Data Processing Agreement
This DPA forms part of the Customer Agreement between Neuravant AI Limited ("Processor") and the Customer ("Controller") where personal data is processed on behalf of the Controller. It satisfies Art. 28 GDPR (EU 2016/679) and Art. 28 UK GDPR. Version 1.0 · April 2026.
1. Definitions
Capitalised terms not defined herein have the meaning given in the Customer Agreement or the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data Breach" have the meaning given in Art. 4 GDPR.
2. Scope & Roles
The Controller determines the purposes and means of processing. Neuravant AI Limited acts as Processor. For certain processing activities incidental to operating NAIL (billing, account administration, product telemetry), Neuravant AI Limited acts as independent Controller and the terms of our Privacy Policy apply.
3. Subject Matter, Duration, Nature & Purpose of Processing
- Subject matter: provision of the NAIL Platform (AI agent certification, auditing, monitoring, reporting).
- Duration: for the term of the Customer Agreement and a 30-day post-termination retention window for forensic export (Art. 6(1)(f) legitimate interest).
- Nature & purpose: submission, storage, analysis, and reporting of AI-agent configuration, prompts, and operational telemetry supplied by the Controller.
- Types of Personal Data: Customer account data (name, email, role); end-user identifiers if present in submitted logs (typically scrubbed by the NAIL SDK via a local Presidio pipeline before upload).
- Categories of Data Subjects: Customer's employees, contractors, and end-users.
4. Processor Obligations (Art. 28(3) GDPR)
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including transfers to third countries (unless required by law).
- Ensure all personnel authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures as described in Annex II.
- Engage Sub-processors only under the conditions of Section 5 below.
- Taking into account the nature of processing, assist the Controller by appropriate measures with Data Subject requests (Art. 15–22).
- Assist the Controller in ensuring compliance with Art. 32–36 (security, breach notification, DPIA, prior consultation).
- At the Controller's choice, delete or return all Personal Data after the end of provision, unless law requires storage.
- Make available all information necessary to demonstrate compliance and allow audits (Section 7).
5. Sub-processors
The Controller grants general authorisation for the engagement of Sub-processors listed at neuravant.ai/sub-processors. Neuravant AI Limited shall provide at least 30 days' prior notice of any intended addition or replacement, giving the Controller the opportunity to object on reasonable grounds. If the parties cannot reach agreement within 14 days, the Controller may terminate the affected Services without penalty.
Neuravant AI Limited imposes on each Sub-processor the same data-protection obligations as set out in this DPA, by written contract.
6. International Transfers
Personal Data is stored and processed in the European Economic Area (Google Cloud europe-west3, Frankfurt, Germany), as described in our Data Residency statement.
Where transfer outside the EEA/UK is necessary (e.g. engineering support from the UK entity), the transfer relies on:
- UK Addendum to the EU Standard Contractual Clauses (Module 2, Controller to Processor) for EU to UK flows;
- The EU Commission's 2021/914 SCCs (Modules 2 and 3) for any residual non-EEA transfer, together with a Transfer Impact Assessment (TIA).
Copies of executed SCCs are available to the Controller on request at legal@neuravant.ai.
7. Audit Rights
The Processor shall make available on request, at most once per year and free of charge, the following evidence of compliance:
- ISO 27001 / SOC 2 Type II attestation reports (once obtained);
- The Processor's security and compliance posture via written questionnaire response;
- Policy and procedure excerpts relevant to the Services.
On-site audits may be requested with 30 days' written notice and will be conducted during business hours, by a mutually-agreed auditor bound by confidentiality, at the Controller's expense, subject to not disrupting operations or breaching obligations to other customers.
8. Personal Data Breach Notification
Neuravant AI Limited shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Controller Personal Data, together with:
- the nature of the breach, categories and approximate numbers of Data Subjects / records affected,
- the likely consequences,
- the measures taken or proposed to address the breach and mitigate adverse effects,
- the name and contact details of our DPO / privacy contact (privacy@neuravant.ai).
9. Return and Deletion
On termination, Personal Data is deleted within 30 days and purged from backups within 90 days, unless EU, Member State or UK law requires retention. On written request before deletion, the Processor provides an export in JSON and Parquet formats.
10. Liability & Conflict
In case of conflict, the order of precedence is: (1) the SCCs where applicable; (2) this DPA; (3) the Customer Agreement. Liability is governed by the Customer Agreement and not otherwise affected by this DPA.
Annex I – Processing Details
As set out in Section 3 above. Controllers may supplement via order form or DPIA documentation.
Annex II – Technical & Organisational Measures (TOM)
- Encryption in transit: TLS 1.3 for all API and UI traffic; HSTS preload.
- Encryption at rest: AES-256 (Google Cloud KMS, customer-managed key option on Enterprise tier).
- Access control: role-based access, least privilege, SSO/SAML (Enterprise), mandatory 2FA on admin accounts.
- Key management: Google Cloud KMS; rotation every 90 days; HMAC-SHA256 signing for audit chain.
- PII minimisation: NAIL SDK performs local Presidio-based scrubbing (<PERSON>, <EMAIL>, <ACCOUNT_NUM>) before any network egress.
- Audit logging: SHA-256 hash-chained event log; append-only; exportable to Customer on request.
- Monitoring: Google Cloud SCC + custom anomaly detection; 24/7 on-call rotation.
- Business continuity: multi-zone deployment within europe-west3; RPO 15 min; RTO 4 h.
- Vulnerability management: monthly dependency scanning, quarterly penetration testing.
- Personnel: background checks, mandatory security training, NDAs, enforced at-rest device encryption.
- Incident response: documented playbook; 72-hour breach notification SLA.
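The "SHA-256 hash-chained event log" and "HMAC-SHA256 signing for audit chain" measures above describe a mechanism a Controller may want to verify for itself on an exported log. The following is an added illustration written for this page, not the NAIL SDK's or platform's own code: the record layout (`seq`, `prev`, `event`, `hash`, `sig`), the all-zero genesis value, the signing key and the sample events are all constructed assumptions. It shows what each check catches: an edited record breaks the hash link, re-linking the chain without the key breaks the HMAC, and silently dropping records from the tail is only detectable if the Controller holds an externally anchored head hash.

```python
"""Hash-chained, HMAC-signed append-only audit log (illustrative, not NAIL code)."""
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # assumed previous-hash value for the first entry

# Constructed sample events; the field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T09:00:00Z", "actor": "alice@example.com", "action": "agent.certify", "agent_id": "agt-001"},
    {"ts": "2026-04-01T09:05:00Z", "actor": "bob@example.com", "action": "policy.update", "agent_id": "agt-001"},
    {"ts": "2026-04-01T09:07:00Z", "actor": "alice@example.com", "action": "agent.revoke", "agent_id": "agt-001"},
]
KEY = b"demo-signing-key-not-for-production"  # constructed; a real deployment would hold this in KMS


def canonical(obj: Dict[str, Any]) -> bytes:
    # Deterministic serialisation so the same event always hashes to the same bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, seq: int, event: Dict[str, Any]) -> str:
    # Chain link: SHA-256 over the previous link, the position and the event itself
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(str(seq).encode())
    h.update(canonical(event))
    return h.hexdigest()


def sign(key: bytes, link: str) -> str:
    # Per-entry HMAC-SHA256 over the link hash; recomputing SHA-256 links is not enough without the key
    return hmac.new(key, link.encode(), hashlib.sha256).hexdigest()


def append_event(chain: List[Dict[str, Any]], key: bytes, event: Dict[str, Any]) -> Dict[str, Any]:
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    h = link_hash(prev, seq, event)
    rec = {"seq": seq, "prev": prev, "event": event, "hash": h, "sig": sign(key, h)}
    chain.append(rec)
    return rec


def verify_chain(chain: List[Dict[str, Any]], key: bytes,
                 anchored_head: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain from genesis; return (ok, reason). Uses constant-time comparisons."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            return False, f"sequence gap at position {i}"
        if rec["prev"] != prev:
            return False, f"broken link at seq {i}"
        if not hmac.compare_digest(link_hash(prev, i, rec["event"]), rec["hash"]):
            return False, f"hash mismatch at seq {i}"
        if not hmac.compare_digest(sign(key, rec["hash"]), rec["sig"]):
            return False, f"bad signature at seq {i}"
        prev = rec["hash"]
    # Truncation is invisible to the chain alone: only an externally held head hash reveals it
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return False, "head does not match anchored value (tail records removed?)"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Build a chain from the sample events and show what each tampering attempt triggers."""
    chain: List[Dict[str, Any]] = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, KEY, ev)
    head = chain[-1]["hash"]  # the value the Controller would keep out-of-band
    results = {"intact": verify_chain(chain, KEY, head)}

    edited = copy.deepcopy(chain)           # change one event in place
    edited[1]["event"]["action"] = "policy.noop"
    results["edited"] = verify_chain(edited, KEY, head)

    relinked = copy.deepcopy(chain)         # change an event and recompute links, but without the key
    relinked[1]["event"]["action"] = "policy.noop"
    prev = relinked[0]["hash"]
    for rec in relinked[1:]:
        rec["prev"], rec["hash"] = prev, link_hash(prev, rec["seq"], rec["event"])
        prev = rec["hash"]
    results["relinked_without_key"] = verify_chain(relinked, KEY, head)

    truncated = chain[:-1]                  # drop the latest record
    results["truncated_unanchored"] = verify_chain(truncated, KEY)
    results["truncated_anchored"] = verify_chain(truncated, KEY, head)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:22s} ok={ok} {reason}")
```

The last two results are the practical caveat: an exported chain that verifies cleanly proves nothing about records removed from its end, so a Controller relying on the "exportable to Customer on request" measure should periodically record the current head hash (or have it signed and delivered) and verify later exports against it.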
Annex III – Sub-processors
See neuravant.ai/sub-processors.
Acceptance
This DPA is automatically incorporated by reference into the Customer Agreement. A counter-signed version is available on request at legal@neuravant.ai.