Data Processing Agreement

Last updated: April 18, 2026

This Data Processing Agreement (“DPA”) governs the processing of personal data by Rootlab LLC, provider of the Attevera product, on behalf of the customer in connection with the Attevera readiness operating platform. This DPA supplements the Terms of Service and is intended to satisfy the requirements of GDPR Article 28.

1. Scope & Purpose

Rootlab LLC, doing business as Attevera (“Processor”), processes personal data on behalf of the customer (“Controller”) solely to provide the Attevera readiness operating platform as described in the Terms of Service. The nature and purpose of the processing is the storage, organisation, and retrieval of AI system records, compliance controls, evidence metadata, and audit logs as entered by the Controller's authorised users.

Processing will occur only for as long as the subscription agreement is active, and for the retention period described in Section 9 below. Processing outside the scope of the subscription agreement requires a separate written instruction from the Controller.

2. Categories of Data Subjects and Personal Data

The personal data processed may relate to the following categories of data subjects:

  • Customer employees and administrators — individuals within the Controller's organisation who register for or use Attevera, including their email addresses, names, and roles
  • AI system end users — individuals referenced in AI system records entered by the Controller, such as deployment context descriptions and affected user populations
  • Third parties named in evidence — individuals incidentally referenced in documentation or evidence files uploaded by the Controller

The categories of personal data may include account identifiers, names, email addresses, organisation roles, workspace activity, AI system descriptions, deployment context, affected population descriptions, evidence files and metadata, audit trail entries, billing contact metadata, and any personal data included by the Controller in uploaded evidence or generated records.

3. Obligations of the Processor

Rootlab LLC, as Processor, commits to:

  • Process personal data only on documented instructions from the Controller, unless required to do so by applicable law
  • Ensure that all personnel authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement and maintain appropriate technical and organisational security measures as described in Section 6
  • Assist the Controller in responding to data subject requests under GDPR Articles 15–21, to the extent technically feasible. Assistance includes making the “Export all data” flow in Settings → Data & privacy available to the Controller's authorised administrators, which delivers a structured record of workspace data in support of Articles 15 (access) and 20 (portability)
  • Not respond directly to a data subject request received about the Controller's workspace content unless legally required, and instead promptly notify the Controller so the Controller may respond or authorise Rootlab LLC to respond on its behalf
  • Support the Controller's obligations under GDPR Articles 32–36, including security measures, breach notification under Article 33, and data protection impact assessments under Article 35, by providing the documentation and product functionality described in this DPA and in the Privacy Policy
  • Delete or return all personal data upon termination, as described in Section 9
  • Make available all information reasonably necessary to demonstrate compliance with this DPA
  • Inform the Controller if, in Rootlab LLC's opinion, an instruction infringes GDPR or other applicable EU or Member State data protection law

4. Sub-processors

The Controller grants general authorisation for Rootlab LLC to engage the sub-processors listed below. The full and current list, including pending entries, is published at attevera.com/sub-processors.

  • Supabase — database, authentication, and evidence-file storage. Production data hosted in the EU (Frankfurt).
  • Stripe — payment processing and subscription billing. Processes billing contact details only.
  • Sentry — error monitoring. Only sessions that experience an error are recorded, and input fields and displayed text are masked before transmission. Sampled session recording is disabled.
  • Hosting provider — the platform that runs the Attevera application tier. The identity of the hosting provider will be published in this section before the Service is made generally available to EU customers.

Rootlab LLC will provide at least 30 days' written notice before engaging any new sub-processor that will process personal data. The Controller may object to the appointment of a new sub-processor within that notice period on reasonable data-protection grounds. If the Controller raises such an objection, Rootlab LLC will work in good faith with the Controller to identify an alternative arrangement. If an alternative cannot be agreed within a reasonable period, the Controller may terminate the affected functionality or the subscription with a pro-rata refund for the unused portion of the then-current billing period. If no objection is raised during the notice period, the new sub-processor is deemed approved. Rootlab LLC imposes data protection obligations on sub-processors that are no less protective than those in this DPA and remains responsible for their performance as required by GDPR Article 28.

5. Data Transfers

Rootlab LLC seeks to keep core workspace processing in EU/EEA-hosted infrastructure where commercially available and configured for the production service. Some sub-processors or support operations may involve transfers outside the EU/EEA.

Where a transfer to a third country occurs (for example, in connection with a sub-processor or with support personnel based outside the EU/EEA), Rootlab LLC relies primarily on the European Commission's 2021 Standard Contractual Clauses (Module 2 controller-to-processor, or Module 3 processor-to-processor, as applicable) and, where the recipient is certified under the EU–US Data Privacy Framework or is otherwise covered by a European Commission adequacy decision, on that adequacy decision.

6. Security Measures

Rootlab LLC implements the following technical and organisational measures to protect personal data:

  • Encryption of personal data at rest (AES-256) and in transit (TLS 1.2 or higher)
  • Row Level Security (RLS) policies in the database, enforcing strict organisation-level access boundaries
  • Role-based access controls within each organisation workspace
  • Audit logging of workspace actions, exports, and record changes
  • Backup and recovery controls for production databases
  • Restricted access to production systems for authorised Rootlab LLC personnel only

7. Breach Notification

In the event of a personal data breach involving data processed under this DPA, Rootlab LLC will notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach. This is intended to leave the Controller sufficient time to meet its own 72-hour notification obligation to the competent supervisory authority under GDPR Article 33 where such notification is required.

Notification will be sent by email to the admin contact(s) on file for the affected Controller, and will include: the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate volume of records affected, the likely consequences of the breach, and the measures taken or proposed to address it, where that information is available. If complete information is not available at the time of notification, Rootlab LLC will provide it in phases without undue further delay and will keep the Controller informed of developments.

8. Audit Rights

The Controller may audit Rootlab LLC's compliance with this DPA upon reasonable written notice of at least 30 days. Audits must be conducted during normal business hours, must not unreasonably disrupt Rootlab LLC's operations, and may be conducted no more than once per calendar year unless a data breach has occurred.

In lieu of an on-site audit, Rootlab LLC may provide relevant third-party audit reports, security certifications, or completed security questionnaires to satisfy audit requests where appropriate.

9. Data Deletion on Termination

Upon termination or expiry of the subscription agreement, Rootlab LLC will, at the Controller's choice and subject to product export functionality and applicable law, return or delete personal data processed on behalf of the Controller. Deletion will be completed within 30 days of the Controller's written request, subject to the retention carve-outs below.

Rootlab LLC may retain limited copies where required by Union or Member State law, for security, dispute handling, backup lifecycle, or audit recordkeeping obligations. In particular, where the Controller's workspace contains records of AI systems classified as high-risk or unacceptable-risk under the EU AI Act, such records are archived rather than hard-deleted and retained for ten years. This supports the obligation under Article 18(1) of that Regulation, which requires the provider of a high-risk AI system to keep its technical documentation at the disposal of the national competent authorities for ten years after the system is placed on the market or put into service. The Controller retains controller rights over these archived records for the duration of the retention period.

Upon request, Rootlab LLC will provide written confirmation that deletion has been completed.

10. Duration & Termination

This DPA is effective for the duration of the subscription agreement between the Controller and Rootlab LLC. It automatically terminates upon the end of the subscription, subject to any obligations that survive termination (including confidentiality obligations and data deletion requirements under Section 9).

This DPA supersedes any prior data processing terms between the parties. In the event of conflict between this DPA and the Terms of Service on matters of data protection, this DPA takes precedence.

11. Governing Law

This DPA is governed by and construed in accordance with the same law as the Terms of Service (the laws of the Republic of Ireland), and disputes relating to this DPA are subject to the same jurisdiction, unless a separately executed agreement between the parties states otherwise. This choice does not limit either party's rights or obligations under mandatory provisions of EU or Member State data protection law that apply irrespective of the parties' choice.

For questions about this DPA, contact us at support@attevera.com.