Data Processing Addendum

Effective as of June 15th, 2025

At Zydeer LLC, we understand that protecting your data is paramount. This Data Processing Agreement ("DPA" or "Addendum"), along with its Exhibits (collectively, the "Agreement"), is a vital document that forms part of your main service agreement with us (the "Principal Agreement").

It's designed to give you peace of mind by outlining how we responsibly handle the data you entrust to our multi-model assistant platform. Whether your business operates locally or serves a global audience, this DPA ensures we uphold the highest standards of data privacy and comply with diverse worldwide privacy regulations.

Here's how we'll work together:

Client: You, our Customer (or "Your Company"), acting as the responsible party for determining how and why data is processed (the Data Controller).

Zydeer LLC: ("Zydeer"), providing the innovative platform and processing data strictly on your behalf (the Data Processor).

This DPA specifically addresses compliance with key privacy frameworks, including the General Data Protection Regulation (EU 2016/679) ("GDPR"), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA"), the UK General Data Protection Regulation ("UK GDPR"), and other applicable data protection laws (collectively, "Data Protection Laws"). Any terms capitalized here but not defined will have the meaning given to them in your Principal Agreement.

1. Definitions

The following terms shall have the meanings set forth below:

  1. "Applicable Data Protection Laws" means all applicable privacy, data protection, and cybersecurity laws and regulations worldwide that apply to the processing of Personal Data under the Principal Agreement, including, but not limited to, GDPR, UK GDPR, CCPA, and any implementing or subordinate legislation.

  2. "Client Data" or "Customer Data" means any content, data, or information (including Personal Data) submitted by or for Client to or through the Services.

  3. "Company Account Data" means personal data that relates to Zydeer's relationship with the Client, including contact information of individuals authorized by Client to access the account, and billing information.

  4. "Company Usage Data" means Service usage data collected and processed by Zydeer in connection with the provision of the Services, including data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.

  5. "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Supervisory Authority", "Sell", and "Share" shall have the meanings given to them in Applicable Data Protection Laws (and where the CCPA applies, "business," "service provider," "consumer," "personal information," and "sale" or "share" shall be equivalent terms).

  6. "Services" shall have the meaning set forth in the Principal Agreement.

  7. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), as may be amended or replaced.

  8. "Subprocessor" means any third-party processor engaged by Zydeer to process Personal Data on behalf of the Client.

  9. "UK Addendum" means the International Data Transfer Addendum to the SCCs, issued by the Information Commissioner under §119A(1) Data Protection Act 2018.

2. Relationship of the Parties; Nature and Purpose of Processing

2.1. The parties acknowledge and agree that with regard to the Processing of Personal Data, the Client is the Controller and Zydeer is the Processor.

2.2. Zydeer shall process Personal Data strictly for the purpose of providing, maintaining, and improving its software and AI-powered Services, supporting the Client's use of the Services, and fulfilling contractual obligations as described in the Principal Agreement and this DPA.

2.3. The subject matter, nature, and duration of the Processing are defined by the Client's use of the Services and the term of the Principal Agreement. The Processing is performed on a continuous basis for the duration of the Principal Agreement.

2.4. Zydeer shall process Personal Data only (i) on Client's behalf and in accordance with Client's documented instructions, and (ii) in a manner that provides no less than the level of privacy protection required by Applicable Data Protection Laws.

2.5. If Zydeer is required by law to process Personal Data for a reason other than in connection with the Principal Agreement, Zydeer will inform the Client of this requirement in advance of any such processing, unless legally prohibited.

2.6. Zydeer shall promptly inform the Client in writing if, in Zydeer's opinion, an instruction from the Client violates Applicable Data Protection Laws.

2.7. CCPA (California Consumer Privacy Act) Compliance: Except with respect to Company Account Data and Company Usage Data (where Zydeer acts as a Controller as per Section 9), Zydeer acknowledges and agrees that it is a "service provider" for the purposes of the CCPA and is receiving personal information from Client to provide the Services for a business purpose. Zydeer shall not "Sell" or "Share" any such personal information, nor retain, use, or disclose it for any purpose other than as necessary for performing the Services for Client, or as otherwise set forth in the Principal Agreement or permitted by the CCPA.

3. Categories of Data and Data Subjects

3.1. Categories of Personal Data processed by Zydeer include:

  1. Identification Data: Name, email address, contact information.
  2. Technical Data: IP address, device information, operating system, browser, usage data (e.g., interactions with the platform, API calls, features used).
  3. User-Submitted Content: Prompts, documents, files, text, images, or any other content provided by the Client or its users through the Services, which may contain Personal Data.
  4. Communication Data: Metadata and content of communications facilitated by the Services.
  5. Analytics/Tracking Data: If enabled by the Client, open/link tracking and other analytics of recipient actions.

3.2. Categories of Data Subjects include:

  1. Client's end-users (e.g., customers of the Client).
  2. Client's employees, contractors, agents, and other individuals authorized by the Client to use or access the Services.
  3. Any other individuals whose Personal Data the Client submits to Zydeer.

4. Obligations of the Processor (Zydeer)

Zydeer shall:

  1. Process Client Data only on documented instructions from the Client, including those set out in the Principal Agreement and this DPA.
  2. Ensure the confidentiality, integrity, and availability of Personal Data by implementing and maintaining appropriate technical and organizational measures as detailed in Exhibit A (Technical and Organizational Measures).
  3. Limit access to Personal Data to authorized personnel who have committed themselves to confidentiality and are bound by appropriate data protection obligations.
  4. Promptly inform the Client in writing if Zydeer cannot comply with the requirements of this DPA.
  5. Not "Sell" or "Share" Personal Data as those terms are defined under Applicable Data Protection Laws.
  6. Not retain, use, or disclose Personal Data outside of the direct business relationship between Zydeer and Client, or for any purpose other than for the business purposes specified in the Principal Agreement and this DPA.
  7. Not combine Client Data with personal data that Zydeer receives from or on behalf of any other third party or collects from its own interactions with individuals, unless permitted under Applicable Data Protection Laws and specifically directed by Client for a purpose permitted under the CCPA.
  8. Provide the Client with reasonable assistance in fulfilling requests from Data Subjects related to their rights under Applicable Data Protection Laws, as further detailed in Section 8.
  9. Notify the Client without undue delay in case of a Personal Data Breach, as further detailed in Section 7.
  10. Maintain a list of current Subprocessors and provide notice of changes to the Client, as further detailed in Section 5.
  11. Upon reasonable request (no more than once per year), provide Client with Zydeer's privacy and security policies and other such information necessary to demonstrate compliance with its obligations set forth in this DPA and Applicable Data Protection Laws.

5. Subprocessing

5.1. Client grants Zydeer general written authorization to engage Subprocessors to support the delivery of the Services. Zydeer's current list of Authorized Subprocessors is available at Subprocessors.

5.2. Zydeer shall specifically inform the Client in writing of any intended changes to the Subprocessor List (including the addition or replacement of Subprocessors) at least thirty (30) days in advance, thereby giving the Client sufficient time to object to such changes.

5.3. If the Client reasonably objects to a new Subprocessor on grounds related to the protection of Personal Data within the notice period, and Zydeer cannot provide a commercially reasonable alternative, Client may discontinue use of the affected Service by providing written notice to Zydeer. This discontinuation shall not relieve the Client of any fees owed under the Principal Agreement.

5.4. For each Subprocessor, Zydeer shall enter into a written agreement that imposes data protection obligations on the Subprocessor that are substantially as protective as those imposed on Zydeer under this DPA with respect to the protection of Personal Data.

5.5. Zydeer shall remain liable to the Client for the performance of its Subprocessors' obligations under such written agreements.

6. International Data Transfers

6.1. Data may be transferred to and stored in the United States or other locations where Zydeer or its Subprocessors operate. Client acknowledges that Zydeer's primary processing operations take place in the United States, and that the transfer of Client Data to the United States is necessary for the provision of the Services.

6.2. Zydeer will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.

6.3. EU-U.S. Data Transfers (GDPR): For transfers of Personal Data from the European Economic Area ("EEA") subject to the GDPR, the Standard Contractual Clauses (Module Two: Controller to Processor) as completed in Exhibit B (Standard Contractual Clauses) of this DPA are hereby incorporated by reference and deemed executed by the parties.

6.4. UK Data Transfers (UK GDPR): For transfers of Personal Data from the United Kingdom ("UK") subject to the UK GDPR, the UK Addendum, as completed in Exhibit C (UK Addendum) of this DPA, is hereby incorporated by reference and deemed executed by the parties.

6.5. Swiss Data Transfers: For transfers of Personal Data from Switzerland subject to Swiss Data Protection Laws, appropriate safeguards will be implemented, which may include the Standard Contractual Clauses with necessary modifications to reflect Swiss law. These modifications are detailed in Exhibit D (Swiss Addendum).

6.6. Supplementary Measures: In respect of any international data transfer, Zydeer shall, as appropriate, implement supplementary measures to ensure a level of data protection equivalent to that afforded in the EEA/UK/Switzerland. This includes:

  1. Maintaining records of any formal legal requests for disclosure of Customer Personal Data from government authorities.
  2. Making reasonable efforts to redirect such requests directly to the Client.
  3. Notifying the Client promptly, unless legally prohibited, if Zydeer is compelled to disclose Personal Data to a public authority.
  4. Cooperating with the Client to enable them to seek protective orders or other remedies.

7. Security Measures and Personal Data Breach Notification

7.1. Security Measures: Zydeer implements and maintains technical and organizational measures, as detailed in Exhibit A (Technical and Organizational Measures), designed to protect the security, confidentiality, and integrity of Personal Data, and to prevent unauthorized or accidental access, loss, alteration, disclosure, or destruction of Client Data. Zydeer may update these measures from time to time, provided that such updates do not materially diminish the overall security of the Services.

7.2. Personal Data Breach Notification: Zydeer will notify the Client in writing without undue delay, but in no event later than 48 hours after becoming aware of a Personal Data Breach affecting Client Data.

7.3. Upon becoming aware of a Personal Data Breach, Zydeer shall (a) investigate the Security Breach, and (b) provide the Client with timely information relating to the nature of the Security Breach, where reasonably possible, including:

  1. The categories and approximate number of Data Subjects concerned.
  2. The categories and approximate number of Personal Data records concerned.
  3. The likely consequences of the Personal Data Breach.
  4. The measures taken or proposed to be taken by Zydeer to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.4. Zydeer will assist the Client in complying with its obligations under Applicable Data Protection Laws with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.

8. Assistance to Client (Data Subject Rights & DPIAs)

8.1. Zydeer shall, taking into account the nature of the processing, provide the Client with reasonable and timely assistance as necessary for the Client to fulfill its obligations under Applicable Data Protection Laws to respond to Data Subject Requests (e.g., requests for access, rectification, erasure, data portability, objection, or restriction of processing). If Zydeer receives a Data Subject Request directly, Zydeer will promptly forward the request to the Client. Zydeer shall not respond to any such request unless authorized by the Client or required by applicable law.

8.2. Data Protection Impact Assessments (DPIAs) & Prior Consultation: Zydeer shall, taking into account the nature of the processing and the information available to Zydeer, provide the Client with reasonable cooperation and assistance where necessary for the Client to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to carry out prior consultation with a Supervisory Authority.

9. Zydeer's Role as a Controller (for specific data)

9.1. The parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Zydeer is an independent Controller, not a joint Controller with the Client.

9.2. Zydeer will process Client Account Data and Client Usage Data as a Controller to: (i) manage the relationship with Client; (ii) carry out Zydeer's core business operations (e.g., accounting, audits, tax, and compliance); (iii) monitor, investigate, prevent, and detect fraud, security incidents, and other misuse of the Services; (iv) for identity verification purposes; (v) comply with legal or regulatory obligations; and (vi) as otherwise permitted under Data Protection Laws.

9.3. Any processing by Zydeer as a Controller shall be in accordance with Zydeer's privacy policy, available at https://www.useinvent.com/legal/privacy

10. Duration and Termination

10.1. This DPA shall remain in effect for as long as Zydeer processes Personal Data on behalf of the Client or until the termination of the Principal Agreement.

10.2. Upon termination or expiration of the Principal Agreement, Zydeer shall, at the Client's choice:

a. Return a copy of all Client Data in its control or possession to the Client; and/or

b. Delete all copies of Client Data (including Personal Data) processed by Zydeer or any Subprocessors, within 90 days, unless retention is required by Applicable Data Protection Laws or other legal/regulatory requirements.

10.3. Zydeer may continue to process information derived from Client Data that has been de-identified, anonymized, and/or aggregated such that the data is no longer considered Personal Data under Applicable Data Protection Laws and does not identify individuals or Client, for the purpose of improving Zydeer's systems and services.

11. Audits and Certifications

11.1. Zydeer is committed to implementing security controls in line with established industry standards (such as SOC 2 Type II) and is in the process of obtaining third-party certification. Upon completion of any such audit, and upon Client's written request, and subject to confidentiality obligations, Zydeer will make summary reports or certifications relevant to this DPA available to the Client.

11.2. If the provision of reports or certifications is not reasonably sufficient under Data Protection Laws, Zydeer may, upon Client's written request and at Client's sole expense, permit Client or a mutually agreed-upon independent third-party auditor to conduct an audit or inspection of Zydeer's data security infrastructure and procedures. Such audits shall be subject to: (a) reasonable prior written notice, (b) occurring no more than once per calendar year (unless non-compliance or a Security Breach is indicated), (c) being non-disruptive to Zydeer's business, and (d) the auditor entering into a confidentiality agreement with Zydeer.

12. Governing Law and Jurisdiction

12.1. This DPA shall be governed by and construed in accordance with the laws of the State of Florida, USA, unless otherwise specified in the Principal Agreement or superseded by the governing law of the Standard Contractual Clauses or UK Addendum for international data transfers.

12.2. Disputes arising from this DPA shall be resolved before the competent courts of the State of Florida, USA, unless otherwise specified in the Standard Contractual Clauses or UK Addendum.

13. Client's Obligations

a. Client represents, warrants, and covenants that it has and shall maintain throughout the term all necessary rights, consents, and authorizations to provide Client Data to Zydeer and to authorize Zydeer to use, disclose, retain, and otherwise process Client Data as contemplated by this DPA and the Principal Agreement.

b. Client shall comply with all Applicable Data Protection Laws in its use of the Services.

c. Client shall reasonably cooperate with Zydeer to assist Zydeer in performing any of its obligations with regard to any requests from Data Subjects.

d. Client acknowledges and agrees that it, rather than Zydeer, is responsible for certain configurations and design decisions for the Services and that Client, and not Zydeer, is responsible for implementing those configurations and design decisions in a secure manner that complies with Applicable Data Protection Laws.

e. Client shall not provide Client Data to Zydeer except through agreed mechanisms. For example, Client shall not include Client Data other than technical contact information in technical support tickets, or transmit user Client Data to Zydeer by email. Client represents, warrants, and covenants that it shall only transfer Client Data to Zydeer using secure, reasonable, and appropriate mechanisms, to the extent such mechanisms are within Client's control.

14. Conflict

14.1. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses (for international transfers only); (2) the terms of this DPA; (3) the Principal Agreement; and (4) Zydeer's privacy policy.

15. Contact

For questions regarding data protection:

Zydeer LLC
Attn: Data Protection Team
PO BOX 836053
Miami, FL 33283
[email protected]

By using Zydeer's Services, Client agrees to the terms of this Data Processing Agreement.


Exhibits

Exhibit A: Technical and Organizational Measures

Zydeer is committed to industry-recognized best practices for data security. Zydeer is in the process of completing its SOC 2 Type II certification, which demonstrates controls related to security, availability, processing integrity, confidentiality, and privacy. A copy of our SOC 2 report will be available upon request, subject to confidentiality agreements, once the certification process is complete.

1. Security Governance

Policies: Zydeer maintains comprehensive, management-approved information security policies reviewed annually.

Risk Management: Regular risk assessments identify and mitigate potential threats to data and operations.

Security Oversight: Zydeer's security is overseen by designated personnel assigned responsibility for security governance and implementation.

2. Application Security

Secure Development Lifecycle: All code is developed following secure coding practices, with security reviews at every major release stage.

Vulnerability Management: Regular vulnerability scans and patch management for application and supporting systems.

Penetration Testing: Zydeer is committed to regular, third-party penetration testing as part of our security program. This process will be formally implemented as part of our SOC 2 Type II certification and will include independent testing and prompt remediation of findings.

Static Code Analysis: Automated tools are used to detect code-level vulnerabilities before deployment.

3. Infrastructure Security

Data Centers & Cloud Providers: Zydeer hosts its infrastructure in industry-recognized cloud providers and data centers with physical and logical security controls.

Network Access Controls: Use of Virtual Private Clouds (VPC), strict firewall rules, network segmentation, and least-privilege access between network zones.

4. Access Controls

Authentication: All access to critical systems requires Multi-Factor Authentication (MFA) and, where applicable, Single Sign-On (SSO).

Authorization: Role-Based Access Control (RBAC) enforces least privilege. Permissions are regularly reviewed.

Account Management: Formal user provisioning and termination procedures, including offboarding access reviews and immediate deactivation.

Password Policies: Strong password policies consistent with NIST guidelines.

5. Encryption

In Transit: All data transmitted over public networks is encrypted using TLS 1.2 or higher (HTTPS).

At Rest: All customer data is encrypted at rest using AES-256 or stronger algorithms.

6. Monitoring and Incident Response

Logging: Security-relevant events are logged centrally and monitored using security information and event management (SIEM/SOAR) solutions.

Incident Response: Zydeer maintains a documented and tested incident response plan, including annual tabletop exercises and defined escalation procedures.

7. Personnel Management

Training: All employees receive security awareness and privacy training at onboarding and annually thereafter.

Background Checks: Pre-employment background checks are conducted as permitted by law.

Confidentiality: All personnel are required to sign confidentiality and acceptable use agreements.

8. Third-Party Risk Management

Vendor Assessment: All subprocessors and critical vendors undergo initial and periodic security evaluations to ensure alignment with Zydeer's standards.

9. Data Management

Segregation: Logical separation of customer data is implemented in multi-tenant environments.

Network Segmentation: Sensitive data and production resources are isolated from other systems.

10. Availability and Business Continuity

Redundancy: Critical systems and infrastructure are designed for high availability, with redundancy at multiple levels.

Disaster Recovery: Zydeer maintains tested backup, disaster recovery, and business continuity plans, including regular recovery testing.


Exhibit B: Standard Contractual Clauses (Controller to Processor)

These Clauses are incorporated by reference into the DPA between the client ("Data Exporter") and Zydeer ("Data Importer").

A completed copy of the EU Commission's SCCs (2021/914) can be found at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

The following options/Annexes are completed as follows:

Annex I.A: Data Exporter: The client (controller) who enters into a DPA with Zydeer, with address and contact information as provided by the client at registration or in the order form. Data Importer: Zydeer (processor), PO BOX 836053, Miami, FL 33283, Contact: [email protected]

Annex I.B: Description of Transfer (nature of data, frequency, subject, retention): As described in the DPA and as required for delivery of the Services.

Annex I.C: Competent Supervisory Authority: The EU member state where the data exporter is established.

Annex II: Technical and Organizational Measures: See Exhibit A of this DPA, as updated from time to time and available at [your security measures URL].

Annex III: List of Subprocessors: See current published Subprocessor List here.

The parties agree the remainder of the SCCs apply as published by the European Commission.


Exhibit C: UK Addendum

The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022), issued by the UK Information Commissioner's Office, is incorporated by reference into this DPA.

The Addendum is completed as follows:

Start Date: The date on which the client accepts or otherwise enters into the DPA with Zydeer (via account registration).

Parties: As described in Exhibit B.

Table 1 (Parties): As set out in Annex I.A of Exhibit B.

Table 2 (Selected SCCs): As per Exhibit B (Module 2, Controller to Processor).

Table 3 (Appendix Information): As set forth in the Annexes to Exhibit B.

Table 4 (Ending this Addendum): Neither party may end the Addendum under Section 19.

Full text available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf


Exhibit D: Swiss Addendum

For data transfers from Switzerland, the EU Standard Contractual Clauses incorporated in Exhibit B are deemed modified as follows:

  • References to "EU GDPR" are interpreted as references to the Swiss Federal Data Protection Act (FDPA).
  • References to an "EU Member State" or "EU" also include Switzerland.
  • The Swiss Federal Data Protection and Information Commissioner (FDPIC) will be the competent authority.
  • Data subjects in Switzerland may enforce their rights under the Clauses in Switzerland.
  • The governing law for contractual claims under the SCCs is Swiss law.