Yorph AI - AI-Powered Data Platform for Analytics and Transformation

Data Processing Addendum

Effective Date: October 23rd, 2025

This Data Processing Addendum ("Addendum" or "DPA") forms part of the Terms of Service (the "Primary Agreement") between YORPH AI INC, a Delaware corporation ("Yorph," "we," or "Processor"), and the entity or individual subscribing to the Yorph AI Services ("Customer," "you," or "Controller").

This Addendum governs Yorph's processing of Personal Data on behalf of the Customer in connection with use of the Yorph AI platform and related services (the "Services").

1. Scope and Roles

1.1 Purpose

This Addendum applies to all Personal Data Yorph processes on behalf of the Customer in providing the Services.

1.2 Roles

The Customer acts as the Controller (or as a Processor where processing on behalf of another Controller), and Yorph acts as a Processor (or Sub-Processor) for such data.

2. Processing Details

2.1 Nature and Purpose

Yorph processes Customer Personal Data solely to provide, maintain, and support the Services, including workflow execution, data transformation, and AI-powered analytics.

2.2 Types of Data

Personal Data may include names, email addresses, identifiers, and metadata contained within or associated with Customer Data, such as user inputs, uploaded files, or connected data sources.

2.3 Sensitive Data

  • Yorph AI does not intend to process, store, or manage any data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or similar healthcare privacy laws.
  • Customers are strictly prohibited from uploading or transmitting Protected Health Information (PHI), genetic, biometric, or other health-related data through the Services. Yorph AI's platform is not designed or certified for HIPAA-compliant processing, and Yorph does not monitor user uploads for such content.
  • Yorph does not intentionally collect or process any special-category or sensitive personal data (such as racial or ethnic origin, religious or philosophical beliefs, sexual orientation, political opinions, or trade union membership). If such data is inadvertently included in Customer uploads, it is processed only as necessary to deliver the Services and promptly deleted in accordance with Yorph's data retention policy.

2.4 Retention

  • By default, all Customer Data (prompts, files, and outputs) is deleted automatically once a session or workflow completes.
  • Customers may opt in to a 30-day retention window for temporary storage and retrieval.
  • Customer Data is permanently deleted after that period unless extended by Customer action.
  • Anonymized and aggregated data may be retained indefinitely for analytics, model evaluation, and system improvement.

3. Yorph's Processing Obligations

3.1 Lawful Processing

Yorph processes Personal Data only on documented Customer instructions and in compliance with applicable privacy laws (including the GDPR and CCPA where applicable).

3.2 Confidentiality

All personnel with access to Customer Personal Data are bound by confidentiality obligations and trained on data security practices.

3.3 Security Measures

Yorph implements and maintains industry-standard technical and organizational safeguards, including encryption in transit and at rest, access controls, audit logging, and monitored cloud infrastructure (Google Cloud Platform, Fastn). Detailed measures are provided in Schedule C.

3.4 No Sale or Training Use

  • Yorph does not sell or share Personal Data as defined under the CCPA/CPRA.
  • Customer Data is never used to train AI models.
  • Only anonymized, aggregated usage metrics may be analyzed to enhance performance.

3.5 Incident Notification

Yorph will notify the Customer within 48 hours of becoming aware of a data breach involving Customer Personal Data, including known details and remediation steps.

4. Customer Responsibilities

4.1 Lawful Basis and Consents

Customer is responsible for obtaining all necessary consents or other lawful bases for processing Personal Data and for ensuring its processing instructions comply with applicable laws.

4.2 Accuracy and Restrictions

Customer must ensure uploaded data is accurate, lawful, and not subject to restrictions (e.g., HIPAA, export-controlled data, or other prohibited content).

4.3 Account Security

Customer is responsible for safeguarding login credentials and monitoring access to its Yorph account.

5. Sub-Processors

5.1 Authorized Sub-Processors

Customer authorizes Yorph to engage the following Sub-Processors to support the Services:

| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (GCP) | Hosting, compute, storage, CDN | United States |
| Fastn.ai | Data synchronization and transfer | United States |
| Mailchimp (Intuit) | Customer communications | United States |
| Square | Payment processing | United States |
| Supabase | Database and authentication | United States |

5.2 New Sub-Processors

Yorph may engage additional Sub-Processors to support the Services. Yorph will make available an up-to-date list of Sub-Processors on its website or upon request and will provide reasonable notice of any material changes. Customers may object in writing to the engagement of a new Sub-Processor on reasonable data-protection grounds.

5.3 Sub-Processor Agreements

All Sub-Processors are bound by written data-protection terms no less protective than this Addendum. Yorph remains responsible for their performance.

6. Data Subject Rights

Yorph assists the Customer, upon written request, in responding to data-subject access, correction, deletion, or portability requests where legally required.

Yorph does not respond directly to data subjects except on the Customer's instructions or where legally obligated.

7. International Data Transfers

7.1 U.S. Processing

Customer acknowledges and agrees that Personal Data may be processed in the United States, where Yorph and its Sub-Processors operate.

7.2 Transfers from the EEA, UK, and Switzerland

For any data transfers from these jurisdictions to the United States, the parties incorporate the EU Standard Contractual Clauses (2021/914), using Module 2 (Controller → Processor) or Module 3 (Processor → Processor), as applicable.

The UK Addendum and Swiss FDPIC extensions apply for UK and Swiss data respectively.

7.3 Governing Law for Transfers

The Standard Contractual Clauses are governed by Delaware, USA law for non-EU matters, and by the law designated under Clause 17 of the SCCs for EU matters.

8. Audits and Compliance

  • Yorph maintains appropriate technical and organizational measures to protect Customer Personal Data as described in Schedule C.
  • Upon written request, Yorph will provide Customers with a summary of its security practices and policies reasonably necessary to demonstrate compliance with this Addendum.
  • Yorph is not required to provide third-party audit reports (e.g., SOC 2) or to permit on-site inspections, but will cooperate in good faith with Customer's reasonable information security inquiries related to the Services.

9. Term and Termination

This Addendum remains in force as long as Yorph processes Customer Personal Data.

Upon termination of the Services, Yorph deletes or returns all Customer Personal Data per the retention policy unless required by law to retain it.

10. General Terms

  • Precedence: In case of conflict, this Addendum prevails over the Primary Agreement solely with respect to Personal Data processing.
  • Governing Law: Delaware law governs this Addendum, except where otherwise required by applicable data-protection laws.
  • Severability: If any provision is found invalid, the remainder shall continue in effect.

Schedule C – Technical and Organizational Security Measures

Yorph maintains industry-standard security measures, including but not limited to:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control (RBAC)
  • Data Segregation and Backups: Logical isolation between customer environments
  • Documented incident response procedures with 48-hour notice window

Last Updated: October 23rd, 2025

Version 1.0
