Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Use or Master Services Agreement (“Agreement”) between Compliance Singularity (“Processor,” “Service Provider,” “we,” “us”) and the customer organization (“Customer,” “Controller,” “you”).

This DPA governs the processing of personal data by Compliance Singularity on behalf of Customer.

1. Definitions

Applicable Data Protection Laws — All applicable privacy and data protection laws including but not limited to:

• GDPR (EU 2016/679)
• UK GDPR
• CCPA / CPRA
• U.S. state privacy laws
• Other applicable global privacy laws

Personal Data — Any information relating to an identified or identifiable person processed through the Platform.

Processing — Any operation performed on Personal Data, including collection, storage, use, transmission, or deletion.

2. Roles of the Parties

Customer acts as Data Controller.

Compliance Singularity acts as Data Processor.

Compliance Singularity processes Personal Data only to provide the Platform services described in the Agreement.

3. Nature and Purpose of Processing

Compliance Singularity processes Personal Data to provide AI-assisted compliance management services.

Processing may include:

• Analyzing company profiles
• Identifying potential compliance obligations
• Generating compliance task lists
• Storing compliance documentation
• Integrating with customer systems

AI processing occurs through anonymization layers where feasible.

4. Categories of Data

Customer may submit the following data types:

Business Information

• Company name
• Entity structure
• Jurisdiction
• Subsidiaries
• Office locations

Personnel Data

• Employee names
• Role titles
• Email addresses

Compliance Data

• Tax information
• Regulatory filings
• HR compliance data
• Operational records

5. Data Minimization and Anonymization

Compliance Singularity implements technical measures to reduce exposure of personal data.

The platform architecture includes anonymization mechanisms where:

• Identifiable company and personnel information may be removed before AI processing
• Anonymized data is used for regulatory research operations

6. Security Measures

Compliance Singularity implements appropriate technical and organizational safeguards including:

• Encryption of sensitive data at rest
• Access control systems
• Role-based access permissions
• Tenant isolation for organizational data
• Monitoring and logging of AI system calls
• Infrastructure security controls

Enterprise customers may deploy the platform in:

• Hybrid deployments
• On-premise configurations
• BYOK (Bring Your Own Key) encryption environments

7. Subprocessors

Compliance Singularity may use subprocessors to provide the Platform. Examples include:

• Cloud infrastructure providers
• Database providers
• AI model providers
• Integration partners

Compliance Singularity remains responsible for ensuring subprocessors meet appropriate security and privacy standards.

A current list of subprocessors will be made available upon request.

8. International Data Transfers

Personal Data may be transferred internationally where necessary to provide the Platform.

Where required, Compliance Singularity will implement appropriate safeguards including:

• Standard Contractual Clauses
• Contractual data protection commitments
• Enterprise deployment options allowing customers to control data residency

9. Data Retention

Customer data is retained:

• For the duration of the customer account
• As necessary to provide the Platform services
• Or as required by law

Upon termination of services, Customer may request deletion of Personal Data.

10. Data Subject Rights

Compliance Singularity will assist Customer, where reasonably possible, in responding to requests from data subjects under applicable privacy laws.

11. Security Incident Notification

Compliance Singularity will notify Customer without undue delay upon becoming aware of a confirmed security incident involving Customer Personal Data.

Notifications will include:

• Description of incident
• Potential impact
• Mitigation steps

12. Deletion or Return of Data

Upon termination of services and written request, Compliance Singularity will delete or return Customer Personal Data, unless retention is required by law.

13. Audits

Enterprise customers may request reasonable information demonstrating compliance with this DPA.

14. Liability

Liability under this DPA is subject to the limitations of liability defined in the Terms of Use or applicable Master Services Agreement.