Data Processing Addendum
Last updated: 2026-05-24
Bottom line
This DPA governs how Deck-Agent processes personal data on your behalf when you use the Service. We follow the EU SCCs and the UK Addendum for international transfers, give 30 days' notice before adding subprocessors, notify you of breaches within 72 hours, and never train AI models on your content. The current subprocessor list, the technical and organizational measures, and the processing details are in the Annexes below.
This Data Processing Addendum ("DPA") applies when Deck-Agent, Inc. ("Processor") Processes Personal Data on behalf of a customer ("Controller") subject to the GDPR, UK GDPR, Swiss FADP, CCPA, or other Data Protection Laws. The DPA is incorporated into the Terms of Service by reference and applies automatically; no signature is required. Enterprise customers may request a counter-signed copy by emailing [email protected].
1. Scope and order of precedence
2. Definitions
- "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and the UK Data Protection Act 2018 ("UK DPL"), the Swiss Federal Act on Data Protection, and the California Consumer Privacy Act as amended by the CPRA ("CCPA").
- "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Personal Data Breach" have the meanings in GDPR Art. 4. For purposes of the CCPA, Processor acts as a "Service Provider" and Controller acts as a "Business."
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission in Decision (EU) 2021/914.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner's Office under section 119A of the UK DPL.
- "Subprocessor" means any third party engaged by Processor to Process Personal Data on behalf of Controller.
3. Roles and scope of Processing
4. Confidentiality
5. Security measures
6. Subprocessors
7. Assistance with Data Subject requests
8. Personal Data Breach notification
9. Data Protection Impact Assessments
10. International transfers
- The SCCs (Module 2 — Controller-to-Processor) are incorporated by reference and apply to such transfers, with Controller as "data exporter" and Processor as "data importer." Clause 7 (docking) is included; the optional wording in Clause 11(a) regarding independent dispute resolution is not selected; Clause 17 Option 1 is selected with the governing law of Ireland; Clause 18(b) designates the courts of Ireland. The Annexes to the SCCs are populated by Annexes I, II, and III of this DPA.
- For transfers subject to the UK GDPR, the UK Addendum is incorporated and applies in place of the SCCs as modified by the Addendum. For transfers subject to the Swiss FADP, references in the SCCs to the GDPR are read as references to the FADP, and references to EU supervisory authorities and courts are read as references to the Swiss FDPIC and courts.
- Processor will assess transfer impact in light of the standards described in EDPB Recommendations 01/2020 and will inform Controller if it can no longer comply with the SCCs.
11. Audits
- Controller may conduct one audit per calendar year on at least thirty (30) days' advance written notice, during normal business hours, with reasonable scope and duration, and without disrupting Processor's operations or the security or confidentiality of other customers' data.
- Where available, Processor will satisfy audit requests by providing current third-party reports and certifications (Processor does not yet hold SOC 2 attestation; once obtained, the SOC 2 Type II report will be made available under NDA in place of an on-site audit).
- Each party will bear its own costs; if an audit reveals material non-compliance attributable to Processor, Processor will reimburse Controller's reasonable, documented audit costs.
- Audits in regulated industries or by supervisory authorities are permitted as required by law on the timelines required by law.
12. Return or deletion on termination
13. CCPA terms
14. Liability
15. Term, modifications, and notices
[email protected]; notices to Controller go to the billing contact on file or as otherwise specified in the order form.
Annex I — Description of Processing
Categories of Data Subjects: Controller's authorized users, end-customers, employees, contractors, and any other natural persons whose Personal Data is included in briefs, voice recordings, transcripts, brand-kit assets, or other materials submitted to the Service.
Categories of Personal Data: identifiers (name, email, phone), authentication identifiers, billing contact details, audio recordings and transcripts of calls placed to Processor's voice number, brief content (which may include any information the Controller chooses to include), generated outputs, brand-kit assets, telemetry, IP addresses and device data, and support communications. Controller is responsible for ensuring it has a lawful basis for any special-category Personal Data it submits.
Sensitive Data: none required by the Service. Processor does not solicit or rely on sensitive Personal Data.
Frequency of transfer: continuous, on demand as the Service is used.
Nature and purpose of Processing: hosting, storage, transmission, transcription, generation of .pptx presentations, account and billing administration, support, security, and product analytics, as described in the Agreement and the Privacy Policy.
Duration: for the term of the Agreement and the retention periods described in the Privacy Policy.
Competent supervisory authority (for SCCs): where Controller is established in the EEA, its lead supervisory authority; otherwise, the Irish Data Protection Commission.
Annex II — Technical and Organizational Measures
- Encryption in transit: TLS 1.2 or higher for all external connections; mTLS or VPC-private traffic for internal service-to-service calls where supported.
- Encryption at rest: AES-256 on Tigris object storage (server-side encryption) and on Neon-managed Postgres volumes (AWS-managed KMS keys).
- Access control: single sign-on with multi-factor authentication required for all production access; role-based access control with least-privilege defaults; quarterly access reviews; immediate revocation on role change or departure.
- Tenant isolation: per-customer row-level scoping in shared databases; per-customer object-storage prefixes with bucket-policy enforcement.
- Audit logging: append-only audit log of every mutating action and every administrative access to Personal Data; retained for 12 months.
- Vulnerability management: continuous dependency, container, and code scanning; remediation SLAs by severity; third-party penetration testing on the product roadmap.
- Secure SDLC: code review for every change; required automated tests, type checking, and lint; secrets managed outside source control.
- Backups and recovery: encrypted backups retained for up to 35 days; documented restore procedures tested periodically.
- Incident response: on-call rotation, documented runbooks, post-incident reviews, customer notification process aligned with Section 8.
- Personnel: background checks proportionate to role for personnel with production access; written confidentiality obligations; annual security and privacy training.
- Physical security: all production infrastructure runs in audited cloud data centers operated by AWS, Cloudflare, and Fly.io, which provide physical security controls equivalent to ISO 27001 / SOC 2.
- Data minimization: retention schedules enforced automatically; deletion APIs available to Controller and to Data Subjects.
- No model training: Customer Content is not used to train or fine-tune machine-learning models; contractual prohibitions in place with model Subprocessors.
Annex III — Authorized Subprocessors
The following Subprocessors are authorized as of the date of this DPA. The current list is also maintained at /dpa.
- Anthropic, PBC (United States) — LLM that drafts deck content; receives brief text.
- ElevenLabs, Inc. (United States) — voice intake (speech-to-text and voice-agent runtime); receives call audio and transcripts.
- Clerk, Inc. (United States) — authentication and account management; receives email addresses and authentication identifiers.
- Stripe, Inc. (United States) — payments; receives billing details and card data.
- Twilio Inc. (United States) — voice numbers and SMS delivery; receives phone numbers and SMS content.
- Wildbit, LLC (Postmark) (United States) — transactional email; receives email addresses and message content.
- Svix, Inc. (United States) — webhook delivery; receives webhook payloads emitted to Controller endpoints.
- Cloudflare, Inc. (United States) — CDN, DNS, and edge security; processes traffic metadata and IP addresses.
- Fly.io, Inc. (United States) — compute hosting; processes Service traffic and ephemeral runtime state.
- Neon, Inc. (United States; AWS US-East) — managed Postgres; stores account, brief, deck, and billing records.
- Tigris Data, Inc. (United States; AWS) — S3-compatible object storage; stores .pptx files, audio recordings, and brand-kit assets.
Processor will notify Controller at least thirty (30) days before adding or replacing a Subprocessor, in accordance with Section 6.
Contact
For questions about this DPA, requests for the SCCs as a standalone document, or to request a counter-signed copy: [email protected].