This Data Processing Addendum ("DPA") supplements the BotPM.ai Terms of Service or executed order form between Dritarr Inc ("Processor") and the customer entity ("Controller"). It addresses the processing of Personal Data in connection with BotPM.ai (the "Service") and is intended to satisfy obligations under the EU GDPR, the UK GDPR, the Swiss FADP, and applicable U.S. state privacy laws (including the CCPA/CPRA where the Processor acts as a Service Provider).
Download a printable copy
A printable PDF of the current DPA is available at /legal/botpm-dpa.pdf. For a counter-signed copy executed against your entity name, email hello@botpm.ai.
1. Definitions
Capitalized terms have the meanings given in the GDPR (Articles 4 and 28) where applicable. "Customer Personal Data" means Personal Data submitted to or generated by the Service that the Controller is responsible for under applicable Data Protection Laws.
2. Roles and processing scope
The Controller determines the purposes and means of processing. The Processor processes Customer Personal Data only on the Controller's documented instructions, including those reflected in the Service configuration, the documentation, and the order form.
- Subject matter: Provision of the Service.
- Duration: The term of the Agreement plus any retention required by law.
- Nature and purpose: Hosting, processing, and AI-assisted analysis of project-management content.
- Categories of data subjects: Controller's personnel, contractors, customers, and end users referenced in submitted content.
- Categories of Personal Data: Identification data, contact data, professional data, and any Personal Data the Controller chooses to submit.
3. Sub-processors
The Controller authorizes the use of the sub-processors listed at /legal/subprocessors. The Processor will give at least 30 days' advance notice of changes via the published list and email subscription. The Controller may object on reasonable data-protection grounds; the parties will work in good faith to resolve the objection.
4. International transfers
Where Customer Personal Data is transferred from the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2 — Controller to Processor) and the UK International Data Transfer Addendum, with the relevant fields completed by reference to this DPA and the Order Form.
5. Security
The Processor maintains technical and organizational measures appropriate to the risk, including access controls, encryption in transit, encryption at rest for production stores, role-based access, audit logging, vulnerability management, and personnel confidentiality obligations. A current summary of controls is available under NDA via the Trust & Security page.
6. Personal Data Breach
The Processor notifies the Controller without undue delay (and in any case within 72 hours of becoming aware) of a confirmed Personal Data Breach affecting Customer Personal Data, with the information then available.
7. Data subject rights and assistance
The Processor provides reasonable assistance to enable the Controller to respond to data subject requests via in-product tooling and the request channel at /legal/data-requests.
8. Audits
The Processor will make available information necessary to demonstrate compliance with Article 28 GDPR and allow for audits, including by providing third-party reports under NDA when available. On-site audits may be requested no more than once per year and at the Controller's expense.
9. Return or deletion
On termination of the Agreement, the Processor will, at the Controller's choice, delete or return all Customer Personal Data, subject to legal retention obligations and routine backup cycles.
10. CCPA / CPRA
The Processor acts as a Service Provider under the CCPA/CPRA. It will not sell or share Customer Personal Data; retain, use, or disclose it outside the direct business relationship; or combine it with Personal Data from other sources except as permitted by the CCPA.
This DPA is provided for transparency and procurement review. For execution, request a counter-signed copy at hello@botpm.ai.