Data Processing Agreement

This DPA governs the processing of Personal Data by IKARUSHOLDS LLC on behalf of the Customer in connection with the Texterz.ai platform ("Services").

The subject matter, nature, purpose, and duration of processing are described in Annex I below.

The Processor shall process Personal Data only:

• On documented instructions from the Controller
• As necessary to provide the Services
• As required by applicable law

The Processor ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

The Processor implements appropriate technical and organizational measures including:

• Encryption of all data in transit (TLS 1.3, mutual TLS between services) and at rest (AES-256)
• Per-tenant database isolation
• Access controls with least-privilege principles
• Audit logging for all write operations
• Regular security assessments

The Controller provides general written authorization for the Processor to engage the Sub-Processors listed in Annex II by executing this DPA. The Processor shall notify the Controller of any changes to Sub-Processors in accordance with Section 4.4.

The Processor shall impose equivalent data protection obligations on Sub-Processors and remain liable for their compliance.

Upon request, the Processor shall assist the Controller in responding to Data Subject requests including:

• Right of Access (Art. 15 GDPR)
• Right to Erasure (Art. 17 GDPR)
• Right to Rectification (Art. 16 GDPR)
• Right to Restriction (Art. 18 GDPR)
• Right to Portability (Art. 20 GDPR)
• Right to Object (Art. 21 GDPR)

The Processor shall notify the Controller without undue delay (within 72 hours of becoming aware) in the event of a Personal Data breach, providing:

• Nature of the breach
• Categories and approximate number of Data Subjects and records affected
• Likely consequences
• Measures taken or proposed

The Processor shall assist the Controller with DPIAs where required by applicable law, and with prior consultation of supervisory authorities under Art. 36 GDPR where applicable.

Upon reasonable written request with at least 30 days advance notice and no more than once per calendar year, the Controller may request an audit or inspection of the Processor's data handling practices. The Processor may satisfy this obligation by providing a written summary of security measures, recent penetration test results (if available) or a third-party audit report. On-site inspections require mutual agreement on scope, timing and confidentiality. The Controller shall bear its own costs for any audit.

Upon termination of the Services, the Processor shall, at the Controller's choice:

• Delete all Personal Data and certify deletion, or
• Return all Personal Data in machine-readable format (JSON)

Deletion shall be completed within 30 days of termination. Backup systems may retain encrypted copies for up to an additional 60 days due to automated retention cycles, after which they are permanently purged.

The Processor utilizes infrastructure providers with data center locations in the European Union and the United States. The Processor implements encryption in transit (TLS 1.3) and at rest (AES-256) for all Personal Data regardless of processing location.

Where Personal Data is transferred to Sub-Processors in the United States, such transfers are governed by Standard Contractual Clauses (SCCs) pursuant to Commission Decision 2021/914/EU, Module 3 (Processor to Processor).

Canadian Data Subjects (PIPEDA): The Controller acknowledges that data may be processed outside of Canada. The Processor will disclose the purpose, nature, and location of such transfers upon request.

The Processor shall notify the Controller of any material changes to Sub-Processors with at least 14 days advance notice. If the Controller objects to a new Sub-Processor within 7 days of notification, the parties shall discuss the concern in good faith.

This DPA is effective from the date of signing and remains in force for the duration of the Services Agreement.

Either Party may terminate this DPA in case of material breach, upon 30 days written notice if the breach is not remedied.

Each Party shall be liable for damages caused to the other Party due to breach of this DPA, subject to the limitations set forth in the Terms of Service.

Where both Parties are responsible for damage to a Data Subject, liability shall be apportioned according to each Party's degree of fault.

The commercial Controller-Processor relationship under this DPA is governed by the laws of Florida, USA.

The Standard Contractual Clauses (Section 4.2) and all obligations arising under EU GDPR are governed by the laws of Ireland. This governing law applies to the interpretation, performance, and enforcement of the SCCs regardless of Section 7.1.

Obligations arising under Canadian PIPEDA are governed by the applicable Canadian federal and provincial privacy laws.

End User messages are routed through the Processor's infrastructure to third-party LLM providers (Sub-Processors listed in Annex II) for AI-generated responses, then delivered back to the End User via the originating channel.

What is sent to LLM providers:

• End User message content (text only)
• Controller's system prompt and bot configuration
• Conversation history (for context, configurable retention)

What is NOT sent to LLM providers:

• End User phone numbers, email addresses, or other identifiers (stripped before processing)
• Encrypted credentials
• Billing or payment information
• Data from other tenants