Data Processing Agreement

This Data Processing Agreement (DPA) forms part of the Terms of Service and governs the processing of personal data by E-ARI on behalf of its users.

Last updated: April 20, 2026 · Version 1.0

1. Scope & Applicability

This Data Processing Agreement ("DPA") applies to the processing of personal data by E-ARI ("Processor," "we," "us") on behalf of the user or organization ("Controller," "you") in connection with your use of the E-ARI platform. This DPA is incorporated into and forms part of the Terms of Service. By using the Service, you agree to the terms of this DPA.

This DPA is designed to comply with the requirements of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. Where these laws impose different or additional requirements, the stricter standard applies. For Enterprise customers with custom DPA requirements, the terms of the executed Enterprise Agreement shall prevail to the extent of any conflict.

2. Definitions

The following definitions apply throughout this DPA:

  • "Personal Data": Any information relating to an identified or identifiable natural person that is processed by E-ARI in the course of providing the Service. This includes user account information and assessment responses that may contain personal identifiers.
  • "Processing": Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Controller": The user or organization that determines the purposes and means of the processing of Personal Data. When you create an account and submit assessment data, you act as the Controller.
  • "Processor": E-ARI, which processes Personal Data on behalf of the Controller in the course of providing the Service.
  • "Sub-Processor": Any third party engaged by E-ARI to process Personal Data on behalf of the Controller as part of the Service delivery.
  • "Data Subject": An identified or identifiable natural person whose Personal Data is processed.
  • "Data Protection Laws": The GDPR, CCPA, and any other applicable data protection or privacy laws in the jurisdiction(s) where the Controller operates.

3. Roles of the Parties

You (the user or organization) are the Controller of the Personal Data submitted to and generated by the Service. You determine the purposes for which Personal Data is processed, including why you are conducting AI readiness assessments and how you use the results.

E-ARI acts as the Processor, processing Personal Data only on your instructions and for the purposes described in the Terms of Service and this DPA. We do not process your Personal Data for our own purposes beyond what is necessary to provide the Service, maintain platform security, and comply with legal obligations. Specifically, we do not use your assessment data or AI-generated outputs for marketing, advertising, or product training purposes.

In certain limited circumstances, E-ARI may act as a Controller in its own right with respect to certain categories of data, such as operational metadata (server logs, performance metrics) and aggregate anonymized statistics used for benchmarking. In such cases, the processing is governed by our Privacy Policy rather than this DPA.

4. Categories of Data Processed

The following categories of Personal Data are processed by E-ARI in the course of providing the Service:

4.1 Data Provided by the Controller

  • Identity data: Full name, job title, and professional contact information of the account holder and designated team members.
  • Contact data: Email address, phone number (if provided), and mailing address (Enterprise customers only).
  • Organization data: Organization name, size, sector, geographic region, and information about current AI initiatives that may include references to identifiable individuals.
  • Assessment responses: Answers to the 8-pillar questionnaire, including selected options, free-text elaborations, and notes. These responses may contain personal opinions, organizational details, or references to identifiable colleagues.

4.2 Data Generated by Processing

  • Scoring outputs: Pillar scores (0-100), overall readiness scores, maturity band classifications, and weighted adjustments produced by the deterministic Scoring Agent (Methodology v5.3).
  • AI-generated narratives: Strategic insights, gap analyses, competitive positioning assessments, learning path recommendations, and Q&A responses produced by the Insight, Discovery, Literacy, and Assistant agents using large language models.
  • Reports: PDF documents compiled by the Report Agent containing executive summaries, benchmark comparisons, roadmaps, and strategic recommendations.
  • Benchmark comparisons: Sector-specific comparisons derived from our curated benchmark dataset covering eight industry sectors.

4.3 Sensitive Data

E-ARI is not designed to collect or process special categories of personal data as defined by the GDPR (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). If you inadvertently include such data in your assessment responses, please notify us immediately at dpo@e-ari.com so we can take appropriate measures. We recommend that you do not include personally identifiable information about specific individuals in your assessment responses.

5. Processor Obligations

E-ARI commits to the following obligations as Processor of your Personal Data:

  • Instruction-based processing: We process Personal Data only on your documented instructions, as set out in the Terms of Service, this DPA, and any subsequent written instructions you provide through the platform's administrative features or by email to dpo@e-ari.com. We will not process Personal Data for any purpose incompatible with the purposes set out in this DPA.
  • Confidentiality: All personnel authorized to process Personal Data have committed themselves to confidentiality obligations, either through employment contracts or specific NDAs. Access to Personal Data is restricted to personnel who need it to perform their duties.
  • Security measures: We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7 of this DPA.
  • Sub-processor engagement: We engage Sub-Processors only with prior authorization, as described in Section 6, and impose the same data protection obligations on them as are imposed on us under this DPA.
  • Data subject rights assistance: We assist you in responding to requests from Data Subjects exercising their rights, as described in Section 9.
  • Deletion and return: Upon termination of the Service, we will delete or return all Personal Data in accordance with Section 12, unless retention is required by applicable law.
  • Audit support: We make available to you all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections as described in Section 10.

6. Sub-Processors

E-ARI engages the following categories of Sub-Processors to process Personal Data in the course of providing the Service. By accepting this DPA, you authorize the use of these Sub-Processors:

6.1 Current Sub-Processors

The table below lists each Sub-Processor, its purpose, and its processing location:

  • OpenAI. Purpose: LLM processing for the Insight, Discovery, Literacy, and Assistant agents. Location: United States.
  • Cloud Infrastructure Provider. Purpose: Application hosting, database storage, file storage, and CDN. Location: United States / EU.
  • Payment Processor. Purpose: Billing and payment processing for Professional and Enterprise subscriptions. Location: United States.
  • Email Service Provider. Purpose: Transactional emails, assessment notifications, and support communications. Location: United States.

6.2 Sub-Processor Changes

We will notify you of any addition or replacement of Sub-Processors by updating this page and sending an email notification to the address associated with your account at least 30 days before the change takes effect. You may object to a new Sub-Processor by notifying us at dpo@e-ari.com within 30 days of receiving the notification. If you object and we cannot provide an alternative, you may terminate the affected portion of the Service without penalty.

6.3 LLM Processing Specifics

When assessment data is sent to OpenAI for processing by the Insight, Discovery, Literacy, and Assistant agents, the data is transmitted over encrypted connections (TLS 1.3) and processed under OpenAI's enterprise API agreement. Under this agreement, OpenAI does not use API data to train or improve their models. Prompts and completions are retained by OpenAI for a maximum of 30 days solely for abuse monitoring, after which they are permanently deleted. The Scoring Agent and Report Agent do not send data to OpenAI or any LLM provider.

7. Security Measures

E-ARI implements the following technical and organizational measures to protect Personal Data:

7.1 Technical Measures

  • Encryption in transit: All data transmitted between your browser and our servers, and between our services and Sub-Processors, is encrypted using TLS 1.3.
  • Encryption at rest: All data stored in our databases and file storage systems is encrypted using AES-256. Database backups are encrypted and stored in geographically separate locations.
  • Key management: Encryption keys are managed through a dedicated key management service with regular rotation schedules (at least every 90 days) and strict access controls.
  • Network security: Our infrastructure is protected by firewalls, intrusion detection systems, and network segmentation. Direct database access from the public internet is not permitted.
  • Application security: We perform regular vulnerability assessments, penetration testing, and security code reviews. Our development pipeline includes automated security scanning (SAST/DAST).
  • Password security: User passwords are stored using bcrypt hashing with adaptive work factors. We never store passwords in plaintext or using reversible encryption.

7.2 Organizational Measures

  • Access control: Role-based access control (RBAC) with the principle of least privilege. Production access requires multi-factor authentication and is logged for audit purposes.
  • Personnel training: All personnel with access to Personal Data receive data protection training upon hire and annually thereafter. Training covers GDPR requirements, security best practices, and incident response procedures.
  • Data minimization: We apply data minimization principles throughout the platform. Assessment data is only processed by the agents necessary for the requested output. LLM prompts include only the data required for the specific agent function.
  • Separation of concerns: Development, staging, and production environments are strictly separated. Production data is never used in development or testing environments.
  • Vendor management: All Sub-Processors are assessed for data protection compliance before engagement and reviewed annually. Sub-Processor agreements include data protection clauses equivalent to those in this DPA.

7.3 Enterprise Security

Enterprise customers may request additional security measures including: Single Sign-On (SSO) with SAML 2.0 integration, IP allowlisting, custom session timeout policies, and enhanced audit logging. These features are available on the Enterprise plan and can be configured by your organization's administrator.

8. Data Breach Notification

In the event of a Personal Data breach (as defined by the GDPR), E-ARI will:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of Data Subjects.
  • Provide the following information: The nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects.
  • Cooperate with the Controller in investigating the breach and taking remedial action, including assisting with any required notifications to supervisory authorities or Data Subjects.
  • Document all breaches, including the facts of the breach, its effects, and the remedial action taken, and make this documentation available to supervisory authorities upon request.

Notifications will be sent to the email address associated with your account and, for Enterprise customers, to the designated security contact specified in your Enterprise Agreement. We will also make reasonable efforts to notify affected Data Subjects directly if the breach is likely to result in a high risk to their rights and freedoms, unless prohibited by law.

9. Data Subject Rights Support

E-ARI assists you in fulfilling your obligations to respond to Data Subject requests to exercise their rights under Data Protection Laws. Specifically:

  • Access requests: We provide tools in the platform dashboard for users to access and export their personal data, including assessment responses, scores, and AI-generated content. For bulk or complex access requests, contact dpo@e-ari.com.
  • Rectification requests: Users can update their account information and retake assessments with corrected data directly from the platform. If rectification requires changes to previously generated AI outputs, the assessment can be reprocessed through the agent pipeline.
  • Erasure requests: Users can request account deletion from their dashboard or by emailing dpo@e-ari.com. We will delete Personal Data within 30 days of receiving a valid erasure request, except where retention is required by law.
  • Portability requests: Users can export their data in machine-readable formats (JSON, PDF) from the platform dashboard. This includes assessment responses, scores, and generated reports.
  • Objection and restriction: Users can object to or request restriction of processing by contacting dpo@e-ari.com. We will cease the relevant processing unless we have compelling legitimate grounds that override the user's interests.

If you receive a request from a Data Subject that requires our assistance, please forward the request to dpo@e-ari.com and we will respond within 15 business days. We will not respond directly to Data Subjects without your authorization, except where required by law.

10. Audits & Compliance

E-ARI makes available to you all information reasonably necessary to demonstrate our compliance with this DPA. We maintain the following certifications and compliance standards:

  • SOC 2 Type II: Our infrastructure providers maintain SOC 2 Type II certifications, and we are working toward our own SOC 2 Type II certification for the E-ARI platform.
  • ISO 27001: Our cloud infrastructure providers are ISO 27001 certified. We follow ISO 27001 information security management practices internally.
  • GDPR compliance: We comply with the GDPR as a Processor and have appointed a Data Protection Officer (DPO) who can be reached at dpo@e-ari.com.
  • Regular assessments: We conduct annual security assessments and penetration testing by independent third parties. Summary reports are available to Enterprise customers upon request under NDA.

Enterprise customers may conduct or commission audits of our data processing practices, subject to reasonable advance notice (at least 30 days) and execution of a mutually acceptable NDA. Audits must be conducted during normal business hours and in a manner that does not disrupt the Service or compromise the security of other customers' data. We will cooperate with any such audit and provide reasonable access to relevant facilities, systems, and records.

11. International Data Transfers

Personal Data may be transferred to and processed in countries other than the country in which it was originally collected. We ensure that all international transfers are subject to appropriate safeguards:

  • Standard Contractual Clauses (SCCs): For transfers from the EEA, UK, or Switzerland to countries that do not have an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (as approved and amended from time to time). These clauses are incorporated into our agreements with Sub-Processors by reference.
  • Adequacy decisions: Where the European Commission has issued an adequacy decision for a specific country, transfers may proceed without additional safeguards.
  • Transfer Impact Assessments: We conduct Transfer Impact Assessments for Sub-Processors located in countries without adequacy decisions, evaluating the legal framework of the destination country and the effectiveness of the safeguards in place.
  • OpenAI data residency: OpenAI processes API data in the United States. We rely on Standard Contractual Clauses for this transfer and OpenAI's enterprise API data handling commitments, which include not using API data for model training and deleting data after 30 days.

We will inform you of any changes to the transfer mechanisms we rely on and will obtain your consent before adopting alternative mechanisms where required by applicable law. For Enterprise customers with specific data residency requirements, we can discuss options for data processing within the EEA.

12. Data Retention & Deletion

E-ARI retains Personal Data for the duration of your account plus the periods specified below:

  • Active accounts: All Personal Data is retained for as long as your account is active and you are using the Service. Assessment data remains accessible through your dashboard throughout the account lifetime.
  • Post-termination: After account termination, Personal Data is retained for 90 days to allow for account reactivation and data export. After the 90-day period, all Personal Data is permanently deleted from our production systems within 30 additional days.
  • Backup systems: Personal Data in backup systems is deleted within 180 days of account termination through our regular backup rotation cycle.
  • Legal holds: Where retention is required by applicable law (e.g., financial records), Personal Data is retained for the legally mandated period and deleted promptly upon expiration.
  • Anonymized data: Data that has been properly anonymized (such that re-identification is not reasonably possible) may be retained indefinitely for benchmarking and research purposes. Anonymized data is not subject to this DPA.

You may request early deletion of your Personal Data at any time by contacting dpo@e-ari.com or using the account deletion feature in your dashboard. Upon confirmation, we will initiate deletion within 30 days and confirm completion via email.

13. Liability & Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service (Section 8). Nothing in this DPA limits either party's liability to the extent that such limitation would be unlawful under the GDPR or other applicable Data Protection Laws.

E-ARI shall indemnify the Controller against claims, actions, third-party claims, losses, damages, and expenses incurred by the Controller arising out of or in connection with E-ARI's breach of this DPA or any applicable Data Protection Laws, provided that the Controller promptly notifies E-ARI in writing of the claim, gives E-ARI sole control of the defense and settlement, and provides reasonable cooperation.

The Controller shall indemnify E-ARI against claims arising from: (a) the Controller's instructions to E-ARI that result in a violation of Data Protection Laws; (b) the Controller's failure to comply with its obligations as a Controller under Data Protection Laws; or (c) the content of the Personal Data provided by the Controller, including any unlawful or infringing content.

14. Contact & DPA Requests

For questions about this DPA, to exercise Data Subject rights, or to request a signed copy of this agreement, please contact us:

  • Data Protection Officer: dpo@e-ari.com
  • Privacy Team: privacy@e-ari.com
  • Legal Team: legal@e-ari.com
  • Security Team: security@e-ari.com

Enterprise customers who require a signed, customized DPA with specific data processing terms, data residency requirements, or additional security schedules should contact their account manager or email legal@e-ari.com. We will negotiate and execute a custom DPA within 30 days of receiving a written request.

For EU/EEA residents: If you believe that our processing of your Personal Data violates the GDPR, you have the right to lodge a complaint with your local supervisory authority. We are committed to resolving any concerns and encourage you to contact us before filing a formal complaint.

Need a Custom DPA?

Enterprise customers with specific compliance requirements can request a customized Data Processing Agreement. Our legal team will work with you to address your organization's data protection needs.