DRAFT — Pending Attorney Review & Finalization · Not legally effective until published with an effective date
Legal · Clenta, Inc.

Data Processing Agreement

Version 0.2 · Last updated: May 25, 2026 · Effective: Pending

Contents

  1. Recitals
  2. Article 1 — Definitions
  3. Article 2 — Roles and Responsibilities
  4. Article 3 — Description of Processing
  5. Article 4 — Security
  6. Article 5 — Security Incident Notification
  7. Article 6 — Aggregate and Anonymized Benchmark Data
  8. Article 7 — Data Subject Rights
  9. Article 8 — Data Deletion and Return
  10. Article 9 — Sub-processors
  11. Article 10 — International Data Transfers
  12. Article 11 — Audits and Information
  13. Article 12 — Liability
  14. Article 13 — Term and Termination
  15. Article 14 — Miscellaneous
  16. Annex 1 — Technical and Organizational Security Measures
  17. Annex 2 — Benchmark Data Program Summary

Recitals

This Data Processing Agreement ("DPA") is entered into between:

Clenta, Inc., a Delaware corporation, with its principal place of business at [REGISTERED ADDRESS PENDING C CORP COMPLETION] ("Clenta" or "Processor"),

and

The entity identified in the applicable Order Form or Clenta Account ("Customer" or "Controller").

This DPA forms part of, and is incorporated into, the Clenta Terms of Service or any other written agreement between the parties governing Customer's use of the Services (the "Agreement"). In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the subject matter herein.

Article 1 — Definitions

1.1 "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, GDPR, the UK GDPR, CCPA/CPRA, and any successor or implementing legislation.

1.2 "Customer Data" means all data, including Personal Data, submitted to or processed by Clenta on behalf of Customer in connection with the Services.

1.3 "Data Subject" means the identified or identifiable natural person to whom Personal Data relates. In the context of Clenta's Services, Data Subjects are typically end clients of Customer — shoppers, clientele, or contacts managed by Customer's retail or service operations.

1.4 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.5 "Personal Data" has the meaning given to it under Applicable Data Protection Law (including "personal information" as defined under CCPA/CPRA).

1.6 "Processing" (and "Process," "Processes," "Processed") means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or deletion.

1.7 "Security Incident" means any confirmed unauthorized access to, use of, disclosure of, or destruction of Customer Data, or any breach of Clenta's security measures that affects the confidentiality, integrity, or availability of Customer Data.

1.8 "Services" means the Clenta platform and AI-powered clienteling agent ("Iris") as described in the Agreement.

1.9 "Sub-processor" means any third party engaged by Clenta to process Customer Data in connection with the Services.

1.10 "Benchmark Data Program" means Clenta's optional program under which participating Customers' data may be included in cross-organization, aggregated, anonymized industry benchmarks, subject to the conditions in Article 6.

Article 2 — Roles and Responsibilities

2.1 Processor designation. As between the parties, Customer is the Controller of Customer Data, and Clenta is the Processor acting on Customer's behalf. Customer determines the purposes and means of processing Customer Data; Clenta processes Customer Data only as necessary to provide the Services and as otherwise set forth in this DPA.

2.2 Controller obligations. Customer represents and warrants that:

  1. it has a lawful basis for processing Personal Data under Applicable Data Protection Law;
  2. it has provided Data Subjects with all required notices and obtained all required consents for the processing activities contemplated by the Services;
  3. the instructions it gives Clenta comply with Applicable Data Protection Law; and
  4. it is responsible for its own compliance with Applicable Data Protection Law, including responding to Data Subject requests relating to Customer Data.

2.3 Clenta's processing obligation. Clenta shall process Customer Data only:

  1. to provide, operate, maintain, and support the Services as described in the Agreement;
  2. as directed by Customer's documented instructions (including through Customer's configuration and use of the Services);
  3. as necessary to comply with Applicable Data Protection Law; and
  4. as otherwise expressly permitted by this DPA (including Articles 5 and 6).

Clenta shall not process Customer Data for any other purpose, including for Clenta's own independent commercial purposes, to sell to third parties, or to train general-purpose AI models without Customer's explicit written consent.

2.4 Conflicting legal requirements. If Clenta is required by applicable law to process Customer Data in a manner inconsistent with Customer's instructions, Clenta shall notify Customer before processing (unless prohibited by law) and shall process only to the minimum extent required.

Article 3 — Description of Processing

Subject matter: Clenta's AI-powered clienteling platform
Duration: For the term of the Agreement, plus any post-termination period required for deletion
Nature of processing: Storage, retrieval, AI-assisted structuring, reminder scheduling, contextual surfacing of client relationship data
Purpose of processing: Enabling retail associates to log, retrieve, and act on client interaction history via the Iris AI agent
Types of Personal Data: Names, contact information (email, phone), interaction notes, purchase preferences, relationship history, associate-logged observations, scheduling information
Categories of Data Subjects: End clients (shoppers/clients) of the Customer; Customer's retail associates
Customer's role: Data Controller
Clenta's role: Data Processor

Article 4 — Security

4.1 Technical and organizational measures. Clenta shall implement and maintain appropriate technical and organizational measures ("TOMs") to protect Customer Data against unauthorized access, disclosure, alteration, or destruction, including:

  1. encryption of Customer Data at rest and in transit;
  2. access controls limiting access to Customer Data to personnel with a need to know;
  3. logical isolation of Customer Data per organization (row-level security);
  4. regular security assessments; and
  5. personnel confidentiality obligations and security training.

See Annex 1 for a full description of Clenta's current technical and organizational security measures.

4.2 Sub-processor security. Clenta shall ensure that Sub-processors are bound by data protection and security obligations no less protective than those in this DPA.

Article 5 — Security Incident Notification

5.1 Notification obligation. In the event Clenta becomes aware of a confirmed Security Incident affecting Customer Data, Clenta shall:

  1. notify Customer within 48 hours of becoming aware of the incident; and
  2. provide Customer with sufficient information to enable Customer to meet its own notification obligations under Applicable Data Protection Law (including GDPR Art. 33's 72-hour supervisory authority notification requirement).

5.2 Notification content. The notification shall include, to the extent then known:

  1. a description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected;
  2. the likely consequences of the Security Incident;
  3. the measures Clenta has taken or proposes to take to address the Security Incident; and
  4. a contact point for further information.

5.3 Updates. Clenta shall provide Customer with timely updates as additional information becomes available.

5.4 No admission. Notification under this Article does not constitute an admission of fault or liability.

Article 6 — Aggregate and Anonymized Benchmark Data

Opt-in only (disabled by default): Clenta's Benchmark Data Program is disabled by default. Your data is never included in cross-organization benchmarks unless you explicitly enable it in your account settings. This is more protective than industry standard, where automatic inclusion is the norm.

6.1 Primary use restriction. Clenta processes Customer Data only as set forth in Articles 2 and 3. Clenta shall not use Customer Data for cross-organizational analysis, benchmarking, or any secondary purpose without Customer's express opt-in under this Article.

6.2 Benchmark Data Program — opt-in. Customer may elect, at its sole discretion, to participate in the Clenta Benchmark Data Program by enabling the benchmark participation setting in the Clenta admin interface (or by written agreement). Participation is disabled by default and requires affirmative Customer action to enable.

6.3 Eligibility conditions. Clenta shall not include Customer's data in any Benchmark Data output unless all of the following conditions are met:

  1. Customer has opted in under Section 6.2;
  2. the applicable benchmark cohort contains data from at least 20 independent Customer organizations;
  3. the output data has been de-identified such that no specific Customer organization, individual Data Subject, or combination of attributes can reasonably be used to identify any organization or individual; and
  4. the benchmark output contains no Personal Data as defined under Applicable Data Protection Law.

6.4 Permitted uses of Benchmark Data. If the conditions in Section 6.3 are met, Clenta may use the resulting anonymized, aggregated benchmark data ("Benchmark Data") to:

  1. generate and provide cross-organization performance insights and benchmarks to participating Customers; and
  2. improve and develop the Services.

6.5 Limitations. Clenta shall not:

  1. use Benchmark Data to identify or profile any specific Customer or Data Subject;
  2. sell Benchmark Data to third parties in a form that could identify any Customer; or
  3. use Benchmark Data in a manner that contradicts the conditions in Section 6.3(3)–(4).

6.6 Opt-out. Customer may withdraw consent to participate in the Benchmark Data Program at any time by disabling the benchmark participation setting. Withdrawal does not affect any Benchmark Data already derived and anonymized prior to withdrawal, provided such data met the conditions in Section 6.3 at the time of derivation.

Article 7 — Data Subject Rights

7.1 Clenta's assistance. Clenta shall provide Customer with reasonable technical assistance to fulfill Customer's obligations under Applicable Data Protection Law to respond to Data Subject requests (including requests for access, correction, deletion, restriction, or portability of Personal Data), taking into account the nature of the processing.

7.2 Clenta not the controller. Clenta has no direct relationship with Data Subjects and is not responsible for responding to Data Subject requests directly. If a Data Subject contacts Clenta directly, Clenta shall promptly notify Customer and direct the Data Subject to Customer.

Article 8 — Data Deletion and Return

8.1 Customer-initiated deletion. Customer may delete Customer Data at any time using the tools and controls provided within the Services.

8.2 Deletion on termination. Upon expiration or termination of the Agreement, Customer may request return of Customer Data in a machine-readable format within 30 days of the termination date.

8.3 Clenta's deletion obligation. Following the earlier of: (a) Customer's request for deletion under Section 8.1 or 8.2, or (b) 30 days after the termination or expiration of the Agreement, Clenta shall:

  1. delete or render irretrievable all Customer Data from active production systems within 30 days of the deletion trigger; and
  2. delete Customer Data from backup systems within 90 days of the deletion trigger.

8.4 Retained data. Notwithstanding the foregoing, Clenta may retain Customer Data to the extent required by Applicable Data Protection Law or legitimate business purposes (e.g., billing records, fraud prevention), provided that such retained data is: (a) kept confidential and not further processed except as required by law; and (b) deleted as soon as the legal or legitimate retention obligation expires.

8.5 Anonymized data. Anonymized and aggregated Benchmark Data derived prior to deletion (pursuant to Article 6 and where all conditions were met) is not "Customer Data" for purposes of this Article.

Article 9 — Sub-processors

9.1 General authorization. Customer provides general written authorization for Clenta to engage Sub-processors to process Customer Data in connection with the Services, subject to the conditions in this Article.

9.2 Sub-processor obligations. Clenta shall:

  1. enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA; and
  2. remain liable to Customer for the performance of Sub-processors' obligations under such agreements.

9.3 Sub-processor list. Clenta shall maintain and make available to Customer, upon request, a current list of Sub-processors engaged to process Customer Data.

9.4 AI provider restriction. Without limiting Section 9.2, Clenta shall ensure that any AI model provider (including Anthropic and any successor provider) processing Customer Data is prohibited by written agreement from:

  1. using Customer Data to train, fine-tune, or improve general-purpose AI models; and
  2. retaining Customer Data beyond the minimum period required to process each individual request.

9.5 New Sub-processors. Clenta shall provide Customer with 10 days' advance notice before engaging a new Sub-processor that will process Customer Data, and shall update the sub-processor list accordingly. Customer may object to a new Sub-processor within 10 days of notice by providing written notice to legal@clenta.ai describing the basis for the objection. If the parties cannot resolve the objection within the notice period, Customer may terminate the Agreement on 30 days' written notice without penalty.

9.6 Emergency exception. If Clenta is required to engage a Sub-processor on an emergency basis to respond to a Security Incident or protect the integrity of the Services, Clenta may engage such Sub-processor immediately and shall provide Customer with written notice within 10 days of doing so.

Article 10 — International Data Transfers

10.1 EEA/UK/Switzerland transfers. Where Customer Data originates in the European Economic Area, the United Kingdom, or Switzerland and is transferred to Clenta or its Sub-processors in a third country lacking an adequacy decision, such transfers shall be subject to the appropriate transfer mechanism, which may include:

  1. the Standard Contractual Clauses adopted by the European Commission on June 4, 2021 (Module Two: Controller-to-Processor), which are incorporated into this DPA by reference; and/or
  2. the UK International Data Transfer Addendum (IDTA) or Addendum to the EU SCCs for UK transfers; and/or
  3. any other appropriate transfer mechanism under Applicable Data Protection Law.

10.2 CCPA/CPRA. For purposes of CCPA/CPRA, Clenta is a "Service Provider" (and "Contractor") as those terms are defined under applicable California law. Clenta:

  1. shall not "sell" or "share" (as those terms are defined under CCPA/CPRA) Customer Data or Personal Data processed on behalf of Customer;
  2. shall not retain, use, or disclose Customer Data for any purpose other than providing the Services or as otherwise permitted by CCPA/CPRA; and
  3. shall not combine Customer Data with personal information Clenta receives from other businesses except as permitted by CCPA/CPRA.

Article 11 — Audits and Information

11.1 Information provision. Clenta shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA.

11.2 Audit right. Customer may, upon 30 days' written notice and no more than once per calendar year, conduct an audit of Clenta's data processing practices relevant to this DPA, at Customer's expense. Clenta may satisfy this obligation through provision of third-party audit reports, penetration test summaries, or equivalent certifications.

11.3 Confidentiality of audit. Any audit results are confidential and may not be shared with third parties without Clenta's consent, except as required by law or regulatory authority.

Article 12 — Liability

12.1 Application of Agreement cap. The liability of either party under this DPA shall be subject to the limitations of liability set forth in the Agreement, including any aggregate liability cap and exclusions.

Lawyer note: Determine whether data protection breaches should be subject to a higher cap or uncapped entirely for willful misconduct. Industry standard is to apply the same 12-month fee cap, but enterprise customers often push for a higher DPA-specific cap.

Article 13 — Term and Termination

13.1 This DPA shall remain in effect for as long as Clenta processes Customer Data under the Agreement. Termination of the Agreement shall automatically terminate this DPA, subject to the survival of deletion and return obligations in Article 8 and confidentiality obligations.

Article 14 — Miscellaneous

14.1 Governing law. This DPA shall be governed by the same governing law as the Agreement (State of Delaware), except where Applicable Data Protection Law requires otherwise.

14.2 Entire agreement. This DPA, together with the Agreement and any annexes, constitutes the entire agreement between the parties with respect to the processing of Customer Data.

14.3 Precedence. This DPA supersedes any prior agreements regarding data processing between the parties with respect to the subject matter herein.

14.4 Updates. Clenta may update this DPA from time to time to reflect changes in Applicable Data Protection Law or Clenta's Services. Clenta shall provide Customer with 30 days' advance notice of material changes. Continued use of the Services after the effective date constitutes acceptance.

Annex 1 — Technical and Organizational Security Measures

Encryption

Access Controls

Incident Response

Backups

Vendor Security

Personnel

Annex 2 — Benchmark Data Program Summary

What it is: An optional, opt-in program that allows Clenta to include your anonymized, aggregated data in cross-organization industry benchmarks (e.g., average client reactivation rates by retail tier).

What is never included: Individual shopper names, contact information, purchase history, or any data that can identify a specific person or your organization.

Default: Off. You must explicitly enable this in your Clenta admin settings.

Cohort minimum: Clenta only generates benchmark outputs when at least 20 independent organizations have opted in — no single organization's data is identifiable in any output.

Opt-out: You can opt out at any time. Previously derived, properly anonymized benchmark data is not retroactively deleted.