Data Processing Agreement

Customer appoints the Company as a Processor to Process Personal Data on Customer's behalf solely for the purposes of providing the Services as described in Exhibit A ("Processing Activities").

The Company shall Process Personal Data only in accordance with Customer's documented instructions (as set forth in this DPA and the MSA/Order Form) and applicable law. The Company shall inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.

The categories of Personal Data and Data Subjects are set forth in Exhibit A. Customer shall not submit Special Categories of Personal Data (e.g., health, biometric, political views) to the Services without the Company's prior written consent.

To the extent that Customer Content includes voice recordings, facial images, voiceprints, retina or iris scans, fingerprints, or any other biometric identifier or biometric information as defined under applicable law (including the Illinois Biometric Information Privacy Act (740 ILCS 14/), California Civil Code § 1798.91.04, Texas Business & Commerce Code Chapter 503, or similar biometric privacy statutes) (collectively, "Biometric Data"), Customer represents, warrants, and covenants that: (a) it has provided all legally required written notices to the individuals whose Biometric Data is included in Customer Content; (b) it has obtained all legally required written consents from such individuals prior to submitting Biometric Data to the Services; (c) it has established and made available a publicly available retention schedule and guidelines for permanently destroying Biometric Data as required by applicable law; and (d) its collection, use, and submission of Biometric Data complies in all respects with applicable biometric privacy laws. Customer shall defend, indemnify, and hold the Company harmless from any claims, regulatory actions, fines, or penalties arising from Customer's failure to comply with this Section 3.4.

The Company shall ensure that persons authorised to Process Personal Data are subject to enforceable confidentiality obligations or professional secrecy duties.

The Company shall use commercially reasonable efforts to implement and maintain appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are described in Exhibit B (Security Measures). The Company may update Exhibit B provided the overall level of protection is not materially reduced.

Upon Customer's request, the Company shall provide reasonable assistance to help Customer fulfill its obligations to respond to Data Subject requests (access, rectification, erasure, portability, objection). Customer shall be solely responsible for responding to Data Subjects.

The Company shall provide reasonable assistance to Customer in carrying out any required Data Protection Impact Assessment (DPIA) or prior consultation with a Supervisory Authority, to the extent that such DPIAs relate to the Company's Processing activities.

The Company shall not: (a) sell or share Personal Data for cross-context behavioural advertising; (b) retain, use, or disclose Personal Data outside the scope of the Services; or (c) combine Personal Data with data obtained from other sources except as specifically authorised in writing by Customer.

The Company shall not use Customer Data (including Personal Data) to train, fine-tune, evaluate, or improve any general-purpose AI model that is offered to customers other than Customer, without Customer's explicit written consent.

Customer hereby provides general written authorisation for the Company to engage Sub-processors. The Company's current list of Sub-processors is available at lenera.ai/legal/subprocessors ("Sub-processor List").

The Company shall provide Customer with thirty (30) days' prior written notice of any new Sub-processor additions or material changes. Customer may object to a new Sub-processor within this notice period on reasonable, documented data protection grounds by providing written notice specifying the objection. The parties shall negotiate in good faith to resolve the objection within fifteen (15) days. If the parties cannot resolve the issue, Customer may terminate the portion of the Service relying on the objected Sub-processor upon thirty (30) days' written notice, and the Company shall refund a pro-rata portion of any prepaid Fees for the terminated portion covering the period after the effective date of termination.

The Company shall impose data protection obligations on Sub-processors no less protective than those in this DPA. The Company remains fully liable for the acts and omissions of its Sub-processors.

• Multi-factor authentication required for all Company staff accessing production systems
• Role-based access control (RBAC) — principle of least privilege
• Customer data is logically isolated between tenants

• Data at rest: AES-256 encryption
• Data in transit: TLS 1.2+ on all endpoints

• Hosted on AWS / Render / Vercel — ISO 27001 and SOC 2 Type II certified infrastructure
• Network segmentation and firewall rules enforced

• Security incident response plan maintained and tested annually
• 72-hour breach notification commitment to Customer

• Employee security training annually
• Background checks for employees with access to production data
• Vendor risk assessments for all Sub-processors

• Regular penetration testing (annually by external firm)
• Automated dependency vulnerability scanning in CI/CD pipeline