Data Processing Agreement
Last updated: April 1, 2026
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or other written agreement ("Agreement") between Xentovia Tech Private Limited ("Xentovia," "Processor," "we," or "us") and the entity executing the Agreement ("Customer," "Controller," or "you") for the provision of AI-powered document processing, workflow automation, and related services (the "Services").
This DPA sets out the terms that apply when Personal Data is processed by Xentovia on behalf of the Customer in the course of providing the Services. The purpose of this DPA is to ensure such processing is conducted in accordance with applicable data protection laws, including but not limited to the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the California Consumer Privacy Act ("CCPA"), India's Digital Personal Data Protection Act, 2023 ("DPDPA"), and other applicable data protection legislation (collectively, "Data Protection Laws").
1. Definitions
In this DPA, the following terms have the meanings set out below:
- "Controller" means the entity that determines the purposes and means of the Processing of Personal Data. Under this DPA, the Customer is the Controller.
- "Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, Xentovia is the Processor.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" means any information relating to a Data Subject that is processed by Xentovia on behalf of the Customer in connection with the Services, including but not limited to names, identification numbers, contact details, financial records, health information, and any data defined as "personal data," "personal information," or equivalent under applicable Data Protection Laws.
- "Processing" (and "Process") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by Xentovia to Process Personal Data on behalf of the Customer in connection with the Services.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed by Xentovia or its Sub-processors.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission or other competent authority.
2. Scope and Purpose of Processing
2.1 Scope
This DPA applies to all Processing of Personal Data by Xentovia on behalf of the Customer in connection with the Services. The Services involve AI-powered document intelligence, including but not limited to the processing of insurance claims, healthcare records, mortgage and lending documents, government records, and other enterprise documents as directed by the Customer.
2.2 Categories of Data Subjects
Data Subjects may include, but are not limited to:
- Customer's employees, contractors, and agents
- Customer's end users and clients
- Policyholders, claimants, patients, borrowers, and applicants whose records are processed through the Services
- Any other individuals whose Personal Data is submitted to the Services by or on behalf of the Customer
2.3 Types of Personal Data
Personal Data processed may include, depending on the Customer's use of the Services:
- Names, addresses, and contact information
- Government-issued identification numbers (e.g., Social Security Numbers, Tax IDs)
- Financial information (account numbers, income details, credit data)
- Health and medical records
- Insurance policy and claims information
- Employment information
- Any other categories of Personal Data submitted by the Customer to the Services
2.4 Purpose of Processing
Xentovia shall Process Personal Data solely for the purpose of providing the Services to the Customer in accordance with the Agreement, including: document ingestion and extraction, AI-powered classification and analysis, data validation, workflow automation, and generation of outputs as configured by the Customer. Xentovia shall not Process Personal Data for any other purpose unless required by applicable law, in which case Xentovia shall inform the Customer of that legal requirement before Processing unless prohibited by law from doing so.
2.5 Duration of Processing
Xentovia shall Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law.
3. Obligations of Xentovia as Processor
3.1 Documented Instructions
Xentovia shall Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. Where Xentovia believes that an instruction from the Customer infringes applicable Data Protection Laws, Xentovia shall promptly notify the Customer.
3.2 Confidentiality
Xentovia shall ensure that all persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data shall be limited to those personnel who require access to perform the Services.
3.3 Security Measures
Xentovia shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 4 of this DPA. These measures shall be designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, or disclosure.
3.4 Sub-processors
Xentovia shall not engage any Sub-processor to Process Personal Data without prior written authorization from the Customer. Xentovia maintains a list of currently approved Sub-processors as described in Section 5 of this DPA. Xentovia shall notify the Customer of any intended changes to that list by adding or replacing a Sub-processor at least 30 days in advance, giving the Customer the opportunity to object to such changes. If the Customer reasonably objects to a new Sub-processor on data protection grounds, Xentovia shall use commercially reasonable efforts to make available an alternative arrangement. Where Xentovia engages a Sub-processor, Xentovia shall impose on that Sub-processor data protection obligations no less protective than those set out in this DPA by way of a written contract. Xentovia shall remain fully liable for the acts and omissions of its Sub-processors.
3.5 Data Subject Rights
Xentovia shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill the Customer's obligation to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection). If Xentovia receives a request directly from a Data Subject, Xentovia shall promptly redirect the Data Subject to the Customer and notify the Customer of such request, unless otherwise required by applicable law.
3.6 Assistance with Compliance
Xentovia shall assist the Customer in ensuring compliance with its obligations under applicable Data Protection Laws, including obligations relating to data protection impact assessments and prior consultation with supervisory authorities, taking into account the nature of Processing and the information available to Xentovia.
3.7 Deletion and Return of Data
Upon termination or expiration of the Agreement, Xentovia shall, at the Customer's election, delete or return all Personal Data to the Customer, and delete existing copies unless applicable law requires storage of the Personal Data. The Customer may request return of Personal Data in a commonly used, machine-readable format. Xentovia shall complete deletion within 90 days of termination unless otherwise agreed or required by law.
3.8 Audit Rights
Xentovia shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable Data Protection Laws, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer. Such audits shall be conducted with reasonable notice (no less than 30 days, except in the case of a Security Incident), during normal business hours, and in a manner that does not unreasonably disrupt Xentovia's operations. The Customer shall bear the costs of any audit unless the audit reveals material non-compliance by Xentovia, in which case Xentovia shall bear the costs.
4. Security Measures
Xentovia implements and maintains the following technical and organizational security measures to protect Personal Data:
4.1 Encryption
- Data at Rest: All Personal Data stored by Xentovia is encrypted using AES-256 encryption.
- Data in Transit: All data transmitted between the Customer and Xentovia, and between Xentovia and its Sub-processors, is encrypted using TLS 1.3 or higher.
- Key Management: Encryption keys are managed using industry-standard key management services with regular key rotation.
4.2 Access Controls
- Authentication: Multi-factor authentication (MFA) is required for all access to systems that Process Personal Data.
- Authorization: Role-based access control (RBAC) ensures that personnel access only the data necessary for their function.
- Least Privilege: Access permissions follow the principle of least privilege, with access reviews conducted quarterly.
4.3 Infrastructure Security
- Tenant Isolation: Customer data is logically isolated at the infrastructure level, ensuring strict separation between tenants.
- Network Security: Firewalls, intrusion detection systems, and network segmentation protect the processing environment.
- Vulnerability Management: Regular vulnerability scanning and penetration testing are conducted, with critical vulnerabilities remediated promptly.
4.4 Monitoring and Logging
- Audit Logging: Comprehensive audit logs are maintained for all access to and operations on Personal Data, including user identity, timestamp, action performed, and affected resources.
- Monitoring: Continuous monitoring and alerting for anomalous access patterns or potential security threats.
- Log Retention: Audit logs are retained for a minimum of 12 months in tamper-evident storage.
4.5 Business Continuity
- Backups: Regular encrypted backups with tested restoration procedures.
- Disaster Recovery: Documented disaster recovery plan with defined recovery time and recovery point objectives.
- Incident Response: Documented incident response plan with designated response team and defined escalation procedures.
4.6 Personnel Security
- Background checks for personnel with access to Personal Data, to the extent permitted by applicable law.
- Mandatory data protection and security awareness training upon onboarding and annually thereafter.
- Binding confidentiality agreements for all personnel.
5. Sub-processors
5.1 Authorized Sub-processors
The Customer hereby provides general written authorization for Xentovia to engage the following Sub-processors. This list is current as of the date of this DPA:
- Amazon Web Services (AWS) — Cloud infrastructure, compute, storage, and database services. Processing locations: United States, with availability in EU and Asia-Pacific regions as configured by the Customer.
- Google Cloud Platform (Gemini API) — AI model inference via Google's Gemini API for document understanding, classification, and data extraction. Processing locations: United States.
5.2 Sub-processor Changes
Xentovia shall notify the Customer at least 30 days prior to engaging any new Sub-processor or replacing an existing Sub-processor. Notification shall be provided via email to the Customer's designated contact address. If the Customer objects to a new Sub-processor on reasonable data protection grounds within 14 days of receiving notice, the parties shall discuss the Customer's concerns in good faith. If the parties cannot resolve the objection, the Customer may terminate the affected portion of the Services without penalty.
5.3 Sub-processor Obligations
Xentovia shall ensure that each Sub-processor is bound by written obligations that provide at least the same level of data protection as this DPA. Xentovia shall conduct due diligence on the security and data protection practices of each Sub-processor before engagement and on an ongoing basis.
6. International Data Transfers
6.1 Transfer Locations
In connection with the provision of Services, Personal Data may be transferred to and processed in the following jurisdictions:
- India — Xentovia's primary operations and engineering team are based in India.
- United States — Cloud infrastructure (AWS) and AI model inference (Google Cloud / Gemini API).
- European Union — Available as a processing region upon Customer request for AWS-hosted services.
6.2 Transfer Mechanisms
Where Personal Data is transferred from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant authority, Xentovia shall ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs): Xentovia shall enter into the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor, or Module Three: Processor to Sub-processor, as applicable) with the Customer and/or its Sub-processors.
- UK International Data Transfer Addendum: Where applicable, the UK Addendum to the EU SCCs shall be incorporated.
- Supplementary Measures: Where required by applicable law or supervisory authority guidance, Xentovia shall implement supplementary technical, contractual, or organizational measures to ensure an essentially equivalent level of protection.
6.3 Transfer Impact Assessment
Xentovia shall, upon Customer request, cooperate in conducting a transfer impact assessment to evaluate whether the laws of the destination country provide an adequate level of protection for Personal Data, and shall implement additional safeguards where necessary.
7. Security Incident Notification
7.1 Notification Obligation
Xentovia shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Security Incident affecting Personal Data processed on behalf of the Customer. Notification shall be provided to the Customer's designated security contact via email and, where available, through the Xentovia platform's notification system.
7.2 Content of Notification
The notification shall include, to the extent reasonably available:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records concerned
- The name and contact details of Xentovia's data protection point of contact
- A description of the likely consequences of the Security Incident
- A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects
7.3 Cooperation
Xentovia shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident. Xentovia shall preserve and provide to the Customer relevant logs, records, and forensic evidence related to the Security Incident.
7.4 No Unauthorized Disclosure
Xentovia shall not inform any third party of a Security Incident without first obtaining the Customer's prior written consent, unless notification is required by applicable law. Where legally compelled to notify, Xentovia shall provide the Customer with advance notice to the extent permitted by law.
8. Data Protection Impact Assessments
Where a type of Processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of Data Subjects, Xentovia shall provide reasonable assistance to the Customer in carrying out data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of Processing and the information available to Xentovia.
9. Term and Termination
9.1 Term
This DPA shall become effective on the date the Agreement is executed and shall remain in effect for the duration of the Agreement. The obligations under this DPA shall survive termination or expiration of the Agreement to the extent Xentovia continues to Process Personal Data on behalf of the Customer.
9.2 Effect of Termination
Upon termination or expiration of the Agreement, Xentovia shall comply with the data deletion and return obligations set out in Section 3.7. The following provisions shall survive termination: confidentiality obligations, audit rights (for a period of 12 months following termination), data deletion obligations, and any provisions that by their nature are intended to survive.
10. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except that nothing in the Agreement shall limit either party's liability for breaches of this DPA to the extent such limitation is prohibited by applicable Data Protection Laws.
11. Governing Law
This DPA shall be governed by the laws that govern the Agreement, unless otherwise required by applicable Data Protection Laws. Where the GDPR applies to the Processing, the relevant provisions of this DPA shall be interpreted in accordance with the GDPR regardless of the governing law of the Agreement.
12. Updates to This DPA
Xentovia may update this DPA from time to time to reflect changes in applicable Data Protection Laws, our Processing activities, or our Sub-processors. We will notify Customers of material changes at least 30 days in advance. Continued use of the Services following such notification constitutes acceptance of the updated DPA.
13. Contact
For questions, concerns, or requests related to this Data Processing Agreement or Xentovia's data protection practices, please contact:
- Privacy Email: privacy@xentovia.ai
- General Inquiries: sales@xentovia.ai
- Entity: Xentovia Tech Private Limited