Team Clarity, Inc. DBA Iron Gorilla Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Terms of Service, Order Form, statement of work, or other written agreement between Team Clarity, Inc. DBA Iron Gorilla (“Team Clarity,” “Iron Gorilla,” “we,” “us,” or “our”) and the customer identified in the applicable agreement (“Customer,” “you,” or “your”) that governs Customer’s use of the Services (the “Agreement”).
This DPA applies when Team Clarity processes Customer Personal Data on behalf of Customer in connection with the Services. Capitalized terms not defined in this DPA have the meanings given in the Agreement.
1. Definitions
“Applicable Data Protection Laws” means privacy, data protection, and data security laws that apply to the processing of Customer Personal Data under this DPA, including where applicable the GDPR, UK GDPR, Swiss Federal Act on Data Protection, California Consumer Privacy Act as amended by the California Privacy Rights Act, and other U.S. state privacy laws.
“Customer Personal Data” means Personal Data contained in Customer Data that Team Clarity processes on behalf of Customer as a Processor, service provider, contractor, or equivalent role under Applicable Data Protection Laws.
“GDPR” means Regulation (EU) 2016/679, including any applicable implementing or supplementary laws.
“Personal Data,” “Personal Information,” “Controller,” “Processor,” “Business,” “Service Provider,” “Contractor,” “Consumer,” “Sell,” and “Share” have the meanings given to them under Applicable Data Protection Laws.
“Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Team Clarity. Security Incident does not include unsuccessful attempts, pings, scans, denial-of-service attempts, or similar events that do not compromise Customer Personal Data.
“SCCs” means the European Commission Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914, as amended or replaced.
“Subprocessor” means any third party engaged by Team Clarity to process Customer Personal Data on Team Clarity’s behalf in connection with the Services.
“Restricted Transfer” means a transfer of Customer Personal Data from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with data transfer restrictions to a country that is not subject to an adequacy decision or otherwise recognized under Applicable Data Protection Laws as providing an adequate level of protection.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under the UK GDPR, as amended or replaced.
2. Scope and Order of Precedence
This DPA applies only to Team Clarity’s processing of Customer Personal Data on behalf of Customer. Team Clarity’s processing of account, billing, website, sales, marketing, security, telemetry, compliance, and business operations information for its own purposes is governed by Team Clarity’s Privacy Policy and not by this DPA, except to the extent Applicable Data Protection Laws require otherwise.
If there is a conflict between this DPA and the Agreement regarding Customer Personal Data, this DPA controls. If there is a conflict between this DPA and the SCCs or UK Addendum, the SCCs or UK Addendum control for the relevant Restricted Transfer. If there is a conflict between this DPA and an Order Form that expressly modifies this DPA, the Order Form controls for that Customer only.
This DPA is effective for so long as Team Clarity processes Customer Personal Data on behalf of Customer.
3. Roles of the Parties
For Customer Personal Data, Customer is the Controller, Business, or equivalent role, and Team Clarity is the Processor, Service Provider, Contractor, or equivalent role. If Customer is acting as a Processor on behalf of another Controller, Customer appoints Team Clarity as a Subprocessor, and Customer represents that it has authority to do so.
Customer determines the purposes and means of processing Customer Personal Data, including what data is submitted, which users are authorized, which integrations are connected, which agents and workflows are configured, which models are used, and which outputs or actions are relied upon.
Team Clarity processes Customer Personal Data to provide, operate, maintain, secure, support, troubleshoot, improve, and enforce the Services as described in the Agreement, this DPA, Customer’s configurations, Customer’s documented instructions, and applicable law.
4. Customer Instructions
Customer instructs Team Clarity to process Customer Personal Data as necessary to provide the Services and as otherwise described in the Agreement, this DPA, applicable Order Forms, Customer’s account settings, Customer’s integrations, Customer’s workflows, Customer’s agents, Customer’s policies, and Customer’s use of the Services.
Customer’s instructions include authorization for Team Clarity to access, host, store, transmit, proxy, route, transform, inspect, log, analyze, secure, troubleshoot, support, delete, disclose, and otherwise process Customer Personal Data as necessary to provide the Services.
Team Clarity may refuse or suspend any instruction that Team Clarity reasonably believes violates Applicable Data Protection Laws, the Agreement, third-party rights, platform security, or the rights and freedoms of individuals. Team Clarity will inform Customer if Team Clarity believes an instruction infringes Applicable Data Protection Laws, unless prohibited by law.
5. Customer Responsibilities
Customer is responsible for complying with Applicable Data Protection Laws in connection with its use of the Services. Customer is responsible for providing notices, obtaining consents, establishing lawful bases, responding to data subject requests, honoring opt-out choices, maintaining records of processing where required, and ensuring that Customer has the right to submit Customer Personal Data to the Services.
Customer is responsible for the accuracy, quality, legality, and configuration of Customer Personal Data, connected systems, credentials, tokens, API keys, prompts, outputs, agents, workflows, policies, permissions, approval flows, and authorized users.
Customer may not submit, process, store, transmit, or expose protected health information, payment card data, cardholder data, CUI, FCI, export-controlled data, classified information, children’s data, biometric data, genetic data, precise geolocation data, or other highly regulated or sensitive data through the Services unless expressly authorized in a signed Order Form, business associate agreement, security addendum, or other written agreement with Team Clarity.
6. Team Clarity Processor Obligations
Team Clarity will process Customer Personal Data only on documented instructions from Customer, including the instructions described in this DPA, unless required by law. If Team Clarity is required by law to process Customer Personal Data other than on Customer’s instructions, Team Clarity will inform Customer before processing unless legally prohibited from doing so.
Team Clarity will ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations or an appropriate statutory duty of confidentiality.
Team Clarity will implement and maintain technical and organizational measures designed to protect Customer Personal Data, as further described in Annex B.
Team Clarity will not use Customer Personal Data to train or fine-tune third-party foundation models. Team Clarity may use aggregated, anonymized, or de-identified data as described in the Agreement and Privacy Policy, provided such data does not reasonably identify Customer or any individual.
Team Clarity may process Customer Personal Data as necessary to comply with law, enforce the Agreement, prevent fraud or abuse, maintain security, investigate incidents, protect the Services, or protect Team Clarity, Customer, users, individuals, or the public.
7. Security Measures
Taking into account the nature of the processing and information available to Team Clarity, Team Clarity will maintain technical and organizational measures designed to protect Customer Personal Data against unauthorized access, disclosure, alteration, loss, or destruction.
The measures in Annex B are intended to provide a level of security appropriate to the risk. Team Clarity may update its security measures from time to time, provided that updates do not materially reduce the overall protection of Customer Personal Data during the applicable subscription term.
Customer is responsible for securely configuring the Services, managing user access, protecting credentials, restricting integrations, setting permissions, defining policies, managing connected systems, and maintaining appropriate internal controls.
8. Subprocessors
Customer grants Team Clarity general written authorization to engage Subprocessors to process Customer Personal Data. Team Clarity will impose data protection obligations on Subprocessors that are designed to provide substantially similar protection for Customer Personal Data as this DPA, taking into account the nature of the services provided by the Subprocessor.
Team Clarity’s current Subprocessor categories and providers are listed in Annex C and may also be described in Team Clarity’s Privacy Policy, subprocessor list, security documentation, or other customer-facing documentation. Not every Subprocessor processes Customer Personal Data for every Customer or every use case.
Team Clarity may add or replace Subprocessors. Team Clarity will provide notice of material Subprocessor changes by updating its subprocessor list, Privacy Policy, customer portal, in-product notice, email notice, or other commercially reasonable means. Customer may object to a new Subprocessor within fifteen (15) days after notice on reasonable data protection grounds. If the parties cannot resolve the objection, Team Clarity may suspend or terminate the affected Services. Customer’s sole remedy for an unresolved Subprocessor objection is termination of the affected Services, subject to the payment, credit, refund, and termination terms of the Agreement.
Team Clarity remains responsible for its Subprocessors’ processing of Customer Personal Data to the extent required by Applicable Data Protection Laws and this DPA.
9. AI Model Providers and Connected Systems
Customer authorizes Team Clarity to transmit Customer Personal Data, prompts, outputs, metadata, model calls, tool calls, and related information to supported AI model providers as necessary to provide the Services. Current supported AI model providers include OpenAI API, Anthropic API, and Grok API.
Where an AI model provider processes Customer Personal Data on behalf of Team Clarity to provide the Services, that provider is treated as a Subprocessor. Where Customer connects or directs transmission to a third-party system, integration, model, or recipient that is not engaged by Team Clarity as a Subprocessor, that third party is a Customer-authorized recipient and not Team Clarity’s Subprocessor.
Customer is responsible for determining whether connected systems, integrations, agents, workflows, outputs, and automated actions are appropriate and lawful for Customer’s use case.
10. Data Subject Requests
Taking into account the nature of the processing, Team Clarity will provide reasonable assistance to Customer, through appropriate technical and organizational measures and to the extent possible, to help Customer respond to requests from individuals exercising rights under Applicable Data Protection Laws.
If Team Clarity receives a request from an individual relating to Customer Personal Data, Team Clarity may direct the individual to Customer and will not respond on Customer’s behalf unless required by law or authorized by Customer. Customer is responsible for responding to data subject requests concerning Customer Personal Data.
11. Security Incidents
Team Clarity will notify Customer without undue delay after Team Clarity confirms a Security Incident involving Customer Personal Data. Notice may be provided by email, in-product notice, customer portal, or other reasonable means.
Team Clarity’s notice will include information reasonably available to Team Clarity, such as the nature of the Security Incident, categories of affected Customer Personal Data, likely consequences, measures taken or proposed, and contact information for follow-up, to the extent known and legally permitted.
Team Clarity will take reasonable steps to contain, investigate, and remediate the Security Incident. Customer is responsible for determining whether to notify individuals, regulators, customers, or other third parties, except to the extent Team Clarity is independently required by law to do so. Team Clarity’s notification of a Security Incident is not an admission of fault or liability.
12. Assistance with Compliance
Taking into account the nature of processing and information available to Team Clarity, Team Clarity will provide reasonable assistance to Customer with Customer’s obligations concerning security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities, to the extent required by Applicable Data Protection Laws and applicable to Team Clarity’s processing of Customer Personal Data.
Customer is responsible for determining whether its use of the Services requires a data protection impact assessment, transfer impact assessment, prior consultation, privacy notice update, consent, opt-out mechanism, or other compliance measure.
13. Audits and Information Rights
Team Clarity will make available information reasonably necessary to demonstrate compliance with this DPA, which may include security documentation, compliance summaries, audit reports, certifications, questionnaires, policies, or other materials made available by Team Clarity.
To the extent required by Applicable Data Protection Laws, Customer may request an audit of Team Clarity’s processing of Customer Personal Data. Any audit must be limited to information relevant to Customer, occur no more than once per year unless required by law or following a confirmed Security Incident, be conducted during normal business hours, be subject to reasonable confidentiality and security requirements, and avoid disruption to Team Clarity’s business or other customers.
Team Clarity may satisfy audit requests by providing third-party audit reports or other documentation. Customer may not access systems, data, code, facilities, or information belonging to Team Clarity’s other customers or information that would compromise Team Clarity’s security, confidentiality, trade secrets, or legal obligations. Customer is responsible for its audit costs, and Team Clarity may charge reasonable fees for support of audits outside ordinary customer support.
14. Return and Deletion
Upon termination or expiration of the Services, Customer may request export of Customer Personal Data subject to the Agreement, plan limits, technical availability, and applicable law. After termination, Team Clarity may disable Customer access to Customer Personal Data.
Unless an Order Form states otherwise, Team Clarity will delete Customer Personal Data from active production systems within ninety (90) days after termination where technically feasible and legally required. Customer Personal Data may remain in backups, logs, archives, legal holds, billing records, security records, abuse-prevention records, audit records, and other retention systems until applicable retention periods expire.
Team Clarity may retain Customer Personal Data where required or permitted by law, including for legal compliance, dispute resolution, security, fraud prevention, auditability, backup integrity, and enforcement of the Agreement.
15. International Transfers
Customer authorizes Team Clarity and its Subprocessors to process Customer Personal Data in the United States, European Union, Asia-Pacific, and other jurisdictions where Team Clarity, its Subprocessors, supported model providers, or Customer-authorized integrations operate, subject to the Agreement, Order Form, and applicable transfer safeguards.
If Customer Personal Data is transferred from the European Economic Area, United Kingdom, Switzerland, or another jurisdiction with data transfer restrictions to a country that does not provide an adequate level of protection, the parties will rely on an appropriate transfer mechanism to the extent required by Applicable Data Protection Laws.
For Restricted Transfers from the EEA, the SCCs are incorporated into this DPA and apply as follows: Module Two applies where Customer is a Controller and Team Clarity is a Processor; Module Three applies where Customer is a Processor and Team Clarity is a Subprocessor. Annexes A, B, C, and D of this DPA provide the information required by the SCCs. The optional docking clause does not apply unless the parties agree otherwise in writing.
For Restricted Transfers from the United Kingdom, the UK Addendum is incorporated into this DPA and applies to the SCCs as modified for UK law. For Restricted Transfers from Switzerland, the SCCs apply with modifications required by Swiss data protection law, including references to the Swiss Federal Act on Data Protection and the Swiss Federal Data Protection and Information Commissioner where applicable.
If Team Clarity is certified under the EU-U.S. Data Privacy Framework, UK Extension, or Swiss-U.S. Data Privacy Framework, such certification may also serve as an applicable transfer mechanism to the extent legally valid and applicable to the relevant transfer.
16. U.S. State Privacy Laws
For Customer Personal Data subject to U.S. state privacy laws, Team Clarity will process Customer Personal Data as a Service Provider, Contractor, Processor, or equivalent role, as applicable. Team Clarity will not Sell or Share Customer Personal Data, retain, use, or disclose Customer Personal Data outside the business relationship with Customer, or process Customer Personal Data for a purpose other than the business purposes described in the Agreement and this DPA, except as permitted by Applicable Data Protection Laws.
Team Clarity may process Customer Personal Data for permitted business purposes, including providing the Services, security, fraud prevention, debugging, analytics, quality assurance, service improvement, compliance, and other purposes permitted for service providers, contractors, or processors under Applicable Data Protection Laws.
Team Clarity will not combine Customer Personal Data with personal information received from other sources except as permitted by Applicable Data Protection Laws, including to provide, secure, debug, improve, or protect the Services, or as otherwise permitted for service providers, contractors, or processors.
Team Clarity certifies that it understands and will comply with the restrictions in this Section 16. Customer has the right to take reasonable and appropriate steps to help ensure Team Clarity processes Customer Personal Data in a manner consistent with Customer’s obligations under applicable U.S. state privacy laws, as described in the audit and information rights section of this DPA.
17. Legal Requests
If Team Clarity receives a subpoena, court order, law enforcement request, regulator request, national security request, or other legal request for Customer Personal Data, Team Clarity may disclose Customer Personal Data to the extent required or permitted by law. Where legally permitted and practical, Team Clarity may notify Customer or direct the requesting party to Customer, but Team Clarity does not guarantee notice.
18. Customer-Managed and Private Deployments
For on-premise, private, dedicated, or customer-managed deployments, the allocation of security, infrastructure, hosting, control-plane, logging, telemetry, update, and support responsibilities is governed by the applicable Order Form. Customer is responsible for the security and legality of any Customer-managed environment, network, system, credential, integration, and deployment component not operated by Team Clarity.
Customer acknowledges that private or customer-managed deployments may depend on Team Clarity’s shared control plane for licensing, telemetry, billing, updates, policy services, security monitoring, model proxying, feature enablement, support, and service operation, unless expressly stated otherwise in an Order Form.
19. Liability
The liability, indemnity, warranty, disclaimer, exclusion, and remedy provisions of the Agreement apply to this DPA. Nothing in this DPA increases Team Clarity’s liability beyond the limits set out in the Agreement unless expressly stated in a signed Order Form.
20. Changes to this DPA
Team Clarity may update this DPA from time to time. Updated versions will be effective as described in the Agreement or as otherwise required by applicable law. For Customers under an active Order Form, the version of this DPA in effect as of the Order Form’s effective date controls for the then-current subscription term unless the Order Form states otherwise.
Annex A. Processing Details
Subject Matter. Team Clarity’s processing of Customer Personal Data to provide, operate, maintain, secure, support, troubleshoot, improve, and enforce Iron Gorilla and related Services.
Duration. The term of the Agreement and any period during which Team Clarity processes Customer Personal Data in accordance with the Agreement, this DPA, backup cycles, legal obligations, security obligations, or retention requirements.
Nature and Purpose of Processing. Hosting, storage, transmission, proxying, routing, transformation, inspection, logging, analysis, monitoring, reporting, governance, policy enforcement, DLP processing, model call processing, agent runtime operation, workflow execution, integration processing, authentication, authorization, billing support, security, incident investigation, troubleshooting, support, analytics, abuse prevention, compliance, and service improvement.
Frequency. Continuous or as initiated by Customer, Customer’s users, Customer’s agents, Customer’s workflows, Customer’s connected systems, or the Services.
Categories of Data Subjects. Customer’s authorized users, administrators, employees, contractors, service providers, customers, end users, prospects, business contacts, support contacts, individuals represented in Customer Data, individuals associated with connected systems, and other individuals whose Personal Data is submitted to or processed through the Services by Customer.
Categories of Personal Data. Names, business contact information, account identifiers, usernames, authentication data, organization and role information, IP addresses, device and browser information, account settings, permissions, prompts, outputs, files, messages, tickets, code snippets, business records, CRM records, ERP records, HRIS records, cloud resource data, repository data, productivity data, logs, traces, policy decisions, model calls, tool calls, integration activity, workflow configuration, agent configuration, metadata, API keys, OAuth tokens, credentials, security events, audit events, and other data submitted to or processed through the Services by Customer.
Sensitive Data. Customer may not submit highly regulated or sensitive data unless expressly authorized in writing. Where authorized, categories may include special categories of Personal Data or other sensitive information described in the applicable Order Form, DPA, security addendum, or other written agreement. The Services may process credentials, API keys, OAuth tokens, security logs, and payment-related metadata as necessary to provide and secure the Services.
Retention. Retention is governed by the Agreement, applicable Order Form, Customer configuration, this DPA, the Privacy Policy, backup cycles, legal obligations, and security requirements. In the absence of a specified period, Customer Personal Data is generally deleted from active production systems within ninety (90) days after termination, subject to backups, logs, archives, legal holds, billing records, security records, and other retention systems.
Locations of Processing. United States, European Union, Asia-Pacific, and other jurisdictions where Team Clarity, its Subprocessors, supported model providers, or Customer-authorized integrations operate, subject to applicable transfer safeguards.
Annex B. Technical and Organizational Measures
Team Clarity maintains technical and organizational measures designed to protect Customer Personal Data. Measures may vary by plan, deployment model, feature, region, Order Form, and Customer configuration.
Access Controls. Role-based access controls, account authentication, administrative controls, least-privilege practices, access review processes, and logical separation of customer environments or data where applicable.
Encryption. Encryption in transit using industry-standard protocols where supported, and encryption at rest for applicable production storage systems where supported by the relevant infrastructure or service provider.
Network and Infrastructure Security. Use of reputable cloud and infrastructure providers, network segmentation or isolation where appropriate, firewalls or equivalent controls, DDoS and traffic protection where available, and monitoring of relevant infrastructure events.
Application Security. Secure development practices, code review or equivalent review processes, vulnerability management, dependency monitoring, testing, change management, and controlled deployment processes appropriate to the maturity and nature of the Services.
Logging and Monitoring. Logging, telemetry, audit events, security monitoring, operational monitoring, alerting, and investigation processes designed to detect, investigate, and respond to security, reliability, abuse, and performance issues.
Credential and Secret Protection. Controls designed to protect API keys, OAuth tokens, credentials, and secrets processed by the Services, including access restrictions and operational safeguards.
Incident Response. Processes for identifying, investigating, escalating, mitigating, and documenting suspected security incidents, including customer notification procedures where required.
Availability and Backup. Backup, recovery, redundancy, and resilience measures appropriate to the applicable Service, deployment model, plan, and Order Form.
Personnel and Confidentiality. Confidentiality obligations for personnel with access to Customer Personal Data and access limited to personnel with a business need.
Subprocessor Management. Assessment and contractual controls for Subprocessors designed to require appropriate confidentiality, security, and data protection obligations.
Customer Configuration. Customer is responsible for enabling, configuring, and maintaining available security features, including user permissions, authentication settings, policies, approvals, integrations, logs, agents, workflows, and connected-system permissions.
Annex C. Subprocessors
The following providers or provider categories may process Customer Personal Data depending on the Services used, Customer configuration, support needs, billing relationship, region, deployment model, and connected systems. Not every provider processes Customer Personal Data for every Customer.
Amazon Web Services. Application hosting.
Microsoft 365. Business productivity and internal operations.
Cloudflare. Edge hosting and customer support.
Sentry. Logging and monitoring.
Stripe. Payment processing.
Resend. Email delivery.
Twilio. SMS and phone verification.
OpenAI API. LLM processing.
Anthropic API. LLM processing.
Grok API. LLM processing.
Customer-Authorized Integrations. Third-party systems, applications, APIs, model providers, cloud services, productivity systems, repositories, CRM, ERP, HRIS, ticketing, communications, or other systems connected or authorized by Customer. These are Customer-authorized recipients and are not Team Clarity Subprocessors unless Team Clarity separately engages them to provide the Services.
Other Service Providers. Vendors that support hosting, compute, storage, security, monitoring, support, analytics, communications, billing, compliance, and operations, as updated from time to time in accordance with this DPA.
Annex D. SCC and Transfer Details
Data Exporter. Customer, as identified in the applicable Agreement or Order Form. Customer’s contact details are those associated with Customer’s account or Order Form.
Data Importer. Team Clarity, Inc. DBA Iron Gorilla, 1111B S Governors Ave #41605, Dover, Delaware 19904, United States. Contact: legal@teamclarity.ai.
EU/UK Representative and Contact Address. Jacob Hartmann, EU/UK Representative under GDPR Article 27 and UK GDPR – Team Clarity / Iron Gorilla, Sos. Morarilor 2 B, Et. 3, Cam. 11, Cod 022452, Bucharest, Romania. Contact: legal@teamclarity.ai.
Modules. SCC Module Two applies where Customer is a Controller and Team Clarity is a Processor. SCC Module Three applies where Customer is a Processor and Team Clarity is a Subprocessor.
Description of Transfer. The categories of data subjects, categories of Personal Data, sensitive data, frequency, nature, purpose, duration, and retention are described in Annex A.
Subprocessors. Subprocessor information is described in Annex C. Customer grants general authorization for Subprocessors as described in Section 8.
Technical and Organizational Measures. The technical and organizational measures are described in Annex B.
Competent Supervisory Authority. The competent supervisory authority will be determined in accordance with Clause 13 of the SCCs. Where no supervisory authority is otherwise determined, the Irish Data Protection Commission will be the competent supervisory authority for SCC purposes.
Governing Law for SCCs. For SCC Clause 17, the SCCs are governed by the laws of Ireland, unless the SCCs require another EU Member State law or the parties agree otherwise in an Order Form.
Jurisdiction for SCCs. For SCC Clause 18, the parties submit to the courts of Ireland, unless the SCCs require another jurisdiction or the parties agree otherwise in an Order Form.
UK Addendum. For Restricted Transfers from the United Kingdom, the UK Addendum is deemed completed using the information in this DPA, the Agreement, and the applicable Order Form. The SCCs are modified as required by the UK Addendum.
Swiss Transfers. For Restricted Transfers from Switzerland, references in the SCCs to the GDPR will include the Swiss Federal Act on Data Protection as applicable, references to EU supervisory authorities will include the Swiss Federal Data Protection and Information Commissioner where applicable, and references to the EU or Member States will include Switzerland where required.
Optional Signature Page
This DPA is incorporated into the Agreement and does not require separate signature unless the parties choose to sign it or an Order Form requires signature.
Team Clarity, Inc. DBA Iron Gorilla
By: ________________________________
Name: ______________________________
Title: _______________________________
Date: _______________________________
Customer
By: ________________________________
Name: ______________________________
Title: _______________________________
Date: _______________________________