1. Definitions
Capitalized terms not defined here have the meaning given in the Terms or in GDPR. "GDPR" means Regulation (EU) 2016/679 and, where the context requires, that Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"). "EU SCCs" means the standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914. "UK IDTA" means the International Data Transfer Addendum to the EU SCCs (version B1.0) issued by the UK Information Commissioner's Office ("ICO") under section 119A of the Data Protection Act 2018. "Swiss FADP" means the Swiss Federal Act on Data Protection of 25 September 2020. "Applicable Privacy Law" means GDPR, UK GDPR, the Swiss FADP, CCPA/CPRA, and any other privacy law applicable to the Processing.
2. Roles & Application
The Customer is the "Controller" (or where applicable, a Processor acting on behalf of a third-party Controller) of Personal Data submitted to the Service. Verdict is the "Processor" (or Sub-Processor) and processes Personal Data only as described in this DPA.
3. Subject Matter, Duration, Nature, Purpose
Subject matter. Processing of Personal Data necessary to provide the Service to the Customer.
Duration. The term of the Order plus any retention period required by law or set out in the Privacy Policy retention table.
Nature. Hosting, transmission, hashing, signing, anchoring, storage, retrieval, search, and analytics telemetry related to the Service.
Purpose. Performance of the Service under the Terms.
Details: see Annex I (§ 15).
4. Processing Instructions
Verdict processes Personal Data only on documented instructions from the Customer, including with regard to transfers, except where required by law. The Terms, this DPA, the Order, and any Customer configurations expressed through the Service constitute the Customer's documented instructions. If Verdict believes an instruction violates Applicable Privacy Law, Verdict will promptly inform the Customer.
5. Processor Obligations
Verdict will:
- Process Personal Data only as instructed by the Customer.
- Ensure persons authorized to process Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
- Implement the technical and organizational measures in Annex II (§ 16).
- Engage Subprocessors only under Section 6.
- Taking into account the nature of the processing, assist the Customer in fulfilling its obligation to respond to data-subject requests.
- Assist the Customer in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).
- Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits as described in Section 11.
- On termination, delete or return Personal Data as described in Section 12, subject to the integrity-preserving redaction mechanism for Evidence Records.
6. Subprocessors
The Customer authorizes Verdict to engage the Subprocessors listed in Annex III (§ 17) and at /subprocessors. Verdict will:
- Impose data-protection terms on each Subprocessor that are no less protective than this DPA.
- Remain liable for each Subprocessor's performance.
- Give the Customer at least 30 days' advance notice by email or in-product notice (and by update to /subprocessors) before adding or replacing a Subprocessor.
If the Customer reasonably objects to a new Subprocessor on data-protection grounds within the 30-day window, the parties will work in good faith to resolve the objection. If it remains unresolved, the Customer may terminate the affected portion of the Service for the unused remainder of its prepaid term and receive a prorated refund.
7. Data Subject Requests
Where Verdict receives a request from a data subject relating to Customer Personal Data, Verdict will, unless legally prohibited, forward the request to the Customer within five business days and will not respond directly except to confirm receipt and route. Taking into account the nature of the Processing, Verdict will assist the Customer by appropriate technical and organizational measures.
8. Security Measures (Annex II)
Verdict implements and maintains the security measures in Annex II (§ 16), aligned with the architecture at /security. The measures meet the requirements of Article 32 GDPR taking into account the state of the art, costs, the nature, scope, context, and purposes of Processing, and the risks to data subjects.
9. International Transfers
Where Verdict transfers Personal Data subject to GDPR, UK GDPR, or the Swiss FADP outside the EEA, UK, or Switzerland to a country without an adequacy decision, the EU SCCs (Module 2 controller-to-processor, or Module 3 processor-to-processor as applicable) are incorporated into this DPA by reference, with the following selections:
- Clause 7 (docking clause): applicable.
- Clause 9(a) (subprocessing): Option 2 (general written authorization) with 30-day notice as in § 6.
- Clause 11 (redress): the optional independent dispute-resolution body provision is not selected.
- Clause 17 (governing law): the law of Ireland.
- Clause 18 (forum): the courts of Ireland.
- Annexes I, II, III of the SCCs are completed by §§ 15, 16, 17 below.
The UK IDTA applies to transfers subject to UK GDPR and is incorporated by reference, with Tables 1–4 completed by §§ 15–17 and the Mandatory Clauses as published by the ICO. Where the Swiss FADP applies, the EU SCCs are adapted so that references to the GDPR are read as references to the FADP, references to EU member states are read as references to Switzerland, and the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority for Swiss transfers.
10. Personal Data Breach
Verdict will notify the Customer without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include, to the extent then known: the nature of the breach, the categories and approximate numbers of data subjects and records affected, the likely consequences, and the measures taken or proposed. Verdict will provide updates as additional information becomes available and will cooperate reasonably with the Customer's breach-response obligations.
11. Audit Rights
Verdict will make available the information necessary to demonstrate compliance with Article 28 GDPR, including:
- Annual third-party audit reports (e.g., SOC 2 Type II once issued).
- Responses to a standard customer security questionnaire of reasonable scope, once per 12-month period.
- On at least 30 days' written notice, an on-site audit by the Customer or its independent auditor, once per 12-month period, conducted during business hours, under reasonable confidentiality, and in a manner that does not unreasonably interfere with the Service or other customers. Each party bears its own costs, except that Verdict will reimburse the Customer's reasonable audit costs where the audit finds material non-compliance with this DPA.
Where a supervisory authority requires an audit, Verdict will cooperate as required by law without the limits above.
12. Deletion & Return
On termination or expiration of the Order, and except for Evidence Records governed by Terms § 6.4–6.5 (immutability and hash-preserving redaction), Verdict will delete or return Customer Personal Data according to the Customer's election, made within 30 days of termination. Backups are deleted in accordance with Verdict's backup-retention cycle (≤ 35 days). Personal Data retained to comply with law is segregated from active processing.
13. Liability
The limitations and exclusions of liability in the Terms apply to this DPA and the EU SCCs in the aggregate, except where Applicable Privacy Law requires otherwise.
14. General
This DPA is part of the Terms. In a conflict between this DPA and the Terms, this DPA prevails as to the Processing of Personal Data. In a conflict between this DPA and the EU SCCs or UK IDTA, the SCCs / IDTA prevail.
15. Annex I — Description of Processing (SCCs Annex I)
A. List of Parties
Data exporter: the Customer, as identified in the Order, acting as Controller (or, where applicable, as Processor on behalf of a third-party Controller).
Data importer: Verdict Systems Inc., a Delaware corporation, Houston, Texas, USA, acting as Processor (or Sub-Processor). Contact: privacy@verdict.systems.
B. Description of the Transfer
Categories of data subjects: Customer's end users, employees, contractors, agents (human or autonomous), and any individuals identified in events the Customer submits to the Service.
Categories of Personal Data: identifiers (name, email, account ID), authentication and access metadata, technical identifiers (IP, user-agent), content of agent events, traces, prompts, and outputs the Customer chooses to submit.
Special categories: none expected by default; Customer must not submit special-category data unless configured for that use case under an Order.
Frequency: continuous.
Nature of the processing: hosting, hashing, signing, anchoring, storage, retrieval, search, telemetry.
Purpose: performance of the Service.
Retention: per Privacy Policy § 10.
C. Competent Supervisory Authority
The Irish Data Protection Commission, unless another supervisory authority is competent under Clause 13(a) of the EU SCCs.
16. Annex II — Security Measures
Aligned with the architecture at /security.
- Encryption in transit: TLS 1.3 minimum, modern cipher suites, HSTS with preload.
- Encryption at rest: AES-256, customer-data partitions.
- Key management: Ed25519 signing keys generated and stored in AWS CloudHSM (FIPS 140-2 Level 3); private key material does not leave the HSM. Quarterly rotation; retired keys are disabled for signing and retained only so that existing signatures can still be verified.
- Transparency log: only Merkle tree roots are anchored in Sigstore Rekor; no payload or Personal Data is written to the public log.
- Access control: role-based with least privilege; mandatory MFA on production; just-in-time elevation; access reviews quarterly.
- Network: production isolated; egress allow-list; default-deny on internal services.
- Monitoring: centralized log aggregation; anomaly detection; 24-month retention of security logs.
- Vulnerability management: dependency scanning on every commit; quarterly third-party penetration testing.
- Backups: encrypted, geographically separated, ≤ 35-day retention; restores tested semi-annually.
- Incident response: documented plan; on-call rotation; 72-hour external notification target on confirmed breach affecting Customer data.
- Personnel: background checks where lawful; mandatory annual security and privacy training; signed confidentiality agreements.
- Business continuity: multi-region failover; documented RTO and RPO targets per tier.
- Sub-processor management: contractual data-protection terms; annual review.
17. Annex III — Subprocessors
The list of current Subprocessors and their roles is published at /subprocessors. The list as of the Last-Updated date of this DPA is incorporated here by reference. Changes are governed by Section 6.
18. Execution
This DPA is automatically applicable when the Customer submits Personal Data through the Service. Where a counter-signed copy is required by Customer policy, email privacy@verdict.systems and we will counter-sign within five business days at no charge.
Verdict Systems Inc.
By: Authorized signatory
Title: Chief Executive Officer
Date: As of the date the Customer accepts the Terms or submits Personal Data, whichever is earlier.
Privacy matters: privacy@verdict.systems. All other legal matters: legal@verdict.systems.
Postal: Verdict Systems Inc. · Attn: Legal · Houston, Texas, USA