Data Processing Addendum
Introduction
This Data Processing Addendum ("DPA") forms part of the agreement between Lets Imagine, LLC d/b/a HumanDeploy ("Processor" or "HumanDeploy") and the customer identified in the Terms of Service ("Controller" or "Customer") for the provision of the HumanDeploy service (the "Principal Agreement"). This DPA reflects the parties' agreement with respect to the Processing of Personal Data by HumanDeploy on behalf of Customer in connection with the Service.
In the event of a conflict between this DPA and the Principal Agreement, this DPA prevails with respect to the Processing of Personal Data.
1. Definitions
"Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR, the UK GDPR, the CCPA/CPRA, PIPEDA, the Australian Privacy Act 1988, and the LGPD.
"Personal Data" means any information relating to an identified or identifiable natural person contained in Customer Data and Processed by HumanDeploy.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Sub-processor" means any third party engaged by HumanDeploy to Process Personal Data on behalf of Customer.
"Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data Processed by HumanDeploy.
2. Roles and Scope of Processing
2.1 Role of the Parties
Customer is the Controller (or a Processor acting on behalf of a Controller) and HumanDeploy is the Processor (or Sub-processor, respectively). HumanDeploy will Process Personal Data only on documented instructions from Customer, including with regard to transfers to third countries, unless required to do so by applicable law, in which case HumanDeploy will inform Customer of that legal requirement before Processing unless the law prohibits such notice.
2.2 Customer Instructions
Customer's instructions are set forth in the Principal Agreement, this DPA, and Customer's use of the Service. Customer may provide additional written instructions. HumanDeploy will inform Customer if an instruction infringes Data Protection Laws.
2.3 Details of Processing
The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Annex I.
2.4 No Sale or Sharing
HumanDeploy will not sell Personal Data, share it for cross-context behavioral advertising, retain, use, or disclose it outside the direct business relationship between the parties or for any purpose other than providing the Service, or combine it with Personal Data received from other sources, except as expressly permitted by the CCPA/CPRA.
2.5 AI Training Restriction
HumanDeploy will not use Personal Data to train or fine-tune foundation AI models. Any learning derived from Customer's Personal Data is confined to that Customer's own Business Context Graph and is not applied to or shared with any other customer.
3. Confidentiality
HumanDeploy will ensure persons authorized to Process Personal Data are bound by written confidentiality obligations or statutory confidentiality. HumanDeploy limits access to those who need it to perform the Service.
4. Sub-Processors
4.1 General Authorization
Customer provides general authorization for HumanDeploy to engage Sub-processors. A current list is maintained at humandeploy.ai/sub-processors.
4.2 Sub-processor Obligations
HumanDeploy will enter written agreements with each Sub-processor containing data protection obligations no less protective than this DPA. HumanDeploy remains fully liable for Sub-processor failures.
4.3 Notice of Changes
HumanDeploy will give at least 30 days' prior notice of any intended addition or replacement of a Sub-processor, by updating the list referenced in Section 4.1 or by email to Customer.
4.4 Objection Right
Customer may object on reasonable data protection grounds within 30 days of notice. The parties will work in good faith to resolve objections. Unresolved objections allow Customer to terminate that portion of the Service and receive a refund of unused prepaid fees.
5. Security
5.1 Technical and Organizational Measures
HumanDeploy implements appropriate technical and organizational measures to protect Personal Data, taking into account state of the art, implementation costs, nature, scope, context, and purposes of Processing. Measures are described in Annex II.
5.2 Personnel
HumanDeploy ensures personnel receive regular training on data protection and are subject to background checks where permitted by law.
6. Security Incidents
HumanDeploy will notify Customer without undue delay, and in any event no later than 72 hours, after becoming aware of a Security Incident. To the extent known at the time, the notice will describe the nature of the incident (including the categories and approximate number of affected Data Subjects and records), its likely consequences, the measures taken or proposed to address it, and a point of contact for further information. Information not available at the time of the initial notice will be provided in phases as it becomes available.
7. Data Subject Rights
HumanDeploy will assist Customer by appropriate technical and organizational measures to respond to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection). If HumanDeploy receives a direct request, it will promptly forward it to Customer and respond only as required by law.
8. Data Protection Impact Assessments
HumanDeploy will provide reasonable assistance to Customer, at Customer's cost, with DPIAs and prior consultations with supervisory authorities that Customer is required to conduct under Data Protection Laws.
9. International Data Transfers
9.1 Transfer Mechanisms
Transfers from EEA, UK, or Switzerland to a non-adequate country are governed by Standard Contractual Clauses (incorporated by reference). Module Two (Controller-Processor) applies where Customer is Controller; Module Three (Processor-Processor) where Customer is itself Processor.
9.2 SCC Selections
Clause 7 (Docking) applies; Clause 9(a) Option 2 applies with 30-day notice; Clause 17 Option 1 applies (governing law: Ireland); Clause 18(b) selects Irish courts.
9.3 UK Transfers
Transfers from UK are governed by the UK Addendum (incorporated by reference). Neither party may terminate it under Section 19.
9.4 Swiss Transfers
Transfers from Switzerland are governed by the SCCs with the following modifications: references to the GDPR are read to include the Swiss Federal Act on Data Protection (FADP); the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC); and, for transfers subject only to the FADP, the governing law and forum are Swiss.
9.5 Data Privacy Framework
Where HumanDeploy or a Sub-processor is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework, the parties may rely on that certification as an alternative transfer mechanism for the relevant transfers.
10. Audits
HumanDeploy will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer. Audits will occur no more than once per year (except where required by a supervisory authority or following a Security Incident), on at least 30 days' written notice, during normal business hours, and subject to reasonable confidentiality obligations. HumanDeploy may satisfy an audit request in the first instance by providing current third-party audit reports (e.g., SOC 2) or by responding to written security questionnaires.
11. Deletion and Return of Personal Data
Upon termination or expiry of the Principal Agreement, HumanDeploy will, at Customer's choice, delete or return all Personal Data and delete existing copies, unless applicable law requires retention. Deletion from production systems occurs within 30 days following termination; Personal Data in backups is deleted or overwritten in the ordinary course within 90 days. Customer may request written certification of deletion.
12. Liability
Each party's liability under this DPA is subject to the limitations in the Principal Agreement. Nothing limits either party's liability to Data Subjects under SCC third-party beneficiary rights.
13. Miscellaneous
13.1 Order of Precedence
This DPA prevails over the Principal Agreement for Personal Data Processing. In conflict with SCCs, SCCs prevail.
13.2 Governing Law
This DPA is governed by the Principal Agreement's governing law, except SCC provisions are governed as set forth in Section 9.
13.3 Severability
If any DPA provision is invalid, remaining provisions remain in full force.
ANNEX I — DETAILS OF PROCESSING
A. List of Parties: Data Exporter: Customer (Controller or Processor on behalf of a Controller). Data Importer: Lets Imagine, LLC d/b/a HumanDeploy (Processor). Contact: privacy@humandeploy.ai.
B. Subject Matter and Duration: Provision of HumanDeploy Service. Duration: for the term of the Principal Agreement and until deletion of Personal Data per Section 11.
C. Nature and Purpose: Collection, storage, organization, structuring, analysis, retrieval, consultation, use, disclosure to Sub-processors, erasure of Personal Data for Service delivery, security, and improvement.
D. Categories of Data Subjects: Customer's employees, contractors, users; prospects, leads, end customers; recipients of Customer's marketing, sales, communications; other natural persons in Customer Data.
E. Categories of Personal Data: Identification (name, title, company); Contact (email, phone, address); Professional (role, seniority, employer, industry); Communications (Slack messages, requests, feedback); Commercial (pipeline, activity, usage); Technical (IP, device IDs, logs).
F. Special Categories: None intentionally Processed. Customer will not submit special category data without prior written agreement and safeguards.
G. Frequency of Transfer: Continuous for the Principal Agreement duration.
H. Retention Period: For the duration and 30 days after termination (90 for backups), unless longer retention is required by law.
I. Competent Supervisory Authority: EU: Irish Data Protection Commission. UK: UK Information Commissioner's Office. Switzerland: Swiss Federal Data Protection and Information Commissioner (FDPIC).
ANNEX II — TECHNICAL AND ORGANIZATIONAL MEASURES
HumanDeploy implements:
• Encryption: TLS 1.2 or higher for data in transit; AES-256 for data at rest; encryption of stored credentials and tokens
• Access Control: Role-based access, least-privilege, MFA, SSO, quarterly reviews, immediate revocation
• Network & Infrastructure: hosting on ISO 27001-certified and SOC 2-attested cloud infrastructure; firewalls, intrusion detection, and network segmentation; regular vulnerability scanning; annual penetration tests
• Application Security: Secure SDLC, code review, SAST/DAST, dependency scanning, input validation, parameterized queries
• Logging & Monitoring: centralized logging of access, authentication, and administrative actions; monitoring with on-call response; log retention of at least 12 months
• Business Continuity: Regular tested backups; documented recovery plans; defined RTO/RPO
• Personnel: Background checks (where permitted); confidentiality agreements; annual training
• Sub-processor Management: Security due diligence; written agreements; ongoing monitoring
• Incident Response: documented incident response plan; 24x7 monitoring; Customer notification within 72 hours per Section 6
• AI-Specific: enterprise AI endpoints with zero or short-term data retention by the provider; contractual no-training commitments from AI providers; per-Customer isolation of Business Context Graphs; logging of AI interactions