Data Processing Addendum
Effective Date: April 20, 2026
Last Updated: April 20, 2026
This Data Processing Addendum (“DPA”) forms part of the Master Service Agreement or other written or electronic agreement (the “Agreement”) between Red Sovereign LLC d/b/a Aumata (“Aumata,” “Processor”) and the customer identified in the Agreement (“Customer,” “Controller”) for the provision of Services.
Where the Agreement is silent and the Services involve processing of Customer Personal Data, this DPA applies. A countersigned copy is available on request to [email protected].
1. Definitions
- “Customer Personal Data” means personal data processed by Aumata on behalf of Customer in connection with the Services.
- “Data Protection Laws” means all applicable data protection and privacy laws, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other US state comprehensive privacy laws to the extent applicable.
- “Data Subject”, “Controller”, “Processor”, “Personal Data”, “Processing”, and “Sub-processor” have the meanings given in the GDPR or, where the CCPA/CPRA applies, the equivalent CCPA terms (“Consumer,” “Business,” “Service Provider,” “Personal Information”).
- “Standard Contractual Clauses” or “SCCs” means the clauses annexed to Commission Implementing Decision (EU) 2021/914, as updated.
- “UK IDTA” means the UK International Data Transfer Addendum issued by the UK Information Commissioner.
- “DPF” means the EU-US Data Privacy Framework, the UK Extension to the DPF, and the Swiss-US Data Privacy Framework.
2. Scope and roles
2.1 Roles of the parties
With respect to Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of its own controllers) and Aumata is the Processor. With respect to CCPA/CPRA, Customer is the Business and Aumata acts as a Service Provider.
2.2 Subject matter, nature, purpose, duration
The subject matter, nature, purpose, categories of Data Subjects, and types of Personal Data are described in Annex I to this DPA. Processing continues for the duration of the Agreement.
2.3 Compliance with instructions
Aumata will process Customer Personal Data only on documented instructions from Customer, including the instructions contained in the Agreement and this DPA, and as otherwise required by applicable law. Aumata will inform Customer if it cannot comply with an instruction.
2.4 CCPA Service Provider certification
Aumata certifies that it understands the restrictions imposed on service providers under the CCPA/CPRA and will comply with them. Aumata will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer; or (c) combine Customer Personal Data with personal information received from other sources, except as expressly permitted by the CCPA/CPRA.
3. Sub-processing
3.1 Authorization
Customer authorizes Aumata to engage the sub-processors listed at www.aumata.ai/legal/subprocessors and to add new sub-processors subject to Section 3.2.
3.2 Notice and objection
Aumata will give Customer at least 30 days’ prior notice of a new or replacement sub-processor that will process Customer Personal Data (by updating the sub-processors page and, where Customer has subscribed, by email). Customer may object in writing within the notice period on reasonable grounds related to data protection. If the parties cannot resolve the objection, Customer may terminate the affected portion of the Services without penalty.
3.3 Sub-processor obligations
Aumata will impose data protection obligations on each sub-processor that are no less protective than those in this DPA. Aumata remains liable for its sub-processors’ acts and omissions to the same extent as for its own.
4. Security
Aumata maintains the technical and organizational security measures described in Annex II to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, and disclosure.
5. Personal data breach
Aumata will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Customer Personal Data. The notification will include the information required by GDPR Article 33(3) to the extent known. Aumata will take reasonable steps to mitigate and, where possible, remedy the breach.
6. Confidentiality
Aumata will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations or an appropriate statutory duty.
7. Data subject rights
Aumata will, taking into account the nature of the processing, provide reasonable assistance to Customer to enable Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws. Aumata will promptly notify Customer of any request received directly from a Data Subject relating to Customer Personal Data and will not respond except on Customer’s instruction.
8. Data protection impact assessments
Aumata will provide reasonable assistance, at Customer’s cost, with data protection impact assessments and prior consultations with supervisory authorities where required by Article 35 or 36 GDPR.
9. Audits and information
Aumata will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. On not more than annual written request (except after a Personal Data Breach or regulatory demand), Aumata will submit to an audit, conducted by Customer or an independent auditor bound by confidentiality, during business hours, with reasonable notice, and without disruption. Customer will bear its own audit costs.
10. International transfers
10.1 Transfer mechanisms
Where Aumata transfers Customer Personal Data from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of protection, the parties incorporate the following safeguards, in the following order of precedence:
(1) EU-US Data Privacy Framework, UK Extension, and Swiss-US Data Privacy Framework, for transfers to Aumata or sub-processors certified under the DPF for the relevant type of data.
(2) Standard Contractual Clauses, Module Two (Controller to Processor) and Module Three (Processor to Processor) as applicable, incorporated by reference into this DPA with the selections in Annex III.
(3) UK IDTA for transfers subject to UK GDPR.
(4) Swiss addendum for transfers subject to FADP.
10.2 DPF contingency
If the DPF ceases to provide an adequate basis for transfer (for example, following a successful challenge), the SCCs and UK IDTA in Section 10.1(2)-(3) will apply automatically without further action.
11. Deletion and return
Upon termination of the Services and at Customer’s election, Aumata will delete or return all Customer Personal Data within 30 days and delete existing copies, except to the extent retention is required by applicable law. Aumata may retain anonymized or aggregated data and minimal records necessary for legal compliance.
12. AI and model training
Aumata does not use Customer Personal Data to train, fine-tune, or otherwise improve large language models. Aumata’s AI sub-processors (including Anthropic) are contractually prohibited from using Customer Personal Data transmitted via API for model training.
13. Liability
Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement.
14. General
14.1 Conflict
In the event of conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA prevails.
14.2 Changes
Aumata may update this DPA from time to time to reflect changes in Data Protection Laws, subject to giving Customer prior notice of any material change. No change will reduce the protection afforded to Customer Personal Data.
Annex I — Description of processing
- Subject matter: provision of the Services as described in the Agreement.
- Duration: the term of the Agreement plus any legally required retention.
- Nature and purpose: hosting, content generation, SEO/marketing execution, analytics, CRM, communications.
- Categories of Data Subjects: Customer’s personnel, Customer’s end users and site visitors, Customer’s prospects and contacts.
- Categories of Personal Data: name, business contact details, company, role, IP address, device/browser metadata, usage data, content provided to the Services. Aumata does not knowingly process special categories of data.
- Retention: as specified in the Agreement; otherwise deleted within 30 days of termination.
Annex II — Security measures
- TLS 1.2+ for data in transit; encryption at rest via managed providers.
- Role-based access controls with least-privilege principles; SSO for internal systems.
- Multi-factor authentication for all administrative accounts.
- Logging and monitoring of access to systems that process Customer Personal Data.
- Annual access reviews; incident response plan.
- Vendor security reviews for sub-processors.
- Data segregation between customers within shared agent infrastructure.
Annex III — SCC module selections
- Module: Two (Controller → Processor) and, where Customer is itself a Processor, Module Three (Processor → Processor).
- Clause 7 (docking clause): does not apply.
- Clause 9 (sub-processor authorization): Option 2, general authorization with 30 days’ notice.
- Clause 11 (independent dispute resolution): optional language does not apply.
- Clause 17 (governing law): law of the Republic of Ireland.
- Clause 18 (forum): courts of the Republic of Ireland.
- Annex I.C (supervisory authority): the supervisory authority of the Member State in which the Controller is established, or where the Controller is not established in the EEA, the Irish Data Protection Commission.
Contact
Red Sovereign LLC d/b/a Aumata
Email: [email protected]