
Data Processing Addendum

Last updated: March 19, 2026 · GDPR Article 28 · UK GDPR · CCPA Service Provider Terms


Enterprise customers: This is RadMah AI's standard DPA, which takes legal effect without countersignature. If your procurement or regulatory requirements demand a separately countersigned DPA, contact legal@radmah.ai.

About This Document

This Data Processing Addendum ("DPA") forms part of the agreement between ITLOX Inc. ("Processor") and you, the customer ("Controller"), and governs RadMah AI's processing of personal data on your behalf in connection with the RadMah AI platform and services. This DPA is incorporated into and subject to the RadMah AI Terms of Service (www.radmah.ai/legal/terms). In the event of any conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA shall prevail.

This DPA is intended to satisfy the requirements of:

— GDPR Article 28 (processor contracts)
— UK GDPR Article 28
— Swiss revFADP equivalent obligations
— CCPA/CPRA service provider contract requirements
— Other applicable data protection legislation requiring a data processing agreement

Enterprise customers requiring a bespoke, countersigned DPA (for example, for audit, procurement, or regulatory purposes) should contact legal@radmah.ai. The terms below represent RadMah AI's standard DPA terms and take legal effect upon your use of the Service without requiring a countersigned instrument, unless your Enterprise contract specifies otherwise.

1. Definitions

In this DPA:

"Applicable Data Protection Law" means all applicable data protection and privacy legislation in force, including but not limited to the GDPR (Regulation (EU) 2016/679), the UK GDPR and Data Protection Act 2018, the Swiss revFADP, the California Consumer Privacy Act (CCPA) as amended by the CPRA, Brazil's LGPD, and any other applicable national or regional data protection law.

"Controller" means you, the customer, who determines the purposes and means of processing of Personal Data that is uploaded to or generated within the Service.

"Data Subject" means any identified or identifiable natural person whose Personal Data is processed under this DPA.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law, that is submitted to or processed through the Service by or on behalf of the Controller.

"Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processor" means ITLOX Inc., acting on the instructions of the Controller to process Personal Data for the purposes of delivering the Service.

"Processing" has the meaning given under Applicable Data Protection Law and includes any operation performed on Personal Data.

"Reference Dataset" means data uploaded by the Controller for use as statistical input for synthetic data generation, which may contain Personal Data.

"Service" means the RadMah AI synthetic data generation platform, including all engines, APIs, dashboards, and associated services.

"Sub-processor" means any natural or legal person engaged by the Processor to carry out processing activities on behalf of the Controller.

"Supervisory Authority" means the competent data protection authority in the relevant jurisdiction.

2. Subject Matter, Nature, and Purpose of Processing

2.1 Subject Matter. RadMah AI processes Personal Data that the Controller uploads as Reference Datasets for the sole purpose of providing the synthetic data generation Service as described in the Terms of Service.

2.2 Nature of Processing. Processing activities may include: storage, retrieval, analysis of statistical distributions and schema structures, computation of differentially private aggregate statistics, and deletion.

2.3 Purpose. The purpose of processing is limited to: (a) executing the Controller's generation and training jobs; (b) maintaining job metadata and evidence bundles; (c) providing the Service as contracted; and (d) complying with legal obligations.

2.4 Duration. Processing continues for the duration of the Controller's active subscription and for up to 30 days following termination or Account deletion, during which the Controller may export data. After 30 days, Personal Data is deleted per Section 10.

2.5 Types of Personal Data. The types of Personal Data processed depend entirely on the Reference Datasets provided by the Controller. RadMah AI does not pre-specify or require the use of any particular category of Personal Data. Common categories uploaded by customers include: names and contact information, IP addresses, transactional records, employment records, health or operational records (for healthcare and critical infrastructure customers), and network or security event data. RadMah AI strongly recommends that Controllers avoid uploading special category personal data (as defined under GDPR Article 9) unless they have a documented lawful basis and have implemented appropriate safeguards. Controllers must contact RadMah AI to discuss additional safeguards before uploading special category data.

2.6 Categories of Data Subjects. Data Subjects may include the Controller's employees, customers, end users, operational personnel, or any other individuals whose data is included in Reference Datasets.

3. Controller Obligations

The Controller warrants and represents that:

3.1 It has a documented lawful basis under Applicable Data Protection Law (e.g., consent, contract, legitimate interest) for processing the Personal Data that it uploads to the Service as a Reference Dataset.

3.2 It has provided all required notices and obtained all required consents from Data Subjects whose data is included in Reference Datasets.

3.3 It has conducted (or is not required to conduct) any applicable Data Protection Impact Assessment (DPIA) under GDPR Article 35 prior to uploading Reference Datasets that may result in high risks to Data Subjects' rights.

3.4 It will use the Service only in accordance with the Terms of Service and this DPA.

3.5 It will not upload any Reference Dataset that contains Personal Data of children under 18 years of age without specific prior consent and documented lawful basis.

3.6 It will promptly notify RadMah AI if it becomes aware of any inaccuracy in a Reference Dataset that may affect the lawfulness of processing.

3.7 The Controller is solely responsible for all decisions relating to the scope, content, and lawful basis of any Reference Dataset it uploads.

4. Processor Obligations

RadMah AI, as Processor, shall:

4.1 Instructions. Process Personal Data only on the Controller's documented instructions, as set out in this DPA and the Terms of Service. If RadMah AI is required by Applicable Data Protection Law to process Personal Data in a manner that goes beyond the Controller's instructions, RadMah AI will inform the Controller of that requirement before processing (to the extent permitted by law).

4.2 Confidentiality. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security. Implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (see Section 7).

4.4 Sub-processors. Not engage any Sub-processor without prior notification to the Controller (see Section 5).

4.5 Data Subject Rights. Assist the Controller, by appropriate technical and organisational measures, to fulfil the Controller's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. RadMah AI will forward to the Controller any Data Subject requests received directly within 5 business days.

4.6 Compliance Assistance. Assist the Controller in ensuring compliance with its obligations under GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and information available to RadMah AI.

4.7 Deletion or Return. Upon termination or expiry of the DPA or on the Controller's request, delete or return all Personal Data and delete existing copies, except to the extent that Applicable Data Protection Law requires RadMah AI to retain copies (see Section 10).

4.8 Audit. Make available to the Controller all information necessary to demonstrate compliance with obligations under GDPR Article 28, and allow for and contribute to audits (including inspections) conducted by the Controller or a mandated third-party auditor subject to the conditions in Section 8.

4.9 No Sale. RadMah AI will not sell, rent, or otherwise disclose the Controller's Personal Data to any third party for the third party's own independent purposes.

4.10 No Training. RadMah AI will not use the Controller's Reference Datasets or the Personal Data they contain to train, fine-tune, or improve any RadMah AI model or product without the Controller's prior written consent.

5. Sub-processors

5.1 Authorisation. The Controller provides general written authorisation to RadMah AI to engage Sub-processors, subject to the conditions in this Section.

5.2 Current Sub-processors. RadMah AI's current approved Sub-processors as of the DPA effective date are:

| Sub-processor | Processing Activity | Data Location |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud hosting, compute, storage (S3, RDS, ECS, Fargate), logging, monitoring, secrets management | United States (primary: us-east-1), with EU West and APAC options for Enterprise data residency |
| Stripe, Inc. | Payment processing and subscription billing (billing data only; does not process Reference Datasets) | United States (PCI-DSS Level 1) |
| Postmark (ActiveCampaign, Inc.) | Transactional email delivery (email addresses only) | United States |
| Sentry (Functional Software, Inc.) | Error tracking and performance monitoring (may process user identifiers and request metadata in error traces; does not process Reference Datasets) | United States |

5.3 Notification of Changes. RadMah AI will provide at least 30 days' prior written notice of any intended addition or replacement of Sub-processors by updating this section and emailing all registered account contact addresses.

5.4 Right to Object. Within 14 days of receiving notice of a new Sub-processor, the Controller may object in writing to legal@radmah.ai on reasonable data protection grounds. If the parties cannot resolve the objection within 30 days, either party may terminate the affected Service with 30 days' written notice without liability for early termination.

5.5 Sub-processor Obligations. RadMah AI imposes data protection obligations on each Sub-processor that are equivalent to those in this DPA. RadMah AI remains liable to the Controller for the acts and omissions of its Sub-processors to the same extent RadMah AI would be liable if performing the services directly.

6. International Data Transfers

6.1 RadMah AI's primary infrastructure is located in the United States. Transfers of Personal Data from the EEA, UK, or Switzerland to the United States are made subject to the following transfer mechanisms:

— EEA → USA: EU Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor), as incorporated into this DPA by reference.
— UK → USA: UK International Data Transfer Agreement (IDTA) (ICO template, May 2022 version) or the UK Addendum to the EU SCCs (International Data Transfer Addendum, version B.1.0), as incorporated into this DPA by reference.
— Switzerland → USA: Swiss Standard Contractual Clauses adapted to the revFADP, as incorporated into this DPA by reference.

6.2 Enterprise Data Residency. Enterprise customers may elect EU West (eu-west-1, Ireland) or Asia Pacific (ap-southeast-1, Singapore) as their primary data region to minimise international transfers of Reference Datasets and Generated Data. Contact your account manager to configure data residency. Data residency configuration does not affect billing data processed by Stripe.

6.3 Adequacy Decisions. Where the European Commission or the UK government issues an adequacy decision covering the United States (or any other country in which a Sub-processor operates), transfers to that country may be made on the basis of that adequacy decision in lieu of the mechanisms above.

6.4 Copies of Instruments. Copies of the applicable SCC modules, UK IDTA/Addendum, and Swiss SCCs are available on request by emailing privacy@radmah.ai.

6.5 Supplementary Measures. RadMah AI has conducted a Transfer Impact Assessment (TIA) for transfers to the United States under the Schrems II framework. Supplementary technical measures include end-to-end encryption of data at rest (AES-256) and in transit (TLS 1.3), data minimisation in logging, and access controls limiting US government access risk. A summary of the TIA is available to Enterprise customers under NDA.

7. Security Measures

In accordance with GDPR Article 32, RadMah AI implements and maintains the following technical and organisational measures, taking into account the state of the art, costs, nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of Data Subjects:

Pseudonymisation and Encryption:

— All Reference Datasets and Generated Data at rest are AES-256 encrypted in AWS S3 and RDS via AWS envelope encryption.
— All data in transit is encrypted via TLS 1.3. API endpoints enforce HSTS with a minimum 1-year max-age.
— Passwords are stored as bcrypt hashes. API keys are stored as one-way SHA-256 hashes (the raw key is never stored or recoverable).

Access Controls:

— Role-based access control (RBAC) with principle of least privilege.
— Multi-tenant isolation at the database layer (row-level security), object storage layer (tenant-scoped S3 key prefixes), and queue layer (isolated Celery queues).
— Production system access requires MFA and is restricted to named RadMah AI operations personnel with a verified operational need.
— All access to production systems is logged in an immutable audit trail.

Incident Detection and Response:

— AWS GuardDuty for real-time threat detection.
— AWS CloudWatch alarms and SIEM-compatible log forwarding.
— AWS WAF v2 and CloudFront DDoS protection on all public endpoints.
— A documented Incident Response Plan covering detection, containment, eradication, recovery, and notification.

Personnel Measures:

— All RadMah AI personnel with access to Personal Data are subject to confidentiality obligations.
— Security awareness training conducted on joining and annually.
— Background checks conducted for personnel with production system access (to the extent permitted by applicable law).

Organisational Measures:

— Annual third-party penetration testing of all public API surfaces.
— Active CVE/bug-bounty programme.
— Platform architecture designed with Security, Availability, and Confidentiality controls: tenant isolation, encryption at rest and in transit, immutable audit trail, and BLAKE3 cryptographic evidence seals.

The Controller acknowledges that no security measure provides absolute protection and that RadMah AI's security obligations are obligations of means, not results.

8. Audit Rights

8.1 The Controller may audit RadMah AI's compliance with this DPA by:

(a) Requesting and reviewing RadMah AI's then-current security architecture documentation, penetration test executive summary (when available), or other relevant security review materials (available under NDA, at no charge, once per 12-month period);
(b) Submitting a written audit questionnaire to legal@radmah.ai, which RadMah AI will complete within 30 days;
(c) Conducting (or commissioning) an on-site or remote audit, with at least 30 days' prior written notice, no more than once per 12-month period unless a confirmed Personal Data Breach has occurred. On-site audits are conducted at the Controller's cost and subject to RadMah AI's reasonable security and confidentiality requirements.

8.2 RadMah AI may require the Controller to use a qualified third-party auditor who signs a confidentiality agreement acceptable to RadMah AI.

8.3 Audit findings that reveal a material DPA violation will be remediated by RadMah AI within a risk-appropriate timeframe.

9. Personal Data Breach Notification

9.1 Notification to Controller. RadMah AI will notify the Controller of a confirmed Personal Data Breach affecting the Controller's Personal Data without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.

9.2 Notification Content. The notification will include (to the extent available at the time of notification): a description of the nature of the breach; the categories and approximate number of Data Subjects and records affected; the likely consequences of the breach; the measures taken or proposed to address the breach and mitigate its effects.

9.3 Assistance. RadMah AI will cooperate reasonably with the Controller in notifying Supervisory Authorities and affected Data Subjects as required by Applicable Data Protection Law. The Controller remains responsible for determining whether notification to a Supervisory Authority or Data Subjects is required.

9.4 No Fault Admission. RadMah AI's notification of a Personal Data Breach does not constitute an admission of fault or liability.

9.5 Contact. Personal Data Breach notifications will be sent to the primary email address on your Account and to security@radmah.ai as the coordination point.

10. Deletion and Return of Personal Data

10.1 Controller-Initiated Deletion. The Controller may delete Reference Datasets, Generated Data, and Evidence Bundles at any time through the platform dashboard or API. Deletion is executed within 72 hours of the request, with cryptographic confirmation logged in the immutable audit trail.

10.2 Post-Termination. Upon termination or expiry of the Controller's subscription:

(a) The Controller has 30 days to export its data via API;
(b) After 30 days from termination, RadMah AI will permanently delete all Controller Personal Data from live systems;
(c) Data may persist in encrypted backup snapshots for up to 35 days after deletion from live systems. Backup data is subject to the same access controls and encryption as live data.

10.3 Legal Retention. RadMah AI may retain Personal Data that is required to be retained under Applicable Data Protection Law (for example, billing records, AML/CTF records, audit logs) for the applicable mandatory retention period, after which such data is deleted.

10.4 Deletion Certificate. Upon request, RadMah AI will provide a written confirmation of deletion to the Controller within 30 days of completing the deletion process.

11. Liability Under This DPA

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service (Section 17 — Limitation of Liability), except to the extent that Applicable Data Protection Law imposes mandatory liability that cannot be limited by contract (for example, GDPR Article 82 liability to Data Subjects). As between the parties:

— The Controller is responsible for ensuring the lawfulness of the Personal Data it uploads and the instructions it provides.
— RadMah AI is responsible for processing Personal Data in accordance with those instructions and this DPA.
— Where both parties are found liable to a Data Subject, liability shall be apportioned between them in accordance with their respective responsibilities for the damage caused.

12. Governing Law and Jurisdiction of This DPA

This DPA is governed by the same governing law as the Terms of Service (State of Delaware, United States), except where Applicable Data Protection Law mandates a different governing law for specific provisions (for example, the mandatory application of GDPR or UK GDPR provisions). Where EU SCCs or the UK IDTA/Addendum are incorporated, those instruments' governing law and jurisdiction provisions apply to the extent required by those instruments.

13. Precedence and Effective Date

This DPA is effective from the date you first access the Service or execute a Terms of Service agreement, whichever is earlier. In the event of any conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA prevails. In all other respects, the Terms of Service govern. Enterprise customers who have executed a separate, countersigned DPA with RadMah AI should refer to that countersigned document, which takes precedence over this standard DPA. For a countersigned DPA (required by some procurement processes, regulated industries, or national data protection authorities), contact: legal@radmah.ai

ITLOX Inc. · Wilmington, Delaware, USA · legal@radmah.ai

© 2026 ITLOX Ltd. and ITLOX Inc. All rights reserved.