Launching March 1, 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") governs the processing of personal data by Infinized on behalf of the Customer in connection with the Infinized AI Control Plane.

Last updated: February 12, 2026

1. Introduction & Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Controller

The Customer ("Controller") who has entered into a service agreement with Infinized for the use of the Infinized AI Control Plane.

Data Processor

Infinized B.V., a company registered in the Netherlands (KVK: 88526461, VAT: NL864668788B01), with contact address at contact@infinized.com ("Processor").

This DPA supplements and forms part of the Infinized Terms of Service ("Agreement") and applies to the extent that Infinized processes Personal Data on behalf of the Customer in the course of providing the Platform services. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

This DPA is designed to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"), and specifically Article 28 thereof.

2. Definitions

Unless otherwise defined herein, capitalised terms shall have the meanings given to them in Article 4 of the GDPR. The following definitions apply throughout this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4(2) of the GDPR.
  • "Controller" means the natural or legal person which determines the purposes and means of the Processing of Personal Data, as defined in Article 4(7) of the GDPR.
  • "Processor" means the natural or legal person which processes Personal Data on behalf of the Controller, as defined in Article 4(8) of the GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed, as defined in Article 4(12) of the GDPR.
  • "Platform" means the Infinized AI Control Plane, including the Agent Builder, Model Gateway, Governance Engine, Runtime Manager, and associated APIs and services.
  • "BYOK" means "Bring Your Own Key," a feature allowing Customers to use their own API keys for third-party AI model providers.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.

3. Scope & Purpose of Processing

The Processor shall process Personal Data solely for the purpose of providing the Platform services to the Controller, as described in the Agreement. The scope of processing includes:

  • Receiving, routing, and processing AI agent requests through the Model Gateway.
  • Storing and managing conversation data, agent configurations, and associated metadata.
  • Executing governance policies, including audit logging and compliance reporting.
  • Providing the Agent Builder, Runtime Manager, and related tooling services.
  • Generating usage analytics, billing records, and performance metrics.
  • Providing technical support and incident resolution.

The Processor shall not process Personal Data for any purpose other than those specified in this DPA and the Agreement, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4. Types of Personal Data Processed

The categories of Personal Data processed under this DPA depend on the Controller's use of the Platform and may include:

Conversation Data

Messages, prompts, and responses exchanged between end users and AI agents, which may contain Personal Data as determined by the Controller's use case.

User Identifiers

Names, email addresses, user IDs, IP addresses, and authentication tokens of the Controller's team members and, where applicable, end users.

Usage Metadata

Timestamps, session identifiers, agent identifiers, model selection data, token counts, and API call metadata.

Configuration Data

Agent configurations, policy definitions, project settings, and organizational preferences that may reference individuals.

The Controller is responsible for ensuring that Personal Data submitted to the Platform is lawfully collected and that the Controller has a valid legal basis for processing under Article 6 of the GDPR. The Controller shall not submit special categories of Personal Data (Article 9 GDPR) to the Platform unless explicitly agreed upon in writing with the Processor.

5. Data Subjects

The Data Subjects whose Personal Data may be processed under this DPA include:

  • Controller's end users: Individuals who interact with the Controller's AI agents deployed on the Platform, including customers, clients, and members of the public.
  • Controller's employees and contractors: Individuals who access the Platform on behalf of the Controller, including administrators, developers, and support staff.
  • Third parties: Individuals whose Personal Data may be included in conversation data or agent inputs by the Controller or its end users.

The specific categories of Data Subjects are determined by the Controller's use of the Platform and the nature of the data submitted.

6. Duration of Processing

The Processor shall process Personal Data for the duration of the Agreement, unless otherwise agreed in writing. Upon termination or expiration of the Agreement, the Processor shall, at the Controller's election:

  • Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or
  • Delete all Personal Data and existing copies, unless European Union or Member State law requires storage of the Personal Data.

The Controller must make its election within thirty (30) days of termination. If no election is made, the Processor shall delete all Personal Data within ninety (90) days of termination, subject to applicable legal retention obligations.

During the term of the Agreement, the Controller may configure data retention periods per project through the Platform's governance settings. The Processor shall automatically delete data in accordance with the Controller's configured retention policies.

7. Obligations of the Processor

In accordance with Article 28 of the GDPR, the Processor undertakes the following obligations:

7.1 Processing on Documented Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or Member State law. The Agreement and this DPA constitute the Controller's documented instructions. Additional instructions may be provided in writing and must be agreed upon by both parties.

7.2 Confidentiality

The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform the services under the Agreement.

7.3 Security Measures

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are detailed in Section 11 of this DPA.

7.4 Assistance with Data Subject Requests

The Processor shall assist the Controller, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR. This includes requests for access, rectification, erasure, restriction of processing, data portability, and the right to object.

The Platform provides self-service tools for data export and deletion. Where automated tools are insufficient, the Processor shall respond to Controller requests within ten (10) business days.

7.5 Assistance with Data Protection Impact Assessments

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 35 and 36 of the GDPR (Data Protection Impact Assessments and prior consultation with supervisory authorities), taking into account the nature of processing and the information available to the Processor.

7.6 Deletion or Return of Data

At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless European Union or Member State law requires storage of the Personal Data. See Section 6 for details on the data return and deletion process.

7.7 Information and Audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. See Section 12 for audit rights and procedures.

8. Sub-processors

8.1 General Authorisation

The Controller provides general written authorisation to the Processor to engage Sub-processors for the provision of the Platform services, subject to the conditions set out in this Section.

8.2 Current Sub-processors

The following categories of Sub-processors are engaged by the Processor:

Sub-processor | Purpose | Location
OpenAI | AI model inference (when selected by Controller) | United States
Anthropic | AI model inference (when selected by Controller) | United States
Mistral AI | AI model inference (when selected by Controller) | European Union (France)
Google (Vertex AI) | AI model inference (when selected by Controller) | European Union (configurable)
Infrastructure Providers | Cloud hosting, compute, storage, and networking | European Union

BYOK (Bring Your Own Key) Notice

When the Controller uses the BYOK feature to provide their own API keys for third-party AI model providers, data flows directly to those providers under the Controller's own agreement with them. In this scenario, Infinized acts as a technical intermediary that routes the request, and the Controller maintains a direct data processing relationship with the AI provider. The Controller is responsible for ensuring that their agreement with the AI provider includes appropriate data protection provisions.

8.3 Notification of Changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes. The Processor shall provide at least thirty (30) days' advance notice before engaging a new Sub-processor.

If the Controller objects to a new Sub-processor on reasonable data protection grounds, the Processor shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is available, the Controller may terminate the affected services without penalty.

8.4 Sub-processor Obligations

The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

9. International Transfers

The Processor's primary infrastructure is located within the European Union. Personal Data is stored and processed within the EU by default.

Where the Controller selects AI model providers located outside the European Economic Area (e.g., OpenAI or Anthropic in the United States), Personal Data may be transferred to those providers for the purpose of model inference. Such transfers are governed by:

  • Standard Contractual Clauses (SCCs): The Processor ensures that appropriate Standard Contractual Clauses, as adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR, are in place with each Sub-processor located outside the EEA.
  • Adequacy decisions: Where the European Commission has issued an adequacy decision for the recipient country under Article 45 of the GDPR, transfers may rely on such decision.
  • Supplementary measures: Where required by the assessment of the legal framework of the recipient country, the Processor implements supplementary technical and organisational measures, including encryption in transit and at rest, to ensure an essentially equivalent level of protection.

The Controller may restrict model routing to EU-based providers only (e.g., Mistral AI) through the Platform's governance policies, thereby avoiding international data transfers for model inference entirely.

When using BYOK, the Controller is responsible for ensuring that their direct relationship with the AI provider includes appropriate transfer mechanisms for any international data transfers.

10. Data Breach Notification

In accordance with Article 33 of the GDPR, the Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Data Breach affecting the Controller's Personal Data.

10.1 Notification Content

The breach notification shall include, to the extent available:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
  • The name and contact details of the Processor's data protection contact point.
  • A description of the likely consequences of the Data Breach.
  • A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.

10.2 Cooperation

The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach. The Processor shall not inform any third party of a Data Breach without first obtaining the Controller's written consent, unless required by European Union or Member State law.

10.3 Documentation

The Processor shall document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, in accordance with Article 33(5) of the GDPR.

11. Security Measures

In accordance with Article 32 of the GDPR, the Processor implements the following technical and organisational measures to ensure a level of security appropriate to the risk:

11.1 Encryption

  • Encryption at rest: All Personal Data is encrypted at rest using AES-256 encryption. This includes database storage, file storage, and backups.
  • Encryption in transit: All data in transit is protected using TLS 1.3. No plaintext communication is permitted at any layer of the Platform infrastructure.
  • Key management: Encryption keys are managed using dedicated key management services with automatic key rotation. API keys provided by the Controller (including BYOK keys) are encrypted with per-tenant encryption keys and are never stored in plaintext.

11.2 Access Controls

  • Authentication: Multi-factor authentication is enforced for all administrative access to the Platform infrastructure.
  • Role-based access control: Access to Personal Data is restricted based on the principle of least privilege. Personnel are granted access only to the data necessary for their role.
  • Access logging: All access to Personal Data is logged and monitored. Logs are retained for a minimum of twelve (12) months.

11.3 Tenant Isolation

  • Organisation scoping: All data is scoped to the Controller's organisation. Cross-organisation data access is architecturally prevented.
  • Project isolation: Within an organisation, projects provide additional data boundaries for agents and conversations.
  • Runtime isolation: Enterprise customers receive dedicated VM-based runtimes with no shared compute resources.

11.4 Infrastructure Security

  • Network security: Web Application Firewall (WAF), DDoS protection, and network segmentation are implemented across all infrastructure.
  • Vulnerability management: Regular vulnerability scanning and penetration testing are conducted. Critical vulnerabilities are patched within 24 hours of identification.
  • Backup and recovery: Encrypted backups are stored in separate EU availability zones. Recovery procedures are tested regularly.

11.5 Organisational Measures

  • Staff training: All personnel with access to Personal Data receive regular data protection training.
  • Confidentiality agreements: All personnel are bound by confidentiality obligations.
  • Incident response: A documented incident response plan is maintained and tested at least annually.
  • Business continuity: Business continuity and disaster recovery plans are maintained and tested regularly.

12. Audit Rights

In accordance with Article 28(3)(h) of the GDPR, the Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

12.1 Audit Procedure

  • The Controller shall provide at least thirty (30) days' written notice of an audit request.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
  • The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.
  • The auditor shall be bound by appropriate confidentiality obligations.

12.2 Certifications and Reports

The Processor may satisfy audit requests by providing:

  • Relevant certifications (e.g., SOC 2 Type II, ISO 27001) obtained from independent third-party auditors.
  • Summary audit reports or compliance attestations.
  • Responses to reasonable written questionnaires from the Controller.

Where the Processor provides a current third-party audit report or certification that addresses the Controller's audit requirements, the Controller shall accept such report or certification in lieu of an on-site audit, unless the Controller has reasonable grounds to believe that the report or certification is insufficient.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside of or contrary to the Controller's lawful instructions, in accordance with Article 82 of the GDPR.

The Controller shall be liable for damage caused by processing which infringes the GDPR, including where the Controller has given unlawful instructions to the Processor.

Where both the Controller and the Processor are involved in the same processing and are responsible for any damage caused by that processing, each party shall be held liable for the entire damage in order to ensure effective compensation of the Data Subject, in accordance with Article 82(4) of the GDPR. Where a party has paid full compensation for the damage suffered, that party shall be entitled to claim back from the other party that part of the compensation corresponding to the other party's share of responsibility.

14. Term & Termination

This DPA shall commence on the date the Controller first accesses or uses the Platform and shall remain in effect for the duration of the Agreement.

This DPA shall automatically terminate upon termination or expiration of the Agreement. However, the Processor's obligations under this DPA shall continue for as long as the Processor retains any Personal Data processed on behalf of the Controller.

14.1 Effect of Termination

Upon termination of this DPA:

  • The Processor shall comply with the data return and deletion obligations set out in Section 6.
  • The Processor shall provide the Controller with a written certification of deletion upon request, confirming that all Personal Data has been deleted in accordance with this DPA.
  • Sections relating to confidentiality, liability, and audit rights shall survive termination.

14.2 Amendments

This DPA may be amended only by a written instrument signed by both parties. The Processor may update this DPA to reflect changes in applicable data protection law, provided that such updates do not materially diminish the level of protection afforded to Personal Data. The Processor shall notify the Controller of any material changes at least thirty (30) days in advance.

14.3 Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of laws provisions. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands.

Questions about this DPA?

If you have questions about this Data Processing Agreement, need a signed copy, or wish to discuss custom data protection arrangements for your organization, please contact us.

Infinized B.V. — KVK: 88526461