Data Processing Addendum

The DPA that governs Kauzio's processing of personal data on behalf of B2B customers.

Last updated · 12 May 2026

This Data Processing Addendum ("DPA") supplements the Kauzio Terms of Service and forms part of the agreement between Kauzio Ltd (the "Processor") and the customer (the "Controller") when Kauzio processes personal data on the Controller's behalf via Kauzio Pulse, Kauzio Decide or Kauzio Lumis.

1. Subject matter, duration, nature, purpose

Subject matter: processing of personal data uploaded by the Controller to deliver the Kauzio service.
Duration: for the term of the Controller's subscription, plus a deletion window of up to 30 days.
Nature & purpose: hosting, storage, AI inference, decision support, analytics on the Controller's instructions.
Categories of data subjects: Controller's employees, customers, suppliers, end-users as represented in uploaded datasets.
Categories of personal data: business contact details, transactional retail data, chat content, telemetry. No special categories.

2. Standard Contractual Clauses & UK IDTA

For transfers of personal data from the EEA, UK or Switzerland to a country without an adequacy decision, the parties incorporate by reference:

  • EU Commission Implementing Decision (EU) 2021/914, Module 2 (Controller-to-Processor) SCCs.
  • The UK ICO International Data Transfer Addendum to the EU SCCs, Version B1.0.
  • For Swiss data subjects, references to GDPR are read as references to the nFADP and the FDPIC as competent authority.

Optional clauses default as follows: docking clause (7): enabled; option 1 onward transfers: enabled subject to §3 below; supervisory authority: Controller's lead authority (or ICO for UK transfers).

3. Sub-processors

The Controller authorises Kauzio to engage the following sub-processors:

  • Amazon Web Services Inc.: hosting, database, object storage (eu-west-2, London).
  • Render Services Inc.: managed application hosting (US/EU regions).
  • Anthropic PBC: Claude AI inference (US).
  • OpenAI LLC: model inference (US).
  • Groq Inc.: low-latency inference (US).
  • Stripe Payments Europe Ltd.: payment processing (Ireland/US).
  • Plausible Insights OÜ: first-party analytics (EU).
  • Twilio SendGrid (or equivalent): transactional email delivery.

Kauzio will give the Controller at least 30 days' notice of any addition or replacement of a sub-processor by updating this page and notifying the Controller's admin email. The Controller may object on reasonable data-protection grounds; if the parties cannot agree, the Controller may terminate the affected service.

4. Security measures (Annex II of the SCCs)

  • TLS 1.3 in transit; AES-256 at rest.
  • Single-tenant logical isolation per Controller; per-row authorisation in the database.
  • Argon2/bcrypt password hashing; optional 2FA.
  • CSRF shield, strict CSP, HSTS, frame-ancestors none.
  • Least-privilege IAM for engineering access; access logged and reviewed.
  • Automated dependency & container scanning; rapid patch process.
  • Annual third-party penetration test (planned as customer base grows).
  • Encrypted, rolling 30-day backups.
  • Incident response procedure with 72-hour breach notification.

5. Audit rights

Once per calendar year, with 30 days' written notice and under reasonable confidentiality, the Controller may audit Kauzio's compliance with this DPA. Kauzio may satisfy this by providing recent independent assessment reports.

6. Data subject requests & breach notification

Kauzio will assist the Controller in responding to data-subject requests and will notify the Controller without undue delay (and within 72 hours where feasible) of any confirmed personal data breach affecting Controller data.

7. Deletion / return

On termination, Kauzio will delete Controller personal data within 30 days unless retention is required by law. A written deletion confirmation is available on request.

8. Signing & updates

This DPA is incorporated into the Kauzio agreement by reference. A counter-signed copy is available on request to privacy@kauzio.com.