Data Processing Agreement
GDPR Article 28-compliant Data Processing Agreement between Grasperly Sp. z o.o. (Processor) and the customer (Controller). Forms part of the Terms of Service.
English is the binding text · Polish is provided for convenience
This Data Processing Agreement (the "DPA") is entered into between Grasperly Sp. z o.o., with registered office at ul. Tczewska 4a/78, 01-674 Warszawa, Poland (KRS 0001238012, NIP 7152366483) ("Processor" or "Grasperly"), and the legal person identified in the applicable Order Form ("Controller" or "Customer"), each a "Party" and together the "Parties".
Recitals.
(A) The Parties have entered into the Terms of Service (the "Principal Agreement") under which the Processor provides the Grasperly Platform to the Controller.
(B) In providing the Platform, the Processor processes personal data on behalf of the Controller within the meaning of Regulation (EU) 2016/679 (the "GDPR").
(C) The Parties wish to ensure that the processing complies with Article 28 of the GDPR and other applicable data-protection laws of the European Union and the Republic of Poland.
(D) The Parties agree this DPA. The DPA forms an integral part of the Principal Agreement. In the event of any conflict between the Principal Agreement and this DPA in relation to the processing of personal data, this DPA prevails.
1. Definitions
Capitalised terms used but not defined in this DPA have the meaning given in the Principal Agreement or, where applicable, in the GDPR.
"Customer Personal Data" means personal data within Customer Data that is processed by the Processor on behalf of the Controller under the Principal Agreement.
"Data Subject" has the meaning given in Article 4(1) of the GDPR.
"Personal Data Breach" has the meaning given in Article 4(12) of the GDPR.
"Processing" has the meaning given in Article 4(2) of the GDPR.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission under Article 46(2)(c) of the GDPR, as amended from time to time.
"Sub-processor" means any third party engaged by the Processor to process Customer Personal Data, including affiliates of the Processor.
2. Subject matter, roles, and instructions
The subject matter, nature, purpose, duration of processing, the types of Customer Personal Data, and the categories of Data Subjects are set out in Schedule 1 to this DPA.
In respect of Customer Personal Data, the Controller is the controller and the Processor is the processor within the meaning of Article 4(7) and (8) of the GDPR. Where the Customer is itself a processor on behalf of an underlying controller, the Processor acts as sub-processor and these terms apply on a back-to-back basis.
The Processor will process Customer Personal Data only on documented instructions from the Controller, including with regard to transfers of Customer Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor will inform the Controller of that legal requirement before processing unless that law prohibits such information on important grounds of public interest.
The Controller's documented instructions to the Processor are set out in the Principal Agreement, in this DPA, and in the lawful use of the Platform's configuration controls. The Controller may issue further written instructions at any time. The Processor will inform the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other Union or Member State data-protection provisions.
3. No training on Customer Personal Data — Zero Data Retention
The Processor will not, and will procure that no Sub-processor will, use Customer Personal Data to train, fine-tune, evaluate, or improve any artificial intelligence model, nor for any other purpose other than the strict performance of the Principal Agreement.
The Processor contractually requires Zero Data Retention ("ZDR") from all Sub-processors that provide large-language-model inference. ZDR means that prompts, completions, and any related tool inputs or outputs are processed in-flight and are not retained or logged for human review by the Sub-processor beyond the time strictly necessary to return a response. Copies of the ZDR commitments and the contracts on which they sit are available to the Controller on request, subject to confidentiality protections.
This Section is a material term of this DPA. Breach of this Section is an uncured material breach for the purposes of Section 12 (Term and termination) of the Principal Agreement irrespective of the cure period in Section 9 (Warranties) of the Principal Agreement.
4. Confidentiality of personnel
The Processor will ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Confidentiality undertakings survive termination of the Principal Agreement.
Access to Customer Personal Data is granted on a least-privilege basis, with role-based access controls aligned to the Processor's documented access-management policy. Background checks are conducted on personnel with access to Customer Personal Data in accordance with applicable Polish labour and data-protection law.
5. Security of processing
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The technical and organisational measures implemented by the Processor are described in Schedule 3. The Processor operates to the controls of ISO/IEC 27001:2022 and the Trust Services Criteria of SOC 2 Type II, and has published a roadmap to formal certification at grasperly.com/trust.
The Processor will review Schedule 3 at least annually and may update it from time to time to reflect technological developments and the threat landscape, provided that the protections afforded to Customer Personal Data will not be materially reduced during a subscription term.
6. Sub-processors
The Controller hereby grants the Processor a general authorisation under Article 28(2) of the GDPR to engage Sub-processors for the processing of Customer Personal Data. The current list of authorised Sub-processors is published at grasperly.com/sub-processors ("Sub-processor List") and the initial Sub-processor List, as of the effective date of this DPA, is included in Schedule 2.
The Processor will inform the Controller of any intended addition or replacement of a Sub-processor at least thirty (30) days before that change takes effect, by email to the Controller's designated privacy contact and by updating the Sub-processor List. The Controller may object to the change on reasonable, documented data-protection grounds within thirty (30) days of the notice.
Where the Controller objects to a proposed Sub-processor, the Parties will discuss in good faith. If the Parties are unable to agree, the Controller may terminate the affected subscription on written notice; in such a case the Processor will refund any fees prepaid for the unused portion of the subscription term.
The Processor will ensure that each Sub-processor is bound by written terms imposing data-protection obligations on it that are at least as protective as those imposed on the Processor under this DPA, in line with Article 28(4) of the GDPR. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
7. Assistance with data-subject requests
Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR (Articles 15 to 22).
Where the Processor receives directly from a Data Subject a request relating to Customer Personal Data, the Processor will: (i) promptly notify the Controller; (ii) not respond to the request itself except to confirm receipt and direct the Data Subject to the Controller; and (iii) provide reasonable assistance to the Controller in responding.
The Processor makes available to the Controller, through the Platform's administrative interface or on request, the tools needed to exercise common rights (export of Customer Personal Data in a structured format, deletion of specific records, restriction of processing, and similar). Assistance with data-subject requests that is inherent in the operation of the Platform is provided without charge. Where the assistance required goes beyond what the Platform supports natively and requires significant additional engineering effort, the Processor will give the Controller advance written notice of the estimated reasonable cost; absent such prior notice no charge applies.
8. Personal Data Breach notification
The Processor will notify the Controller of a Personal Data Breach affecting Customer Personal Data without undue delay and in any case within thirty-six (36) hours of the Processor becoming aware of the breach. Notification will be made by email to the Controller's designated privacy contact and, where the Controller has appointed one, the Controller's data-protection officer.
The notification will include, to the extent then known: (i) the nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned; (ii) the likely consequences of the breach; (iii) the measures taken or proposed by the Processor to address the breach and mitigate possible adverse effects; and (iv) the contact point at the Processor from whom further information may be obtained.
Where the information cannot be provided at the same time, it may be provided in phases without undue delay. The Processor will provide reasonable assistance to the Controller in the Controller's obligation to notify the supervisory authority and Data Subjects under Articles 33 and 34 of the GDPR.
Notification under this Section is not, in itself, an acknowledgement by the Processor of fault or liability.
9. DPIA and prior consultation assistance
Taking into account the nature of processing and the information available to the Processor, the Processor will provide reasonable assistance to the Controller in: (i) carrying out data-protection impact assessments under Article 35 of the GDPR where the processing through the Platform is likely to result in a high risk to the rights and freedoms of natural persons; and (ii) consulting the supervisory authority under Article 36 of the GDPR.
The Processor will make available reference materials, including its security white paper, the Sub-processor List, and its incident-response summary, to support the Controller's DPIA process. Additional bespoke assistance is provided on commercially reasonable terms.
10. Audit rights
The Processor will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, in line with Article 28(3)(h) of the GDPR.
Standard audit means. The Processor's primary mechanism for demonstrating compliance is the summary security report that the Processor produces at least annually and that summarises the controls, audit findings, and remediation status. The Controller may request the latest summary security report at any time. Once a SOC 2 Type II report and ISO 27001 certificate are issued, those reports will substitute for the summary security report under appropriate confidentiality undertakings.
Bespoke audit. No more than once per calendar year (and additionally following a confirmed Personal Data Breach affecting the Controller's data), the Controller may conduct, or instruct an independent auditor bound by confidentiality to conduct, an on-site audit limited to the Processor's processing activities under this DPA. The Parties will agree the scope, timing, and methodology at least thirty (30) days in advance. The audit will not unreasonably interfere with the Processor's business and will not give access to data of other customers, source code, or other materials whose disclosure would create unjustified security risks. The Controller bears the costs of bespoke audits.
The Processor may charge the Controller a reasonable fee for personnel time required to support bespoke audits beyond two (2) person-days per audit.
11. International transfers
The Processor processes Customer Personal Data in the European Union (Frankfurt and Warsaw) by default. The Processor will not transfer Customer Personal Data outside the European Economic Area without the Controller's prior written instruction, except where such transfer is necessary for the lawful operation of the Platform configured by the Controller and the Controller has selected a non-EEA region or Sub-processor in the Order Form or Platform configuration.
Where a transfer outside the EEA is made, the Parties agree that the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 apply between them, with the Processor as data importer (Module 2 — controller to processor) or as data exporter onward to a non-EEA Sub-processor (Module 3 — processor to processor), in each case incorporated by reference into this DPA and completed as follows: (i) the optional docking clause in Clause 7 is included; (ii) Option 1 of Clause 9(a) is selected, with the thirty-day notice period in Section 6 of this DPA; (iii) the optional independent dispute-resolution body language in Clause 11(a) is not included; (iv) under Clause 17 the governing law is Polish law (an EU Member State law as required); (v) under Clause 18 the forum is the courts of the Republic of Poland competent for the Processor's registered office in Warsaw, without prejudice to data subjects' rights under Clause 18(c) to bring claims in the courts of their habitual residence; (vi) for Module 2, Annexes I, II, and III are completed by reference to Schedules 1, 3, and 2 of this DPA, respectively; (vii) for Module 3, Annexes I and II are completed by reference to Schedules 1 and 3 of this DPA, and the sub-processor onward-transfer obligations in Clause 9 are met by reference to the Sub-processor List published at grasperly.com/sub-processors.
Where the Court of Justice of the European Union or a competent supervisory authority requires supplementary measures for a particular transfer, the Parties will work together in good faith to implement them.
12. Return and deletion
On termination or expiry of the Principal Agreement, the Processor will, at the Controller's choice, return or delete all Customer Personal Data and copies of Customer Personal Data, unless Union or Member State law requires retention of the data.
Return is made available through the Platform's export functionality for a period of at least thirty (30) days after termination. Deletion is completed within forty-five (45) days after the later of (i) termination and (ii) the end of any export period requested by the Controller, except for back-up media on which Customer Personal Data is overwritten in the ordinary course of back-up rotation, in which case the data remains subject to the security measures in Schedule 3 until overwritten.
On request, the Processor will certify in writing that the deletion has been completed.
13. Liability and indemnification
Each Party's liability arising out of or in connection with this DPA is subject to the limitation of liability set out in Section 11 of the Principal Agreement, except for liability that cannot be excluded or limited by mandatory law, including liabilities directly imposed on a controller or processor by Article 82 of the GDPR.
Where both Parties are involved in the same processing and are, under Article 82(4) of the GDPR, jointly and severally liable, the Parties will apportion liability between themselves in accordance with their respective shares of responsibility. The Parties will cooperate in good faith in the defence of any claim, in particular by sharing information and aligning communications with regulators and Data Subjects.
14. General
Governing law and jurisdiction. This DPA is governed by the laws of the Republic of Poland. The courts of the Republic of Poland competent for the registered office of the Processor in Warsaw have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, subject to the SCC governing-law and forum provisions where applicable.
Language. This DPA is published in English and Polish. The English-language version is the binding text; the Polish-language version is a translation provided for convenience. In the event of any discrepancy, the English-language version prevails.
Updates. The Processor may update this DPA to reflect changes in applicable data-protection law or in the Sub-processor List. Material changes will be notified to the Controller at least thirty (30) days before they take effect. The Controller's continued use of the Platform after the effective date of an update constitutes acceptance, without prejudice to the Controller's right to terminate as set out in the Principal Agreement where the update is materially adverse to the Controller.
Counterparts. This DPA may be executed in counterparts, including by electronic signature, each of which is an original and all of which together constitute one instrument.
S1. Schedule 1 — Subject matter and details of processing
Subject matter: the provision of the Grasperly Platform as defined in the Principal Agreement.
Duration: the term of the Principal Agreement, plus the additional periods specified in Section 12 (Return and deletion) of this DPA.
Nature and purpose: processing by automated means of Customer Personal Data to provide legal-research, drafting, and analytical functionality to the Controller, including storage, retrieval, indexing, transformation, and AI-assisted generation of outputs.
Types of Customer Personal Data: identifiers and contact details (names, business email, business phone, role), professional information (employer, bar number where supplied), and any personal data contained within documents, prompts, queries, instructions, files, or other content uploaded to or generated through the Platform by the Controller or its Authorised Users. The Controller controls the scope and content of Customer Personal Data uploaded to the Platform.
Special categories: the Controller may upload data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, health, sex life, biometric or genetic data, or data concerning criminal convictions and offences. Such categories may appear in legal case material. The Processor's security measures in Schedule 3 are designed to be appropriate for such data, but the Controller remains responsible for the lawfulness of its processing under Articles 9 and 10 of the GDPR.
Categories of Data Subjects: clients of the Controller; opposing parties; counterparties; witnesses; experts; counsel of record; court personnel; employees and officers of the Controller; and any other natural person referenced in Customer Data.
S2. Schedule 2 — Initial Sub-processor List
The initial Sub-processor List as of the effective date of this DPA is:
- Amazon Web Services EMEA SARL (Luxembourg) — cloud hosting, application and database (Frankfurt eu-central-1; Warsaw eu-central-2). EU jurisdiction.
- Anthropic Ireland Limited (Ireland) — large-language-model inference (Claude family). Zero Data Retention. EU jurisdiction.
- Mistral AI SAS (France) — backup tier large-language-model inference. Zero Data Retention. EU jurisdiction.
- Plausible Insights OÜ (Estonia) — cookieless website analytics on grasperly.com. EU jurisdiction. (Note: Plausible does not process Customer Personal Data in the Platform; it analyses the marketing website only.)
- Resend Sp. z o.o. (Poland) — transactional email (password resets, invoices, notifications). EU jurisdiction.
Updates to this list are published on the Sub-processor page.
S3. Schedule 3 — Technical and organisational measures
The Processor implements and maintains the following measures, calibrated to the controls of ISO/IEC 27001:2022 (Annex A) and the SOC 2 Trust Services Criteria. The list is illustrative, not exhaustive, and is updated from time to time as set out in Section 5 of this DPA.
Information-security governance. Written information-security policy approved by management and reviewed at least annually. Documented risk-assessment methodology. Defined roles and responsibilities including a Head of Security accountable to the Board.
Access management. Centralised identity provider with single sign-on (SSO/SAML 2.0) available to Customers on Enterprise tier. Multi-factor authentication enforced for all personnel of the Processor with access to production systems. Role-based access control on a least-privilege basis. Quarterly access reviews. Immediate revocation on termination of employment.
Encryption. Customer Personal Data encrypted in transit using TLS 1.2 or higher (TLS 1.3 by default on all Processor-controlled endpoints). Customer Personal Data encrypted at rest using AES-256-GCM. Key management via cloud-provider KMS with customer-managed keys (CMK) available on Enterprise tier.
Network segregation. Multi-tenant production environment with logical isolation of Customer Personal Data at the tenant level. Separate networks for development, staging, and production. Production access restricted to a hardened bastion with audited session recording.
Secure development. Source-code management with mandatory peer review on all changes. Static and dynamic application-security testing in CI/CD. Dependency-vulnerability scanning. Annual third-party penetration testing of the Platform. Documented secure-development lifecycle.
Vulnerability management. Continuous vulnerability scanning. Documented remediation SLAs: critical vulnerabilities patched within forty-eight (48) hours; high within seven (7) days; medium within thirty (30) days; low within ninety (90) days. Subscription to threat-intelligence feeds.
Logging and monitoring. Application, infrastructure, and identity logs forwarded to a tamper-evident log store with twelve (12) months' retention. Twenty-four/seven security monitoring with documented playbooks for common alert classes.
Incident response. Documented incident-response plan with defined roles, RACI, and escalation paths. Annual tabletop exercises. Breach-notification process aligned with Section 8 of this DPA.
Business continuity. Documented business-continuity and disaster-recovery plans. Recovery time objective (RTO): twenty-four (24) hours. Recovery point objective (RPO): one (1) hour for the application database. Annual restoration test.
Personnel security. Background checks on new hires with access to Customer Personal Data, performed in line with applicable Polish labour and data-protection law. Annual security-awareness training. Confidentiality undertakings.
Physical security. Customer Personal Data is stored exclusively in AWS data centres certified to ISO 27001, ISO 27017, ISO 27018, and SOC 2 Type II. The Processor does not operate its own data centres.
Data minimisation and pseudonymisation. Default retention of audit logs limited to twelve (12) months. Pseudonymisation applied to test and pre-production environments.
Sub-processor management. All Sub-processors subject to a formal due-diligence process before engagement, contractually bound to data-protection obligations no less protective than this DPA, and re-assessed annually.
S4. Schedule 4 — SCC particulars
Where Section 11 of this DPA applies, the SCCs are completed by reference to this Schedule.
Annex I.A. List of Parties. Data exporter: the Controller as identified in the applicable Order Form, controller. Data importer: Grasperly Sp. z o.o., processor; contact privacy@grasperly.com.
Annex I.B. Description of transfer. As set out in Schedule 1.
Annex I.C. Competent supervisory authority. Where Module 2 applies and the Controller is established in the EU, the competent authority is the supervisory authority of the Controller's main establishment. Where the Controller is not established in the EU and has appointed an EU representative, the competent authority is the supervisory authority of the Member State of the representative. Otherwise, the competent authority is the President of the Personal Data Protection Office (UODO), Republic of Poland.
Annex II. Technical and organisational measures. As set out in Schedule 3.
Annex III. List of Sub-processors. As set out in Schedule 2 and on the Sub-processor page.