Sub-processor List

Lenera AI Inc. ("Lenera AI," "we," or "us") engages certain third-party service providers ("sub-processors") to process personal data on behalf of our customers in connection with the delivery of our AI video platform and related services. This document lists all current sub-processors, the categories of personal data each processes, and the applicable security certifications.

This sub-processor list forms an annex to the Lenera AI Data Processing Agreement ("DPA"). Capitalised terms not defined here have the meanings given in the DPA.

A sub-processor is any third party that processes personal data on our behalf to provide the Service. Sub-processors do not include:

• Third-party tools accessed independently by Customers (not part of Service delivery);
• Providers used only for anonymised or aggregate data;
• Professional service providers (e.g., legal counsel) who do not access personal data in the course of their engagement; or
• Providers used purely for Lenera AI's internal business operations that do not process Customer personal data.

The table below lists all current sub-processors as of the "Last Updated" date above, organised by functional category.

Lenera AI periodically reviews and updates its sub-processor list as our services and infrastructure evolve. We are committed to transparency and will:

• Provide at least thirty (30) days' prior written notice (by email to the Customer's registered contact address, or via the in-platform notification centre) before adding a new sub-processor or making a material change to an existing sub-processor's role or data processing scope;
• Maintain an up-to-date version of this sub-processor list at lenera.ai/legal/subprocessors;
• Log the effective date of each change in the version history; and
• Promptly notify Customers if a sub-processor suffers a material security incident affecting Customer personal data.

If a Customer reasonably objects to Lenera AI's use of a new or changed sub-processor on grounds that the change materially impairs the Customer's ability to comply with applicable data protection law, the Customer must:

• Submit a written objection to support@lenera.ai within thirty (30) days of receiving the notice;
• Identify the specific sub-processor and the legal or compliance concern; and
• Engage in good faith discussions with Lenera AI to explore alternative arrangements.

If Lenera AI cannot reasonably accommodate the objection within thirty (30) days of receiving it (e.g., by using an alternative sub-processor or modifying processing), the Customer may, as its sole and exclusive remedy, terminate the affected Service upon written notice, and Lenera AI will refund any prepaid, unused fees on a pro-rata basis.

Where a sub-processor processes personal data outside the European Economic Area, the United Kingdom, or other jurisdictions with adequacy decisions, Lenera AI ensures appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) adopted by the European Commission (Module 3: Processor-to-Processor);
• The UK International Data Transfer Addendum (UK IDTA) for UK data;
• Swiss-specific transfer mechanisms where applicable; and
• Sub-processor adherence to the EU-U.S. Data Privacy Framework (DPF) where certified.

Specific transfer mechanisms in place for each sub-processor are available upon written request to support@lenera.ai.

For questions about this sub-processor list or to submit an objection, please contact:

Privacy Team — Lenera AI Inc.
support@lenera.ai
28 Geary St STE 650 Suite #620, San Francisco, California 94108, United States