Data Subject directly unless authorized by Controller or required by applicable law.

6.5.3 Assistance Scope

Processor shall provide Controller with:

(a) Self-service tools within the Services to facilitate data access, export, and deletion;

(b) Technical assistance to locate and retrieve Personal Data upon reasonable request;

(c) Documentation of Processing activities relevant to Data Subject requests;

(d) Assistance in responding to regulatory inquiries related to Data Subject rights.

6.5.4 Costs

Processor shall provide reasonable assistance at no additional charge. If Controller’s requests are excessive, repetitive, or manifestly unfounded, Processor may charge a reasonable fee based on administrative costs or refuse to act on the request.

6.6 Personal Data Breach Notification

6.6.1 Breach Notification Timeline

In the event of a Personal Data Breach affecting Controller’s Personal Data, Processor shall:

(a) Notify Controller without undue delay, and in any event within forty-eight (48) hours after becoming aware of the Personal Data Breach;

(b) Provide initial notification via email to Controller’s designated security contact and through the in-platform notification system;

(c) Provide follow-up information as it becomes available if complete information cannot be provided within the initial notification period.

6.6.2 Breach Notification Content

The notification shall include, to the extent known:

(a) A description of the nature of the Personal Data Breach, including where possible:

(b) The name and contact details of Processor’s data protection officer or other contact point;

(c) A description of the likely consequences of the Personal Data Breach;

(d) A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

6.6.3 Breach Cooperation

Processor shall:

(a) Cooperate with Controller and provide reasonable assistance to investigate the Personal Data Breach;

(b) Take immediate steps to contain and mitigate the Personal Data Breach;

(c) Preserve evidence related to the Personal Data Breach for forensic analysis;

(d) Not communicate with any third party (including regulators, media, or affected Data Subjects) about the Personal Data Breach without Controller’s prior written approval, unless required by applicable law.

6.6.4 Controller Obligations

Controller acknowledges that:

(a) Controller is responsible for determining whether a Personal Data Breach is notifiable to Supervisory Authorities and/or Data Subjects under applicable Data Protection Laws;

(b) Controller shall make such notifications within the timeframes required by applicable law (e.g., 72 hours under GDPR Article 33);

(c) Processor’s notification to Controller does not constitute an admission of fault or liability.

6.7 Data Protection Impact Assessments

Processor shall, taking into account the nature of Processing and the information available to Processor, provide reasonable assistance to Controller with any data protection impact assessments (DPIAs) and prior consultations with Supervisory Authorities that Controller is required to carry out under Articles 35 and 36 of the GDPR or equivalent requirements under other Data Protection Laws.

6.8 Audit Rights

6.8.1 Audit Information

Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and shall allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.

6.8.2 Audit Scope

Audits may include:

(a) Review of Processor’s documented policies, procedures, and security controls;

(b) Review of certifications, attestations, and third-party audit reports;

(c) On-site inspections of Processor’s facilities (with reasonable advance notice);

(d) Interviews with Processor’s relevant personnel;

(e) Technical testing (subject to Processor’s security policies).

6.8.3 Audit Procedures

(a) Controller shall provide Processor with at least thirty (30) days’ prior written notice of any audit, unless a shorter timeframe is required by a Supervisory Authority or in connection with a Personal Data Breach investigation;

(b) Audits shall be conducted during normal business hours and shall not unreasonably interfere with Processor’s business operations;

(c) Controller and its auditors shall comply with Processor’s reasonable security and confidentiality requirements;

(d) Audit findings shall be treated as Confidential Information;

(e) Controller shall limit on-site audits to no more than one (1) per twelve-month period, unless required by applicable law or triggered by a Personal Data Breach.

6.8.4 Third-Party Audit Reports

Processor shall make available:

(a) SOC 2 Type II report (or equivalent) upon Controller’s written request, subject to confidentiality obligations;

(b) Summaries of penetration test results (redacted as necessary for security purposes);

(c) Other certifications and attestations maintained by Processor.

6.8.5 Audit Costs

Controller shall bear its own costs associated with conducting audits. If an audit reveals a material non-compliance by Processor with this DPA, Processor shall bear the reasonable costs of the audit and shall promptly remediate the non-compliance at Processor’s expense.

7. OBLIGATIONS OF THE CONTROLLER

7.1 Lawfulness of Processing

Controller represents and warrants that:

(a) Controller has the authority to bind its Affiliates to this DPA;

(b) Controller’s instructions to Processor, and Controller’s own Processing of Personal Data in connection with the Services, comply with all applicable Data Protection Laws;

(c) Controller has obtained all necessary consents or has another valid legal basis for the Processing of Personal Data through the Services;

(d) Controller shall not provide Personal Data to Processor in violation of applicable Data Protection Laws or in a manner that would cause Processor to violate applicable Data Protection Laws.

7.2 Documented Instructions

Controller shall provide documented instructions to Processor regarding the Processing of Personal Data. Controller acknowledges that Processor relies on Controller to determine that all instructions are lawful and appropriate.

7.3 Data Accuracy

Controller is responsible for the accuracy, quality, and integrity of Personal Data provided to Processor. Controller shall ensure that appropriate procedures are in place to maintain data accuracy and to update or correct Personal Data as necessary.

7.4 Security Cooperation

Controller shall:

(a) Implement appropriate security measures within its own systems and processes;

(b) Ensure that authorized users maintain the confidentiality of their authentication credentials;

(c) Configure the Services in accordance with security best practices and Processor’s recommendations;

(d) Promptly notify Processor of any security incidents that may affect the Services.

7.5 Data Subject Communications

Controller is responsible for providing appropriate privacy notices to Data Subjects and for responding to Data Subject requests. Controller shall coordinate with Processor as necessary to fulfill these obligations.

8. SUB-PROCESSORS

8.1 Sub-processor List

The current list of Sub-processors is set forth in Annex C (Sub-processors List) and is also available at [Processor’s privacy portal URL].

8.2 Sub-processor Categories

Processor engages Sub-processors in the following categories:

8.3 Sub-processor Due Diligence

Before engaging any Sub-processor, Processor conducts due diligence to ensure that the Sub-processor:

(a) Can provide appropriate data protection and security guarantees;

(b) Has relevant certifications or attestations (e.g., SOC 2, ISO 27001);

(c) Will comply with data localization requirements applicable to Controller;

(d) Has appropriate contractual commitments in place.

8.4 Controller-Specific Sub-processors

Controller may request that Processor engage specific Sub-processors for Controller’s Processing activities. Such requests shall be subject to Processor’s approval and may incur additional fees.

9. INTERNATIONAL DATA TRANSFERS

9.1 Data Location

Processor stores and Processes Personal Data primarily in data centers located in:

Controller may select its preferred data residency region where supported by the Services.

9.2 Transfers Outside EEA/UK

When Personal Data is transferred from the EEA, UK, or Switzerland to countries that have not received an adequacy decision from the European Commission (or UK equivalent), Processor shall ensure that such transfers are made in compliance with applicable Data Protection Laws through one or more of the following mechanisms:

9.2.1 Standard Contractual Clauses

(a) The Standard Contractual Clauses (Module Two: Controller to Processor) adopted by the European Commission Decision 2021/914/EU are hereby incorporated by reference into this DPA;

(b) For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated by reference;

(c) For transfers from Switzerland, the applicable transfer mechanism recognized under the Swiss Federal Act on Data Protection (FADP) shall apply;

(d) See Annex D for Standard Contractual Clauses reference and completion details.

9.2.2 Additional Safeguards

Processor implements the following additional safeguards for international transfers:

(a) Encryption of Personal Data in transit and at rest;

(b) Access controls limiting data access to authorized personnel;

(c) Policies prohibiting voluntary disclosure to government authorities except as required by law;

(d) Procedures to challenge government data access requests to the extent permitted by law;

(e) Transparency reporting on government data requests (where permitted).

9.2.3 Adequacy Decisions

Where applicable, Processor may rely on adequacy decisions issued by the European Commission, the UK, or other competent authorities.

9.2.4 Data Privacy Framework

Where applicable, Processor and/or its Sub-processors may participate in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework, as certified by the U.S. Department of Commerce.

9.3 Transfer Impact Assessments

Upon Controller’s reasonable request, Processor shall cooperate in conducting transfer impact assessments to evaluate whether the legal framework in the destination country provides adequate protection for Personal Data.

10. LIABILITY AND INDEMNIFICATION

10.1 Liability Allocation

Each Party shall be liable for damages caused by Processing that infringes applicable Data Protection Laws, subject to the limitations set forth in the Principal Agreement.

10.2 Processor Liability

Processor shall be liable for damages caused by Processing only where:

(a) Processor has not complied with obligations of Data Protection Laws specifically directed to Processors; or

(b) Processor has acted outside of or contrary to lawful instructions of Controller.

10.3 Controller Liability

Controller shall be liable for damages arising from:

(a) Controller’s instructions that infringe applicable Data Protection Laws;

(b) Controller’s failure to fulfill its obligations as Controller under applicable Data Protection Laws;

(c) Controller’s Processing of Personal Data outside the scope of this DPA.

10.4 Indemnification

10.4.1 Processor Indemnification

Processor shall indemnify, defend, and hold harmless Controller from and against any third-party claims, damages, losses, costs, and expenses (including reasonable attorneys’ fees) arising from:

(a) Processor’s material breach of this DPA;

(b) Processor’s Processing of Personal Data in violation of applicable Data Protection Laws;

(c) Any Personal Data Breach caused by Processor’s failure to implement appropriate security measures.

10.4.2 Controller Indemnification

Controller shall indemnify, defend, and hold harmless Processor from and against any third-party claims, damages, losses, costs, and expenses (including reasonable attorneys’ fees) arising from:

(a) Controller’s instructions that cause Processor to violate applicable Data Protection Laws;

(b) Controller’s failure to obtain necessary consents or legal basis for Processing;

(c) Controller’s breach of its obligations under this DPA.

10.5 Limitation of Liability

(a) The limitations of liability set forth in the Principal Agreement shall apply to this DPA, except as otherwise required by applicable Data Protection Laws;

(b) Neither Party excludes or limits liability for damages arising from: (i) death or personal injury caused by negligence; (ii) fraud or fraudulent misrepresentation; (iii) willful misconduct or gross negligence; or (iv) any liability that cannot be limited by applicable law.

11. TERM AND TERMINATION

11.1 Term

This DPA shall become effective on the Effective Date and shall remain in effect until the termination or expiration of the Principal Agreement, unless earlier terminated in accordance with this Section 11.

11.2 Termination for Breach

Either Party may terminate this DPA upon written notice if the other Party materially breaches this DPA and fails to cure such breach within thirty (30) days of receiving written notice thereof.

11.3 Effect of Termination

Upon termination or expiration of this DPA:

(a) Processor shall cease all Processing of Personal Data, except as necessary to comply with Section 13 (Data Return and Deletion);

(b) The provisions of this DPA that by their nature should survive termination shall survive, including but not limited to confidentiality obligations, liability provisions, and data return/deletion obligations.

12. AI-SPECIFIC DATA PROCESSING TERMS

12.1 AI System Transparency

12.1.1 AI Feature Disclosure

Processor shall provide clear documentation of all AI Systems used within the Services, including:

(a) A description of the AI functionality and its purpose;

(b) The types of data used as inputs to the AI System;

(c) The outputs produced by the AI System;

(d) Any limitations or known biases of the AI System;

(e) Human oversight mechanisms in place.

12.1.2 Explainability

For AI-powered features that significantly affect Data Subjects or Controller’s business processes, Processor shall:

(a) Provide meaningful information about the logic involved in automated decision-making;

(b) Offer explanations of AI-generated recommendations or decisions upon request;

(c) Document the factors and weightings used in AI models (to the extent possible without revealing trade secrets).

12.2 Model Training Opt-Out

12.2.1 Customer Content Exclusion

Processor shall not, and shall contractually require its Sub-processors not to, use Controller Personal Data, Controller Confidential Information, prompts, or AI System outputs (“Controller Inputs and Outputs”) to:

(a) train, fine-tune, or otherwise improve any general-purpose AI model owned by Processor or any Sub-processor;

(b) develop new AI models;

(c) benchmark or evaluate AI models for purposes other than providing the Services to Controller; or

(d) deliver services to other customers.

The foregoing prohibition applies by default and persists unless Controller affirmatively opts in via the in-Service controls or a separately executed AI Improvement Addendum. Processor shall ensure that all AI Sub-processor agreements include a substantively equivalent prohibition with no-training-by-default flowed down through the inference chain.

12.2.2 Default Position

By default, Controller’s data is:

(a) NOT used for training Processor’s foundation models or general AI systems;

(b) NOT shared with third parties for AI training purposes;

(c) NOT used to improve Services for other customers;

(d) Used ONLY to provide the Services to Controller as documented in this DPA.

12.2.3 Opt-In for AI Improvement

If Controller wishes to contribute to AI model improvement, Controller may opt-in through:

(a) Written consent specifying the scope of data that may be used;

(b) Configuration settings within the Services (where available);

(c) A separate AI training addendum executed by the Parties.

12.2.4 Aggregated and Anonymized Data

Notwithstanding the above, Processor may use aggregated and anonymized data (which does not constitute Personal Data) for:

(a) Service improvement and optimization;

(b) Security and threat detection;

(c) Benchmarking and analytics;

(d) Research and development.

12.3 Automated Decision-Making

12.3.1 Scope

The Services may include automated decision-making features, including:

(a) Workflow routing and task assignment recommendations;

(b) Risk scoring and compliance assessments;

(c) Anomaly detection and security alerts;

(d) Predictive analytics for business processes.

12.3.2 Human Oversight Requirements

For any Automated Decision-Making that produces legal effects or similarly significantly affects Data Subjects:

(a) Controller shall ensure human oversight of such decisions;

(b) Processor provides tools and features to enable human review and override of AI recommendations;

(c) Controller is responsible for configuring appropriate approval workflows;

(d) Processor shall not implement fully automated decisions with significant effects without Controller’s explicit configuration and consent.

12.3.3 Data Subject Rights for Automated Decisions

Where Automated Decision-Making is used, Controller shall ensure that Data Subjects can:

(a) Obtain human intervention;

(b) Express their point of view;

(c) Contest the decision.

Processor shall provide technical capabilities to support these rights within the Services.

12.4 AI Governance Controls

12.4.1 Controller Configuration

Controller may configure the following AI governance controls within the Services:

(a) AI Feature Toggles: Enable or disable specific AI features;

(b) Confidence Thresholds: Set minimum confidence levels for AI recommendations;

(c) Approval Workflows: Require human approval for AI-generated actions;

(d) Audit Logging: Track all AI-assisted decisions;

(e) Bias Monitoring: Enable bias detection and reporting.

12.4.2 AI Audit Trail

Processor maintains comprehensive audit logs for AI-related Processing, including:

(a) Inputs provided to AI Systems;

(b) Outputs generated by AI Systems;

(c) Human overrides or modifications;

(d) Configuration changes to AI features.

12.5 Regulatory Compliance for AI

12.5.1 EU AI Act Compliance

Where applicable, Processor shall:

(a) Classify AI Systems according to risk categories under the EU AI Act;

(b) Implement appropriate risk management measures;

(c) Maintain technical documentation as required;

(d) Provide transparency information to Controller;

(e) Support Controller’s compliance obligations as a deployer of AI Systems.

12.5.2 Evolving AI Regulations

Processor shall monitor evolving AI regulations globally and shall:

(a) Update the Services as necessary to maintain compliance;

(b) Notify Controller of material regulatory changes affecting the AI features;

(c) Provide reasonable assistance to Controller in meeting AI regulatory obligations.

12.5.3 Colorado AI Act

For decisions falling within the scope of the Colorado Artificial Intelligence Act (effective June 30, 2026), where Controller is a deployer subject to the Act, Processor shall provide the technical and procedural support reasonably necessary for Controller’s compliance, including pre-use notice generation, adverse-action notice generation, and risk-assessment documentation. Controller is the deployer and bears primary compliance responsibility.

12.5.4 EU AI Act Full Applicability

The EU AI Act becomes fully applicable on August 2, 2026 (with high-risk AI provisions effective on that date and General-Purpose AI Model obligations already in force since August 2, 2025). Processor’s obligations under Section 12.5.1 shall be interpreted in light of the full set of obligations applicable as of the Effective Date of this DPA.

12.6 AI Output Ownership

As between the Parties, Controller owns all right, title, and interest in and to AI System outputs (“Outputs”) generated from Controller Inputs through the Services. Processor receives no rights in Outputs except a limited, revocable license to host, transmit, store, and process Outputs solely as necessary to provide the Services. Processor shall not:

(a) use Outputs to train AI models;

(b) sell or license Outputs to third parties;

(c) use Outputs to deliver services to other customers; or

(d) retain Outputs beyond the period necessary to provide the Services to Controller, subject to Section 13 (Data Return and Deletion).

12.7 Cross-Border AI Inference

Controller acknowledges that AI Sub-Processors may host inference infrastructure in regions different from the data residency region selected by Controller. When Controller’s prompts or AI inputs are routed to an AI Sub-Processor’s inference endpoint outside the EEA, UK, or Switzerland (as applicable), such routing constitutes an international data transfer.

Processor relies on:

(a) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework where the relevant AI Sub-Processor is certified, with continuing certification verifiable at dataprivacyframework.gov/list; and

(b) the EU Standard Contractual Clauses (Module Two: Controller-to-Processor; Module Three: Processor-to-Processor) as the contractual fallback in all cases, including where the AI Sub-Processor is not DPF-certified.

Controller may select an in-region AI Sub-Processor where the Services support such selection, subject to availability of the requested model in the requested region. Where Controller has selected an in-region AI Sub-Processor and the routing nonetheless results in cross-border inference (e.g., model failover), Processor shall promptly notify Controller and document the basis under (a) or (b) above.

13. DATA RETURN AND DELETION

13.1 Data Export

At any time during the term of the Principal Agreement, Controller may export Personal Data from the Services using:

(a) Self-service export tools within the Services;

(b) API access for programmatic data extraction;

(c) Processor’s data export assistance (subject to reasonable fees for extensive requests).

13.2 Post-Termination Options

Upon termination or expiration of the Principal Agreement, Controller shall have the option to:

13.2.1 Data Return

Request that Processor return all Personal Data in a commonly used, machine-readable format (such as JSON or CSV) within thirty (30) days of termination;

13.2.2 Data Deletion

Request that Processor delete all Personal Data within thirty (30) days of termination, or upon completion of data return if requested;

13.2.3 Default Action

If Controller does not provide instructions within thirty (30) days of termination, Processor shall delete all Personal Data.

13.3 Deletion Certification

Upon request, Processor shall provide written certification confirming that all Personal Data has been deleted in accordance with this Section 13.

13.4 Retention Exceptions

Processor may retain Personal Data (or portions thereof) after termination only where:

(a) Required by applicable law or regulation;

(b) Required for backup and disaster recovery purposes (in which case data shall be deleted upon normal backup rotation cycles);

(c) Necessary to resolve pending disputes or legal proceedings.

Processor shall inform Controller of any such retention and the legal basis therefor.

13.5 Deletion Standards

Processor shall delete Personal Data using methods that render the data irretrievable, in accordance with industry standards such as NIST SP 800-88.

14. GENERAL PROVISIONS

14.1 Relationship to Principal Agreement

This DPA is incorporated into and forms part of the Principal Agreement. In the event of any conflict between the terms of this DPA and the Principal Agreement, the terms of this DPA shall prevail with respect to data protection matters.

14.2 Entire Agreement

This DPA, together with its Annexes and the Principal Agreement, constitutes the entire agreement between the Parties regarding its subject matter and supersedes all prior agreements, understandings, and communications, whether written or oral, regarding data protection.

14.3 Amendments

This DPA may be amended only by a written instrument signed by both Parties. Notwithstanding the foregoing, Processor may update the Annexes to this DPA (including the Sub-processor list and security measures) from time to time to reflect changes in the Services or regulatory requirements, provided that such updates do not materially diminish the protections afforded to Personal Data.

14.4 Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect, and the Parties shall negotiate in good faith to replace the invalid provision with a valid provision that achieves the original intent.

14.5 Assignment

Neither Party may assign this DPA without the prior written consent of the other Party, except that Processor may assign this DPA to an Affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its assets.

14.6 Notices

Notices under this DPA shall be sent to:

To Processor: Bodaty LLC Attn: Privacy Team 200 E. 5th Ave., Suite 121DE Naperville, IL 60563 United States Email: privacy@aictrlnet.com

To Controller: [As specified in the Principal Agreement or as updated in writing]

14.7 Governing Law

This DPA shall be governed by and construed in accordance with the laws specified in the Principal Agreement, provided that:

(a) Where the GDPR applies, the governing law shall not affect Data Subjects’ rights under the GDPR to bring claims in the Member State of their habitual residence;

(b) Disputes regarding data protection compliance may be referred to the competent Supervisory Authority.

14.8 Dispute Resolution

Disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Principal Agreement.

14.9 No Third-Party Beneficiaries

Except for Data Subjects’ rights under applicable Data Protection Laws and as provided in the Standard Contractual Clauses, this DPA does not confer any rights on third parties.

14.10 Order of Precedence

In the event of a conflict between documents, the following order of precedence shall apply:

  1. Standard Contractual Clauses (where applicable)
  2. This DPA
  3. The Principal Agreement
  4. Any other referenced documents

SIGNATURES

IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the Effective Date.

BODATY LLC (Processor)

Signature: ____________

Name: ____________

Title: ____________

Date: ____________

Signature: ____________

Name: ____________

Title: ____________

Date: ____________

ANNEX A: DESCRIPTION OF PROCESSING

A.1 Subject Matter of Processing

Processing of Personal Data in connection with the provision of the AICtrlNet/HitLai Enterprise platform and related services.

A.2 Duration of Processing

From the Effective Date of the Principal Agreement until termination or expiration thereof, plus any additional period required for data return, deletion, or legal retention.

A.3 Nature and Purpose of Processing

Purpose Description
Service Provision Providing workflow automation, AI governance, and enterprise collaboration features
User Management Account creation, authentication, authorization, and access control
Workflow Processing Executing workflows, task assignments, approvals, and notifications
AI Features Risk assessment, predictive analytics, compliance monitoring, and intelligent automation
Security Operations Authentication, access logging, threat detection, and security monitoring
Integration Processing Data synchronization with Controller’s authorized third-party systems
Support Services Technical support, troubleshooting, and incident response
Analytics Service performance monitoring and usage analytics (subject to Controller configuration)
Compliance Audit logging, compliance reporting, and regulatory support
Backup and Recovery Data backup, disaster recovery, and business continuity

A.4 Types of Personal Data

Category Data Elements
Identity Data Names, usernames, employee IDs, job titles, profile photos
Contact Data Email addresses, phone numbers, business addresses
Account Data User credentials (hashed), authentication tokens, account settings
Technical Data IP addresses, device identifiers, browser data, session information
Usage Data Feature usage logs, interaction data, preferences
Workflow Data Task data, approvals, comments, attachments, business process data
Communication Data In-platform messages, notifications, collaboration content
Audit Data Access logs, change logs, compliance records
AI Processing Data Inputs to AI systems, outputs and recommendations, feedback data

A.5 Categories of Data Subjects

Category Description
Controller’s Employees Individuals employed by Controller who use the Services
Controller’s Contractors Independent contractors and consultants engaged by Controller
Business Partners Third-party users authorized by Controller (vendors, suppliers, partners)
Customers/Clients Controller’s customers or clients whose data is processed through workflows
Job Applicants Candidates (if HR workflows are utilized)
Other Individuals Any other individuals whose data is submitted to the Services by Controller

A.6 Processing Operations

Operation Description
Collection Receiving Personal Data from Controller, users, and integrated systems
Storage Storing Personal Data in secure cloud infrastructure
Organization Structuring and indexing data for efficient retrieval
Retrieval Accessing Personal Data to provide Services
Use Processing Personal Data to execute workflows and deliver features
Disclosure Sharing with authorized Sub-processors; providing access to authorized users
Combination Linking data from multiple sources within the Services
Erasure Deleting Personal Data upon request or termination
Backup Creating and maintaining backup copies for disaster recovery
Transfer Transmitting Personal Data between systems and data centers

A.7 Special Categories of Personal Data

Type Processing Status
Health Data Not intentionally processed; may be incidentally included in workflow content
Biometric Data Not processed
Genetic Data Not processed
Political Opinions Not processed
Religious/Philosophical Beliefs Not processed
Trade Union Membership Not processed
Sexual Orientation/Life Not processed
Criminal Convictions Not processed

Note: If Controller’s use case requires Processing of Special Categories of Personal Data, Controller must notify Processor in advance and ensure appropriate legal basis and safeguards are in place.

A.8 AI Processing Specifics

AI Feature Data Processed Purpose Human Oversight
Workflow Prediction Historical workflow data, user behavior Suggest optimal workflow routing Controller-configurable thresholds
Risk Assessment Workflow content, compliance data Identify compliance risks Required human review
Anomaly Detection Usage patterns, access logs Security threat detection Alert-based review
NLP Processing Text content from workflows Content classification, extraction Optional review
Recommendation Engine User preferences, usage data Personalized suggestions User-controllable

ANNEX B: TECHNICAL AND ORGANIZATIONAL MEASURES

B.1 Overview

Processor implements and maintains the following technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR and industry best practices. These measures are regularly reviewed and updated to address evolving threats and maintain compliance with security standards.

B.2 Organizational Security Measures

B.2.1 Information Security Management

Measure Description
Security Program Formal information security program aligned with ISO 27001 and SOC 2 frameworks
Security Policies Comprehensive policies covering data protection, access control, incident response, and more
Security Team Dedicated security team responsible for security operations and compliance
Risk Assessment Regular risk assessments to identify and mitigate security threats
Security Governance Executive oversight of security program with regular reporting

B.2.2 Personnel Security

Measure Description
Background Checks Pre-employment screening for personnel with access to Personal Data
Confidentiality Agreements All personnel sign confidentiality/NDA agreements
Security Training Mandatory security awareness training upon hire and annually thereafter
Role-Based Training Additional training for personnel in sensitive roles
Termination Procedures Prompt access revocation and exit procedures for departing personnel

B.2.3 Third-Party Management

Measure Description
Vendor Assessment Security assessment of all vendors and Sub-processors
Contractual Requirements Data protection and security requirements in all vendor contracts
Ongoing Monitoring Regular review of vendor security posture and compliance
Incident Notification Contractual requirements for prompt security incident notification

B.3 Physical Security Measures

Measure Description
Data Center Security Enterprise-grade data centers (AWS/GCP) with SOC 2 and ISO 27001 certifications
Physical Access Controls Multi-factor authentication for physical facility access
Surveillance 24/7 video monitoring of data center facilities
Environmental Controls Fire suppression, climate control, and power redundancy
Secure Disposal Secure destruction of physical media containing Personal Data

B.4 Technical Security Measures

B.4.1 Access Control

Measure Description
Authentication Multi-factor authentication (MFA) required for all user accounts
Single Sign-On SAML 2.0 / OIDC integration for enterprise SSO
Role-Based Access Control Granular permissions based on job function and need-to-know
Least Privilege Access limited to minimum necessary for job functions
Access Reviews Quarterly access certification and recertification
Session Management Automatic session timeout and concurrent session controls
Password Policy Strong password requirements; password hashing using bcrypt/Argon2

B.4.2 Encryption

Measure Description
Encryption in Transit TLS 1.2+ for all data transmission; HTTPS enforced
Encryption at Rest AES-256 encryption for all stored Personal Data
Key Management Hardware Security Modules (HSMs) for encryption key management
Certificate Management Automated certificate renewal; certificate pinning where applicable

B.4.3 Network Security

Measure Description
Firewalls Web Application Firewall (WAF) and network firewalls
Network Segmentation Isolation of production, development, and administrative environments
Intrusion Detection Network and host-based intrusion detection/prevention systems
DDoS Protection Distributed denial-of-service mitigation
VPN Encrypted VPN for administrative access

B.4.4 Application Security

Measure Description
Secure Development Secure Software Development Lifecycle (SSDLC) practices
Code Review Mandatory security code review for all changes
Static Analysis Automated static application security testing (SAST)
Dynamic Analysis Regular dynamic application security testing (DAST)
Dependency Scanning Automated scanning for vulnerable dependencies
Penetration Testing Annual third-party penetration testing
Bug Bounty Responsible disclosure program for security researchers

B.4.5 Data Protection

Measure Description
Data Classification Classification system for Personal Data sensitivity levels
Data Minimization Collection and retention of only necessary Personal Data
Pseudonymization Pseudonymization techniques where appropriate
Data Masking Masking of sensitive data in non-production environments
Secure Deletion Cryptographic erasure and secure deletion procedures

B.5 Availability and Resilience

B.5.1 Business Continuity

Measure Description
Redundancy Multi-region deployment with automatic failover
High Availability 99.9% uptime SLA with redundant infrastructure
Load Balancing Distributed load balancing across availability zones
Auto-Scaling Automatic scaling to handle traffic spikes

B.5.2 Backup and Recovery

Measure Description
Backup Frequency Daily full backups; continuous incremental backups
Backup Encryption All backups encrypted at rest
Geographic Distribution Backups stored in geographically separate location
Recovery Testing Quarterly disaster recovery testing
RTO/RPO Recovery Time Objective: 4 hours; Recovery Point Objective: 1 hour

B.5.3 Incident Management

Measure Description
Incident Response Plan Documented incident response procedures
Incident Team Dedicated security incident response team
24/7 Monitoring Round-the-clock security monitoring
Incident Classification Severity-based incident classification and escalation
Post-Incident Review Root cause analysis and remediation for all incidents

B.6 Monitoring and Logging

Measure Description
Comprehensive Logging Logging of all security-relevant events
Log Protection Tamper-evident logging with integrity verification
Log Retention Security logs retained for minimum 12 months
SIEM Security Information and Event Management system
Alerting Real-time alerting for security anomalies
Audit Trails Complete audit trails for compliance and investigation

B.7 Vulnerability Management

Measure Description
Vulnerability Scanning Weekly automated vulnerability scanning
Patch Management Risk-based patching with critical patches within 72 hours
Threat Intelligence Subscription to threat intelligence feeds
Security Updates Regular security updates for all systems

B.8 Compliance and Certification

Certification/Standard Status
SOC 2 Type II Certified; annual renewal
ISO 27001 Certified; triennial renewal with annual surveillance audits
GDPR Compliance Compliant
CCPA/CPRA Compliance Compliant
HIPAA Available upon request (BAA required)
PCI DSS Level 1 Service Provider (for payment processing components)

B.9 Measure Updates

Processor reserves the right to update these Technical and Organizational Measures from time to time to reflect improvements in security practices and technology, provided that such updates do not materially diminish the overall security of Personal Data.

ANNEX C: SUB-PROCESSORS LIST

C.1 Current Sub-processors

As of the Effective Date, Processor engages the following Sub-processors for the Processing of Personal Data. The current authoritative list is maintained at aictrlnet.com/legal/sub-processors; in the event of inconsistency between this Annex and the published list, the published list controls.

C.1.1 Infrastructure and Hosting

Sub-processor Purpose Data Processed Location Transfer Mechanism
Amazon Web Services, Inc. Cloud infrastructure, computing, and storage All Personal Data US (primary); EU (upon request) DPF (verify) + SCCs Module Two
Google Cloud Platform Secondary cloud infrastructure; AI/ML services Workflow data, AI inputs/outputs US; EU DPF (verify) + SCCs Module Two

C.1.0 AI Sub-Processors (subject to Section 6.4.3(a) 15-day notice)

The following Foundation Model Providers are engaged where Customer enables the corresponding adapter through the Service. Each is contractually committed (or otherwise represented) to no-default-training of Controller data. Adapters reside under editions/community/src/adapters/implementations/ai/ (Community tier) and editions/business/src/business_adapters/implementations/ai/ (Business tier).

Sub-processor Purpose Edition tier Data Processed Location Transfer Mechanism
Anthropic, PBC Claude Foundation Model inference Community+ Customer prompts and Outputs (no training) US DPF (verify) + SCCs Module Three
OpenAI, LLC GPT Foundation Model inference Community+ Customer prompts and Outputs (no training, commercial/API tier) US DPF (verify) + SCCs Module Three
HuggingFace, Inc. HuggingFace Inference API for hosted open-source models Community+ Customer prompts and Outputs (no training) US; EU DPF (verify) + SCCs Module Three
DeepSeek (Hangzhou DeepSeek Artificial Intelligence Co., Ltd.) DeepSeek Foundation Model inference (where Customer enables) Community+ Customer prompts and Outputs China-based provider; Controller should review transfer-impact assessment before enabling SCCs Module Three; supplementary measures required
Google LLC (Gemini) Gemini Foundation Model inference Business+ Customer prompts and Outputs (no training) US; EU DPF (verify) + SCCs Module Three
Amazon Web Services, Inc. (Bedrock) Multi-model Foundation Model gateway (Anthropic, Meta, Mistral, Cohere, and others as Customer selects) Business+ Customer prompts and Outputs (no training) US (primary); EU (where supported) DPF (verify) + SCCs Module Three
Cohere, Inc. Cohere Foundation Model inference Business+ Customer prompts and Outputs (no training) US; Canada SCCs Module Three
Microsoft Corporation (Azure OpenAI) OpenAI Foundation Models via Azure regional deployment Business+ Customer prompts and Outputs (no training) Customer-selected Azure region DPF (verify) + SCCs Module Three

Customer-controlled / self-hosted runtimes. Customer may configure the Service to use locally hosted Foundation Model runtimes such as Ollama or vLLM. When operated on Customer-controlled infrastructure, these are not AI Sub-Processors under this DPA and Processor does not engage them on Controller’s behalf. When operated on Processor-controlled infrastructure for the Service, inference occurs within the infrastructure footprint already disclosed in Section C.1.1 (no separate sub-processor relationship is created).

Provider terms references. Customer should consult each enabled provider’s current data-processing terms before transmitting Personal Data through that adapter. Bodaty does not warrant the contents of third-party Foundation Model Provider terms beyond what is contractually flowed through Bodaty’s own agreements with those providers.

C.1.2 Database and Storage

Sub-processor Purpose Data Processed Location
MongoDB Atlas Database services Workflow data, user data US; EU
Redis Labs Caching and session management Session data, temporary data US; EU
Amazon S3 Object storage for file attachments File attachments, documents US; EU

C.1.3 Security Services

Sub-processor Purpose Data Processed Location
Cloudflare, Inc. CDN, DDoS protection, WAF IP addresses, request data Global (edge locations)
Auth0 (Okta) Identity and access management Authentication data US; EU
Datadog, Inc. Infrastructure monitoring System logs, performance data US; EU

C.1.4 Communication Services

Sub-processor Purpose Data Processed Location
Twilio SendGrid Transactional email delivery Email addresses, notification content US
Twilio SMS notifications (optional) Phone numbers, message content US

C.1.5 Analytics and Support

Sub-processor Purpose Data Processed Location
Mixpanel Product analytics Usage data (anonymized/pseudonymized) US
Zendesk Customer support ticketing Support ticket content, contact data US; EU
Intercom In-app messaging and support User identifiers, message content US

C.1.6 AI and Machine Learning

The current AI Sub-Processor inventory is set forth in Section C.1.0 above. The shorter list previously appearing in this section has been consolidated into C.1.0 to align with the live adapter inventory in the codebase.

Note: AI Sub-processors are only engaged when Controller enables the corresponding adapter or feature. Controller may disable AI features and adapters to prevent data sharing with AI Sub-Processors. For Customer-controlled or self-hosted Foundation Model runtimes (Ollama, vLLM), see the note at the end of Section C.1.0.

C.2 Sub-processor Data Protection Agreements

All Sub-processors have entered into data processing agreements with Processor that:

C.3 Sub-processor Updates

Processor maintains an up-to-date list of Sub-processors at:

URL: [https://www.aictrlnet.com/legal/sub-processors]

Controller may subscribe to notifications of Sub-processor changes at:

Email: privacy@aictrlnet.com (subscription request) Portal: [https://www.aictrlnet.com/privacy-portal]

C.4 Controller-Specific Sub-processors

Controller may request the engagement of additional Sub-processors specific to Controller’s deployment. Such requests are subject to Processor’s approval and may incur additional fees.

C.5 Data Center Locations

Provider Region Location Certification
AWS us-east-1 Virginia, USA SOC 2, ISO 27001
AWS us-west-2 Oregon, USA SOC 2, ISO 27001
AWS eu-west-1 Ireland SOC 2, ISO 27001
AWS eu-central-1 Frankfurt, Germany SOC 2, ISO 27001
GCP us-central1 Iowa, USA SOC 2, ISO 27001
GCP europe-west1 Belgium SOC 2, ISO 27001

ANNEX D: STANDARD CONTRACTUAL CLAUSES REFERENCE

D.1 Applicability

This Annex D applies when Personal Data is transferred from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to countries that have not received an adequacy decision from the relevant authority.

D.2 EU Standard Contractual Clauses

D.2.1 Incorporation

The Parties agree that the Standard Contractual Clauses adopted by the European Commission Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”) are hereby incorporated by reference into this DPA.

D.2.2 Module Selection

For transfers from Controller (data exporter) to Processor (data importer):

Module Two: Transfer Controller to Processor applies.

D.2.3 Clause Selections

Clause Selection
Clause 7 (Docking Clause) Included - allows additional parties to accede
Clause 9 (Sub-processors) Option 2 (General Written Authorization) selected
Clause 11 (Redress) Option (a) - independent dispute resolution not required
Clause 17 (Governing Law) Laws of Ireland (for EEA transfers)
Clause 18 (Forum) Courts of Ireland (for EEA transfers)

D.2.4 Annex Completion

Annex I.A - List of Parties:

Annex I.B - Description of Transfer:

Annex I.C - Competent Supervisory Authority:

Annex II - Technical and Organizational Measures:

Annex III - Sub-processors:

D.3 UK International Data Transfer Addendum

D.3.1 Incorporation

For transfers of Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”), issued by the UK Information Commissioner’s Office and laid before Parliament on 2 February 2022, is hereby incorporated by reference.

D.3.2 Table Completion

Table Selection
Table 1: Parties As specified in Section D.2.4 above
Table 2: Selected SCCs Module Two, as specified in Section D.2.2
Table 3: Appendix Information As specified in Annexes A, B, and C of this DPA
Table 4: Ending the Addendum Neither Party may end the UK Addendum as set out in Section 19

D.3.3 Governing Law

The UK Addendum shall be governed by the laws of England and Wales.

D.4 Swiss Data Transfer Provisions

D.4.1 Applicability

For transfers of Personal Data from Switzerland, the EU SCCs apply with the following modifications:

D.5 Additional Safeguards

D.5.1 Supplementary Measures

In addition to the SCCs, Processor implements the following supplementary measures to protect Personal Data transfers:

Technical Measures:

Organizational Measures:

Contractual Measures:

D.5.2 Transfer Impact Assessment Support

Upon reasonable request, Processor shall cooperate with Controller in conducting transfer impact assessments to evaluate:

D.6 Alternative Transfer Mechanisms

D.6.1 Data Privacy Framework

Where Processor and/or its Sub-processors have certified to the EU-U.S. Data Privacy Framework, UK Extension, or Swiss-U.S. Data Privacy Framework, Controller may rely on such certification as an alternative transfer mechanism.

D.6.2 Adequacy Decisions

Where the European Commission, UK, or Swiss authorities have issued an adequacy decision for a particular country, transfers to that country may rely on the adequacy decision.

D.6.3 Binding Corporate Rules

Where applicable, transfers may rely on approved Binding Corporate Rules.

D.7 Updates to Transfer Mechanisms

If any transfer mechanism relied upon under this Annex D is invalidated or superseded by a court decision or regulatory guidance, the Parties shall cooperate in good faith to implement an alternative lawful transfer mechanism.

EXECUTION PAGE

This Data Processing Agreement is executed as of the date last signed below (the “Effective Date”).

BODATY LLC

By: ____________

Name: ____________

Title: ____________

Date: ____________

Address: ____________

Email: ____________

By: ____________

Name: ____________

Title: ____________

Date: ____________

Address: ____________

Email: ____________

This Data Processing Agreement has been prepared in accordance with GDPR Article 28 requirements and incorporates best practices from leading technology companies’ data processing agreements. For questions or clarifications, please contact privacy@aictrlnet.com.