Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Controller") and Latent Ventures LLC ("Processor") for the ModelCouncil service.

Effective Date: January 15, 2026
Last Updated: January 17, 2026

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data.
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data.

2. Scope and Purpose of Processing

The Processor processes Personal Data on behalf of the Controller for the following purposes:

  • Providing the Service, including processing queries through AI models
  • Account management and authentication
  • Billing and payment processing
  • Service improvement and support

3. Categories of Data and Data Subjects

Categories of Personal Data:

  • Account information (name, email)
  • Content uploaded to projects (which may contain Personal Data)
  • Query content and AI responses
  • Usage and billing data

Categories of Data Subjects:

  • Controller's authorized users
  • Individuals referenced in Controller's uploaded content (if any)

4. Controller Obligations

The Controller represents and warrants that:

  • It has obtained all necessary consents and authorizations for the Processing
  • It will not upload Personal Data for which it lacks lawful basis to process
  • It is responsible for the accuracy, quality, and legality of Personal Data provided
  • It will comply with all applicable data protection laws

5. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process the data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Notify the Controller of any Personal Data breach without undue delay
  • Delete or return Personal Data upon termination, at Controller's choice

6. Sub-processors

The Processor engages the following Sub-processors:

Sub-processor | Purpose | Location
Anthropic | AI model processing (Claude) | United States
OpenAI | AI model processing (GPT) | United States
Google | AI model processing (Gemini) | United States
xAI | AI model processing (Grok) | United States
Vercel | Hosting, AI Gateway | United States
Supabase | Database, Auth, Storage | United States
Stripe | Payment Processing | United States

The Processor will notify the Controller of any intended changes to Sub-processors, providing the Controller an opportunity to object.

7. Security Measures

The Processor implements the following security measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Row-level security ensuring data isolation between customers
  • Secure authentication with support for multi-factor authentication
  • Regular security assessments and vulnerability scanning
  • Access controls and logging of administrative actions
  • Incident response procedures and breach notification processes

8. Data Subject Rights

The Processor will assist the Controller in fulfilling Data Subject requests (access, correction, deletion, portability, restriction, objection) to the extent technically feasible and as required by applicable law. The Controller is responsible for verifying the identity of Data Subjects making requests.

9. International Data Transfers

Personal Data may be transferred to and processed in the United States and other countries where our Sub-processors operate. Such transfers are made in compliance with applicable data protection laws, utilizing Standard Contractual Clauses or other approved transfer mechanisms where required.

10. Data Breach Notification

In the event of a Personal Data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach (where feasible). The notification will include:

  • The nature of the breach
  • Categories and approximate numbers of Data Subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach

11. Audit Rights

Upon reasonable request, the Processor will make available information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, either directly or through an independent auditor, with reasonable advance notice and during normal business hours, provided such audits do not unreasonably interfere with the Processor's operations.

12. Term and Termination

This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination, the Processor will, at the Controller's election, delete or return all Personal Data and delete existing copies, unless retention is required by applicable law.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

14. Contact Information

If you have questions about this DPA, please contact us at privacy@modelcouncil.co

Latent Ventures LLC