This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between Troopr Labs, Inc., a Delaware corporation (“Company” or “Processor”), and the entity accepting the Agreement (“Customer” or “Controller”). This DPA applies to the extent Company processes Personal Data on behalf of Customer in connection with the Platform Services (Troopr, Enjo, and OrgLogic). This DPA does not apply to Professional Services engagements, which are governed by the applicable Statement of Work.
By accessing or using the Platform Services, Customer accepts this DPA as part of the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing and protection of Personal Data. Capitalized terms not defined herein have the meanings given in the Agreement.
1. Definitions
“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Data Protection Act, US State Privacy Laws (including the California Consumer Privacy Act as amended by the CPRA), and any implementing legislation.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Company.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Company on behalf of Customer in connection with the Platform Services. For the avoidance of doubt, Personal Data is a subset of Customer Data as defined in the Agreement.
“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.
“SCCs” means the Standard Contractual Clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), or any successor clauses adopted by the European Commission.
“Sub-processor” means any third party engaged by Company to process Personal Data on behalf of Customer.
2. Scope and Roles
2.1 Roles
Customer is the Controller (or, where Customer itself acts as a processor for a third-party controller, the initial Processor) and Company is the Processor (or Sub-processor, as applicable) of Personal Data under this DPA.
2.2 Scope
This DPA applies solely to the processing of Personal Data by Company in the course of providing the Platform Services. The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Annex 1.
2.3 Instructions
Company shall process Personal Data only on the documented instructions of Customer, including as set forth in this DPA and the Agreement, unless required to do so by applicable law, in which case Company shall inform Customer of such legal requirement before processing (unless prohibited by law).
3. Company Obligations
3.1 Confidentiality
Company shall ensure that all personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality.
3.2 Security
Company shall implement and maintain appropriate technical and organizational measures to protect Personal Data, as described in Annex 2. These measures include, at a minimum, AES-256 encryption at rest and in transit, role-based access controls, audit logging, and SOC 2 Type II and ISO 27001 certified information security management systems.
3.3 No Training
Company shall not use Personal Data to train, fine-tune, or improve any artificial intelligence or machine learning models. Personal Data transmitted to third-party AI model providers is processed solely for the purpose of generating responses in connection with the Platform Services and is subject to agreements prohibiting such providers from using Personal Data for model training.
3.4 Data Minimization
Company shall process only the minimum Personal Data necessary to perform the Platform Services and shall not process Personal Data for any purpose other than as specified in this DPA and the Agreement.
4. Sub-processors
4.1 General Authorization
Customer provides a general written authorization for Company to engage Sub-processors to process Personal Data. The current list of Sub-processors is set forth in Annex 3 and is available at trooprlabs.com/sub-processors.
4.2 Notification
Company shall notify Customer at least thirty (30) days before engaging any new Sub-processor or replacing an existing Sub-processor. Notification shall be provided via email to the address associated with Customer’s account or via the mechanism specified in the Agreement.
4.3 Objection Right
Customer may object to a new Sub-processor on reasonable data-protection grounds by providing written notice to Company within fifteen (15) days of receiving notification. The parties shall negotiate in good faith to resolve the objection. If no resolution is reached within thirty (30) days, Customer may terminate the affected Platform Service subscription and receive a pro-rata refund of prepaid, unused fees.
4.4 Sub-processor Obligations
Company shall impose on each Sub-processor data protection obligations no less protective than those set forth in this DPA and shall remain liable for the acts and omissions of its Sub-processors.
5. International Data Transfers
5.1 Data Hosting
Customer Data is hosted on Amazon Web Services (AWS) infrastructure. Company offers data residency in US and EU regions, as specified in the applicable Order Form.
5.2 Transfer Mechanisms
To the extent Personal Data is transferred from the EEA, UK, or Switzerland to a jurisdiction that does not provide an adequate level of data protection, the parties agree that such transfers shall be governed by the SCCs (referenced in Annex 4), supplemented by the UK International Data Transfer Addendum where applicable. Upon Company’s certification under the EU-US Data Privacy Framework, the Data Privacy Framework shall serve as the primary transfer mechanism for transfers to the United States, with the SCCs as a fallback.
5.3 Transfer Impact Assessment
Company has conducted a transfer impact assessment and shall make available to Customer, upon request, a summary of such assessment relevant to the Personal Data being transferred.
6. Data Breach Notification
6.1 Notification
Company shall notify Customer without undue delay after becoming aware of a Data Breach affecting Personal Data. Notification shall include, to the extent reasonably available: (a) the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the Data Breach; and (c) the measures taken or proposed to address the Data Breach and mitigate its effects.
6.2 Cooperation
Company shall cooperate with Customer and provide reasonable assistance to enable Customer to meet its breach notification obligations under Applicable Data Protection Law.
6.3 Limitations
Company’s notification of a Data Breach shall not be construed as an acknowledgment of fault or liability.
7. Data Subject Rights
7.1 Assistance
Company shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures to fulfill Customer’s obligations to respond to Data Subject requests exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
7.2 Referral
If Company receives a Data Subject request directly, Company shall promptly redirect the Data Subject to Customer and notify Customer, unless prohibited by applicable law.
8. Audit and Compliance
8.1 Audit Reports
Company shall make available to Customer, upon written request and no more than once per twelve-month period, copies of its then-current SOC 2 Type II report and ISO 27001 certificate (or equivalent third-party audit reports). Customer agrees that these reports shall satisfy Customer’s audit rights under Article 28(3)(h) of the GDPR and equivalent provisions of other Applicable Data Protection Law.
8.2 Additional Information
Company shall provide reasonable additional information necessary to demonstrate compliance with this DPA upon Customer’s written request. Such information shall be treated as Company’s Confidential Information under the Agreement.
8.3 Regulatory Audits
To the extent a supervisory authority requires an audit that cannot be satisfied by the reports described in Section 8.1, Company shall cooperate with such audit, subject to reasonable advance notice and confidentiality protections.
9. Data Deletion and Return
9.1 Upon Termination
Upon termination or expiration of the Agreement, Company shall, at Customer’s election, return or delete all Personal Data in its possession or control, in accordance with Section 5.6 of the Agreement (30-day export window, followed by deletion within 90 days), except to the extent applicable law requires continued storage.
9.2 Certification
Upon Customer’s written request, Company shall provide written confirmation that Personal Data has been deleted in accordance with this Section 9.
10. AI-Specific Provisions
Supplemental provisions for AI-powered features in the Platform Services.
10.1 LLM Provider Controls
Personal Data transmitted to third-party LLM providers (as listed in Annex 3) is sent via API and is not retained by such providers beyond the time necessary to process the request and generate a response. Company maintains Data Processing Agreements with all LLM providers prohibiting the use of Personal Data for model training.
10.2 PII Redaction
Where enabled by Customer, the Platform Services apply automatic PII detection and masking before transmitting data to LLM providers. PII redaction operates on a best-efforts basis. Customer acknowledges that no automated redaction system guarantees complete removal of all Personal Data.
10.3 Vector Embeddings
Where Customer enables RAG-based features, documents are converted into vector embeddings stored on Company’s AWS infrastructure. Vector embeddings are derived numerical representations of document content rather than copies of the source text, and are treated as Customer Data subject to the technical and organizational measures in Annex 2. Because embeddings can retain information about the documents from which they were generated, Company does not represent that embeddings cannot be used to infer such content.
10.4 AI Interaction Logs
AI interaction logs (prompts and responses) may be retained for quality monitoring, debugging, and audit purposes. Customer may configure retention periods or request that AI interaction logging be disabled through admin settings.
11. CCPA and US State Privacy Laws
To the extent the California Consumer Privacy Act (as amended by the CPRA) or other US State Privacy Laws apply to Company’s processing of Personal Data on behalf of Customer:
11.1 Service Provider Status
Company is a “Service Provider” (as defined under the CCPA) with respect to Personal Data and shall not: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than performing the Platform Services as specified in the Agreement; or (c) combine Personal Data with personal information received from or on behalf of another person, except as permitted by the CCPA.
11.2 Compliance Certification
Company certifies that it understands its obligations under the CCPA and US State Privacy Laws and shall comply with them.
11.3 Sub-contractor Flow-Down
Company shall ensure that any Sub-processor processing Personal Data subject to the CCPA is bound by obligations consistent with the requirements applicable to Service Providers.
12. Liability
The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. This DPA does not modify the liability caps or carve-outs established in the Agreement.
13. Term
This DPA shall remain in effect for the duration of the Agreement. Obligations relating to confidentiality, data deletion, and Company’s processing of any retained Personal Data shall survive termination of this DPA until all Personal Data has been deleted or returned in accordance with Section 9.
14. General
14.1 Amendments
Company may update this DPA by posting revised terms at trooprlabs.com/dpa and providing at least thirty (30) days’ prior written notice. The amendment provisions of Section 18.1 of the Agreement apply.
14.2 Governing Law
This DPA is governed by the laws specified in the Agreement (State of Delaware), without prejudice to any mandatory data protection laws applicable to the processing of Personal Data.
14.3 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
14.4 Entire DPA
This DPA, together with its Annexes, constitutes the complete agreement between the parties regarding data processing and supersedes all prior data processing agreements or addenda between the parties.
Annex 1: Details of Processing
Element | Description
Annex 2: Technical and Organizational Measures
Measure | Description
Annex 3: Sub-processors
Sub-processor | Purpose | Location
Note: LLM providers process data solely via API. They do not retain prompts or responses beyond the time necessary to process each request and do not use Customer Data for model training.
Annex 4: Standard Contractual Clauses
Clause | Selection
