Data Processing Agreement

This Data Processing Agreement ("DPA") supplements and is incorporated into the Terms of Service(the "Agreement") between Optima Engineering LLC ("Optima," "Processor") and you ("Customer," "Controller"). This DPA governs the processing of Personal Data by Optima on behalf of Customer in connection with the Kraken AI platform (also referred to as "Kraken" or the "Kraken Platform") and related services (the "Services").

This DPA applies to the extent that Optima processes Personal Data on behalf of Customer as a data processor (or equivalent role under applicable data protection laws). Where Customer acts as a processor on behalf of its own customers, references to "Controller" apply to Customer in its capacity as a sub-processor's instructing entity.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, modification, transmission, deletion, or destruction.
• "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR (Regulation (EU) 2016/679), UK GDPR, Swiss Federal Act on Data Protection (FADP), CCPA/CPRA, and any other applicable privacy legislation.
• "Sub-processor" means any third party engaged by Optima to process Personal Data on behalf of Customer.
• "Customer Data" means all data submitted by Customer to the Services, including any Personal Data contained therein.
• "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
• "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries, as adopted by the European Commission on June 4, 2021 (Implementing Decision (EU) 2021/914), as may be amended or replaced.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

2. Scope and Purpose of Processing

Optima processes Personal Data solely on behalf of and in accordance with Customer's documented instructions to provide the Services. The details of processing are as follows:

• Subject matter: provision of the Kraken AI platform, including AI agent orchestration, monitoring, safety controls, observability, data integrations, and governance features.
• Duration: for the term of the Agreement, plus the period required to delete or return Personal Data as described in this DPA.
• Nature and purpose: processing Customer Data as necessary to provide, maintain, and support the Services, including agent execution, workflow processing, data pipeline operations, and platform administration.
• Categories of Data Subjects:Customer's employees, contractors, end users, and any other individuals whose Personal Data is submitted to the Services by Customer.
• Types of Personal Data: as determined by Customer, which may include names, email addresses, contact information, IP addresses, identifiers, operational data, and any other Personal Data submitted through the Services.

3. Customer Obligations

Customer agrees to:

• Comply with all applicable Data Protection Laws in its use of the Services and its processing instructions to Optima.
• Ensure that it has obtained all necessary consents, authorizations, and legal bases required for the processing of Personal Data through the Services.
• Provide processing instructions that comply with applicable law and this DPA.
• Be responsible for the accuracy, quality, and legality of Personal Data submitted to the Services.

4. Optima's Processing

In connection with providing the Services, Optima will use commercially reasonable efforts to:

• Process Personal Data only on documented instructions from Customer, unless required to do so by applicable law (in which case Optima will inform Customer of such legal requirement before processing, unless prohibited by law).
• Ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.
• Implement and maintain appropriate technical and organizational security measures as described in Section 7.
• Provide reasonable cooperation to Customer in fulfilling its obligations regarding Data Subject rights, security, breach notification, and data protection impact assessments, as required by Data Protection Laws, at Customer's expense.
• Process Personal Data in connection with providing and improving the Services, subject to Section 12 (De-identified and Aggregated Data).

5. Sub-processors

Customer provides general authorization for Optima to engage Sub-processors to process Personal Data in connection with the Services. Optima maintains a list of current Sub-processors, available on our Subprocessor List page.

Optima may update its Sub-processors from time to time. A current list is available on our Subprocessor List page. If Customer objects to a new Sub-processor, Customer's sole remedy is to terminate the affected Services in accordance with the Agreement's termination provisions.

Optima's standard practice is to require sub-processors to maintain appropriate data protection measures.

6. Data Subject Rights

Customer is solely responsible for responding to Data Subject requests. If Optima receives a request directly from a Data Subject, Optima may redirect the request to Customer. Customer may use self-service tools available in the Services, if any. Any additional assistance is subject to separate agreement and fees.

7. Security Measures

Optima maintains commercially reasonable technical and organizational security measures designed to protect Customer Data. Specific security commitments, certifications, and controls are addressed in individually negotiated Enterprise Agreements.

8. Personal Data Breach Notification

Optima will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Data. The notification will include, to the extent reasonably available at the time:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected.
• The name and contact details of Optima's point of contact for further information.
• A description of the likely consequences of the breach.
• A description of the measures taken or proposed to address the breach, including measures to mitigate its effects.

Optima will take commercially reasonable steps to contain and remediate the breach. Additional cooperation and assistance will be provided at Customer's expense.

9. Data Deletion and Return

Upon termination or expiration of the Agreement, Customer is solely responsible for exporting Customer Data before termination using any self-service tools available in the Services. After termination, Optima may delete Customer Data in accordance with its standard deletion processes, unless retention is required by applicable law or an Enterprise Agreement specifies otherwise. Optima is not responsible for Customer Data that is not exported before termination.

10. International Data Transfers

Optima is based in the United States. To the extent that processing involves the transfer of Personal Data from the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, the parties agree that such transfers will be governed by the Standard Contractual Clauses (SCCs), which are incorporated into this DPA by reference.

For the purposes of the SCCs:

• Module Two (Controller to Processor) applies where Customer is a Controller and Optima is a Processor.
• Module Three (Processor to Processor) applies where Customer is a Processor acting on behalf of its own controller.
• In Clause 9, Option 2 (general written authorization) applies, with a 30-day prior notice period for Sub-processor changes.
• In Clause 17, the SCCs are governed by the laws of Ireland.
• In Clause 18, disputes will be resolved before the courts of Ireland.

For transfers from the UK, the International Data Transfer Addendum issued by the UK Information Commissioner's Office applies. For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection Act.

11. Audit Rights

Upon Customer's reasonable written request and no more than once per year, Optima will make available relevant security certifications and audit reports (e.g., SOC 2 Type II) to demonstrate compliance with this DPA. Optima may satisfy any audit request by providing such third-party audit reports, and Customer agrees that these reports constitute sufficient demonstration of compliance. On-site audits or inspections are not permitted unless required by a supervisory authority under applicable Data Protection Laws.

12. De-identified and Aggregated Data

Optima may process information derived from Customer Data that has been de-identified, anonymized, and/or aggregated such that the data is no longer considered Personal Data under applicable Data Protection Laws. Optima may use such de-identified data without restriction to improve and optimize the Services and for other business purposes.

13. CCPA/CPRA Provisions

To the extent that the CCPA/CPRA applies, Optima acts as a "Service Provider" as defined by the CCPA/CPRA. Optima's obligations under the CCPA/CPRA are limited to the statutory minimums and are subject to Section 14 (Limitation of Liability). Specific CCPA/CPRA commitments may be addressed in individually negotiated Enterprise Agreements.

14. Limitation of Liability

OPTIMA'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS DPA, THE PROCESSING OF PERSONAL DATA, ANY DATA PROTECTION LAWS, OR ANY SECURITY INCIDENT WILL BE SUBJECT TO THE LIMITATIONS OF LIABILITY SET FORTH IN THE AGREEMENT. IN NO EVENT WILL OPTIMA BE LIABLE FOR: (I) ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES; (II) ANY FINES OR PENALTIES IMPOSED BY SUPERVISORY AUTHORITIES, EXCEPT TO THE EXTENT SUCH FINES OR PENALTIES ARISE DIRECTLY FROM OPTIMA'S BREACH OF ITS OBLIGATIONS UNDER THIS DPA OR THE AGREEMENT; (III) ANY COSTS OF NOTIFICATION, CREDIT MONITORING, OR REMEDIATION, EXCEPT TO THE EXTENT SUCH COSTS ARISE DIRECTLY FROM OPTIMA'S BREACH OF ITS OBLIGATIONS UNDER THIS DPA OR THE AGREEMENT; OR (IV) ANY DAMAGES ARISING FROM CUSTOMER'S FAILURE TO EXPORT DATA — IN EACH CASE ARISING FROM OR RELATED TO THIS DPA, REGARDLESS OF THE THEORY OF LIABILITY.

15. Term and Termination

This DPA terminates upon termination of the Agreement. Sections 12, 14, and 16 survive termination.

In the event of a conflict between this DPA and the Agreement, the Agreement prevails. This DPA supplements but does not replace the Agreement. Where an Enterprise Agreement exists, the Enterprise Agreement controls over this DPA.

16. Modifications

We may update this DPA at any time in our sole discretion. Updated versions will be posted on our website. All modifications are immediately binding upon posting. We are not obligated to notify you of changes. It is solely your responsibility to review this DPA regularly. Your continued use of the Services constitutes your acceptance of the then-current DPA.

Notwithstanding the foregoing, for customers who have entered into a Master Cloud Services Agreement, modifications to this DPA shall be governed by the amendment provisions of that agreement (Section 15.4) and require mutual written agreement between the parties.

17. Contact

For questions about this DPA or to submit a data processing request, please contact us:

• Email: privacy@optima.engineering
• Legal inquiries: legal@optima.engineering
• Entity: Optima Engineering LLC