Data Processing Addendum

This Data Processing Addendum (the “DPA”) supplements the Terms of Service between you (the “Customer”, acting as data controller) and UgenticAI, Inc. (the “Provider”, acting as data processor), and applies when Customer uses the CloneOS Service to process personal data relating to its own end users or other individuals (collectively, “Customer Personal Data”).

This DPA is offered to all paid customers and is automatically in force on acceptance of the Terms. For consumers using CloneOS for personal purposes, the Privacy Policy describes the relationship and this DPA does not apply. Where Customer is acting as a joint controller with Provider for specific feature areas, the parties will execute a separate joint-controller agreement.

Where there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Customer Personal Data.

Capitalized terms used but not defined here have the meaning given in the Terms of Service. The following definitions apply:

• Applicable Data Protection Law means GDPR (EU Regulation 2016/679), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act and California Privacy Rights Act (collectively “CCPA”), and other equivalent laws.
• Data Subject means an identified or identifiable natural person whose Personal Data is processed under this DPA.
• Personal Data means any information relating to a Data Subject as defined under Applicable Data Protection Law.
• Processing has the meaning given in GDPR Article 4(2).
• Sub-processor means a third party engaged by Provider to process Customer Personal Data.
• SCCs means the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914.

Customer is the controller of Customer Personal Data; Provider is the processor. Provider will only process Customer Personal Data on Customer’s documented instructions, including (a) those set out in the Terms and this DPA, (b) the Customer’s configuration of the Service, and (c) any other written instructions Customer provides through normal use of the Service.

Provider will inform Customer if, in its opinion, an instruction violates Applicable Data Protection Law, and may decline to perform that instruction. Provider will not process Customer Personal Data for its own purposes outside the scope of providing the Service.

Provider will process Customer Personal Data for the duration of the Customer’s subscription and for the limited post- termination period specified in Section 11 (Return and Deletion). The nature and purpose of the processing is to deliver the CloneOS features Customer subscribes to, including authentication, AI content generation, voice and image cloning, knowledge-base retrieval, community and messaging, live sessions, billing, analytics in aggregate, and customer support.

Provider ensures that personnel authorized to process Customer Personal Data are subject to written confidentiality obligations or under appropriate statutory obligations of confidentiality. Access is limited to those personnel with a documented need to know.

Provider has implemented and will maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

• Encryption of Customer Personal Data in transit using TLS 1.2 or higher.
• Encryption of Customer Personal Data at rest using AES-256.
• Role-based access control with the principle of least privilege, mandatory multi-factor authentication for personnel, and quarterly access reviews.
• Audit logging of administrative actions on Customer Personal Data, retained for 24 months.
• Regular vulnerability scanning, dependency monitoring, and patching of identified vulnerabilities within commercially reasonable timelines based on severity.
• Network segmentation, secret management via environment-scoped stores, and signed deployments.
• Documented incident response runbook and on-call rotation.
• Background checks on personnel where lawful.
• Annual security awareness training for personnel.

Provider is pursuing SOC 2 Type II certification. Until certified, Provider will provide its security questionnaire and most recent internal assessment to Customer on request, subject to a reasonable confidentiality agreement.

Customer authorizes Provider to engage the sub-processors listed in Annex 2. Provider will (a) impose contractual obligations on each sub-processor that are at least as protective as those in this DPA, (b) remain liable for any sub-processor’s acts and omissions to the same extent Provider would be if performing the services itself, and (c) maintain an up-to-date list at this URL.

Provider will give Customer at least 30 days’ advance notice of new sub-processors via email to the Customer billing contact and a notice on the Legal Center. Customer may object to a new sub-processor on reasonable grounds within that 30-day window. If the parties cannot reach a workable solution, Customer may terminate the affected portion of the Service for cause and receive a pro-rated refund of pre-paid fees for the remainder of the term.

Provider will, taking into account the nature of the processing, provide Customer with reasonable assistance to enable Customer to respond to Data Subject requests under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection, opting-out of sale, automated decision-making, and similar). Where a Data Subject contacts Provider directly, Provider will redirect them to Customer or to Customer’s designated contact, unless legally prohibited from doing so.

The Service includes self-service tools (Settings → Export & delete; Privacy & data) so Data Subjects can exercise their rights without Customer or Provider intervention.

Provider will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Customer Personal Data. The notice will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach. Provider will keep Customer informed of material developments and will reasonably assist Customer in meeting its own breach-notification obligations to supervisory authorities and Data Subjects.

On reasonable advance written notice and not more than once per 12-month period (except in connection with a personal data breach or a regulatory request), Customer may audit Provider’s compliance with this DPA. The default and preferred audit method is Provider’s most recent SOC 2 Type II report (when available) plus the security questionnaire. Where Customer has a documented and reasonable need for an on-site audit, the parties will agree on scope, timing, and confidentiality; Customer is responsible for the costs of any on-site audit.

Where Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country not deemed adequate by the European Commission or the UK government, the parties enter into the SCCs as follows:

• Module Two (Controller to Processor) applies where Customer is the controller and Provider is the processor.
• Module Three (Processor to Sub-processor) applies between Provider and its sub-processors.
• For UK transfers, the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office is incorporated.
• For Swiss transfers, references to the GDPR are deemed to include the Swiss FADP.

Annex 1 below incorporates the SCC Annexes (subject matter, transfer details, competent supervisory authority, and security measures).

On termination of the Service, Provider will, at Customer’s choice, return or delete Customer Personal Data in its possession within 60 days, except where retention is required by law (e.g., tax records). Customer may export data through the in-product export tools at any time prior to termination. Backups containing Customer Personal Data are deleted on the standard backup rotation cycle (no later than 90 days after the termination date).

Subject matter: processing of Customer Personal Data necessary to provide the CloneOS Service.

Duration: for the term of the Customer’s subscription plus the post-termination period in Section 11.

Nature and purpose: hosting, transmission, storage, AI inference, training of voice and image clones, knowledge-base indexing and retrieval, community and messaging, live-session ingest and replay, billing, analytics in aggregate, and support.

Categories of Data Subjects: Customer’s end users, members, employees, contractors, and contacts.

Categories of Personal Data: name, email, handle, profile data, voice samples, photos, knowledge-base documents, generated AI content, community posts and messages, live-session attendance, IP address and device info, billing data (handled by Stripe).

Special categories: none unless Customer chooses to upload them as part of training or KB content. Customer is responsible for obtaining any required heightened consent.

Frequency of transfer: continuous, on use.

Competent supervisory authority: the supervisory authority of the EU member state in which Customer is established.

Technical and organizational measures: as described in Section 6 above.

• Supabase, Inc. — primary database, auth, object storage. United States.
• Vercel, Inc. — application hosting, edge runtime, request logs. United States.
• Stripe, Inc. — payments and subscription billing. United States and EU.
• ElevenLabs, Inc. — voice cloning and text-to-speech inference. United States.
• Replicate, Inc. — image generation and LoRA training. United States.
• Mux, Inc. — live streaming and replay storage. United States and global delivery.
• Resend, Inc. — transactional email delivery. United States.
• DeepSeek (Hangzhou DeepSeek Artificial Intelligence Co.). — large language model inference for chat features. People’s Republic of China and approved API regions; data sent is limited to the prompt and is not used for training under our enterprise contract.
• OpenAI, L.L.C. — embeddings for semantic search. United States.
• Functional Software, Inc. d/b/a Sentry. — application error monitoring. United States.

Customer can request the most current list at any time. Material changes are notified per Section 7 (Sub-processors).

This DPA is effective as of the date Customer accepts the Terms of Service and remains in effect until the Service is terminated and the post-termination return/deletion obligations are fulfilled. The governing law and dispute resolution rules in the Terms of Service apply equally to this DPA, except where Applicable Data Protection Law mandates a different forum.

If a court of competent jurisdiction or a supervisory authority finds any provision invalid, the parties will work in good faith to replace it with an enforceable provision that achieves the original intent. Provider may update this DPA to reflect changes required by law or the addition of approved sub-processors; material changes are notified per Section 7.