Data Processing Addendum

Between Proactive Vigilance LLC and Customer · Last updated: May 2026

Starter Template — Not Legal Advice

This document is provided as a starting point to accelerate enterprise procurement review. It is not legal advice. Both ProVigil AI and the Customer should have qualified counsel review and customize this addendum to reflect their specific circumstances and jurisdictions before either party executes it. To request an executable copy on company letterhead, email legal@provigilai.com.

Preamble

This Data Processing Addendum (“DPA”) is entered into between Proactive Vigilance LLC, a Maryland limited liability company doing business as ProVigil AI (“Processor”), and the Customer identified on the signature page (“Controller” or “Customer”), and forms part of and is subject to the Terms of Service available at provigilai.com/terms (the “Agreement”).

In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the subject matter herein.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person that is submitted by or on behalf of Customer to the ProVigil AI service.
  • “Process” or “Processing” means any operation performed on Personal Data, whether or not by automated means, including collection, storage, use, disclosure, and deletion.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “Subprocessor” means a third party engaged by Processor to Process Personal Data on Processor’s behalf in connection with the ProVigil AI service.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • “Applicable Data Protection Laws” means data protection laws and regulations applicable to the Processing of Personal Data under this DPA, including without limitation the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable state, federal, or international data protection laws.

2. Subject Matter, Duration, and Scope

Processor shall Process Personal Data on behalf of Customer solely to provide the ProVigil AI service as described in the Agreement. This DPA applies for the duration of the Agreement and survives termination for as long as Processor retains Personal Data on Customer’s behalf, subject to the deletion obligations in Section 11.

Details of the Processing — categories of Personal Data, categories of Data Subjects, nature and purpose of Processing, and retention — are set out in Schedule 1.

3. Roles of the Parties

Customer is the Controller (or, where Customer is itself a processor for an upstream controller, the processor acting on that controller’s instructions). Processor is a processor acting on behalf of Customer with respect to Customer Personal Data.

4. Customer Instructions

Processor shall Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. The Agreement and this DPA constitute Customer’s complete and final documented instructions to Processor for the Processing of Personal Data. Additional instructions outside the scope of the Agreement require prior written agreement between the parties.

Processor shall immediately inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.

5. Personnel and Confidentiality

Processor shall ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory, and receive appropriate training on data protection obligations.

6. Subprocessors

Customer provides general authorization for Processor to engage Subprocessors listed in Processor’s public Subprocessor list (the “Subprocessor List”).

Processor will provide Customer with notice (which may be by posting an update to the Subprocessor List together with at least 30 days’ advance notification to enterprise Customers) before adding or replacing any Subprocessor. If Customer has a legitimate objection on data-protection grounds, Customer must communicate the objection in writing within 14 days of receiving notice. The parties will then work in good faith to address the concern; if no resolution is reached, Customer may terminate the affected portion of the Agreement on written notice without penalty, subject to a pro-rata refund of any prepaid fees for unused services.

Processor shall remain fully liable for the acts and omissions of its Subprocessors in connection with the Processing of Personal Data and shall impose on each Subprocessor data protection obligations no less protective than those set out in this DPA.

7. Security Measures

Processor shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing and accidental loss, destruction, damage, or disclosure. Such measures are summarized in Schedule 2 (Technical and Organizational Measures).

Customer acknowledges that the security measures are subject to technical progress and development; Processor may update the measures from time to time provided the level of security is not materially decreased.

8. Data Subject Requests

Taking into account the nature of the Processing, Processor shall assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer’s obligation to respond to requests for the exercise of Data Subject rights under Applicable Data Protection Laws (access, rectification, erasure, restriction, portability, objection).

If Processor receives a request directly from a Data Subject relating to Customer Personal Data, Processor shall promptly forward such request to Customer and shall not respond except on Customer’s instructions or as required by applicable law.

9. Personal Data Breach

Processor shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification shall include, to the extent reasonably available at the time:

  • The nature of the Personal Data Breach;
  • The categories and approximate number of Data Subjects and Personal Data records affected;
  • The likely consequences of the Personal Data Breach;
  • The measures Processor has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Processor shall cooperate with Customer and provide reasonable assistance in Customer’s investigation of and response to the Personal Data Breach.

10. Data Protection Impact Assessments

Upon reasonable request and taking into account the nature of the Processing and the information available to Processor, Processor shall provide Customer with reasonable assistance for any data protection impact assessment and prior consultations with supervisory authorities as required under Applicable Data Protection Laws.

11. Deletion and Return of Personal Data

Upon termination or expiry of the Agreement, Processor shall, at Customer’s written election, delete or return all Personal Data and delete existing copies, unless retention is required by applicable law. Customer may export Customer Personal Data through the ProVigil AI portal at any time prior to such election.

In the absence of Customer instructions, Processor will delete Personal Data within 90 days after termination, subject to lawful retention obligations.

12. Audits

Processor shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA. On request and no more than once per twelve-month period (unless required by a supervisory authority or following a Personal Data Breach), Processor shall, to the extent permitted by law:

  • Provide Customer with a copy of its then-current audit reports, certifications, or attestations (e.g., SOC 2, ISO 27001) that are available, where applicable; and
  • Respond to reasonable written questionnaires regarding security and data protection practices.

Customer shall bear its own costs for any audit or assessment. On-site audits, where permitted, shall be conducted during business hours with reasonable advance notice and shall not unreasonably interfere with Processor’s operations.

13. International Data Transfers

Where the Processing of Personal Data involves a transfer to a country outside the jurisdiction(s) of the Applicable Data Protection Laws without an adequacy decision, the parties agree to incorporate the European Commission Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) or other recognized transfer mechanisms (e.g., the UK Addendum to the EU SCCs, Swiss data transfer requirements) as appropriate, by reference and as supplemented by this DPA.

Processor will implement supplementary measures where required to ensure an essentially equivalent level of protection for transferred Personal Data.

14. Liability

Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement.

15. Governing Law and Jurisdiction

This DPA is governed by the laws of the State of Maryland, United States, without regard to its conflict of laws principles, except to the extent that Applicable Data Protection Laws require otherwise. Disputes arising from or related to this DPA shall be resolved in accordance with the dispute resolution provisions of the Agreement.

16. Entire Agreement; Order of Precedence

This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to Processor’s Processing of Customer Personal Data. In the event of any conflict, the order of precedence is: (1) this DPA, (2) the Agreement, and (3) any other documents incorporated by reference.


Schedule 1 — Details of Processing

Subject matter

Processing of Customer Personal Data by Processor in connection with providing the ProVigil AI service.

Nature and purpose

Hosting, storage, indexing, AI-assisted retrieval, generation, summarization, and analysis of Customer documents, communications, and business records to deliver the contracted ProVigil AI service.

Duration

For the term of the Agreement plus any retention period required to fulfill termination obligations under Section 11.

Categories of Data Subjects

Customer’s employees, contractors, customers, vendors, and any other natural persons whose Personal Data is contained in Customer-submitted documents.

Categories of Personal Data

Contact information (name, email, phone); employment information; business records and communications; any other Personal Data contained in Customer-uploaded documents at Customer’s discretion.

Special categories

Customer determines what Personal Data it uploads. Customer is responsible for ensuring it has a lawful basis to Process special categories of Personal Data (e.g., health, biometric, criminal records) if it chooses to submit such data.

Schedule 2 — Technical and Organizational Measures

Processor maintains the following measures, which may be updated from time to time provided the overall level of security is not materially decreased:

  • Encryption in transit: TLS 1.2+ for all customer-facing endpoints.
  • Encryption at rest: AES-256 for all stored Customer data at the cloud-infrastructure layer.
  • Access control: Role-based access control (RBAC) for Customer users; least-privilege access for Processor personnel; logged administrative access.
  • Tenant isolation: Logical separation of Customer data by tenant identifier on every read/write operation; security rules enforced at the database layer.
  • Authentication: Federated identity (Google SSO) and password-based authentication with industry-standard hashing; optional single sign-on for enterprise Customers.
  • Network security: Cloud-provider managed network controls, regional isolation, and managed identity for service-to-service communication.
  • Monitoring and logging: Centralized application and audit logs with retention sufficient to support incident investigation.
  • Backup and disaster recovery: Cloud-managed regional redundancy; documented recovery procedures.
  • Personnel: Background checks for Processor personnel with production access; documented onboarding and offboarding procedures; confidentiality obligations.
  • Subprocessor diligence: Pre-engagement security review of Subprocessors; flow-down of obligations equivalent to this DPA.
  • Incident response: Documented incident response procedures including the 72-hour breach notification commitment in Section 9.
  • Data lifecycle: Documented retention and deletion procedures aligned with Section 11.

Execution

By executing the underlying Agreement and acknowledging this DPA, the parties agree to be bound by its terms. For a countersigned, executable copy on company letterhead suitable for procurement records, contact legal@provigilai.com.

Processor

Proactive Vigilance LLC

PO Box 212, Boonsboro, MD

United States

d/b/a ProVigil AI

Customer

[Customer Legal Name]

[Jurisdiction]

As identified on the Agreement signature page.