Data Processing Agreement
Last updated: March 2, 2026
Effective Date: March 2, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between RapierCraft Inc., doing business as AlterLab ("Processor," "we," "us," or "our"), and the entity or individual agreeing to these terms ("Controller," "you," or "your") for the use of AlterLab services at alterlab.io (the "Service").
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to the extent that we process Personal Data on your behalf in connection with the Service.
This DPA supplements and is incorporated into our Terms of Service and Privacy Policy. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.
2. Definitions
For the purposes of this DPA, the following terms have the meanings set out below. Capitalized terms not defined herein shall have the meanings given in the GDPR.
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data — i.e., you, the customer.
- "Processor" means the entity that processes Personal Data on behalf of the Controller — i.e., RapierCraft Inc. (AlterLab).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or erasure.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Standard Contractual Clauses" ("SCCs") means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, as set out in Commission Implementing Decision (EU) 2021/914.
3. Scope and Purpose of Processing
The Processor shall process Personal Data only to the extent necessary to provide the Service as described in the Terms of Service and as further instructed by the Controller.
3.1 Subject Matter
The provision of web scraping and data extraction services via the AlterLab API, including processing API requests, delivering extracted data, and managing customer accounts.
3.2 Duration
Processing shall continue for the duration of the Service agreement between the Controller and the Processor, and shall cease upon termination of the agreement, subject to the data deletion obligations set out in Section 10.
3.3 Nature and Purpose
The Processor processes Personal Data for the following purposes:
- Processing API requests submitted by the Controller
- Delivering extracted web data to the Controller
- Account management and authentication
- Billing and payment processing
- Service monitoring, logging, and debugging
- Customer support
3.4 Categories of Data Subjects
- Controller's employees and authorized users of the Service
- Individuals whose Personal Data may be contained in web pages scraped at the Controller's instruction
3.5 Types of Personal Data
- Account information (name, email, company name)
- Authentication data (API keys, session tokens)
- Billing information (processed via Stripe)
- API usage logs (URLs requested, timestamps, IP addresses)
- Any Personal Data contained within web pages scraped at the Controller's direction
4. Controller Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Controller's instructions are documented in the Terms of Service and any additional written instructions provided to the Processor. The Controller acknowledges that the Service is provided on a standardized basis and that the Processor's ability to customize processing for individual Controllers may be limited.
The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection provisions.
5. Confidentiality and Personnel
The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor shall take reasonable steps to ensure the reliability of any personnel who have access to Personal Data, and shall ensure that access to Personal Data is limited to those individuals who need access to perform their duties under this DPA.
6. Security Measures
In accordance with Article 32 of the GDPR, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Encryption of Personal Data in transit using TLS/SSL protocols
- Encryption of sensitive data at rest using AES-256 encryption
- Secure API key storage using Argon2 hashing algorithms
- Access controls and role-based authentication mechanisms
- Regular security audits and vulnerability assessments
- Monitoring and logging of security events
- Regular backup procedures with encrypted storage
- Incident response procedures and breach notification protocols
- Network isolation and firewall protection for production systems
The Processor shall regularly test, assess, and evaluate the effectiveness of these technical and organizational measures and shall update them as necessary to maintain an appropriate level of security.
7. Sub-processors
The Controller provides general written authorization for the Processor to engage Sub-processors to assist in providing the Service, subject to the conditions set out in this section.
The Processor shall ensure that any Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes. If the Controller objects on reasonable grounds, the Processor shall make reasonable efforts to provide an alternative solution. If no alternative is available, the Controller may terminate the affected portion of the Service.
7.1 Current Sub-processors
As of the effective date of this DPA, the Processor uses the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription management | United States |
| OVHcloud | Cloud infrastructure hosting and data storage | France (EU) |
| Microsoft Corporation (Clarity) | Behavioral analytics, heatmaps, and session recordings | United States |
| Zoho Corporation (Zoho Mail) | Email communication services | United States / EU |
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under Chapter III of the GDPR (Articles 15–22), including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless legally required to do so.
The Processor shall provide reasonable assistance, taking into account the nature of the processing, through appropriate technical and organizational measures, to the extent this is possible, to help the Controller meet its Data Subject request obligations.
9. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach, in accordance with Article 33 of the GDPR. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
- The name and contact details of the Processor's point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach.
10. Data Deletion and Return
Upon termination of the Service agreement, or at the Controller's written request, the Processor shall, at the Controller's choice:
- Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or
- Delete all Personal Data and existing copies, unless European Union or Member State law requires further storage
Deletion shall be completed within 90 days of the request or termination date. The Processor shall certify in writing that deletion has been completed upon the Controller's request.
The Processor may retain Personal Data to the extent required by applicable law, in which case the Processor shall continue to protect such data in accordance with this DPA and applicable data protection laws.
11. Data Protection Impact Assessment
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to carry out under Articles 35 and 36 of the GDPR, taking into account the nature of the processing and the information available to the Processor.
12. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audits shall be subject to the following conditions:
- The Controller shall provide at least 30 days' prior written notice of any audit
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations
- The Controller may conduct one audit per 12-month period, unless a Personal Data Breach has occurred or a supervisory authority requires additional audits
- The auditor shall be bound by appropriate confidentiality obligations
- The Controller shall bear all costs associated with the audit, unless the audit reveals material non-compliance by the Processor
13. International Data Transfers
The Processor is based in the United States (RapierCraft Inc., Middletown, Delaware). Infrastructure is hosted in the European Union (OVHcloud, France). Personal Data may be transferred to and processed in jurisdictions outside the European Economic Area ("EEA") where the Processor or its Sub-processors operate.
For transfers of Personal Data from the EEA to countries that do not benefit from an adequacy decision by the European Commission, the Processor shall ensure appropriate safeguards are in place, including the Standard Contractual Clauses (SCCs) as approved by the European Commission in Implementing Decision (EU) 2021/914.
The Processor shall ensure that any Sub-processor located outside the EEA is bound by equivalent data transfer mechanisms. For further details on international transfers, see our Privacy Policy, Section 9 (International Data Transfers).
14. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws provisions, except to the extent that mandatory data protection laws of the European Union or a Member State apply.
Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of the State of Delaware, provided that nothing in this clause limits the right of a Data Subject or supervisory authority to bring proceedings in their local jurisdiction as provided under the GDPR.
15. General Terms
Entire Agreement: This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the processing of Personal Data.
Amendments: The Processor may update this DPA from time to time. Material changes will be communicated to the Controller with at least 30 days' prior notice. Continued use of the Service after notice constitutes acceptance of the updated DPA.
Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
Survival: The obligations of the Processor under this DPA shall survive the termination of the Service agreement to the extent necessary to complete the deletion or return of Personal Data, and for any ongoing confidentiality obligations.
16. Contact Information
Questions About This DPA?
If you have any questions about this Data Processing Agreement or wish to exercise your rights under it, please contact us:
Data Protection Officer:
[email protected]
General Inquiries:
[email protected]
Mailing Address:
RapierCraft Inc.
651 North Broad Street
Suite 201
Middletown, DE US