Data Processing Agreement

GDPR-compliant data processing terms for enterprise customers and data controllers

Last Updated: January 15, 2025

GDPR Article 28 Compliant

GDPR Compliant

Fully compliant with EU data protection regulations

Data Security

SOC 2 Type II attested infrastructure

Cross-Border

Standard Contractual Clauses for international transfers

Data Ownership

You retain full ownership of your data

Key Protections

You remain the Data Controller with full ownership of your data

We process data only on your documented instructions

SOC 2 Type II attested security infrastructure

Breach notification to Customer within 72 hours of discovery

Standard Contractual Clauses for international transfers

Annual third-party security audits and compliance reports

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"):

"Controller" means the entity that determines the purposes and means of the processing of Personal Data. This is you, the customer.

"Processor" means the entity that processes Personal Data on behalf of the Controller. This is HermesCloud AI.

"Personal Data" means any information relating to an identified or identifiable natural person as defined by GDPR Article 4(1).

"Processing" has the meaning given in GDPR Article 4(2) and includes any operation performed on Personal Data.

"Sub-processor" means any third-party processor engaged by HermesCloud AI to process Personal Data.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

"Services" means the HermesCloud AI platform and associated services as described in the Terms of Service.

2. Scope and Roles

2.1 Applicability: This DPA applies to all Processing of Personal Data by HermesCloud AI on behalf of the Customer in connection with the Services.

2.2 Data Controller and Processor: The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and HermesCloud AI is the Processor.

2.3 Customer Responsibilities: As Controller, Customer:
• Ensures lawful basis for Processing
• Provides necessary notices to Data Subjects
• Handles Data Subject rights requests
• Determines retention periods
• Ensures data accuracy and relevance

2.4 HermesCloud AI Responsibilities: As Processor, HermesCloud AI:
• Processes Personal Data only on documented instructions
• Ensures confidentiality of Processing
• Implements appropriate technical and organizational measures
• Assists with Data Subject rights requests
• Notifies Customer of data breaches

3. Data Processing Details

3.1 Subject Matter: Processing of Personal Data necessary to provide the Services under the Terms of Service.

3.2 Duration: The term of this DPA coincides with the term of the Services agreement, plus the retention period specified in Section 8.

3.3 Nature and Purpose of Processing:
• Provision of AI automation services
• User authentication and account management
• Service analytics and optimization
• Customer support and communications
• Billing and payment processing

3.4 Types of Personal Data:
• Identity data (name, username, email address)
• Contact data (phone number, mailing address)
• Account data (login credentials, workspace settings)
• Usage data (feature interactions, timestamps, IP addresses)
• Financial data (payment information, billing address)
• Professional data (job title, company name, department)
• Content data (files, messages, AI interactions uploaded by Customer)

3.5 Categories of Data Subjects:
• Customer employees and contractors
• Customer's end users
• Customer's clients and partners
• Any other individuals whose Personal Data is uploaded to the Services

4. Customer Instructions

4.1 Instruction to Process: By using the Services, Customer instructs HermesCloud AI to Process Personal Data as necessary to:
(a) Provide the Services in accordance with the Terms of Service
(b) Comply with applicable laws and regulations
(c) Follow Customer's documented instructions via the Service interface

4.2 Additional Instructions: Customer may issue additional documented instructions through:
• Configuration settings within the Service
• Written requests to support@hermescloud.ai
• API calls and integrations

4.3 Unlawful Instructions: HermesCloud AI will promptly inform Customer if, in its opinion, an instruction violates GDPR or other applicable data protection laws.

4.4 Scope of Instructions: HermesCloud AI will not Process Personal Data for any purpose other than as instructed by Customer, except where required by applicable law.

5. Security Measures

5.1 Technical and Organizational Measures: HermesCloud AI implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures:
• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Network security (firewalls, intrusion detection/prevention)
• Access controls and authentication (including MFA)
• Secure software development lifecycle
• Regular vulnerability scanning and penetration testing
• Backup and disaster recovery procedures

Organizational Measures:
• Information security policies and procedures
• Employee confidentiality agreements
• Security awareness training
• Incident response and breach notification procedures
• SOC 2 Type II attestation
• Annual third-party security audits

5.2 Confidentiality: HermesCloud AI ensures that all personnel authorized to Process Personal Data:
(a) Are subject to binding confidentiality obligations
(b) Receive appropriate training on data protection
(c) Process Personal Data only as instructed by Customer

5.3 Security Updates: HermesCloud AI regularly reviews and updates security measures to maintain appropriate protection against evolving threats.

6. Sub-processors

6.1 General Authorization: Customer provides general authorization for HermesCloud AI to engage Sub-processors to Process Personal Data, subject to the requirements of this Section.

6.2 Current Sub-processors:
• Amazon Web Services (AWS) - Cloud infrastructure hosting
• Google Cloud Platform - AI/ML model hosting
• Stripe - Payment processing
• SendGrid - Email delivery
• Intercom - Customer support platform
• PostHog - Product analytics (anonymized data only)

6.3 Sub-processor Obligations: HermesCloud AI:
(a) Enters into written agreements with Sub-processors imposing data protection obligations equivalent to this DPA
(b) Remains fully liable for any Sub-processor's failure to fulfill data protection obligations
(c) Conducts due diligence on Sub-processors' security and compliance capabilities

6.4 Notice of Changes: HermesCloud AI will provide at least 30 days' notice of any intended changes to Sub-processors via:
• Email notification to Customer's registered email
• Updates to our Sub-processor list at hermescloud.ai/sub-processors
• In-app notifications

6.5 Objection Rights: Customer may object to a new Sub-processor on reasonable data protection grounds by notifying HermesCloud AI within 14 days of notice. If the objection is substantiated, the parties will work in good faith to resolve the concerns. If resolution is not possible, Customer may terminate the affected Services.

7. Data Subject Rights

7.1 Assistance with Requests: HermesCloud AI will assist Customer in responding to Data Subject rights requests under GDPR Chapter III, including:
• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure ("right to be forgotten") (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Rights related to automated decision-making (Article 22)

7.2 Request Handling: When HermesCloud AI receives a Data Subject request directly:
(a) We will promptly redirect the Data Subject to Customer (within 2 business days)
(b) We will notify Customer of the request (within 2 business days)
(c) We will not respond directly unless legally required or instructed by Customer

7.3 Technical Assistance: HermesCloud AI provides tools within the Service to enable Customer to:
• Search for and export Data Subject information
• Correct or update Personal Data
• Delete Personal Data
• Restrict processing of specific data

7.4 Timeframe: HermesCloud AI will provide assistance with Data Subject requests within 10 business days of Customer's request for assistance.

7.5 Fees: Assistance with routine Data Subject requests is included in the Services. Excessive or repetitive requests may be subject to reasonable fees to cover administrative costs.

8. Data Deletion and Return

8.1 Deletion Upon Termination: Upon termination or expiration of the Services, HermesCloud AI will:
(a) Delete all Personal Data within 30 days, or
(b) Return Personal Data to Customer in a structured, commonly used, machine-readable format if requested

8.2 Customer-Initiated Deletion: Customer may request deletion of specific Personal Data at any time through:
• Self-service tools within the Service
• Written request to support@hermescloud.ai

8.3 Exceptions: HermesCloud AI may retain Personal Data to the extent required by applicable law, provided that such data is securely isolated and protected from further Processing except as required by law.

8.4 Certification: Upon request, HermesCloud AI will provide written certification of data deletion or return within 60 days of completion.

8.5 Backup Systems: Personal Data in backup systems will be deleted or anonymized within 90 days following termination, in accordance with our backup retention policies.

9. Data Breach Notification

9.1 Breach Notification Obligation: HermesCloud AI will notify Customer without undue delay after becoming aware of a Personal Data breach, and in any event within 72 hours of discovery.

9.2 Notification Contents: Breach notifications will include, to the extent known:
(a) Nature of the breach, including categories and approximate number of Data Subjects and Personal Data records affected
(b) Name and contact details of HermesCloud AI's data protection officer or other contact point
(c) Likely consequences of the breach
(d) Measures taken or proposed to address the breach and mitigate its effects

9.3 Phased Notification: Information may be provided in phases as it becomes available, with initial notification provided within 72 hours even if full details are not yet known.

9.4 Incident Response: HermesCloud AI will:
• Investigate the breach and take steps to mitigate harm
• Cooperate with Customer in incident response efforts
• Preserve evidence for regulatory investigation
• Provide regular updates until the incident is resolved

9.5 Customer Responsibilities: Customer is responsible for:
• Notifying affected Data Subjects as required by GDPR Article 34
• Notifying supervisory authorities as required by GDPR Article 33 (where notification is required, within 72 hours of Customer becoming aware of the breach)
• Meeting all legal obligations arising from the breach

10. Data Protection Impact Assessment

10.1 DPIA Assistance: HermesCloud AI will provide reasonable assistance to Customer in conducting Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35.

10.2 Information Provided: Upon request, HermesCloud AI will provide:
• Description of Processing operations
• Security measures implemented
• Sub-processor information
• Data flow diagrams
• Relevant compliance certifications
• Previous audit reports (subject to confidentiality)

10.3 Prior Consultation: If Customer is required to consult with supervisory authorities under GDPR Article 36, HermesCloud AI will provide reasonable cooperation and assistance.

11. International Data Transfers

11.1 Transfer Mechanisms: For transfers of Personal Data from the EEA to third countries, HermesCloud AI relies on:
(a) Standard Contractual Clauses (SCCs) approved by the European Commission
(b) Adequacy decisions under GDPR Article 45 where available
(c) Other legally recognized transfer mechanisms

11.2 Standard Contractual Clauses: The parties agree to execute the SCCs as an addendum to this DPA upon Customer's request.

11.3 Supplementary Measures: HermesCloud AI implements supplementary technical and organizational measures to ensure adequate protection for international transfers, including:
• Encryption in transit and at rest
• Access controls and authentication
• Data minimization and pseudonymization where possible
• Contractual restrictions on Sub-processor access to Personal Data

11.4 Data Localization Options: Enterprise customers may request data localization to specific regions, subject to availability and additional fees.

12. Audits and Compliance

12.1 Audit Rights: Customer may audit HermesCloud AI's compliance with this DPA, subject to the following:
(a) Audits may be conducted no more than once per year unless required by a regulatory authority
(b) Customer must provide at least 30 days' written notice
(c) Audits must not unreasonably interfere with HermesCloud AI's business operations
(d) Customer and auditors must execute HermesCloud AI's standard confidentiality agreement

12.2 Audit Information: HermesCloud AI will make available to Customer:
• SOC 2 Type II reports (annually)
• ISO 27001 certificates
• Security questionnaire responses
• Evidence of Sub-processor compliance
• Security policies and procedures (subject to confidentiality)

12.3 Third-Party Audits: In lieu of Customer-conducted audits, HermesCloud AI may provide reports from independent third-party audits conducted within the past 12 months.

12.4 Audit Costs: Customer bears all costs of audits, including HermesCloud AI's reasonable costs for time spent facilitating audits exceeding 8 hours per year.

12.5 Remediation: If an audit reveals non-compliance, HermesCloud AI will promptly implement a remediation plan and provide regular progress updates.

13. Liability and Indemnification

13.1 Liability: Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.

13.2 GDPR Fines: To the extent that Customer is fined by a supervisory authority due to HermesCloud AI's violation of this DPA, HermesCloud AI will indemnify Customer for such fines, subject to:
(a) Customer's compliance with this DPA
(b) Customer promptly notifying HermesCloud AI of any regulatory investigation
(c) HermesCloud AI having the right to participate in the defense
(d) The limitations in the Terms of Service

13.3 Mutual Cooperation: The parties will cooperate in good faith to minimize liability exposure for both parties.

14. Term and Termination

14.1 Term: This DPA becomes effective on the date Customer first accesses the Services and continues until termination of the Services agreement.

14.2 Survival: The following provisions survive termination: Security Measures (for the duration of data retention), Data Deletion and Return, Liability and Indemnification, and Audit Rights (for 12 months post-termination).

14.3 Effect of Termination: Upon termination, HermesCloud AI will cease all Processing of Personal Data and comply with Section 8 (Data Deletion and Return).

15. Governing Law and Dispute Resolution

15.1 Governing Law: This DPA is governed by the laws specified in the Terms of Service.

15.2 Conflicts: In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to Processing of Personal Data.

15.3 Dispute Resolution: Disputes will be resolved in accordance with the dispute resolution provisions in the Terms of Service, except where supervisory authorities have jurisdiction under GDPR.

15.4 Supervisory Authority: Nothing in this DPA affects Data Subjects' rights to lodge complaints with supervisory authorities under GDPR Article 77.

16. Updates to this DPA

16.1 Changes: HermesCloud AI may update this DPA to reflect:
• Changes in data protection laws
• New security measures or certifications
• Changes to Processing operations
• Regulatory guidance or supervisory authority requirements

16.2 Notice: Material changes will be notified at least 30 days in advance via email and in-app notifications.

16.3 Acceptance: Continued use of the Services after changes become effective constitutes acceptance. If Customer objects, Customer may terminate the Services in accordance with the Terms of Service.

17. Contact Information

For questions or requests related to this DPA, contact:

Data Protection Officer
Email: dpo@hermescloud.ai
Address: HermesCloud AI, Inc., Data Protection Office, [Address]

Legal Department
Email: legal@hermescloud.ai

Privacy Team
Email: privacy@hermescloud.ai

Support Center: hermescloud.ai/support

EU Representative: [If applicable under GDPR Article 27]

Need a Signed Copy?

Enterprise customers can request a countersigned DPA and Standard Contractual Clauses


Questions About Data Processing?

Our Data Protection Officer is available to discuss your compliance requirements