Data Processing Agreement

Last updated: April 2026

This InPolicy LLC Data Processing Agreement (the "DPA") governs InPolicy's processing of DPA Data required to provide the Service under the Order Form or other agreement between You and InPolicy (the "Agreement"). In the event of any conflicting language between the Agreement and this DPA, the terms of this DPA control with respect to data protection matters. This DPA is incorporated into and forms part of the Agreement. This DPA shall become effective on the date of the Agreement or, if later, the date on which this DPA is executed by both parties (the "DPA Effective Date"). This DPA applies to the extent that InPolicy processes DPA Data on behalf of the Controller in connection with the provision of the Service. Each party agrees to comply with the obligations applicable to it under this DPA.

Data Processing Roles: As between You and InPolicy, You are the Data Controller and InPolicy is the Data Processor.

Data Processing Purposes: InPolicy will process DPA Data solely for the purpose of providing or maintaining the Service and in accordance with Instructions.

Categories of Personal Data: Account data (name, email address, role/title of authorized users).

Categories of Data Subjects: Customer's employees and authorized users.

Duration of Processing: For the term of the Agreement.

1. Definitions

The definitions in Section 15 apply to this DPA. Capitalized terms not defined here have the meanings given in the Agreement.

2. Processing Requirements

As a Data Processor, InPolicy will:

2.1 process DPA Data on Your behalf, according to Instructions, and only as necessary to perform the Service;

2.2 promptly notify You if it cannot comply with this DPA;

2.3 promptly inform You if an instruction infringes applicable Data Protection Law;

2.4 ensure all persons authorized to process DPA Data are subject to confidentiality obligations, whether statutory or contractual, and that such obligations survive the termination of such persons’ engagement;

2.5 not process DPA Data other than on documented Instructions from the Controller, unless processing is required by applicable law to which InPolicy is subject, in which case InPolicy shall inform the Controller of that legal requirement before processing unless that law prohibits such information on important grounds of public interest;

2.6 taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising Data Subject rights under Data Protection Law;

2.7 assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security of processing, notification of a Personal Data Breach, communication of a Personal Data Breach to Data Subjects, and data protection impact assessments), taking into account the nature of processing and the information available to InPolicy;

2.8 at the choice of the Controller, delete or return all DPA Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the DPA Data; and

2.9 make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

3. Usage Data and No Training

3.1 InPolicy may collect and use Usage Data to develop, improve, support, and operate the Service. InPolicy may not share Usage Data that includes Your Confidential Information with any third party except to the extent it is aggregated and anonymized such that You cannot be identified.

3.2 InPolicy may generate, retain, and use anonymized analytical metadata derived from its processing, including system-generated categorizations and classifications of policy types. Such derived metadata is generated solely by InPolicy's systems, does not reproduce Content or Customer Data, and cannot be used to identify Controller or any individual Data Subject.

3.3 InPolicy will not train any AI models using Your Content or Customer Data. Subprocessors will not train any AI models using Your Content or Customer Data. Subprocessors, except for cloud storage providers, will not retain or log Content or Customer Data for human review. For the avoidance of doubt, this prohibition extends to fine-tuning, reinforcement learning from human feedback (RLHF), embeddings generation for model improvement, transfer learning, and any other form of machine learning model development or optimization. This prohibition applies irrespective of whether the Content or Customer Data has been anonymized or aggregated. InPolicy shall ensure that each Subprocessor agreement contains contractual restrictions on AI model training that are no less protective than those set forth in this Section 3.3.

3.4 InPolicy does not store Content. All Content is processed transiently and is not written to persistent storage.

3.5 InPolicy maintains a Tenant Knowledge Base for each customer organization — a structured set of facts assembled solely to fill the gaps necessary to make effective policy enforcement decisions. The Tenant Knowledge Base is assembled and maintained by InPolicy primarily from publicly available sources, is specific to each customer organization, and is never shared with or accessible to other customers. It contains no Content, no employee communications, and no personal data beyond what employees may voluntarily provide in response to authorized knowledge-gathering queries. The Tenant Knowledge Base constitutes Customer Data and is subject to the same protections and retention commitments that apply to Customer Data under this DPA.

4. Subprocessors

4.1 InPolicy will engage the Subprocessors listed in Exhibit A. You consent to InPolicy's use of existing Subprocessors and grant general authorization to engage Subprocessors to perform the Service. InPolicy will provide at least 30 days' prior notice before adding or replacing any Subprocessor; such notice shall include the identity of the proposed Subprocessor, its location, and the nature of the processing activities to be performed. You may object within 15 days on reasonable data protection grounds. InPolicy shall not engage any new Subprocessor to process DPA Data until the objection period has expired without objection from the Controller. If the objection cannot be resolved within 30 days, either party may terminate the affected Services for cause. InPolicy shall maintain an up-to-date list of Subprocessors on its website or make such list available upon request.

4.2 InPolicy will impose data protection obligations on all Subprocessors substantially equivalent to this DPA and remains liable for Subprocessor performance. InPolicy shall conduct appropriate due diligence on each Subprocessor prior to engagement, including an assessment of the Subprocessor’s technical and organizational measures for the protection of Personal Data. InPolicy shall enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those set out in this DPA. Where a Subprocessor fails to fulfill its data protection obligations, InPolicy shall remain fully liable to the Controller for the performance of that Subprocessor’s obligations.

5. Notice to Customer

InPolicy will inform You, to the extent legally permitted, of: (a) any legally binding law enforcement request for DPA Data; (b) any Supervisory Authority inquiry relating to DPA Data; or (c) any Data Subject Request. InPolicy will not respond to any Data Subject Request without Your prior written authorization. InPolicy shall provide such notification without undue delay, and in any event within five (5) business days of receipt. InPolicy shall use commercially reasonable efforts to challenge any law enforcement request that it reasonably believes to be legally deficient or overly broad, and shall seek to narrow the scope of any compelled disclosure to the minimum necessary. InPolicy shall cooperate with the Controller in preparing any response to a Supervisory Authority inquiry or Data Subject Request.

6. Personal Data Breach

InPolicy will notify You within 72 hours of becoming aware of a confirmed Personal Data Breach, providing: nature and categories of data affected; approximate number of Data Subjects and records; likely consequences; and measures taken or proposed. Notification does not constitute acknowledgment of fault or liability. InPolicy shall also provide the name and contact details of InPolicy’s point of contact from whom additional information may be obtained. If it is not possible to provide all required information simultaneously, InPolicy shall provide the information in phases without further undue delay. InPolicy shall cooperate with the Controller and take such commercially reasonable steps as the Controller may direct to assist in the investigation, mitigation, and remediation of each Personal Data Breach. InPolicy shall maintain a record of all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, and shall make such record available to the Controller and any Supervisory Authority upon request. InPolicy shall not inform any third party of any Personal Data Breach without first obtaining the Controller’s prior written consent, unless required by applicable law.

7. Assistance to Customer and Audits

InPolicy will assist You with: (a) responding to Data Subject Requests; (b) data protection impact assessments; and (c) audits, on at least 30 days' prior written notice, no more than once per year, at Your expense, during normal business hours. InPolicy may satisfy audit obligations by providing a current SOC 2 report in lieu of a direct audit. Notwithstanding the foregoing, the Controller may conduct an additional audit in the event of a confirmed Personal Data Breach or upon reasonable belief that InPolicy is not in compliance with this DPA. The scope of any audit shall be limited to InPolicy’s processing of DPA Data and compliance with this DPA. The Controller’s auditor shall be bound by confidentiality obligations with respect to any information obtained during the audit. InPolicy shall provide reasonable cooperation and access to relevant facilities, systems, and personnel during any audit. InPolicy shall promptly remediate any material non-compliance identified during an audit at its own expense. To the extent requested by a Supervisory Authority, InPolicy shall make relevant information, facilities, and processing activities available for inspection.

8. Required Processing

If required by applicable law to process DPA Data outside Your Instructions, InPolicy will inform You in advance unless legally prohibited.

9. Security

9.1 InPolicy will implement and maintain a written information security program with the data security measures set out in the Security Addendum to protect DPA Data against unauthorized or accidental access, loss, alteration, disclosure, or destruction. Such measures shall include, at a minimum: (a) encryption of DPA Data in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent; (b) access controls based on the principle of least privilege; (c) multi-factor authentication for administrative access to systems processing DPA Data; (d) regular vulnerability assessments and penetration testing at least annually; (e) documented incident response procedures; (f) secure development lifecycle practices; and (g) regular employee security awareness training. InPolicy shall periodically review and update its security measures to address evolving threats and ensure they remain appropriate to the risk.

9.2 InPolicy will take appropriate steps to ensure all personnel authorized to process DPA Data maintain appropriate data protection standards. InPolicy shall ensure that all personnel with access to DPA Data: (a) have received appropriate training on data protection obligations; (b) are subject to enforceable confidentiality obligations; (c) process DPA Data only as instructed by the Controller and as permitted under this DPA; and (d) are subject to appropriate background verification checks to the extent permitted by applicable law. InPolicy shall maintain records of such training and make them available to the Controller upon reasonable request.

10. US Specific Data Protection Obligations

To the extent applicable under US State Privacy Law, InPolicy certifies it will: (a) only process DPA Data for purposes set out in this DPA; (b) not sell or share DPA Data; (c) not retain, use, or disclose DPA Data outside the direct business relationship; (d) provide no less than the level of privacy protection required by law; (e) not combine DPA Data with personal data from other sources except as permitted by law; (f) not reidentify deidentified data except to verify deidentification compliance; and (g) grant You the right to ensure InPolicy's compliance and remediate unauthorized use. InPolicy further certifies that it understands and will comply with the restrictions set forth in this Section 10. If InPolicy determines that it can no longer meet its obligations under this Section, it shall promptly notify the Controller and the Controller shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of DPA Data. InPolicy shall not make any material determination relating to the processing of DPA Data on behalf of the Controller other than in accordance with documented Instructions.

11. Obligations of Customer

11.1 You represent You have all necessary rights, consents, and authorizations to provide DPA Data to InPolicy.

11.2 You shall cooperate with InPolicy to assist in performing obligations under Data Protection Law.

11.3 You are responsible for implementing Service configurations in a secure manner compliant with applicable Data Protection Law.

11.4 You shall not provide DPA Data to InPolicy except through agreed mechanisms (e.g., not in support tickets or email).

12. Cross-Border Data Transfers

12.1 All DPA Data is stored and processed in the United States. InPolicy does not transfer DPA Data outside the United States. InPolicy shall not change the location of its data processing facilities or transfer DPA Data to a jurisdiction outside the United States without the Controller’s prior written consent. InPolicy shall ensure that all Subprocessors similarly store and process DPA Data exclusively within the United States unless otherwise agreed in writing with the Controller.

12.2 To the extent GDPR applies and Personal Data is transferred from the EEA, Module 2 (Controller to Processor) of the EEA SCCs is incorporated by reference. Controller acts as data exporter and InPolicy acts as data importer. The parties agree that the EEA SCCs shall be deemed completed as follows: (a) Clause 7 (the optional docking clause) is included; (b) in Clause 9, Option 2 (general written authorization) is selected, with a prior notice period of thirty (30) days; (c) in Clause 11, the optional language is not included; (d) in Clause 17, Option 1 is selected, with the governing law being the law of Ireland; and (e) in Clause 18(b), disputes shall be resolved before the courts of Ireland.

12.3 To the extent the UK GDPR applies and Personal Data is transferred from the United Kingdom, the International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner’s Office, or the UK Addendum to the EU Standard Contractual Clauses (as applicable), is incorporated by reference. Controller acts as data exporter and InPolicy acts as data importer.

12.4 InPolicy has conducted and maintains a transfer impact assessment evaluating the level of data protection afforded to DPA Data in the United States and has implemented supplementary measures where necessary. A copy of the transfer impact assessment is available upon request.

13. Future Regulations

Both parties agree to review this DPA if new AI-specific regulations are enacted, and to negotiate in good faith any amendments required for compliance. Either party may terminate upon written notice if new regulations render continued performance infeasible or unlawful. For the avoidance of doubt, this Section applies to legislation or binding regulation enacted or promulgated by a governmental authority with jurisdiction over one or both parties that specifically requires amendments to the terms governing the processing of Personal Data in connection with AI-powered services. The parties shall commence good faith negotiations within thirty (30) days of either party providing written notice that such legislation has been enacted. If the parties cannot reach agreement on required amendments within sixty (60) days of such notice, either party may terminate this DPA upon thirty (30) days’ written notice. During any negotiation period, both parties shall continue to perform their obligations under this DPA. Upon termination under this Section, InPolicy shall comply with its obligations under Section 14 (Retention Period).

14. Retention Period

Within 30 days following termination or upon Your reasonable request, InPolicy will return or securely delete all DPA Data, unless required by law to retain it. InPolicy will provide written confirmation of deletion upon request. Deletion shall be performed using industry-standard methods that render the data irrecoverable. If the Controller requests return of DPA Data, InPolicy shall provide such data in a commonly used, machine-readable format. Where applicable law requires InPolicy to retain any DPA Data beyond the retention period, InPolicy shall: (a) notify the Controller of the applicable legal requirement; (b) limit processing of the retained DPA Data to the purposes required by such law; (c) continue to apply the security and confidentiality obligations of this DPA to such retained data; and (d) securely delete such data promptly upon expiration of the applicable legal retention period. InPolicy shall ensure that each Subprocessor similarly deletes or returns all DPA Data in accordance with this Section.

14A. Liability

14A.1 Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the limitations and exclusions of liability set forth in the Agreement, and any reference to the liability of a party under the Agreement shall include the aggregate liability of that party and all of its affiliates under the Agreement and this DPA taken together.

14A.2 Nothing in this DPA shall limit either party’s liability with respect to: (a) either party’s indemnification obligations under the Agreement; (b) either party’s liability for willful misconduct or fraud; (c) any liability that cannot be limited under applicable law, including Data Protection Law; or (d) Data Subject claims arising from a party’s breach of its obligations under Data Protection Law.

14B. Term and Termination

14B.1 This DPA shall remain in effect for so long as InPolicy processes DPA Data on behalf of the Controller. Upon termination or expiration of the Agreement, this DPA shall automatically terminate, subject to InPolicy’s obligations under Section 14 (Retention Period), which shall survive termination.

14B.2 Sections 3 (Usage Data and No Training), 6 (Personal Data Breach), 9 (Security), 10 (US Specific Data Protection Obligations), 12 (Cross-Border Data Transfers), 14 (Retention Period), 14A (Liability), 15 (Defined Terms), and this Section 14B shall survive any termination or expiration of this DPA.

14C. Governing Law

This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions of the Agreement, unless otherwise required by Data Protection Law. To the extent that the EEA SCCs or the UK IDTA apply, the governing law and jurisdiction provisions specified therein shall take precedence with respect to the matters governed by such transfer mechanisms.

15. Defined Terms

"Content" means Input and Output collectively.

"Customer Data" means account and organizational data including user name, email, role, and policy documents uploaded to configure the Service, and the Tenant Knowledge Base maintained by InPolicy on Customer's behalf.

"Data Controller" means the entity determining the purposes and means of processing DPA Data (equivalent to "Business" under CCPA).

"Data Processor" means the entity processing DPA Data on behalf of the Data Controller (equivalent to "Service Provider" under CCPA).

"Data Protection Law" means applicable privacy law including CCPA (Cal. Civ. Code §§ 1798.100 et seq.) and GDPR (Regulation (EU) 2016/679).

"Data Subject" means an identified or identifiable natural person to which DPA Data relates.

"DPA Data" means Customer Data or Content that is Personal Data.

"EEA SCCs" means Module 2 (Controller to Processor) of the standard contractual clauses in European Commission Implementing Decision (EU) 2021/914.

"Instructions" means documented communications from You or the Agreement requiring InPolicy to provide the Service.

"Personal Data" means any information relating to an identifiable natural person protected under Data Protection Law.

"Personal Data Breach" means accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to DPA Data.

"Subprocessor" means an entity InPolicy engages to process DPA Data on InPolicy's behalf.

"Supervisory Authority" means an independent public authority with supervisory jurisdiction established pursuant to Article 51 of the GDPR.

"Tenant Knowledge Base" means the structured set of facts assembled and maintained by InPolicy for each customer organization solely to support effective policy enforcement decisions.

"Usage Data" means information reflecting access, interaction, or use of the Service including statistical analysis. Usage Data does not include Content or Customer Data.

"US State Privacy Law" means applicable US state privacy laws including CCPA, Virginia CDPA, Colorado Privacy Act, Connecticut TDPSA, and Utah Consumer Privacy Act.

"UK GDPR" means the United Kingdom General Data Protection Regulation, as defined in section 3(10) of the Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

"IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner’s Office under section 119A of the Data Protection Act 2018.

"Transfer Impact Assessment" means an assessment of the laws and practices of the destination country to determine whether they provide an adequate level of protection for Personal Data, conducted in accordance with the guidance of the European Data Protection Board or the UK Information Commissioner’s Office, as applicable.

Exhibit A — Subprocessors

Subprocessor                 | Purpose                    | Data Processed                      | Location
-----------------------------|----------------------------|-------------------------------------|--------------
Google Cloud Platform (GCP)  | Infrastructure and hosting | Customer Data, Usage Data           | United States
Google Cloud (Vertex AI)     | LLM inference              | Transient Content only (not stored) | United States

InPolicy will provide at least 30 days' notice before adding or replacing any Subprocessor.

Exhibit B — Details of Processing

Field                        | Details
-----------------------------|------------------------------------------------------------------------------------------------------------------------------
Subject matter               | AI-powered policy compliance and violation detection
Duration                     | For the term of the Agreement
Nature of processing         | Analysis, detection, classification, and notification; assembly and maintenance of Tenant Knowledge Base for policy enforcement context
Purpose                      | Providing the Services to Customer
Categories of Personal Data  | Account data (name, email, role); anonymous violation metadata; Tenant Knowledge Base
Categories of Data Subjects  | Customer's employees and authorized users