Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between the Customer entity identified in the signature page to this DPA ("Customer") and Thema AI Limited ("Provider") pursuant to the agreement, order form, statement of work, online terms or other written or electronic agreement between the parties governing Provider's provision of the services to Customer (the "Services"), as applicable (the "Agreement").

Data Processing and Protection

Description of Parties' Roles and Processing

The Parties agree that the Customer will be the controller of Personal Data and Provider will be the processor of Personal Data. Provider will Process Personal Data only on documented instructions from Customer, including as set out in this DPA and the Agreement, unless required to do so by Law. In that case, Provider will inform Customer of the legal requirement before Processing, unless that Law prohibits such information on important grounds of public interest. The subject matter, nature and purpose of the Processing, the type of Personal Data and the categories of Individuals whose Personal Data are Processed are set out in Annex I of this DPA (Description of Transfer).

Anonymization

Customer instructs Provider to anonymise and/or aggregate the Processed Personal Data for the purpose of improving the Services, and Customer acknowledges that Provider may aggregate and/or anonymise the Processed Personal Data and use such anonymised data for its own business purposes, provided that Provider does not attempt to re-identify the data or associate it with Customer, an Individual or the original Personal Data.

Compliance with Law

The Parties will comply with their respective obligations under Data Protection Law, as further specified in this DPA. Customer is solely responsible for informing the Individuals about the Processing of their Personal Data by Provider, as required by Data Protection Law. Customer is responsible for determining what Personal Data it submits to, uploads to, enters into, or otherwise makes available through the Services and for ensuring that such Processing complies with Data Protection Laws. Customer will not intentionally submit special category data, criminal offence data or other sensitive Personal Data to the Services unless expressly agreed in writing by the parties.

Confidentiality

Provider will ensure that Provider Personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Security

Provider will implement appropriate technical and organizational measures designed to protect Personal Data against anticipated threats or hazards to their security, confidentiality or integrity. A description of the security measures that Provider shall apply to the Personal Data is set out at Annex II to this DPA (Security Standards). Provider will maintain these measures throughout the term of this DPA.

Engagement of Sub-processors

Customer provides its general authorization for Provider to engage sub-processors that it deems necessary to provide the Services. On Customer's written request, Provider shall make available a current list of sub-processors that it has engaged to Customer. Provider shall inform Customer if it intends to add a new sub-processor to this list, giving Customer a period of thirty (30) days to object to such changes. The parties will discuss any such objection in good faith. Provider shall, prior to using a sub-processor to Process Personal Data, enter into an agreement with such sub-processor that is at least as restrictive as this DPA.

Individuals' Rights Requests

Provider will promptly notify Customer in writing (including in electronic form), unless prohibited by Law, if Provider receives: (i) any requests from an Individual with respect to Personal Data Processed, including, but not limited to, opt-out requests; requests for access and/or rectification, erasure or restriction; requests for data portability and all similar requests; or (ii) any complaint relating to the Processing of Personal Data, including allegations that the Processing infringes on an Individual's rights. Unless required by Law, Provider will not respond to any such request, inquiry or complaint without Customer's prior consent, except to confirm that the request relates to Customer and to provide Customer's contact information, to which Customer hereby agrees.

Personal Data Breach

Provider will notify Customer without undue delay and in any event within forty-eight (48) hours after becoming aware of any breach of the security of Personal Data leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed ("Personal Data Breach"). Taking into account the information available to Provider, Provider will assist Customer upon Customer's request in complying with Customer's notification obligations regarding a Personal Data Breach under Data Protection Law.

Audit

Upon Customer's reasonable request (to be exercised no more than once a year, unless required more frequently by Law), Provider will provide relevant information in its possession that is reasonably necessary to demonstrate Provider's compliance with this DPA and will allow for and contribute to audits at Customer's cost, provided that: (i) Customer gives Provider reasonable notice in advance of any audit (where permitted by Law); (ii) the audit is carried out in a manner that causes the minimum possible disruption to Provider's business; and (iii) Customer shall treat any information provided to it by Provider in response to an audit as confidential.

Return or Disposal

Upon termination or expiration of the Agreement or this DPA, Provider shall, at the choice of Customer, delete, anonymize, or return to Customer the Processed Personal Data, including any copies thereof, unless Provider is obliged by Law to continue storing Personal Data.

Other

Upon Customer's request, Provider will provide assistance and information in its possession necessary to demonstrate Provider's compliance with its obligations under this DPA and the Data Protection Laws and assist Customer in meeting its obligations under Data Protection Law, including: (i) registration and notification obligations; (ii) accountability; (iii) ensuring the security of Personal Data; (iv) if required by Data Protection Law, establishment and maintenance of a record of Personal Data Processing; and (v) conducting and documenting privacy and data protection impact assessments and related consultations of data protection authorities. Provider will inform Customer if Provider believes that any instructions of Customer regarding the Processing of Personal Data would violate Law.

Adverse Changes

Provider will notify Customer in writing promptly if Provider: (i) has reason to believe it is not or will not be able to comply with any of its obligations under Data Protection Law or this DPA; or (ii) becomes aware of any circumstances or change in Law that is likely to prevent it from fulfilling its obligations under this DPA. Customer has the right, upon providing notice to Provider, to take reasonable and appropriate steps to stop and remediate unauthorized Processing of Personal Data, including where Provider has notified Customer that it can no longer meet its obligations under the Data Protection Law. In the event that this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, do not or would not satisfy either party's obligations under the Law applicable to each party, the parties will negotiate to agree upon an appropriate amendment to this DPA.

Data Transfers

Provider is incorporated in the United Kingdom. Customer acknowledges and agrees that Provider may Transfer Personal Data to third parties, including sub-processors, outside of the United Kingdom and European Economic Area, provided that Provider ensures that such Transfers comply with Data Protection Laws, including by concluding EU SCCs and/or the UK SCCs Addendum with any third parties prior to any Transfer where applicable.

Amendments

The parties agree that this DPA may be amended only by written agreement between the parties.

Effective Date

This DPA will take effect on the date of the last signature by the parties below, or, if earlier, the date on which Provider first Processes Personal Data on behalf of Customer in connection with the Services, in each case the "Effective Date".

Miscellaneous

Survival

The obligations of Provider under this DPA will continue for as long as Provider continues to have access to, is in possession or control of, or acquires Personal Data on behalf of Customer, even if all agreements between Provider and Customer have expired or have been terminated.

Conflicts

To the extent of any conflict or inconsistency between this DPA and any Agreement, this DPA will prevail with respect to the Processing of Personal Data.

Governing Law

This DPA and any dispute or claim, including any non-contractual dispute or claim, arising out of or in connection with it or its subject matter or formation will be governed by and construed in accordance with the laws of England and Wales. Each party irrevocably agrees that the courts of England and Wales will have exclusive jurisdiction to settle any such dispute or claim.

Execution

This DPA may be executed in several counterparts (including delivery via facsimile or electronic mail), each of which will be deemed to be an original but all of which together will constitute one and the same instrument.

Definitions

Capitalized terms used but not defined in this DPA will have the meanings set forth in the applicable Agreement.

  • "Adequacy Decision" means a decision adopted by a competent authority with jurisdiction over Customer declaring that a jurisdiction meets an adequate level of protection of Personal Data.
  • "Data Protection Law" means any Law relating to the Processing of Personal Data under this DPA, including, as applicable, the UK GDPR (as defined in section 3(10) and 205(4) of the Data Protection Act 2018 and the Data Protection Act 2018 (as amended over time).
  • "EU SCCs" means the 2021 EU Standard Contractual Clauses ((EU) 2021/914).
  • "Individual" means any individual about whom Personal Data may be Processed under this DPA.
  • "Law" means any applicable law, statute, code, regulation, rule, consent agreement, order, injunction, judgment, decree, ruling, constitution, treaty, or other similar requirement of any governmental authority.
  • "Personal Data" means any information Processed under this DPA that identifies, directly or indirectly, an Individual or relates to an identifiable Individual.
  • "Process" or "Processing" means the collection, recording, organization, structuring, alteration, access, disclosure, copying, transfer, storage, deletion, retention, combination, restriction, adaptation, retrieval, consultation, destruction, disposal, sale, sharing, augmentation or other use of Personal Data, whether by automated means or otherwise.
  • "Provider Personnel" means any Provider's employees, contractor, subcontractor or agent to whom Provider authorizes to access or Process Personal Data.
  • "Transfer" means the access by, transfer or delivery to or disclosure of Personal Data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction from which the Personal Data originated.
  • "UK SCCs Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022.

Annex I — Description of Transfer

Data Subjects

The personal data transferred concern the following categories of data subjects:

  • Customer's personnel who are authorised to access or use the Services, including employees, contractors, consultants and representatives of Customer;
  • Customer's business contacts and other individuals whose Personal Data is submitted to, made available to, generated by or otherwise Processed through the Services; and
  • individuals associated with companies, organisations or other business entities identified, analysed or processed through the Services, including directors, officers, shareholders, beneficial owners, employees, representatives and other business contacts whose information may be available from public sources, company registries, business databases or other sources relevant to the Services.

Categories of Data

The personal data transferred concern the following categories of data:

  • business contact information, including names, job titles, roles, employer or organisation, business address, business telephone number, business email address and professional profile information;
  • account and user information relating to Customer's authorised users, including names, business contact details, role, permissions, authentication information and account preferences;
  • usage, log and metadata relating to access to and use of the Services, including user identifiers, access logs, timestamps, search queries, activity logs, device and browser information, IP addresses and other technical metadata;
  • any other Personal Data contained in content, records, datasets, prompts, queries, outputs, notes or other materials submitted to, generated by, or processed through the Services by or on behalf of Customer.

Nature of the Processing

The personal data transferred will be subject to the following basic processing activities: collection, receipt, access, retrieval, recording, organisation, structuring, storage, hosting, indexing, matching, deduplication, enrichment, analysis, extraction, transformation, adaptation, consultation, use, disclosure by transmission or making available, alignment, combination, generation of outputs, restriction, deletion, return and erasure, in each case as necessary to provide, maintain, secure, support, improve and develop the Services in accordance with the DPA and the Agreement.

Purpose of the Processing

The purpose of the transfer and Processing is to provide, operate, maintain, secure, support, improve and develop the Services for Customer.

Duration of the Processing

The term of the Agreement, unless otherwise agreed by the Parties.

Annex II — Technical and Organisational Measures

Thema AI maintains an information security management system aligned to ISO/IEC 27001:2022 (certification in progress) and is undergoing a SOC 2 Type II examination. These frameworks govern the technical and organisational measures applied to Personal Data, which include:

  • Encryption: AES-256 at rest and TLS 1.2+ in transit.
  • Access control: role-based, least-privilege access with enforced MFA, SSO and quarterly access reviews.
  • Device security: full-disk encryption and endpoint posture verification on company devices.
  • Confidentiality: authorised personnel under confidentiality obligations, with security training at onboarding and annually.
  • Infrastructure security: segregated VPCs, private subnets, default-deny network controls and a web application firewall, hosted in AWS (eu-west-2).
  • Logging and monitoring: security, audit and access events logged and retained for 12 months.
  • Vulnerability management: cloud, dependency and container scanning, remediation SLAs (Critical 7 days, High 30 days), and annual independent penetration testing.
  • Resilience and backup: backups with a point-in-time-restore window of up to 30 days, replicated across availability zones and tested at least annually.
  • Incident management: documented incident response plan.
  • Secure development: mandatory peer review, branch protection and CI checks before production deployment.
  • Sub-processors: due diligence and contractual obligations at least as protective as this DPA.
  • Retention: Personal Data retained only as necessary and deleted or anonymised per the Data Retention Policy.