Ordica

Data Processing Agreement

Effective date: April 12, 2026  ·  Entity: Ordica LLC, California  ·  Questions: legal@ordica.ai

Contents

  1. Definitions
  2. Scope and Application
  3. Controller and Processor Roles
  4. Processor Obligations
  5. Sub-Processors
  6. Security Measures
  7. Personal Data Breach Notification
  8. Data Subject Rights
  9. International Transfers
  10. Audit Rights
  11. Return and Deletion
  12. Liability and Indemnification
  13. Governing Law
  14. Entire Agreement

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"), the following terms have the meanings set out below:

  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data. In the context of this DPA, Customer is the Controller.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller. In the context of this DPA, Ordica LLC is the Processor.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Ordica on behalf of Customer through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means a natural person whose Personal Data is processed under this DPA.
  • "Sub-Processor" means any third party engaged by Ordica to process Personal Data on Ordica's behalf in connection with providing the Service.
  • "Security Incident" means any unauthorized or unlawful access to, or destruction, loss, alteration, disclosure of, or accidental access to, Personal Data.
  • "EEA" means the European Economic Area.
  • "GDPR" means the European General Data Protection Regulation (Regulation 2016/679) and, where applicable, the UK GDPR as defined in the Data Protection Act 2018.
  • "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries, adopted by the European Commission (Commission Implementing Decision 2021/914).
  • "Service" means the Ordica prompt compression service provided under the Terms of Service between the parties.

2. Scope and Application

This DPA applies to the extent that Ordica processes Personal Data on behalf of Customer in the course of providing the Service. It supplements the Terms of Service between Customer and Ordica LLC.

This DPA applies where Customer routes prompts or other content through the Service that includes or may include Personal Data relating to Customer's end users or other individuals. Customer is responsible for determining whether any such Personal Data is included in content processed through the Service.

Note on prompt content: Ordica's Service processes prompts in memory only. Prompt content is not stored or logged after the request completes. If prompts contain Personal Data, that data passes through Ordica's infrastructure transiently for compression and is then forwarded to the designated LLM provider. Ordica does not retain, analyze, or use prompt content beyond the scope of processing necessary to provide compression services.

In case of conflict between this DPA and the Terms of Service with respect to the subject matter of data processing, this DPA controls.

3. Controller and Processor Roles

The parties agree that, with respect to the processing of Personal Data through the Service:

  • Customer acts as the Controller of Personal Data included in prompts and other content submitted to the Service.
  • Ordica acts as the Processor of such Personal Data, processing it solely on Customer's behalf and pursuant to Customer's documented instructions (which are, in the normal course, the act of routing prompts through the Service).

Ordica will not process Personal Data for any purpose other than providing and operating the Service, complying with legal obligations, or as otherwise agreed in writing. If Ordica receives a legal requirement to process Personal Data in a manner inconsistent with Customer's instructions, Ordica will notify Customer before compliance unless legally prohibited from doing so.

4. Processor Obligations

Ordica agrees to:

  • Process Personal Data only on Customer's documented instructions and not for Ordica's own purposes
  • Ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations
  • Implement and maintain the technical and organizational security measures described in Section 6
  • Engage Sub-Processors only in accordance with Section 5
  • Assist Customer in fulfilling Data Subject rights requests as described in Section 8
  • Assist Customer in meeting obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to Ordica
  • Notify Customer of any Security Incident affecting Personal Data as described in Section 7
  • Return or delete Personal Data on termination as described in Section 11
  • Make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, and cooperate with audits as described in Section 10

5. Sub-Processors

Customer provides general authorization for Ordica to engage the following Sub-Processors to perform specific processing activities in connection with providing the Service:

| Sub-Processor | Processing Activity | Data Processed | Location |
|---|---|---|---|
| Anthropic | LLM inference (when Customer designates Claude as provider) | Compressed prompt content forwarded by Customer's API calls | United States |
| Google | LLM inference (when Customer designates Gemini as provider) | Compressed prompt content forwarded by Customer's API calls | United States / EU |
| Stripe | Payment processing and billing | Account email, payment card details | United States |
| Cloudflare | Content delivery, DDoS protection, and network security | Request metadata, IP addresses (per Cloudflare's data processing addendum) | United States / Global |

Ordica will impose data protection obligations on Sub-Processors that are no less protective than those in this DPA. Ordica remains liable to Customer for the performance of Sub-Processors' obligations to the extent Ordica is liable under this DPA.

Changes to Sub-Processors: Ordica will provide at least 30 days' prior written notice before adding or replacing a Sub-Processor that may process Customer's Personal Data. Customer may object to a new Sub-Processor on reasonable grounds related to data protection within 14 days of notice. The parties will work in good faith to resolve any such objection. If the objection cannot be resolved and the Sub-Processor is necessary for Ordica to provide the Service, Customer may terminate the Service without penalty.

6. Security Measures

Ordica implements and maintains technical and organizational measures appropriate to the risk presented by the processing, including:

  • Encryption: Encryption of Personal Data in transit (all data transmitted between Customer, Ordica, and Sub-Processors is encrypted over secure channels) and at rest
  • Access controls: Role-based access controls, principle of least privilege, and multi-factor authentication for systems that may handle Personal Data
  • Data minimization: Prompt content is processed in memory only and discarded after each request. No prompt content is written to persistent storage.
  • Audit logging: Access to production systems and any systems that may process Personal Data is logged and monitored
  • Personnel: Personnel with access to systems that may process Personal Data are subject to confidentiality obligations and receive appropriate training
  • Incident response: Ordica maintains procedures for detecting, investigating, and responding to Security Incidents
  • Vendor management: Sub-Processors are contractually required to maintain appropriate security measures

Ordica will review and update security measures as the threat environment evolves. Documentation of specific security controls is available to Enterprise and Government customers under non-disclosure agreement. Current security posture summaries are available on request to security@ordica.ai.

7. Personal Data Breach Notification

Ordica will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Security Incident that affects Customer's Personal Data. Notification will be provided to Customer's designated contact (or, if none designated, to the email address on the account) and will include, to the extent then known:

  • A description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned
  • The contact details of Ordica's point of contact for further information
  • A description of the likely consequences of the Security Incident
  • A description of the measures taken or proposed to be taken to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects

Where information is not available at the time of initial notification, Ordica will provide it in phases as it becomes available. Notification of a Security Incident under this Section does not constitute an admission of fault or liability.

Ordica will cooperate with Customer's investigation of any Security Incident and provide reasonable assistance in meeting Customer's own breach notification obligations under applicable law.

8. Data Subject Rights Assistance

Taking into account the nature of the processing, Ordica will provide Customer with reasonable assistance in responding to Data Subject requests to exercise rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection).

Where a Data Subject makes a rights request directly to Ordica that is attributable to Customer's processing, Ordica will promptly notify Customer and not respond on Customer's behalf without authorization.

Limitation on prompt content: Because Ordica does not store prompt content, Ordica has no ability to fulfill data access, rectification, or erasure requests with respect to Personal Data that was included in prompts. Customer is responsible for managing such requests independently.

9. International Transfers

Customer acknowledges that Ordica's infrastructure and some Sub-Processors are located in the United States. Where Ordica transfers Personal Data from the EEA, UK, or Switzerland to the United States or other countries not recognized as providing an adequate level of protection, Ordica will implement appropriate transfer safeguards, which may include:

  • Standard Contractual Clauses (SCCs): The SCCs adopted by the European Commission (Decision 2021/914), Module 2 (Controller to Processor) incorporated by reference into this DPA for EEA-originating data
  • UK International Data Transfer Addendum: The UK IDTA addendum to SCCs, as applicable for UK-originating data

To the extent SCCs apply and there is any conflict between this DPA and the SCCs, the SCCs will prevail with respect to the transfer of Personal Data from the EEA or UK.

A signed copy of the SCCs for EEA or UK transfers is available upon request from legal@ordica.ai.

10. Audit Rights

Ordica will provide Customer with access to all information reasonably necessary to demonstrate compliance with this DPA and will permit and contribute to audits and inspections conducted by Customer or its authorized auditors, subject to the following conditions:

  • Customer will provide at least 30 days' prior written notice of any audit, except in cases of reasonable suspicion of a Security Incident or material DPA breach, in which case shorter notice may be given
  • Audits will be conducted during normal business hours and in a manner that minimizes disruption to Ordica's operations
  • Customer bears the costs of its own audits. Ordica may charge reasonable fees for staff time spent supporting Customer-initiated audits beyond one per calendar year.
  • Ordica may satisfy audit requirements by providing a current SOC 2 Type II report, ISO 27001 certificate, or equivalent third-party security audit summary, where available and relevant to the scope of the audit
  • All information disclosed in connection with an audit is Ordica's confidential information and subject to confidentiality obligations no less protective than those in the parties' Terms of Service

11. Return and Deletion of Data

Upon termination of the Service, or upon Customer's written request, Ordica will:

  • Cease processing Personal Data for the purposes described in this DPA
  • At Customer's election: (a) return to Customer all Personal Data then in Ordica's custody that is attributable to Customer's account; or (b) securely delete or destroy all such Personal Data
  • Delete or destroy all copies of Personal Data in the custody of Sub-Processors, to the extent practicable and not prohibited by applicable law
  • Provide written certification of deletion upon Customer's request

Ordica may retain Personal Data to the extent required by applicable law, provided that such data is isolated from further active processing and deleted as soon as the legal retention period expires.

Prompt content: Because prompt content is not stored, there is no prompt-content data to return or delete on termination. Only account metadata (usage records, billing history) would be subject to return or deletion under this Section.

12. Liability and Indemnification

Each party's liability to the other under this DPA is subject to the limitations of liability in the Terms of Service, to the extent permitted by applicable data protection law.

Where applicable law (including GDPR Article 82) requires a Processor to be liable for damage caused by processing that does not comply with applicable law, Ordica shall be exempt from that liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Each party shall indemnify the other for damages, costs, and losses arising from a material breach of this DPA attributable to that party's fault, subject to the liability caps in the Terms of Service.

Nothing in this DPA is intended to limit either party's liability to Data Subjects or to supervisory authorities under applicable data protection law.

13. Governing Law

This DPA is governed by the laws of the State of California, except to the extent that a provision of applicable data protection law (including GDPR) mandates a different governing law. For transfers subject to SCCs, the governing law of the applicable SCCs applies.

Disputes arising under this DPA shall be subject to the dispute resolution provisions of the Terms of Service.

14. Entire Agreement and Amendments

This DPA, together with the Terms of Service and any applicable Order Form, constitutes the entire agreement between the parties with respect to the processing of Personal Data in connection with the Service. This DPA supersedes all prior or contemporaneous understandings, representations, and agreements regarding its subject matter.

Ordica may update this DPA in response to changes in applicable law or regulatory guidance, or to reflect changes in Ordica's practices. Ordica will provide at least 30 days' notice of material changes. Customer may terminate the Service without penalty if Customer provides written notice of objection within 14 days of such notice and the parties cannot agree on amended terms.

Any amendment to this DPA must be in writing and signed by authorized representatives of both parties. To obtain a countersigned copy of this DPA for your legal team or procurement process, contact legal@ordica.ai.

Annex I — Description of Processing (placeholder)

Ordica will complete Annex I upon execution of a DPA as follows:

A. List of Parties. Data exporter: Customer as identified in the applicable order form. Data importer: Ordica LLC, California, United States. Contact: legal@ordica.ai.

B. Description of Transfer. Categories of data subjects: Customer's end users and Customer's personnel who submit prompts to the Service. Categories of personal data: any personal data contained in prompts submitted to the Service by Customer. Sensitive data: none expected; Customer is responsible for prompt content. Frequency: continuous, on request. Nature and purpose: token compression and routing middleware. Period of retention: duration of processing plus logs retained per the published Privacy Policy.

C. Competent Supervisory Authority. To be completed based on data exporter's place of establishment.

Annex II — Technical and Organizational Measures (placeholder)

Ordica's technical and organizational measures are described at a high level on the Security page; an audit-oriented description is available on request to security@ordica.ai under NDA.

Annex III — Sub-processors

See the Subprocessors section of the Security page for the current list.
