Data Processing Agreement

This Data Processing Agreement ("DPA") supplements and forms part of the Terms of Service (the "Agreement") between Preslav Mihaylov, a sole proprietor registered in Bulgaria, with a business address at Bulevard "Inzh. Ivan Ivanov" 100, Sofia, Bulgaria, operating as nairi.ai ("Provider", "we", "us") and the entity or person agreeing to these terms ("Customer", "you").

This DPA applies to the processing of Customer Personal Data by the Provider in connection with the provision of the Services under the Agreement.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined in this DPA have the meanings given in the Agreement.

• "Customer Personal Data" means any Personal Data processed by the Provider on behalf of the Customer in connection with the Services.
• "Data Protection Laws" means all applicable laws and regulations relating to data protection and privacy, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the GDPR as incorporated into UK law ("UK GDPR"), the California Consumer Privacy Act ("CCPA"), and any associated implementing legislation and regulations as amended from time to time.
• "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the GDPR.
• "Sub-Processor" means any third party engaged by the Provider to process Customer Personal Data on behalf of the Customer.
• "Standard Contractual Clauses" (or "SCCs") means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, as set out in Commission Implementing Decision (EU) 2021/914.

2. Roles and Scope

The parties acknowledge that in respect of Customer Personal Data, the Customer is the Controller and the Provider is the Processor processing Personal Data on behalf of the Customer.

The Provider shall process Customer Personal Data only for the purpose of providing the Services in accordance with the Agreement and any documented instructions from the Customer. The Provider shall not process Customer Personal Data for any other purpose unless required by applicable law, in which case the Provider shall notify the Customer of such requirement before processing (unless prohibited by law).

3. Customer Personal Data

The following categories of Personal Data and Data Subjects are processed under this DPA:

3.1 Categories of Data Subjects

• Customer personnel (employees, contractors, administrators)
• Customer's end users who interact with the Services

3.2 Types of Personal Data

• Names and email addresses (via OAuth authentication)
• User account identifiers and organisation membership
• Communication data (chat messages sent through Slack, Discord, or other connected channels)
• Technical data (IP addresses, browser type, device information)
• Repository access permissions and related metadata
• Any other Personal Data contained in content submitted by the Customer through the Services

3.3 Duration of Processing

Processing of Customer Personal Data shall continue for the duration of the Agreement. Upon termination or expiry of the Agreement, the Provider shall delete or return all Customer Personal Data in accordance with Section 10 of this DPA.

4. Obligations of the Provider

The Provider shall:

• Process Customer Personal Data only on documented instructions from the Customer, unless required by applicable law.
• Ensure that persons authorised to process Customer Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement and maintain appropriate technical and organisational measures to protect Customer Personal Data as described in Schedule 2.
• Comply with the conditions for engaging Sub-Processors as set out in Section 6.
• Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures in fulfilling the Customer's obligation to respond to Data Subject requests.
• Assist the Customer in ensuring compliance with its obligations under Data Protection Laws in respect of security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
• At the choice of the Customer, delete or return all Customer Personal Data upon termination of the Services and delete existing copies unless applicable law requires storage of the Personal Data.
• Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections as set out in Section 9.
• Immediately inform the Customer if, in the Provider's opinion, an instruction infringes Data Protection Laws.

5. Security Measures

The Provider shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing Customer Personal Data, including as appropriate:

• Encryption of Personal Data in transit (TLS/HTTPS for all communications)
• Encryption of Personal Data at rest (database-level encryption via managed database services)
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
• Dedicated server isolation for paid-tier Customers, ensuring agent workloads run on infrastructure not shared with other customers
• Container-level isolation of Customer environments with enforced resource limits
• Credential management through a secret injection proxy that prevents secrets from being stored in agent environments
• SSH key-based authentication with non-standard ports for infrastructure access
• Multi-tenant data isolation with organisation-level access controls at the database layer
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures

A more detailed description of the technical and organisational measures is set out in Schedule 2.

6. Sub-Processors

6.1 General Authorisation

The Customer provides a general authorisation to the Provider to engage Sub-Processors listed in Schedule 1 to process Customer Personal Data. The Provider shall ensure that any Sub-Processor it engages has entered into a binding written agreement that imposes data protection obligations substantially equivalent to those set out in this DPA.

6.2 Changes to Sub-Processors

The Provider shall notify the Customer at least 14 days in advance of any intended changes to the list of Sub-Processors, including the addition or replacement of Sub-Processors. The Customer may object to the appointment of a new Sub-Processor on reasonable grounds relating to data protection by notifying the Provider in writing within 14 days of receiving notice. If the Customer does not object within this period, the Customer is deemed to have accepted the new Sub-Processor.

If the Customer objects and the Provider cannot reasonably accommodate the objection, either party may terminate the affected Services by providing written notice.

6.3 Liability

The Provider shall remain fully liable to the Customer for the performance of any Sub-Processor's obligations under this DPA.

7. Data Subject Rights

The Provider shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction of processing, data portability, and the right to object.

If the Provider receives a request from a Data Subject in respect of Customer Personal Data, the Provider shall promptly notify the Customer and shall not respond to the request except on the Customer's documented instructions or as required by applicable law.

8. Personal Data Breach

The Provider shall notify the Customer without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include:

• A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records affected
• The name and contact details of the point of contact from whom further information can be obtained
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its effects

The Provider shall cooperate with the Customer and take reasonable steps as directed by the Customer to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

9. Audit Rights

The Provider shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or a third-party auditor mandated by the Customer.

Audits shall be conducted with reasonable advance notice (no less than 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Provider's operations. The Customer shall bear its own costs of any such audit unless the audit reveals a material breach of this DPA by the Provider.

10. Data Deletion or Return

Upon termination or expiry of the Agreement, the Provider shall, at the Customer's choice, delete or return all Customer Personal Data and delete existing copies within 30 days, unless applicable law requires continued storage. The Provider shall certify in writing that it has complied with this obligation upon the Customer's request.

This obligation extends to Customer Personal Data held by Sub-Processors. The Provider shall ensure that its Sub-Processors comply with equivalent deletion or return obligations.

11. International Data Transfers

The Provider shall not transfer Customer Personal Data outside the European Economic Area ("EEA") or the United Kingdom unless appropriate safeguards are in place as required by Data Protection Laws.

Where Customer Personal Data is transferred to a country that has not been deemed to provide an adequate level of data protection by the European Commission or UK authorities, the parties agree that the transfer shall be subject to the Standard Contractual Clauses (EU Commission Implementing Decision 2021/914), which are incorporated into this DPA by reference:

• For Controller-to-Processor transfers: Module 2 of the SCCs shall apply.
• The governing law of the SCCs shall be the law of the EU Member State in which the Customer is established, or, if the Customer is not established in an EU Member State, the laws of Ireland.
• The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs.

For transfers subject to UK GDPR, the International Data Transfer Addendum to the EU Standard Contractual Clauses (issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) shall apply.

12. Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not limit or affect either party's liability to Data Subjects or supervisory authorities under Data Protection Laws.

13. General

This DPA shall take effect on the date the Customer accepts the Agreement and shall remain in effect for the duration of the Provider's processing of Customer Personal Data. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Customer Personal Data.

This DPA shall be governed by the same governing law as the Agreement, unless otherwise required by Data Protection Laws.