1. Definitions
Unless defined below, capitalised terms have the meanings in the GDPR (Regulation (EU) 2016/679), the UK GDPR, or the LGPD (Lei Geral de Proteção de Dados) as applicable. Customer is the Controller; ARIAA is the Processor; Customer Personal Data is Personal Data submitted to the Platform by or on behalf of the Customer.
2. Subject matter and duration
ARIAA processes Customer Personal Data solely to provide the Platform under the Order Form. Processing duration matches the Order Form term plus the return-or-delete wind-down window defined in Section 9.
3. Nature and purpose of processing
Ingestion, indexing, analytical computation, forecasting, calibration recording, and delivery of outputs through authenticated APIs and dashboards. Operational telemetry (latency, error rate, queue depth) is collected in aggregated form to operate the Platform and meet SLAs.
4. Categories of data subjects and data
Data subjects and categories are those submitted by Customer. Typical categories include: public figures (politicians, executives) referenced in open-source signals; authorised Customer end-users (analysts and administrators) with business contact data; and any personal data incidental to the Customer's signal feed. ARIAA does not anticipate processing special-category personal data unless expressly described in the Order Form, in which case elevated safeguards apply.
5. Customer instructions
ARIAA processes Customer Personal Data only on documented instructions from the Customer, including with regard to transfers to third countries. The Order Form, these terms, and authenticated API calls constitute documented instructions. ARIAA will notify the Customer if, in its opinion, an instruction infringes applicable data-protection law.
6. Sub-processors
The Customer grants general authorisation to the sub-processors listed on the then-current sub-processor list (available on request from the address in Section 13). ARIAA will:
- Give at least 30 days' notice before engaging a new sub-processor;
- Flow down data-protection obligations at least as protective as this DPA;
- Remain liable for sub-processor acts and omissions.
If the Customer reasonably objects to a new sub-processor on data-protection grounds, the Customer may terminate the affected Platform services without penalty before the sub-processor is engaged.
7. Security (Art. 32)
ARIAA applies appropriate technical and organisational measures aligned with SOC 2 and ISO/IEC 27001. Measures include encryption in transit and at rest using modern algorithms, least-privilege access control integrated with the Customer's identity provider, end-to-end audit logging of changes to Customer Personal Data, network segmentation, hardened deployment baselines, and secure SDLC practices (code review, static analysis, dependency scanning). Specifics of the control implementation are shared with the Customer under NDA rather than disclosed publicly.
- Deployment modes that let the Customer keep data in-region, in-estate, or fully offline (SaaS, dedicated cloud, on-premises, air-gapped).
- Independent penetration testing on a regular cadence; remediation of high-severity findings before the engagement closes.
- SOC 2 Type II and ISO/IEC 27001 on the 2026 certification roadmap.
- Control-evidence package available under NDA for Customer review.
8. Personal data breach (Art. 33)
ARIAA will notify the Customer without undue delay, and in any event within 48 hours of becoming aware of a personal data breach affecting Customer Personal Data. Notification will include the categories and approximate number of data subjects, the likely consequences, and the measures taken or proposed. ARIAA will cooperate with the Customer's investigation and, where required, with regulator notifications.
9. Return or deletion
Within 30 days of termination, ARIAA will, at the Customer's option, return or delete Customer Personal Data and certify the deletion in writing, except to the extent applicable law requires retention. Backups are rotated out of the retention window within 90 days.
10. International transfers
If ARIAA transfers Customer Personal Data outside the EEA, UK, or Switzerland, the transfer is governed by the Standard Contractual Clauses (Module 2 or Module 3 as applicable), incorporated here by reference. For LGPD data, transfers rely on the mechanisms in art. 33 LGPD. For the UK, the UK International Data Transfer Addendum to the SCCs applies. The SCCs and their annexes are available on request.
11. Audits (Art. 28(3)(h))
ARIAA will make available to the Customer the information necessary to demonstrate compliance, including the latest SOC 2 / ISO/IEC 27001 report once available, penetration-test summaries, and a reasonable response to the Customer's security questionnaire. On reasonable notice and not more than once per year, and subject to confidentiality, the Customer may audit ARIAA's compliance through an independent, mutually agreed auditor; costs are borne by the Customer unless the audit reveals a material breach, in which case ARIAA bears the costs.
12. Data subjects' rights
ARIAA will, taking into account the nature of the processing, assist the Customer with appropriate technical and organisational measures to fulfil the Customer's obligation to respond to requests from data subjects exercising their rights. The Platform exposes standardised controller-to-processor APIs for access, export, rectification, and deletion against Customer-scoped data.
13. Contact
Data-protection contact: marko@intellimento.com. Security disclosures and incident reports: marko@intellimento.com.