Data Processing Addendum
Effective date: May 5, 2026 · Last updated: May 5, 2026
This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Terms of Use, master subscription agreement, order form, or other written agreement (the "Agreement") between AgentCore LLC, a Delaware limited liability company doing business as "Dale" ("Dale," "we," or "Processor"), and the customer that is a party to the Agreement (the "Customer," "you," or "Controller"). Each of Dale and Customer is a "Party," and together they are the "Parties."
This DPA reflects the Parties' agreement with respect to the Processing of Personal Data by Dale on behalf of Customer in connection with Dale's provision of the Services. It applies to the extent Dale Processes Personal Data subject to Data Protection Laws (defined below) on behalf of Customer.
By executing the Agreement, or by accessing or using the Services on or after the Effective Date, Customer accepts this DPA. Where Customer requires a counter-signed copy of this DPA, Customer may submit a request to legal@dale.legal.
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement, the Privacy Policy, or applicable Data Protection Laws. For purposes of this DPA:
- "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where "control" means ownership of more than fifty percent (50%) of the voting securities or equivalent interests.
- "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, together with its implementing regulations.
- "Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, including any equivalent term ("business" under the CCPA, "data controller" under UK GDPR, etc.).
- "Customer Personal Data" means Personal Data that Dale Processes on behalf of Customer in the course of providing the Services, including (a) Personal Data contained within Document Data uploaded by Customer or its Authorized Users to the Services, and (b) account, profile, and Usage Data described in the Privacy Policy.
- "Data Protection Laws" means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"); the UK General Data Protection Regulation as defined in section 3(10) (and supplemented by section 205(4)) of the UK Data Protection Act 2018 ("UK GDPR"); the Swiss Federal Act on Data Protection ("FADP"); the CCPA; the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Texas Data Privacy and Security Act, and other comparable U.S. state privacy laws (collectively, "U.S. State Privacy Laws"); and any successor, superseding, or replacement law.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates, including any equivalent term ("consumer" under the CCPA, etc.).
- "Document Data" has the meaning given in the Agreement and the Privacy Policy and refers to the content of Franchise Disclosure Documents and other files uploaded by Customer to the Services for analysis, together with the Review Output generated therefrom.
- "EU SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, replaced, or superseded from time to time.
- "Personal Data" means any information relating to a Data Subject, including any equivalent term ("personal information" under the CCPA, "personal data" under EU GDPR/UK GDPR, etc.).
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Dale or any Sub-processor.
- "Processing" (and "Process") means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, restriction, erasure, or destruction.
- "Processor" means a natural or legal person who Processes Personal Data on behalf of a Controller, including any equivalent term ("service provider" under the CCPA, "data processor" under UK GDPR, etc.).
- "Restricted Transfer" means a transfer of Personal Data from (i) the European Economic Area to a country outside the EEA not subject to an adequacy decision; (ii) the United Kingdom to a country outside the UK not subject to UK adequacy regulations; or (iii) Switzerland to a country outside Switzerland not recognized by the Federal Data Protection and Information Commissioner ("FDPIC") as providing adequate protection.
- "Services" means the Dale platform, applications, APIs, and related services made available to Customer under the Agreement.
- "Sub-processor" means any third party engaged by Dale or any Dale Affiliate to Process Customer Personal Data on Dale's behalf in connection with the provision of the Services.
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, version B1.0, in force from 21 March 2022, as updated, amended, or replaced from time to time.
2. Scope, Roles & Order of Precedence
2.1 Scope
This DPA applies to the Processing of Customer Personal Data by Dale on behalf of Customer for the purpose of providing the Services. This DPA does not apply to (a) Personal Data for which Dale acts as a Controller, including Personal Data Processed by Dale for the limited internal purposes described in Section 2.4 below, or (b) data that does not constitute Personal Data under applicable Data Protection Laws.
2.2 Roles of the Parties
With respect to Customer Personal Data, the Parties acknowledge and agree that Customer is the Controller, Dale is the Processor, and Dale will engage Sub-processors pursuant to the requirements set forth in Section 8 below. Where Customer is itself a Processor acting on behalf of a third-party Controller, Customer warrants to Dale that Customer's instructions to Dale, including appointment of Dale as a Sub-processor, have been authorized by the relevant Controller.
2.3 CCPA Roles
For purposes of the CCPA and other U.S. State Privacy Laws, Dale is a "service provider," "processor," or analogous role acting on behalf of Customer. Dale will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer or for any purpose other than the specific business purposes set forth in this DPA and the Agreement, including Processing for any commercial purpose other than providing the Services; or (c) combine Customer Personal Data with Personal Data received from any other source, except as expressly permitted by the CCPA. Dale certifies its understanding of the foregoing restrictions and its commitment to comply with them.
2.4 Limited Controller Role
Dale acts as an independent Controller of certain limited categories of Personal Data Processed in connection with the Services, including: (a) Personal Data contained in account registration records used to administer the Services, bill the Customer, communicate about the Services, and meet Dale's legal and regulatory obligations; (b) operational metadata, security logs, and Usage Data Processed for the purposes of operating, securing, monitoring, troubleshooting, and improving the Services; and (c) Personal Data Processed in connection with Dale's compliance with applicable law. The Processing described in this Section 2.4 is governed by the Privacy Policy rather than this DPA.
2.5 Order of Precedence
In the event of any conflict or inconsistency between this DPA and the remainder of the Agreement, this DPA will govern and prevail solely with respect to the Processing of Customer Personal Data. In the event of any conflict between this DPA and the EU SCCs or UK Addendum (as applicable), the EU SCCs or UK Addendum will govern and prevail. In the event of any conflict between this DPA and the Privacy Policy with respect to Processing performed on behalf of Customer, this DPA will govern and prevail.
3. Subject Matter, Duration, Nature & Purpose of Processing
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects related to the Processing of Customer Personal Data under this DPA are set out in Annex 1 (Description of Processing). Customer agrees that Annex 1 reflects the documented instructions of Customer to Dale at the Effective Date.
4. Customer's Instructions & Compliance
4.1 Documented Instructions
Dale will Process Customer Personal Data only on documented instructions from Customer, including with regard to Restricted Transfers, unless required to do so by applicable law to which Dale is subject. The Parties agree that the following constitute Customer's complete and final documented instructions to Dale at the Effective Date: (a) the Agreement, including this DPA; (b) the Customer's use of, and configuration of, the Services through the Services' interfaces, APIs, and administrative controls; and (c) any additional written instructions agreed by the Parties in writing.
4.2 Lawful Instructions
Customer represents and warrants that (a) it has provided all necessary notices to, and obtained all necessary consents and authorizations from, Data Subjects required to lawfully Process Customer Personal Data under this DPA and to lawfully transfer Customer Personal Data to Dale; (b) Customer's instructions to Dale comply with applicable Data Protection Laws; and (c) Customer's use of the Services and submission of Customer Personal Data does not violate any third-party rights or applicable law. Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired such Personal Data.
4.3 Notification of Conflict
Dale will inform Customer if, in Dale's opinion, an instruction from Customer infringes applicable Data Protection Laws, provided that Dale is not obligated to perform a comprehensive legal analysis of Customer's instructions. Where Dale is required by applicable law to Process Customer Personal Data otherwise than as instructed by Customer, Dale will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
5. Confidentiality of Personnel
Dale will ensure that any person it authorizes to Process Customer Personal Data, including Dale's employees, agents, contractors, and Sub-processors' personnel: (a) is subject to a binding written or statutory obligation of confidentiality; (b) has received appropriate training on Data Protection Laws and on Dale's information-security policies; and (c) Processes Customer Personal Data only as necessary to perform the Services and only on a strict need-to-know basis. Dale will take reasonable steps to ensure the reliability of any such person and will limit access to Customer Personal Data using role-based access controls and the principle of least privilege.
6. Security of Processing
6.1 Technical & Organizational Measures
Dale will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data ("Security Measures"). The Security Measures in effect as of the Effective Date are set forth in Annex 2 (Technical and Organizational Measures). Dale may update the Security Measures from time to time, provided that any such update will not materially diminish the overall level of protection afforded to Customer Personal Data.
6.2 Risk-Based Standard
In assessing the appropriate level of security, Dale will take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. Dale's Security Measures are benchmarked against the AICPA SOC 2 Trust Services Criteria, ISO/IEC 27001:2022 Annex A controls, and analogous frameworks. Dale operates a continuous controls-monitoring program through Vanta, Inc. and is currently undergoing a SOC 2 Type II examination conducted by an independent AICPA-affiliated audit firm. Audit reports, summary security documentation, and the most current status of formal certifications are available to Customer upon written request, subject to execution of a customary non-disclosure agreement.
6.3 Customer Responsibilities
Customer is responsible for (a) the secure use of the Services by its Authorized Users, including the protection of authentication credentials and the prompt deactivation of access for terminated personnel; (b) Customer's configuration of the Services consistent with the security functionality made available; and (c) the categories of Personal Data that Customer chooses to upload to or transmit through the Services, including ensuring that uploads of any "special categories" of data, or other data subject to heightened legal restrictions, are appropriate and lawful.
7. Sub-processors
7.1 General Authorization
Customer provides Dale with general written authorization to engage Sub-processors to Process Customer Personal Data, subject to the requirements set forth in this Section 7. The Sub-processors authorized by Customer as of the Effective Date are listed in Annex 3 (List of Sub-processors).
7.2 Sub-processor Obligations
Where Dale engages a Sub-processor, Dale will (a) carry out a risk-based assessment of the Sub-processor's ability to provide the level of protection for Customer Personal Data required by this DPA; (b) enter into a written agreement with the Sub-processor that imposes data protection obligations on the Sub-processor that are no less protective than those set out in this DPA, to the extent applicable to the nature of the Services provided by the Sub-processor; and (c) remain liable to Customer for the acts and omissions of any Sub-processor to the same extent as if performed by Dale itself.
7.3 Notification of New Sub-processors
Dale maintains the current list of Sub-processors at dale.legal/dpa#sub-processors (or another URL designated by Dale from time to time). Dale will provide Customer with at least thirty (30) days' prior written notice (which may be by email to the Customer's designated notice contact, or by updating the foregoing URL together with a notification mechanism to which Customer may subscribe) before authorizing any new Sub-processor to Process Customer Personal Data ("Sub-processor Notice"). Customer may subscribe to such notifications by emailing legal@dale.legal.
7.4 Right to Object
Customer may object in writing to Dale's appointment of a new Sub-processor on reasonable data-protection grounds within fifteen (15) days following the Sub-processor Notice. Upon such objection, the Parties will discuss the objection in good faith with a view to achieving a commercially reasonable resolution. If no resolution can be reached, Dale will, at its option, either (a) refrain from engaging the proposed Sub-processor with respect to Customer Personal Data, or (b) permit Customer to terminate the affected portion of the Services without further liability for unaccrued amounts paid in advance for such portion. Termination under this Section 7.4 is Customer's exclusive remedy for objections to a new Sub-processor.
8. Assistance with Data Subject Rights
8.1 Self-Service Tools
Dale will make available to Customer, through the Services, functionality that enables Customer to access, retrieve, correct, delete, restrict the Processing of, and export Customer Personal Data Processed in connection with the Services, in a manner that enables Customer to fulfill its obligations to respond to Data Subject requests under applicable Data Protection Laws.
8.2 Reasonable Assistance
Taking into account the nature of the Processing, Dale will provide reasonable assistance to Customer through appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer's obligations to respond to requests by Data Subjects to exercise their rights under applicable Data Protection Laws (including rights of access, rectification, restriction, erasure, data portability, objection, and rights related to automated decision-making and profiling).
8.3 Forwarding Data Subject Requests
If Dale receives a request from a Data Subject relating to Customer Personal Data, Dale will (a) promptly notify Customer of the request, unless prohibited by applicable law; (b) not respond to the request directly other than to acknowledge receipt and direct the Data Subject to Customer; and (c) provide reasonable assistance to Customer in responding to the request.
8.4 Costs
Dale will provide the assistance described in this Section 8 at no additional charge for assistance reasonably required to enable Customer's compliance with the Data Protection Laws. To the extent that Customer's requests for assistance exceed the scope of Dale's standard self-service functionality and require material engineering or professional-services effort, Dale may charge Customer reasonable, time-and-materials fees for such additional assistance, subject to Customer's prior written approval.
9. Personal Data Breach Notification
9.1 Notice to Customer
Dale will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification will include, to the extent then known to Dale and to the extent permitted by applicable law: (a) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of Dale's data protection or security contact; (c) a description of the likely consequences of the Personal Data Breach; and (d) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
9.2 Iterative Disclosure
Where it is not possible to provide all of the foregoing information at the same time, Dale will provide initial information promptly and supplement that information without further undue delay as it becomes available. Dale's notification of, or response to, a Personal Data Breach under this Section 9 will not be construed as an acknowledgement by Dale of any fault or liability with respect to the Personal Data Breach.
9.3 Cooperation & Remediation
Dale will cooperate with Customer and provide reasonable assistance, at no additional charge, in (a) the investigation, mitigation, and remediation of the Personal Data Breach; (b) the documentation of the Personal Data Breach as required by applicable Data Protection Laws; and (c) any required notifications to supervisory authorities or affected Data Subjects, where Customer is responsible for such notifications.
9.4 Customer's Notification Obligations
As between the Parties, Customer is solely responsible for complying with any notification obligations to supervisory authorities or affected Data Subjects under applicable Data Protection Laws. Customer agrees to coordinate with Dale on the content and timing of any public statement or notification that identifies Dale by name in connection with a Personal Data Breach, except where such coordination would conflict with Customer's legal obligations.
10. DPIAs & Prior Consultation
Taking into account the nature of the Processing and the information available to Dale, Dale will provide Customer with reasonable assistance, at no additional charge, with (a) any data protection impact assessment ("DPIA") that Customer is required to carry out under applicable Data Protection Laws in connection with the Services; and (b) any prior consultation with a supervisory authority that Customer is required to undertake under applicable Data Protection Laws. Dale's assistance will be limited to information reasonably available to Dale concerning the Services and Dale's Processing operations.
11. International Data Transfers
11.1 Transfer Mechanism
Customer acknowledges that Dale Processes Customer Personal Data in the United States and may, through Sub-processors, Process Customer Personal Data in other jurisdictions identified in Annex 3. Where the Processing of Customer Personal Data by Dale or any Sub-processor involves a Restricted Transfer, the Parties agree that the EU SCCs are hereby incorporated into and form part of this DPA, completed as set forth in Annex 4 (Cross-Border Transfer Mechanisms).
11.2 EU SCCs
For Restricted Transfers from the EEA, the EU SCCs apply as follows: (a) Module Two (Controller-to-Processor) applies where Customer is a Controller of the transferred Personal Data; (b) Module Three (Processor-to-Processor) applies where Customer is a Processor on behalf of a third-party Controller. The optional clauses set forth in Annex 4 are incorporated; clauses not selected in Annex 4 are not incorporated.
11.3 UK Addendum
For Restricted Transfers from the United Kingdom, the EU SCCs apply as supplemented by the UK Addendum, completed as set forth in Annex 4.
11.4 Switzerland
For Restricted Transfers from Switzerland, the EU SCCs apply with the following modifications: (a) references to "Regulation (EU) 2016/679" are interpreted as references to the FADP; (b) references to specific articles of "Regulation (EU) 2016/679" are replaced with the equivalent provisions of the FADP; (c) references to "Member State" do not prevent Data Subjects in Switzerland from exercising their rights in their place of habitual residence; (d) the term "supervisory authority" includes the FDPIC.
11.5 Onward Transfers
Where Dale engages a Sub-processor in a third country to Process Customer Personal Data subject to a Restricted Transfer, Dale will (a) ensure that the Sub-processor enters into the EU SCCs (and, where applicable, the UK Addendum) with Dale or directly with Customer; or (b) rely on another transfer mechanism recognized as providing adequate safeguards under applicable Data Protection Laws.
11.6 Transfer Impact Assessment
Dale will provide Customer, upon reasonable request, with information that Customer reasonably requires to conduct a transfer impact assessment in respect of Restricted Transfers, including information regarding (a) the destination jurisdictions of Customer Personal Data; (b) the laws and practices of those jurisdictions affecting the protection of the Personal Data; (c) the technical, organizational, and contractual measures applied to the transfer; and (d) Dale's experience with government access requests in relevant jurisdictions.
12. Audits & Inspections
12.1 Audit Reports
Dale will, upon reasonable written request, make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA. Such information will include, as available, the most recent third-party audit reports, attestations, and certifications maintained by Dale (for example, SOC 2 Type II reports, ISO/IEC 27001 certifications, or equivalent), subject to Customer's execution of a customary non-disclosure agreement.
12.2 On-Site Audit Right
To the extent that the information made available pursuant to Section 12.1 is not sufficient to enable Customer to demonstrate compliance with applicable Data Protection Laws, Customer may, at its own cost, conduct an audit of Dale's Processing of Customer Personal Data, subject to the following conditions: (a) Customer provides at least sixty (60) days' prior written notice, except in the case of a Personal Data Breach where shorter notice may be appropriate; (b) the audit is conducted during regular business hours and in a manner that does not unreasonably interfere with Dale's business operations; (c) the audit is conducted by Customer or by an independent qualified third-party auditor mutually agreed by the Parties (such agreement not to be unreasonably withheld), bound by confidentiality obligations no less protective than those set forth in the Agreement; (d) the audit is limited to information and systems strictly relevant to Dale's Processing of Customer Personal Data; (e) the audit does not require Dale to disclose Personal Data of any other customer, Dale's confidential commercial information, or information that would compromise the security or integrity of the Services; and (f) audits may be conducted no more than once in any twelve-month period, except where required by a supervisory authority or following a confirmed Personal Data Breach.
12.3 Audit Findings
The Parties will discuss in good faith any material findings from an audit conducted under Section 12.2, and Dale will take reasonable corrective measures necessary to remedy any non-compliance with this DPA identified by the audit.
13. AI Processing & Model Training
13.1 Use of AI in the Services
The Services use artificial intelligence and machine-learning systems, including third-party large language model and embedding APIs operated by Sub-processors identified in Annex 3 ("AI Sub-processors"), to analyze Document Data and generate Review Output. Customer Personal Data may be transmitted to AI Sub-processors via encrypted channels strictly for the purpose of generating Review Output for Customer.
13.2 No Training on Customer Personal Data
Dale will not, and will not permit any Sub-processor to, use Customer Personal Data (including Document Data) to train, fine-tune, or otherwise improve any artificial intelligence or machine-learning model that is made available to any third party or any other Dale customer. Each agreement between Dale and an AI Sub-processor includes a contractual prohibition on the AI Sub-processor's use of Customer Personal Data for training, fine-tuning, or model improvement, and on the AI Sub-processor's retention of Customer Personal Data beyond the period strictly necessary to generate the requested Review Output.
13.3 No Sale or Sharing
Customer Personal Data is not sold, shared, licensed, or otherwise made available to any third party for advertising, marketing, or model-training purposes. Dale's commercial model is not based on monetizing Customer Personal Data.
13.4 Logging & Telemetry
Dale may collect operational telemetry from the Services (for example, prompt latency, token counts, error rates, and request identifiers) for the purposes of operating, securing, and improving the Services. Such telemetry is, where reasonably practicable, designed to exclude the substantive content of Customer Personal Data. Where telemetry incidentally includes Customer Personal Data, that data is Processed in accordance with this DPA.
14. Return & Deletion of Customer Personal Data
14.1 During the Term
Throughout the term of the Agreement, Customer may, at any time and through the Services' interfaces and APIs, (a) export Customer Personal Data in a structured, commonly used, and machine-readable format, and (b) delete Customer Personal Data on a per-record, per-document, or per-account basis.
14.2 Upon Termination
Upon termination or expiration of the Agreement, or earlier upon Customer's written request, Dale will, at Customer's election, return to Customer or delete all Customer Personal Data Processed by Dale on Customer's behalf and instruct each Sub-processor to do the same. Unless Customer affirmatively requests return of Customer Personal Data within thirty (30) days following termination, Dale may delete all Customer Personal Data in accordance with the timelines set forth in Section 14.3 below.
14.3 Deletion Timeline
Dale will delete Customer Personal Data from active production systems within thirty (30) days following the later of (a) termination of the Agreement, and (b) expiry of any post-termination data export period. Dale will purge Customer Personal Data from system backups in accordance with Dale's documented backup-rotation schedule (typically not later than ninety (90) days following deletion from production systems). During any period that Customer Personal Data remains on backup media pending purge, such data will be (i) inaccessible to Dale's general personnel, (ii) protected by the Security Measures set forth in Annex 2, and (iii) Processed only as necessary for backup-rotation purposes.
14.4 Retention Required by Law
Notwithstanding Sections 14.2 and 14.3, Dale may retain Customer Personal Data to the extent and for so long as required by applicable law, provided that any retained Customer Personal Data continues to be subject to the obligations set forth in this DPA.
15. Liability
Each Party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement. Any reference in such limitations and exclusions to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Agreement and this DPA together. Nothing in this DPA limits or excludes any liability that cannot, by applicable law, be limited or excluded, including liability under Article 82 of the EU GDPR (or analogous provisions of UK GDPR or the FADP) where such liability is non-waivable.
16. Term & Termination
This DPA takes effect on the Effective Date and remains in force for so long as Dale Processes Customer Personal Data on behalf of Customer pursuant to the Agreement. Termination or expiration of this DPA will not relieve either Party of any obligations expressed to survive termination or that, by their nature, are intended to survive termination, including Sections 9 (Personal Data Breach Notification, with respect to incidents occurring prior to termination), 14 (Return and Deletion), 15 (Liability), and 19 (Governing Law).
17. Notices
Any notice required or permitted to be given under this DPA must be in writing and will be deemed given upon (a) personal delivery; (b) electronic mail to the addresses identified by the Parties for legal notices, with confirmation of delivery; or (c) the next business day after deposit with a recognized overnight courier. Notices to Dale relating to this DPA must be sent to legal@dale.legal with a copy to privacy@dale.legal.
18. Severability & No Waiver
If any provision of this DPA is held by a court or other tribunal of competent jurisdiction to be invalid, illegal, or unenforceable, the remaining provisions of this DPA will remain in full force and effect, and the provision in question will be modified to the minimum extent necessary to render it valid, legal, and enforceable while preserving its intent. No failure or delay by either Party to exercise any right or remedy under this DPA will operate as a waiver of that right or remedy.
19. Governing Law & Jurisdiction
This DPA is governed by and construed in accordance with the governing-law provisions of the Agreement, except that, to the extent the EU SCCs apply, the EU SCCs are governed by the laws of the EU Member State specified in Annex 4 and any disputes are subject to the jurisdiction specified therein, and to the extent the UK Addendum applies, the UK Addendum is governed by the laws of England and Wales and any disputes are subject to the exclusive jurisdiction of the courts of England and Wales.
20. Entire Agreement & Amendments
This DPA, together with the Agreement and the Privacy Policy, constitutes the entire agreement between the Parties with respect to the Processing of Customer Personal Data and supersedes any prior or contemporaneous understandings or agreements on this subject matter. No amendment to this DPA will be effective unless made in writing and signed by an authorized representative of each Party, except that Dale may unilaterally update this DPA from time to time to reflect (a) changes in applicable Data Protection Laws or supervisory-authority guidance, (b) the addition of new Sub-processors or transfer mechanisms in accordance with the procedures set forth herein, or (c) clarifications or corrections that do not materially diminish Customer's rights, in each case effective upon Dale's posting of an updated DPA at the URL specified above and (where the change is material) provision of reasonable advance notice to Customer.
Annex 1
Description of Processing
Part A — List of Parties
Data Exporter (Controller): The Customer identified in the Agreement, including its Authorized Users and any Affiliates that access the Services pursuant to the Agreement. Contact details for data-protection matters are those provided by Customer in the order form, account profile, or other written notice to Dale.
Data Importer (Processor): AgentCore LLC dba Dale, a Delaware limited liability company. Address and contact details for data-protection matters: privacy@dale.legal and legal@dale.legal. The Data Importer is engaged in the business of providing artificial-intelligence-assisted compliance review of Franchise Disclosure Documents and related materials.
Part B — Description of Transfer / Processing
Categories of Data Subjects
The Personal Data transferred concerns the following categories of Data Subjects:
- Customer's Authorized Users (e.g., attorneys, paralegals, compliance personnel, in-house counsel, and franchise development professionals) who access and use the Services;
- Individuals identified or identifiable in Document Data uploaded by Customer, which may include franchisor principals, officers, directors, and trustees; current and former franchisees and their principals; sales representatives; salaried employees referenced in disclosures; and litigation parties and counsel referenced in Item 3 disclosures or related exhibits;
- Individuals whose Personal Data appears in financial statements, signature pages, exhibits, or other attachments to Franchise Disclosure Documents.
Categories of Personal Data
The Personal Data transferred concerns the following categories of data:
- Account & profile data: name, business email address, professional title, organizational affiliation, hashed authentication credentials, role assignments, and account preferences;
- Document Data: the full content of Franchise Disclosure Documents and related exhibits, which may incidentally contain Personal Data such as names, business contact details, signatures, professional histories, financial data, litigation history, and bankruptcy disclosures, as required to be disclosed under the FTC Franchise Rule and analogous state regulations;
- Communications data: the content of support requests, feedback submissions, and other communications sent to Dale by Authorized Users;
- Usage Data: records of interaction with the Services, including session metadata, feature usage, search queries, and the timestamps and identifiers associated therewith;
- Device & network data: IP address, browser type and version, operating system, device identifiers, and approximate geolocation derived from IP address.
Sensitive Data & Special Categories
The Services are not designed or intended to be used to Process special categories of Personal Data within the meaning of Article 9 EU GDPR or "sensitive personal information" within the meaning of the CCPA. Customer is responsible for ensuring that any such data, if incidentally present in Document Data, is handled in accordance with applicable Data Protection Laws and any heightened consents or notices required thereunder.
Frequency of Transfer
Personal Data is Processed on a continuous basis for so long as Customer accesses and uses the Services and during any post-termination retention period required for return, deletion, or legal compliance.
Nature of the Processing
Receipt, ingestion, parsing, hosting, structuring, indexing, storage, retrieval, transmission to AI Sub-processors for inference, generation of Review Output, presentation through the Services' user interfaces and APIs, security and integrity monitoring, backup, and ultimately return or deletion as instructed by Customer or as required by applicable law.
Purpose(s) of the Processing
To provide the Services to Customer in accordance with the Agreement, including the analysis of Customer's Document Data against applicable franchise compliance rulesets and the generation of compliance findings, reports, and other Review Output for Customer's review.
Duration of Processing & Retention Period
Personal Data is Processed and retained for the term of the Agreement and for the post-termination periods set forth in Section 14 of this DPA, plus any additional retention period required by applicable law.
Sub-processors
For onward transfers to Sub-processors, the subject matter, nature, and duration of Sub-processor Processing are described in Annex 3 below.
Part C — Competent Supervisory Authority
Where the EU SCCs apply, the competent supervisory authority is determined in accordance with Clause 13 of the EU SCCs and is the supervisory authority of (a) the EU Member State in which the Customer (as Controller) is established, or (b) where the Customer is not established in the EEA but has appointed an EU representative under Article 27 of the EU GDPR, the supervisory authority of the Member State in which the EU representative is established, or (c) where neither (a) nor (b) applies, the supervisory authority of the Member State in which the Data Subjects whose Personal Data is transferred under the EU SCCs in relation to the offering of goods or services to them, or whose behavior is monitored, are located.
Where the UK Addendum applies, the competent supervisory authority is the United Kingdom Information Commissioner's Office. Where the FADP adaptations apply, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
Annex 2
Technical & Organizational Measures
This Annex describes the technical and organizational measures implemented by Dale to ensure a level of security appropriate to the risk of the Processing, in accordance with Article 32 EU GDPR (and analogous provisions of UK GDPR, the FADP, and other Data Protection Laws). Dale benchmarks these measures against the AICPA SOC 2 Trust Services Criteria and ISO/IEC 27001:2022 Annex A controls and is in active progress toward formal third-party attestation under each. Dale may update these measures from time to time, provided that any update will not materially diminish the overall level of protection.
1. Information Security Governance
- Dale maintains a documented information-security program owned by an executive-level individual accountable for security, reviewed at least annually and following material changes to the Services, regulatory environment, or threat landscape.
- Dale maintains written policies covering access control, acceptable use, change management, vendor management, secure software development, vulnerability and patch management, incident response, business continuity and disaster recovery, data classification and handling, cryptography, and personnel security.
- All Dale personnel are required to acknowledge applicable security policies upon hire and at least annually thereafter, and to complete role-appropriate security and privacy training (including secure coding training for engineering personnel and privacy training for personnel with access to Customer Personal Data).
2. Personnel Security
- All personnel with access to Customer Personal Data are subject to background checks where permitted by applicable law, prior to being granted access.
- All personnel and contractors are bound by written confidentiality and acceptable-use obligations that survive termination of their engagement.
- Access provisioning follows a documented joiner-mover-leaver process; access is reviewed at least quarterly and revoked promptly upon role change or separation.
3. Identity, Authentication & Access Control
- Access to systems Processing Customer Personal Data is enforced through centralized identity management with single sign-on and multi-factor authentication required for all human access.
- Privileged access (production console, infrastructure, and administrative interfaces) requires hardware-backed multi-factor authentication and, where applicable, time-bound just-in-time elevation, with all sessions logged.
- Role-based access controls implement the principle of least privilege; access to Customer Personal Data is limited to personnel whose role requires it for the operation, support, or security of the Services.
- Authentication credentials are stored using industry-standard one-way hashing (e.g., bcrypt, argon2) with per-credential salting; service-to-service authentication uses short-lived credentials, signed tokens, or workload identities.
- Customer-tenant logical separation is enforced at the application and data-store layers; no Authorized User may access another organization's Customer Personal Data through the Services.
4. Encryption & Key Management
- In transit: All Customer Personal Data transmitted across public networks is encrypted using TLS 1.2 or higher with modern cipher suites and forward secrecy. Internal service-to-service traffic carrying Customer Personal Data is encrypted in transit.
- At rest: Customer Personal Data is encrypted at rest in primary stores and in backups using AES-256 (or equivalent or stronger) algorithms.
- Key management: Cryptographic keys are managed in cloud-provider key-management services with role-segregated access, automatic rotation in accordance with industry best practice, and audit logging of key-management operations.
- Database-level and application-level encryption of specific high-sensitivity fields is applied where appropriate based on data classification.
5. Network & Infrastructure Security
- Production infrastructure is hosted in commercial cloud environments operated by Sub-processors holding ISO/IEC 27001 certification and SOC 2 Type II attestation.
- Network segmentation isolates production from non-production environments. Public exposure is limited to the minimum surface area required to operate the Services. Inbound traffic is filtered through web-application-firewall and rate-limiting layers; egress is restricted to known destinations.
- Dale enforces hardened baseline configurations on production hosts and containers; configuration drift is detected and remediated through infrastructure-as-code controls.
- System and application logs are aggregated to a centralized, tamper-evident log store with retention sufficient to support forensic investigation.
6. Application Security & Secure Development Lifecycle
- Dale follows a documented secure-software-development lifecycle including peer code review for changes touching production systems, automated static and dependency analysis, and pre-merge security gates.
- Production deployments are performed through automated continuous-deployment pipelines with auditable change history; manual production access is restricted, logged, and reviewed.
- Customer-facing inputs are validated and output-encoded; the Services apply protections against the OWASP Top 10 categories of application vulnerabilities.
- A documented vulnerability-management program assigns severities, owners, and remediation timelines to identified vulnerabilities, with critical and high-severity vulnerabilities prioritized for accelerated remediation.
7. Vulnerability Management & Penetration Testing
- Dale conducts regular automated vulnerability scanning of internet-facing assets and container images.
- Dale engages independent third-party penetration testing of the Services on a periodic basis (no less than annually, and following material changes to the architecture). Summary results of the most recent test are available to Customer under non-disclosure agreement upon request.
- Identified findings are tracked through a remediation workflow with severity-based service-level objectives.
8. Logging, Monitoring & Detection
- Authentication events, privileged operations, and data-access events are logged and retained in a centralized log store.
- Dale monitors for anomalous access patterns, brute-force authentication attempts, and indicators of compromise; alerts are routed to on-call personnel for triage.
- Logs are retained for a period sufficient to support forensic investigation and applicable legal-retention obligations and are protected against unauthorized modification.
9. Incident Response
- Dale maintains a documented incident-response plan covering detection, triage, containment, eradication, recovery, post-incident review, and Customer notification, reviewed and tested at least annually.
- An on-call rotation is in place to ensure timely response to security alerts on a twenty-four-hour, seven-day basis.
- Personal Data Breaches involving Customer Personal Data are notified to Customer in accordance with Section 9 of the DPA.
10. Business Continuity & Disaster Recovery
- Customer Personal Data stored in primary production data stores is backed up on a regular schedule.
- Backups are encrypted at rest and stored with geographic redundancy within the Customer's primary region of Processing.
- Dale maintains documented recovery objectives and tests its backup-restoration procedures on a periodic basis.
- Critical infrastructure components are deployed across multiple availability zones to mitigate the impact of single-zone failures.
11. Data Lifecycle, Retention & Deletion
- Customer Personal Data is logically segregated by tenant. Customer-initiated deletion through the Services removes Customer Personal Data from active production stores in accordance with documented deletion routines.
- Following account termination, Customer Personal Data is purged from production within thirty (30) days and from backups within ninety (90) days, in accordance with Section 14 of the DPA.
- De-identified or aggregated data derived from Customer Personal Data may be retained for product-improvement purposes only where the de-identification is implemented in accordance with applicable Data Protection Laws and the data cannot reasonably be re-associated with any individual.
12. Vendor & Sub-processor Management
- Dale conducts a documented security and privacy review of each Sub-processor prior to engagement, considering the Sub-processor's certifications, audit reports, contractual posture, and security and privacy practices.
- Each Sub-processor is bound by a written agreement imposing data-protection obligations no less protective than those in this DPA (to the extent applicable to the Sub-processor's services).
- Sub-processor risk is reassessed periodically and following material changes in service or risk posture.
13. Physical Security
- Production data centers are operated by cloud Sub-processors and are physically secured in accordance with the certifications and attestations maintained by those providers, including biometric access controls, twenty-four-hour monitoring, and environmental safeguards.
- Dale's personnel work primarily in remote and home-office settings; corporate endpoints are managed through mobile-device-management with disk encryption, automatic patching, and remote-wipe capability.
14. Privacy by Design & Data Minimization
- Dale designs the Services to collect and Process only the Personal Data necessary to provide the requested functionality.
- Where reasonably practicable, Personal Data is pseudonymized or de-identified for non-production environments and operational telemetry.
- Personal Data is segregated by tenant and access is logged for accountability.
15. Compliance & Audit
- Dale's information-security program is designed against the AICPA SOC 2 Trust Services Criteria and ISO/IEC 27001:2022 Annex A controls. A SOC 2 Type II examination is currently underway, conducted by an independent AICPA-affiliated audit firm.
- Dale operates a continuous controls-monitoring program through Vanta, Inc., providing automated, ongoing assurance over the implementation and operating effectiveness of in-scope security controls.
- Dale maintains records of Processing activities relating to Customer Personal Data sufficient to demonstrate compliance with this DPA.
- Audit reports, penetration-test summaries, and other security documentation are available to Customer upon written request, subject to execution of a customary non-disclosure agreement.
- Customer audit rights are governed by Section 12 of this DPA.
Annex 3
List of Sub-processors
The following Sub-processors are authorized to Process Customer Personal Data in connection with the Services as of the Effective Date. Dale will update this list in accordance with Section 7 of this DPA prior to engaging any new Sub-processor.
| Sub-processor | Service / Purpose | Categories of Personal Data | Location | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure, compute, storage, networking, and key management for the production Services. | All categories of Customer Personal Data, including Document Data and account data. | United States | EU SCCs / UK Addendum / DPF (where applicable) |
| Render Services, Inc. | Application hosting, deployment, and runtime environment for portions of the Services. | Customer Personal Data Processed by hosted Services components. | United States | EU SCCs / UK Addendum (where applicable) |
| Vercel Inc. | Edge hosting and content-delivery for the Customer-facing web applications and marketing site. | Account & profile data, Usage Data, device & network data. | United States (with global edge locations) | EU SCCs / UK Addendum (where applicable) |
| OpenAI, L.L.C. | Large-language-model and embedding inference for analyzing Document Data and generating Review Output. | Document Data and prompts derived therefrom; no account data. | United States | EU SCCs (no-training, zero-data-retention API terms) |
| Anthropic, PBC | Large-language-model inference for analyzing Document Data and generating Review Output. | Document Data and prompts derived therefrom; no account data. | United States | EU SCCs (no-training API terms) |
| Google LLC (Vertex AI / Cloud) | Large-language-model inference and supporting cloud services for analyzing Document Data and generating Review Output. | Document Data and prompts derived therefrom. | United States | EU SCCs / UK Addendum / DPF (where applicable) |
| Stripe, Inc. | Payment processing, subscription management, and tax calculation for paid Subscriptions. | Account holder name, billing email, billing address, payment method metadata. Card data is collected directly by Stripe and is not transmitted through Dale's systems. | United States / Ireland | EU SCCs / DPF |
| Resend, Inc. | Transactional email delivery (account verification, security alerts, review-completion notifications). | Email address, recipient name, subject and body of transactional messages. | United States | EU SCCs (where applicable) |
| Sentry (Functional Software, Inc.) | Application error monitoring and performance telemetry. | Limited Personal Data incidentally captured in error stack traces, IP address, browser metadata. | United States | EU SCCs / DPF |
| Cloudflare, Inc. | Content delivery, DDoS mitigation, web-application firewall, and bot management at the network edge. | IP address, request metadata, device & network data. | United States (with global edge locations) | EU SCCs / DPF |
Annex 4
Cross-Border Transfer Mechanisms
Part A — EU Standard Contractual Clauses
Where the EU SCCs apply pursuant to Section 11 of this DPA, the following modular completions are agreed:
- Module Two (Controller-to-Processor) applies where Customer is a Controller of the Personal Data transferred to Dale. Module Three (Processor-to-Processor) applies where Customer is a Processor on behalf of a third-party Controller.
- Clause 7 (Docking Clause): not incorporated.
- Clause 9 (Use of Sub-processors): Option 2 (general written authorization) is selected. The notice period for changes is thirty (30) days as specified in Section 7.3 of this DPA.
- Clause 11 (Redress): the optional language permitting Data Subjects to lodge a complaint with an independent dispute-resolution body is not incorporated.
- Clause 17 (Governing Law): the EU SCCs are governed by the law of Ireland.
- Clause 18 (Choice of Forum and Jurisdiction): any dispute arising from the EU SCCs is resolved by the courts of Ireland.
- Annex I.A (List of Parties): as set forth in Annex 1, Part A of this DPA.
- Annex I.B (Description of Transfer): as set forth in Annex 1, Part B of this DPA.
- Annex I.C (Competent Supervisory Authority): as set forth in Annex 1, Part C of this DPA.
- Annex II (Technical and Organizational Measures): as set forth in Annex 2 of this DPA.
- Annex III (List of Sub-processors): as set forth in Annex 3 of this DPA.
Part B — UK International Data Transfer Addendum
Where the UK Addendum applies pursuant to Section 11.3 of this DPA, the Parties agree the following completions to the UK Addendum:
- Table 1 (Parties): as set forth in Annex 1, Part A of this DPA.
- Table 2 (Selected SCCs, Modules and Selected Clauses): the Approved EU SCCs as completed in Part A of this Annex 4.
- Table 3 (Appendix Information): as set forth in Annex 1, Part B; Annex 2; and Annex 3 of this DPA.
- Table 4 (Ending the Addendum): neither Party may end the UK Addendum as set forth in Section 19 of the UK Addendum.
Part C — Switzerland
For Restricted Transfers from Switzerland, the EU SCCs apply with the modifications set forth in Section 11.4 of this DPA. The competent supervisory authority for such transfers is the Swiss Federal Data Protection and Information Commissioner.
Part D — Data Privacy Framework (DPF)
To the extent Dale or any Sub-processor self-certifies under the EU–U.S. Data Privacy Framework, the UK Extension to the EU–U.S. Data Privacy Framework, or the Swiss–U.S. Data Privacy Framework (collectively, "DPF"), the DPF may serve as an alternative or supplemental transfer mechanism for the relevant transfers, in addition to the EU SCCs and UK Addendum set forth above.
21. Contact
Questions regarding this DPA, requests for a counter-signed version, sub-processor notifications, audit reports, or any other data-protection matter should be directed to:
AgentCore LLC dba Dale
Attn: Legal & Privacy
Email: legal@dale.legal
Privacy: privacy@dale.legal