LEGAL

Data Processing Addendum

Last updated: July 15, 2026
HAVE COUNSEL REVIEW BEFORE USE

This DPA is a starting template. If you process the personal data of people in the EEA, UK, or Switzerland, you will likely need to attach the current EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and a completed transfer-impact assessment. Have a privacy lawyer finalize this and the annexes for your actual data flows.

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Markovate.com Inc. ("Processor," "we") and the Customer ("Controller," "you"). It applies where, in providing the Service, we process Personal Data that is contained within your systems, code, or data on your behalf. Capitalized terms not defined here have the meaning in the Terms or in applicable data-protection law ("Data Protection Law," including the EU/UK GDPR and applicable US state laws).

1Scope & roles

For Personal Data that resides in your environment and that Experts access to perform work you request, you are the Controller and we are the Processor (and Experts and our providers act as sub-processors). We process such Personal Data only to provide the Service and on your instructions. For Personal Data we determine the purposes of (your account and billing data), we act as controller under our Privacy Policy, and this DPA does not apply.

2Processing on your instructions

We will process Personal Data only on your documented instructions, including as set out in the Terms, this DPA, and the actions you approve through the Agent, unless required by law (in which case we will inform you unless prohibited). If we believe an instruction violates Data Protection Law, we will tell you. You are responsible for the lawfulness of the Personal Data you provide and instructions you give, and for having a legal basis and any required notices or consents.

3Confidentiality

We ensure that persons authorized to process Personal Data — including Experts and staff — are bound by confidentiality obligations and are informed of the sensitivity of the data. Access is limited to those who need it to provide the Service ("least privilege").

4Security measures

We implement appropriate technical and organizational measures to protect Personal Data, taking into account the state of the art and the risk, including: encryption in transit; the outbound-only, read-only-by-default, approval-gated Agent design; access controls and authentication; logging of Expert actions and approvals; least-privilege staffing; and personnel confidentiality. A summary is in the Annex. You are responsible for configuring your own systems securely and for what you expose and approve.

5Sub-processors

You authorize us to engage sub-processors — including Experts and the providers listed at Subprocessors — to process Personal Data. We impose data-protection obligations on each sub-processor no less protective than this DPA, and remain responsible for their performance. We will give notice before adding or replacing a sub-processor as described on the Subprocessors page, and you may object on reasonable data-protection grounds; if we cannot resolve the objection, you may terminate the affected Service.

6Assisting with data-subject requests

Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from individuals exercising their rights (access, correction, deletion, portability, objection, restriction). If we receive such a request directly relating to your data, we will refer the individual to you unless legally required to act.

7Personal-data breach notification

We will notify you without undue delay after becoming aware of a Personal-Data Breach affecting Personal Data we process for you, and provide information reasonably available to help you meet your notification obligations. We will take reasonable steps to mitigate and remediate.

8International transfers

Where we transfer Personal Data across borders subject to transfer restrictions, we will rely on a lawful transfer mechanism, such as the EU Standard Contractual Clauses and the UK Addendum, which are incorporated by reference where applicable. [Attach and reference the executed clauses and module selections.]

9Return & deletion

On termination of the Service, or on your request, we will delete or return Personal Data we process for you and delete existing copies, unless retention is required by law. Because most Customer Content stays in your own systems and is accessed transiently, our retention of it is limited; session and chat records are retained per the Privacy Policy.

10Audits

We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by you or an auditor you mandate, on reasonable prior notice, no more than once per year (or after a breach), subject to confidentiality and without unreasonably disrupting our operations. We may satisfy audit requests by providing third-party reports or certifications where available.

Annex — details of the processing

Subject matterProvision of on-demand expert software services via the Agent
DurationThe term of the Service plus any legally required retention
Nature & purposeAccessing, reviewing, modifying, and deploying your systems and data as you approve
Types of data[Whatever exists in your systems — may include names, emails, user records, credentials, application data]
Data subjects[Your end users, employees, customers, as applicable]
Sub-processorsExperts and the providers at Subprocessors
Security measuresSee Section 4 — encryption in transit, outbound-only/read-only-by-default/approval-gated Agent, access controls, action logging, least privilege, confidentiality

To request a signed copy of this DPA, contact privacy@appsstore.ai.