KODA TECHNOLOGIES, INC.
DATA PROCESSING ADDENDUM

Effective as of January 29, 2026

This Data Processing Addendum ("DPA") forms part of the Griddy Terms of Use and applies when Koda Technologies, Inc. ("Company", "we", "us", or "our") processes Personal Data on behalf of a Customer that uses the Griddy service (the "Service"). For individual users not acting in a business capacity, this DPA does not apply. Capitalized terms not defined here have the meanings given in the Terms of Use.

1. ROLES AND SCOPE

Customer is the "Controller" of Personal Data submitted to or processed through the Service, and Company is the "Processor" as those terms are defined under the GDPR and similar laws. This DPA applies only to Personal Data that Company processes on behalf of Customer in connection with the Service.

Customer is responsible for determining the purposes and means of processing, ensuring it has a lawful basis for processing, and providing required notices to Data Subjects.

2. PROCESSING INSTRUCTIONS

Company will process Personal Data only in accordance with Customer's documented instructions, including as necessary to provide the Service, maintain and improve the Service, provide support, prevent abuse, and comply with applicable law. Customer's instructions are documented in the Terms of Use, this DPA, and any support requests or tickets submitted by Customer.

The categories of data subjects, types of Personal Data, processing activities, and duration are described in Annex I.

3. CONFIDENTIALITY

Company will ensure that personnel authorized to process Personal Data are bound by confidentiality obligations appropriate to the nature of the data and will access Personal Data only as needed to provide the Service.

4. SECURITY

Company implements commercially reasonable technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A summary of security measures is provided in Annex II. Company may update its security measures from time to time, provided such updates do not materially reduce overall protection.

5. SUB-PROCESSORS

Customer authorizes Company to engage sub-processors to process Personal Data to provide the Service. A current list of sub-processors is available in our Privacy Policy. We will provide notice of new sub-processors to Teams customers with a DPA at least thirty (30) days in advance, and Customer may object in writing during the notice period.

If Customer objects to a new sub-processor, the parties will work in good faith to resolve the objection. If no resolution is possible, Customer may terminate the affected portion of the Service.

6. DATA SUBJECT REQUESTS

Customer is responsible for responding to requests from Data Subjects to exercise their rights. Company will provide reasonable assistance to Customer to respond to such requests, to the extent Customer cannot do so through the Service.

7. BREACH NOTIFICATION

Company will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Customer and will provide information reasonably requested by Customer.

8. INTERNATIONAL TRANSFERS

The Service is hosted in the United States, and Personal Data may be transferred to and processed in the United States and other jurisdictions. For transfers of Personal Data from the EEA, Switzerland, or the UK to countries that do not provide an adequate level of protection, the EU Standard Contractual Clauses (Module Two, Controller-to-Processor) are incorporated by reference into this DPA. For UK transfers, the UK Addendum to the EU SCCs applies.

You can view the official SCCs and the UK Addendum at the links below.

9. DELETION OR RETURN

Upon termination of the Service, Company will delete or return Customer's Personal Data within ninety (90) days, unless retention is required by law or for legitimate business purposes (e.g., dispute resolution, security, or enforcement). Prompt text and limited metadata are retained for up to thirty (30) days for support, debugging, and abuse prevention, then deleted or anonymized.

10. AUDIT AND COMPLIANCE

Company will make available information reasonably necessary to demonstrate compliance with this DPA and will allow audits by Customer or Customer's auditor at reasonable intervals, subject to confidentiality obligations and reasonable limitations designed to protect the security, privacy, and operations of the Service. On-site audits, if any, will be at Customer's expense and subject to mutually agreed scope and timing.

11. PRECEDENCE

This DPA is incorporated into and forms part of the Terms of Use. If there is a conflict between this DPA and the Terms of Use with respect to the processing of Personal Data, this DPA will control.

ANNEXES

Annex I: Details of Processing

Data Exporter (Customer): The entity that has entered into the Terms of Use and this DPA.

Data Importer (Company): Koda Technologies, Inc., 850 New Burton Road, Suite 201, Dover, DE 19904, United States.

Categories of Data Subjects:

  • Customer's end users and team members
  • Customer account administrators
  • Customer contacts who communicate with support

Categories of Personal Data:

  • Account data (name, email, authentication details)
  • Prompt text and related metadata (retained up to 30 days)
  • Usage metadata (token usage, model identifiers, latency, billing records)
  • Support communications
  • Device identifiers, IP address, and fraud prevention signals

We do not store full spreadsheet files; prompt text and limited metadata may include excerpts provided by the Customer.

Special Categories of Data: Not intended to be processed. Customer must not upload regulated data such as protected health information (HIPAA) or payment card data (PCI) unless a separate agreement is in place.

Processing Activities: Hosting, inference processing, support, security, abuse prevention, billing, and service analytics.

Duration: For the term of the Service plus up to ninety (90) days.

Annex II: Security Measures

  • Encryption in transit (TLS) and encryption at rest where supported
  • Access controls and least-privilege permissions
  • Secure authentication and logging
  • Vulnerability management and security monitoring
  • Backups and disaster recovery procedures

Annex III: Sub-processors

A current list of sub-processors is available in our Privacy Policy: getgriddy.ai/privacy.

CONTACT

For DPA inquiries, please contact will@getgriddy.ai.