Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement (the "Agreement") between Feanor Services LLC ("Feanor", "Processor") and the customer identified in the relevant order form or that has otherwise accepted the Agreement ("Customer", "Controller") for the provision of the Feanor service ("Service"). This DPA reflects the parties' agreement on the processing of Personal Data by Feanor on behalf of Customer in accordance with applicable Data Protection Laws.

1. Parties and scope

This DPA applies to the processing of Personal Data by Feanor on Customer's behalf in connection with the Service. To the extent of any conflict between the Agreement and this DPA, this DPA controls with respect to the processing of Personal Data.

2. Definitions

Capitalised terms used and not otherwise defined have the meanings given in the Agreement or applicable Data Protection Laws.

• "Data Protection Laws" means all laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR ("UK Data Protection Laws"), the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable US state privacy laws.
• "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach" and "Sub-processor" have the meanings given in GDPR; in respect of US state laws, equivalent terms (such as "Business", "Service Provider", "Consumer", "Sale" and "Share") have the meanings given in those laws.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
• "UK IDTA" means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner.

3. Roles and processing

For Personal Data within Customer Data: Customer is the Controller (or, where Customer acts as a Processor for a third-party Controller, Customer warrants that it is authorised to instruct Feanor on the third-party Controller's behalf), and Feanor is the Processor. Feanor will process Personal Data only as a Processor on documented instructions from Customer, including with regard to international transfers, except where required to do otherwise by applicable law (in which case Feanor will inform Customer unless that law prohibits notification on important grounds of public interest).

Under CCPA/CPRA, Feanor is a Service Provider acting on behalf of Customer (the Business). Feanor will not (a) sell or share Personal Data, (b) retain, use or disclose Personal Data outside the direct business relationship between the parties or for a purpose other than providing the Service or as otherwise permitted by CCPA/CPRA, or (c) combine Personal Data with personal information received from other sources, except as expressly permitted by CCPA/CPRA. Feanor certifies that it understands and will comply with these restrictions.

4. Customer instructions

Customer's complete and final instructions regarding processing are set out in this DPA, the Agreement and Customer's use of the Service. Customer instructs Feanor to process Personal Data as necessary to (i) provide and secure the Service, (ii) comply with reasonable instructions communicated through the Service or in writing, and (iii) comply with applicable law. Customer is responsible for ensuring that its instructions, and the data it submits, comply with applicable Data Protection Laws.

5. Confidentiality of personnel

Feanor will ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and have received adequate privacy and security training.

6. Security measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Feanor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures are described in Annex II. Customer acknowledges that these measures are subject to technical progress and development, and Feanor may update them provided the level of security is not materially decreased.

7. Sub-processors

Customer provides general authorisation for Feanor to engage Sub-processors, subject to this section. Feanor:

• maintains a current list of Sub-processors in Annex III;
• imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA;
• remains liable for the acts and omissions of its Sub-processors to the same extent as for its own; and
• provides at least 30 days' notice of any new or replacement Sub-processor by updating Annex III or by other reasonable means. Customer may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, Customer may terminate the affected portion of the Service in accordance with the Agreement.

8. Data subject rights and assistance

Taking into account the nature of the processing, Feanor will assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws (including access, rectification, erasure, restriction, portability, objection and rights regarding automated decision-making). If Feanor receives such a request directly from a Data Subject, it will, without responding on the substance, promptly forward the request to Customer.

9. Personal data breach

Feanor will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will include the information reasonably available to Feanor that Customer needs to comply with its own breach-notification obligations. Feanor will take reasonable steps to investigate and mitigate the breach and will keep Customer informed of material developments.

10. DPIAs and prior consultation

To the extent required by applicable Data Protection Laws, Feanor will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the information available to Feanor.

11. Return and deletion

On termination of the Agreement, Feanor will, at Customer's choice, delete or return all Personal Data processed on Customer's behalf, and delete existing copies, unless retention is required by applicable law. Standard back-up retention applies and is subject to ongoing protection under this DPA until eventual deletion in the ordinary course.

12. Audits

Feanor will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including summaries of independent third-party audit reports (where available). On reasonable prior written notice, no more than once per year (and more frequently if required by Data Protection Laws or following a confirmed Personal Data Breach), Customer or its independent auditor (subject to confidentiality undertakings and excluding competitors of Feanor) may conduct an audit limited to the information necessary to verify compliance with this DPA, during business hours, in a manner that does not unreasonably disrupt Feanor's operations. The parties will discuss in good faith the scope, timing and reasonable costs of any such audit.

13. International transfers

Where Customer's transfer of Personal Data to Feanor (or Feanor's onward transfer to a Sub-processor) is a "restricted transfer" under Data Protection Laws, the parties agree that:

• The EU SCCs are incorporated by reference and form part of this DPA. Module Two (Controller to Processor) applies where Customer is a Controller. Module Three (Processor to Sub-processor) applies where Customer is itself a Processor and Feanor is acting on behalf of a third-party Controller. The optional docking clause in Clause 7 applies. Clause 9(a), Option 2 (general written authorisation for Sub-processors) applies, with notice period of 30 days. Clause 11(a) optional language is not selected. Clause 17 is governed by the law of Ireland. Clause 18 venue is the courts of Ireland. Annexes I, II and III correspond to Annex I, Annex II and Annex III below.
• For transfers subject to UK Data Protection Laws, the UK IDTA is incorporated by reference, with the EU SCCs (as completed above) as the "Approved EU SCCs" and the information required by the UK IDTA populated from this DPA and the Agreement.
• For transfers subject to the Swiss FADP, the EU SCCs apply with the modifications described in the FADP guidance issued by the Swiss FDPIC, including reading references to GDPR as references to the FADP and recognising the FDPIC as the competent supervisory authority for Swiss-only transfers.

Feanor will implement supplementary measures, where necessary, to ensure that the level of protection guaranteed by Data Protection Laws is not undermined.

14. Miscellaneous

If a court or supervisory authority finds any provision of this DPA to be invalid or unenforceable, the remaining provisions remain in effect. The provisions of the Agreement on liability, governing law and disputes apply to this DPA. Where the SCCs apply and conflict with this DPA, the SCCs prevail.

Annex I — Processing details

A. List of parties

Data exporter (Controller): Customer, as identified in the Agreement.
Data importer (Processor): Feanor Services LLC, New Mexico, United States. Contact: [email protected].

B. Description of transfer

Categories of data subjects	Customer's authorised users; individuals whose Personal Data appears in Customer's connected sources, such as employees, contractors, customers, prospects and counterparties.
Categories of personal data	Identifiers (name, work email, role, employer); communications content where authorised by Customer (messages, tickets, documents, calendar metadata); usage and log data; account credentials. Customer controls which sources are connected and which fields are ingested.
Sensitive data	Not requested by Feanor. If sensitive categories appear in Customer-connected sources, Customer is responsible for applying redaction or exclusion controls provided by the Service.
Frequency of transfer	Continuous, on a near-real-time basis.
Nature of processing	Ingestion, normalisation, structuring, storage, indexing, generation of skill files and audit metadata, and provision of the Service to Customer.
Purpose of processing	To enable Customer to operate the Service and produce executable skill files for use by Customer's authorised AI systems.
Retention period	For the term of the Agreement, plus the periods described in section 11 of this DPA. Specific retention may be configured by Customer.
Sub-processor transfers	For each Sub-processor in Annex III: the same subject matter, nature, purpose, categories of data subjects and personal data, frequency and retention as set out above, limited to what is necessary for the Sub-processor's role.

C. Competent supervisory authority

For EU SCCs Module Two/Three: where Customer is established in an EU Member State, the supervisory authority of that Member State; where Customer is not established in the EU but has appointed an Article 27 representative, the supervisory authority of the Member State where the representative is established; otherwise, the Irish Data Protection Commission.

Annex II — Technical and organisational security measures

Feanor implements measures appropriate to the risk, including:

• Pseudonymisation and encryption: encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent) for Personal Data stored in production systems. Pseudonymisation of identifiers where appropriate.
• Confidentiality, integrity, availability and resilience: production systems hosted in reputable cloud environments; logical separation of customer data; redundant infrastructure; monitoring and alerting on availability and integrity.
• Restoration: regular automated back-ups with documented restore procedures, tested periodically.
• Testing and evaluation: regular vulnerability scanning, periodic penetration testing, security code review, and review of organisational measures.
• Access control: role-based access; least-privilege principle; multi-factor authentication for administrative access; centralised identity management; audit logs for access to production systems.
• Network security: firewalls, segmentation, secrets management, hardened build pipelines, infrastructure-as-code review.
• Application security: secure-by-default configurations, dependency scanning, security review of changes affecting Personal Data.
• Personnel: background checks where lawful and appropriate; written confidentiality obligations; security and privacy training on hire and periodically thereafter.
• Vendor management: due diligence on Sub-processors; contractual data-protection commitments; periodic review.
• Incident response: documented incident-response plan, on-call rotation, breach-notification procedures aligned with this DPA.
• Privacy by design: data-minimisation reviews, redaction controls, and configurable retention.
• Physical security: reliance on the physical security controls of the cloud providers identified in Annex III.

The current list of measures is maintained internally and updated as the Service evolves. A summary is available on request from [email protected].

Annex III — Sub-processors

The current list of authorised Sub-processors used to provide the Service is available on request from [email protected]. Each Sub-processor is engaged for a defined purpose (such as cloud hosting, error monitoring, customer support, communications, or analytics), is bound by written contract, and is subject to the obligations of section 7 of this DPA. Feanor will provide notice of changes to this list as set out in section 7.