LogiRoot AI Governance Platform

Data Processing Agreement

Between LogiRoot AI Inc. and Customer

Version: 2026-06-11 · Supersedes all prior drafts.


THIS DATA PROCESSING AGREEMENT ("DPA") supplements and forms part of the Master Subscription Agreement ("Agreement") between LogiRoot AI Inc., a Delaware corporation ("Processor" or "LogiRoot"), and the entity identified as Customer in the Agreement ("Controller" or "Customer").

This DPA supports the Parties' obligations under applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Swiss FADP, and the California Consumer Privacy Act as amended ("CCPA/CPRA"), collectively "Data Protection Laws."

Effective Date: The date the Agreement becomes effective.


1. Definitions

1.1 "Personal Data" — information relating to an identified or identifiable natural person that LogiRoot Processes on behalf of Customer in connection with the Platform.

1.2 "Processing" — any operation performed on Personal Data, automated or not.

1.3 "Data Subject" — the natural person to whom Personal Data relates.

1.4 "Sub-Processor" — any third party LogiRoot engages to Process Personal Data on behalf of Customer.

1.5 "Security Incident" — any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by LogiRoot.

1.6 "Standard Contractual Clauses" or "SCCs" — the standard contractual clauses approved by European Commission Decision 2021/914.


2. Scope and Roles

2.1 Roles. Customer is the Controller. LogiRoot is the Processor, Processing Personal Data solely on behalf of and per Customer's documented instructions.

2.2 Subject Matter. Provision of AI governance services through the LogiRoot Platform: evaluation of governance requests, generation of governance receipts, and associated analytics.

2.3 Categories of Data.

| Category | Description |
|---|---|
| Governance metadata | Tool name, action type, policy parameters, timestamps |
| Tenant identifiers | Customer account and user identifiers |
| Receipt data | Cryptographic hashes, decision outcomes, audit trails |
| Contact information | Name, email (account administration only) |

2.4 Data Subjects. Customer's employees, contractors, and end users whose actions generate governance requests.

2.5 Duration. For the duration of the Agreement plus the deletion period in Section 11.


3. Customer Instructions

3.1 LogiRoot Processes Personal Data only on Customer's documented instructions, including as to international transfers, unless required by EU or Member State law (in which case LogiRoot informs Customer first, unless legally prohibited).

3.2 Instructions are documented in this DPA, the Agreement, Customer's Platform configuration, and any further written instructions acknowledged by LogiRoot.

3.3 LogiRoot informs Customer if, in its opinion, an instruction infringes Data Protection Laws, or if LogiRoot can no longer meet its obligations under this DPA or applicable law.


4. LogiRoot Obligations

LogiRoot shall: (a) Process Personal Data solely for the purposes in this DPA and on Customer's documented instructions; (b) ensure persons authorized to Process Personal Data are bound by confidentiality; (c) implement and maintain the technical and organizational measures in Annex II; (d) engage Sub-Processors only under Section 6; (e) assist Customer, by appropriate technical and organizational measures so far as possible, in responding to Data Subject rights requests; (f) assist Customer with GDPR Articles 32–36 (security, breach notification, impact assessments), taking into account the nature of Processing and the information available to LogiRoot; (g) on Customer's election, delete or return all Personal Data at the end of services per Section 11; and (h) make available to Customer the information necessary to demonstrate compliance with this DPA, by responding to written security questionnaires and providing relevant documentation and evidence records (Section 12).


5. AI Governance Records

5.1 Decision Records. Each governance evaluation produces a signed receipt recording the decision outcome, the policy-check results, and the reasons for the outcome. These records provide Customer with evidence to support its own transparency and record-keeping obligations.

5.2 Immutable Logging. The Platform generates immutable, hash-linked governance receipts for evaluations and retains them for no less than seven (7) years. The receipt chain is tamper-evident and independently verifiable offline.


6. Sub-Processors

6.1 Authorized Sub-Processors. Customer provides general written authorization for LogiRoot to engage the Sub-Processors listed in Annex III. LogiRoot imposes data-protection obligations on each Sub-Processor no less protective than this DPA.

6.2 Notification of Changes. LogiRoot notifies Customer by email to Customer's designated account contact at least thirty (30) days before engaging or replacing a Sub-Processor, including the Sub-Processor's identity, location, and nature of Processing.

6.3 Objection. Customer may object to a new Sub-Processor on reasonable data-protection grounds. If the Parties do not resolve the objection, Customer may terminate the affected services without penalty.

6.4 Liability. LogiRoot remains liable for its Sub-Processors' acts and omissions as if performed by LogiRoot.


7. International Data Transfers

7.1 Transfer Mechanism. For Personal Data originating in the EEA, UK, or Switzerland and Processed in the United States, the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference and apply. The SCCs are completed as follows:

  • Clause 7 (docking): included
  • Clause 9(a): Option 2 (general written authorization), 30-day notice
  • Clause 11(a) (independent dispute resolution): not included
  • Clause 13(a): the supervisory authority of the EEA Member State in which Customer is established (or the Irish Data Protection Commission where Customer is not EEA-established)
  • Clause 17: Option 1; governing law of Ireland
  • Clause 18(b): courts of Ireland

For transfers from the UK, the UK International Data Transfer Addendum (issued under s.119A UK Data Protection Act 2018) is incorporated by reference.

7.2 Supplementary Measures. LogiRoot applies supplementary measures to Personal Data transferred to the United States, including encryption in transit and at rest and access controls, as described in Annex II.


8. Security Measures

8.1 LogiRoot implements and maintains the technical and organizational measures in Annex II to protect Personal Data against Security Incidents.

8.2 LogiRoot reviews the measures in Annex II periodically and updates them as threats and technology evolve; updates do not materially reduce the overall level of protection for Personal Data.


9. Security Incident Notification

9.1 Notification. LogiRoot notifies Customer of any confirmed Security Incident without undue delay, and in any event within seventy-two (72) hours of becoming aware of it.

9.2 Content. The notification includes, to the extent known: the nature of the incident and the approximate scope of Data Subjects and records affected; LogiRoot's contact point; the likely consequences; the measures taken or proposed; and the receipt-chain integrity status at and after the incident.

9.3 Cooperation. LogiRoot takes commercially reasonable steps to assist Customer's investigation and remediation.

9.4 No Acknowledgment. Notification is not an acknowledgment of fault or liability.


10. Data Subject Rights

10.1 LogiRoot assists Customer, by appropriate technical and organizational measures and taking into account the nature of Processing, in responding to Data Subject rights requests.

10.2 If LogiRoot receives a request directly from a Data Subject, it promptly redirects the Data Subject to Customer and notifies Customer, unless applicable law requires otherwise.


11. Data Return and Deletion

11.1 On a verified written request to privacy@logirootai.com, or on termination or expiration of the Agreement, LogiRoot, at Customer's election, returns Personal Data in a structured, commonly used, machine-readable format, or erases it, within thirty (30) days. Erasure is operator-executed: identifying data is anonymized and access credentials are revoked. The erasure action is itself recorded as a signed receipt.

11.2 Governance receipts are retained for no less than seven (7) years. Personal Data is scrubbed from receipts at ingestion and any remaining identifiers are anonymized on erasure under Section 11.1, so the retained tamper-evident receipt chain contains no Personal Data and is kept for integrity and record-keeping purposes. Such retention is a documented instruction of Customer for purposes of this DPA.
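Sections 5.2 and 11 together require a receipt chain that is hash-linked, tamper-evident and verifiable offline, yet still allows a Data Subject's identifiers to be erased while the chain itself is retained. The following Python is an added illustration of how those two properties can coexist; it is not LogiRoot's code and the Platform's actual receipt format is not published on this page. Assumptions: the receipt fields, canonical JSON encoding, the all-zero genesis value, and the design in which only a salted SHA-256 commitment to the subject identifier goes on the chain (with the identifier-to-commitment mapping held off-chain and deleted on erasure). Annex II names SHA-256 for chain integrity; the per-receipt signature of Section 5.1 is not modeled because the page does not specify the scheme.

```python
"""Hash-linked governance receipt chain: build, verify offline, detect tampering,
and erase a subject's identifiers without breaking the chain.

Constructed example. Receipt fields, canonicalization, GENESIS and the salted
commitment erasure design are assumptions, not LogiRoot's actual format.
"""
import hashlib
import json
import secrets
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first receipt (assumption)


def canonical(obj: dict) -> bytes:
    """Deterministic JSON so every independent verifier hashes the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def receipt_hash(receipt: dict) -> str:
    """SHA-256 over every field except the hash itself."""
    body = {k: v for k, v in receipt.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def subject_ref(subject_id: str, salt: bytes) -> str:
    """Salted commitment to a subject identifier; only this value is chained."""
    return hashlib.sha256(salt + subject_id.encode()).hexdigest()


class ReceiptChain:
    def __init__(self) -> None:
        self.receipts: list[dict] = []  # append-only, hash-linked
        # Off-chain mapping commitment -> (subject_id, salt); deleted on erasure.
        self.subjects: dict[str, tuple[str, bytes]] = {}

    def _append(self, fields: dict) -> dict:
        prev = self.receipts[-1]["hash"] if self.receipts else GENESIS
        r = {"seq": len(self.receipts), "prev_hash": prev, **fields}
        r["hash"] = receipt_hash(r)
        self.receipts.append(r)
        return r

    def record_decision(self, tenant, subject_id, tool, action, decision, reasons):
        """Section 5.1 style receipt: outcome, policy results and reasons."""
        salt = secrets.token_bytes(16)
        ref = subject_ref(subject_id, salt)
        self.subjects[ref] = (subject_id, salt)
        return self._append({"kind": "decision", "tenant": tenant, "subject": ref,
                             "tool": tool, "action": action,
                             "decision": decision, "reasons": reasons})

    def erase_subject(self, subject_id):
        """Section 11.1 style erasure: drop the id->commitment mapping and its salt
        so chained commitments can no longer be linked to a person, then record
        the erasure itself as a receipt."""
        refs = [ref for ref, (sid, _) in self.subjects.items() if sid == subject_id]
        for ref in refs:
            del self.subjects[ref]
        return self._append({"kind": "erasure", "subjects": sorted(refs)})


def verify_chain(receipts: list[dict]) -> Optional[int]:
    """Offline check needing only SHA-256: None if intact, else the seq of the
    first receipt whose content hash or linkage to its predecessor is broken."""
    prev = GENESIS
    for i, r in enumerate(receipts):
        if r.get("seq") != i or r.get("prev_hash") != prev:
            return i
        if receipt_hash(r) != r.get("hash"):
            return i
        prev = r["hash"]
    return None


def demo() -> dict:
    chain = ReceiptChain()  # constructed sample decisions follow
    chain.record_decision("tenant-a", "alice@example.com", "db_export", "read",
                          "allow", ["policy:export-allowed-for-role-analyst"])
    chain.record_decision("tenant-a", "alice@example.com", "send_email", "execute",
                          "deny", ["policy:external-recipient-blocked"])
    chain.record_decision("tenant-a", "bob@example.com", "db_export", "read",
                          "allow", [])
    intact = verify_chain(chain.receipts)
    chain.erase_subject("alice@example.com")
    after_erasure = verify_chain(chain.receipts)  # chain survives erasure
    linkable = any(sid == "alice@example.com" for sid, _ in chain.subjects.values())
    tampered = [dict(r) for r in chain.receipts]
    tampered[1]["decision"] = "allow"  # flip a recorded deny to allow
    first_bad = verify_chain(tampered)
    tampered[1]["hash"] = receipt_hash(tampered[1])  # re-hash to hide the edit
    first_bad_rehashed = verify_chain(tampered)  # detection moves to the next link
    return {"receipts": len(chain.receipts), "intact": intact,
            "after_erasure": after_erasure, "alice_still_linkable": linkable,
            "erasure_receipt_kind": chain.receipts[3]["kind"],
            "erased_refs": len(chain.receipts[3]["subjects"]),
            "first_bad_after_flip": first_bad,
            "first_bad_after_rehash": first_bad_rehashed}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain alone proves that nothing before a trusted head was altered; an adversary who can rewrite the entire suffix from a chosen point and re-hash every later receipt is not caught by `verify_chain`. What anchors the head is the per-receipt signature that Section 5.1 requires, or a chain-head hash the Customer retains at each export, both of which a practitioner should check alongside the linkage.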


12. Demonstrating Compliance

12.1 LogiRoot makes available to Customer the information reasonably necessary to demonstrate compliance with this DPA.

12.2 LogiRoot responds to Customer's written security questionnaires and provides relevant documentation and evidence records (including architecture descriptions, security-measure descriptions, and audit-trail evidence) within a reasonable period, no more than once per twelve-month period absent a Security Incident or regulatory investigation.


13. CCPA/CPRA Service-Provider Terms

Where LogiRoot Processes personal information subject to the CCPA/CPRA, LogiRoot acts as a Service Provider and: (a) does not sell or share that personal information; (b) does not retain, use, or disclose it except as necessary to perform the services or as permitted by the CCPA/CPRA; (c) does not combine it with personal information from other sources except as the CCPA/CPRA permits; and (d) notifies Customer if it determines it can no longer meet these obligations.


14. Term and Termination

This DPA remains in effect for the duration of the Agreement and terminates with it, subject to survival of obligations on data deletion, receipt retention, and confidentiality.


15. Governing Law

This DPA is governed by the laws of the State of Delaware, except where Data Protection Laws require another jurisdiction's law. The SCCs are governed as stated in Section 7.1.


16. Order of Precedence

On conflict, this DPA prevails over the Agreement as to Processing of Personal Data; the SCCs prevail over this DPA.


Annex I: Details of Processing

| Element | Description |
|---|---|
| Subject matter | AI governance evaluation and receipt generation |
| Duration | Duration of the Agreement + 30 days for deletion |
| Nature and purpose | Evaluation of governance requests; generation of immutable governance receipts; compliance analytics |
| Categories of data | Governance metadata, tenant identifiers, receipt data, contact information |
| Categories of data subjects | Customer's employees, contractors, end users |
| Competent supervisory authority | The supervisory authority of the EEA Member State where Customer is established, or the Irish Data Protection Commission where Customer is not EEA-established |


Annex II: Technical and Organizational Security Measures

Encryption

  • Data in transit: TLS 1.3
  • Data at rest: AES-256
  • Envelope encryption of stored payloads via AWS KMS
  • Receipt-chain integrity via SHA-256 hashing

Access Control

  • Role-based access control with least privilege
  • Multi-factor authentication on AWS account and console access
  • Confidentiality obligations binding personnel with data access

Network Security

  • Virtual private cloud with network segmentation; database not publicly accessible
  • Application-layer request filtering and rate limiting
  • AWS Shield Standard DDoS protection at the CDN edge

Data Isolation

  • Logical tenant isolation at the application and database layers
  • Per-tenant data scoping enforced by tenant context
  • Cross-tenant access prevented by design

Monitoring and Logging

  • Centralized logging with real-time alerting on anomalous patterns
  • Audit-log retention of no less than seven (7) years
  • Tamper-evident governance receipt chain with offline integrity verification

Business Continuity

  • Multi-availability-zone database deployment with automated failover
  • Automated daily backups with 14-day retention

Vulnerability Management

  • Vulnerability disclosure program (security@logirootai.com, PGP key published)

Annex III: Authorized Sub-Processors

| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure: compute, storage, database, email delivery, content delivery | United States (us-east-1) | All categories in Annex I |

The current list of Sub-Processors is available on request to privacy@logirootai.com; LogiRoot notifies Customer of changes per Section 6.2.


Signatures

LOGIROOT AI INC. (Processor) — Name: Jared C. Rich · Title: Chief Executive Officer · Signature: __________ · Date: __________

CUSTOMER (Controller) — Name: __________ · Title: __________ · Signature: __________ · Date: __________

Incorporated by reference into the LogiRoot Master Subscription Agreement.