Data Processing Agreement

This Data Processing Agreement ("Agreement") will form part of the Service Agreement between CouldAI ("Data Processor") and the customer entity that accepts this Agreement ("Company" or "Data Controller"). By using CouldAI's services, the Company agrees to be bound by the terms of this Data Processing Agreement.

For questions regarding this Data Processing Agreement or to exercise any rights hereunder, please contact [email protected].

1. Definitions

• "Personal Data": Any information relating to an identified or identifiable natural person.
• "Customer Personal Data": Any Personal Data processed by the Data Processor or its Sub-processor on behalf of on documented instructions of the Company in connection with the Services.
• "Processing": Any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
• "Data Subject": An individual whose Personal Data is processed.
• "Sub-processor": Any third party engaged by the Data Processor to process Personal Data on behalf of the Company.
• "Data Protection Laws": Collectively, (i) EU GDPR, UK GDPR and any implementing or supplementary legislation; (ii) the EU–US Data Privacy Framework and its UK/Swiss extensions; and (iii) all U.S. federal or state privacy statutes in force during the Term together with other national laws governing the Processing of Personal Data under this Agreement.
• "EU Data Protection Laws": EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and any EU or Member-State law that implement or supplement the GDPR.
• "GDPR": EU General Data Protection Regulation 2016/679.
• "CCPA": The California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder. When used in the context of the CCPA, the terms "business," "business purpose," "commercial purpose," "contractor," "sell," "service provider," and "share" shall have the respective meanings given thereto in the CCPA.
• "U.S. Privacy Laws": The collective privacy, data protection, and data security laws and regulations issued by a governmental authority of any US state jurisdiction applicable to the Processing of Customer Personal Data under this Agreement, including the CCPA.
• "Data Transfer": (a) A transfer of Company Personal Data from the Company to a Contracted Processor; or (b) an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws.
• "EU SCCs": The standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
• "UK SCCs": The EU SCCs, as amended by the UK Addendum.
• "UK Addendum": The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office.
• "ex-EEA Transfer": The transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the "EEA"), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
• "ex-UK Transfer": The transfer of Personal Data covered by Chapter V of the UK GDPR, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the "UK"), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
• "Personal Data Breach": A breach of the Data Processor's security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in the Data Processor's possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
• "Service Data": Any data relating to the use, support and/or operation of the Services, which is collected directly by the Data Processor from and/or about users of the Services and/or the Company's use of the Service for use for the Data Processor's own purposes.

2. Subject Matter and Duration

CouldAI shall Process Customer Personal Data only on the Company's documented instructions (including those contained in this Agreement and the Service Agreement) and shall promptly notify the Company if an instruction, in CouldAI's reasonable opinion, violates Applicable Law. CouldAI may refuse, suspend, or propose commercially reasonable alternatives to any instruction it reasonably believes would breach Applicable Law or materially compromise the security, confidentiality, availability, or performance of the Services. This Agreement shall remain in effect for the duration of the Service Agreement.

2.1 Service-Specific Data Retention

The Data Processor shall retain Customer Data transmitted through the Service for a maximum of ninety (90) days, after which it will be deleted, except where the Data Processor is required to retain copies under applicable laws, in which case the Data Processor will isolate and protect that Customer Data from any further processing except to the extent required by applicable laws. Data retention periods for other services shall be as specified in the applicable Service Description or Order Form.

2.2 Records of Processing Activities

The Data Processor shall maintain complete and accurate records of all Processing activities carried out on behalf of the Company as required under Article 30(2) of the GDPR. Such records shall be made available to the Company upon reasonable request and shall include, at minimum:

• The name and contact details of the Data Processor and the Company
• The categories of processing carried out on behalf of the Company
• Details of any transfers to third countries and safeguards applied
• A general description of the technical and organizational security measures implemented

3. Nature and Purpose of Processing

3.1 General Processing Activities

The Processing comprises the hosting, storage, compilation, scanning, indexing, static and dynamic analysis, AI-assisted generation, and deployment of software-development artifacts (including source code, configuration files, commit history, tickets, comments, and user-profile data) in order to provide, secure, maintain, monitor, and improve the Services

3.2 Processing Relationship

It is the parties' intent that:

• The Company determines the means and processing of Customer Personal Data subject to this Agreement.
• For EU Personal Data, the Company acts as a controller and the Data Processor acts as a processor.
• For U.S. Personal Data the Company is "business," CouldAI is "service provider/contractor," and CouldAI shall not "sell" or "share" such data nor combine it for cross-contextual advertising, consistent with the CPRA
• For UK Personal Data, the Company acts as a Controller and the Data Processor acts as a Processor as defined under the UK GDPR.

The parties expressly acknowledge and agree that:

• This Agreement does not establish a joint controllership arrangement under Article 26 of the GDPR
• Each party remains solely responsible for its own compliance with Data Protection Laws in respect of its separate processing activities.
• The Data Processor processes Customer Personal Data solely on behalf of and under the instructions of the Company.
• CouldAI may process Service Data, Aggregated Data, and de-identified data as an independent Controller solely for analytics, security, billing, and product-development purposes.
• CouldAI does not engage in automated decision-making with legal or similarly significant effects on Data Subjects.

3.3 US Privacy Law Compliance

To the extent the Data Processor's Processing of Customer Personal Data under the Agreement is subject to U.S. Privacy Laws:

The Parties acknowledge that the Data Processor's retention, use and disclosure of personal information authorized by the Company's instructions stated in this Agreement are integral to the Services and the business relationship between the Parties.

The Data Processor:

• Acknowledges that personal information is disclosed by the Company only for limited and specified purposes
• Shall comply with applicable obligations under U.S. Privacy Laws and shall provide the same level of privacy protection as is required of a "service provider" or "contractor" under each applicable U.S. Privacy Law
• Acknowledges that the Company may take reasonable and appropriate steps designed to ensure that the Data Processor's use of personal information is consistent with the Company's obligations under U.S. Privacy Laws
• Shall notify the Company without undue delay if the Data Processor determines it cannot meet its obligations under U.S. Privacy Laws
• Acknowledges that the Company may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of personal information

The Data Processor shall not:

• Sell or share any personal information
• Retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by U.S. Privacy Laws
• Retain, use or disclose the personal information outside of the direct business relationship between the Data Processor and the Company
• Combine the personal information received from the Company with personal information received from or on behalf another person, or personal information the Data Processor collects from its own interaction with the consumer, except as otherwise permitted by U.S. Privacy Laws
• De-identify or aggregate Customer Personal Data for its own use unless (A) the de-identification meets the CPRA's § 1798.140(h) and GDPR/UK GDPR Recital 26 standard, and (B) the output cannot reasonably be re-identified.

4. Types of Personal Data and Categories of Data Subjects

Types of Personal Data: Customer Personal Data may include account identifiers such as names, business-email addresses, usernames, UUIDs and organization IDs; authentication and security information such as hashed passwords, access tokens, multi-factor-authentication status, IP addresses and user-agent strings; development artefacts such as source-code files, commit metadata, pull-request comments, issue-tracker records and attachment filenames; operational telemetry such as build and deployment logs, error traces, performance metrics and usage analytics; collaboration content such as chat threads, review notes, code annotations and other free-text fields supplied by users; and support material, including tickets or diagnostic dumps, voluntarily provided to CouldAI support. Payment data, end-user personally identifiable information or marketing lists are neither required nor expected for normal use of the Services and should not be supplied unless the parties expressly agree otherwise in writing.

Categories of Data Subjects: Developers, engineers, project managers, external contributors or contractors authorized by the Company, and individuals whose personal data is incidentally embedded in code comments, configuration files or other artifacts.

Prohibited Data: The Company shall not upload or provide special-category data under GDPR Article 9, biometric identifiers, children's data below the applicable age threshold, sensitive personal information as defined by the CPRA (e.g., Social-Security numbers or precise geolocation), data governed by sector-specific regimes such as HIPAA, GLBA or PCI-DSS, content subject to export-control or sanctions laws, or any other data whose possession or transfer is unlawful in the relevant jurisdiction, unless CouldAI has given prior written consent and the parties have documented a lawful basis.

5. Obligations of the Data Processor

The Data Processor agrees to:

a. Process Personal Data only on documented instructions from the Company, including with regard to international data transfers, unless required by law. If CouldAI believes an instruction violates Applicable Law or materially degrades the security or performance of the Services, it will notify the Company and may suspend the relevant Processing until the matter is resolved

b. Not provide the Company with remuneration in exchange for Personal Data from the Company. The parties acknowledge and agree that the Company has not "sold" (as such term is defined by applicable Data Protection Laws) Personal Data to the Data Processor.

c. Not "sell" (as such term is defined by U.S. Privacy Laws) or "share" (as such term is defined by the CCPA) Personal Data, except for internal operations such as security, debugging, or service improvement expressly permitted by Cal. Civ. Code § 1798.140(ad)(2)(A) or equivalent statutes.

d. Not combine any Personal Data with personal data that the Data Processor receives from or on behalf of any other third party or collects from the Data Processor's own interactions with individuals, provided that the Data Processor may combine Personal Data for a purpose permitted under applicable Data Protection Laws if directed to do so by the Company or as otherwise permitted by applicable Data Protection Laws.

e. Ensure that individuals authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

f. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:

• Pseudonymization and encryption of Personal Data.
• Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
• Procedures for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

g. Assist the Company in fulfilling its obligation to respond to Data Subjects' requests to exercise their rights under the GDPR and other applicable Data Protection Laws, including rights of access, rectification, erasure, restriction of processing, data portability, objection, and automated decision-making. The Data Processor shall:

• Promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data
• Ensure that it does not respond to that request except on the documented instructions of the Company or as required by applicable laws
• Provide the Company with commercially reasonable assistance to facilitate the handling of such requests within thirty (30) calendar days of receiving the request
• CouldAI may invoice documented, reasonable costs for manual assistance that exceeds two (2) person-hours per request
• Forward any ambiguous or unclear Data Subject requests to the Company for clarification without attempting to interpret or respond independently
• Maintain a log of all Data Subject requests received and actions taken

h. Assist the Company in ensuring compliance with obligations concerning the security of processing, notification of Personal Data breaches, data protection impact assessments, and prior consultation with supervisory authorities.

i. Upon termination of this Agreement and at the choice of the Company, delete or return all Personal Data to the Company and delete existing copies, unless applicable law requires storage of the Personal Data, in accordance with Section 10 of this Agreement.

j. CouldAI shall make available compliance documentation, upon request. On-site or remote audits: (i) no more than once in any rolling twelve-month period; (ii) on at least thirty (30) days' written notice; (iii) during normal business hours; (iv) subject to mutually agreed confidentiality terms; and (v) at the Company's expense, including CouldAI's reasonable internal costs. The Company may use an independent, third-party auditor that is not a direct competitor of CouldAI.

Nothing in this Section 5 obliges CouldAI to take actions that (i) would violate Applicable Law, (ii) require disclosure of trade secrets or confidential information of third parties, or (iii) exceed the limitation-of-liability caps set forth in Section 14.

6. Data Breach Notification

a. The Data Processor shall notify the Company without undue delay, and in any event within seventy-two (72) hours after confirming that a Personal Data Breach has occurred and constitutes a notifiable breach under Applicable Law. "Confirming" means the point at which CouldAI has sufficient evidence to conclude that (i) a breach of security has occurred and (ii) Customer Personal Data has been compromised. Such notification shall include, at a minimum:

• The nature of the breach.
• The categories and approximate number of Data Subjects concerned.
• The categories and approximate number of Personal Data records concerned.
• The likely consequences of the breach.
• Measures taken or proposed to address the breach.
• Contact details of the data protection officer or other contact point.
• Whether the breach is subject to any law-enforcement hold or confidentiality restriction.

b. The Data Processor shall cooperate with the Company and take commercially reasonable steps the Company directs to investigate, mitigate and remediate the breach. Any bespoke assistance exceeding eight (8) person-hours per event is chargeable at CouldAI's then-current professional-services rates, unless prohibited by Applicable Law.

c. The Data Processor shall document all Personal Data Breaches, including the facts of the breach, its effects, and the remedial action taken.

d. The Data Processor's notification of or response to a Personal Data Breach shall not be construed as the Data Processor's acknowledgement of any fault or liability with respect to the Personal Data Breach.

e. If the Company determines to notify any governmental entity, Data Subject(s), the public or others of a Personal Data Breach, to the extent such notice directly or indirectly refers to or identifies the Data Processor, where permitted by applicable laws, the Company agrees to:

• Notify the Data Processor in writing in advance; and
• In good faith, consult with the Data Processor and consider any clarifications or corrections the Data Processor may reasonably recommend or request to any such notification, which: (i) relate to the Data Processor's involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.

f. Enhanced Incident Response: Following any Personal Data Breach, the Data Processor shall:

• Conduct a root cause analysis within 30 days of discovering the breach
• Provide the Company with a written report detailing:
  • The root cause of the breach
  • Remediation actions taken
  • Measures implemented to prevent recurrence
  • Timeline for resolution of any outstanding security issues
• Implement all reasonable remediation measures within 90 days or such other timeframe as agreed with the Company
• CouldAI will update Company upon material investigation milestones or upon written request no more than once per week.

CouldAI may delay notice to the Company if a competent law-enforcement agency determines that immediate disclosure would impede a criminal investigation, provided CouldAI notifies the Company as soon as the restriction is lifted.

7. Sub-processing

a. The Data Processor shall not engage another processor (Sub-processor) without prior specific or general written authorization of the Company. In the case of general written authorization, the Data Processor shall inform the Company of any intended changes concerning the addition or replacement of other processors, giving the Company ten (10) business days to object to such changes.

b. The Data Processor may continue to use those Sub-processors already engaged by the Data Processor as of the date of this Agreement.

c. The Data Processor maintains an up-to-date list of all Sub-processors engaged in processing Personal Data as set forth in Annex IV of this Agreement (the "Sub-processor List"). This list is updated at least annually and available upon request to [email protected].

d. In the event that the Company does not wish to consent to the use of a new Sub-processor, the Company may notify the Data Processor that the Company does not consent within five (5) business days on reasonable grounds relating to the protection of Personal Data by contacting [email protected]. In such cases, the Company and the Data Processor shall work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, the Company may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to the Data Processor and receive a refund of any prepaid fees under the Agreement.

e. Where the Data Processor engages another processor for carrying out specific processing activities on behalf of the Company, the same data protection obligations as set out in this Agreement shall be imposed on that other processor by way of a contract.

f. Where that other processor fails to fulfill its data protection obligations, the Data Processor shall remain fully liable to the Company for the performance of that other processor's obligations.

8. International Data Transfers

a. The Data Processor shall not transfer Personal Data to a third country or international organization unless:

• The transfer is to a country or organization that has been deemed to provide an adequate level of protection by the European Commission or applicable regulatory authority;
• The transfer is covered by appropriate safeguards such as binding corporate rules, standard data protection clauses, approved codes of conduct, or certification mechanisms; or
• The Company has given its explicit consent to the transfer after having been informed of the potential risks.

b. For ex-EEA Transfers, the parties agree that such transfers are made pursuant to the EU SCCs, which are deemed incorporated into this Agreement by reference and completed as follows:

• Module Two (Controller to Processor) of the EU SCCs apply when the Company is a controller, and the Data Processor is processing Personal Data for the Company as a processor.
• Module Three (Processor to Sub-Processor) of the EU SCCs apply when the Company is a processor, and the Data Processor is processing Personal Data on behalf of the Company as a sub-processor.

c. For ex-UK Transfers, the parties agree that such transfers are made pursuant to the UK SCCs, which are deemed incorporated into this Agreement by reference, and amended and completed in accordance with the UK Addendum.

d. The Data Processor represents and warrants that:

• As of the date of this Agreement, it has not received any formal legal requests from any government intelligence or security service for access to Company Personal Data ("Government Agency Requests");
• If, after the date of this Agreement, the Data Processor receives any Government Agency Requests, it shall attempt to redirect the law enforcement or government agency to request that data directly from the Company and shall give the Company reasonable notice of the demand, unless legally prohibited from doing so.

e. If any transfer mechanism relied upon becomes invalid or is enjoined, the parties will cooperate in good faith to promptly implement an alternative lawful mechanism. CouldAI may suspend the affected transfers (and related processing) until such mechanism is in place, without this constituting a breach of the Agreement.

9. Audit Rights

a. Upon reasonable notice of at least 14 days, the Data Processor shall allow for and contribute to audits, including inspections, conducted by the Company or another auditor mandated by the Company regarding the processing of the Company's Personal Data by the Data Processor. Audits requiring on-site inspection, or more than one audit per twelve (12)-month period, are subject to CouldAI's reasonable fees and reimbursement of out-of-pocket costs.

b. The Company shall conduct audits in a manner designed to minimize disruption to the Data Processor's business operations and may be conducted no more than once per year, unless required by a regulatory authority or following a Personal Data Breach.

c. The Data Processor shall make available to the Company all information necessary to demonstrate compliance with the obligations laid down in this Agreement and shall allow for and contribute to such audits, including inspections. All auditors must execute a non-disclosure agreement acceptable to CouldAI. CouldAI may redact or withhold information that (i) is subject to attorney–client or work-product privilege, (ii) identifies another customer, (iii) constitutes trade secrets, or (iv) is not strictly necessary to verify compliance.

d. If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2 or similar audit report performed by a qualified third-party auditor within twelve (12) months of the Company's audit request ("Audit Report") and the Data Processor has confirmed in writing that there are no known material changes in the controls audited and covered by such Audit Report(s), the Company agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures.

e. The Data Processor need not give access to its premises for the purposes of such an audit:

• Where an Audit Report is accepted in lieu of such controls or measures in accordance with Section 9(d);
• To any individual unless they produce reasonable evidence of their identity;
• To any auditor whom the Data Processor has not approved in advance (acting reasonably);
• To any individual who has not entered into a non-disclosure agreement with the Data Processor on terms acceptable to the Data Processor;
• Outside normal business hours at those premises; or
• On more than one occasion in any calendar year during the term of the Agreement.

f. The Company bears all of its own audit costs. CouldAI may charge (i) reasonable fees for on-site inspections, bespoke document production, or manual assistance that exceeds two (2) person-hours, and (ii) reimbursement of any out-of-pocket expenses. These fees will be invoiced at CouldAI's standard professional-services rates unless prohibited by Applicable Law.

10. Return and Deletion

Upon the cessation of all Services involving the Processing of Customer Personal Data (the "Cessation Date"), the Data Processor shall immediately discontinue all Processing activities other than secure storage or any Processing expressly permitted under this Agreement. Within thirty (30) days after the Cessation Date the Company may instruct the Data Processor, in writing, to return or delete all Customer Personal Data then in the Data Processor's possession or control. If no such instruction is received within that period, the Data Processor may, at its discretion, permanently delete or irreversibly anonymize the data in accordance with its documented retention schedule. Following a valid deletion or return instruction, the Data Processor will complete deletion from active systems within ninety (90) days and from immutable or encrypted backup media within three-hundred-sixty-five (365) days, unless a longer retention period is mandated by Applicable Law. Notwithstanding the foregoing, the Data Processor may retain a minimal log of the deletion event and any Customer Personal Data strictly necessary to establish, exercise, or defend legal claims, provided such data remains subject to the confidentiality and security obligations set forth herein. Where manual data-export or bespoke deletion work exceeds two (2) person-hours, the Data Processor may charge the Company its reasonable, documented costs at the then-current professional-services rates, except to the extent such charges are prohibited by Applicable Law. The provisions of this Section 10, together with Sections 11 and 14 (Limitation of Liability), shall survive termination of this Agreement for so long as the Data Processor retains any Customer Personal Data.

11. Governing Law and Jurisdiction

This Agreement, and any non-contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with the laws of Ireland, without regard to conflict-of-law principles. Any dispute that relates primarily to the interpretation or enforcement of EU Data Protection Laws shall be submitted to the exclusive jurisdiction of the courts of Ireland. Any dispute that relates primarily to UK Data Protection Laws may, at either party's option, be submitted to the courts of England and Wales. For all other disputes, the Data Processor may elect, by written notice, either (i) the state or federal courts located in Delaware, USA, or (ii) final and binding arbitration under the Rules of Arbitration of the International Chamber of Commerce, seated in London, conducted in English before a single arbitrator experienced in data-protection law. The parties agree to resolve all disputes solely on an individual basis and waive any right to bring or participate in a class, consolidated, or representative action. Nothing in this Section 11 limits either party's right to seek urgent injunctive or equitable relief in any competent court to protect its Confidential Information or intellectual-property rights.

12. Company Obligations

a. The Company represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the Personal Data to the Data Processor and to authorize the Data Processor to use, disclose, retain and otherwise process Personal Data as contemplated by this Agreement, the Service Agreement and/or other processing instructions provided to the Data Processor.

b. The Company shall comply with all applicable Data Protection Laws.

c. The Company shall reasonably cooperate with the Data Processor to assist the Data Processor in performing any of its obligations with regard to any requests from the Company's data subjects and will reimburse CouldAI for any reasonable, documented costs CouldAI incurs when assistance exceeds the two (2) person-hour allowance set out in Section 5(g).

d. Without prejudice to the Data Processor's security obligations in this Agreement, the Company acknowledges and agrees that it, rather than the Data Processor, is responsible for certain configurations and design decisions for the services and that the Company, and not the Data Processor, is responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Laws.

e. The Company shall not provide Personal Data to the Data Processor except through agreed mechanisms. For example, the Company shall not include Personal Data other than technical contact information in technical support tickets or transmit Personal Data to the Data Processor by email, except where expressly authorized. Without limitation to the foregoing, the Company represents, warrants and covenants that it shall only transfer Personal Data to the Data Processor using secure, reasonable and appropriate mechanisms, to the extent such mechanisms are within the Company's control.

f. The Company shall not take any action that would (i) render the provision of Personal Data to the Data Processor a "sale" under U.S. Privacy Laws or a "share" under the CCPA (or equivalent concepts under U.S. Privacy Laws); or (ii) render the Data Processor not a "service provider" under the CCPA or "processor" under U.S. Privacy Laws.

g. The Company agrees that, without limiting the Data Processor's obligations under Section 5 (Obligations of the Data Processor), the Company is solely responsible for its use of the Services, including:

• Making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data
• Securing the account authentication credentials, systems and devices the Company uses to access the Services
• Securing the Company's systems and devices that the Data Processor uses to provide the Services
• Backing up Customer Personal Data

h. The Company agrees that the Service, the Security Measures described in Exhibit B, and the Data Processor's commitments under this Agreement are adequate to meet the Company's needs, including with respect to any security obligations of the Company under applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data. Accordingly, to the fullest extent permitted by law, the Company releases and will defend, indemnify, and hold harmless CouldAI from any claim, fine, or loss arising out of the Company's failure to implement or maintain the security controls under this Section.

i. The Company shall indemnify and hold harmless CouldAI against any third-party claim, regulatory investigation, or fine arising from (a) the Company's provision of Prohibited Data identified in Section 4.3, (b) the Company's failure to obtain a valid legal basis for Processing, or (c) any instructions that infringe Applicable Law.

j. The Company shall give CouldAI at least thirty (30) days' prior written notice of any change in its processing activities that is likely to increase the risk to Data Subjects or materially alter the categories or volume of Customer Personal Data.

13. Service Data

a. The Company acknowledges and agrees that the Data Processor may collect, use and disclose Service Data for its own business purposes, such as for accounting, tax, billing, audit, and compliance purposes; to provide, improve, develop, optimize and maintain the Services; to investigate fraud, spam, wrongful or unlawful use of the Services; training or tuning proprietary machine-learning models used to deliver the Services; and/or as otherwise permitted or required by applicable law.

b. In respect of any such Processing described in Section 13(a), the Data Processor:

• Independently determines the purposes and means of such Processing
• Shall comply with applicable Data Protection Laws (if and as applicable in the context)
• Where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than the Security Measures

c. For the avoidance of doubt, Service Data is not "Customer Personal Data" and the obligations set out in this DPA do not apply to CouldAI's Processing of Service Data. The Data Processor may retain Service Data for as long as it has a legitimate business need, may disclose Service Data to its Affiliates and Sub-processors for the purposes set out in Section 13(a), and may create, commercialize, and publish anonymized, aggregated, or de-identified data from Service Data, provided that such data does not identify the Company or any individual Data Subject. The Data Processor warrants that any de-identification will meet the standard for "de-identified data" under the CPRA and comparable laws.

d. The Company acknowledges that no royalty, fee, or other remuneration is due for CouldAI's Processing of Service Data under this Section 13, and the Company has no right to opt out of such Processing so long as it remains a customer of the Services.

14. Indemnity

The Company shall defend, indemnify and hold harmless CouldAI and its affiliates from any third-party claim, investigation, fine, loss, or reasonable legal cost that arises from (i) the Company's instructions or configurations, (ii) failure to secure a lawful basis or required consents, (iii) provision of Prohibited Data, or (iv) any breach of this DPA or applicable data-protection laws. CouldAI will give prompt written notice and reasonable cooperation; the Company may control the defense but may not settle any matter that admits fault or imposes non-monetary obligations on CouldAI without CouldAI's prior written consent.

15. Miscellaneous

a. In the event of inconsistencies between the provisions of this Agreement and the Service Agreement, the provisions of this Agreement shall prevail.

b. If any provision of this Agreement is held invalid or unenforceable, the remaining provisions will remain in full force, and the Parties shall replace the invalid provision with a valid one that most closely reflects the Parties' original intent.

c. No amendment or modification of this Agreement shall be valid or binding unless made in writing and duly executed by authorized representatives of both Parties, except that CouldAI may update this Agreement as reasonably necessary to comply with changes in Applicable Data Protection Laws by giving at least thirty (30) days' written notice. If the Company objects in writing within that period and the Parties cannot reconcile the objection, either Party may terminate the affected Services without penalty.

d. The Parties agree that this Agreement constitutes the entire understanding between the Parties with respect to the subject matter hereof and supersedes all prior agreements or understandings, whether written or oral.

e. The exchange of Customer Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.

f. The Data Processor may on notice vary this Agreement to the extent that (acting reasonably) it considers necessary to address the requirements of applicable Data Protection Laws from time to time.

g. To the maximum extent permitted by Applicable Law, the total aggregate liability of CouldAI arising out of or in connection with this DPA (including its Annexes), whether in contract, tort (including negligence), strict liability, indemnity or otherwise, shall under no circumstances exceed the lower of: (a) any aggregate liability cap or limitation set out in the Service Agreement; or (b) an amount equal to the fees actually paid and payable by Customer to CouldAI under the Service Agreement during the twelve (12) month period immediately preceding the event first giving rise to liability. In no event shall either Party be liable to the other for any loss of profits, revenue, goodwill, business interruption, loss or corruption of data, or for any indirect, special, incidental, punitive, exemplary, or consequential damages of any kind, even if advised of the possibility of such loss or damage and regardless of the theory of liability. The foregoing limitations and exclusions apply (i) in the aggregate across this DPA and the Service Agreement, (ii) irrespective of the number or nature of claims, and (iii) notwithstanding any failure of essential purpose of any limited remedy. Nothing in this Section limits or excludes liability that cannot be limited or excluded under Applicable Law.

ANNEX I: DETAILS OF PROCESSING

This Annex I provides a standardized description of the processing activities carried out by the CouldAI Incorporated. ("CouldAI") on behalf of Data Exporter ("Controller/Company") in accordance with Applicable Data Protection Laws.

A. LIST OF PARTIES

Data Exporter:

Name: [___________________________]

Address: [_________________________]

Contact: [__________________________]

Role: Controller

Data Importer:

Name: CouldAI Incorporated

Contact: [email protected]

Role: Processor

Nature and Purpose of Processing: The Data Processor will process Personal Data as necessary to perform the Services under the Service Agreement, specifically for providing AI-powered software development services, including managing code repositories, project data, user interactions, and development workflows to enhance application development and deployment services.

Duration of Processing: For the duration of the Service Agreement and for a period 180 days after termination to allow for secure deletion or return of data, unless longer retention is required by law.

Categories of Data Subjects:

• Developers and engineers using the Company's services
• Project managers and team leaders
• Employees, contractors, and agents of the Company who use the services
• Third-party collaborators and contributors
• End users of applications developed using the platform

Categories of Personal Data:

• User account information (names, email addresses, usernames)
• Authentication credentials and access tokens
• Code repositories and version control data
• Project metadata and configuration data
• Development activity logs and timestamps
• Collaboration and communication data
• API usage data and analytics
• Any other data provided during use of the development platform

Special Categories of Data (if applicable): none anticipated; Controller agrees not to provide such data.

Processing Operations: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.

Frequency of transfer: Ongoing – as initiated by the Company in and through its use, or use on its behalf, of the Services.

Recipients / onward transfers: Sub-processors listed in Annex IV of this Agreement

Competent Supervisory Authority: For transfers originating in the EEA, the competent supervisory authority shall be the Irish Data Protection Commission.

ANNEX II: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

This Annex sets forth the technical and organizational security measures implemented and maintained by the Processor to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and any other unlawful form of processing. These measures are designed to ensure a level of security appropriate to the risks presented by the processing, consistent with the nature of the personal data and the obligations under Applicable Data Protection Laws. The Processor shall regularly assess, test, and update these measures to address evolving threats and comply with legal and contractual requirements.

1. Measures for pseudonymization and encryption of personal data

• Encryption of all Personal Data at rest using AES-256 encryption
• TLS 1.3 or higher for all data in transit
• Pseudonymization of datasets where feasible for processing purposes
• Encrypted storage of sensitive authentication credentials

2. Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services

• Role-based access control systems with least privilege principles
• Multi-factor authentication for all administrative access
• Redundant infrastructure with high availability configurations
• Regular security assessments and penetration testing
• Container isolation for multi-tenant environments
• Code scanning and vulnerability detection systems

3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

• Continuous backups of all production datastores
• Real-time replication to geographically distributed locations
• Regular testing of backup restoration procedures
• Documented and tested disaster recovery procedures
• Recovery time objective (RTO) of less than 4 hours
• Recovery point objective (RPO) of less than 1 hour

4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures

• Annual third-party security audits (SOC 2 Type 2)
• Quarterly internal security reviews
• Continuous monitoring of security systems and logs
• Automated vulnerability scanning and management
• Regular security training for all personnel

5. Measures for user identification and authorization

• Unique user IDs for all personnel
• Multi-factor authentication for system access
• OAuth 2.0 and SAML support for single sign-on
• Regular access rights review process
• Automated provisioning/de-provisioning procedures
• Session management and timeout controls

6. Measures for protecting data during transmission

• TLS 1.3 or higher for all data transmission
• Certificate pinning for mobile applications
• Secure file transfer protocols (SFTP/SCP)
• VPN for remote administrative access
• API security with OAuth 2.0 authentication
• Web Application Firewall (WAF) protection

7. Measures for protecting data during storage

• Database encryption with key management
• Secure storage architecture with data segregation
• Encrypted file systems
• Secure deletion procedures using data wiping
• Hardware security modules (HSM) for key storage

8. Measures for ensuring physical security

• SOC 2 certified data center facilities
• 24/7 physical security personnel
• Biometric access controls
• Environmental controls (fire suppression, cooling, power)
• Video surveillance with 90-day retention
• Secure disposal of hardware

9. Measures for events logging

• Centralized logging of all system events
• Tamper-proof audit logs with integrity verification
• Real-time monitoring of security-relevant events
• Log retention policies (minimum 1 year)
• SIEM integration for threat detection
• Automated alerting for suspicious activities

10. Measures for ensuring data minimization

• Data collection limited to specified purposes
• Automated data retention enforcement
• Regular data cleansing procedures
• Privacy by design principles in system development
• Data anonymization capabilities
• User-controlled data export and deletion

11. Organizational management

• Dedicated security team with CISSP/CISA certifications
• Information Security Management System (ISMS)
• Regular risk assessments and threat modeling
• Change management with security review gates
• 24/7 incident response team
• Vendor security assessment program
• Security awareness training program
• Background checks for all personnel with data access
• Non-disclosure agreements for all staff and contractors

12. Development security

• Secure software development lifecycle (SSDLC)
• Code review requirements for all changes
• Static and dynamic application security testing
• Dependency scanning and management
• Container security scanning
• Infrastructure as code security reviews

By using CouldAI's services, the Company agrees to be bound by the terms of this Data Processing Agreement.

Annex III: EU Standard Contractual Clauses (Module 2: Controller to Processor)

SCCs (Module 3) per Decision (EU) 2021/914 are incorporated.

Section I: Purpose and Scope

• Ensure GDPR compliance for third-country transfers.
• Apply to Annex I processing.

Section II: Obligations of the Parties

Data Exporter (Controller): Provide lawful, documented instructions and ensure accuracy and legal basis for processing.

Data Importer (Processor): Shall process personal data only as instructed by the Controller, maintain technical and organizational safeguards per Annex II, and notify the Controller within five (5) business days of any instruction it reasonably believes is unlawful.

Data Subject Rights: Both Parties shall assist each other in responding to access, deletion, and other data subject requests within thirty (30) days, and promptly (within five (5) business days) forward any request received directly from a data subject.

Sub-processors: Both Parties may engage Sub-processors under general authorization, must provide ten (10) business days' notice of changes, and ensure all Sub-processors are bound by equivalent contractual and SCC-based data protection obligations.

Security: Both parties must implement and regularly update security measures described in Annex II and notify the other Party of any actual or suspected personal data breach within seventy-two (72) hours.

Sensitive Data: Both Parties shall apply strong encryption and strict access controls to sensitive data (e.g., financial, or account-related information), ensuring access is limited only to authorized personnel.

Compliance: Both Parties shall maintain records of processing, make them available upon request, and allow audits or assessments per Section 4.9 to verify compliance with this DPA and applicable laws.

Section III: Local Laws

• Data Importer warrants local laws (e.g., FISA 702) allow GDPR compliance.
• Use supplementary measures (e.g., encryption).
• Notify the Controller within five business days of legal changes.

Section IV: Final Provisions

• Governing Law: Irish law.
• Forum: Dublin courts.
• Termination: Data Exporter may terminate for Data Importer's breach, with data return/deletion per Section 4.8.

Annex IV: Sub-processor List

ANNEX IV: LIST OF SUB-PROCESSORS

The controller has authorized the use of the following sub-processors:

Name of Sub-processor	Description of Processing	Location of Processing
Google Cloud Platform (GCP)	Cloud infrastructure for customer applications and databases (Cloud SQL, Firestore, App Engine)	United States
OpenAI	AI/ML processing of customer prompts, generated code, and AI interactions	United States
Anthropic	AI/ML processing of customer prompts, generated code, and AI interactions (Claude)	United States
Google Gemini	AI/ML processing of customer AI prompts and responses	United States
Supabase	Database and authentication services for customer data and user authentication	United States
GitHub	Code repository hosting for customer source code and potentially customer data in repositories	United States
Cloudflare	Content delivery network services, caching of customer web content	United States, United Kingdom, Belgium
Sentry	Error monitoring service processing application errors that may contain customer data	United States

Note: This list includes only third-party service providers that process personal data on behalf of the data importer. Internal business tools that do not process customer data are excluded.

UK International Data-Transfer Addendum

(to the EU Commission Standard Contractual Clauses 2021/914)

Version B1.0 – in force 21 March 2022

Effective Date: _______________________

Part 1 – Addendum Details

1. Parties

Data Exporter (Controller)
Name: _____________________
Address: ________________________________
Contact: Privacy / Legal – [email + telephone]
Activities relevant to the transfer: provision of Customer Personal Data to CouldAI for hosting, collaboration-platform and related support services
Role: Controller

Data Importer (Processor)
Name: CouldAI, Inc.
Contact: Data Protection Officer – [email protected]
Activities relevant to the transfer: processing Customer Personal Data to supply the CouldAI developer-experience platform and ancillary services
Role: Processor

2. Selected SCC Options

• The Addendum attaches to the EU Commission Standard Contractual Clauses (EU 2021/914) entered into by the Parties on the Effective Date.
• Modules used: Module 2 (Controller → Processor)
• Clause 7 Docking: Included.
• Clause 9(a) Sub-processors: Option 2 – prior notice with a five (5) business-day objection period.
• Clause 11 Redress: Not included.
• Clause 17 Governing law: Irish law.
• Clause 18 Forum: Courts of Ireland.

3. Appendix Information References

• Annex I (A-B) – Parties and Description of Transfer: Annex A to the CouldAI DPA (as updated).
• Annex I (C) – Supervisory Authority: Irish Data Protection Commission.
• Annex II – Technical & Organizational Measures: Annex B to the CouldAI DPA (as updated).
• Sub-processor List: See Annex IV of this Agreement.

4. Addendum Update Settings

• Party that may terminate under Section 19: Data Exporter.
• Notice period to terminate: 30 days.
• SCC version referenced: EU 2021/914.
• Automatic application of future revised UK Addendum versions: Yes – a revised Addendum published by the ICO will apply automatically unless the Exporter terminates within the 30-day notice period stated above.

Part 2 – Mandatory Clauses

The Mandatory Clauses of the UK International Data-Transfer Addendum issued by the UK ICO under s. 119A DPA 2018 (Version B1.0, 21 March 2022) are incorporated in full and form part of this Addendum.

Part 3 – Additional Clauses

(None – intentionally left blank.)

Swiss Addendum to the EU Standard Contractual Clauses

(Adapting the Clauses to the revised Swiss Federal Act on Data Protection, in force 1 September 2023)

Parties and Scope. This Addendum applies solely to transfers of personal data that are subject to Swiss law.

Data Exporter (Controller)
Name: [COMPANY LEGAL NAME]
Address: [COMPANY ADDRESS]
Contact: Privacy / Legal – [email + telephone]

Data Importer (Processor)
Name: CouldAI, Inc.
Contact: Data Protection Officer – [email protected]

Incorporation of the EU SCCs. The text of the Commission Implementing Decision (EU) 2021/914, Module 2 for Controller-to-Processor transfers, is incorporated verbatim except as modified below. Throughout the Clauses, references to "EU", "Member State", "Union law", "GDPR", or "supervisory authority" are read as references to Switzerland, Swiss law, the revised Federal Act on Data Protection ("rev-FADP"), and the Swiss Federal Data Protection and Information Commissioner ("FDPIC") respectively. The term personal data includes sensitive personal data as defined in article 5 rev-FADP.

Clause-specific modifications.

• Clause 13 (Supervision): the competent authority is the FDPIC.
• Clause 17 (Governing law): replace with "These Clauses are governed by Swiss law."
• Clause 18 (Forum): replace with "Disputes are subject to the ordinary courts of Zurich, Switzerland. Data subjects may also sue in their habitual residence in Switzerland."
• Clause 14 and Annex I-C (Local laws): the transfer-impact assessment must consider Swiss law and any foreign legislation applicable to the importer that could undermine the protection guaranteed by the rev-FADP.
• Clause 16 (Termination): on termination the importer shall return or delete data in accordance with Section 10 of the attached DPA.

Updates and supplementary measures. The importer will maintain the supplementary technical and organizational measures described in Annex II of the DPA and adjust them if Swiss authorities or courts require stronger protection.

Precedence. In the event of conflict, Swiss mandatory law prevails, followed (in descending order) by this Swiss Addendum, the EU SCCs, and the main DPA or Service Agreement.

Execution and entry into force. This Swiss Addendum is deemed signed by the parties on the Effective Date of the DPA and takes effect immediately for all transfers of personal data subject to the rev-FADP.