Data Processing Addendum (DPA)

Effective date: June 30, 2025

Parties: Globizora Inc. (“Processor”) and the customer identified in the applicable order or agreement (“Controller”). This DPA forms part of the agreement between the parties.

1. Purpose and Scope

This DPA governs Processor’s processing of personal data on behalf of Controller in connection with the Services.

2. Roles and Instructions

Processor processes personal data only on documented instructions from Controller and will inform Controller if instructions conflict with law.

3. Security

Appropriate technical and organizational measures include encryption in transit and at rest, access control, logging/monitoring, backups and recovery, and vulnerability management.

4. Sub-processors

Processor may engage sub-processors under written contracts with protections no less protective than this DPA and remains responsible for their performance. A current list is available on request at privacy@globizora.com.

5. International Transfers

Where GDPR/UK GDPR applies, the EU Standard Contractual Clauses (C2P or P2P as applicable) and the UK Addendum are incorporated by reference with Globizora Inc. as importer in the United States.

6. Assistance

Processor will assist with data subject requests and obligations regarding security, breach notices, DPIAs, and regulator engagement.

7. Breach Notification

Processor will notify Controller without undue delay after becoming aware of a personal data breach.

8. Audits

Processor will make available information necessary to demonstrate compliance and allow audits on reasonable notice, subject to confidentiality and security requirements.

9. Return and Deletion

Upon termination, Processor will return or delete personal data at Controller’s choice, except where retention is required by law.

10. Liability and Precedence

Liability is subject to the limits in the underlying agreement. This DPA controls in the event of conflict regarding personal data processing.

Annex I – Details of Processing

• Subject matter: processing personal data to provide the Services.
• Duration: term of the agreement plus necessary retention.
• Nature and purpose: hosting, storage, transmission, analysis, model inference, logging, support.
• Types of data: identifiers (name, email), usage/device data, billing, and end-user content submitted by Controller.
• Data subjects: Controller’s employees, contractors, customers, and end users.
• Special categories: not intended; if processed, Controller ensures a lawful basis and notice.

Annex II – Security Measures (summary)

• Encryption in transit and at rest.
• Least-privilege access and MFA for administrative access.
• Network security, logging, and intrusion detection.
• Secure SDLC and vulnerability management.
• Backups, disaster recovery, and business continuity.
• Vendor risk management and sub-processor due diligence.