Data Processing Addendum

Last updated: 12 May 2026 · Policy version: kye-dpa-v1.0-2026-05-12 · Version hash: ea0418f6b2c1de77

1. Application

This Data Processing Addendum (DPA) is incorporated into the Terms of Service and applies to KYE™ Protocol™ Ltd's processing of personal data on behalf of the Customer. It is intended to satisfy the requirements of GDPR Article 28, UK GDPR Article 28, and equivalent provisions of the EU AI Act where applicable.

2. Roles

Customer is the data controller (or, where applicable, the processor on behalf of its own customers) of any personal data it transmits to KYE™ in connection with the Services. KYE™ is the data processor (or sub-processor). Each party will comply with its obligations under applicable data-protection law.

3. Subject matter and duration

KYE™ will process Customer Data only as needed to provide the Services described in the order form and the Terms. Duration: for the term of the Services plus any post-termination return / deletion window described in §11.

4. Nature and purpose of processing

Capturing Observed Actions from Customer Stack Bindings, running Shadow Evaluations, classifying Authority Gaps, generating Guard Recommendations, sealing Evidence Packs, and storing those records for the agreed retention period.

5. Categories of personal data

  • Identifiers of customer-side AI agents and the principals on whose behalf they act.
  • References to target resources (invoice IDs, vendor IDs, account IDs — not the underlying content unless Customer explicitly opts in).
  • Hashed IP and User-Agent of customers' own end-users where these surface in Observed Actions.
  • Personal data that the Customer's own AI agents touch in the course of their work, where such data is in scope of a Stack Binding.

6. Categories of data subjects

Customer's employees, contractors, agents, and end-users (including bank customers, patients, citizens) whose personal data is processed by Customer's AI agents under observation.

7. Sub-processors

Customer authorises KYE™ to engage the sub-processors listed at /legal/sub-processors. KYE™ imposes contractual obligations on each sub-processor that are no less protective than this DPA. Material additions are announced at least 30 days in advance; Customer may object on reasonable grounds, in which case the parties will work in good faith on a mitigation.

8. Standard Contractual Clauses

For transfers of personal data out of the UK, the UK International Data Transfer Addendum is incorporated by reference. For transfers out of the EEA, the EU Standard Contractual Clauses 2021/914 Module 2 (controller-to-processor) or Module 3 (processor-to-processor) are incorporated, with Customer as “data exporter” and KYE™ as “data importer”, governing law of England and Wales (Module 2 Clause 17(a) Option 1), competent supervisory authority the ICO unless otherwise required, and the docking clause adopted.

9. Security measures (Annex 1)

  • Encryption in transit (TLS 1.3) and at rest (AES-256 or equivalent provider-managed encryption).
  • Role-based access control with MFA on every administrative account.
  • Network isolation between tenants, including isolated D1 / KV / R2 storage.
  • Append-only audit logging of every administrative action via the AI Call Ledger™.
  • Annual independent penetration test, results made available under NDA.
  • SOC 2 Type II in progress (target completion Q4 2026); ISO 27001 statement of applicability mapped at /oscal.
  • Background checks on every operator with production access.
  • Documented incident-response plan; data-breach notification within 72 hours of becoming aware.

10. Data-subject rights handling

KYE™ will assist the Customer in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection). For requests routed directly to KYE™, KYE™ will redirect the data subject to the Customer (their controller) unless KYE™ is independently obliged to respond. Reasonable assistance costs may be charged at our standard rates.

11. Return and deletion on termination

On termination, KYE™ will, at Customer's written instruction received within 30 days of termination: (a) export Customer Data in a portable format (JSON, signed Evidence Packs); (b) delete remaining Customer Data within a further 30 days, subject to legal-retention obligations; (c) issue a written certification of deletion on request. After the 30-day window, KYE™ may delete Customer Data without further notice.

12. Audit rights

Customer (or its independent auditor) may audit KYE™'s compliance with this DPA once per calendar year, subject to reasonable notice (30 days), confidentiality undertakings, and during normal business hours. KYE™ will additionally make available the most recent SOC 2 Type II report (once available) and the OSCAL control statement (available now). Audit costs are borne by Customer except where the audit identifies a material breach by KYE™.

13. Governing law

This DPA is governed by the laws of England and Wales (subject to the Standard Contractual Clauses' own choice-of-law where they apply).