Data Processing Agreement

A. The Controller wishes to use the KAI platform and related services ("the Service") provided by the Processor, as described in the Terms of Service available at www.aidatadesk.com/terms.

B. In the course of providing the Service, the Processor will process personal data on behalf of the Controller within the meaning of the GDPR.

C. The Parties wish to set out in this Data Processing Agreement ("DPA") the terms on which the Processor shall process personal data on behalf of the Controller, in accordance with Article 28 of the GDPR.

D. This DPA is incorporated into and forms part of the Terms of Service between the Parties. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

In this DPA, the following definitions apply:

• "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data.
• "Personal Data" has the meaning given in Article 4(1) GDPR.
• "Processing" has the meaning given in Article 4(2) GDPR.
• "Data Subject" has the meaning given in Article 4(1) GDPR.
• "Controller" has the meaning given in Article 4(7) GDPR — the entity that determines the purposes and means of processing personal data through the Service.
• "Processor" has the meaning given in Article 4(8) GDPR — AI Data Desk B.V., which processes personal data on behalf of the Controller.
• "Sub-processor" means any third party engaged by the Processor to process personal data in connection with providing the Service.
• "Supervisory Authority" means the Autoriteit Persoonsgegevens (the Netherlands) or, where applicable, another competent supervisory authority under the GDPR.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Article 46(2)(c) GDPR, as currently in force.
• "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA.

The Controller is the data controller in respect of Personal Data processed through the Service. The Processor processes Personal Data solely on behalf of and on the documented instructions of the Controller, as set out in this DPA and the Terms of Service.

Where the Processor processes Personal Data for its own purposes — for example, account management, billing, fraud prevention, or service improvement in aggregate anonymised form — the Processor acts as an independent data controller for those purposes, as described in the Privacy Policy at www.aidatadesk.com/privacy.

Each party shall comply with its respective obligations under the GDPR and any other applicable data protection legislation. Nothing in this DPA relieves the Controller of its own data protection obligations as a controller.

The details of the processing carried out by the Processor on behalf of the Controller are as follows:

The Processor provides the KAI platform, which processes Personal Data as necessary to deliver AI-assisted email replies, meeting transcription and summarisation, Knowledge Base management, and Company AI Chat functionality.

The Processor shall process Personal Data for the duration of the Controller's subscription to the Service, and thereafter only as required by applicable law or to fulfil the deletion obligations set out in this DPA.

Personal Data is processed for the following purposes:

• Authenticating users via Google or Microsoft OAuth
• Accessing and processing email content to generate AI-assisted reply suggestions
• Accessing calendar data to detect and join meetings for transcription
• Recording, transcribing, and summarising meetings
• Storing and querying documents uploaded to the Knowledge Base
• Providing Company AI Chat functionality using authorised internal data
• Sending transactional and notification emails to users
• Managing subscriptions and billing
• Maintaining security, preventing fraud, and providing technical support

Depending on the features used, the following categories of Personal Data may be processed:

• Identification data: name, email address, profile picture, job title
• Authentication data: OAuth tokens for Google and/or Microsoft accounts
• Email data: email metadata (sender, recipient, subject, date) and email body content
• Calendar data: meeting titles, times, participants, and meeting links
• Meeting data: meeting audio, video, transcripts, and AI-generated summaries
• Document data: content of files uploaded to the Knowledge Base
• Usage and technical data: IP address, browser type, session data, error logs
• Billing data: subscription plan and status (payment data is processed directly by Stripe)

• The Controller's employees and staff who use the Service
• The Controller's contractors and authorised third parties who use the Service
• Third parties whose Personal Data appears in emails, meetings, or documents processed through the Service (e.g. email correspondents, meeting participants)

The Service is not designed or intended to process special categories of Personal Data as defined in Article 9 GDPR. The Controller must not submit special category data through the Service. If the Processor becomes aware that special category data has been submitted, it will notify the Controller and delete such data without undue delay.

The Processor shall process Personal Data only on documented instructions from the Controller, as set out in this DPA and the Terms of Service. If the Processor is required by applicable law to process Personal Data in a way not covered by the Controller's instructions, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited from doing so by law.

The Processor shall ensure that persons authorised to process Personal Data under this DPA are bound by appropriate confidentiality obligations, whether by contract or statutory duty.

The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include, as a minimum:

• All data hosted on AWS EU (Frankfurt, eu-central-1) infrastructure
• Encryption in transit using TLS 1.3
• Encryption at rest using AES-256
• Role-based access control and zero-trust architecture
• Periodic penetration testing by independent third parties
• Information security practices aligned with ISO 27001 standards
• Strict access controls limiting employee access to Personal Data to that described in Section 4.10

The Processor shall review and update these measures periodically. The Processor may update the specific technical measures from time to time provided the overall level of security is not materially reduced.

The Controller provides general written authorisation for the Processor to engage sub-processors. The current list of approved sub-processors is:

The Processor shall maintain an up-to-date sub-processor list at www.aidatadesk.com/subprocessors.

The Processor shall notify the Controller of any intended addition or replacement of sub-processors at least 14 days in advance by email to the address associated with the Controller's account. The Controller may object to the change in writing within 14 days of notification. If the Controller objects and the Parties cannot resolve the issue, either party may terminate the Service on reasonable written notice without penalty with respect to the affected processing.

The Processor shall impose data protection obligations on sub-processors equivalent to those in this DPA and shall remain fully liable to the Controller for the acts and omissions of its sub-processors.

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to requests by data subjects exercising their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). The Processor shall forward any data subject request it receives directly to the Controller without undue delay and shall not respond to data subjects on the Controller's behalf without authorisation.

The Processor shall assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to the Processor.

The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Security Incident affecting Personal Data processed under this DPA. The notification shall include, to the extent available at the time:

• A description of the nature of the Security Incident, including the categories and approximate number of data subjects and records affected
• The name and contact details of the Processor's data protection contact
• A description of the likely consequences of the Security Incident
• A description of the measures taken or proposed to address the Security Incident

The Processor shall provide further information as it becomes available. The Processor shall cooperate fully with the Controller in meeting the Controller's breach notification obligations under Article 33 GDPR (72-hour notification to the supervisory authority) and Article 34 GDPR (notification to affected data subjects).

Upon termination or expiry of the Service, or at the Controller's written request at any time, the Processor shall:

• Delete all Personal Data processed on behalf of the Controller within 30 days; and
• Confirm in writing that deletion has been completed

Backup purge: Residual copies in encrypted backups are purged within 30 days of the deletion date. The Processor may retain Personal Data where required to do so by applicable law, in which case it shall notify the Controller of the legal basis and limit processing to what is strictly required.

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

The Controller agrees to: (a) give the Processor at least 30 days' prior written notice of any audit; (b) conduct audits during normal business hours with minimal disruption to the Processor's operations; (c) limit audits to once per calendar year unless there is reasonable cause to believe a Security Incident has occurred; and (d) bear the costs of any audit, including the Processor's reasonable costs in cooperating.

The Processor may satisfy the audit obligation by providing a current third-party audit report or certification (such as a SOC 2 Type II or equivalent) where available.

The Processor shall ensure that no employee, contractor, or agent accesses Personal Data processed under this DPA except:

• (a) where strictly necessary to provide the Service in accordance with the Controller's instructions;
• (b) where the Controller has given explicit written permission to access specific data for a defined support purpose;
• (c) where access is necessary to investigate a confirmed Security Incident or prevent abuse of the Service; or
• (d) where required by applicable law.

All such access shall be logged and auditable.

Where Personal Data processed under this DPA includes data obtained via Google APIs (including Gmail and Google Calendar data), The Processor confirms that such data is processed strictly in accordance with the Google API Services User Data Policy and the Limited Use requirements thereunder. The Processor requests only the minimum OAuth scopes necessary — specifically gmail.modify (to read emails and save AI-drafted replies as drafts), gmail.labels (to create and apply email labels), and calendar (to read calendar events for meeting detection and to create meeting invites on behalf of the user). The Processor does not request scopes for features not yet implemented. The Processor does not use Google API data for advertising, profiling, model training, or any purpose beyond delivering the Service to the authorised user.

The Controller represents and warrants that:

• It has a valid lawful basis under the GDPR for each processing activity it instructs the Processor to carry out under this DPA
• It has provided all required notices to, and obtained all required consents from, data subjects whose Personal Data will be processed through the Service, including employees, contractors, and third-party email correspondents and meeting participants
• Its instructions to the Processor comply with applicable law
• It will not instruct the Processor to process special categories of Personal Data unless it has notified the Processor in writing and appropriate safeguards are in place
• It will promptly notify the Processor of any instruction that, in the Controller's reasonable view, would require the Processor to violate applicable law

Where the Processor or its sub-processors transfer Personal Data to a country outside the EU/EEA that does not benefit from an adequacy decision, the transfer shall be made subject to Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) GDPR, or another valid transfer mechanism under Article 46 GDPR. Details of transfers and applicable mechanisms are set out in the sub-processor table in Section 4.4.

The Processor shall promptly notify the Controller if, in its reasonable opinion, a change in applicable law or regulatory guidance would affect the validity of the transfer mechanism in place for any sub-processor.

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability to data subjects or to supervisory authorities under the GDPR.

Where a data subject or supervisory authority brings a claim against one party in respect of a breach that is wholly or partly attributable to the other party, the party at fault shall indemnify the other party against the portion of liability attributable to it.

This DPA shall remain in force for as long as the Processor processes Personal Data on behalf of the Controller under the Terms of Service. Termination of the Terms of Service shall automatically terminate this DPA, subject to the Processor's obligation to delete data as set out in Section 4.8 and any obligations that survive termination by their nature.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the subject matter of data protection. In the event of any conflict between this DPA and the Standard Contractual Clauses where those clauses apply, the Standard Contractual Clauses shall prevail.

This DPA shall be governed by the laws of the Netherlands. Any disputes shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.

This DPA is entered into by the Parties as of the date the Controller accepts the Terms of Service or, where executed separately, as of the date of the last signature below.

For AI Data Desk B.V. (Processor):

Name: _______________________
Title: _________________________
Date: _________________________
Signature: ____________________

For [Controller Organisation Name] (Controller):

Name: ________________________
Title: __________________________
Date: __________________________
Signature: _____________________

The following technical and organisational measures are implemented by AI Data Desk B.V. as of the date of this DPA:

Infrastructure Security

• All data hosted exclusively on AWS EU (Frankfurt, eu-central-1)
• Network isolation and hardened cloud infrastructure
• Zero-trust architecture — every user, device, and request is authenticated and authorised
• No implicit trust granted within the system

Encryption

• Encryption in transit: TLS 1.3 for all data in motion
• Encryption at rest: AES-256 for all stored data
• OAuth tokens encrypted at rest and never exposed to other users or systems

Access Control

• Role-based access control (Admin, Team Lead, User) enforced at application layer
• Principle of least privilege — users are granted only permissions required for their role
• Employee access to Personal Data restricted to that described in Section 4.10
• All privileged access is logged and auditable

Authentication

• Multi-factor authentication supported and enforced at login
• OAuth 2.0 for third-party account connections (Google, Microsoft)
• Firebase Authentication for session management

Monitoring and Incident Response

• Proactive monitoring and structured logging for anomaly detection
• Defined incident response procedures aligned with GDPR Article 33/34 timelines
• Security events monitored and managed under defined protocols

Penetration Testing and Vulnerability Management

• Periodic penetration testing by independent third parties
• Vulnerability findings are triaged, prioritised, and remediated according to severity

Data Minimisation and Retention

• Only data strictly necessary to provide the Service is collected and processed
• Automated retention enforcement in accordance with the periods set out in Section 3.2 and the Privacy Policy
• Backups purged within 30 days of data deletion

Personnel

• All personnel with access to Personal Data are bound by confidentiality obligations
• Security awareness is part of employee onboarding and ongoing operations
• Access is revoked immediately upon change of role or departure

Current as of 9 April 2026. The most current version is maintained at www.aidatadesk.com/subprocessors.