Data Processing Addendum

Noir Stack LLC

A Virginia Limited Liability Company

Effective Date: January 1, 2024

Last Updated: January 1, 2026

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms and Conditions and any applicable Order Form or Master Services Agreement (collectively, the "Agreement") between Noir Stack LLC ("Processor," "Company," or "Noir Stack") and the customer entity ("Controller" or "Customer").

This DPA governs the processing of Personal Data by the Company on behalf of the Customer.

1. Definitions

For purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable individual
  • "Processing" means any operation performed on Personal Data (e.g., collection, storage, use, disclosure)
  • "Controller" means the entity determining the purposes and means of processing
  • "Processor" means the entity processing Personal Data on behalf of the Controller
  • "Applicable Law" includes relevant U.S. federal and state privacy laws, including the Virginia Consumer Data Protection Act

2. Scope and Roles

The parties acknowledge that:

  • The Customer acts as the Controller of Personal Data
  • Noir Stack acts as the Processor (or service provider)

Processing will be performed solely to provide the Services in accordance with the Agreement and documented instructions from the Customer.

3. Nature and Purpose of Processing

Processing activities may include:

  • Storage and hosting of Customer Data
  • Transmission and retrieval of data
  • Organization, structuring, and indexing
  • Analytics, computation, and transformation
  • AI-assisted processing and inference

The purpose of processing is limited to delivering, maintaining, and securing the Services.

4. Categories of Data Subjects and Data

A. Data Subjects

May include:

  • Customer employees, contractors, and agents
  • End users and authorized users
  • Business contacts

B. Categories of Personal Data

May include:

  • Contact information (e.g., name, email)
  • Account identifiers
  • Usage and system interaction data
  • Content submitted by the Customer

The Customer determines the scope and type of Personal Data submitted.

5. Processor Obligations

The Company shall:

  • Process Personal Data only on documented instructions from the Customer
  • Not sell Personal Data
  • Not retain, use, or disclose Personal Data for purposes outside the Agreement
  • Implement reasonable administrative, technical, and organizational safeguards
  • Ensure personnel are bound by confidentiality obligations
  • Limit access to authorized personnel

6. Security Measures

The Company implements safeguards consistent with industry practices, including:

  • Encryption in transit (TLS)
  • Encryption at rest where applicable
  • Access controls and authentication mechanisms
  • Logging and monitoring
  • Incident response procedures

Security measures are aligned with principles consistent with SOC 2 Trust Services Criteria.

7. Subprocessors

The Customer authorizes the Company to engage subprocessors as necessary to provide the Services.

The Company shall:

  • Use commercially reasonable efforts to select reliable subprocessors
  • Impose data protection obligations consistent with this DPA
  • Remain responsible for subprocessor performance

A list of subprocessors may be provided upon request or maintained separately.

8. Data Subject Rights

To the extent required under Applicable Law, the Company shall:

  • Assist the Customer in responding to data subject requests
  • Provide reasonable cooperation to enable compliance

The Customer remains responsible for responding to such requests.

9. Data Breach Notification

In the event of a confirmed breach of Personal Data, the Company shall:

  • Notify the Customer without undue delay
  • Provide available information regarding the nature and scope of the breach
  • Take reasonable steps to mitigate and remediate the incident

Notification obligations are subject to Applicable Law, including Virginia requirements.

10. Data Retention and Deletion

Upon termination or expiration of the Agreement, the Company shall:

  • Delete or return Personal Data, at the Customer's election, where feasible
  • Retain data only as required by law or for legitimate operational purposes

Backup systems may retain data for a limited period consistent with standard practices.

11. Confidentiality

The Company shall ensure that all personnel authorized to process Personal Data:

  • Are subject to confidentiality obligations
  • Access data only as necessary to perform their duties

12. Audits and Assessments

Upon reasonable request, the Company may provide:

  • Documentation describing security practices
  • Evidence of compliance with applicable standards

Formal audits may be subject to:

  • Reasonable notice
  • Confidentiality obligations
  • Limitations to protect other customers and system integrity

13. International Data Transfers

If Personal Data is transferred outside the United States, the Company shall implement appropriate safeguards consistent with Applicable Law and contractual obligations.

14. AI and Automated Processing

Where AI-enabled systems are used:

  • Processing is performed to deliver requested functionality
  • The Company does not use Customer Personal Data to train third-party public models unless expressly agreed
  • The Customer remains responsible for determining lawful use of AI outputs

15. Liability

Liability related to data protection shall be governed by the limitation of liability provisions set forth in the Agreement.

16. Term

This DPA remains in effect for the duration of the Agreement and for as long as the Company processes Personal Data on behalf of the Customer.

17. Order of Precedence

In the event of a conflict:

  • This DPA governs with respect to data protection matters
  • The Agreement governs all other matters

18. Governing Law

This DPA shall be governed by the laws of the Commonwealth of Virginia, unless otherwise required by Applicable Law.

19. Execution

This DPA may be executed by reference in an Order Form, Master Services Agreement, or through electronic acceptance.
