Data Processing Addendum

Last updated: May 18, 2026

This Data Processing Addendum ("DPA") forms part of the Dossium Terms of Service available at:

https://www.dossium.ai/legal/terms

or another written agreement between Unstruk Data, Inc. ("Dossium", "Company", "we", "us", or "our") and the customer using the Dossium services ("Customer", "you", or "your").

This DPA applies to the extent Dossium processes Customer Personal Data on behalf of Customer in connection with Customer's use of the Dossium platform.

By creating an account, using the Service, connecting third-party data sources, uploading content, submitting Customer Data, or otherwise processing Customer Personal Data through the Service, Customer agrees to this DPA.

If Customer has entered into a separately signed agreement with Dossium that expressly governs the processing of Customer Personal Data, that agreement will control to the extent of any conflict.

1. Definitions

"Agreement" means the Dossium Terms of Service, this DPA, and any other written agreement between Customer and Dossium that governs Customer's use of the Service.

"Applicable Data Protection Laws" means privacy, data protection, and data security laws and regulations applicable to the processing of Customer Personal Data under the Agreement. This may include, as applicable, the GDPR, UK GDPR, Swiss data protection laws, the California Consumer Privacy Act as amended by the California Privacy Rights Act, and other U.S. state privacy laws.

"Controller" means the entity that determines the purposes and means of processing Personal Data.

"Customer Data" has the meaning given in the Terms of Service and includes data submitted to, uploaded to, connected to, or processed through the Service by or on behalf of Customer.

"Customer Personal Data" means Personal Data contained in Customer Data that Dossium processes on behalf of Customer as a Processor or Service Provider.

"Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates.

"GDPR" means Regulation (EU) 2016/679.

"Personal Data" means information relating to an identified or identifiable natural person, and includes the equivalent terms used under Applicable Data Protection Laws, such as "personal information" or "personal data."

"Process", "Processed", and "Processing" mean any operation performed on Personal Data, including collection, storage, use, transmission, retrieval, organization, structuring, transformation, indexing, deletion, or disclosure.

"Processor" means the entity that Processes Personal Data on behalf of a Controller.

"Security Incident" means a confirmed breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Dossium.

"Service" means the Dossium platform, APIs, SDKs, hosted services, developer tools, dashboards, connectors, integrations, ingestion pipelines, search and retrieval features, AI-assisted workflows, and related services.

"Service Provider" has the meaning given under applicable U.S. state privacy laws.

"Subprocessor" means a third party engaged by Dossium to process Customer Personal Data on behalf of Customer in connection with the Service.

"UK GDPR" means the GDPR as incorporated into United Kingdom law.

2. Roles of the Parties

As between the parties, Customer is the Controller (or "Business", as that term is used under applicable U.S. state privacy laws) with respect to Customer Personal Data.

Dossium is the Processor or Service Provider with respect to Customer Personal Data.

Customer determines the purposes and means of Processing Customer Personal Data, including what data is submitted to the Service, which data sources are connected, which workflows are configured, which model providers are used, and how outputs are used.

Dossium Processes Customer Personal Data only to provide, secure, support, maintain, and improve the Service in accordance with the Agreement, Customer's documented instructions, and Applicable Data Protection Laws.

3. Customer Instructions

Customer instructs Dossium to Process Customer Personal Data as necessary to provide the Service and as otherwise described in the Agreement.

Customer's instructions include:

  • Creating and managing accounts
  • Connecting data sources
  • Uploading or submitting Customer Data
  • Ingesting, extracting, transforming, embedding, indexing, retrieving, and storing Customer Data
  • Using configured AI model providers and third-party services
  • Generating and storing outputs where required by the Service
  • Providing support, troubleshooting, security, and operational maintenance
  • Deleting, exporting, or modifying Customer Data through supported product or API mechanisms

Dossium will not Process Customer Personal Data for purposes outside the Agreement unless required by law. If Dossium is required by law to Process Customer Personal Data outside Customer's instructions, Dossium will inform Customer unless legally prohibited from doing so.

Customer is responsible for ensuring that its instructions comply with Applicable Data Protection Laws.

4. Description of Processing

The subject matter, nature, purpose, duration, categories of Data Subjects, and types of Customer Personal Data are described in Appendix 1.

Customer acknowledges that the specific Customer Personal Data processed by Dossium depends on Customer's configuration, connected data sources, uploaded content, API usage, selected model providers, and downstream applications.

5. Confidentiality

Dossium will ensure that personnel authorized to Process Customer Personal Data are subject to confidentiality obligations or professional obligations of confidentiality.

Dossium will limit internal access to Customer Personal Data to personnel who need access for customer-requested support, debugging, security, operational, or service delivery purposes.

6. Security Measures

Dossium will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized access, loss, misuse, alteration, disclosure, or destruction.

Current security measures are described in Appendix 2 and in the Dossium Security Policy available at:

https://www.dossium.ai/legal/security

Customer acknowledges that no method of transmission, processing, storage, or access control is completely secure.

Customer is responsible for securing its own accounts, API keys, credentials, connected data sources, applications, user permissions, authentication providers, and downstream systems.

7. Subprocessors

Customer authorizes Dossium to use Subprocessors to provide the Service.

Dossium may use Subprocessors for cloud infrastructure, storage, compute, databases, search, authentication, billing, AI model provider access, monitoring, analytics, support, and other service operations.

Dossium will impose data protection obligations on Subprocessors that are designed to provide a level of protection for Customer Personal Data materially consistent with this DPA, taking into account the nature of the services provided by the Subprocessor.

Dossium maintains a Subprocessor list available at:

https://www.dossium.ai/legal/subprocessors

Dossium may update the Subprocessor list from time to time. Where required by Applicable Data Protection Laws or commercially reasonable under the circumstances, Dossium will provide notice of material Subprocessor changes through the website, email, product notice, or other reasonable means.

Customer may object to a new Subprocessor on reasonable data protection grounds by contacting legal@dossium.ai within 30 days after notice of the new Subprocessor. Dossium will use commercially reasonable efforts to address the objection. If the parties cannot resolve the objection, Customer may stop using the affected Service feature or terminate the affected Service subscription.

8. Third-Party AI Model Providers

Dossium does not train, fine-tune, host, or deploy its own AI foundation models.

Depending on Customer's configuration and use of the Service, Dossium may transmit prompts, retrieved context, extracted text, embeddings-related input, Customer Data, or other customer-selected content to third-party AI model providers to provide requested functionality.

Third-party AI model provider handling is governed by the applicable provider terms, Customer configuration, and Dossium's agreements with those providers where applicable.

Dossium does not use Customer Personal Data to train or fine-tune AI foundation models.

Dossium does not sell Customer Personal Data.

Dossium does not share Customer Personal Data for unrelated third-party use.

Customer is responsible for selecting model providers, model configurations, workflows, prompts, guardrails, and downstream applications appropriate for Customer's risk profile and legal obligations.

9. Data Subject Requests

Customer is responsible for responding to Data Subject requests relating to Customer Personal Data.

To the extent Customer cannot fulfill a Data Subject request using the Service, Dossium will provide reasonable assistance, taking into account the nature of the Processing and the information available to Dossium.

Such requests may include access, deletion, correction, portability, objection, restriction, or similar rights under Applicable Data Protection Laws.

Dossium may require Customer to provide information reasonably necessary to verify the request, identify relevant Customer Personal Data, and confirm Customer's authority to make the request.

10. Deletion and Return

Customer may delete Customer Data through supported product and API mechanisms.

Upon termination of the Agreement or upon Customer's written request, Dossium will delete or return Customer Personal Data in accordance with the Agreement, supported product functionality, and applicable law.

Deletion may be subject to operational retention windows, backups, logs, security records, legal obligations, dispute resolution, fraud prevention, financial records, and other legitimate business or legal requirements.

Dossium's current support-log retention window is 90 days unless otherwise required by operational, legal, or contractual needs.

11. Security Incident Notification

Dossium will notify Customer without undue delay after confirming a Security Incident involving Customer Personal Data.

Notice may be provided by email, product notice, or other reasonable communication method.

Where reasonably available, the notice will include information about:

  • The nature of the Security Incident
  • The categories of Customer Personal Data affected
  • The likely consequences of the Security Incident, if known
  • Measures taken or proposed to address the Security Incident
  • Steps Customer may consider taking in response

Dossium's notification of or response to a Security Incident is not an admission of fault or liability.

Unsuccessful attacks, scans, pings, denial-of-service attempts, failed login attempts, or events that do not result in unauthorized access to Customer Personal Data are not Security Incidents under this DPA.

12. Assistance with Compliance

Taking into account the nature of Processing and information available to Dossium, Dossium will provide reasonable assistance to Customer as required by Applicable Data Protection Laws for:

  • Data Subject requests
  • Security obligations
  • Security Incident notifications
  • Data protection impact assessments
  • Prior consultations with regulators, where required

Dossium may satisfy this obligation by providing documentation, security summaries, audit reports where available, product functionality, written responses, or other reasonable assistance.

Dossium may charge reasonable fees for assistance that is outside standard support, requires significant engineering effort, or is not required by Applicable Data Protection Laws.

13. Audits and Information

Dossium will make available information reasonably necessary to demonstrate compliance with this DPA.

Dossium may satisfy this obligation by providing documentation such as:

  • Security policy
  • Privacy policy
  • Subprocessor list
  • Customer-facing security overview
  • AI risk and governance overview
  • Written security questionnaire responses
  • Third-party audit reports, certifications, or attestations, when available

Dossium does not currently hold its own SOC 2 certification. SOC 2 readiness and related compliance work are active priorities.

Customer may request additional information by contacting legal@dossium.ai.

Dossium may decline audit requests that are duplicative, unreasonable, create security risk, seek confidential information of other customers, or would compromise the security or integrity of the Service.

Any onsite audit, penetration test, vulnerability scan, or technical assessment of the Service requires Dossium's prior written approval.

14. International Data Transfers

Customer acknowledges that Dossium and its Subprocessors may Process Customer Personal Data in the United States and other jurisdictions where Dossium or its Subprocessors operate.

If Customer Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country that has not been recognized as providing adequate protection under Applicable Data Protection Laws, the parties agree that an appropriate transfer mechanism will apply.

Where required, the parties agree to incorporate the applicable Standard Contractual Clauses, UK Addendum, or other lawful transfer mechanism by reference.

For purposes of the Standard Contractual Clauses, Customer is the data exporter and Dossium is the data importer, unless the facts require otherwise.

If there is a conflict between this DPA and the applicable Standard Contractual Clauses, the Standard Contractual Clauses will control to the extent required by law.

15. U.S. State Privacy Laws

To the extent Dossium Processes Customer Personal Data subject to U.S. state privacy laws, Dossium will act as a Service Provider or Processor.

Dossium will not:

  • Sell Customer Personal Data
  • Share Customer Personal Data for cross-context behavioral advertising
  • Retain, use, or disclose Customer Personal Data outside the business relationship except as permitted by Applicable Data Protection Laws
  • Retain, use, or disclose Customer Personal Data for a commercial purpose other than providing the Service
  • Combine Customer Personal Data with personal data received from other sources except as permitted by Applicable Data Protection Laws

Dossium may Process Customer Personal Data for the business purposes described in the Agreement, including providing, securing, supporting, maintaining, and improving the Service.

16. Customer Responsibilities

Customer is responsible for:

  • Complying with Applicable Data Protection Laws
  • Providing required notices to Data Subjects
  • Obtaining required consents and authorizations
  • Having a valid legal basis for Processing Customer Personal Data
  • Ensuring Customer Data may lawfully be submitted to Dossium
  • Configuring the Service appropriately
  • Managing user access, permissions, credentials, and API keys
  • Selecting appropriate third-party model providers and integrations
  • Reviewing AI-generated outputs before relying on them
  • Implementing human review, approval workflows, and downstream controls where required
  • Responding to Data Subject requests
  • Ensuring Customer's downstream applications comply with applicable law

Customer will not submit Customer Personal Data to the Service where Processing that data would violate Applicable Data Protection Laws or the Agreement.

17. Sensitive Data

Customer is responsible for determining whether Customer Data includes sensitive, regulated, or special category data.

Customer may not use the Service to Process sensitive or regulated data unless Customer has determined that the Service is appropriate for that use and Customer has implemented required safeguards, consents, notices, and legal bases.

Dossium is not intended to be used as the sole decision-maker for regulated, high-risk, safety-critical, employment, credit, healthcare, legal, financial, biometric, law enforcement, or essential-service decisions unless separately assessed and contractually approved.

18. Limitation of Liability

The limitations of liability in the Terms of Service apply to this DPA unless otherwise required by Applicable Data Protection Laws.

19. Term and Survival

This DPA remains in effect for as long as Dossium Processes Customer Personal Data on behalf of Customer.

Obligations that by their nature should survive termination will survive, including confidentiality, deletion, audit, liability, and provisions required by Applicable Data Protection Laws.

20. Contact

For questions about this DPA, contact:

Unstruk Data, Inc.
Legal: legal@dossium.ai
Security: security@dossium.ai
Website: https://www.dossium.ai

Appendix 1: Processing Details

Subject Matter

The subject matter of Processing is Dossium's provision of the Service to Customer.

Duration

The duration of Processing is the term of Customer's use of the Service, plus any period required for deletion, backup retention, legal compliance, dispute resolution, security, or legitimate operational purposes.

Nature and Purpose of Processing

Dossium Processes Customer Personal Data to provide, secure, support, maintain, and improve the Service.

Processing may include:

  • Account creation and administration
  • Authentication and authorization
  • Data ingestion
  • File storage
  • Content extraction
  • Metadata extraction
  • Markdown conversion
  • Embedding generation
  • Search indexing
  • Retrieval
  • Entity-aware retrieval
  • Context graph and workflow operations
  • Conversation history
  • Summarization
  • Classification
  • Extraction
  • Question answering
  • AI-assisted generation
  • Customer-configured agent workflows
  • API responses
  • Usage metering
  • Billing support
  • Logging, monitoring, debugging, and security operations
  • Customer support

Categories of Data Subjects

Customer Personal Data may relate to:

  • Customer's employees, contractors, and authorized users
  • Customer's end users
  • Customer's customers, prospects, vendors, suppliers, partners, and contacts
  • People appearing in Customer's documents, messages, files, tickets, transcripts, CRM records, project-management records, source-code systems, collaboration systems, or connected data sources
  • Meeting participants, email senders and recipients, ticket reporters, repository contributors, and other persons whose information appears in Customer Data

The specific categories depend on Customer's configuration and submitted data.

Categories of Personal Data

Customer Personal Data may include:

  • Names
  • Email addresses
  • Usernames
  • Job titles
  • Company names
  • Contact information
  • Account identifiers
  • Authentication metadata
  • Billing contact metadata
  • Communications content
  • Documents and file contents
  • Message contents
  • Ticket contents
  • CRM records
  • Calendar and meeting metadata
  • Meeting transcripts
  • Notes
  • Project-management records
  • Source-code collaboration metadata
  • Repository comments, issues, pull requests, and related metadata
  • Prompts
  • Queries
  • Retrieved context
  • AI-generated outputs
  • Embeddings
  • Extracted entities
  • Summaries
  • Classifications
  • Facts
  • Timestamps
  • Provenance references
  • Operational logs and support metadata

The specific categories depend on Customer's configuration and submitted data.

Sensitive Data

Dossium does not require Customer to submit sensitive data. Customer controls whether sensitive data is submitted to the Service.

Customer is responsible for determining whether Customer Data includes sensitive data or special category data and for ensuring that Processing is lawful and appropriate.

Frequency of Processing

Processing occurs continuously or periodically as Customer uses the Service, submits Customer Data, connects data sources, invokes workflows, calls APIs, or configures integrations.

Appendix 2: Technical and Organizational Measures

Dossium maintains technical and organizational measures designed to protect Customer Personal Data. Current measures include the following.

Infrastructure Security

  • Hosted on Microsoft Azure
  • Use of managed Azure services for storage, indexing, compute, databases, monitoring, and operational infrastructure
  • Azure-managed infrastructure security controls
  • Azure-managed encryption-at-rest capabilities for supported services
  • Operational monitoring and logging

Microsoft Azure maintains infrastructure-level compliance programs. These apply to Azure's cloud infrastructure and services and do not mean Dossium has completed its own SOC 2 audit.

Access Control

  • JWT-based API authentication
  • Authentication supported through third-party authentication providers such as Clerk
  • Project-level isolation
  • Authorization checks for access to customer-scoped resources
  • Internal access limited to authorized personnel
  • Access intended for customer-requested support, debugging, security, and operational needs
  • Principle of least privilege for administrative access where applicable

Encryption

  • TLS-encrypted HTTPS connections for customer API interactions and data transfer
  • Encryption at rest through managed Azure storage, database, and search services where applicable

Data Isolation

  • Logical isolation by customer, account, organization, and/or project
  • Customer-scoped data access through authenticated API and product mechanisms
  • Separation of control-plane account and billing functions from data-plane customer processing functions where applicable

Logging and Monitoring

  • Platform logging and monitoring for operational support, reliability, debugging, and security event awareness
  • Operational logs available to authorized engineering and support personnel
  • Current support-log retention window of 90 days unless otherwise required by operational, legal, or contractual needs

Secure Development

  • Source control for platform code
  • CI/CD-based deployment workflows
  • Code review and deployment review practices
  • Automated testing where appropriate
  • Dependency review and vulnerability monitoring
  • Secure handling of credentials and secrets
  • Human approval workflows for production changes where appropriate

Incident Response

  • Incident triage and severity assessment
  • Containment and mitigation procedures
  • Internal escalation
  • Customer impact assessment
  • Remediation and follow-up
  • Customer or regulatory notification where required by law or contract
  • Post-incident review and process improvement

Data Deletion and Retention

  • Customer-directed deletion through supported product and API mechanisms
  • Project deletion mechanisms where supported
  • Operational retention windows for logs, backups, security records, and legal requirements
  • Support-log retention currently set at 90 days unless otherwise required

Organizational Measures

  • Confidentiality obligations for personnel with access to non-public information
  • Limited production access
  • Security-aware development practices
  • Security documentation and compliance-readiness work in progress
  • Subprocessor review and documentation

Appendix 3: Subprocessors

Dossium maintains a Subprocessor list at:

https://www.dossium.ai/legal/subprocessors

Subprocessors may include providers used for:

  • Cloud hosting and infrastructure
  • Storage, database, search, indexing, and compute
  • Authentication
  • Billing and payment processing
  • AI model provider access
  • Monitoring, analytics, support, and operational tooling

Customer authorizes Dossium to use Subprocessors as described in this DPA.