Data Processing Agreement
Last Updated: March 10, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("TOS") between Futurity Technologies PTE. LTD ("Futurity", "Processor") and the entity agreeing to the TOS ("Customer", "Controller"), and governs the processing of personal data by Futurity on behalf of the Customer in connection with the Futurity Services.
1. Definitions
In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given to them in the TOS.
- "Agreement" means this DPA, including its Annexes.
- "Controller" means the Customer, the entity that determines the purposes and means of processing personal data.
- "Processor" means Futurity Technologies PTE. LTD, which processes personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed, including the Controller's employees, end users, and contacts.
- "Personal Data" means any information relating to a Data Subject, as defined in Article 4(1) of the GDPR and Section 2 of the PDPA.
- "Processing" means any operation or set of operations performed on personal data, as defined in Article 4(2) of the GDPR.
- "Sub-Processor" means a third party engaged by Futurity to process personal data on behalf of the Controller.
- "Services" means the Futurity Services as defined in the TOS.
- "Data Protection Laws" means all applicable data protection and privacy legislation, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Singapore Personal Data Protection Act 2012 ("PDPA"), the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable data protection legislation.
- "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries, as set out in the European Commission Implementing Decision (EU) 2021/914.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed.
2. Scope and Purpose of Processing
2.1. This DPA applies when the Controller uses the Services and Futurity processes personal data on behalf of the Controller as described in Annex I.
2.2. This DPA supplements the TOS. In the event of any conflict between this DPA and the TOS regarding the processing of personal data, this DPA prevails.
2.3. Futurity will process personal data solely for the purpose of providing the Services as described in the TOS and in accordance with the Controller's documented instructions, unless required to do otherwise by applicable law.
2.4. The details of the processing (subject matter, duration, nature, purpose, categories of data subjects, and types of personal data) are set out in Annex I.
3. Processor Obligations
Futurity, as Processor, shall:
3.1. Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data outside the EEA, unless required to do so by applicable law. In such a case, Futurity shall inform the Controller of that legal requirement before processing, unless prohibited by law.
3.2. Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Implement and maintain appropriate technical and organisational security measures as described in Annex IV, including:
- Encryption at rest and in transit (TLS 1.2+)
- Role-based access controls with the principle of least privilege
- Multi-factor authentication for internal systems
- Continuous monitoring for unauthorised access
- Regular security assessments and vulnerability scanning
- Documented incident response process with defined roles and escalation procedures
3.4. Comply with the conditions for engaging Sub-Processors set out in Section 5.
3.5. Taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to Data Subject requests as set out in Section 6.
3.6. Assist the Controller in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to Futurity.
3.7. At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of Services, as set out in Section 8, and delete existing copies unless applicable law requires storage.
3.8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR, and allow for and contribute to audits as set out in Section 9.
3.9. Immediately inform the Controller if, in Futurity's opinion, an instruction from the Controller infringes Data Protection Laws.
4. Controller Obligations
The Controller shall:
4.1. Ensure that it has a lawful basis for the processing of personal data as instructed to Futurity, in compliance with applicable Data Protection Laws.
4.2. Provide Futurity with documented instructions regarding the processing of personal data.
4.3. Be responsible for its own compliance with Data Protection Laws regarding the personal data of its end users and Data Subjects.
4.4. Notify Futurity promptly of any Data Subject request that requires Futurity's assistance.
5. Sub-Processors
5.1. The Controller provides general written authorisation for Futurity to engage the Sub-Processors listed in Annex III.
5.2. Futurity shall notify the Controller at least 14 days before adding or replacing a Sub-Processor, providing the Controller with an opportunity to object.
5.3. If the Controller objects to a new or replacement Sub-Processor on reasonable data protection grounds within 14 days of notification, the parties shall work in good faith to resolve the objection. If no resolution is reached within 30 days, the Controller may terminate the affected Services by providing written notice to Futurity.
5.4. Futurity shall ensure that each Sub-Processor is bound by a written agreement imposing data protection obligations no less protective than those set out in this DPA.
5.5. Futurity shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.
6. Data Subject Rights
6.1. Futurity shall, taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights, including rights of access, rectification, erasure, data portability, restriction of processing, and objection.
6.2. If Futurity receives a request directly from a Data Subject of the Controller, Futurity shall promptly redirect the request to the Controller, unless Futurity is legally required to respond directly.
6.3. The Controller shall reimburse Futurity for reasonable costs incurred in providing assistance beyond the basic redirection of Data Subject requests.
7. Security Incident Notification
7.1. Futurity shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Security Incident involving the Controller's personal data.
7.2. The notification shall include, to the extent available:
- The nature of the Security Incident, including the categories and approximate number of Data Subjects and personal data records affected
- The likely consequences of the Security Incident
- The measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects
- The name and contact details of Futurity's Data Protection Officer or other contact point
7.3. Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.
7.4. Futurity shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
7.5. Futurity shall cooperate with the Controller in connection with any notification to supervisory authorities, Data Subjects, or other parties required by Data Protection Laws.
7.6. Futurity shall maintain a record of all Security Incidents, including their effects and the remedial action taken.
8. Data Deletion and Return on Termination
8.1. Upon termination or expiry of the Services, Futurity shall:
- Provide the Controller with 30 days to export their data using the export functionality available in the Services
- After the export period, delete all personal data within the retention periods specified in the Privacy Policy (90 days for account, chat, and workflow data; 30 days for vault files)
- Provide written confirmation of deletion upon the Controller's request
8.2. The following exceptions apply:
- Data required to be retained by applicable law (e.g., billing records retained for 7 years for tax and legal requirements)
- Data in backup archives, which shall be purged within 30 additional days after the applicable retention period expires
8.3. Futurity shall ensure that any personal data retained under Section 8.2 remains subject to the confidentiality and security obligations of this DPA.
9. Audit Rights
9.1. Futurity shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the GDPR.
9.2. The Controller, or a third-party auditor appointed by the Controller, may conduct audits of Futurity's processing activities under this DPA, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice prior to any audit
- Audits shall be conducted no more than once per year, unless triggered by a Security Incident or a requirement from a supervisory authority
- Audits shall be conducted during normal business hours
- Audits shall be scoped to processing activities relevant to this DPA
- The auditor shall be bound by confidentiality obligations
9.3. The Controller shall bear the cost of any audit, unless the audit reveals material non-compliance by Futurity, in which case Futurity shall bear the reasonable costs of the audit.
9.4. Futurity may satisfy audit requests by providing:
- SOC 2 Type II reports or equivalent certifications (when available)
- Results of penetration tests or security assessments conducted by independent third parties
- Written responses to reasonable audit questionnaires
10. Cross-Border Transfers
10.1. Personal data may be transferred to and processed in Singapore, the United States, and Germany, as necessary to provide the Services.
10.2. For transfers of personal data from the European Economic Area (EEA) or the United Kingdom to countries that have not received an adequacy decision, the parties agree to the Standard Contractual Clauses as set out in Annex II.
10.3. For transfers of personal data from Singapore, Futurity shall ensure that recipients provide a standard of protection comparable to that under the PDPA, in accordance with Section 26 of the PDPA.
10.4. For transfers of personal data from Canada, the Controller acknowledges that personal data may be processed in the United States and Singapore by Futurity's infrastructure and AI providers, and that under the laws of those jurisdictions, data may be accessible to law enforcement and national security authorities.
10.5. Futurity shall implement appropriate supplementary measures where necessary to ensure that the level of protection of personal data is not undermined by the transfer.
11. Liability
11.1. Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the TOS.
11.2. Nothing in this DPA shall exclude or limit either party's liability for:
- Breaches of the confidentiality obligations in this DPA
- Wilful misconduct or gross negligence
- Any liability that cannot be excluded or limited by applicable law
12. Term and Termination
12.1. This DPA takes effect when the Controller accepts the TOS (or signs a separate order form referencing this DPA) and shall remain in effect for the duration of the provision of the Services.
12.2. The following provisions shall survive termination or expiry of this DPA: Sections 7 (Security Incident Notification), 8 (Data Deletion and Return), 9 (Audit Rights), 11 (Liability), and 13 (General Provisions), together with any Annex that by its nature is intended to survive.
13. General Provisions
13.1. Governing Law. This DPA shall be governed by and construed in accordance with the laws of the Republic of Singapore, without regard to its conflict of law principles.
13.2. Dispute Resolution. Any dispute arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions of the TOS.
13.3. Amendments. This DPA may only be amended in writing, signed or otherwise agreed to by both parties.
13.4. Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be replaced with a valid and enforceable provision that achieves, to the extent possible, the original intent of the parties.
13.5. Entire Agreement. This DPA, together with the TOS and Privacy Policy, constitutes the entire agreement between the parties regarding the processing of personal data. In the event of conflict regarding data processing matters, the order of precedence is: this DPA, then the TOS, then the Privacy Policy.
13.6. Contact. Questions about this DPA may be directed to Futurity's Data Protection Officer:
Name: Miklos Sunario
Email: dpo@futurity.work
Address: 111 North Bridge Road, #07-11, Peninsula Plaza, Singapore 179098
Annex I — Details of Processing
| Field | Details |
|---|---|
| Data Exporter (Controller) | The entity that has accepted the TOS |
| Data Importer (Processor) | Futurity Technologies PTE. LTD, 111 North Bridge Road, #07-11, Peninsula Plaza, Singapore 179098 |
| Subject Matter | Processing of personal data to provide the Futurity Services (AI workflow platform) |
| Duration | Duration of the Controller's use of Futurity Services |
| Nature and Purpose | Storage, retrieval, transmission, and AI-assisted processing of Controller's data to deliver the Services, including hosting and maintaining the platform, executing AI-powered workflows, managing user accounts, and providing customer support |
| Categories of Data Subjects | Controller's employees, contractors, end users, and contacts |
| Types of Personal Data | Names, email addresses, phone numbers, login credentials, messages and chat content, workflow data and execution logs, file uploads (vault), usage logs, IP addresses, device information, integration OAuth tokens |
| Sensitive Data | Not intentionally processed. If the Controller submits sensitive data, the Controller is responsible for ensuring a lawful basis. Futurity does not distinguish or apply special handling to sensitive data categories. |
| Competent Supervisory Authority | The supervisory authority of the EEA member state where the Controller is established, or where the Data Subjects are located |
Annex II — Standard Contractual Clauses
EU Standard Contractual Clauses
For transfers of personal data from the EEA, the parties agree to be bound by the Standard Contractual Clauses set out in the European Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor), which are incorporated into this DPA by reference.
The full text of the SCCs is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
The following selections and supplementary information apply to the SCCs:
Clause 7 (Docking Clause): The optional docking clause is included, permitting additional controllers to accede to the SCCs.
Clause 9(a) (Sub-Processors): Option 2 applies — General written authorisation. The Processor shall inform the Controller of any intended changes to the list of Sub-Processors at least 14 days in advance, giving the Controller the opportunity to object.
Clause 11(a) (Redress): The optional clause on independent dispute resolution is not included.
Clause 13 and Annex I.C (Competent Supervisory Authority): The competent supervisory authority is the supervisory authority of the EEA member state in which the Controller is established. Where the Controller is not established in the EEA, the competent supervisory authority is that of the EEA member state in which the Data Subjects whose personal data is transferred are located.
Clause 17 (Governing Law): The SCCs shall be governed by the laws of the EU member state in which the Controller is established. Where the Controller is not established in an EU member state, the laws of Ireland shall apply.
Clause 18(b) (Choice of Forum): Disputes shall be resolved before the courts of the EU member state in which the Controller is established. Where the Controller is not established in an EU member state, the courts of Ireland shall apply.
Annex I (Parties and Transfer Details): As set out in Annex I of this DPA.
Annex II (Technical and Organisational Measures): As set out in Annex IV of this DPA.
UK International Data Transfer Addendum
For transfers of personal data from the United Kingdom, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (as approved by the Information Commissioner's Office under Section 119A of the Data Protection Act 2018, version B1.0, in force 21 March 2022) is incorporated by reference and applies to such transfers.
The following information supplements the UK Addendum:
| Table | Details |
|---|---|
| Table 1: Parties | Exporter: the Controller; Importer: Futurity Technologies PTE. LTD |
| Table 2: Selected SCCs | The EU SCCs as set out above (Module Two, with the selections specified) |
| Table 3: Appendix Information | As set out in Annexes I, III, and IV of this DPA |
| Table 4: Ending the Addendum | Neither party may end the UK Addendum in accordance with Section 19 of the Addendum |
Annex III — Sub-Processor List
The following Sub-Processors are authorised by the Controller as of the date of this DPA:
| Sub-Processor | Location | Purpose |
|---|---|---|
| Hetzner (self-hosted Kubernetes) | Singapore, United States, Germany | Application hosting, databases, storage |
| Amazon Web Services (S3, KMS) | Singapore | File storage, encryption key management |
| OpenAI | United States | AI-assisted features |
| Google (Gemini) | United States | AI-assisted features |
| Fireworks AI | United States | AI-assisted features |
| OpenRouter | United States | AI-assisted features |
| Sentry | United States | Error tracking, performance monitoring |
| Vercel Analytics | United States | Anonymised web performance metrics |
| SendGrid (Twilio Inc.) | United States | Transactional emails |
Futurity maintains an up-to-date list of Sub-Processors at https://futurity.work/privacy. Changes to this list are communicated to the Controller at least 14 days in advance in accordance with Section 5 of this DPA.
Annex IV — Technical and Organisational Measures
Futurity implements the following technical and organisational measures to protect personal data processed on behalf of the Controller:
1. Encryption
- At rest: AES-256 (AWS KMS for key management)
- In transit: TLS 1.2+
2. Access Controls
- Role-based access control (RBAC)
- Principle of least privilege
- Employee access to production data is logged and reviewed
3. Authentication
- Multi-factor authentication for all internal systems
4. Monitoring
- Continuous monitoring for unauthorised access
- Anomalous activity detection
- Error tracking via Sentry
5. Security Assessments
- Regular vulnerability scanning
- Penetration testing
6. Incident Response
- Documented incident response process
- Defined roles and escalation procedures
- Breach notification to the Controller within 48 hours
7. Data Separation
- Customer data is logically separated via organisation-scoped access controls
- Multi-tenant architecture with per-organisation isolation
8. Backup and Recovery
- Regular automated backups
- Backup archives purged within 30 days of retention expiry
9. Personnel
- Confidentiality obligations for all employees with access to personal data
- Data protection training