1. Overview and Scope
This Data Processing Addendum ("DPA") forms part of the Covlant Master Cloud Services Agreement ("Agreement") between Covlant AI, Inc. ("Covlant") and the Customer named in the applicable Order Form. This DPA applies where Customer submits Personal Data to the Service and governs Covlant's processing of that Personal Data on Customer's behalf.
In the event of a conflict between this DPA and the Agreement with respect to Personal Data, this DPA shall control.
Capitalized terms not defined herein have the meanings given in the Agreement. Terms such as "Personal Data," "Controller," "Processor," "Processing," "Data Subject," and "Supervisory Authority" have the meanings given under applicable Data Protection Laws.
2. Roles of the Parties
Customer is the Controller. Customer determines the purposes and means of Processing Personal Data submitted to the Service.
Covlant is the Processor. Covlant Processes Personal Data solely on Customer's documented instructions and in accordance with this DPA.
Where Covlant Processes Personal Data for its own operational purposes independent of Customer's instructions (e.g., as required by applicable law), Covlant acts as an independent Controller for such Processing.
3. Customer's Instructions
Customer instructs Covlant to Process Personal Data to the extent necessary to:
Provide, maintain, and operate the Service during the Subscription Period
Deliver technical support to Customer
Comply with applicable laws or respond to valid legal process
Covlant will not Process Personal Data for any other purpose, including training of general-purpose AI or ML models, without Customer's prior written consent. If Covlant believes any instruction from Customer violates applicable Data Protection Laws, Covlant will promptly notify Customer.
4. Details of Processing
Subject Matter: Operation of the Covlant AI platform and associated features as described in the Agreement and applicable Order Form.
Nature of Processing: Collection, storage, analysis, retrieval, and deletion of Personal Data submitted by Customer to the Service.
Duration: For the duration of the Subscription Period, plus the post-termination retention period set out in Section 4.6 of the Agreement (up to sixty (60) days).
Types of Personal Data: As determined and submitted by Customer, which may include names, email addresses, professional information, and any other Personal Data contained within Customer Content.
Categories of Data Subjects: Employees, contractors, or end users of Customer whose Personal Data is included in Customer Content submitted to the Service.
Purpose and Legal Basis: As determined by Customer as Controller. Customer is responsible for ensuring a valid legal basis exists for all Personal Data submitted to the Service.
5. Covlant's Obligations as Processor
Covlant shall:
Process Personal Data only on Customer's documented instructions as set out in this DPA, except where required to do so by applicable law
Ensure that all Covlant personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations
Implement and maintain technical and organizational security measures as described in the Covlant Security Policy at [covlant.ai/security] and in accordance with Article 32 GDPR or equivalent applicable standards
Assist Customer, through appropriate technical and organizational measures, in fulfilling Customer's obligations to respond to Data Subject rights requests (see Section 7)
Assist Customer in ensuring compliance with its obligations relating to security, breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the nature of Processing and information available to Covlant
At Customer's election, delete or return all Personal Data upon termination or expiration of the Agreement, and delete existing copies unless retention is required by applicable law
Make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and cooperate with reasonable audits or inspections by Customer or a mandated auditor, subject to reasonable prior notice and confidentiality obligations
6. Sub-Processors
6.1 Authorization. Customer provides general written authorization for Covlant to engage sub-processors to assist in providing the Service. Covlant's current list of sub-processors is available upon request and will be updated as sub-processors are added or removed.
6.2 Notification. Covlant will provide Customer with at least thirty (30) days' prior written notice of any intended addition or replacement of a sub-processor. Customer may object to a new sub-processor on reasonable data protection grounds by notifying Covlant in writing within fourteen (14) days of such notice. If Covlant proceeds with the sub-processor despite a reasonable objection, Customer may terminate the affected Order Form without penalty upon written notice.
6.3 Sub-Processor Obligations. Covlant will impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA. Covlant remains liable to Customer for the acts and omissions of its sub-processors to the same extent Covlant would be liable if performing the Processing directly.
7. Data Subject Rights
Covlant will, upon Customer's written request, provide reasonable assistance to help Customer fulfill its obligations to respond to Data Subject rights requests under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. Where a Data Subject submits a request directly to Covlant, Covlant will promptly redirect the request to Customer and not respond on Customer's behalf without Customer's instruction.
8. Security Measures
Covlant implements and maintains technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in the Covlant Security Policy at [covlant.ai/security] and include, at minimum:
Logical access controls and multi-factor authentication for personnel accessing production systems
Regular vulnerability assessments and security testing
Personnel confidentiality obligations and security awareness training
Incident response and business continuity procedures
Covlant may update its security measures from time to time provided that updates do not materially reduce the overall level of protection afforded to Personal Data.
9. Data Breach Notification
In the event of a confirmed security breach involving Personal Data, Covlant will:
Notify Customer without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach
Provide reasonable information about the nature of the breach, categories and approximate volume of Personal Data and Data Subjects affected, likely consequences, and measures taken or proposed to address the breach
Cooperate with Customer's reasonable requests for additional information to support Customer's own notification obligations to Supervisory Authorities and Data Subjects
Notification by Covlant does not constitute an acknowledgment of fault or liability.
10. International Data Transfers
Where Processing involves the transfer of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing adequate protection under applicable Data Protection Laws, the parties agree that such transfers are governed by the applicable Standard Contractual Clauses (SCCs) issued by the European Commission, or equivalent transfer mechanisms recognized under applicable law, which are incorporated into this DPA by reference.
Customer is responsible for ensuring that any transfer of Personal Data to Covlant has a valid transfer mechanism in place. Covlant will cooperate with Customer to execute any additional documentation required to give effect to valid transfer mechanisms.
11. Data Deletion and Return
Upon expiration or termination of the Agreement or an applicable Order Form, Covlant will, at Customer's election:
Return all Personal Data to Customer in a commonly used machine-readable format; or
Securely delete all Personal Data from Covlant's systems
Covlant will retain Personal Data for up to sixty (60) days following termination to permit Customer to exercise the above election, after which Covlant will delete Personal Data unless retention is required by applicable law. Upon Customer's written request, Covlant will certify in writing that deletion has been completed.
12. Governing Law
This DPA shall be governed by the same governing law and jurisdiction as the Agreement, except where applicable Data Protection Laws require otherwise.
For data protection inquiries, contact: legal@covlant.ai