DATA PROCESSING AGREEMENT (DPA)

Between:

Data Controller: [CLIENT NAME] ("Controller" or "Client")
Data Processor: Cognitiva Systems Inc. ("Processor" or "Cognitiva")

Effective Date: 15 April 2026
Agreement Term: Duration of Services Agreement

RECITALS

WHEREAS:

A. Controller has entered into an agreement with Processor for the provision of CognitivaOS platform services ("Services Agreement");

B. In providing Services, Processor will process Personal Data on behalf of Controller;

C. The parties wish to ensure such processing complies with applicable Data Protection Laws;

D. This Data Processing Agreement ("DPA") governs Processor's obligations regarding Personal Data processing.

NOW THEREFORE, the parties agree as follows:

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

"Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including:

EU General Data Protection Regulation (GDPR) (Regulation 2016/679)
UK Data Protection Act 2018 and UK GDPR
California Consumer Privacy Act (CCPA) as amended by CPRA
Other applicable privacy laws in jurisdictions where Services are provided

"Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.

"Processing" has the meaning given in applicable Data Protection Laws.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Sub-processor" means any third party appointed by Processor to process Personal Data on Controller's behalf.

"Standard Contractual Clauses" (SCCs) means:

EU SCCs: Commission Implementing Decision 2021/914
UK IDTA: UK International Data Transfer Addendum

"Supervisory Authority" means the relevant data protection regulatory authority.

1.2 Interpretation

Terms not defined here have meanings in Services Agreement
Headings are for convenience only
References to "include" mean "include without limitation"

2. SCOPE AND ROLES

2.1 Controller Role

Controller:

Determines purposes and means of Personal Data processing
Is responsible for compliance with Data Protection Laws
Issues documented instructions to Processor
Ensures lawful basis for processing exists

2.2 Processor Role

Processor:

Processes Personal Data only on documented Controller instructions
Complies with this DPA and Data Protection Laws
Implements appropriate technical and organizational measures
Assists Controller in meeting Data Protection Law obligations

2.3 Scope of Processing

Processing Activities:

Hosting and storing campaign execution data
Providing CognitivaOS platform functionality
Facilitating communication and workflow management
Generating reports and analytics
Providing customer support

NOT Included:

Anonymization and commercialization of data (Controller role per separate agreement)
Intelligence Platform AI services (separate processor arrangement if applicable)

3. CONTROLLER INSTRUCTIONS

3.1 Documented Instructions

Processor shall process Personal Data only:

As documented in this DPA
As necessary to provide Services per Services Agreement
As set forth in Annex A (Processing Details)
As instructed by Controller in writing (email acceptable)

3.2 Unlawful Instructions

If Processor believes an instruction violates Data Protection Laws:

Processor will promptly inform Controller
Processor may refuse to comply with instruction
Parties will discuss lawful alternative approach
Controller may not hold Processor liable for non-compliance with unlawful instruction

3.3 Additional Instructions

Controller may issue additional written instructions:

Via email to dpa@cognitiva.systems
Instructions must be specific and documented
Processor will confirm receipt within 48 hours
Processor may charge reasonable fees for materially increased processing scope

4. CONFIDENTIALITY

4.1 Personnel Obligations

Processor ensures that personnel authorized to process Personal Data:

Are bound by confidentiality obligations (contractual or statutory)
Receive appropriate data protection training
Access Personal Data only as needed for their role
Understand consequences of unauthorized disclosure

4.2 Confidentiality Survival

Confidentiality obligations survive termination of this DPA indefinitely.

5. SECURITY MEASURES

5.1 Technical and Organizational Measures

Processor implements appropriate technical and organizational measures to ensure security level appropriate to risk, including:

Access Control:

Role-based access control (RBAC)
Multi-factor authentication (MFA)
Least privilege principle
Regular access reviews
Automated session termination

Encryption:

Data in transit: TLS 1.3 or higher
Data at rest: AES-256 encryption
Database encryption
Encrypted backups

Network Security:

Firewall protection
Intrusion detection systems (IDS)
DDoS mitigation
Virtual Private Cloud (VPC) isolation
Network segmentation

Application Security:

Secure development lifecycle
Code review and testing
Regular vulnerability scanning
Annual penetration testing
Bug bounty program

Physical Security:

Data centers with 24/7 monitoring
Biometric access controls
Video surveillance
Environmental controls
Redundant power and cooling

Organizational:

Background checks for security-sensitive roles
Security awareness training
Incident response procedures
Business continuity planning
Disaster recovery testing

5.2 Security Documentation

Detailed security measures are documented in Annex B.

Controller may request:

Security questionnaire completion
SOC 2 Type II report (if available)
ISO 27001 certificate (if available)
Security audit results (subject to confidentiality)

5.3 Security Updates

Processor may update security measures:

To address evolving threats
To adopt improved technologies
To meet regulatory requirements

Notification: Material security changes will be communicated to Controller.

6. SUB-PROCESSORS

6.1 General Authorization

Controller grants general authorization for Processor to engage Sub-processors, subject to:

Compliance with this Section 6
Current Sub-processor list (Annex C)
Notification and objection rights

6.2 Sub-processor Obligations

Processor ensures Sub-processors:

Are bound by written contract imposing substantially same obligations as this DPA
Implement appropriate technical and organizational measures
Comply with applicable Data Protection Laws
Allow audits and inspections

Processor Liability:
Processor remains fully liable to Controller for Sub-processor performance.

6.3 Sub-processor List

Current Sub-processors: See Annex C

Categories:

Cloud infrastructure providers (AWS, GCP)
Payment processors (Stripe)
Customer support tools
Security monitoring services

6.4 New Sub-processors

Notification:

At least 30 days written notice before engaging new Sub-processor
Notice includes: name, location, processing activities

Objection:

Controller may object within 15 days of notice on reasonable data protection grounds
Parties will discuss in good faith
If unresolved, Controller may terminate Services Agreement with 30 days notice

No Objection:
Failure to object within 15 days constitutes acceptance.

7. DATA SUBJECT RIGHTS

7.1 Assistance Obligation

Processor will assist Controller in responding to Data Subject requests to exercise:

Right of access (GDPR Article 15)
Right to rectification (GDPR Article 16)
Right to erasure (GDPR Article 17)
Right to restriction (GDPR Article 18)
Right to data portability (GDPR Article 20)
Right to object (GDPR Article 21)
Rights related to automated decision-making (GDPR Article 22)
Equivalent rights under other Data Protection Laws

7.2 Assistance Process

Controller Requests:

Controller contacts Processor at dpa@cognitiva.systems
Specifies Data Subject identity and right being exercised
Provides necessary information for Processor to locate data

Processor Response:

Acknowledges request within 48 hours
Provides requested information/assistance within 10 business days
Uses reasonable efforts to facilitate Controller's response to Data Subject

Fees:

No fee for assistance with reasonable number of requests
Processor may charge reasonable fees for excessive or complex requests

7.3 Direct Requests

If Processor receives Data Subject request directly:

Processor will redirect Data Subject to Controller (unless prohibited by law)
Processor will notify Controller promptly
Processor will not respond without Controller instruction (except as required by law)

8. PERSONAL DATA BREACH

8.1 Notification Obligation

Personal Data Breach: Any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

Processor Obligation:

Notify Controller without undue delay, and in any event within 48 hours of becoming aware of Personal Data Breach
Notification to: [Controller designated email in Annex A]

8.2 Breach Notification Content

Notification shall include (to extent available):

Nature of breach and categories/approximate number of affected Data Subjects
Likely consequences of breach
Measures taken or proposed to address breach
Contact point for more information
Timeline of breach detection and response

8.3 Investigation and Remediation

Processor will:

Investigate breach promptly and thoroughly
Take reasonable steps to mitigate harm
Provide updates to Controller as investigation progresses
Cooperate with Controller's breach response
Implement measures to prevent recurrence

Documentation:
Processor will document all Personal Data Breaches, even if not notifiable.

8.4 Controller Responsibilities

Controller is responsible for:

Determining whether to notify Supervisory Authority (GDPR Article 33)
Determining whether to notify affected Data Subjects (GDPR Article 34)
Complying with applicable breach notification laws

Processor will reasonably assist Controller with these determinations and notifications.

9. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

9.1 Assistance Obligation

Where Data Protection Laws require Controller to conduct DPIA, Processor will provide reasonable assistance, including:

Information about processing activities
Technical and organizational measures
Security controls and safeguards
Sub-processor information
Data flow diagrams

9.2 Prior Consultation

If DPIA indicates high risk and Controller must consult Supervisory Authority, Processor will provide reasonable assistance with consultation.

9.3 Fees

No separate fee for reasonable DPIA assistance. Excessive requests may incur fees.

10. AUDITS AND INSPECTIONS

10.1 Audit Rights

Controller (or independent third-party auditor) may:

Audit Processor's compliance with this DPA
Inspect Processor's processing facilities
Review Processor's security measures
Interview Processor personnel (with consent)

Frequency: Once per year, or more frequently if required by Data Protection Laws or if reasonable cause exists.

10.2 Audit Process

Notice:

Controller provides at least 30 days advance written notice
Specifies scope, proposed dates, auditor identity

Coordination:

Parties mutually agree on audit date and logistics
Audit during normal business hours
Processor may require confidentiality agreement from auditor

Scope Limitations:

Audits limited to Processor's processing of Controller's Personal Data
No access to other clients' data
No access to Processor's proprietary information unrelated to DPA compliance
No disruption to Processor's operations or other clients

10.3 Audit Reports

Alternative to Audit: Processor may satisfy audit requirement by providing:

SOC 2 Type II report
ISO 27001 certificate
Third-party security audit report

If reports adequately demonstrate compliance, on-site audit may not be necessary.

10.4 Costs

Controller Costs:

Controller bears own costs of audit
Controller bears auditor fees

Processor Costs:

Processor bears cost of reasonable cooperation
Processor may charge for excessive or disruptive audits

10.5 Remediation

If audit reveals non-compliance:

Processor will implement corrective measures within reasonable timeframe
Processor will provide status updates
Follow-up audit at no cost if material non-compliance found

11. INTERNATIONAL DATA TRANSFERS

11.1 Transfer Locations

Processor may transfer Personal Data to:

United States (Processor location)
Countries where Sub-processors are located (see Annex C)

11.2 Transfer Mechanisms

For Transfers from EEA/UK to Third Countries:

Processor implements appropriate safeguards:

Standard Contractual Clauses (SCCs):
- EU SCCs (Commission Decision 2021/914) - Annex D
- UK IDTA (if applicable) - Annex E
Supplementary Measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Pseudonymization where feasible
- Access controls and logging
- Transfer impact assessments (TIAs)
- Contractual commitments to resist overbroad government demands
EU-U.S. Data Privacy Framework:
- If Processor is certified, certification as additional safeguard
- Current status: [INDICATE IF CERTIFIED]

11.3 Adequacy Decisions

If EU Commission or UK adopts adequacy decision for a transfer destination:

Transfers may rely on adequacy decision
SCCs remain in place as fallback

11.4 Transfer Impact Assessments (TIA)

Processor has conducted TIAs for transfers to:

United States
[Other third countries as applicable]

TIA Conclusions:

Encryption prevents government access to plaintext Personal Data
Limited personal data in transferred datasets
Supplementary measures adequate to ensure GDPR-level protection

TIA Updates:

Reviewed annually
Reviewed when legislation changes
Reviewed when new transfer destinations added

11.5 Government Access Requests

Processor Commitments:

If Processor receives government access request for Controller's Personal Data:

Notify Controller:
- Promptly (unless legally prohibited)
- Before complying (unless legally prohibited)
- Provide copy of request (unless legally prohibited)
Challenge Overbroad Requests:
- Seek legal advice
- Invoke applicable legal protections
- Request governmental authority to narrow scope
Minimize Disclosure:
- Disclose only minimum data legally required
- Resist blanket or disproportionate demands

Transparency Reporting:

Annual transparency report on government requests
Aggregated statistics (number, type, outcome)

12. DATA RETURN AND DELETION

12.1 Return Option

Upon termination or expiry of Services Agreement, Controller may request:

Data Return:

Format: JSON, CSV, or other machine-readable format
Method: Secure download link or encrypted transfer
Timeframe: Within 30 days of request
Cost: No additional fee

Certified Deletion:

Deletion of all Personal Data
Written certification of deletion
Timeframe: Within 90 days of termination
Cost: No additional fee

12.2 Deletion Process

Processor will delete Personal Data by:

Securely overwriting data
Cryptographic erasure (destroying encryption keys)
Physical destruction of media (when retired)

Backup Deletion:

Backups containing Personal Data deleted within 90 days
Automatic backup overwrite cycle

12.3 Exceptions to Deletion

Processor may retain Personal Data to extent:

Required by applicable law (e.g., tax, audit, financial records)
Necessary for establishment, exercise, or defense of legal claims
Stored in backup systems (deleted within 90 days)

Retained Data:

Isolated and access-restricted
Not used for processing purposes
Deleted when legal requirement expires

12.4 Anonymized Data

Data that has been irreversibly anonymized (per Privacy Policy Section 8) is not Personal Data and is not subject to deletion obligations.

13. PROCESSOR'S WARRANTIES

13.1 Compliance Warranty

Processor warrants that:

Processing will comply with this DPA
Processing will comply with Data Protection Laws
Personnel are properly trained on data protection
Technical and organizational measures are implemented as described
Sub-processors are contractually bound

13.2 No Other Warranties

Except as expressly stated in Section 13.1:

Processor makes no other warranties regarding:

Fitness for particular purpose of Personal Data
Accuracy or completeness of Personal Data (Controller's responsibility)
Results achievable using Services

14. LIABILITY AND INDEMNIFICATION

14.1 Liability Under GDPR

Controller Liability to Data Subjects:

GDPR Article 82(2): Controller liable for damage caused by processing that violates GDPR and is attributable to Controller

Processor Liability to Data Subjects:

GDPR Article 82(2): Processor liable for damage caused by processing that violates GDPR and is attributable to Processor

Joint Liability:

Where both responsible, Controller and Processor are jointly and severally liable
Party that paid compensation may claim back from other party the portion attributable to that party

14.2 Liability Between Parties

Processor Liability to Controller:

Processor is liable to Controller for damage caused by:

Breach of this DPA
Processing outside or contrary to Controller's lawful instructions
Failure to implement appropriate technical and organizational measures

Liability Cap:

Processor's liability under this DPA is limited to the greater of:

Fees paid by Controller in 12 months prior to claim, OR
$100,000 USD

Exceptions:

Liability cap does NOT apply to:
- Processor's gross negligence or willful misconduct
- Breach of confidentiality
- Violation of Data Protection Laws where no cap permitted by law

14.3 Indemnification

Processor Indemnification:

Processor indemnifies Controller against:

Fines imposed by Supervisory Authority for Processor's violation of Data Protection Laws
Claims by Data Subjects for damage caused by Processor's violation
Legal costs incurred defending against such claims

Conditions:

Controller provides prompt notice
Processor has control of defense
Controller provides reasonable cooperation

Exclusions:

No indemnity if breach caused by Controller's instructions or actions

15. TERM AND TERMINATION

15.1 Term

This DPA:

Begins: On effective date of Services Agreement
Continues: For duration of Services Agreement and any renewal
Survives: For duration of Personal Data retention

15.2 Termination

This DPA terminates:

Upon termination of Services Agreement
90 days after final deletion of all Personal Data (whichever is later)

Early Termination:

Controller may terminate this DPA immediately if:

Processor materially breaches DPA
Supervisory Authority orders cessation of processing
Transfer safeguards become invalid and no alternative exists

15.3 Effect of Termination

Upon termination:

Processor ceases all processing (except retention per Section 12.3)
Processor returns or deletes Personal Data per Controller instruction
Obligations in Sections 4 (Confidentiality), 12 (Data Return), 14 (Liability) survive

16. GENERAL PROVISIONS

16.1 Relationship to Services Agreement

Precedence: In case of conflict between this DPA and Services Agreement:

This DPA prevails on data protection matters
Services Agreement prevails on other matters

Incorporation: This DPA is incorporated into and forms part of Services Agreement.

16.2 Amendments

DPA Amendments:

This DPA may be amended:

By written agreement of both parties
By Processor to reflect changes in Data Protection Laws (with 30 days notice)

SCC Amendments:

If EU Commission or UK government updates Standard Contractual Clauses:

Updated SCCs automatically apply
Parties will execute updated SCCs within 60 days

16.3 Severability

If any provision is held invalid or unenforceable:

Provision modified to minimum extent to make valid
Remaining provisions remain in full force

16.4 Governing Law

This DPA is governed by same law as Services Agreement, except:

SCCs governed by law specified in SCCs
Where Data Protection Laws impose specific requirements

16.5 Dispute Resolution

Disputes regarding this DPA resolved per Services Agreement dispute resolution provisions, except:

Data Subjects may enforce rights directly per Data Protection Laws
Supervisory Authorities have jurisdiction per Data Protection Laws

16.6 Notices

To Controller: [Email in Annex A]

To Processor:
Cognitiva Systems Inc.
dpa@cognitiva.systems

Notices effective upon email receipt confirmation.

17. SCHEDULES AND ANNEXES

This DPA includes the following annexes:

Annex A: Processing Details
Annex B: Technical and Organizational Measures
Annex C: Sub-processor List
Annex D: EU Standard Contractual Clauses (if applicable)
Annex E: UK International Data Transfer Addendum (if applicable)

EXECUTION

CONTROLLER:

By: ___________________________
Name: [Print Name]
Title: [Title]
Date: [Date]

PROCESSOR:

Cognitiva Systems Inc.

By: ___________________________
Name: [Authorized Signatory]
Title: [Title]
Date: [Date]

ANNEX A: PROCESSING DETAILS

1. Subject Matter of Processing

Provision of CognitivaOS platform for influencer/creator campaign management.

2. Duration of Processing

Duration of Services Agreement plus data retention period (up to 90 days post-termination).

3. Nature and Purpose of Processing

Hosting and storing campaign execution data
Facilitating workflow management and approvals
Enabling communication between campaign participants
Generating analytics and reports
Providing customer support
Payment coordination (via Stripe sub-processor)

4. Type of Personal Data

Campaign Participants:

Names
Email addresses
Phone numbers (optional)
Social media handles
Profile information
Communication content
Deliverable submissions

Client Users:

Business contact details
Account credentials (hashed)
Usage data
IP addresses

5. Categories of Data Subjects

Client employees/contractors using platform
Influencers/creators participating in campaigns
Brand representatives
Campaign approvers

6. Obligations and Rights of Controller

Controller Contact:

Name: [Insert Contact Name]
Email: [Insert Email]
Role: [Insert Role]

Controller Responsibilities:

Ensure lawful basis for processing
Provide privacy notices to Data Subjects
Respond to Data Subject requests (with Processor assistance)
Determine data retention periods
Issue processing instructions to Processor

ANNEX B: TECHNICAL AND ORGANIZATIONAL MEASURES

1. Access Control

Physical Access:

Data centers with 24/7 security
Biometric access controls
Video surveillance
Visitor logging

System Access:

Role-based access control (RBAC)
Multi-factor authentication (MFA)
Unique user credentials
Automatic session timeout (30 minutes)
Access logging and monitoring

Data Access:

Least privilege principle
Need-to-know basis
Segregation of duties
Regular access reviews (quarterly)

2. Transmission Control

Encryption in Transit:

TLS 1.3 for all data transmission
Certificate pinning for mobile apps
VPN for administrative access
Encrypted backup transfers

Network Security:

Firewall protection
Intrusion detection/prevention systems
DDoS mitigation
Network segmentation

3. Input Control

Data Entry:

User activity logging
Change tracking for sensitive operations
Approval workflows for critical changes

Data Quality:

Input validation
Format checks
Duplicate detection

4. Availability Control

Backup and Recovery:

Daily automated backups
Geographic redundancy
30-day backup retention
Quarterly recovery testing

Business Continuity:

Disaster recovery plan
Failover systems
99.5% uptime target
Incident response procedures

5. Separation Control

Data Isolation:

Multi-tenant architecture with logical separation
Workspace-based data isolation
Client data not commingled
Separate encryption keys per tenant

6. Pseudonymization

User IDs tokenized
IP addresses hashed in logs
Optional field-level encryption

7. Encryption

At Rest:

AES-256 encryption
Encrypted databases
Encrypted file storage
Encrypted backups

Key Management:

Hardware Security Modules (HSM)
Key rotation (annually)
Separate keys per tenant
Secure key destruction

8. Incident Response

Detection:

24/7 security monitoring
Automated anomaly detection
Log analysis (SIEM)

Response:

Incident response team
Documented procedures
Escalation protocol
Post-incident review

9. Personnel

Training:

Data protection training (annually)
Security awareness training (quarterly)
Phishing simulations
Incident response drills

Obligations:

Confidentiality agreements
Background checks (security-sensitive roles)
Clear desk policy
Acceptable use policy

10. Testing and Evaluation

Security Testing:

Vulnerability scanning (monthly)
Penetration testing (annually)
Code security reviews
Dependency vulnerability monitoring

Compliance:

Internal audits (semi-annually)
External audits (annually)
SOC 2 Type II (if available)
ISO 27001 certification (if available)

ANNEX C: SUB-PROCESSOR LIST

Last Updated: 15 April 2026

Current Sub-Processors

Sub-Processor	Service	Location	Processing Activity
Amazon Web Services (AWS)	Cloud Infrastructure	United States, [Other Regions]	Hosting, storage, compute
Google Cloud Platform (GCP)	Cloud Infrastructure	United States, [Other Regions]	Hosting, storage, compute
Stripe, Inc.	Payment Processing	United States	Payment coordination (card data held by Stripe)
[Support Tool]	Customer Support	[Location]	Support ticket management
[Security Tool]	Security Monitoring	[Location]	Threat detection, logging

Sub-Processor Safeguards

Each Sub-processor:

Is contractually bound to GDPR-equivalent obligations
Implements appropriate technical and organizational measures
Undergoes security assessment before engagement
Is subject to ongoing monitoring and audits

Standard Contractual Clauses

For Sub-processors in third countries without adequacy decision:

EU SCCs executed (Module 2: Controller-to-Processor or Module 3: Processor-to-Processor)
UK IDTA executed (if UK data processed)

Updates

Controller will be notified of Sub-processor changes per Section 6.4 of main DPA.

Notification Email: [Controller email from Annex A]

ANNEX D: EU STANDARD CONTRACTUAL CLAUSES

[INSERT EU Standard Contractual Clauses - Commission Implementing Decision 2021/914]

Module Used: Module 2 (Controller to Processor)

Docking Clause: [Specify if applicable]

Optional Clauses: [Specify which optional clauses selected]

ANNEX E: UK INTERNATIONAL DATA TRANSFER ADDENDUM

[INSERT UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses]

Version: [Current IDTA version]

Tables:

Table 1: Parties
Table 2: Selected SCCs, Modules and Selected Clauses
Table 3: Appendix Information
Table 4: Ending this Addendum

END OF DATA PROCESSING AGREEMENT

Version: 2.0
Last Updated: 15 April 2026

Data Processing Addendum