Data Processing Addendum

Effective Date: May 23, 2026
Last Updated: May 23, 2026

This Data Processing Addendum (this "DPA") forms part of, and is incorporated into, the Neural Core Master Subscription Agreement, the Terms of Service, or any other agreement under which Neural Partners Inc. ("Neural Partners") provides the Services to a customer ("Customer") (collectively, the "Agreement"). This DPA applies to the extent Neural Partners processes Personal Data (as defined below) on behalf of Customer in connection with the Services. Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement. In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls. In the event of any conflict between this DPA and the Standard Contractual Clauses referenced in Annex 4, the Standard Contractual Clauses control. THIS DPA APPLIES TO ALL CUSTOMERS USING THE SERVICES TO PROCESS PERSONAL DATA. IT IS AVAILABLE ON REQUEST FROM PRIVACY@NEURALPARTNERS.AI AND, UPON CUSTOMER'S REASONABLE REQUEST, WILL BE COUNTERSIGNED BY NEURAL PARTNERS. NO ADDITIONAL ACTION IS REQUIRED FOR THIS DPA TO BE EFFECTIVE; IT BECOMES BINDING UPON CUSTOMER'S ACCEPTANCE OF THE AGREEMENT.

1. Definitions

Capitalized terms used in this DPA have the following meanings: Applicable Data Protection Laws — all laws and regulations applicable to a party's processing of Personal Data under this DPA, including (as applicable): the EU General Data Protection Regulation 2016/679 ('GDPR'); the UK Data Protection Act 2018 and UK GDPR ('UK GDPR'); the Swiss Federal Act on Data Protection ('Swiss FADP'); the California Consumer Privacy Act, as amended by the California Privacy Rights Act ('CCPA/CPRA'); and other U.S. state privacy laws applicable to Customer's processing.
Controller — the natural or legal person which, alone or jointly with others, determines the purposes and means of processing Personal Data. Under CCPA/CPRA, the equivalent term is 'business.'
Customer Personal Data — Personal Data that Neural Partners processes on behalf of Customer as part of the Customer Content under the Agreement.
Data Subject — the identified or identifiable natural person to whom Personal Data relates. Under CCPA/CPRA, the equivalent term is 'consumer.'
Personal Data — any information that constitutes 'personal data,' 'personal information,' or an equivalent term under Applicable Data Protection Laws, processed by Neural Partners on behalf of Customer through the Services.
Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by Neural Partners or its Subprocessors.
Processor — the natural or legal person which processes Personal Data on behalf of the Controller. Under CCPA/CPRA, the equivalent term is 'service provider' or, in certain circumstances, 'contractor.'
Restricted Transfer — a transfer of Personal Data to a country, territory, sector, or international organization that is not subject to an adequacy decision under Applicable Data Protection Laws.
SCCs — the Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded, or replaced from time to time.
Subprocessor — any third party engaged by Neural Partners to process Customer Personal Data.
UK Addendum — the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under section 119A of the Data Protection Act 2018, version B1.0, in force on 21 March 2022, as may be amended from time to time.

2. Scope and Roles of the Parties

2.1 Roles

With respect to Customer Personal Data, Customer is the Controller (or, under CCPA/CPRA, 'business') and Neural Partners is the Processor (or, under CCPA/CPRA, 'service provider'). To the extent Neural Partners processes Personal Data as an independent Controller (for example, account-management data, billing data, or aggregated de-identified data described in Section 4.3), that processing is governed by Neural Partners' Privacy Policy and is outside the scope of this DPA.

2.2 Customer's Responsibilities

Customer represents and warrants that: (a) it has all necessary rights, consents, and lawful bases under Applicable Data Protection Laws to provide Customer Personal Data to Neural Partners for processing under the Agreement; (b) its instructions to Neural Partners regarding the processing of Customer Personal Data comply with Applicable Data Protection Laws; (c) it has provided Data Subjects with all required notices regarding the collection and processing of their Personal Data; and (d) it is responsible for determining whether Customer Personal Data may be lawfully processed through the Services in Customer's specific use case and jurisdiction.

2.3 Neural Partners' Responsibilities

Neural Partners will: (a) process Customer Personal Data only in accordance with Customer's documented instructions, including with regard to transfers to third countries or international organizations, unless required to do so by law applicable to Neural Partners (in which case, Neural Partners will inform Customer of that legal requirement before processing, unless prohibited by law); (b) ensure that personnel authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (c) implement appropriate technical and organizational measures as described in Annex 2.

3. Customer Instructions

The Agreement and this DPA (including Customer's use of the Services in accordance with the Agreement and the Documentation) constitute Customer's documented instructions to Neural Partners regarding the processing of Customer Personal Data. Customer may issue additional written instructions to Neural Partners by submitting them to privacy@neuralpartners.ai; Neural Partners will process such instructions provided they are consistent with the Agreement, do not require modifications to the Services, and are technically and commercially reasonable to implement. Neural Partners will inform Customer if, in its reasonable opinion, an instruction infringes Applicable Data Protection Laws.

4. Processing of Personal Data

4.1 Purpose Limitation

Neural Partners will process Customer Personal Data solely for the purposes described in Annex 1 (Description of Processing) and solely as necessary to: (a) provide, operate, secure, support, and maintain the Services; (b) comply with Customer's instructions; (c) prevent or detect fraud, abuse, or security incidents; and (d) comply with legal obligations applicable to Neural Partners.

4.2 Sale and Sharing Restrictions (CCPA/CPRA)

Neural Partners will not (a) 'sell' or 'share' Customer Personal Data (as those terms are defined in CCPA/CPRA), (b) retain, use, or disclose Customer Personal Data for any purpose other than the specific purposes set forth in the Agreement, or for a commercial purpose other than providing the Services, or as otherwise permitted by CCPA/CPRA, (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Neural Partners and Customer, or (d) combine Customer Personal Data with Personal Data received from or on behalf of any other person, or collected from Neural Partners' own interactions with the consumer, except as permitted by CCPA/CPRA. Neural Partners certifies that it understands the restrictions of this Section 4.2 and will comply with them.

4.3 No AI Model Training on Customer Personal Data

Consistent with Section 4.2 of the Master Subscription Agreement, Neural Partners will not use Customer Personal Data, including AI Inputs and AI Outputs submitted by Customer or Customer's authorized Users, to train, fine-tune, or improve Neural Partners' or any third-party generative AI models, and Neural Partners will not permit its Subprocessors to do so. This restriction does not limit Neural Partners' right to use aggregated, de-identified data described in Section 4.3 of the Master Subscription Agreement; such aggregated, de-identified data does not constitute Customer Personal Data once aggregated and de-identified in accordance with industry-standard practices.

4.4 Categories of Data and Data Subjects

The categories of Personal Data, categories of Data Subjects, nature and purpose of the processing, and duration of the processing are set forth in Annex 1.

5. Subprocessors

5.1 General Authorization

Customer provides general authorization for Neural Partners to engage Subprocessors to process Customer Personal Data in connection with the Services, subject to the conditions in this Section 5 and in Section 5.4 of the Master Subscription Agreement. A current list of Subprocessors is maintained at www.neuralpartners.ai/legal/subprocessors/ and is identified in Annex 3 (Subprocessors).

5.2 Notice of New Subprocessors

Neural Partners will provide Customer with at least fifteen (15) days' prior notice (or thirty (30) days for high-impact additions) before engaging a new Subprocessor that will process Customer Personal Data, by updating the public Subprocessor page and by sending notice by email to the billing or legal contact on Customer's account. Notice is not required for the categories of changes set forth in Section 5.4 of the Master Subscription Agreement.

5.3 Objection

Customer may object in good faith to a new Subprocessor by providing written notice to privacy@neuralpartners.ai within thirty (30) days after Neural Partners' notice. The parties will work together in good faith to identify a commercially reasonable alternative. If no commercially reasonable alternative is feasible within a reasonable time, Customer may terminate the affected Services for cause and receive a pro-rated refund of any prepaid, unused fees attributable to the affected Services.

5.4 Subprocessor Obligations

Neural Partners will enter into a written agreement with each Subprocessor that imposes data-protection obligations on the Subprocessor that are substantially similar to those imposed on Neural Partners under this DPA. Neural Partners remains responsible to Customer for any Subprocessor's compliance with such obligations.

6. Security

6.1 Technical and Organizational Measures

Neural Partners will implement and maintain the technical and organizational measures set forth in Annex 2 (Technical and Organizational Measures), designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data. Neural Partners may update Annex 2 from time to time, provided that any update will not materially diminish the level of protection.

6.2 Confidentiality of Processing

Neural Partners will ensure that personnel authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Personal Data is limited to personnel who require access to perform their duties in connection with providing the Services.

7. Personal Data Breach Notification

Consistent with Section 5.3 of the Master Subscription Agreement and as required by Article 33(2) of the GDPR, Neural Partners will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Where feasible, Neural Partners will use commercially reasonable efforts to provide initial notification within seventy-two (72) hours of becoming aware. Such notification will include, to the extent then known to Neural Partners: (a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; (c) the measures taken or proposed to address the Personal Data Breach and mitigate its possible adverse effects; and (d) the contact point at Neural Partners for further information. Neural Partners will provide reasonable cooperation and assistance to Customer in connection with Customer's investigation and any required notifications to supervisory authorities or Data Subjects, taking into account the nature of the processing and the information available to Neural Partners. Neural Partners' notification under this Section 7 is not, and is not intended to be, an acknowledgment by Neural Partners of any fault or liability with respect to the Personal Data Breach.

8. Assistance with Data Subject Rights

8.1 Forwarding Requests

If Neural Partners receives a request from a Data Subject to exercise rights under Applicable Data Protection Laws with respect to Customer Personal Data (an 'Data Subject Request'), Neural Partners will, where reasonably practicable, promptly notify Customer of the request and not respond substantively except as directed by Customer or as required by law. Neural Partners' standard process for handling such requests is described in its DSAR Runbook.

8.2 Assistance

Taking into account the nature of the processing, Neural Partners will assist Customer by appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of Customer's obligation to respond to Data Subject Requests, including requests to access, rectify, restrict, port, delete, or opt out of the processing of Personal Data, and requests to exercise other rights under Applicable Data Protection Laws. Where reasonably required, Neural Partners may charge Customer a reasonable fee for assistance that goes beyond standard product features.

9. International Data Transfers

9.1 Restricted Transfers

To the extent Neural Partners' processing of Customer Personal Data involves a Restricted Transfer, the parties will rely on an appropriate transfer mechanism set forth in Annex 4 (International Data Transfer Mechanisms), including: (a) for transfers from the EEA to a third country, the SCCs (Module Two: Controller to Processor, or Module Three: Processor to Processor, as applicable), which are hereby incorporated by reference; (b) for transfers from the UK, the UK Addendum, which is hereby incorporated by reference; (c) for transfers from Switzerland, the SCCs as modified by the Swiss Federal Data Protection and Information Commissioner; and (d) for transfers from other jurisdictions, any applicable transfer mechanism approved by the competent supervisory authority.

9.2 Supplementary Measures

In addition to the contractual safeguards in Annex 4, Neural Partners has implemented technical and organizational supplementary measures designed to ensure the level of protection required by Applicable Data Protection Laws, including encryption of Customer Personal Data in transit and at rest, access controls, audit logging, and limited use of the data for sole purpose of providing the Services. Annex 2 describes these measures in further detail.

10. Return or Deletion of Customer Personal Data

Upon termination or expiration of the Agreement, Neural Partners will, at Customer's election: (a) return all Customer Personal Data to Customer in a commercially reasonable format; or (b) delete all Customer Personal Data, unless retention is required by law applicable to Neural Partners or for the establishment, exercise, or defense of legal claims. The procedures and timeline for return or deletion are described in Section 7.4 of the Master Subscription Agreement (currently: a thirty (30)-day post-termination export window, after which Customer Personal Data may be deleted). To the extent any Customer Personal Data is retained after termination as required by law or for legitimate business purposes (such as resolution of disputes, enforcement of agreements, or compliance with retention obligations), Neural Partners will continue to apply the protections of this DPA to such retained Customer Personal Data for so long as it is retained.

11. Audit Rights

11.1 Information

Neural Partners will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Such information may include: (a) Neural Partners' current security overview, policies, and procedures; (b) summaries of third-party audits, certifications, or attestations that Neural Partners has obtained (such as SOC 2 reports, ISO 27001 certifications, or similar reports), subject to confidentiality undertakings; and (c) responses to reasonable written questions submitted to privacy@neuralpartners.ai.

11.2 Audits

To the extent Customer reasonably believes the information made available under Section 11.1 is insufficient to demonstrate compliance with this DPA, Customer may, no more than once per twelve (12)-month period (except where required more frequently by Applicable Data Protection Laws or a supervisory authority), audit Neural Partners' processing of Customer Personal Data, subject to the following conditions: (a) audits must be conducted with at least thirty (30) days' prior written notice; (b) audits must be conducted during regular business hours, in a manner that does not unreasonably interfere with Neural Partners' business operations; (c) audits must be conducted under appropriate confidentiality undertakings; (d) Customer is responsible for the costs of the audit unless the audit reveals a material breach by Neural Partners of this DPA; (e) at Neural Partners' option, the audit may be conducted by an independent third-party auditor agreed by the parties (not a Neural Partners competitor); and (f) Customer will provide Neural Partners with a copy of any audit report and will treat the report as Neural Partners' Confidential Information.

12. Liability and Indemnification

Each party's liability arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, is subject to the limitations of liability set forth in the Master Subscription Agreement, including the cap and exclusions therein. For the avoidance of doubt, the limitations of liability in the Master Subscription Agreement apply to the parties' obligations under this DPA. Nothing in this DPA is intended to limit either party's liability for matters that cannot be limited under Applicable Data Protection Laws.

13. Term and Termination

This DPA is effective from the Effective Date set forth above and will remain in effect for so long as Neural Partners processes Customer Personal Data on behalf of Customer under the Agreement. Sections of this DPA that by their nature should survive termination will survive, including provisions related to confidentiality, security, liability, return or deletion of Personal Data, and audit rights.

14. Order of Precedence

In the event of any conflict between the provisions of this DPA and the Master Subscription Agreement or any other Agreement between the parties, the provisions of this DPA control with respect to the processing of Personal Data. In the event of any conflict between this DPA and the SCCs (where applicable to a Restricted Transfer), the SCCs control.

15. General Provisions

15.1 Governing Law and Jurisdiction

This DPA is governed by and construed in accordance with the laws specified in the Master Subscription Agreement, except that, for any Restricted Transfer governed by the SCCs, the governing law and jurisdiction of the SCCs apply with respect to the SCCs.

15.2 Severability

If any provision of this DPA is held invalid or unenforceable, that provision will be limited or eliminated to the minimum extent necessary, and the remainder will continue in full force and effect.

15.3 Amendments

Neural Partners may amend this DPA from time to time in accordance with Section 14 of the Master Subscription Agreement (Modifications to This Agreement), provided that no amendment will materially reduce the level of protection of Customer Personal Data without Customer's consent.

15.4 Notices

Notices to Neural Partners under this DPA must be sent to privacy@neuralpartners.ai with a copy to legal@neuralpartners.ai. Notices to Customer will be sent to the billing or legal contact on Customer's account. Annex 1 — Description of the Processing A. List of Parties Data Exporter: Customer (and Customer's affiliates that are authorized to use the Services), acting in the role of Controller (or 'business' under CCPA/CPRA). Data Importer: Neural Partners Inc., a Delaware corporation with a place of business at 390 NE 191st St, STE 65820, Miami, FL 33179, acting in the role of Processor (or 'service provider' under CCPA/CPRA). Data Importer Contact: Privacy Team, privacy@neuralpartners.ai, (802) 990-3883. B. Categories of Data Subjects Customer's processing through the Services may concern the following categories of Data Subjects, depending on Customer's specific use case:

• Customer's authorized Users (employees, contractors, agents accessing Neural Core)
• Customer's end consumers (visitors to and customers of websites and storefronts powered by Customer's use of the Services)
• Customer's prospects and contacts (individuals contacting Customer through forms, chat, or other channels on Customer's sites)
• Customer's vendors and service providers (to the extent their Personal Data is processed by Customer through the Services) C. Categories of Personal Data Customer's processing through the Services may concern the following categories of Personal Data, depending on Customer's specific use case and configuration:
• Identification and contact data: name, email address, postal address, phone number, account credentials
• Account and usage data: device identifiers, IP addresses, browser type, session data, page-view data, feature interaction data
• Commerce data: order history, payment status (note: full payment card data is processed by Stripe directly and is not stored by Neural Partners)
• Communications data: messages submitted to chat assistants, contact forms, support requests; AI Inputs and AI Outputs
• Profile and preference data: product preferences, search history, wishlists, and personalization settings
• Marketing data: marketing-preference signals, email-engagement signals, and consent records D. Special Categories of Personal Data Customer should not submit special categories of Personal Data (Article 9 GDPR) or sensitive personal information (CCPA/CPRA) to the Services, except where such categories of data are reasonably expected to be processed in connection with the specific category of Services Customer has subscribed to, and where Customer has the lawful basis to do so. The Master Subscription Agreement §3.4 (Restricted Data Categories) further restricts categories of regulated data that may be submitted to the Services without Neural Partners' prior written consent. E. Frequency of Transfer Continuous, in connection with Customer's use of the Services during the term of the Agreement. F. Nature of Processing Hosting, storage, transmission, structuring, analysis, retrieval, display, organization, modification (only as instructed by Customer or as inherent in providing the Services), application of AI models, and erasure of Customer Personal Data, in each case as necessary to provide the Services to Customer. G. Purpose of Processing Provision, operation, security, support, maintenance, and improvement of the Services for Customer; compliance with Customer's instructions; compliance with Neural Partners' legal obligations; and the aggregated/de-identified-data purposes described in Section 4.3 of the Master Subscription Agreement (which fall outside this DPA once the data is properly aggregated and de-identified). H. Duration of Processing For the duration of the Agreement, plus any post-termination period required for the export, deletion, or return of Customer Personal Data as set forth in Section 10 of this DPA and Section 7.4 of the Master Subscription Agreement, plus any retention period required by applicable law. I. Subprocessors As listed in Annex 3 and at www.neuralpartners.ai/legal/subprocessors/. Subprocessors process Customer Personal Data for the limited purposes and durations necessary to provide their respective services to Neural Partners in connection with the Services. Annex 2 — Technical and Organizational Measures Neural Partners implements and maintains the following technical and organizational measures designed to ensure the security of Customer Personal Data. Neural Partners may update these measures from time to time, provided that the level of protection is not materially diminished.

1. Pseudonymization and Encryption of Personal Data

• Customer Personal Data is encrypted in transit using TLS 1.2 or higher
• Customer Personal Data is encrypted at rest in primary databases using industry-standard encryption (AES-256 or equivalent) as provided by Neural Partners' cloud infrastructure provider
• Authentication credentials are stored using salted, modern password hashing algorithms
• Encryption keys for data at rest are managed by the cloud infrastructure provider's key management infrastructure, with access to encryption infrastructure restricted to authorized personnel

2. Confidentiality, Integrity, Availability, and Resilience

• Role-based access controls (RBAC) limit access to Customer Personal Data to personnel who require access for their job functions
• Multi-factor authentication is required for all personnel access to systems containing Customer Personal Data
• Production access is logged and reviewed
• Production and non-production environments are logically separated
• Customer Personal Data is hosted on cloud infrastructure with industry-standard physical and environmental controls (provided by Amazon Web Services, Inc.)
• Redundant infrastructure designed to maintain availability of the Services
• Capacity monitoring and auto-scaling to address load and resilience needs

3. Ability to Restore Availability and Access

• Automated backups of Customer Personal Data, retained according to a documented backup policy
• Documented disaster-recovery and business-continuity procedures, periodically reviewed
• Capability to restore the Services from backups in the event of a physical or technical incident

4. Testing, Assessment, and Evaluation

• Code review processes for changes that affect data-handling logic
• Dependency monitoring and patching for third-party libraries
• Documented incident response procedures
• Neural Partners does not currently hold a SOC 2, ISO 27001, or equivalent third-party security attestation. Neural Partners will make summaries of any future third-party security assessments available to Customer on reasonable request, subject to confidentiality undertakings

5. User Identification and Authorization

• Unique user identification for personnel accessing Customer Personal Data
• Access requests are reviewed and approved by authorized personnel
• Access is revoked upon termination of employment or change of role
• Periodic review of access rights

6. Protection of Data During Transmission

• All transmission of Customer Personal Data over public networks uses TLS 1.2 or higher
• API and web traffic terminates at edge layers with current cipher suites
• Cryptographic protocols are reviewed periodically and updated to address known vulnerabilities

7. Protection of Data During Storage

• Encryption at rest as described in Section 1 above
• Logical access controls applied to data stores
• Retention and deletion policies applied per data category
• Physical security controls provided by cloud infrastructure provider

8. Physical Security

Physical security of the underlying infrastructure is the responsibility of Neural Partners' hosting provider (currently Amazon Web Services, Inc.), which maintains industry-standard physical-security controls including controlled facility access, surveillance, environmental controls, and audit programs. See https://aws.amazon.com/compliance/ for current information.

9. Events Logging

• Application logs capture access to Customer Personal Data sufficient to identify and investigate security events
• Authentication and authorization events are logged
• Logs are retained per a documented retention policy and are protected against unauthorized modification
• Where applicable, audit logs are made available to Customer for events relating to Customer's account

10. System Configuration

• Documented baseline configurations for production systems
• Changes to production systems follow a documented change-management process
• Default credentials and unnecessary services are disabled on production systems

11. Internal IT and Governance

• Documented information-security and data-protection policies
• Confidentiality obligations imposed on personnel by employment, contractor, or other applicable agreements as a condition of access to systems containing Customer Personal Data

12. Certifications and Audits

As of the Effective Date, Neural Partners does not hold a SOC 2, ISO 27001, or equivalent third-party security attestation. Neural Partners may obtain such attestations in the future and will, upon reasonable request and subject to confidentiality undertakings, make summaries of any such attestations available to Customer. Customer may request the current status from privacy@neuralpartners.ai at any time.

13. Data Minimization

Neural Partners processes only the Customer Personal Data necessary to provide the Services, in accordance with Customer's instructions.

14. Data Quality

Customer Personal Data is processed in the form provided by Customer or Customer's authorized Users. Customer is responsible for the accuracy and completeness of Customer Personal Data submitted to the Services.

15. Limited Data Retention

Customer Personal Data is retained for the duration described in Section 10 of this DPA and the Master Subscription Agreement, plus any retention required by applicable law.

16. Accountability

Neural Partners maintains internal documentation of processing activities as required by Applicable Data Protection Laws. Designated privacy contacts within Neural Partners coordinate compliance with this DPA and respond to Customer inquiries.

17. Allowing Data Portability and Ensuring Erasure

The Services support Customer's ability to export Customer Personal Data and to delete Customer Personal Data, as described in the Documentation and Sections 7.4 and 10 of the Master Subscription Agreement and Section 10 of this DPA. Annex 3 — Subprocessors Neural Partners engages the following categories of Subprocessors to process Customer Personal Data in connection with the Services. A current and complete list, identifying each Subprocessor by name, the nature of services provided, and jurisdiction of processing, is maintained and updated at www.neuralpartners.ai/legal/subprocessors/ and is incorporated into this DPA by reference. Categories of Subprocessors as of the Effective Date include (without limitation): Cloud infrastructure (hosting and storage). Amazon Web Services, Inc. — provides cloud infrastructure for the Services. Processing location: United States (with regional configuration as applicable). Payment processing. Stripe, Inc. — provides payment processing services, including for the Digital Experience Platform. Processing location: United States. AI model services. Anthropic, PBC — provides AI model services for conversational, generative, and recommendation features. Processing location: United States. Transactional email delivery. Amazon Web Services, Inc. (Amazon Simple Email Service / 'Amazon SES') — provides delivery of transactional emails, including signup confirmations, password resets, billing notifications, MSA-update notices, DSAR responses, and other account-related communications. Processing location: United States. Marketing email, SMS, and customer engagement. Klaviyo, Inc. — provides marketing email and SMS delivery, audience segmentation, subscriber management, and customer-engagement analytics for marketing communications. Processing location: United States. Analytics and product telemetry. Google LLC (Google Analytics) and/or other analytics providers as configured by Customer. Processing location: United States (and other locations as applicable). Bot protection. HUMAN Security, Inc. — provides bot protection and fraud detection. Processing location: United States. Advertising and growth (where configured). Advertising platforms as configured by Customer. Processing location: United States. The list at www.neuralpartners.ai/legal/subprocessors/ is the authoritative source and may be updated in accordance with Section 5 of this DPA and Section 5.4 of the Master Subscription Agreement. Annex 4 — International Data Transfer Mechanisms The following data transfer mechanisms apply to Restricted Transfers of Customer Personal Data under this DPA: A. Transfers from the European Economic Area For transfers of Customer Personal Data from the European Economic Area to Neural Partners or its Subprocessors located in a country that has not received an adequacy decision under Article 45 GDPR, the parties incorporate the SCCs as follows:

• Module Two (Controller to Processor) applies when Customer transfers Customer Personal Data to Neural Partners as Processor
• Module Three (Processor to Processor) applies when Customer (in its capacity as a Processor) transfers Customer Personal Data to Neural Partners as a sub-processor
• Module Four (Processor to Controller) applies, if and to the extent the parties identify circumstances under which Neural Partners acts as Controller of Personal Data that originated as Customer Personal Data SCC Options Selected:
• Clause 7 (Docking Clause): Optional. Not selected.
• Clause 9 (Use of Sub-processors): Option 2 — general authorization, with the prior notice and objection rights set forth in Section 5 of this DPA and Section 5.4 of the Master Subscription Agreement
• Clause 11 (Redress): Optional independent dispute resolution body. Not selected.
• Clause 17 (Governing Law): The laws of Ireland
• Clause 18 (Choice of Forum and Jurisdiction): The courts of Ireland
• Annex I.A (List of Parties): As set forth in Annex 1 of this DPA
• Annex I.B (Description of Transfer): As set forth in Annex 1 of this DPA
• Annex I.C (Competent Supervisory Authority): The Data Protection Commission of Ireland, except where another Member State's supervisory authority has competence under applicable EU law
• Annex II (Technical and Organizational Measures): As set forth in Annex 2 of this DPA
• Annex III (List of Sub-processors): As set forth in Annex 3 of this DPA and at www.neuralpartners.ai/legal/subprocessors/ B. Transfers from the United Kingdom For transfers of Customer Personal Data from the United Kingdom to Neural Partners or its Subprocessors located in a country that has not received an adequacy decision under the UK GDPR, the parties incorporate the UK Addendum, which is hereby incorporated by reference. The UK Addendum applies the SCCs (as set forth in Section A above) with the modifications set forth in the UK Addendum. C. Transfers from Switzerland For transfers of Customer Personal Data from Switzerland to Neural Partners or its Subprocessors located in a country that has not received an adequacy decision under the Swiss FADP, the parties incorporate the SCCs (as set forth in Section A above) with the modifications recognized by the Swiss Federal Data Protection and Information Commissioner, including replacing references to GDPR with references to the Swiss FADP and replacing references to EU supervisory authorities with references to the Swiss FDPIC. D. Other Jurisdictions For Restricted Transfers from other jurisdictions, the parties will rely on the applicable transfer mechanism recognized by the competent supervisory authority. Where no such mechanism exists, the parties will work in good faith to identify appropriate safeguards.

Contact

For questions about this DPA or to request a countersigned copy, please contact:

Neural Partners Inc.

• Email (privacy): privacy@neuralpartners.ai
• Email (legal): legal@neuralpartners.ai
• Phone: (802) 990-3883
• Contact form: neuralpartners.ai/contact-us

Mailing Address: 390 NE 191st St, STE 65820, Miami, FL 33179