Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between NCS — Neural Compute Systems, operated by Easy Drift AS ("Processor", "NCS", "we", "us") and the entity agreeing to these terms ("Controller", "Customer", "you") for the provision of NCS Services. This DPA reflects the parties' commitment to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and any other applicable data protection legislation when NCS processes personal data on behalf of the Customer. This DPA applies automatically to all Customers who use NCS Services that involve the processing of personal data.

The following terms have the meanings set out below. Any capitalized terms not defined here have the meaning given in the GDPR or the main service agreement. - **"Personal Data"** means any information relating to an identified or identifiable natural person processed by NCS on behalf of the Customer through the Services. - **"Processing"** means any operation performed on Personal Data, including collection, storage, use, transfer, or deletion. - **"Sub-processor"** means any third party engaged by NCS to process Personal Data on the Customer's behalf. - **"Data Breach"** means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. - **"Services"** means the NCS platforms, products, APIs, and infrastructure as described in the Terms of Service.

**Customer as Controller:** The Customer determines the purposes and means of processing Personal Data and acts as the data controller under applicable data protection law. **NCS as Processor:** NCS processes Personal Data only on behalf of and under the documented instructions of the Customer. NCS acts as a data processor (or sub-processor where the Customer acts as a processor for another controller). **Subject Matter:** The processing concerns the operation of AI infrastructure services, including model deployment, data ingestion, analytics, and related technical operations. **Categories of Data Subjects:** Employees, end users, customers, and other individuals whose data the Customer processes through NCS Services. **Types of Personal Data:** Contact information, technical identifiers, usage data, and any other personal data the Customer submits to the Services. **Duration:** Processing continues for the duration of the service agreement plus any retention period required by law.

NCS processes Personal Data only in accordance with the Customer's documented instructions, which include: - The provisions of the main service agreement and this DPA. - Configuration choices made by the Customer within the NCS platform (e.g., data region selection, retention settings). - Any additional written instructions agreed between the parties. If NCS believes an instruction violates applicable data protection law, we will promptly notify the Customer and await revised instructions before proceeding (except where legally required to process).

NCS ensures that all personnel authorized to process Personal Data: - Are bound by appropriate confidentiality obligations, whether contractual or statutory. - Process Personal Data only as necessary to perform the Services and in accordance with the Customer's instructions. - Receive appropriate training on data protection requirements. These obligations survive the termination of the employment or engagement of such personnel.

NCS implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and accidental loss, destruction, or damage. These measures include but are not limited to: **Technical Measures:** - Encryption of data in transit (TLS 1.3) and at rest (AES-256). - Network segmentation and firewall protection. - Intrusion detection and prevention systems. - Automated vulnerability scanning and patch management. - Multi-factor authentication for platform access. **Organizational Measures:** - Role-based access controls following the principle of least privilege. - Regular security assessments and third-party penetration testing. - Documented incident response procedures. - Employee security awareness training. - Background checks for personnel with access to Customer data. NCS regularly reviews and updates these measures to address evolving threats and maintain industry-standard protection levels.

**Authorization:** The Customer provides general authorization for NCS to engage sub-processors to assist in providing the Services. **Notification:** NCS maintains a list of current sub-processors. We will notify the Customer at least 30 days before adding or replacing a sub-processor, providing the Customer an opportunity to object. **Objection Right:** If the Customer reasonably objects to a new sub-processor on data protection grounds, NCS will make commercially reasonable efforts to provide an alternative or allow the Customer to terminate the affected Services without penalty. **Sub-processor Obligations:** NCS imposes data protection obligations on all sub-processors that are materially equivalent to those in this DPA. NCS remains fully liable for the acts and omissions of its sub-processors. **Current Sub-processors:** A list of current sub-processors is available upon request at legal@ncsengine.com.

NCS assists the Customer in fulfilling obligations to respond to data subject requests under the GDPR, including requests for: - Access (Article 15) - Rectification (Article 16) - Erasure (Article 17) - Restriction of processing (Article 18) - Data portability (Article 20) - Objection (Article 21) NCS provides technical mechanisms through the platform to enable the Customer to manage data subject requests directly where feasible. Where a data subject contacts NCS directly, we will redirect the request to the Customer without undue delay.

In the event of a Data Breach affecting Personal Data processed under this DPA, NCS will: - **Notify** the Customer without undue delay and in any event within 48 hours of becoming aware of the breach. - **Provide** sufficient information to enable the Customer to meet its obligations under Articles 33 and 34 of the GDPR, including: - The nature of the breach and categories/number of data subjects and records affected. - The likely consequences of the breach. - Measures taken or proposed to address the breach and mitigate its effects. - **Cooperate** with the Customer in investigating, mitigating, and remediating the breach. - **Document** all Data Breaches, including facts, effects, and corrective actions taken. Notification of a Data Breach shall not be construed as an acknowledgment of fault or liability by NCS.

NCS provides reasonable assistance to the Customer in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, as required under Articles 35 and 36 of the GDPR. This assistance includes providing information about NCS's processing activities, security measures, and sub-processor arrangements, to the extent necessary for the Customer's assessment.

NCS processes Personal Data primarily within the European Economic Area (EEA). Where transfers to countries outside the EEA are necessary, NCS ensures compliance through one or more of the following safeguards: - **Adequacy Decisions:** Transfers to countries recognized by the European Commission as providing adequate protection. - **Standard Contractual Clauses (SCCs):** EU Commission-approved SCCs are incorporated into contracts with recipients outside the EEA. - **Supplementary Measures:** Additional technical and organizational measures where required, including encryption and access controls that prevent third-country government access. The Customer may select the data processing region through the NCS platform. Data will not be transferred outside the selected region without the Customer's explicit authorization.

**Right to Audit:** The Customer has the right to audit NCS's compliance with this DPA, subject to reasonable notice and scope. **Third-Party Certifications:** NCS makes available relevant third-party audit reports, certifications, and compliance documentation to satisfy audit requirements where possible. **On-Site Audits:** Where the Customer requires an on-site audit beyond available documentation, the parties will agree on scope, timing, and conditions. The Customer bears the costs of such audits, provided they do not interfere with NCS operations or the security of other customers. **Cooperation:** NCS cooperates with supervisory authorities in the performance of their duties, including inspections, to the extent required by law.

Upon termination or expiration of the service agreement: - **Data Export:** NCS makes Customer Data, including Personal Data, available for export for a period of 30 days in a standard, machine-readable format. - **Deletion:** After the export period, NCS deletes all Personal Data from its systems within 90 days, unless retention is required by applicable law. - **Certification:** Upon request, NCS provides written confirmation that Personal Data has been deleted in accordance with this section. Backup copies are deleted in accordance with NCS's standard backup rotation schedule, not exceeding 180 days.

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the main service agreement (Terms of Service), except where such limitations are prohibited by applicable data protection law. Nothing in this DPA limits either party's liability for breaches of the GDPR or applicable data protection law to the extent such limitation is not permitted.

This DPA takes effect when the Customer begins using NCS Services that involve processing of Personal Data and remains in effect for as long as NCS processes Personal Data on behalf of the Customer. Obligations related to confidentiality, data deletion, and cooperation with audits survive termination of this DPA.

This DPA is governed by the laws of Norway, consistent with the governing law of the main service agreement. For matters specifically related to GDPR enforcement, the applicable EU member state law applies.

For any questions regarding this Data Processing Agreement, please contact: **NCS Data Protection** Email: dpo@ncsengine.com **Mailing Address:** Easy Drift AS Norway