Data Processing Addendum

Exhibit A to Master Subscription and Services Agreement - Effective February 22, 2026

This Data Processing Addendum ("DPA") governs the processing of personal data by StronglyAI, Inc. ("StronglyAI") on behalf of the customer ("Customer") under the Master Subscription and Services Agreement. The DPA ensures compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other privacy legislation. By accepting the MSSA, Customer acknowledges acceptance of this DPA.

1. Definitions

For purposes of this DPA, the following terms shall have the meanings set forth below:

"Controller" means the natural or legal person, public authority, agency, or other body that determines the purposes and means of the processing of Personal Data.

"Data Protection Laws" means the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) ("CCPA"), and any other applicable data protection, privacy, or consumer protection laws, regulations, or ordinances.

"Data Subject" means any identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processing" or "Process" means any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.

"Processor" means the natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller.

"Sub-processor" means any third party engaged by StronglyAI to process Personal Data on behalf of Customer and subject to obligations equivalent to those imposed on StronglyAI under this DPA.

2. Roles and Scope

2.1 Controller and Processor Roles

Customer is the Controller of Personal Data contained in Customer Content processed through the Platform. StronglyAI is the Processor of such Personal Data and shall process it only on the documented instructions of Customer and for the purposes specified in this DPA and the MSSA.

2.2 Platform Usage Data Exclusion

Platform Usage Data (as defined in the MSSA) consists of information about Customer's use of the Platform, including login frequency, feature usage patterns, API call volumes, and aggregate system performance metrics. StronglyAI may process Platform Usage Data as an independent data controller for its own operational, analytical, and business purposes, including service improvement, performance monitoring, and compliance verification. Platform Usage Data is not considered Customer Personal Data subject to this DPA. StronglyAI shall implement appropriate technical and organizational measures to minimize the inclusion of Personal Data in Platform Usage Data through de-identification, aggregation, and pseudonymization techniques where practicable.

2.3 Scope of DPA

This DPA applies to StronglyAI's processing of Personal Data within Customer Content in connection with the provision of the Platform and the performance of obligations under the MSSA. This DPA does not apply to Platform Usage Data or to Personal Data that StronglyAI processes in its capacity as an independent Controller.

3. Processing Instructions

3.1 Processing Scope

StronglyAI shall process Personal Data only on Customer's documented instructions and only to the extent necessary to provide the Platform and fulfill StronglyAI's obligations under the MSSA. StronglyAI shall not process Personal Data for any purpose other than those authorized by this Section 3.

3.2 Permitted Processing Purposes

StronglyAI is authorized to process Personal Data for the following purposes:

  • (a) Providing and operating the Platform, including maintaining system performance, security, and reliability;
  • (b) Fulfilling StronglyAI's obligations under the MSSA, including providing customer support and managing the Customer account;
  • (c) Complying with legal obligations, court orders, and government requests to which StronglyAI is subject.

3.3 Notification of Unlawful Instructions

If StronglyAI believes that a Customer instruction violates Data Protection Laws or other applicable law, StronglyAI shall promptly notify Customer of such concern and shall not execute the instruction until Customer provides clarification or alternative instruction.

4. Data Subject Rights

StronglyAI shall provide reasonable assistance to Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws, taking into account the nature of StronglyAI's processing, including rights to access, rectification, erasure, data portability, restriction of processing, and objection. Requests from Data Subjects must be responded to within the timeframes required by applicable Data Protection Laws. If StronglyAI receives a Data Subject request directed to it, StronglyAI shall forward the request to Customer without undue delay and shall not respond directly to the Data Subject unless legally required to do so.

5. Security Measures

5.1 Security Standards

StronglyAI shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures shall include:

  • (a) Encryption of Personal Data in transit using TLS 1.2 or higher and at rest using AES-256;
  • (b) Multi-factor authentication for all administrative and privileged access;
  • (c) Role-based access controls and least-privilege principles;
  • (d) Regular security testing, including vulnerability scanning and penetration testing, conducted at least annually;
  • (e) Incident detection and response procedures;
  • (f) Employee confidentiality obligations and mandatory security awareness training;
  • (g) Physical and environmental security controls for StronglyAI-Hosted Dedicated Deployments.

5.2 Customer-Hosted Deployments

For Customer-Hosted Deployments, Customer is solely responsible for the security and protection of the infrastructure environment hosting the Platform. StronglyAI's security obligations under this Section 5 apply only to StronglyAI's components of the Platform.

5.3 Security Documentation

Upon Customer's written request, StronglyAI shall provide Customer with a summary of its security measures and controls.

6. Personal Data Breach Notification

6.1 Breach Notification Timeline

StronglyAI shall notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach.

6.2 Initial Notification Content

StronglyAI's initial notification shall include:

  • (a) the nature and scope of the breach;
  • (b) the categories and approximate number of Data Subjects affected;
  • (c) the categories and approximate volume of Personal Data records affected;
  • (d) the likely consequences; and
  • (e) the measures taken or proposed to address and mitigate the breach.

6.3 Detailed Breach Report

StronglyAI shall provide Customer with a detailed written report within thirty (30) days including root cause analysis, timeline, remediation steps, and preventive measures.

6.4 Customer-Hosted Deployments

For Customer-Hosted Deployments, Customer is responsible for detecting Personal Data Breaches in its own infrastructure.

7. Sub-Processors

7.1 General Authorization

Customer grants StronglyAI general authorization to engage Sub-processors, subject to the requirements of this Section 7.

7.2 Sub-processor List

StronglyAI maintains a current and publicly available list of all Sub-processors at the Sub-Processor List page.

7.3 Sub-processor Changes

StronglyAI shall provide Customer with thirty (30) days' prior written notice of any intended addition or replacement. Customer may object in writing within fifteen (15) days on reasonable data protection grounds.

7.4 Sub-processor Obligations

StronglyAI shall impose equivalent data protection obligations on Sub-processors through written contract. StronglyAI remains fully liable to Customer for Sub-processor performance.

8. International Data Transfers

8.1 Transfer Restrictions

StronglyAI shall not transfer Personal Data to any country outside the EEA or to any non-adequate jurisdiction without Customer's prior written authorization and appropriate safeguards.

8.2 Transfer Mechanisms

Where transfers from the EEA are required, StronglyAI shall implement Standard Contractual Clauses (SCCs) or other appropriate transfer mechanisms permitted under GDPR.

8.3 Changes to Transfer Mechanisms

StronglyAI shall promptly inform Customer of any changes to applicable transfer mechanisms.

9. Retention and Deletion

9.1 Retention Period

StronglyAI shall retain Personal Data only for the duration of the MSSA Subscription Term.

9.2 Deletion Upon Termination

Upon expiration or termination, StronglyAI shall delete all Personal Data within the timeframes specified in MSSA Section 12.5 (30-day retrieval period followed by secure deletion).

9.3 Deletion Certification

Upon Customer's written request, StronglyAI shall provide written certification of deletion.

9.4 Anonymized Retention

StronglyAI may retain Personal Data in anonymized, de-identified, or aggregated form that cannot be linked to any individual.

10. Security Certifications

10.1 Certification Pursuits

StronglyAI is currently pursuing SOC 2 Type II and ISO 27001 certifications. Upon completion, StronglyAI shall provide relevant portions of audit reports upon written request.

10.2 Certification Limitations

The status of any certification does not alter StronglyAI's obligations under this DPA.

11. Audit Rights

11.1 Information Provision

StronglyAI shall provide information reasonably necessary to demonstrate compliance with this DPA.

11.2 Audit Conduct

StronglyAI shall permit audits no more than once per calendar year, upon at least thirty (30) days' notice, during normal business hours.

11.3 Audit Costs

Customer bears costs unless the audit reveals material non-compliance, in which case StronglyAI bears reasonable costs.

12. Data Protection Impact Assessments

StronglyAI shall provide reasonable assistance to Customer in conducting DPIAs and prior consultations with supervisory authorities as required under GDPR.

13. Records of Processing

StronglyAI shall maintain comprehensive records of processing activities as required by applicable Data Protection Laws and provide such records upon request.

14. DPO Contact

For any matters relating to this DPA, contact StronglyAI's legal team at legal@strongly.ai.

15. CCPA Provisions

15.1 Service Provider Status

StronglyAI shall process Personal Data as a "service provider" on behalf of Customer as the "business" under the CCPA.

15.2 Prohibited Uses

StronglyAI shall not:

  • (a) Sell or share Customer's Personal Data;
  • (b) Retain, use, or disclose Personal Data for any purpose other than the specific business purpose specified in the MSSA;
  • (c) Combine Personal Data from Customer with data from other sources, except as permitted under the CCPA.

15.3 Certification

StronglyAI certifies compliance with the CCPA restrictions.

16. Liability

Each party's liability under this DPA is subject to the limitations in the MSSA. Nothing in this DPA shall limit liability for:

  • (a) breaches causing material harm to Data Subjects; or
  • (b) violations of Data Protection Laws resulting from gross negligence or willful misconduct.

This DPA is incorporated into and forms part of the Master Subscription and Services Agreement. Execution of the MSSA constitutes acceptance of this DPA by both parties.

Questions?

For questions about this DPA or StronglyAI's data protection practices:

StronglyAI, Inc.
Legal: legal@strongly.ai