This Data Processing Addendum (“DPA”) is entered into by and between AgentCore LLC (“AgentCore”, “Processor”, “we”, “us”, or “our”) and the customer agreeing to the Midus Terms of Service (“Customer” or “Controller”).
This DPA forms part of and supplements the Midus Terms of Service (the “Agreement”). In the event of conflict between this DPA and the Agreement, this DPA prevails with respect to the subject matter herein.
1. Definitions
The terms “personal data,” “controller,” “processor,” “data subject,” and “processing” have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). Equivalent terms under other laws (e.g., “business,” “service provider,” “consumer” under the CCPA) shall be interpreted accordingly.
• Customer Data: Personal data contained in Customer Content, Output, or other information uploaded or provided by Customer and its Authorized Users through the Service.
• Data Protection Laws: GDPR, the UK Data Protection Act 2018, UK GDPR, Swiss Federal Data Protection Act, the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
• Subprocessor: Any third party engaged by AgentCore to process Customer Data on behalf of Customer.
• Standard Contractual Clauses (SCCs): The clauses annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Roles of the Parties
• Customer as Controller: Customer determines the purposes and means of processing Customer Data.
• AgentCore as Processor: AgentCore processes Customer Data only on behalf of and in accordance with Customer’s documented instructions.
• Service Data: Operational data collected by AgentCore (e.g., usage logs, device metadata) is processed by AgentCore as a controller, as described in the Privacy Policy.
3. Processing Instructions
3.1 Permitted Purpose. AgentCore processes Customer Data solely for providing, maintaining, and securing the Service, performing obligations under the Agreement, preventing abuse, complying with law, and supporting the Customer as instructed.
3.2 Customer Instructions. Customer instructs AgentCore to process Customer Data for the purposes described in the Agreement and this DPA. Additional instructions require prior written agreement.
3.3 Prohibited Uses. AgentCore will not:
• Sell Customer Data.
• Retain, use, or disclose Customer Data for purposes other than providing the Service.
• Use Customer Data for training or improving foundation models, unless Customer opts in.
4. Confidentiality
AgentCore ensures that persons authorized to process Customer Data are bound by confidentiality obligations no less protective than this DPA.
5. Security
5.1 Safeguards. AgentCore implements appropriate technical and organizational measures to protect Customer Data, including:
• Encryption in transit and at rest.
• Access controls and authentication.
• Regular security reviews and vulnerability management.
• Physical and logical security safeguards for systems.
5.2 Incident Notification. If AgentCore becomes aware of a data breach affecting Customer Data, it will notify Customer without undue delay, providing details available at the time.
6. Subprocessors
6.1 Use of Subprocessors. Customer authorizes AgentCore to engage Subprocessors for the provision of the Service.
6.2 Obligations. AgentCore ensures Subprocessors are bound by written agreements imposing data protection obligations no less protective than this DPA.
6.3 List and Updates. A current list of Subprocessors is available upon request. AgentCore will provide notice of new Subprocessors and allow Customer to object on reasonable grounds related to data protection.
7. International Transfers
7.1 Mechanisms. AgentCore may transfer Customer Data outside the country of origin, subject to appropriate safeguards under Data Protection Laws.
7.2 SCCs. For transfers from the EEA, the SCCs (Module 2: Controller to Processor) are incorporated by reference into this DPA, with Customer as “data exporter” and AgentCore as “data importer.”
• Clause 7: Docking clause applies.
• Clause 9: General authorization for Subprocessors with notice mechanism.
• Clause 11: Independent dispute resolution not required.
• Clause 17/18: Governing law = Ireland; jurisdiction = Ireland.
7.3 UK Addendum. For UK transfers, the International Data Transfer Addendum (issued by the UK ICO, March 2022) applies, incorporating the SCCs.
7.4 Swiss Addendum. For Swiss transfers, references to GDPR shall be read as references to Swiss law; competent authority = FDPIC.
8. Data Subject Rights
AgentCore will, to the extent permitted by law, assist Customer in responding to requests by data subjects to exercise their rights under Data Protection Laws (e.g., access, rectification, deletion, portability).
9. Audit and Compliance
• Customer may audit AgentCore’s compliance with this DPA once per year (or more frequently if required by law) by written request.
• Audits may consist of reviewing third-party certifications, security reports, or, if necessary, an on-site inspection with reasonable notice.
• Audits must not disrupt operations and are at Customer’s expense.
10. Data Return and Deletion
• During the subscription term, Administrators can export Customer Data from supported features.
• Upon termination, AgentCore will retain Customer Data for up to 30 days for retrieval, unless earlier deletion is requested.
• After that period, Customer Data will be deleted from active systems, and backups purged in the ordinary course of business.
11. Liability
The limitations of liability in the Agreement apply to this DPA, except to the extent prohibited by law.
12. Miscellaneous
• This DPA is governed by the laws of Delaware, United States, unless otherwise required by Data Protection Laws.
• If provisions of this DPA conflict with the SCCs or other transfer mechanisms, the latter will prevail.
• This DPA terminates automatically with the Agreement.
Annex I – Details of Processing
• Subject Matter: Provision of the Midus Service.
• Nature and Purpose: Hosting, processing, transmitting, and generating AI Output from Customer Data.
• Categories of Data Subjects: Customer employees, contractors, and other Authorized Users.
• Categories of Data: Chat inputs, documents, metadata, identifiers, and other information uploaded by Customer.
• Duration: For the term of the Agreement, plus any applicable retention period.
Annex II – Security Measures
1. Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest.
2. Access Control: Role-based access, MFA, least-privilege enforcement.
3. Monitoring: Intrusion detection, logging, anomaly detection.
4. Personnel Security: Background checks, confidentiality agreements, security training.
5. Resilience: Redundancy, regular backups, disaster recovery testing.
Annex III – Subprocessors
A current list of Subprocessors (e.g., cloud infrastructure, database providers, AI model providers) is available upon request at legal@heymidus.com.
Execution
By accepting the Midus Terms of Service, Customer and AgentCore agree that this DPA is incorporated and binding.