Data Processing Addendum
Last updated: May 2026
Version: v2026.05.1
1. Introduction and Incorporation
This Data Processing Addendum ("DPA") is entered into between ByteSlice, LLC, a Delaware limited liability company ("Company," "we," "us," or "our"), and the customer entity identified in the applicable account or order form ("Customer"). This DPA is incorporated into and forms part of the Terms of Service available at swirls.ai/terms-of-service ("Agreement"). In the event of a conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to the subject matter hereof.
This DPA applies to the extent that the Company processes Personal Data on behalf of the Customer in connection with providing the Swirls platform ("Service"). It is intended to satisfy the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws.
2. Definitions
For the purposes of this DPA, the following terms have the meanings set out below. Terms not otherwise defined herein have the meanings given to them in the Agreement or in applicable data protection law.
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- "Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data and privacy, including without limitation the GDPR, UK GDPR, CCPA/CPRA, and any implementing legislation or successor legislation thereto.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Company on behalf of the Customer in connection with the Service.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Processing" (and "process," "processed," and "processes") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
- "Subprocessor" means any Processor engaged by the Company who processes Personal Data in connection with providing the Service.
- "Standard Contractual Clauses" or "SCCs" means the standard data protection clauses adopted by the European Commission pursuant to Article 46(2) of the GDPR, as updated or replaced from time to time.
3. Roles of the Parties
The Customer is the Controller of Personal Data that Customer inputs into, or causes to be processed through, the Service. The Company is the Processor of such Personal Data, processing it only on behalf of and at the direction of the Customer as described in this DPA.
Where the Company processes Personal Data for its own purposes (such as account management, billing, and security), it does so as an independent Controller, and such processing is governed by the Company's Privacy Policy at swirls.ai/privacy-policy, not by this DPA.
4. Details of Processing
The following describes the subject matter, duration, nature, purpose, type of Personal Data, and categories of Data Subjects for the processing activities covered by this DPA.
Subject matter
The processing of Personal Data submitted by or on behalf of the Customer through the use of the Service, including workflow execution data, inputs passed to workflow nodes, and data received through Customer-configured webhooks, forms, APIs, and integrations.
Duration
The Company will process Personal Data for the duration of the Agreement, or until earlier termination of the Agreement or Customer's account. Upon termination, the Company will delete Personal Data as described in Section 12 (Deletion and Return of Personal Data) of this DPA.
Nature and purpose of processing
The Company processes Personal Data to provide the Service to the Customer, including executing agentic AI workflows, storing workflow state, routing data between workflow nodes (including Customer-configured LLM and third-party provider nodes), and providing human-in-the-loop review functionality. The Company does not use Customer Personal Data for any purpose outside the scope of providing the Service.
Types of Personal Data
The type of Personal Data processed depends on what the Customer and Data Subjects submit through the Service. This may include, without limitation: names, email addresses, contact information, identification information, professional information, and any other Personal Data that the Customer chooses to include in workflow inputs, prompts, or data payloads. The Company does not control or limit the categories of Personal Data that Customer submits.
Categories of Data Subjects
Data Subjects may include the Customer's employees, contractors, customers, end users, prospects, or any other individuals whose Personal Data the Customer submits to or processes through the Service.
5. Company Obligations as Processor
The Company shall, with respect to Personal Data processed under this DPA:
- Process Personal Data only on documented instructions from the Customer, as set forth in this DPA and the Agreement, unless required to do so by applicable law. If applicable law requires processing beyond Customer's instructions, the Company will inform the Customer of that legal requirement before processing, unless prohibited by law.
- Not process Personal Data for any purpose other than as necessary to provide the Service, as described in Section 4 of this DPA.
- Not sell Personal Data, share Personal Data for cross-context behavioral advertising, or use Personal Data to train machine learning models.
- Implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure, as described in Section 8 of this DPA.
- Assist the Customer in complying with its obligations under applicable Data Protection Law, to the extent reasonably practicable given the nature of the processing and the information available to the Company.
- Notify the Customer without undue delay after becoming aware of a Personal Data Breach, as described in Section 10 of this DPA.
- Provide the Customer with reasonable assistance in conducting data protection impact assessments and, where required by applicable law, prior consultations with supervisory authorities, to the extent such assistance relates to the Company's processing activities under this DPA.
- Delete or return Personal Data upon termination of the Agreement, as described in Section 12 (Deletion and Return of Personal Data) of this DPA.
- Make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and cooperate with Customer audits as described in Section 14 of this DPA.
6. Customer Instructions
The Customer's documented instructions to the Company are set out in this DPA and the Agreement. Customer may issue additional written instructions from time to time, provided such instructions are consistent with the terms of this DPA and the Agreement. The Company shall promptly inform Customer if it believes that any instruction infringes applicable Data Protection Law.
By configuring workflow definitions, connecting third-party integrations, and submitting data to the Service, the Customer issues instructions to the Company to process Personal Data for the purpose of executing those workflows. The Customer is responsible for ensuring that its instructions are lawful and that it has a valid legal basis for processing under applicable Data Protection Law.
7. Confidentiality of Personnel
The Company shall ensure that its personnel authorized to process Personal Data under this DPA are subject to appropriate confidentiality obligations, whether contractual, statutory, or professional in nature, with respect to the Personal Data they process. The Company shall limit access to Personal Data to those personnel who require such access for the purposes described in this DPA.
8. Security Measures
The Company implements and maintains appropriate technical and organizational security measures to protect Personal Data, including the following:
- AES-256-GCM encryption at rest with per-node encryption contexts, ensuring that data encrypted by one node cannot be decrypted by another.
- HKDF-SHA512 key derivation with no persistent storage of derived key material. Keys are derived on demand and discarded after use.
- HMAC-SHA256 cryptographically chained authorization tokens enforcing least-privilege access across workspace, deployment, execution, node, and tool levels.
- SHA-512 tamper-evident audit trails on append-only, immutable storage.
- Encryption of secrets at rest with per-node scoping, preventing cross-node secret access.
- Access controls and authentication mechanisms designed to prevent unauthorized access to Personal Data.
A detailed description of the Company's security posture, subprocessor list, and compliance objectives (including a SOC 2 target for 2027) is available at swirls.ai/security.
The Company shall assess whether the security measures described above are appropriate in light of the risks presented by the relevant processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of Data Subjects.
For self-hosted deployments, the Customer is responsible for the security of the infrastructure on which the Service is deployed, including encryption at rest, key management, access controls, network security, and audit log integrity. The security measures described in this Section apply to the Company's cloud-hosted Service. The Customer's self-hosted environment is within Customer's sole control and responsibility.
9. Subprocessors
The Customer provides general authorization for the Company to engage Subprocessors in connection with the Service, subject to the requirements of this Section.
The Customer configures which LLM and third-party AI providers are used within the Customer's workflow definitions. When a workflow executes a node that calls a Customer-configured provider, Personal Data included in that node's input is transmitted to that provider. The Company does not send Customer Personal Data to any LLM or AI provider beyond the providers the Customer specifies in its workflow definitions. The Customer's selection and configuration of such providers constitutes Customer's instruction to the Company to transmit the relevant data and Customer's authorization for each such provider to act as a Subprocessor for the purposes of that workflow node. The Customer is responsible for reviewing and accepting the terms and privacy practices of any provider it configures.
For infrastructure and operational Subprocessors engaged by the Company (such as cloud hosting, monitoring, and support tooling), a current list is available at swirls.ai/security or upon request by contacting [email protected].
The Company will provide at least thirty (30) days' prior written notice to the Customer before adding a new operational Subprocessor that will process Personal Data ("Subprocessor Notice"). Such notice will be provided by email to the address associated with the Customer's account, or through a notice posted on the Service or on the Security page. The Customer may object to the appointment of a new Subprocessor by notifying the Company in writing within thirty (30) days of receipt of the Subprocessor Notice. If the parties cannot resolve such an objection in good faith within thirty (30) days of the Company's receipt of the objection, either party may terminate the Agreement on written notice.
The Company shall impose data protection obligations on each Subprocessor that are no less protective than those imposed on the Company under this DPA, and shall remain liable to the Customer for the performance of each Subprocessor's obligations to the extent the Company is responsible under this DPA.
10. Personal Data Breach Notification
The Company will notify the Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. This notification timeline is consistent with the Company's security incident response policy as described at swirls.ai/security.
Breach notification will be made to the email address associated with the Customer's account, or through such other contact method as the parties may agree. Each notification will include, to the extent then known and available:
- A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned, and the categories and approximate number of records concerned.
- The name and contact details of a point of contact at the Company from whom further information can be obtained.
- A description of the likely consequences of the Personal Data Breach.
- A description of the measures taken or proposed to be taken by the Company to address the Personal Data Breach, including where appropriate measures to mitigate its possible adverse effects.
Where the above information cannot be provided simultaneously, the Company will provide it in phases without undue further delay.
The Company's notification of or response to a Personal Data Breach does not constitute an acknowledgment of fault or liability. The Customer is responsible for determining whether it is required to notify a supervisory authority or Data Subjects, and for making any such notifications, based on the information provided by the Company and the Customer's own assessment of its obligations under applicable Data Protection Law.
11. Data Subject Rights
The Company shall, taking into account the nature of the processing and the information available to it, provide reasonable assistance to the Customer in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Law, including rights of access, rectification, erasure, portability, restriction of processing, and objection.
If the Company receives a request from a Data Subject that relates to Personal Data processed under this DPA, the Company will promptly forward that request to the Customer and will not respond to the Data Subject directly, except as required by applicable law or as directed by the Customer.
The Customer is the primary point of contact for Data Subjects and is responsible for responding to data subject requests within the timelines required by applicable Data Protection Law.
12. Deletion and Return of Personal Data
Upon termination or expiration of the Agreement, or upon written request by the Customer at any time, the Company shall, at the Customer's election: (a) return a complete copy of all Personal Data processed under this DPA to the Customer; or (b) delete all Personal Data processed under this DPA and certify in writing to the Customer that such deletion has been completed.
The Company will complete deletion of Personal Data, including encrypted workflow data and derived key material, within thirty (30) days of the effective date of termination. This retention schedule is consistent with the data retention practices described in the Company's Privacy Policy at swirls.ai/privacy-policy.
Notwithstanding the foregoing, the Company may retain Personal Data to the extent required by applicable law (such as financial record-keeping obligations), provided that such retained data remains subject to the confidentiality and security obligations of this DPA and is not processed for any other purpose.
For self-hosted deployments, the Customer controls the infrastructure and is responsible for the deletion of Personal Data stored within the Customer's self-hosted environment. The Company's deletion obligations under this Section apply only to Personal Data that the Company processes in connection with the cloud-hosted Service.
13. International Transfers
The Service is operated from the United States. To the extent that the Company transfers Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States or any other country that has not been recognized as providing an adequate level of protection for Personal Data, the Company shall ensure that such transfers are effected pursuant to an appropriate transfer mechanism under applicable Data Protection Law, including without limitation Standard Contractual Clauses adopted by the European Commission or the competent UK authority.
The parties agree that, to the extent required by applicable Data Protection Law, the SCCs in the form approved by the European Commission for controller-to-processor transfers are hereby incorporated by reference into this DPA and shall apply to any transfers of Personal Data from the EEA to the United States. The Company agrees to execute any documentation reasonably requested by the Customer to give effect to such transfer mechanisms.
For self-hosted deployments, the Customer controls the location of data storage and processing. The international transfer obligations in this Section apply to data transferred to or processed by the Company in connection with the cloud-hosted Service.
14. Audits and Information
The Company shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and shall, upon reasonable written notice of no less than thirty (30) days (except in the case of a regulatory requirement or audit compelled by a supervisory authority, in which case shorter notice is acceptable), allow for and cooperate with audits conducted by the Customer or a qualified third-party auditor appointed by the Customer, subject to the following conditions:
- Audits shall be conducted during normal business hours, in a manner that does not unreasonably disrupt the Company's operations.
- The Customer (and any appointed auditor) shall execute confidentiality obligations reasonably acceptable to the Company prior to conducting any audit.
- Audits shall be limited in scope to matters directly related to the Company's obligations under this DPA.
- The Company may satisfy all or part of its audit obligations by providing the Customer with relevant certifications, audit reports, or attestations (such as SOC 2 Type II reports or ISO 27001 certifications) obtained from qualified third-party auditors.
The Customer shall bear all costs associated with audits conducted pursuant to this Section, unless the audit reveals a material non-compliance by the Company with this DPA, in which case the Company shall bear its own reasonable costs.
15. Data Protection Impact Assessments
To the extent required by applicable Data Protection Law, the Company shall provide the Customer with reasonable cooperation and information to assist the Customer in conducting data protection impact assessments ("DPIAs") and, where required, in consulting with competent supervisory authorities, to the extent such activities relate to the Company's processing of Personal Data under this DPA.
The Customer is responsible for determining whether a DPIA is required for the Customer's use of the Service and for conducting any such DPIA. The Company's obligations under this Section are limited to providing information and cooperation reasonably within the Company's possession and control.
16. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA is intended to create liability beyond what is permitted under the Agreement or applicable Data Protection Law.
To the extent that applicable Data Protection Law imposes liability on the Company as a Processor that cannot be excluded or limited by contract, nothing in this DPA or the Agreement shall be read to limit that statutory liability. The parties agree to cooperate in good faith to allocate any shared liability in a manner consistent with their respective responsibilities under applicable law.
17. Order of Precedence
In the event of a conflict or inconsistency between this DPA, the Agreement, and any other agreement between the parties, the following order of precedence shall apply with respect to obligations related to the processing of Personal Data: (a) any applicable Standard Contractual Clauses; (b) this DPA; (c) the Agreement. With respect to all other matters, the Agreement shall control.
18. Term
This DPA is effective as of the date the Customer accepts the Agreement and continues in force for the duration of the Agreement. Upon expiration or termination of the Agreement, this DPA shall automatically terminate, except that the obligations of confidentiality and security and the deletion obligations under Section 12 shall survive termination for as long as the Company retains any Personal Data.
19. Governing Law
This DPA shall be governed by the laws of the State of Delaware, United States, consistent with the governing law of the Agreement, except to the extent that applicable Data Protection Law (including the GDPR and UK GDPR) requires otherwise. Any disputes arising out of or relating to this DPA shall be resolved in accordance with the dispute resolution provisions of the Agreement.
20. Contact
For questions about this DPA or to exercise data protection rights, contact us at [email protected].
For security inquiries and vulnerability reports, contact [email protected].