Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Business Terms of Service (the “Agreement”) between Kindred AI, PBC (“Kindred”) and the business customer identified in the Agreement or relevant order form (“Customer”). It applies whenever Kindred processes Personal Data on Customer's behalf in connection with the Kindred platform.

Where the Agreement and this DPA conflict on the subject of personal data processing, this DPA controls. In all other respects the Agreement remains in force.

Capitalized terms not defined here have the meaning given in the Agreement or in the GDPR (Regulation (EU) 2016/679). The following short forms apply throughout:

• Personal Data means information relating to an identified or identifiable natural person that Kindred processes on Customer's behalf under the Agreement.
• Data Subject means the natural person to whom Personal Data relates.
• Controller and Processor have the meaning given in the GDPR.
• Subprocessor means a third party engaged by Kindred to process Personal Data in support of the platform, as listed at Subprocessor List.
• Data Protection Laws means the laws applicable to the processing of Personal Data under this DPA, including the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act, and any successor or equivalent laws.

For Personal Data Customer submits to the platform or that Kindred otherwise processes on Customer's behalf in connection with the Agreement, Customer is the Controller and Kindred is the Processor. Where Customer acts as a processor for its own customer who is the controller, Kindred acts as the sub-processor and the obligations in this DPA flow accordingly.

Kindred processes Personal Data only as necessary to provide, secure, and improve the platform under the Agreement and on Customer's documented instructions. The Agreement and this DPA constitute Customer's complete and final documented instructions to Kindred. Additional or alternative instructions must be agreed in writing.

Subject matter: the provision of the Kindred platform. Duration: for the term of the Agreement and until deletion of Customer Personal Data under this DPA. Nature of processing: hosting, storage, transmission, AI inference, search, export, and routine operational processing required to deliver the platform. Categories of Data Subjects: Customer's authorized users and any individuals identifiable in content Customer submits. Categories of Personal Data: account identifiers and credentials, queries and uploaded content (which may include any category of personal data Customer chooses to submit), platform usage records, and operational logs.

Kindred will:

• process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required by applicable law;
• ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations;
• implement the technical and organizational measures described under Security Measures below;
• assist Customer, taking into account the nature of the processing, with responding to Data Subject requests and with Customer's obligations under Articles 32 to 36 GDPR;
• make available to Customer the information necessary to demonstrate compliance with this DPA; and
• not sell Personal Data or share it for cross-context behavioral advertising within the meaning of applicable U.S. state privacy laws.

Customer provides general written authorization for Kindred to engage Subprocessors. The current Subprocessors are listed at Subprocessor List. Kindred ensures that each Subprocessor is bound by data protection obligations no less protective than those in this DPA.

Kindred will provide Customer at least thirty (30) days' prior written notice of a new Subprocessor by email to the account contact and by updating the Subprocessor List. Customer may object on reasonable grounds related to data protection within that period. If a reasonable objection cannot be resolved, Customer may terminate the affected portion of the service with no refund of fees attributable to use already made and a pro-rata refund of unused prepaid fees.

Taking into account the nature of the processing, Kindred will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Data Protection Laws. Where Kindred receives a Data Subject request relating to Customer's Personal Data, Kindred will, unless prohibited by law, refer the Data Subject to Customer and notify Customer.

Kindred implements and maintains technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, including those summarized in the Trust Center and the public security architecture page, and any further measures specified in an order form or annex. Kindred may update its measures from time to time provided the level of protection is not materially decreased.

Kindred will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any Personal Data breach affecting Personal Data processed under this DPA. The notice will describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned (to the extent known), the likely consequences, and the measures taken or proposed to address it.

On termination or expiration of the Agreement, and at Customer's written request received within thirty (30) days, Kindred will return or delete all Personal Data processed under this DPA, unless retention is required by applicable law. Absent a written request within that window, Kindred will delete the Personal Data in the ordinary course in accordance with our retention practices and the Privacy Policy.

Kindred will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including current third-party audit reports and security documentation, on request and subject to confidentiality undertakings. Where a Data Protection Law specifically requires an on-site audit and the information made available is not sufficient, Customer may, at its expense and with reasonable advance notice, audit Kindred's processing during business hours and in a manner that does not unreasonably disrupt operations, no more than once per calendar year unless required more often by a competent authority.

Where Kindred transfers Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that does not provide an adequate level of protection under Data Protection Laws, the transfer is governed by the EU Standard Contractual Clauses (Module Two: Controller-to-Processor or Module Three: Processor-to-Processor, as applicable), the UK International Data Transfer Addendum, and the Swiss data protection safeguards, each as may be amended from time to time. The relevant modules and addendum are incorporated by reference and, on execution, will be attached as Annex A. [TODO: attach executed SCC modules and UK Addendum as Annex A.]

This DPA is governed by the law and jurisdiction provisions of the Agreement, except where Data Protection Laws require otherwise. If a court or supervisory authority of competent jurisdiction holds any provision of this DPA invalid or unenforceable, the remainder remains in full force, and the parties will negotiate in good faith a replacement provision that gives effect to the original intent.

For DPA questions or to request a countersigned copy, email legal@bekindred.ai. Notices to Kindred AI, PBC should be sent to [TODO: registered address]. Our data protection contact is [TODO: privacy/DPO contact name and address].