
Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Lakehouse42 and the Customer.

Last updated: January 15, 2026

1. Definitions

"Controller" means the natural or legal person which determines the purposes and means of the Processing of Personal Data.

"Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and any other applicable regulations.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.

"Processor" means the entity which processes Personal Data on behalf of the Controller.

"Sub-processor" means any Processor engaged by the Processor to assist in fulfilling its obligations.

2. Scope and Purpose

This DPA applies to the Processing of Personal Data by Lakehouse42 (the "Processor") on behalf of the Customer (the "Controller") in connection with the provision of the Services.

The purpose of Processing is to provide the knowledge management and search services as described in the Terms of Service, including document indexing, search, and AI-assisted retrieval.

3. Processing Details

Subject Matter: Knowledge management and search services

Duration: Duration of the Agreement

Nature & Purpose: Document processing, indexing, search, and AI-assisted retrieval

Categories of Data: Documents, user data, usage data

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure security
  • Assist the Controller in fulfilling data subject rights requests
  • Delete or return all Personal Data at the end of the service provision
  • Make available all information necessary to demonstrate compliance

5. Security Measures

The Processor implements and maintains the following security measures:

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Multi-factor authentication
  • Role-based access control
  • Regular security audits
  • SOC 2 compliance
  • Intrusion detection systems
  • 24/7 security monitoring

6. Sub-processors

The Controller authorizes the Processor to engage the following Sub-processors. The Processor will notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object.

Sub-processor            Location    Purpose
Amazon Web Services      USA/EU      Cloud infrastructure
Google Cloud Platform    USA/EU      Cloud infrastructure
Cloudflare               USA/EU      CDN and security
OpenAI                   USA         AI model processing
Stripe                   USA/EU      Payment processing
Sentry                   USA         Error monitoring

7. International Transfers

The Processor shall not transfer Personal Data outside the European Economic Area (EEA) unless appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules where applicable
  • Adequacy decisions by relevant authorities
  • Other transfer mechanisms permitted under applicable Data Protection Laws

8. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under applicable Data Protection Laws, including:

  • Right of access to Personal Data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

9. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Audits shall be conducted with reasonable notice and during normal business hours, and shall not unreasonably disrupt the Processor's business operations.

10. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects concerned
  • Categories and approximate number of records concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

11. Termination

Upon termination of the Agreement, the Processor shall, at the choice of the Controller:

  • Return all Personal Data to the Controller in a commonly used format
  • Delete all Personal Data and certify such deletion

The Processor shall complete such return or deletion within 30 days of termination, unless applicable law requires retention of the Personal Data.

12. Liability

Each party shall be liable for damages caused by Processing that infringes applicable Data Protection Laws. The limitations of liability set forth in the Agreement shall apply to this DPA, except where prohibited by applicable law.

Questions about this DPA?

Contact our legal team for clarification or to request a signed copy.