Data Processing Addendum

Last Updated: January 1, 2025

1. Introduction and Scope

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between Intelogos Inc., a Delaware corporation with offices at 251 Little Falls Drive, Wilmington, DE 19808, United States (the "Processor" or "Intelogos") and the entity identified as the customer in the applicable Order Form or account registration (the "Controller" or "Customer").

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Intelogos workforce analytics and AI-powered performance management platform (the "Service"), as described in the Agreement.

This DPA is entered into to ensure compliance with applicable Data Protection Laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation as incorporated by the European Union (Withdrawal) Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and any other applicable data protection legislation.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. All capitalized terms not defined in this DPA shall have the meanings given to them in the Agreement.

2. Definitions

"Controller" means the entity that determines the purposes and means of the processing of Personal Data. Under this DPA, the Controller is the Customer.

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, UK GDPR, FADP, the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and any other applicable data protection or privacy legislation, as amended or replaced from time to time.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA. In the context of the Service, Data Subjects are primarily Authorized Users (employees and contractors of the Controller).

"EEA" means the European Economic Area (EU member states plus Iceland, Liechtenstein, and Norway).

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service. This includes Activity Data, account information, and any other data constituting personal data under applicable Data Protection Laws.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by the Processor.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction. "Process," "Processes," and "Processed" shall be construed accordingly.

"Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, the Processor is Intelogos Inc.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021, and as may be amended, replaced, or superseded from time to time.

"Sub-processor" means any third party appointed by the Processor (or by any Sub-processor) to process Personal Data on behalf of the Controller in connection with the Service.

"Supervisory Authority" means an independent public authority established by an EU/EEA Member State, the UK Information Commissioner's Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018, as may be amended or replaced from time to time.

3. Roles and Scope of Processing

3.1 Roles of the Parties

The Controller is the data controller of Personal Data processed through the Service. The Processor processes Personal Data solely on behalf of and in accordance with the documented instructions of the Controller, as described in this DPA, the Agreement, and any subsequent written instructions agreed upon by the parties.

3.2 Controller's Responsibilities

The Controller is responsible for: (a) ensuring that there is a lawful basis for the processing of Personal Data, including obtaining any necessary consents from Data Subjects; (b) providing all required notices and disclosures to Data Subjects regarding the processing of their Personal Data through the Service; (c) ensuring compliance with all applicable Data Protection Laws in its capacity as controller; (d) determining that the processing instructions it gives to the Processor are lawful; and (e) responding to Data Subject requests in accordance with applicable law.

3.3 Processor's Obligations

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. Implement appropriate technical and organizational measures as described in Annex II;
  4. Comply with the conditions for engaging Sub-processors as set out in Section 6;
  5. Assist the Controller in responding to Data Subject requests as set out in Section 7;
  6. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR;
  7. At the choice of the Controller, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless applicable law requires storage; and
  8. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as set out in Section 9.

3.4 Details of Processing

The details of the processing, including the subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects, are set out in Annex I to this DPA.

4. Processing Instructions

4.1 The Processor shall process Personal Data only in accordance with the Controller's documented instructions. The Agreement (including this DPA) and the Controller's use and configuration of the Service constitute the Controller's initial and complete documented instructions to the Processor for processing Personal Data.

4.2 Any additional instructions beyond the scope of this DPA and the Agreement must be agreed upon in writing by the parties.

4.3 If the Processor reasonably believes that any instruction from the Controller infringes Data Protection Laws, the Processor shall promptly notify the Controller and shall be entitled to suspend performance of the relevant instruction until the Controller modifies or confirms the instruction in writing. The Processor shall not be liable for any delay or non-performance resulting from such suspension.

4.4 The Controller acknowledges that the Service inherently involves the processing of Personal Data through third-party AI providers (as listed in Annex III), and that such processing is an integral and necessary part of the Service. The Controller's use of the Service constitutes an instruction to process Personal Data through such AI providers.

5. Confidentiality

5.1 The Processor shall ensure that any person it authorizes to process Personal Data (including its employees, agents, and contractors) shall be subject to a duty of confidentiality, whether by contract or statutory obligation.

5.2 The Processor shall ensure that access to Personal Data is limited to those personnel who need access to fulfill the Processor's obligations under the Agreement and this DPA.

5.3 The obligations of confidentiality set out in this section shall survive the termination or expiration of this DPA.

6. Sub-processors

6.1 General Authorization

The Controller provides a general written authorization for the Processor to engage Sub-processors to process Personal Data on behalf of the Controller. The current list of authorized Sub-processors is set out in Annex III to this DPA.

6.2 Notification of Changes

The Processor shall notify the Controller in writing (by email to the address associated with the Controller's account, or by in-app notification) of any intended addition or replacement of Sub-processors at least fifteen (15) days prior to the change taking effect, giving the Controller the opportunity to object.

6.3 Objection Right

If the Controller has a reasonable, legitimate objection to a new Sub-processor based on data protection grounds, the Controller shall notify the Processor in writing within fifteen (15) days of receipt of the Processor's notification. The parties shall negotiate in good faith to find a mutually acceptable resolution. If no resolution can be reached within thirty (30) days, the Controller may terminate the affected portion of the Service (or the entire Agreement if the Sub-processor change affects the core functionality of the Service) by providing written notice to the Processor, and the Processor shall refund any prepaid fees covering the remainder of the Subscription Term for the terminated Service.

6.4 Sub-processor Agreements

The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures such that the processing will meet the requirements of applicable Data Protection Laws.

6.5 Liability for Sub-processors

The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations regarding the processing of Personal Data.

7. Data Subject Rights

7.1 The Controller is responsible for responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object.

7.2 The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to Data Subject requests. This includes providing the Controller with the ability to access, correct, delete, and export Personal Data through the Service's functionality.

7.3 If the Processor receives a Data Subject request directly, the Processor shall promptly redirect the Data Subject to the Controller and shall notify the Controller of the request without undue delay.

7.4 The Controller shall bear any costs associated with the Processor's assistance with Data Subject requests that require significant effort beyond the standard functionality of the Service.

8. Security Measures

8.1 Technical and Organizational Measures

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II to this DPA. These measures include, as appropriate: (a) the pseudonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.

8.2 Security Updates

The Processor may update the security measures from time to time, provided that the updated measures shall not materially decrease the overall level of protection afforded to Personal Data.

9. Personal Data Breach Notification

9.1 The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach.

9.2 The notification shall include, to the extent available:

  1. A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  2. The name and contact details of the Processor's data protection contact from whom more information can be obtained;
  3. A description of the likely consequences of the Personal Data Breach; and
  4. A description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

9.4 The Processor's notification of or response to a Personal Data Breach shall not be construed as an acknowledgment of any fault or liability with respect to the breach.

10. Audits and Inspections

10.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

10.2 Audits shall be subject to the following conditions:

  1. The Controller shall provide at least thirty (30) days' prior written notice of any audit request;
  2. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's business operations;
  3. The Controller shall bear all costs and expenses associated with the audit;
  4. The Controller (and any auditor) shall comply with the Processor's reasonable security and confidentiality requirements;
  5. Audits shall not extend to the facilities or systems of the Processor's Sub-processors unless required by applicable Data Protection Laws;
  6. The Controller shall not be entitled to more than one audit per calendar year, unless required by a Supervisory Authority; and
  7. Where the Processor has obtained a third-party audit report (such as SOC 2 Type II), the Processor may satisfy the Controller's audit request by providing such report, subject to appropriate confidentiality obligations.

11. Data Protection Impact Assessment

11.1 The Processor shall provide reasonable assistance to the Controller in conducting any data protection impact assessment ("DPIA") required under applicable Data Protection Laws, to the extent that the Controller does not otherwise have access to the relevant information and such information is available to the Processor.

11.2 The Processor shall provide reasonable assistance to the Controller in any prior consultation with a Supervisory Authority required under applicable Data Protection Laws.

12. International Data Transfers

12.1 Transfer Mechanism

The Controller acknowledges that the Processor is established in the United States and that Personal Data will be transferred to and processed in the United States. To the extent that such transfer constitutes a transfer of Personal Data to a third country within the meaning of applicable Data Protection Laws, the parties agree that the transfer shall be governed by the Standard Contractual Clauses, which are hereby incorporated by reference into this DPA.

12.2 Standard Contractual Clauses (EEA Transfers)

For transfers of Personal Data from the EEA, the SCCs shall apply as follows: (a) Module Two (Controller to Processor) shall apply where the Controller transfers Personal Data to the Processor; (b) the optional docking clause (Clause 7) is included; (c) under Clause 9(a), Option 2 (general written authorization) applies, and the time period for prior notice of Sub-processor changes is fifteen (15) days as specified in Section 6.2; (d) under Clause 11, the optional language regarding the right to lodge a complaint with an independent dispute resolution body is not included; (e) under Clause 17, Option 1 applies, with the governing law being the law of the EU Member State in which the Controller is established, or if the Controller is not established in an EU Member State, the law of Ireland; (f) under Clause 18(b), disputes shall be resolved before the courts of the same jurisdiction as the governing law; and (g) Annexes I, II, and III of this DPA shall serve as the Annexes to the SCCs.

12.3 UK Transfers

For transfers of Personal Data from the United Kingdom, the UK Addendum (as issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018) shall apply, and is incorporated by reference into this DPA. The information required to complete the UK Addendum is contained in the Annexes to this DPA. The UK Information Commissioner's Office (ICO) shall act as the competent supervisory authority for UK transfers.

12.4 Swiss Transfers

For transfers of Personal Data from Switzerland, the SCCs shall apply with the following modifications: (a) references to the GDPR shall be interpreted as references to the Swiss FADP; (b) references to "EU" and "Member State" shall not be interpreted in a way that excludes Swiss Data Subjects from exercising their rights; (c) the Swiss Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority; and (d) the applicable governing law shall be Swiss law.

12.5 Supplementary Measures

The Processor implements the following supplementary technical and organizational measures to supplement the SCCs and ensure an adequate level of protection for Personal Data transferred internationally: (a) encryption of Personal Data in transit using TLS 1.2 or higher; (b) encryption of Personal Data at rest using AES-256; (c) access controls with multi-factor authentication for administrative access; (d) audit logging of access to Personal Data; and (e) regular review of access rights. Additional details are provided in Annex II.

12.6 Government Access Requests

The Processor shall: (a) promptly notify the Controller of any legally binding request from a government authority for disclosure of Personal Data, unless such notification is prohibited by law; (b) challenge requests that the Processor reasonably considers to be unlawful; and (c) provide the minimum amount of information permissible when responding to a disclosure request. The Processor represents that, as of the date of this DPA, it has not received any request from a government authority for mass or indiscriminate access to Personal Data.

13. Data Return and Deletion

13.1 Upon termination or expiration of the Agreement, the Controller may request the return of its Personal Data in a commonly used, machine-readable format (such as CSV or JSON) for a period of thirty (30) days following the effective date of termination.

13.2 Following the thirty (30) day retrieval period, the Processor shall delete all Personal Data from its active production systems within ninety (90) days, unless applicable law requires continued storage. Personal Data residing in backup systems shall be deleted in the ordinary course of backup rotation, which shall not exceed one hundred eighty (180) days from deletion from production systems.

13.3 The Processor shall certify in writing, upon the Controller's request, that it has deleted all Personal Data in accordance with this section.

13.4 Notwithstanding the foregoing, the Processor may retain de-identified, aggregated, or anonymized data that does not constitute Personal Data under applicable Data Protection Laws.

14. Liability

14.1 Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement.

14.2 The Controller acknowledges that the Processor's compliance with this DPA is dependent in part on the Controller's compliance with its own obligations, including providing lawful processing instructions, ensuring a valid legal basis for processing, providing required notices to Data Subjects, and obtaining required consents.

14.3 The Processor shall not be liable for any claim arising from: (a) the Controller's failure to comply with its obligations under applicable Data Protection Laws or this DPA; (b) the Controller's processing instructions that infringe applicable Data Protection Laws; (c) the Controller's failure to provide required notices to or obtain required consents from Data Subjects; or (d) any actions of the Controller that caused or contributed to the claim.

14.4 To the extent permitted by applicable law, the aggregate liability of the Processor under this DPA shall be subject to the limitation of liability provisions in the Agreement.

15. Term and Termination

15.1 This DPA shall take effect on the date of the last signature below (or, if incorporated into the Agreement by reference, on the Effective Date of the Agreement) and shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller.

15.2 The provisions of this DPA that by their nature should survive termination shall survive, including Sections 5 (Confidentiality), 9 (Personal Data Breach Notification), 13 (Data Return and Deletion), 14 (Liability), and 16 (Miscellaneous).

16. Miscellaneous

16.1 Entire DPA: This DPA, together with the Agreement and the Annexes, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior discussions, negotiations, and agreements on this subject.

16.2 Amendments: This DPA may only be amended in writing, signed by both parties, except that the Processor may update the Annexes to reflect changes to Sub-processors (subject to the notification requirements in Section 6) and security measures (subject to the non-degradation requirement in Section 8.2).

16.3 Severability: If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

16.4 Governing Law: Except as provided in the SCCs and UK Addendum, this DPA shall be governed by and construed in accordance with the laws governing the Agreement.

16.5 Notices: All notices under this DPA shall be sent in accordance with the notice provisions in the Agreement. Privacy and DPA-related notices should be sent to privacy@intelogos.com.

Annex I: Description of Processing

Part A: List of Parties

Data Exporter (Controller)

Name: Customer name as identified in the Order Form or account registration
Address: Customer address
Contact Person: Customer's designated contact for data protection matters
Role: Controller

Data Importer (Processor)

Name: Intelogos Inc.
Address: 251 Little Falls Drive, Wilmington, DE 19808, United States
Contact Person: Data Protection Contact: privacy@intelogos.com
Role: Processor

Part B: Description of Transfer

Subject matter: Provision of workforce analytics, AI-powered performance management, time tracking, attendance monitoring, burnout prevention, and employee activity monitoring services.
Duration: For the duration of the Agreement plus the data retention/deletion period specified in the Agreement and Section 13 of this DPA.
Nature of processing: Collection, storage, organization, structuring, retrieval, use, analysis (including AI/ML-powered analysis), transmission, and deletion of Personal Data.
Purpose: To provide the Service, including generating workforce analytics, productivity insights, performance assessments, time and attendance reports, burnout predictions, and related AI-powered analytics, as configured by the Controller.
Categories of Data Subjects: Authorized Users (employees, contractors, and agents of the Controller) whose activities are monitored through the Service.
Types of Personal Data: Name, email address, job title, department; Application and website usage data (app names, URLs, window titles, time spent); Keyboard and mouse activity indicators (active/idle status only, no keystrokes or content); Login/logout times, active/idle periods, attendance data; Project and task time allocations; IP address, device type, operating system, timezone; AI-generated analytics and scores derived from the foregoing.
Sensitive data: The Service is not designed to collect special categories of data (Article 9 GDPR). However, window titles and URLs may inadvertently contain data that reveals sensitive information. The Controller is responsible for assessing this risk.
Frequency of transfer: Continuous, real-time during active monitoring periods.
Retention period: As specified in the Agreement: duration of subscription plus 30-day export period, 90-day production deletion, 180-day backup deletion.

Annex II: Technical and Organisational Measures

The Processor implements the following technical and organizational security measures:

Encryption

  1. Encryption in transit: All data transmitted between Authorized Users' devices and the Processor's servers, and between the Processor's services, is encrypted using TLS 1.2 or higher.
  2. Encryption at rest: All Personal Data stored in the Processor's databases and storage systems is encrypted using AES-256 encryption.
  3. Encryption key management: Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation.

Access Controls

  1. Role-based access control (RBAC): Access to Personal Data is restricted based on job function and the principle of least privilege.
  2. Multi-factor authentication (MFA): Required for all administrative access to production systems.
  3. Unique user accounts: Each person with access to production systems has a unique, identifiable account.
  4. Password policies: Strong password requirements enforced, including minimum length, complexity, and expiration.
  5. Access reviews: Regular reviews of access rights to ensure appropriateness.

Infrastructure Security

  1. Cloud infrastructure: The Service is hosted on Amazon Web Services (AWS) in US regions, leveraging AWS's security controls, certifications (SOC 1/2/3, ISO 27001), and compliance programs.
  2. Network security: Firewalls, network segmentation, and intrusion detection/prevention systems.
  3. Vulnerability management: Regular vulnerability scanning and timely patching of known vulnerabilities.
  4. DDoS protection: Protection against distributed denial-of-service attacks through AWS Shield and related services.

Monitoring and Logging

  1. Audit logging: Access to Personal Data is logged, including who accessed what data and when. Logs are retained for a minimum of twelve (12) months.
  2. Security monitoring: Automated monitoring of systems for anomalous activity and potential security incidents.
  3. Alerting: Automated alerts for security-relevant events.

Data Backup and Recovery

  1. Regular backups: Automated, encrypted backups of all production data.
  2. Backup testing: Periodic testing of backup restoration procedures.
  3. Geographic redundancy: Backups stored in geographically separate AWS regions for disaster recovery.

Organizational Measures

  1. Confidentiality agreements: All employees and contractors with access to Personal Data are bound by confidentiality obligations.
  2. Security awareness: Security awareness training for all personnel.
  3. Incident response: Documented incident response procedures for identifying, containing, and resolving security incidents.
  4. Vendor management: Security assessment of Sub-processors before engagement and periodic review thereafter.
  5. Secure development: Security considerations integrated into the software development lifecycle.

Annex III: List of Sub-processors

The following Sub-processors are authorized to process Personal Data on behalf of the Controller as of the date of this DPA:

Sub-processor: Amazon Web Services (AWS)
  Purpose: Cloud infrastructure: hosting, storage, computing, backup, and data processing
  Location: United States (US regions)
  Data Processed: All Personal Data processed through the Service

Sub-processor: Anthropic (Claude)
  Purpose: AI/ML processing: generating workforce analytics, performance insights, and automated recommendations
  Location: United States
  Data Processed: Activity Data, anonymized/aggregated metrics as needed for AI analysis

Sub-processor: OpenAI
  Purpose: AI/ML processing: generating workforce analytics, performance insights, and automated recommendations
  Location: United States
  Data Processed: Activity Data, anonymized/aggregated metrics as needed for AI analysis

Sub-processor: Google (Gemini)
  Purpose: AI/ML processing: generating workforce analytics, performance insights, and automated recommendations
  Location: United States
  Data Processed: Activity Data, anonymized/aggregated metrics as needed for AI analysis

Sub-processor: xAI (Grok)
  Purpose: AI/ML processing: generating workforce analytics, performance insights, and automated recommendations
  Location: United States
  Data Processed: Activity Data, anonymized/aggregated metrics as needed for AI analysis

Sub-processor: Vercel
  Purpose: Web application hosting and deployment infrastructure
  Location: United States
  Data Processed: Account data, session data, application data

Sub-processor: Stripe
  Purpose: Payment processing and subscription billing
  Location: United States
  Data Processed: Billing data: name, email, payment card details (tokenized), billing address, transaction history

The Controller may request the most current version of this Sub-processor list at any time by contacting privacy@intelogos.com. The Processor will notify the Controller of changes in accordance with Section 6.2 of this DPA.