Data Processing Addendum

Last Updated: January 13, 2026

This Data Processing Addendum with its appendices (together, this "DPA") is incorporated into the Software as a Service Agreement (or other electronic or mutually executed written agreement) between Ribera AI Inc ("Ribera AI") and Customer that references it (the "Agreement"). This DPA is effective as of the effective date of the Agreement.

1. Data Processing

1.1 Scope and Roles

This DPA applies when Ribera AI Processes Customer Personal Data in providing the Services under the Agreement to Customer. The Parties agree that Ribera AI is a Processor and Customer is a Controller with respect to the Processing of Customer Personal Data. For purposes of applicable Canadian Data Protection Laws, each Party acts as an "organization" within the meaning of such laws, and Ribera AI Processes Customer Personal Data on Customer's behalf.

1.2 Processing Details

Ribera AI will only Process Customer Personal Data in accordance with the Agreement, this DPA (including, if the CCPA applies to Customer's use of the Services, Appendix A, and if the Canadian Data Protection Laws apply to Customer's use of the Services, Appendix B), and the Order Forms (together, the "Documented Instructions"). Ribera AI will promptly inform Customer if it becomes aware that the Documented Instructions violate Data Protection Laws.

1.3 Customer Obligations

Customer is responsible for ensuring that no Sensitive Personal Data (defined in Data Protection Laws) is submitted to Ribera AI for Processing and for providing notice and obtaining any required consents from Data Subjects with respect to the processing of their Personal Data.

1.4 Compliance with Laws

Each Party will comply with all the Data Protection Laws applicable to its performance under this DPA.

1.5 Cross-Border Processing

Customer acknowledges and agrees that Customer Personal Data may be transferred to, accessed from, and Processed in the United States or other jurisdictions outside Canada. Ribera AI will implement reasonable contractual, technical, and organizational measures designed to provide a level of protection for Customer Personal Data that is comparable to that required under applicable Canadian Data Protection Laws, taking into account the sensitivity of the Personal Data, the purposes of Processing, and the legal regime of the destination jurisdiction. Upon Customer's reasonable request, Ribera AI will provide information reasonably necessary to enable Customer to conduct a privacy impact assessment or transfer risk assessment required under applicable Canadian Data Protection Laws.

1.6 Accountability and Privacy Governance

Ribera AI will maintain a privacy governance framework appropriate to the nature and volume of Customer Personal Data Processed, including internal policies, access controls, and training measures designed to ensure compliance with applicable Canadian Data Protection Laws. Upon reasonable request, Ribera AI will provide Customer with a summary description of such measures to the extent required for Customer's compliance obligations.

2. Duration

This DPA remains in effect until the later of (a) the expiration or termination of the Agreement, and (b) the return or deletion of Customer Personal Data in accordance with Section 6.

3. Security and Confidentiality

Ribera AI will implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access (the "Technical and Organizational Measures"). Ribera AI will take appropriate steps to ensure compliance with the Technical and Organizational Measures by its employees, agents, contractors, and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data have agreed to appropriate confidentiality obligations.

4. Subprocessors

4.1 Subprocessor Authorization

Customer generally authorizes Ribera AI to engage Subprocessors in accordance with this Section 4 and approves Ribera AI's use of the Subprocessors listed in the Subprocessors List. Ribera AI will update the Subprocessors List at least 30 days before appointing a new Subprocessor and will provide Customer with a mechanism to receive notifications of new Subprocessors (a "Change Notice"), which today is available through the Subprocessors List. The Subprocessors List will identify the jurisdiction(s) in which each Subprocessor Processes Customer Personal Data.

4.2 Objections to Subprocessors

Customer may object to a new Subprocessor on reasonable grounds related to the protection of Customer Personal Data by sending an email to [email protected] describing its legitimate, good-faith objection within 15 days of a Change Notice (an "Objection Notice"), in which case Ribera AI may satisfy the objection by (a) not using the new Subprocessor to Process Customer Personal Data; (b) taking corrective steps requested by Customer in its Objection Notice; or (c) ceasing to provide the parts of the Services that involve the new Subprocessor Processing Customer Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering their reduced scope. If none of the options outlined above are reasonably available and Customer's objection has not been resolved to the Parties' mutual satisfaction within 15 days of Ribera AI's receipt of the Objection Notice, either Party may terminate the affected Order Form without penalty. If Customer does not provide a timely Objection Notice, Customer will be deemed to have authorized Ribera AI's use of the Subprocessor and to have waived its right to object.

4.3 Subprocessor Requirements

Ribera AI will enter into a written agreement with each Subprocessor that contains data protection obligations equivalent to those in this DPA. Ribera AI will be liable for the actions and omissions of its Subprocessors undertaken in connection with Ribera AI's performance under this DPA to the same extent Ribera AI would be liable if performing the Services directly.

5. Individual Rights Requests

If Ribera AI receives a Data Subject Request, or other request from an individual exercising rights under applicable Canadian Data Protection Laws (including rights of access, correction, or withdrawal of consent), Ribera AI will (a) advise the Data Subject to submit the request to Customer directly, and (b) promptly notify Customer of the request. Where required by Data Protection Laws, Ribera AI will, on Customer's request and taking into account the nature of Customer Personal Data Processed, provide reasonable assistance to Customer in fulfilling the Data Subject Request to the extent Customer is unable through its use of the Services to address a particular Data Subject Request on its own. To the extent permitted by Applicable Law, Customer will be responsible for any costs arising from Ribera AI's assistance.

6. Data Deletion

Commencing 30 days after the effective date of termination of the Agreement, or upon request by Customer, Ribera AI will initiate a process on Customer's written request that deletes Customer Personal Data retained in production within 90 days and in backups within 180 days. Any Customer Personal Data archived in backups will be isolated and protected from any further Processing, except as otherwise required by Applicable Laws. Notwithstanding the foregoing, to the extent Ribera AI is required by Applicable Laws to retain some or all Customer Personal Data, Ribera AI will not be obligated to delete the retained Customer Personal Data, and this DPA will continue to apply to the retained Customer Personal Data. Customer acknowledges that it is responsible for exporting any Customer Personal Data that Customer wants to retain prior to expiration of the 30-day period referenced in this Section 6 pursuant to the Agreement.

7. Personal Data Breaches

7.1 Breach Notification

Ribera AI will notify Customer without undue delay after becoming aware of a Personal Data Breach. Ribera AI's notification to Customer will describe (a) the nature of the Personal Data Breach, including, if known, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the measures Ribera AI has taken, or plans to take, to respond to and mitigate the Personal Data Breach; (c) any measures Ribera AI recommends that Customer take to address the Personal Data Breach; and (d) information related to Ribera AI's point of contact with respect to the Personal Data Breach. If Ribera AI cannot provide all the information above in the initial notification, Ribera AI will provide the information to Customer as soon as it is available.

7.2 Breach Response

Ribera AI will promptly take all actions relating to its Technical and Organizational Measures that it deems necessary and advisable to identify and remediate the cause of a Personal Data Breach.

7.3 Regulatory Assistance and Records

Ribera AI will maintain records of any confidentiality incident (as defined under applicable Canadian Data Protection Laws) involving Customer Personal Data and will provide reasonable assistance to Customer in meeting its obligations to assess, document, report, and notify such incidents, including notifications to privacy regulators and affected individuals, where required by law.

7.4 General

Ribera AI's notification of or response to a Personal Data Breach will not constitute an acknowledgment of fault or liability with respect to the Personal Data Breach. The obligations in this Section 7.3 do not apply to Personal Data Breaches that are caused by Customer or Authorized Users. Except as may otherwise be required by Applicable Law (including any mandated deadlines under Data Protection Laws), if Customer decides to notify a Supervisory Authority, Data Subjects, or the public of a Personal Data Breach, Customer will make reasonable efforts to provide Ribera AI with advance copies of the notice(s) and allow Ribera AI an opportunity to provide any clarifications or corrections to them.

8. Audits

8.1 Customer's Audit Rights

Customer may request (directly or through a third-party auditor subject to written confidentiality obligations) an audit of Ribera AI to verify Ribera AI's compliance with the terms of this DPA if such an audit is required by Data Protection Laws and Ribera AI's compliance cannot be demonstrated by means that are less burdensome on Ribera AI. Any audit under this section must meet the following requirements:

  • Customer must provide Ribera AI at least 30 days' prior written notice of a proposed audit unless otherwise required by a competent supervisory authority or Data Protection Laws
  • Customer may not perform more than one audit in any 12-month period, except where required by a competent supervisory authority
  • Customer and Ribera AI must mutually agree on the time, scope, and duration of the audit in advance
  • Any audit shall be at Customer's expense and Customer must reimburse Ribera AI for its time expended in connection with an audit at Ribera AI's reasonable professional service rates, which will be made available to Customer on request
  • Customer must ensure that its representatives performing an audit protect the confidentiality of all information obtained through the audit in accordance with the Agreement, execute an enhanced mutually agreeable nondisclosure agreement if requested by Ribera AI, and abide by Ribera AI's security policies while on Ribera AI's premises
  • Customer must promptly disclose to Ribera AI any written audit report created, and any findings of noncompliance discovered, as a result of the audit

Nothing in this Section limits Ribera AI's obligation to cooperate with a privacy regulator or authority having jurisdiction over Customer or the Processing of Customer Personal Data, as required by applicable Canadian Data Protection Laws.

9. Impact Assessments and Prior Consultation

Taking into account the nature of the Processing and the information available to Ribera AI, Ribera AI will, when required by Data Protection Laws, assist Customer with its obligations related to data protection impact assessments (where related to the Services, and only to the extent that Customer does not otherwise have access to the relevant information) and prior consultation with supervisory authorities.

10. Limitation of Liability

Each Party's liability taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.

11. Conflict

In the event of a conflict or inconsistency between the Agreement and this DPA, the terms of the following documents will prevail (in order of precedence): this DPA and then the Agreement.

12. Modifications

Ribera AI may change this DPA where (a) the change is required to comply with an Applicable Law; or (b) the change is commercially reasonable, does not materially reduce the security of the Services, does not change the scope of Ribera AI's processing of Customer Personal Data, and does not have a material adverse impact on Customer's rights under this DPA.

13. Definitions

Capitalized terms not otherwise defined in this DPA or the Agreement have the meanings assigned to them below.

"Canadian Data Protection Laws" means, as applicable:

  • the Personal Information Protection and Electronic Documents Act (Canada)
  • Québec's Act respecting the protection of personal information in the private sector, as amended by Law 25
  • Alberta's Personal Information Protection Act
  • British Columbia's Personal Information Protection Act

"Controller" means the entity that determines the purposes and means of Processing Personal Data.

"Customer Data", if not defined in the Agreement, means data submitted to the Services for Processing by or on behalf of Customer.

"Customer Personal Data" means the Personal Data contained within Customer Data.

"Data Protection Laws" means data protection or privacy laws and regulations directly applicable to a Party's Processing of Personal Data under the Agreement.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Data Subject Request" means a request from a Data Subject exercising a right under Data Protection Laws that relates to Customer Personal Data and identifies Customer.

"Personal Data" means any information relating to an identified or identifiable natural person and includes "personal information" as defined under applicable Canadian Data Protection Laws.

"Personal Data Breach" means a breach of Ribera AI's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

"Process" and "Processing" mean any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, whether or not by automated means.

"Processor" means the entity that Processes Personal Data on behalf of a Controller.

"Subprocessor" means any Processor engaged by Ribera AI or a Ribera AI Affiliate to Process Customer Personal Data on Ribera AI's or its Affiliate's behalf while providing the Services.

"Subprocessors List" means the list of Subprocessors available upon request.

Appendix A – CCPA Terms

These CCPA Terms apply when the California Consumer Privacy Act of 2018, Cal. Civ. Code §§1798.100–1798.199.100, as amended, and the CCPA regulations, Cal. Code Regs. §§7000–7304 (together, the "CCPA") apply to Customer's use of the Services to process the Personal Information contained in Customer Data ("Covered Information"). For the purpose of these CCPA Terms, the terms "Commercial Purpose", "Consumer", "Personal Information", "Sell", "Service Provider", and "Share" have the meanings given to them in the CCPA.

Ribera AI's Obligations

Ribera AI will:

  • not Sell or Share Covered Information
  • process Covered Information only to provide, support, and improve the Services in accordance with the Agreement or Order Forms, or as otherwise permitted under the CCPA
  • not retain, use, or disclose Covered Information (i) for any purpose, including any Commercial Purpose, except to provide, support, and improve the Services in accordance with the Agreement or Order Forms, or as otherwise permitted under the CCPA, (ii) outside the direct business relationship between Ribera AI and Customer, or (iii) in any way prohibited by the CCPA
  • not combine the Covered Information it receives from, or on behalf of, Customer with Personal Information it receives from, or on behalf of, another person or from Ribera AI's own interactions with the Consumer to whom the Personal Information relates, except to the extent a Service Provider is permitted to do so under the CCPA
  • comply with all applicable obligations under, and provide the same level of privacy protection to Covered Information as required by, the CCPA
  • notify Customer if it believes it cannot meet its obligations under the CCPA
  • on Customer's request and taking into account the nature of the Covered Information processed, provide reasonable assistance to Customer in fulfilling consumer requests made under the CCPA to the extent Customer is unable through its use of the Services to address a particular request on its own

Customer's Obligations and Rights

Customer may:

  • only disclose Covered Information to Ribera AI for the limited purpose of using the Services in accordance with the Agreement
  • audit Ribera AI's compliance with its obligations under these CCPA terms by requesting and reviewing (i) copies of or extracts from Ribera AI's audit reports related to the security of the Services, or (ii) other information Ribera AI deems is reasonably necessary to demonstrate Ribera AI's compliance
  • upon notice to Ribera AI, take reasonable and appropriate steps to stop and remediate any unauthorized use of Covered Information by Ribera AI

Appendix B – Processing Details (Canada)

1. Categories of Data Subjects

  • Customer's employees, contractors, agents
  • Customer's end users or clients
  • Other individuals whose Personal Information is submitted to the Services by or on behalf of Customer

2. Categories of Personal Information

  • Contact information (e.g., name, email address, business contact details)
  • Account credentials and identifiers
  • Usage, configuration, and support data
  • Any other Personal Information submitted to the Services by or on behalf of Customer

3. Sensitive Personal Information

The Services are not intended to Process Sensitive Personal Information. Customer determines whether any such data is submitted.

4. Purpose of Processing

  • Provision, operation, maintenance, and support of the Services
  • Security monitoring, incident prevention, and troubleshooting
  • Compliance with applicable legal obligations

5. Processing Activities

  • Collection, storage, hosting
  • Access, retrieval, and use
  • Transmission and disclosure to authorized Subprocessors
  • Deletion and destruction

6. Processing Locations

  • Canada
  • United States
  • Other jurisdictions where authorized Subprocessors are located, as identified in the Subprocessors List

7. Retention

Customer Personal Data is retained in accordance with Section 6 of the DPA and the Agreement.

Québec-Only Enterprise Rider (Law 25 Specific)

This Québec Privacy Rider ("Rider") supplements the DPA and applies solely to Personal Information subject to Québec's Act respecting the protection of personal information in the private sector, as amended by Law 25 ("Québec Personal Information"). In the event of a conflict, this Rider prevails with respect to Québec Personal Information.

1. Delegated Processing

Ribera AI Processes Québec Personal Information solely on Customer's behalf and in accordance with documented instructions, and may not use such information for its own purposes.

2. Confidentiality Incidents

Ribera AI will promptly notify Customer of any confidentiality incident involving Québec Personal Information and provide reasonable cooperation to enable Customer to comply with its obligations to assess, document, report, and notify such incidents under Québec law.

3. Privacy Governance

Ribera AI confirms that it has implemented governance policies and practices regarding the protection of Personal Information, including employee access controls and training measures appropriate to the nature of the Processing.

4. Cross-Border Disclosure

Customer acknowledges that Québec Personal Information may be communicated outside Québec, including to the United States. Ribera AI represents that it has implemented contractual and technical safeguards providing protection comparable to that required under Québec law and will assist Customer, upon reasonable request, with any privacy impact assessment relating to such disclosure.

5. Subcontracting

Ribera AI will ensure that any Subprocessor Processing Québec Personal Information is bound by written obligations consistent with this Rider.

6. Audit and Regulator Cooperation

Ribera AI will reasonably cooperate with the Commission d'accès à l'information or any other competent Québec authority in connection with the Processing of Québec Personal Information, as required by law.

Contact Us

If you have questions or concerns about this Data Processing Addendum, please contact us:

Ribera AI Inc.

2121 E Lohmans Crossing, Suite 504-702

Lakeway, TX 78734

Email: [email protected]

Phone: 858.255.1652
