Data Processing Addendum

Version: 1.0  ·  Effective date: 17 June 2026  ·  Last updated: 17 June 2026

Introduction

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms of Service or other written agreement between you ("Customer") and Smart Unlimited Holding B.V. (trading as AnyForge) ("AnyForge") governing Customer's use of the AnyForge platform (the "Agreement"). It applies to the extent AnyForge processes Personal Data on behalf of Customer in connection with the Service. Capitalized terms not defined here have the meaning given in the Agreement.

If there is a conflict, this DPA prevails over the rest of the Agreement on matters of data protection, and the Standard Contractual Clauses referenced in Section 12 prevail over this DPA to the extent of any conflict.

1. Definitions

  • "Applicable Data Protection Law" means all laws and regulations relating to the processing of Personal Data that apply to a party, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the GDPR as incorporated into the law of the United Kingdom ("UK GDPR"), and the Swiss Federal Act on Data Protection, each as amended or replaced.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR.
  • "Customer Personal Data" means Personal Data contained within Customer Data that AnyForge processes on behalf of Customer under the Agreement.
  • "Sub-processor" means any third party engaged by AnyForge to process Customer Personal Data on AnyForge's behalf.
  • "Standard Contractual Clauses" or "SCCs" means the clauses approved by European Commission Implementing Decision (EU) 2021/914, and, for transfers subject to UK or Swiss law, the applicable UK and Swiss transfer mechanisms described in Section 12.

2. Roles and scope of processing

2.1 As between the parties, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) of Customer Personal Data, and AnyForge is the Processor. Where Customer acts as a Processor, AnyForge acts as a Sub-processor, and Customer warrants it has the authority of the relevant Controller to engage AnyForge on the terms of this DPA.

2.2 AnyForge will process Customer Personal Data only as a Processor on behalf of Customer. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.

3. Customer instructions and responsibilities

3.1 Instructions. AnyForge will process Customer Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case AnyForge will, where legally permitted, inform Customer first). The Agreement, this DPA, and Customer's configuration and use of the Service constitute Customer's complete and documented instructions. AnyForge will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

3.2 Customer responsibilities. Customer is responsible for the accuracy and lawfulness of Customer Personal Data and for ensuring it has a valid legal basis, has provided all required notices, and has obtained all necessary consents and rights to provide the data to AnyForge and to authorize the processing contemplated by the Agreement, including any transmission to providers Customer connects under Section 8.

4. AnyForge obligations

AnyForge will: (a) process Customer Personal Data only as described in this DPA; (b) implement and maintain the security measures in Section 6 and Annex II; (c) ensure persons authorized to process Customer Personal Data are bound by confidentiality; (d) assist Customer as set out in Sections 9 and 10; and (e) make available information reasonably necessary to demonstrate compliance with this DPA, as set out in Section 14.

5. Confidentiality

AnyForge will treat Customer Personal Data as confidential and will ensure that any personnel and Sub-processors authorized to process it are subject to a duty of confidentiality.

6. Security

6.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects, AnyForge will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II.

6.2 AnyForge may update its security measures from time to time, provided the updates do not materially reduce the overall level of protection of Customer Personal Data.

7. Sub-processors

7.1 General authorization. Customer provides general authorization for AnyForge to engage Sub-processors to process Customer Personal Data. A current list of Sub-processors is available on request from privacy@anyforge.ai.

7.2 New Sub-processors. AnyForge will notify Customer (for example, by updating the list or by email where Customer has subscribed to notifications) before authorizing any new Sub-processor. Customer may object on reasonable data protection grounds within thirty (30) days. The parties will work in good faith to resolve the objection; if they cannot, Customer may terminate the affected part of the Service as its sole remedy.

7.3 Flow-down and responsibility. AnyForge will impose data protection obligations on its Sub-processors that are no less protective than those in this DPA and remains responsible for its Sub-processors' performance of those obligations.

8. AI providers and other services connected under BYOK

8.1 The Service operates on a "bring your own key" basis. Where Customer connects an artificial intelligence provider or other third-party service using Customer's own credentials, Customer authorizes and instructs AnyForge to transmit Customer Personal Data to that provider as necessary to deliver the Service in accordance with Customer's configuration.

8.2 Any such provider is engaged directly by Customer under Customer's own agreement with that provider and is not a Sub-processor of AnyForge. Customer is responsible for that provider's data processing terms, for the lawfulness of the transmission, and for ensuring an appropriate transfer mechanism applies to any Personal Data the provider processes. AnyForge's responsibility is limited to transmitting Customer Personal Data in accordance with Customer's instructions and configuration.

9. Data Subject requests

Taking into account the nature of the processing, AnyForge will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. If AnyForge receives such a request directly, it will, where legally permitted, advise the Data Subject to submit the request to Customer and will not respond except on Customer's instructions.

10. Assistance

Taking into account the nature of processing and the information available to it, AnyForge will provide reasonable assistance to Customer with: (a) the security of processing; (b) notification of Personal Data Breaches to Supervisory Authorities and Data Subjects; and (c) data protection impact assessments and prior consultations with Supervisory Authorities. AnyForge may charge a reasonable fee for assistance that exceeds the functionality of the Service or requires significant effort, having notified Customer in advance.

11. Personal Data Breach notification

11.1 AnyForge will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

11.2 The notification will include the information then available to AnyForge to help Customer meet its own breach obligations, and AnyForge will provide further information as it becomes available. AnyForge's notification is not an acknowledgment of fault or liability.

12. International transfers

12.1 AnyForge will not transfer Customer Personal Data outside the European Economic Area, the United Kingdom, or Switzerland except where an appropriate transfer mechanism under Applicable Data Protection Law is in place.

12.2 Where AnyForge processes Customer Personal Data that is subject to the GDPR and transfers it to a country without an adequacy decision, the SCCs (Module Two, controller to processor, or Module Three, processor to processor, as applicable) are incorporated into this DPA by reference and completed as follows: the data exporter is Customer; the data importer is AnyForge; the optional docking clause applies; the option for general Sub-processor authorization in Clause 9 applies with the notice period in Section 7.2; Annex I, II, and III to this DPA populate the corresponding SCC Annexes; and the governing law and forum are those identified in Annex I or, failing that, the law and courts of the Netherlands.

12.3 For transfers subject to UK law, the UK International Data Transfer Addendum to the SCCs applies and is incorporated by reference. For transfers subject to Swiss law, the SCCs apply with the amendments necessary to align them with Swiss requirements, including references to the Swiss Federal Data Protection and Information Commissioner.

13. Return and deletion

On termination or expiry of the Agreement, AnyForge will, at Customer's choice, delete or return Customer Personal Data, and delete existing copies, within a reasonable period, unless retention is required by law. Backup copies will be deleted in the ordinary course of AnyForge's backup cycle.

14. Audits

14.1 AnyForge will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer.

14.2 To the extent permitted, AnyForge may satisfy its obligation under Section 14.1 by providing relevant third-party certifications or audit reports (such as SOC 2 or ISO 27001) where available.

14.3 Any audit will be on at least thirty (30) days' prior written notice, during normal business hours, no more than once in any twelve (12) month period (except where required by a Supervisory Authority or following a Personal Data Breach), subject to confidentiality, conducted so as not to unreasonably disrupt AnyForge's operations, and at Customer's expense.

15. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the exclusions and limitations of liability set out in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together.

16. Term

This DPA takes effect when Customer accepts the Agreement or begins using the Service, whichever is earlier, and continues until AnyForge has ceased all processing of Customer Personal Data. Provisions that by their nature should survive termination will survive.

17. General

17.1 Order of precedence. In the event of conflict on data protection matters, the order of precedence is: (1) the SCCs; (2) this DPA; (3) the remainder of the Agreement.

17.2 Changes. AnyForge may update this DPA where necessary to comply with Applicable Data Protection Law or to reflect changes to the Service, provided the changes do not materially reduce the protection of Customer Personal Data.

17.3 Governing law. Except where the SCCs or Applicable Data Protection Law require otherwise, this DPA is governed by the law that governs the Agreement.

Annex I — Details of processing

A. Parties. Data exporter: Customer, as identified in the Agreement. Data importer: Smart Unlimited Holding B.V. (trading as AnyForge), Den Hout, the Netherlands, providing the AnyForge platform.

B. Description of processing.

  • Subject matter: provision of the AnyForge governance and orchestration platform under the Agreement.
  • Duration: the term of the Agreement plus any period until deletion or return of Customer Personal Data under Section 13.
  • Nature and purpose: hosting, storage, routing, logging, and processing of Customer Data as necessary to provide, secure, and maintain the Service, including transmitting data to providers Customer connects under Section 8.
  • Types of Personal Data: as determined and submitted by Customer, for example: identifiers, business contact details, account identifiers, and any Personal Data contained in prompts, content, or configurations Customer routes through the Service. Customer must not submit special categories of Personal Data unless agreed in writing.
  • Categories of Data Subjects: as determined by Customer, for example: Customer's personnel, end users, and other individuals whose data Customer includes in Customer Data.
  • Frequency: continuous, for the duration of the Agreement.

C. Competent Supervisory Authority. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens), or the authority determined under SCC Clause 13.

Annex II — Technical and organizational measures

AnyForge maintains the following measures, which it may update provided the overall level of protection is not materially reduced:

  • Encryption: encryption of Customer Personal Data in transit using current protocols (for example, TLS) and at rest where appropriate.
  • Access control: role-based access on a least-privilege basis, unique credentials, and multi-factor authentication for administrative access.
  • Network and infrastructure security: segmentation, firewalls, and use of reputable cloud infrastructure providers with recognized security certifications.
  • Logging and monitoring: logging of access and significant events, and monitoring for anomalous or unauthorized activity.
  • Secure development: secure software development practices, change management, and vulnerability management including regular patching.
  • Resilience and backup: backup of data and measures to restore availability and access in a timely manner after an incident.
  • Incident response: a documented process to detect, investigate, and respond to security incidents and Personal Data Breaches.
  • Personnel: confidentiality obligations and security awareness training for personnel.
  • Data segregation: logical separation of different customers' data.
  • Credential handling (BYOK): provider credentials supplied by Customer are stored with protection appropriate to their sensitivity and used only to operate the Service.

Annex III — Sub-processors

The current list of Sub-processors, including the processing they perform and their location, is available on request from privacy@anyforge.ai and forms part of this DPA. The list is updated in accordance with Section 7.2.