Data Processing Agreement

Key Points:

• Customer acts as Controller with respect to Personal Data
• Secured AI acts as Processor on Customer's behalf
• Processing activities are limited to those necessary to provide the Services

2.1 Instructions

• Secured AI will process Personal Data only on documented instructions from Customer
• The Agreement and this DPA constitute Customer's complete instructions
• Additional instructions require written agreement

2.2 Purpose

• Processing is limited to providing the Services
• We do not process Personal Data for our own purposes
• We do not sell Personal Data

2.3 Categories of Data

| Category | Examples |
|----------|----------|
| Personal identifiers | Names, email addresses, phone numbers |
| Professional information | Job titles, company names |
| Content data | Text submitted for processing |
| Technical data | IP addresses, device information |

2.4 Data Subjects

• Customer's employees
• Customer's customers
• Other individuals whose data is processed through the Service

Technical Measures:

• Encryption in transit (TLS 1.3)
• Encryption at rest (AES-256)
• Access controls and authentication
• Network security and firewalls
• Intrusion detection and prevention
• Regular vulnerability scanning

Organizational Measures:

• Security policies and procedures
• Employee training and awareness
• Background checks for personnel
• Incident response procedures
• Business continuity planning

Certifications:

• SOC 2 Type II (alignment in progress)

Authorization:

• Customer authorizes the use of subprocessors listed in Annex B
• Secured AI will notify Customer before adding new subprocessors

Notification Process:

• Advance notice of new subprocessors
• Customer may object to new subprocessors
• If objection cannot be resolved, Customer may terminate

Subprocessor Obligations:

• Subprocessors are bound by data protection obligations equivalent to this DPA
• Secured AI remains liable for subprocessor compliance

Data Subject Assistance:

• We will notify Customer of data subject requests
• We provide reasonable assistance in responding to requests
• Customer is responsible for responding to data subjects
• Assistance includes: access, rectification, erasure, portability, restriction, objection

Incident Process:

• Notification within a reasonable timeframe of becoming aware
• Notification includes: nature of breach, categories affected, likely consequences, measures taken
• Cooperation in investigation and mitigation
• Assistance with regulatory notifications

Assistance Areas:

• Data protection impact assessments
• Prior consultation with supervisory authorities
• Audit and inspection rights
• Compliance documentation and evidence

Transfer Mechanisms:

• Standard Contractual Clauses (EU Commission approved)
• UK Addendum to Standard Contractual Clauses
• Supplementary measures as needed
• Data residency options (Enterprise)

Retention Terms:

• Content data: Not retained by default (processed in real-time)
• Audit logs: Retained per Customer configuration
• Upon termination: Deletion or return within a reasonable period
• Certification of deletion available upon request

Audit Options:

• SOC 2 Type II report available upon completion of certification
• Security questionnaire responses
• On-site audits with reasonable notice (Enterprise)
• Third-party audit reports