Data Processing Agreement
Version 1.1 - 5 January 2026
This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement (the “Principal Agreement”) between Bonnard Ltd. (“Processor” or “Bonnard”) and the Customer (“Controller”) and is subject to the terms of that Principal Agreement.
Definitions
- “Applicable Data Protection Laws” means the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) and its national implementations (including UK GDPR); and any other data protection laws in Europe (e.g., the UK Data Protection Act 2018).
- “Controller's Personal Data” means any Personal Data that Bonnard Processes on behalf of the Controller under the Principal Agreement.
- “Personal Data” has the meaning set out in Article 4(1) of the GDPR.
- “Services” means the services that Bonnard provides to the Controller under the Principal Agreement.
1. Compliance with Applicable Data Protection Laws
Both Bonnard and the Controller shall comply with all applicable provisions of the Applicable Data Protection Laws in connection with the Processing of Controller's Personal Data. Each party shall ensure that its employees, agents or Sub-processors abide by the requirements of this DPA and Applicable Data Protection Laws.
2. Details and Scope of Processing
2.1 Subject matter and duration
Bonnard will Process Controller's Personal Data solely to provide the Services described in the Principal Agreement. The duration of Processing shall be the term of the Principal Agreement, including any renewals.
2.2 Nature and purpose of Processing
Bonnard will Process Personal Data as strictly necessary to:
- Provide and maintain the Services
- Detect, prevent and resolve technical or security issues
- Respond to Controller's support requests
- Comply with any other documented instructions from the Controller
2.3 Categories of Personal Data
The Controller determines which Personal Data it uploads. Typical categories include:
- Names (e.g., customer name, lead name)
- Email addresses
- Telephone numbers
- IP addresses and device identifiers
2.4 Categories of Data Subjects
Employees, contractors or affiliates of Controller (to the extent their data is Processed).
2.5 Controller's Instructions
Bonnard shall Process Personal Data only on documented instructions of the Controller. If Bonnard believes any instruction conflicts with Applicable Data Protection Laws, Bonnard shall inform Controller without undue delay.
2.6 Controller Responsibilities
Controller is responsible for:
- Ensuring it has a valid legal basis for Processing the Personal Data
- Providing accurate instructions and verifying data is lawfully collected
- Limiting the scope of data uploaded to what is necessary for the Services
- Encrypting any Personal Data before transmission if required by law
3. Controller and Processor Roles
For all Processing under this DPA, Controller is the Data Controller and Bonnard is the Data Processor. If the Controller acts as Processor in any context, Bonnard becomes a Sub-processor.
Bonnard's designated Data Protection contact: privacy@bonnard.ai
4. Confidentiality
Bonnard shall ensure that any person it authorises to Process Controller's Personal Data is under a binding confidentiality obligation. All personnel involved shall receive appropriate training on security and data protection.
5. Technical and Organizational Measures
Bonnard has implemented appropriate technical and organizational measures to protect Controller's Personal Data, including:
- Access Control: Role-based access controls with quarterly reviews.
- Authentication & Passwords: Passwords of at least 12 characters, hashed and salted. Multi-Factor Authentication (MFA) for all administrative access.
- Encryption: All in-transit data encrypted via TLS 1.2 or higher. All data at rest encrypted using AES-256 or equivalent.
- Vulnerability Management: Weekly automated vulnerability scans. High/critical patches applied within 30 days of release.
- Backup & Recovery: Daily incremental backups, weekly full backups.
- Incident Detection & Monitoring: Continuous logging and monitoring of platform events. Endpoint Detection & Response (EDR) on all server environments.
- Physical Security: Data centers located in EU/EEA member states with strict access controls. Redundant power and environmental controls.
- Data Retention & Minimization: Personal Data collected is minimized to only what is necessary. Automated data deletion 90 days after account termination unless Controller requests return.
6. Sub-processing
6.1 General Authorization
Controller hereby authorises Bonnard to appoint Sub-processors to provide parts of the Services.
6.2 Current Sub-processors
| Entity | Location | Service |
|---|---|---|
| Supabase, Inc. | EU | Database Services |
| Vercel Inc. | EU | Hosting Services |
| Amazon Web Services (Anthropic via Bedrock) | EU | AI Data Services |
| Clerk, Inc. | US (DPF Approved) | Authentication |
| Functional Software, Inc. (Sentry) | EU | Error Tracking |
| PostHog, Inc. | EU | Product Analytics |
| Bonnard Ltd (UK) | UK | Service Provisioning |
6.3 Notice and Objection
Bonnard will notify Controller at least 14 days in advance of any new Sub-processor appointment. Controller may object in writing within 10 business days.
6.4 Flow-down Requirements
Bonnard will impose on any Sub-processor data protection obligations at least as stringent as those in this DPA. Bonnard remains fully liable for acts or omissions of its Sub-processors.
7. Data Subject Rights
If Bonnard receives a request directly from a Data Subject, Bonnard will promptly (within 5 business days) forward such request to Controller. Bonnard shall provide reasonable assistance to help Controller respond to Data Subject requests.
8. Personal Data Breaches
Bonnard shall notify Controller without undue delay — and in any event within 48 hours — after becoming aware of any Personal Data Breach. Notification shall include:
- Description of the nature of the breach
- Likelihood and severity of any risk to Data Subjects
- Proposed measures taken or to be taken to mitigate adverse effects
- Any other information necessary to fulfill Controller's breach-notification obligations
9. Data Protection Impact Assessments
If Controller determines that a DPIA or prior consultation with a supervisory authority is required, Bonnard shall provide reasonable assistance with the preparation.
10. Audits and Inspections
10.1 Compliance Documentation
Bonnard shall make available to Controller information necessary to demonstrate compliance with this DPA.
10.2 On-site or Third-party Audits
Controller may, once per calendar year and upon at least 30 days' written notice, conduct an audit of Bonnard's facilities insofar as they relate to Processing of Controller's Personal Data.
11. Return or Deletion of Personal Data
Before or within 30 days after termination, Controller may request that Bonnard return all copies of Controller's Personal Data or securely delete such data. If Controller does not request return, Bonnard may securely delete all Personal Data 90 days after termination.
12. International Data Transfers
Bonnard will store and Process Controller's Personal Data exclusively within the EU/EEA/UK. Bonnard shall not transfer any data outside the EU/EEA/UK unless Controller explicitly instructs otherwise, in which case appropriate Standard Contractual Clauses or other approved transfer mechanisms must be in place.
13. Governing Law and Jurisdiction
This DPA and all disputes arising from it are governed by the laws of England and Wales, subject to the exclusive jurisdiction of the courts of England and Wales.
14–16. Precedence, Severability & Termination
If there is any conflict between this DPA and other agreements, this DPA shall prevail. If any provision is unenforceable, the remainder continues in full force. This DPA terminates automatically when the Principal Agreement terminates. Sections 11, 12, 13, 14, and 15 survive expiration or termination.