DATA PROCESSING ADDENDUM
Effective Date: September 3, 2025
This Data Processing Addendum (“DPA”) is incorporated into and forms part of DOJO AI’s Terms of Service (the “Terms” or the “Agreement”). It applies to DOJO AI’s processing of Customer Data as a processor on behalf of the Customer as the controller (as defined below) and as further detailed in Annex I. Capitalized terms not otherwise defined in this DPA have the meaning given to them in the Terms. If there is any conflict between the terms of this DPA and the Terms, the terms of this DPA will prevail. DOJO AI may update this DPA from time to time to reflect changes in Data Protection Laws or in its processing activities. For any data protection inquiries, please contact admin@getdojo.ai.
1. DEFINITIONS
“Personal data”, “processing”, “controller”, “processor”, “data subject”, “personal data breach” and equivalent terms not otherwise defined in this DPA have the meanings given to them in Data Protection Laws.
“Customer Data” means any personal data that DOJO AI processes on behalf of the Customer as described in Annex I.
“Data Protection Laws” means the GDPR and/or any applicable data protection legislation.
“Data Subject Request” means a request from a data subject to exercise their personal data-related rights under Data Protection Laws, such as rights to access, correct, or delete their personal data.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and the Council.
“Security Breach” means a personal data breach of Customer Data in the context of the Service.
“Standard Contractual Clauses” or “SCC” means Module Three (processor to processor) or Module Four (processor to controller) of the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR and approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available here.
“Sub-processor” means an entity engaged by DOJO AI to process Customer Data.
2. DOJO AI’S MAIN OBLIGATIONS
As a data processor, DOJO AI agrees to:
2.1. Only process Customer Data in accordance with the documented instructions of the Customer, including in relation to transfers of Customer Data as described in Section 8, except if required to process it by applicable law, in which case DOJO AI will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.2. Promptly inform the Customer if DOJO AI concludes that it can no longer comply with its obligations under this DPA, as required under applicable Data Protection Laws.
2.3. Communicate to the Customer any material changes to this DPA.
2.4. Comply with all applicable Data Protection Laws.
2.5. Promptly inform the Customer if, in DOJO AI’s opinion, an instruction from the Customer infringes any applicable law.
2.6. Ensure that the persons it authorizes to process Customer Data are bound by appropriate confidentiality obligations.
2.7. Maintain appropriate security measures, as detailed in Annex III.
2.8. Provide reasonable assistance to the Customer with Data Subject Requests and other relevant obligations of the Customer (reasonable fees may apply as determined by DOJO AI on a case-by-case basis).
2.9. Promptly forward to the Customer any Data Subject Request it receives in relation to Customer Data and advise the data subject to submit their request directly to the Customer.
3. CUSTOMER’S MAIN OBLIGATIONS
As a data controller, the Customer:
3.1. Declares that it has, and promises to maintain, all necessary rights, consents and authorizations to provide the Customer Data to DOJO AI and to authorize DOJO AI to use, disclose, retain and otherwise process Customer Data as contemplated by this DPA, the Terms and/or other processing instructions provided to DOJO AI.
3.2. Will comply with all applicable Data Protection Laws.
3.3. Will only transfer Customer Data to DOJO AI using agreed, secure, reasonable and appropriate mechanisms.
3.4. Will not take any action that would (i) render the provision of Customer Data to DOJO AI a “sale” under U.S. Privacy Laws or a “share” under the CCPA (or equivalent concepts under U.S. Privacy Laws); or (ii) render DOJO AI not a “service provider” under the CCPA or “processor” under U.S. Privacy Laws.
4. SECURITY BREACH NOTIFICATION
4.1. DOJO AI will notify the Customer without undue delay upon becoming aware of any Security Breach, including available information about:
a) Nature of the breach.
b) Categories of personal data and approximate number of records affected.
c) Mitigation measures taken or proposed.
4.2. DOJO AI will cooperate with the Customer in taking appropriate actions to mitigate the impact of the Security Breach and in providing all necessary information for the Customer’s fulfilment of its legal obligations.
4.3. DOJO AI’s actions in response to a Security Breach, including, without limitation, notifications and follow-up actions, will not be construed as acknowledgement of any fault or liability with respect to the Security Breach.
5. TERM AND RETENTION
5.1. This DPA will apply until all Customer Data has been returned, deleted or anonymized upon the termination of the Service as described in this DPA.
5.2. Upon termination of the Service, and after a recovery period of up to 30 days from that date, DOJO AI will delete or anonymize all Customer Data as soon as reasonably practicable and within a maximum period of 90 days, and will instruct its Sub-processors to do the same. However, data may be retained for longer if required by law, and some Customer Data, due to the nature of distributed systems and backup archives, may also persist in non-production backups for a longer period until it is overwritten. In the latter cases, such retained Customer Data will be isolated, secured, and protected from any further processing until it is deleted.
5.3. Upon termination of the Service, DOJO AI may, at the choice of the Customer, send it a copy of the available Customer Data.
5.4. To improve DOJO AI’s systems and services, DOJO AI may continue to process information derived from Customer Data that has been deidentified, anonymized, and/or aggregated in such a way that it is no longer considered personal data under Data Protection Laws. The Customer authorizes DOJO AI to anonymize Customer Data for this purpose.
6. SUB-PROCESSORS
6.1. The Customer grants a general authorization for the Sub-processors listed in Annex IV.
6.2. DOJO AI will use reasonable efforts to notify the Customer as soon as practicable in case of any changes to the Sub-processor list mentioned above, either via email to the account administrator or via other appropriate means.
6.3. The Customer may object to the change by terminating the Agreement for convenience as described in the relevant section of the Terms or as otherwise agreed with DOJO AI.
6.4. DOJO AI will ensure Sub-processors are subject to data protection obligations substantially similar to those outlined in this DPA.
6.5. DOJO AI will remain liable to the Customer if a Sub-processor fails to meet its data processing obligations, to the extent DOJO AI is liable for its own data processing obligations under this DPA and subject to the conditions and limitations of liability provided in the Terms.
7. VERIFICATION OF COMPLIANCE
7.1. DOJO AI may demonstrate compliance with its obligations under this DPA by providing the Customer, upon written request, relevant compliance certifications or third-party audit reports (such as SOC 2 and ISO 27001) if and when they are obtained by DOJO AI.
7.2. Upon receiving an audit request by the Customer, DOJO AI will, to the extent legally required, permit the Customer, at the Customer’s expense, to audit DOJO AI’s compliance with this DPA, provided all of the following conditions apply:
a) The Customer submits the request with a prior written notice of at least thirty (30) days.
b) The audit is conducted by the Customer or by a third-party auditor designated by the Customer that has an appropriate confidentiality agreement in place with DOJO AI.
c) DOJO AI and the Customer agree on reasonable details of the audit, including its start date, form, scope, maximum duration, applicable calendar days, daily schedules, access rights (if any), and relevant controls.
d) The request contains an explanation regarding the reasons why in the Customer’s opinion DOJO AI’s compliance certifications or third-party audit reports (if any) are insufficient for ascertaining DOJO AI’s compliance under this DPA.
e) No similar audit has been conducted in the prior twelve (12) months.
f) The Customer agrees to pay any costs and expenses reasonably incurred by DOJO AI for the purposes of the audit.
7.3. Conditions d), e) and f) above do not apply if (i) the request follows a confirmed Security Breach affecting the Customer, (ii) the Customer provides prior and clear evidence of non-compliance by DOJO AI and/or (iii) the audit is explicitly required by Data Protection Laws or a competent authority under Data Protection Laws.
7.4. The Customer agrees that any information provided under this Section 7 constitutes DOJO AI’s Confidential Information.
8. INTERNATIONAL TRANSFERS
8.1. When DOJO AI transfers personal data to recipients (such as, if applicable, the Customer and/or a Sub-processor) located in jurisdictions that do not provide the same level of data protection as the originating jurisdiction of the Customer Data, it will do so for the purposes set out in Annex I and while ensuring that adequate protection measures are in place (such as standard contractual clauses).
8.2. For transfers to Sub-processors outside the EEA/UK to a country without an adequacy decision, DOJO AI will implement appropriate safeguards, which may include Standard Contractual Clauses (Module 3: processor-to-processor), where applicable.
8.3. DOJO AI implements supplementary measures where reasonably required (such as encryption, access controls, and contractual commitments from Sub-processors).
8.4. To the extent required by Data Protection Laws, the parties agree that the terms of the SCCs Module Four (processor to controller), as specified in Annex II, are incorporated by reference in this DPA and will be deemed to have been executed by the parties.
8.5. To the extent that there is any conflict between the terms of this DPA and the terms of the SCCs, the terms of the SCCs will prevail.
Annex I (PROCESSING DETAILS)
Categories of data subjects: As determined by the Customer’s configuration of the Service under the Agreement.
Categories of personal data: As determined by the Customer’s configuration of the Service under the Agreement.
Special categories of personal data: None are expected.
Duration and frequency of the processing: The processing will occur on a continuous basis until the term as defined in Section 5 and is determined by the Customer’s configuration of the Service.
Subject-matter and nature of processing: DOJO AI’s processing of Customer Data in the context of the Service, which may include automated and/or manual collection, analysis, verification, storage, aggregation, de-identification (including pseudonymization and anonymization) and structuring of Customer Data, and as otherwise described or implied in the Terms and in this DPA.
Purpose: Delivering the Service requested by the Customer, providing customer support, verifying or maintaining the quality, security, and integrity of the Service, and identifying and correcting any bugs/errors or inefficiencies that negatively affect the Service’s functionality.
Duration: In line with the Agreement, plus retention periods specified in Section 5.
Annex II (TRANSFER DETAILS)
1. EU Standard Contractual Clauses (MODULE FOUR – transfer from DOJO AI as processor to the Customer as controller)
a) Clause 7 (Docking clause): not applicable.
b) Clause 11 (Redress): without optional wording.
c) Clause 17 (Governing Law): The law of Portugal applies.
d) Clause 18 (Choice of forum and jurisdiction): Courts of Portugal will have jurisdiction.
e) Annex I, Part A (List of parties): the data exporter’s (DOJO AI) and the data importer’s (the Customer) relevant contact details, including contact person’s name, position and contact details, the data protection officer’s name and contact details (if applicable) and (if relevant) the representative’s contact details are included in the Agreement, are otherwise publicly available or will be disclosed to the other party upon request.
f) Annex I, Part B (Description of transfer): Categories of data subjects and of personal data – see Annex I to this DPA.
g) Annex I, Part C (Competent supervisory authority): Comissão Nacional de Proteção de Dados (Portugal).
h) Annex II (Technical and organizational measures): If applicable, see Annex III to this DPA.
Annex III (SECURITY MEASURES)
Technical Measures:
Encryption: AES-256 at rest, TLS 1.2+ in transit.
Access Control: Role-based permissions, MFA for administrative access where appropriate, API key management.
Network Security: VPC isolation, firewall rules, DDoS protection.
Data Segregation: Logical separation per customer, isolated processing environments.
Monitoring: Centralized logging to observability providers (18-month retention for LangSmith/Pydantic Logfire operational data).
Organizational Measures:
Background checks for employees with data access where legally permitted.
Security training upon hiring and periodically thereafter.
Incident response procedures.
Security reviews as appropriate.
Secure development practices including code review.
Confidentiality agreements for all personnel with data access.
Note: Security measures will be enhanced as the company scales and may be updated periodically to reflect industry best practices.
Annex IV (AUTHORIZED SUB-PROCESSORS)
| Entity | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services | Infrastructure (EU-West-1) | Ireland | (EU data residency) |
| Fivetran | Data integration and ETL | EU/USA | Standard Contractual Clauses |
| Anthropic | AI language processing | USA | Standard Contractual Clauses |
| OpenAI | AI language processing | USA | Standard Contractual Clauses |
| | AI language processing | USA/EU | Standard Contractual Clauses |
| LangSmith | Application observability | USA/EU | Standard Contractual Clauses |
| Pydantic Logfire | Service monitoring | EU | (EU data residency) |
Note: All AI service providers are contractually prohibited from using Customer Data to train their models. Additional Sub-processors may be added in accordance with Section 6.