Data Processing Agreement
Last updated: May 21, 2026
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms and Conditions or any other written agreement (the "Principal Agreement") between the Customer (the "Controller") and Aura Intelligence SL (the "Processor") for the use of the aiDex platform (the "Services"). Where the Customer processes personal data of EU/EEA, UK or Swiss data subjects through the Services, this DPA applies and governs such processing.
1. Parties
- Processor: Aura Intelligence SL
- Tax ID (NIF): B26844217
- Registered office: Plaza de la Coca, 08301 Mataró (Barcelona), Spain
- Registry details: Registered with the Mercantile Registry of Barcelona, Section 8, Sheet B-652848, Entry 1, dated 12 March 2026.
- DPA contact: legal@aidex.chat
- Privacy contact: privacy@aidex.chat
The "Customer" is the legal or natural person identified in the Principal Agreement or, where access to the Services is provided through self-service signup, the legal person on whose behalf an authorised representative accepted the Terms and Conditions.
2. Definitions
Terms not defined herein have the meaning given in the GDPR (Regulation (EU) 2016/679). In particular, "controller", "processor", "data subject", "personal data", "processing", "personal data breach" and "supervisory authority" bear the meanings of Article 4 GDPR.
3. Roles and scope
The Parties acknowledge that, for personal data processed through the Services on behalf of the Customer, the Customer acts as the controller (or, where relevant, as a processor for its own end-controllers) and the Processor acts as the processor (or sub-processor, accordingly).
Personal data of users of the aiDex platform that the Processor processes for its own purposes (account management, billing, security, service improvement) is governed by the Processor's own Privacy Policy and is outside the scope of this DPA.
4. Subject matter, duration, nature and purpose of processing
Subject matter: the personal data submitted by or on behalf of the Customer through the Services (the "Customer Data").
Duration: the term of the Principal Agreement plus the post-termination retention period set out in clause 12 of this DPA.
Nature and purpose: storage, transmission, technical copying, display and onward transmission to the AI providers selected by the Customer, for the purpose of operating the Services (model orchestration, document generation, image generation, web search and related functions).
Categories of data subjects and personal data: as described in Annex 1 (Details of Processing).
5. Processor obligations
The Processor shall:
- Process Customer Data only on documented instructions from the Customer, including with regard to transfers of personal data to third countries. Such documented instructions are set out in the Principal Agreement, in this DPA, and in any subsequent instructions given by the Customer in writing. If the Processor considers that an instruction infringes data-protection law it shall inform the Customer promptly.
- Ensure that persons authorised to process Customer Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organisational measures set out in Annex 2, designed to provide a level of security appropriate to the risk in accordance with Article 32 GDPR.
- Engage sub-processors only in accordance with clause 6 of this DPA.
- Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Articles 15-22 GDPR.
- Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the processing and the information available to the Processor.
- Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits conducted by the Customer or another auditor mandated by the Customer, in accordance with clause 11 of this DPA.
- Upon termination of the Principal Agreement, return or delete all Customer Data in accordance with clause 12 of this DPA.
6. Sub-processors
The Customer grants the Processor a general authorisation to engage the sub-processors listed at https://aidex.chat/subprocessors (the "Sub-processor List") for the processing of Customer Data, subject to the conditions of this clause.
The Processor shall: (a) inform the Customer of any intended changes to the Sub-processor List at least thirty (30) days before the change takes effect by email to the Customer's billing-contact address; (b) impose on each sub-processor, by way of a written contract, data-protection obligations no less protective than those set out in this DPA; (c) remain fully liable to the Customer for the performance of each sub-processor's obligations.
The Customer may object to the engagement of a new sub-processor on reasonable, documented data-protection grounds within fifteen (15) days of receiving the notice. If the Parties cannot agree on a resolution, the Customer may terminate the affected portion of the Services with a pro-rata refund of any prepaid fees.
7. International transfers
Customer Data is stored on infrastructure located in the European Union. Certain sub-processors, principally the AI providers selected by the Customer, may process Customer Data in third countries outside the European Economic Area.
Where personal data is transferred to a third country that is not the subject of a European Commission adequacy decision, the Parties enter into the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914 (Module 2: controller-to-processor or Module 3: processor-to-processor, as applicable), which are incorporated by reference into this DPA, together with such additional safeguards as may be required by case law and guidance of the European Data Protection Board.
For transfers to a recipient certified under the EU-U.S. Data Privacy Framework, the relevant Commission adequacy decision applies and the SCCs serve as a contractual backstop.
8. Security
The Processor shall implement and maintain the technical and organisational measures described in Annex 2 to ensure a level of security appropriate to the risk. The Processor may update those measures from time to time provided that the overall level of security is not materially reduced.
9. Assistance with data subject requests
The Processor shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligations to respond to data subject requests under Articles 15-22 GDPR.
Where the Processor receives a request directly from a data subject relating to Customer Data, it shall forward the request to the Customer without undue delay and shall not respond to the request unless authorised by the Customer or required by applicable law.
10. Personal data breach notification
The Processor shall notify the Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a personal data breach affecting Customer Data. The notification shall include, to the extent then known: (a) the nature of the breach including the categories and approximate number of data subjects concerned, (b) the likely consequences, (c) the measures taken or proposed to address the breach and to mitigate its effects, and (d) a contact point at the Processor.
11. Audit rights
Upon written request, the Processor shall make available to the Customer all information necessary to demonstrate compliance with this DPA and Article 28 GDPR, including the Processor's most recent third-party security audit reports where available.
The Customer may conduct an on-site audit at the Processor's premises once per twelve-month period, with at least thirty (30) days' prior written notice, during normal business hours, in a manner that does not interfere unreasonably with the Processor's operations and subject to confidentiality obligations. The Customer shall bear the costs of the audit unless the audit reveals a material breach of this DPA, in which case the Processor shall bear the Customer's reasonable audit costs.
12. Return or deletion of Customer Data
On termination of the Principal Agreement, or upon written request by the Customer, the Processor shall, at the Customer's option, return all Customer Data to the Customer in a structured, commonly used and machine-readable format, or delete it from the Processor's production systems within thirty (30) days. Encrypted backups containing Customer Data are retained for a maximum of thirty-five (35) days following deletion before being overwritten.
The Processor shall retain Customer Data beyond such period only where required by applicable Union or Member State law, in which case the Processor shall inform the Customer of that legal requirement before processing for that purpose.
13. Liability
The liability of the Parties under this DPA is subject to the liability provisions of the Principal Agreement, save that the limitations therein do not apply to (a) the Parties' direct liability to data subjects under Article 82 GDPR or (b) any administrative fines imposed by a competent supervisory authority on the responsible Party.
14. Term and termination
This DPA shall remain in force for as long as the Processor processes Customer Data on behalf of the Customer. Clauses that, by their nature, are intended to survive termination (including clauses 10, 12 and 13) shall do so.
15. Governing law
This DPA is governed by Spanish law and, where mandatory, by the law of the Member State of establishment of the Customer. The jurisdiction provisions of the Principal Agreement apply mutatis mutandis to disputes arising under this DPA, without prejudice to the data subject's right to bring proceedings under Article 79 GDPR.
Annex 1 — Details of Processing
- Categories of data subjects: Employees, contractors, customers, prospects and other natural persons whose personal data the Customer chooses to submit to the Services.
- Categories of personal data: Identification data (name, email, role); content data submitted by the Customer (prompts, messages, files, including any personal data the Customer chooses to include in such content); technical data necessary to operate the Services (timestamps, IP addresses, browser metadata).
- Special categories: Not processed by design. The Customer shall avoid submitting special-category data (Article 9 GDPR) unless strictly necessary and lawful. If the Customer submits such data, the Customer remains the controller and is responsible for the lawful basis.
- Frequency of processing: Continuous, throughout the term of the Principal Agreement.
- Duration: For the term of the Principal Agreement plus the post-termination retention periods set out in clause 12.
Annex 2 — Technical and Organisational Measures
The Processor applies the following measures, designed having regard to the state of the art, the costs of implementation, the nature of the processing and the risks to data subjects:
- Encryption in transit (TLS 1.2 or higher) for all customer-facing endpoints and for traffic between internal services.
- Encryption at rest for the databases and object storage that hold Customer Data and for customer-supplied (BYOK, bring-your-own-key) AI-provider API keys, using envelope encryption (libsodium-based) in which the key-encryption keys are held in a managed key-management service.
- Role-based access control following the principle of least privilege for the Processor's personnel; access to production data restricted to a named on-call rotation.
- Audit logging of administrative actions on production systems, retained for at least 12 months.
- Multi-factor authentication for all administrative and developer access to production systems.
- Regular vulnerability scanning, dependency-update management and timely patching of known vulnerabilities.
- Backups taken at least daily, encrypted, and tested for restorability on a periodic basis.
- Documented incident-response and breach-notification procedures, exercised periodically.
- Confidentiality and data-protection training for all personnel with access to Customer Data.
- Secure software development lifecycle, including code review and dependency vetting.
Annex 3 — Sub-processors
The authoritative, up-to-date list of sub-processors is published at https://aidex.chat/subprocessors, including for each sub-processor: identity, country of incorporation, processing regions, purpose, whether the engagement is conditional on the Customer providing its own provider key (BYOK) and whether the Standard Contractual Clauses apply.
Changes to that list are notified in accordance with clause 6 of this DPA.