Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between DevAI Corp, DBA DevAI Suite ("DevAI" or "Processor") and the customer entity agreeing to the applicable Terms of Service or order form ("Customer" or "Controller") and applies where DevAI processes personal data on behalf of Customer.
1. Purpose and Scope
This DPA governs DevAI's processing of personal data on behalf of Customer in connection with the provision of the Service.
2. Roles of the Parties
The parties acknowledge that:
- Customer is the controller or business, or acts on behalf of the relevant controller; and
- DevAI is the processor or service provider with respect to personal data processed on Customer's behalf through the Service.
3. Customer Instructions
DevAI will process personal data only:
- on documented instructions from Customer;
- as necessary to provide the Service;
- to comply with applicable law; or
- as otherwise permitted by the agreement between the parties.
Customer is responsible for ensuring that it has all necessary rights and lawful bases to provide personal data to DevAI and to instruct DevAI to process it.
4. Nature and Purpose of Processing
DevAI processes personal data for the limited purpose of providing, securing, supporting, maintaining, and improving the Service for Customer in accordance with Customer's documented instructions and the parties' agreement.
5. Types of Personal Data
Depending on Customer's use of the Service, personal data may include:
- names
- business contact information
- user account details
- role and permission data
- project and operational records
- uploaded documents
- communications content
- system logs
- usage metadata
- other personal data included by Customer in Customer Data
6. Categories of Data Subjects
Data subjects may include:
- Customer personnel
- Customer contractors
- Customer end users
- Customer suppliers or partners
- individuals whose information is included in Customer Data by Customer
7. Confidentiality
DevAI will ensure that personnel authorized to process personal data are subject to appropriate confidentiality obligations.
8. Security Measures
DevAI will implement and maintain appropriate administrative, technical, and organizational safeguards designed to protect personal data, taking into account the nature of the processing and the risks involved.
A summary of DevAI's security practices is described in its Security Overview and may be supplemented in writing for enterprise customers.
9. Subprocessors
Customer grants DevAI general authorization to engage subprocessors to assist in providing the Service.
DevAI will:
- impose data protection obligations on subprocessors appropriate to the nature of the services provided;
- remain responsible for the performance of its subprocessors to the extent required by applicable law;
- maintain a public subprocessor list or otherwise make subprocessor information available on request;
- provide notice of material subprocessor changes where commercially reasonable.
10. Assistance to Customer
Taking into account the nature of the processing and information available to DevAI, DevAI will provide reasonable assistance to Customer with:
- data subject requests;
- security incident response;
- data protection impact assessments, where applicable;
- regulatory or supervisory inquiries relating to processing performed by DevAI on Customer's behalf.
11. Security Incidents
DevAI will notify Customer without undue delay after becoming aware of a confirmed security incident affecting personal data processed under this DPA, and will provide information reasonably necessary for Customer to meet its own notification obligations.
Under EU/UK-style rules, some personal-data breaches must be reported to regulators within 72 hours after awareness when the legal threshold is met, which is why this clause should remain operationally strong.
12. Deletion and Return
Upon termination or expiration of the Service, DevAI will delete or return personal data processed on behalf of Customer, unless retention is required by applicable law or reasonably necessary for security, dispute resolution, backup rotation, or legal compliance.
13. Audit and Information Rights
DevAI will make available information reasonably necessary to demonstrate compliance with this DPA. Any audit rights will be exercised in a manner that is reasonable, proportionate, and protective of DevAI's confidential information and the security of other customers.
14. International Transfers
Where personal data subject to EEA, UK, Swiss, or similar transfer restrictions is transferred internationally, the parties will implement an appropriate transfer mechanism required by applicable law, which may include:
- the European Commission's Standard Contractual Clauses;
- the UK International Data Transfer Addendum or IDTA;
- other recognized safeguards or lawful transfer mechanisms.
The Commission's SCCs and the UK Addendum/IDTA remain the official mechanisms referenced by EU and UK authorities for these situations.
15. Order of Precedence
If there is a conflict between this DPA and the Terms of Service solely with respect to personal data processing, this DPA will control to the extent of that conflict.
16. Annex 1 - Processing Details
Subject matter: provision of the DevAI Suite Service
Duration: for the term of the applicable agreement and any post-termination retention period permitted by law
Nature and purpose: hosting, storage, organization, retrieval, analysis, support, security, and customer-directed processing of Customer Data
Categories of data subjects: as described in Section 6 above
Categories of personal data: as described in Section 5 above
17. Annex 2 - Technical and Organizational Measures
DevAI maintains safeguards addressing, as appropriate:
- access control
- identity and authentication controls
- encryption in transit and at rest where applicable
- logging and monitoring
- vulnerability and patch management
- backup and restoration
- incident response
- vendor management
- confidentiality obligations
- secure development and change management
18. Annex 3 - Subprocessors
DevAI will maintain an up-to-date subprocessor list on its website or make it available upon request.
19. Contact
Questions regarding this DPA may be directed to: info@devaisuite.com