U.S. Data Processing Addendum

Last Updated: February 13, 2025

This Data Processing Addendum ("DPA") applies when DeepXL Corp ("DeepXL", "we", "us") processes personal information on behalf of our customers in providing our AI Fraud Detection services. It supplements our Terms of Service and Privacy Policy and is incorporated by reference into agreements between DeepXL and our customers.

1. Scope and Applicability

This DPA covers the processing of personal information subject to applicable U.S. data protection laws, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and similar state privacy laws in Virginia, Colorado, Utah, and Connecticut. When processing such personal information, DeepXL acts as a 'service provider' under CCPA/CPRA and as a data processor under other laws. Our customers act as businesses, controllers, or data owners.

2. Processing Roles and Responsibilities

DeepXL will process personal information only as instructed by the customer, as necessary to provide the services, or as required by law. We will inform customers if we cannot comply with a processing instruction due to a legal requirement.

DeepXL is responsible for the processing activities of our subprocessors, and for compliance with reasonable security procedures and practices appropriate to the nature of the personal information. Customers are responsible for the lawfulness of collection, accuracy, and notification of processing to data subjects.

3. Security Measures

DeepXL will implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect personal information from unauthorized access, destruction, use, modification, or disclosure. These measures include:

  • Access controls and authentication
  • Encryption of data in transit and at rest
  • Network security monitoring
  • Automated threat detection
  • Employee security training
  • Secure development practices
  • Incident response procedures

4. Subprocessors

We may engage subprocessors to process personal information. All subprocessors will be bound by contractual obligations that are substantially similar to this DPA. A list of current subprocessors is available at deepxl.ai/subprocessors. We will inform customers of changes to subprocessors, with an opportunity to object. Liability for subprocessors' acts and omissions shall be limited to the same extent as DeepXL's liability under our agreements.

5. Data Subject Requests

Customers are primarily responsible for handling data subject requests. DeepXL will assist customers by providing information necessary to respond to a request, to the extent we are legally permitted to do so. If we receive a request directly, we will advise the data subject to submit the request to our customer.

6. Data Retention and Deletion

DeepXL will retain personal information only for as long as the customer instructs, or as necessary to provide the services. At the end of the retention period or upon customer request, we will securely delete or anonymize personal information, unless retention obligations apply.

7. Transparency and Cooperation

DeepXL will make available information necessary to demonstrate compliance with this DPA. We will promptly inform customers of data subject requests, government inquiries, or other events related to their personal information. We will provide reasonable assistance to customers in conducting data protection impact assessments or consulting with regulators.

8. Incident Notification

In the event of a confirmed data breach, DeepXL will notify affected customers without undue delay. Notifications will include a description of the incident, types of data involved, consequences, and measures taken. We will provide timely updates and cooperate with customers to investigate and remediate the incident.

9. Compliance Verification

Customers may request information to verify DeepXL's compliance with this DPA, including security documentation, certifications, and audit reports. Customers may conduct audits of processing activities, upon reasonable notice, with minimal disruption to DeepXL's business, and subject to reasonable confidentiality procedures.

10. Governing Law

This DPA shall be governed by the laws of the State of Delaware, without regard to conflict of law principles. The parties submit to the exclusive jurisdiction of Delaware state courts for any disputes arising from this DPA.

11. Liability and Indemnification

Each party's liability under this DPA shall be subject to the exclusions and limitations of liability set forth in the parties' Services Agreement. Each party shall defend and indemnify the other against claims arising from its respective DPA violations.

12. Modifications

We may modify this DPA to reflect changes in our services, applicable laws, regulations, or industry standards. Material changes will be announced to customers at least 30 days prior to the effective date. Customer's continued use of the services constitutes acceptance of the modified DPA.