Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the Terms of Use or other written or electronic agreement governing access to and use of the products, software, websites, platforms, and services provided by Artificial Brain Tech Inc. (“Artificial Brain”, “we”, “us”, or “our”) to the customer identified in the applicable agreement or order form (“Customer”).

This Addendum applies when Artificial Brain processes Customer Personal Data on behalf of Customer in connection with the Services. Customer enters into this Addendum on behalf of itself and, where applicable, its authorized affiliates that use the Services under the Agreement.

The terms below are added to the Agreement and are intended to help the parties meet their obligations under applicable privacy, security, and data protection laws.

Affiliate means an entity that controls, is controlled by, or is under common control with a party.

Customer Personal Data means Personal Data provided by Customer, made available by Customer, or collected by Artificial Brain on behalf of Customer and processed to provide the Services.

Data Protection Laws means privacy, security, and data protection laws applicable to the processing of Customer Personal Data, including, where applicable, GDPR, UK GDPR, Swiss data protection law, CCPA/CPRA, and similar laws.

EU Area means the European Economic Area, United Kingdom, and Switzerland.

Restricted Transfer means a transfer of Customer Personal Data from the EU Area to a country or recipient that requires a lawful transfer mechanism under applicable Data Protection Laws.

Security Incident means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Artificial Brain.

Services means the software, products, platforms, websites, support, and related services supplied by Artificial Brain under the Agreement.

Subprocessor means a third party engaged by Artificial Brain to process Customer Personal Data for the purpose of providing the Services.

Terms such as Controller, Processor, Business, Service Provider, Personal Data, Process, Data Subject, and Supervisory Authority have the meanings given to them under applicable Data Protection Laws.

For Customer Personal Data processed under this Addendum, Customer acts as the Controller or Business, and Artificial Brain acts as the Processor or Service Provider, unless Annex 1 states otherwise.

Customer is responsible for ensuring that it has provided all required notices, obtained all required consents, and has a lawful basis for making Customer Personal Data available to Artificial Brain.

Customer is responsible for communications with its affiliates, end users, data subjects, and regulators where required by applicable law, except where this Addendum expressly requires Artificial Brain to assist.

The subject matter, nature, purpose, categories of data subjects, categories of Customer Personal Data, and retention details are described in Annex 1.

Artificial Brain processes Customer Personal Data to provide, secure, maintain, support, analyze, and improve the Services, and to perform obligations under the Agreement and applicable order forms.

Customer and Artificial Brain may update Annex 1 by mutual written agreement where reasonably necessary to reflect changes to the Services or Data Protection Laws.

Customer shall comply with Data Protection Laws in connection with its use of the Services and its processing, collection, and transfer of Customer Personal Data to Artificial Brain. Customer shall not provide Artificial Brain with special categories of Personal Data unless expressly permitted under the Agreement or an applicable order form.

Artificial Brain shall process Customer Personal Data only on documented instructions from Customer, including the Agreement, this Addendum, applicable order forms, and Customer’s configuration and use of the Services.

Artificial Brain shall not sell Customer Personal Data, share Customer Personal Data for cross-context behavioral advertising, or process Customer Personal Data outside the business relationship with Customer, except as required or permitted by law or expressly authorized by Customer.

Artificial Brain may process Customer Personal Data as necessary to provide the Services, operate and maintain the Services, protect the Services and Customer Personal Data, comply with law, disclose aggregated or de-identified statistics, and perform other business purposes permitted by the Agreement and Data Protection Laws.

Artificial Brain shall ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations and receive appropriate privacy and security training.

Artificial Brain shall maintain commercially reasonable administrative, technical, and organizational measures designed to protect Customer Personal Data, including measures intended to support confidentiality, integrity, availability, resilience, restoration, and regular evaluation of security controls.

Artificial Brain shall inform Customer if it determines that it can no longer meet its obligations under applicable Data Protection Laws or if, in Artificial Brain’s opinion, an instruction from Customer infringes Data Protection Laws.

Customer authorizes Artificial Brain to engage Subprocessors to support delivery of the Services. Current Subprocessors are described in Annex 2 or otherwise made available by Artificial Brain.

Artificial Brain shall impose data protection obligations on each Subprocessor that are materially consistent with this Addendum and shall remain responsible for each Subprocessor’s processing of Customer Personal Data.

Artificial Brain will provide reasonable advance notice of material Subprocessor changes where required by Data Protection Laws. Customer may object on reasonable data protection grounds, and the parties will work in good faith to address the objection.

To the extent legally permitted, Artificial Brain will promptly notify Customer if it receives a request from a Data Subject, Supervisory Authority, court, or governmental authority relating to Customer Personal Data.

Artificial Brain will not respond to Data Subject requests on Customer’s behalf unless authorized by Customer or required by law. Taking into account the nature of the processing, Artificial Brain will provide reasonable assistance to Customer in responding to Data Subject requests.

Where legally permissible, Artificial Brain will notify Customer of binding legal requests for Customer Personal Data and will disclose only the minimum amount required by law.

Upon becoming aware of a Security Incident involving Customer Personal Data, Artificial Brain will notify Customer without undue delay and provide information reasonably available to help Customer meet its breach notification obligations.

Artificial Brain will take reasonable steps to investigate, mitigate, and remediate the Security Incident and will keep Customer reasonably informed of material developments.

Security Incidents do not include unsuccessful attempts or activities that do not compromise Customer Personal Data, such as unsuccessful login attempts, pings, port scans, denial-of-service attempts, or other network events that do not result in unauthorized access.

Notification of a Security Incident is not an admission of fault or liability by Artificial Brain.

Where a transfer of Customer Personal Data is a Restricted Transfer, the parties agree that the applicable transfer mechanism will apply, including the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism as required by Data Protection Laws.

For transfers from the EU Area where Customer is the exporter and Artificial Brain is the importer, the parties intend that Module Two of the EU Standard Contractual Clauses applies for controller-to-processor transfers, unless another module is required by the parties’ roles.

Artificial Brain will implement supplementary measures where required to protect transferred Customer Personal Data to the standard required by Data Protection Laws.

Where Artificial Brain uses AI or machine learning technologies to provide the Services, such processing will be limited to the purposes described in the Agreement, this Addendum, and applicable order forms.

Artificial Brain shall maintain records reasonably necessary to demonstrate compliance with this Addendum.

Upon reasonable written request, Artificial Brain will provide information reasonably necessary to demonstrate compliance with this Addendum and will allow for audits where required by Data Protection Laws, provided that Customer gives reasonable prior notice, conducts the audit during normal business hours, and avoids unnecessary disruption to Artificial Brain’s operations.

The parties agree that documentation, security summaries, certifications, assessment responses, or similar materials should be used first where they reasonably demonstrate compliance.