Data Processing Addendum (DPA)

Last updated: 2026-04-12

1. Parties and scope

This Data Processing Addendum ("DPA") is entered into between the Customer ("Controller") and GuruMood ("Processor") and applies to the processing of personal data carried out by GuruMood on behalf of the Customer when providing the Services. This DPA forms an integral part of the Terms of Service and the applicable Order Form/SOW. In the event of a conflict, this DPA prevails on the matters it regulates.

2. Definitions

The terms "personal data", "processing", "data subject", "controller", "processor", "sub-processor", "personal data breach", and "supervisory authority" have the meaning given in Regulation (EU) 2016/679 (GDPR). "Data Protection Laws" includes the GDPR, UK GDPR, LGPD, CCPA/CPRA, and any other equivalent legislation applicable to the processing.

3. Subject matter, nature, and purpose

The subject matter is the processing necessary to provide the Services described in the Order Form/SOW. The nature of the processing may include: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, transmission, restriction, erasure, or destruction. The purpose is to enable the Customer to operate AI agents and automations, analyze results, manage communications with end-users, and other tasks defined by the Customer.

4. Duration

This DPA applies while GuruMood processes personal data on behalf of the Customer, from the start of the Service until the deletion or return of the data after termination.

5. Categories of data subjects and types of data

The categories of data subjects and types of data depend on the Service contracted and include, among others:

  • Data subjects: Customer's end-users, employees, business contacts, and prospects.
  • Types of data: identification and contact data, conversation content (text, audio, transcriptions), message metadata, preferences, technical data (IP, IDs, logs), marketing and analytics data.
  • Special categories: will not be processed except on express instruction of the Customer and subject to any additional legal requirements that apply.

6. Roles and relationship

The Customer acts as Controller (or as Processor for its own customers, in which case GuruMood acts as Sub-processor). GuruMood acts as Processor and will process data only on documented instructions from the Customer, including those embedded in the Services, Order Forms, and this DPA.

7. Processor obligations (GDPR Art. 28)

  1. Process personal data only on documented instructions from the Customer, including regarding international transfers, unless required by law; in such case, GuruMood will inform the Customer before processing unless the law prohibits it.
  2. Ensure that authorized personnel are subject to appropriate confidentiality obligations.
  3. Implement appropriate technical and organizational measures (see Annex II — Security Measures).
  4. Comply with the conditions for engaging sub-processors (see Sub-processors clause).
  5. Assist the Customer, as far as possible, in fulfilling its obligation to respond to data subject rights requests.
  6. Assist the Customer in complying with Arts. 32-36 of the GDPR, including breach notification and, where applicable, Data Protection Impact Assessments (DPIAs) and prior consultations.
  7. At the Customer's choice, delete or return the personal data at the end of the provision of the Services and delete existing copies unless legally required to retain them.
  8. Make available to the Customer all information necessary to demonstrate compliance with Art. 28 and allow for audits as described in the Audits section.
  9. Immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.

8. Sub-processors

The Customer provides general authorization for GuruMood to engage sub-processors to provide the Services. GuruMood will maintain an up-to-date list of sub-processors, available on request at privacy@gurumood.com.

GuruMood will notify the Customer at least 30 days in advance of any intended change (addition or replacement of sub-processors), giving the Customer an opportunity to object on reasonable grounds. If the Customer objects for legitimate data protection reasons, the parties will negotiate in good faith. If no solution is reached, the Customer may terminate the affected Services.

GuruMood will impose on sub-processors data protection obligations equivalent to those set out in this DPA and will remain liable to the Customer for their performance.

9. International transfers

When processing involves transfers of personal data outside the EEA, UK, or Switzerland to countries without an adequacy decision, appropriate safeguards will apply:

  • EU Standard Contractual Clauses 2021/914 (Module 2: Controller–Processor, or Module 3: Processor–Sub-processor, as applicable), incorporated by reference into this DPA.
  • UK International Data Transfer Addendum (IDTA) when transferring data subject to the UK GDPR.
  • Swiss Addendum when transferring data subject to the Swiss FADP.
  • Supplementary measures: encryption in transit and at rest, pseudonymization, strict access controls, and transfer impact assessment where appropriate.

The parties' signatures on the Terms of Service, Order Form, or DPA are deemed to constitute signature of the corresponding SCCs.

10. Personal data breaches

GuruMood will notify the Customer without undue delay and in any case within 72 hours of becoming aware of a personal data breach. The notification will include, as far as possible: the nature of the breach, categories and approximate number of data subjects and records affected, measures taken or proposed, and contact details of the security officer. GuruMood will assist the Customer in meeting its notification obligations to authorities and data subjects.

11. Assistance with data subject rights

Taking into account the nature of the processing, GuruMood will assist the Customer with appropriate technical and organizational measures in responding to rights requests. If GuruMood receives a request directly from a data subject, it will redirect the data subject to the Customer and inform the Customer without delay.

12. DPIA and prior consultations

GuruMood will provide the Customer with reasonable information necessary to carry out Data Protection Impact Assessments (DPIAs) and, where applicable, prior consultations with the supervisory authority, in relation to the contracted Services.

13. Return or deletion of data

Upon termination of the Services, GuruMood, at the Customer's choice, will return or delete personal data within a maximum of 30 days, except where legally required to retain it. Data in backups will be deleted within the normal backup rotation cycle (up to 90 days).

14. Audits

GuruMood will make reasonable information available to the Customer (certifications, audit summaries, questionnaire responses) to demonstrate compliance. The Customer may request an audit once a year, with at least 30 days' notice, subject to confidentiality obligations and during normal business hours, without disrupting operations. In cases of a significant breach or requirement from an authority, an additional audit may be agreed.

15. Liability

The parties' liability under this DPA is subject to the limitations set out in the Terms of Service and the applicable Order Form/SOW, except where the law requires otherwise.

16. Annex I — Processing details

  A. List of parties: the Customer (Controller or initial Processor) and GuruMood (Processor or Sub-processor).
  B. Description of the transfer: as set out in the Order Form/SOW.
  C. Competent supervisory authority: that of the Member State of the Customer's main establishment in the EU; the ICO for the UK; the FDPIC for Switzerland.

17. Annex II — Technical and organizational measures

  • Pseudonymization and encryption: TLS 1.2+ in transit, AES-256 at rest, controlled key management.
  • Ongoing confidentiality, integrity, availability, and resilience of systems and services.
  • Ability to restore the availability and access to data in the event of a physical or technical incident (backups, DR).
  • Process for regularly testing, assessing, and evaluating the effectiveness of measures.
  • Access controls: RBAC, mandatory MFA for staff, least-privilege principle, periodic permission review.
  • Operational security: patch management, vulnerability scanning, penetration testing, monitoring, and SIEM.
  • Physical security at data centers used by cloud providers (SOC 2, ISO 27001 certifications).
  • Personnel management: confidentiality agreements, background checks, periodic training.
  • Vendor management: security due diligence, contracts with data protection clauses.
  • Incident management: documented procedure, assigned roles, defined response times.

18. Contact

For questions about this DPA or to request the list of sub-processors, contact privacy@gurumood.com.
