Data Processing Addendum

Version 1.0 — Effective

This Data Processing Addendum (the "DPA") forms part of the Agreement between OurBase IA SL ("Processor") and the customer named in the Order Form ("Controller") and governs the Processing of Personal Data by OurBase on behalf of Controller in connection with the Service.

1. Definitions

Capitalised terms not defined here have the meaning given in the Agreement. The terms "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," and "Supervisory Authority" have the meaning given in the GDPR. "Applicable Data Protection Law" means the GDPR, the UK GDPR, Spanish Organic Law 3/2018, and any other data protection or privacy law that applies to the Processing.

2. Scope and Roles

2.1 Roles. Controller is the controller and Processor is the processor of the Personal Data described in Appendix 1.

2.2 Duration. This DPA applies for as long as Processor Processes Personal Data on behalf of Controller under the Agreement.

3. Processing Instructions

3.1 Documented instructions. Processor will Process Personal Data only on Controller's documented instructions, including those in the Agreement, this DPA, and any reasonable written instructions given through the Service interface or Controller's account. Using the Service as designed is itself a documented instruction.

3.2 Legal requirement. If Processor is required by Union or Member State law to Process Personal Data otherwise than on Controller's instructions, it will inform Controller of that requirement before Processing, unless the law prohibits such notice on important grounds of public interest.

3.3 Unlawful instructions. Processor will inform Controller without undue delay if, in its opinion, an instruction infringes Applicable Data Protection Law.

4. Processing Details

The subject matter, duration, nature and purpose of the Processing, the categories of Personal Data, and the categories of Data Subjects are set out in Appendix 1 below.

5. Confidentiality

Processor will ensure that persons authorised to Process Personal Data are bound by appropriate confidentiality obligations and have received adequate training on Applicable Data Protection Law.

6. Security of Processing

6.1 Measures. Processor will implement and maintain the technical and organisational measures set out in Appendix 2 below, as required by Article 32 GDPR.

6.2 Review. Processor may update its security measures from time to time, provided that the updated measures do not materially reduce the overall level of protection.

7. Sub-processors

7.1 General authorisation. Controller grants Processor general written authorisation to engage sub-processors to assist in providing the Service. The current list of sub-processors is maintained in Appendix 3 below.

7.2 New sub-processors. Processor will give Controller at least thirty (30) days' prior notice of any addition or replacement of a sub-processor, by publishing an updated list and notifying Controller's notices contact. Controller may object to the change on reasonable data protection grounds within that period. If the parties cannot agree on a resolution, Controller may terminate the affected part of the Service on written notice, with a pro rata refund of any pre-paid Fees for the unused period.

7.3 Flow-down terms. Processor will impose on each sub-processor, by written contract, data protection obligations that are no less protective than those in this DPA. Processor remains fully liable to Controller for the performance of each sub-processor's obligations.

8. Data Subject Rights

Taking into account the nature of the Processing, Processor will assist Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Chapter III GDPR, including access, rectification, erasure, restriction, portability, and objection. If Processor receives a request directly from a Data Subject, it will not respond to the Data Subject except to direct them to Controller, and will forward the request to Controller without undue delay.

9. Other Assistance

Processor will provide reasonable assistance to Controller in ensuring compliance with its obligations under Articles 32 to 36 GDPR, including security of processing, personal data breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the nature of the Processing and the information available to Processor.

10. Personal Data Breach Notification

10.1 Notice. Processor will notify Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data.

10.2 Content. The notification will include, to the extent known at the time and updated as further information becomes available:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
  • The likely consequences; and
  • The measures taken or proposed to address the breach and to mitigate its possible adverse effects.

11. Return or Deletion of Personal Data

On termination or expiry of the Agreement, Processor will, at Controller's choice, delete or return all Personal Data to Controller and delete existing copies, unless retention is required by Union or Member State law. Where Controller has not made an election within thirty (30) days of termination, Processor may delete the Personal Data in the ordinary course of its retention policy.

12. Audits

12.1 Information. Processor will make available to Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR, including by providing summaries of its most recent third-party audit reports or certifications (such as ISO 27001 or SOC 2), where available.

12.2 On-site audits. If the information provided under Clause 12.1 is not sufficient to demonstrate compliance, Controller may, no more than once per year and on at least thirty (30) days' prior written notice, conduct an on-site audit during normal business hours, subject to reasonable confidentiality and security obligations. Each party bears its own costs, except that Controller will reimburse Processor's reasonable costs where an audit is required as a result of a Supervisory Authority instruction.

13. International Transfers

Where Processing involves the transfer of Personal Data outside the European Economic Area or the United Kingdom to a country that does not benefit from an adequacy decision, the parties will put in place an appropriate transfer mechanism under Applicable Data Protection Law, including the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum where relevant. The Standard Contractual Clauses are hereby incorporated by reference and deemed executed by the parties with the following selections: Clause 7 docking clause not applicable; Clause 9 general authorisation under Option 2 with thirty (30) days' notice; Clause 11 independent dispute resolution not applicable; Clause 17 governed by Spanish law; Clause 18 competent courts in Madrid, Spain. Appendices to the Standard Contractual Clauses are completed by reference to Appendices 1 to 3 of this DPA.

14. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits either party's liability to Data Subjects under Applicable Data Protection Law.

15. Order of Precedence

In the event of any conflict or inconsistency between this DPA and the body of the Agreement in relation to the Processing of Personal Data, this DPA prevails. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.

Appendix 1 — Description of Processing

A. Parties

Data Exporter / Controller: the Customer identified in the Order Form.

Data Importer / Processor: OurBase IA SL, Plaza del Conde del Valle de Súchil, 19 2D, 28015 Madrid, Spain. Privacy contact: privacy@ourbase.ai.

B. Subject Matter and Duration

Subject matter: Processing of Personal Data by OurBase to provide the Service described in the Agreement.

Duration: The Term of the Agreement, plus any period required for deletion or return of Personal Data in accordance with Clause 11 of this DPA.

C. Nature and Purpose of Processing

Hosting and storing Personal Data submitted by Controller or accessed by the Service on Controller's instructions; executing Agentic Loops and related agent workflows on Controller's behalf; generating outputs, logs, and traces; providing support and troubleshooting; and any other Processing reasonably necessary to operate the Service.

D. Categories of Data Subjects

As determined by Controller, which may include:

  • Controller's employees, contractors, and Authorised Users;
  • Controller's customers and prospects;
  • Controller's suppliers and business contacts; and
  • Any other individuals whose Personal Data Controller chooses to submit to the Service or to allow the Service to access.

E. Categories of Personal Data

As determined by Controller, which may include:

  • Identification data (name, username, employee or customer ID);
  • Contact data (email address, phone number, postal address);
  • Professional data (job title, employer, team);
  • Communications data (email content, chat messages, meeting notes);
  • Technical data (IP address, device identifiers, log data);
  • Content submitted to agents (prompts, uploaded files, connected-system content);
  • Outputs generated by agents on behalf of Controller.

F. Special Category Data

Not expected in the ordinary course. Controller is responsible for not submitting special category data within the meaning of Article 9 GDPR or criminal-offence data within the meaning of Article 10 GDPR through the Service, unless the parties have agreed additional safeguards in writing.

G. Frequency of Processing

Continuous, for the duration of the Agreement.

Appendix 2 — Technical and Organisational Measures

OurBase implements and maintains the following technical and organisational measures to protect Personal Data, as required by Article 32 GDPR. The specific controls in place at any given time are described in OurBase's then-current security documentation, which is made available to Controller on request.

A. Access Control

  • Role-based access controls and the principle of least privilege for personnel with access to Personal Data.
  • Multi-factor authentication for all administrative access to production systems.
  • Centralised identity management with prompt revocation of access on role change or termination.

B. Encryption

  • Encryption of Personal Data in transit using TLS 1.2 or higher.
  • Encryption of Personal Data at rest using industry-standard algorithms (e.g. AES-256).
  • Secure key management with restricted access and regular rotation.

C. Network and Infrastructure Security

  • Segregated production and non-production environments.
  • Firewalling, network segmentation, and monitored perimeter controls.
  • Regular vulnerability scanning and timely patching of known vulnerabilities.

D. Application and Development Security

  • Secure software development lifecycle, including peer code review and automated security testing.
  • Risk-based security testing.
  • Dependency scanning and prompt remediation of critical vulnerabilities.

E. Logging and Monitoring

  • Centralised logging of access to Personal Data and security-relevant events.
  • Monitoring and alerting for anomalous activity and suspected Personal Data Breaches.
  • Retention of audit logs for a period appropriate to the risk.

F. Resilience and Business Continuity

  • Regular encrypted backups of Personal Data with periodic restoration testing.
  • Documented business continuity and disaster recovery procedures.
  • Capacity planning and monitoring to maintain availability of the Service.

G. Personnel

  • Background checks on personnel with access to Personal Data, where permitted by law.
  • Confidentiality undertakings from all personnel with access to Personal Data.
  • Periodic data protection and security awareness training.

H. Incident Response

  • Documented incident response plan covering detection, containment, eradication, recovery, and notification.
  • Defined roles, responsibilities, and escalation paths for Personal Data Breaches.
  • Post-incident review to identify and implement corrective actions.

I. Vendor Management

  • Due diligence on sub-processors, including review of their security posture.
  • Contractual data protection and security obligations imposed on all sub-processors.
  • Ongoing monitoring of sub-processor performance.

Appendix 3 — Sub-processors

OurBase engages the following sub-processors to assist in providing the Service. This list may be updated in accordance with Clause 7 of this DPA.

Sub-processor | Purpose | Location | Transfer mechanism
Amazon Web Services EMEA SARL | Cloud hosting, storage, compute | EU (eu-central-1, Frankfurt) | Within EEA — N/A
Anthropic PBC | Large language model inference | US / EU | SCCs + supplementary measures
OpenAI Ireland Ltd | Large language model inference | EU / US | SCCs + supplementary measures
Slack Technologies Limited | Customer support and service delivery communications | US / EU | SCCs + supplementary measures

OurBase keeps this list current and notifies Controller of additions or replacements in accordance with Clause 7.2 of this DPA.

Contact

For questions about this DPA, please contact:

OurBase IA SL
Plaza del Conde del Valle de Súchil, 19 2D
Madrid, 28015, Spain
Email: privacy@ourbase.ai