Data Processing Agreement

Our commitment to protecting your data.

This DPA has 2 parts: (1) the Key Terms on this Cover Page and (2) the Common Paper DPA Standard Terms Version 1.1 posted at commonpaper.com/standards/data-processing-agreement/1.1 ("DPA Standard Terms"), which is incorporated by reference. If there is any inconsistency between the parts of the DPA, the Cover Page will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given on the Cover Page. However, if the Cover Page omits or does not define a highlighted word, the default meaning will be "none" or "not applicable" and the correlating clause, sentence, or section does not apply to this DPA. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement. A copy of the DPA Standard Terms is attached for convenience only.

Key Terms

Approved Subprocessors:

Name: Google Cloud

Country of location: United States

Anticipated processing task: cloud services and artificial intelligence

Name: Amazon Web Services

Country of location: United States

Anticipated processing task: cloud services and artificial intelligence

Provider Security Contact:

security@circlemind.co

Security Policy:

As defined in the Agreement.

Service Provider Relationship:

To the extent California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq ("CCPA") applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA.

Governing Member State:

EEA Transfers: Netherlands

UK Transfers: England and Wales

Annex I(A) - List of Parties

Data Exporter:

Name: the Customer signing this DPA

Activities relevant to transfer: See Annex 1(B)

Role: Controller

Data Importer:

Name: the Provider signing this DPA

Contact person: Antonio Vespoli, CEO

Address: 1111B S Governors Ave STE 23337, Dover, Delaware 19904, USA

Activities relevant to transfer: See Annex 1(B)

Role: Processor

Annex I(B) - Description of Transfer and Processing Activities

Categories of Data Subjects:

Customer's end users or customers

Categories of Personal Data:

  • Name
  • Contact information such as email, phone number, or address
  • Employment information such as employee ID or compensation
  • Financial information such as bank account numbers
  • Professional or biographic information such as resume or CV
  • Transactional information such as account information or purchases
  • User activity and analysis such as device information or IP address
  • Location information

Special Category Data:

Is special category data (as defined in Article 9 of the GDPR) Processed? Yes

Special Category Data Restrictions or Safeguards:

See Security Policy

Frequency of Transfer:

Continuous

Nature and Purpose of Processing:

  • Receiving data, including collection, accessing, retrieval, recording, and data entry
  • Holding data, including storage, organization, and structuring
  • Using data, including analysis, consultation, testing, automated decision making, and profiling
  • Updating data, including correcting, adaption, alteration, alignment, and combination
  • Protecting data, including restricting, encrypting, and security testing
  • Sharing data, including disclosure, dissemination, allowing access, or otherwise making available
  • Returning data to the data exporter or data subject
  • Erasing data, including destruction and deletion

Duration of Processing:

Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws.

Annex I(C) - Competent Supervisory Authority

The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.

Annex II - Technical and Organizational Security Measures

See Security Policy
