aisecurity.llc — legal document
Data Processing Addendum (Lite)
Controller/processor allocation, security controls, and subprocessing terms for customer data handling.
Purpose and Scope
1.1 This Data Processing Addendum ("Addendum") supplements [MASTER_AGREEMENT_NAME] (the "Master Agreement") and governs aisecurity.llc's ("Processor") processing of personal data on behalf of [CONTROLLER_LEGAL_NAME] ("Controller") in connection with the services described in the Master Agreement.
1.2 The parties intend this Addendum to satisfy applicable data protection requirements, including where required by the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act (CCPA), and comparable data protection laws.
1.3 This Addendum is incorporated into and forms part of the Master Agreement. In the event of conflict between this Addendum and the Master Agreement on data protection matters, this Addendum controls.
1.4 This Addendum applies only to Personal Data that Controller provides to Processor under the Master Agreement. It does not apply to Processor's processing of its own customer data or data collected independently.
Definitions
2.1 "Controller" means [CONTROLLER_LEGAL_NAME] as the party that determines the purposes and means of Personal Data processing.
2.2 "Processor" means aisecurity.llc as the party that processes Personal Data on behalf of and under the documented instructions of Controller.
2.3 "Personal Data" means any information relating to an identified or identifiable natural person that Controller provides to Processor under the Master Agreement.
2.4 "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, or erasure.
2.5 "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed under this Addendum. For the avoidance of doubt, a Security Incident includes events that are suspected but not yet confirmed.
2.6 "Subprocessor" means any third party engaged by Processor to carry out Processing of Personal Data on Controller's behalf.
2.7 "Applicable Data Protection Law" means the data protection and privacy laws applicable to the Processing, which may include the GDPR, UK GDPR, CCPA, and comparable statutes.
Processing Details
3.1 The subject matter, nature, purpose, and categories of Personal Data processed under this Addendum are as follows:
Subject matter: [SUBJECT_MATTER_OF_PROCESSING]
Nature and purpose: [NATURE_AND_PURPOSE_OF_PROCESSING]
Categories of data subjects: [CATEGORIES_OF_DATA_SUBJECTS]
Categories of personal data: [CATEGORIES_OF_PERSONAL_DATA]
Special categories (if applicable): [SPECIAL_CATEGORIES_IF_ANY]
Retention period: [RETENTION_PERIOD]
3.2 This Addendum does not govern Processor's processing of publicly available job descriptions, public hiring signals, or aggregate benchmark data that does not constitute Personal Data under Applicable Data Protection Law.
Controller Instructions
4.1 Processor will process Personal Data only on Controller's documented instructions, which are set out in this Addendum, the Master Agreement, and any subsequent written instructions provided by Controller during the engagement.
4.2 Processor will promptly notify Controller if it reasonably believes an instruction violates Applicable Data Protection Law, unless prohibited by law from doing so.
4.3 Processor will not process Personal Data for any purpose beyond Controller's documented instructions, except to the extent required by applicable law, in which case Processor will notify Controller before processing (unless prohibited by law).
Processor Obligations
5.1 Processor will:
- process Personal Data only as documented in Controller's instructions;
- ensure that persons authorized to process Personal Data are committed to confidentiality or subject to statutory confidentiality obligations;
- implement and maintain the technical and organizational security measures in Section 6;
- engage Subprocessors only in accordance with Section 8;
- assist Controller with data subject rights requests in accordance with Section 9;
- notify Controller of Security Incidents in accordance with Section 10;
- assist Controller with data protection impact assessments in accordance with Section 11;
- return or delete Personal Data in accordance with Section 12; and
- make available information reasonably necessary to demonstrate compliance with this Addendum and cooperate with Controller's audit rights in Section 13.
Technical and Organizational Security Measures
6.1 Processor will implement and maintain security measures appropriate to the nature, scope, context, and purposes of Processing and the risks posed to data subjects, including:
- encryption of Personal Data in transit using TLS 1.2 or higher;
- encryption of Personal Data at rest using AES-256 or equivalent;
- access controls limiting Personal Data access to authorized personnel only, based on need-to-know;
- logical and physical separation of Controller Personal Data from Processor's own data and other clients' data;
- audit logging of access to and Processing of Personal Data;
- vulnerability management, patch management, and security monitoring for systems that process Personal Data;
- background verification practices for personnel with regular access to Personal Data; and
- documented incident detection, classification, response, and notification procedures.
6.2 Processor's security measures will evolve with applicable technology standards and industry practice. Processor will maintain measures that provide at least equivalent protection to those described in Section 6.1.
6.3 Processor does not warrant that its security measures will prevent all unauthorized access, disclosure, or loss. Controller acknowledges that no system is completely secure.
Confidentiality of Processing
7.1 Processor will ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality commitments, whether by contract or statutory obligation.
7.2 Processor will restrict access to Personal Data to personnel who require access to perform Processor's obligations under the Master Agreement.
Subprocessors
8.1 Controller grants general authorization for Processor to engage Subprocessors to carry out specific Processing activities on Controller's behalf, subject to the requirements of this Section.
8.2 Processor will maintain a current list of Subprocessors, which is available at [SUBPROCESSOR_LIST_URL] or will be provided upon request.
8.3 Processor will notify Controller of any intended addition, replacement, or removal of a Subprocessor at least [SUBPROCESSOR_NOTICE_DAYS] days before the change takes effect, by email or by updating the Subprocessor list.
8.4 Controller may object to a new or replacement Subprocessor by providing written notice within [SUBPROCESSOR_OBJECTION_DAYS] days of notification, stating legitimate grounds related to data protection. If the parties cannot agree on an alternative, Controller may terminate the affected services on written notice.
8.5 Processor will impose on each Subprocessor data protection obligations that are substantively equivalent to those in this Addendum and will remain fully responsible to Controller for the performance of those obligations by each Subprocessor.
Data Subject Rights
9.1 Processor will provide Controller with reasonable technical and organizational assistance to help Controller respond to data subject requests for access, rectification, erasure, restriction, portability, or objection under Applicable Data Protection Law.
9.2 Processor will forward data subject requests received directly by Processor to Controller without undue delay, and in any event within [DATA_SUBJECT_REQUEST_FORWARD_DAYS] business days of receipt.
9.3 Controller remains responsible for all determinations about how to respond to data subject requests. Processor's assistance is limited to what is technically feasible within Processor's systems.
9.4 If Processor is legally prohibited from notifying Controller of a data subject request, Processor will inform the relevant authority and refer the data subject to Controller.
Security Incident Notification
10.1 Processor will notify Controller of a Security Incident without undue delay, and in any event within [INCIDENT_NOTIFICATION_HOURS] hours of Processor becoming aware of the incident, regardless of whether the incident is confirmed or still under investigation.
10.2 Processor's initial notification will include, to the extent then available:
- a description of the nature and likely cause of the Security Incident;
- the categories and approximate number of data subjects and Personal Data records affected;
- the name and contact details of Processor's data protection contact;
- the likely consequences of the Security Incident for data subjects; and
- the measures taken or proposed to address the Security Incident and mitigate its effects.
10.3 Where not all information is available at the time of initial notification, Processor may provide information in phases and will supplement its notice as additional information becomes available.
10.4 Notification to Controller does not constitute an acknowledgment of fault, causation, liability, or negligence on the part of Processor.
10.5 Controller is responsible for determining whether a Security Incident requires notification to a supervisory authority or affected data subjects under Applicable Data Protection Law. Processor will reasonably cooperate with Controller's notification obligations.
Data Protection Impact Assessments
11.1 To the extent required by Applicable Data Protection Law, Processor will provide reasonable assistance to Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities relating to Processor's Processing of Personal Data under this Addendum.
11.2 Processor's assistance will be proportional to the nature and scope of its Processing activities and limited to information within Processor's knowledge and control.
Return and Deletion
12.1 Upon expiry or termination of the Master Agreement, or upon Controller's written request, Processor will, at Controller's election:
- return all Personal Data to Controller in a commonly used and machine-readable format; or
- securely delete or destroy all Personal Data, including copies held by Subprocessors.
12.2 Processor will complete return or deletion within [DELETION_COMPLETION_DAYS] days of written request and certify completion in writing.
12.3 Processor may retain Personal Data beyond the deletion deadline to the extent required by Applicable Data Protection Law, applicable regulatory obligation, legal hold, or dispute resolution requirement. Processor will notify Controller of any such retention and will continue to apply the protections in this Addendum to any retained Personal Data until it is deleted.
Audit Rights
13.1 Processor will make available to Controller, upon reasonable written request, information reasonably necessary to demonstrate compliance with this Addendum.
13.2 Controller may, no more than once per calendar year and with [AUDIT_NOTICE_DAYS] days' prior written notice, conduct or commission a third-party audit of Processor's data protection practices, limited to matters within the scope of this Addendum.
13.3 Audits must be conducted during normal business hours, with minimum disruption to Processor's operations. Auditors must execute a confidentiality agreement acceptable to Processor before receiving access.
13.4 Where an industry-standard certification (such as ISO 27001 or SOC 2 Type II) or a qualified independent assessment covers the relevant controls, Processor may satisfy audit requests by providing the applicable report in lieu of an on-site audit.
13.5 Controller will bear audit costs and expenses unless the audit reveals a material breach of this Addendum by Processor, in which case Processor will bear the reasonable costs of that audit.
International Transfers
14.1 Processor will not transfer Personal Data to a country or territory outside the European Economic Area, the United Kingdom, or a jurisdiction recognized by the relevant supervisory authority as providing adequate protection, without:
- Controller's prior written authorization; and
- implementation of an appropriate transfer mechanism under Applicable Data Protection Law, such as Standard Contractual Clauses (SCCs) adopted or approved by the European Commission or UK Information Commissioner's Office, or binding corporate rules.
14.2 The parties will execute any required transfer mechanisms upon request, and Processor will update such mechanisms if required by changes in applicable law.
14.3 Where Processor uses SCCs or equivalent mechanisms, Processor will comply with all obligations imposed on data importers by those mechanisms.
Liability
15.1 Liability of each party for breaches of this Addendum is governed by the Master Agreement's limitation of liability provisions, to the extent permitted by Applicable Data Protection Law.
15.2 Where Applicable Data Protection Law allocates liability between controller and processor based on fault, each party will bear liability for the portion of harm, loss, or regulatory fine attributable to its own breach of its respective obligations.
Term and Survival
16.1 This Addendum is effective from the Effective Date and continues for as long as Processor processes Personal Data under the Master Agreement.
16.2 The following obligations survive termination of this Addendum: confidentiality; Section 10 (Security Incident Notification) for incidents discovered after termination relating to data processed during the term; Section 12 (Return and Deletion) until complete; Section 13 (Audit Rights) for the period permitted by applicable law; and Section 14 (International Transfers) for any retained Personal Data.
Signature Blocks
Controller: [CONTROLLER_LEGAL_NAME]
Signature: _______________________________
Date: _______________________________
Name: [CONTROLLER_AUTHORIZED_SIGNATORY_NAME]
Title: [CONTROLLER_AUTHORIZED_SIGNATORY_TITLE]
Processor: aisecurity.llc
Signature: _______________________________
Date: _______________________________
Name: David Wolf
Title: Principal