Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the K2A Terms of Service or any separately executed master services agreement (the "Agreement") between K2A Solutions LLC ("K2A," "Service Provider," or "Processor") and the customer identified in the Agreement ("Customer," "Business," or "Controller"). It governs K2A's processing of personal information on Customer's behalf.
On this page
- Parties and roles
- Definitions
- Scope of processing
- Categories of personal information
- Categories of data subjects
- K2A's obligations as service provider
- CCPA service provider certification
- Prohibitions
- Sub-processors
- Assistance with requests
- Security measures
- Breach notification
- Return and deletion of personal information
- Audit rights
- International data transfers
- Liability
- Term and conflict
- Contact
1. Parties and roles
For the personal information processed under the Agreement, Customer is the "Business" (under the California Consumer Privacy Act, as amended) and the "Controller" (under the General Data Protection Regulation and equivalent laws). K2A is the "Service Provider" or "Processor" acting on Customer's documented instructions.
Customer represents and warrants that it has all rights and consents necessary to provide the personal information to K2A and to instruct K2A to process it as set out in the Agreement.
2. Definitions
Capitalized terms not defined here have the meanings given in the Agreement or in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA"), the General Data Protection Regulation ("GDPR"), or other applicable privacy law.
- "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, that Customer makes available to K2A under the Agreement.
- "Process" or "Processing" means any operation performed on Personal Information.
- "Sub-processor" means any third party engaged by K2A to Process Personal Information in connection with the Service.
- "Security Incident" means a confirmed unauthorized access, acquisition, disclosure, alteration, loss, or destruction of Personal Information processed by K2A.
3. Scope of processing
- Subject matter: K2A's provision of the Service as described in the Agreement.
- Duration: the term of the Agreement, plus any post-termination period required to return or delete data under Section 13 below.
- Nature: hosting, storing, transmitting, and processing Personal Information through the Service, including via large language model providers engaged as Sub-processors, in order to deliver the configured AI Operating System and consulting outputs.
- Purpose: to provide, maintain, and support the Service, to perform K2A's obligations under the Agreement, and to comply with applicable law.
- Customer instructions: the Agreement and this DPA constitute Customer's complete and final documented instructions to K2A. Additional instructions require written agreement.
4. Categories of personal information
K2A processes the following categories of Personal Information on Customer's behalf. The categories actually processed are determined by what Customer places into the Service:
- Identifiers (name, email, phone, business identifiers)
- Customer or contact records of Customer's customers and prospects
- Commercial information (transactions, services, billing)
- Internet or network activity associated with Customer's use of the Service
- Professional, employment, or business records that Customer chooses to place into the Service
- Communications content sent through the Service
- Inferences derived from any of the above
Customer is responsible for not placing categories of data into the Service that are out of scope for the Service or that the Service is not configured to handle (including protected health information, payment cardholder data, and other regulated categories not covered by an addendum).
5. Categories of data subjects
- Customer's employees, contractors, and other personnel
- Customer's customers, leads, and prospects
- Customer's vendors and partners
- Other individuals about whom Customer chooses to place Personal Information into the Service
6. K2A's obligations as service provider
K2A will:
- Process Personal Information only on Customer's documented instructions, including with regard to international transfers, unless required by applicable law (in which case K2A will notify Customer of that legal requirement before processing, unless the law prohibits notification on important grounds of public interest).
- Provide the same level of privacy protection for Personal Information as is required of Customer under applicable law.
- Promptly notify Customer if K2A determines it can no longer meet its obligations under applicable privacy law or this DPA.
- Reasonably cooperate with Customer in responding to verified consumer rights requests directed at Customer.
- Maintain appropriate technical and organizational measures consistent with Section 11 (Security measures).
7. CCPA service provider certification
K2A Solutions LLC certifies that it understands the restrictions set out in California Civil Code § 1798.140(ag) and elsewhere in the CCPA and its implementing regulations, and that it will comply with them.
8. Prohibitions
K2A will not:
- Sell the Personal Information, as "sell" is defined in the CCPA;
- Share the Personal Information for cross-context behavioral advertising, as "share" is defined in the CCPA;
- Retain, use, or disclose the Personal Information for any purpose other than the specific business purpose of providing the Service to Customer or as otherwise permitted by the CCPA;
- Retain, use, or disclose the Personal Information outside the direct business relationship between Customer and K2A;
- Combine the Personal Information that K2A receives from or on behalf of Customer with personal information that K2A receives from or on behalf of any other person, or that K2A collects from any other interaction, except as needed to perform a business purpose for which K2A has been engaged;
- Use the Personal Information to train artificial intelligence models that are made available to other K2A customers or to the public.
9. Sub-processors
Customer authorizes K2A to engage the Sub-processors listed on K2A's Security page (the "Sub-processor List") to Process Personal Information.
K2A will: (a) maintain a written agreement with each Sub-processor that imposes data protection obligations no less protective than those in this DPA; (b) remain responsible to Customer for the acts and omissions of its Sub-processors as if performed by K2A.
K2A will give Customer at least ten (10) business days' advance written notice (which may be by email or by updating the Sub-processor List with email notification) before engaging any new Sub-processor that will Process Personal Information. If Customer reasonably objects to a new Sub-processor on data-protection grounds within the notice period, K2A will work with Customer in good faith to find a workable solution; if no resolution is reached, Customer may terminate the affected portion of the Service without penalty by giving written notice.
10. Assistance with requests
Taking into account the nature of the processing and the information available to K2A, K2A will provide Customer with reasonable assistance, at Customer's expense, in:
- Responding to verified consumer requests to know, access, correct, delete, opt out, or otherwise exercise rights granted by applicable law;
- Complying with Customer's obligations to conduct data protection impact assessments and consult with regulators;
- Notifying affected individuals or regulators of a Security Incident affecting Personal Information.
11. Security measures
K2A maintains appropriate administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Personal Information. These measures are described in K2A's Security page, which is incorporated by reference and which K2A may update from time to time provided the updates do not materially diminish the level of protection.
K2A ensures that any K2A personnel authorized to access Personal Information are bound by written confidentiality obligations.
12. Breach notification
K2A will notify Customer of a confirmed Security Incident affecting Customer's Personal Information without undue delay and in any event within seventy-two (72) hours after K2A becomes aware of it. The notification will, to the extent then known, describe: the nature of the Security Incident, the categories and approximate number of records and individuals affected, K2A's contact for further information, the likely consequences of the Security Incident, and the measures K2A has taken or proposes to take to address it and mitigate its effects.
K2A will reasonably cooperate with Customer in any investigation, remediation, and notification effort.
13. Return and deletion of personal information
On termination or expiration of the Agreement, or at Customer's earlier written request, K2A will: (a) make Customer's Personal Information available for export by Customer for a period of thirty (30) days; and (b) thereafter delete or return the Personal Information within sixty (60) days, except for copies retained on routine backup media (which will be deleted on the standard backup rotation, typically within ninety (90) days) and copies K2A is required to retain by law. K2A will, on written request, certify in writing that deletion has been completed.
14. Audit rights
K2A will make available to Customer, on reasonable written request, the information reasonably necessary to demonstrate K2A's compliance with this DPA and applicable law. Customer may take reasonable and appropriate steps to ensure that K2A uses Personal Information consistent with Customer's obligations under applicable privacy law, and to stop and remediate any unauthorized use.
Customer's audit right is satisfied by K2A's response to a written security questionnaire and by K2A's provision of any third-party audit reports K2A then holds, no more than once per year except in connection with a Security Incident or a regulator request. Any on-site audit will be conducted only on at least thirty (30) days' written notice, during normal business hours, by a mutually agreed independent auditor bound by confidentiality, at Customer's expense, and in a manner that does not interfere with K2A's operations or compromise other customers' confidentiality.
15. International data transfers
K2A's customers are based in the United States. Personal Information is generally Processed in the United States by K2A's U.S.-based Sub-processors. Hosting may be located in Germany or the United States depending on the customer's tenant region.
If, in the future, Personal Information is transferred from a jurisdiction with international transfer restrictions (including the European Economic Area, the United Kingdom, or Switzerland), the parties will enter into the applicable Standard Contractual Clauses or other lawful transfer mechanism, which will be deemed incorporated into this DPA on execution.
16. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability to a data subject under applicable law where such limitation is prohibited.
17. Term and conflict
This DPA takes effect on Customer's acceptance of the Agreement and continues for the term of the Agreement and for any post-termination period required to return or delete Personal Information.
In the event of a conflict between this DPA and the body of the Agreement with respect to the Processing of Personal Information, this DPA controls.
18. Contact
For questions or to exercise rights under this DPA:
- Privacy: privacy@k2asolutions.com
- Security: security@k2asolutions.com
- Legal: legal@k2asolutions.com
K2A Solutions LLC, New York, NY