Data Processing Agreement
Last Updated: April 3, 2026
1. Scope and Execution
This Data Processing Agreement ("DPA") is entered into between the customer identified in the account registration record (the "Controller" or "Customer") and IS NOT AI LLC, a Delaware limited liability company, 7014 E Camelback Rd B100A, Scottsdale, Arizona 85251, United States ("NotAI" or the "Processor"). Controller and Processor are individually a "Party" and collectively the "Parties."
Execution. This DPA is executed when the Controller clicks the "I have read and agree to the Terms of Service, Privacy Policy, and Data Processing Agreement" acceptance box during account registration at dash.isnotai.com/signup, or when the Controller otherwise executes this DPA by electronic or written signature. The click-through acceptance constitutes the written contract required by Article 28(9) of Regulation (EU) 2016/679 (the "GDPR") and the corresponding provision of the UK GDPR. The Parties agree that electronic acceptance and electronic signature are effective and satisfy Article 28(9), Article 46, and all applicable writing requirements.
Relationship to the Terms of Service. This DPA is incorporated into and forms part of the NotAI Terms of Service (the "Agreement") and supplements the Agreement. In the event of any conflict between this DPA and the Agreement with respect to the subject matter of this DPA, this DPA controls. In the event of any conflict between this DPA and the NotAI Privacy Policy with respect to the processing of Controller Personal Data (as defined below), this DPA controls.
Applicability. This DPA applies to NotAI's Processing of Controller Personal Data to provide the Services (as defined in the Agreement) where such Processing is subject to the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection of 25 September 2020 (the "nFADP"), Brazil's Lei Geral de Proteção de Dados (Law No. 13,709/2018, the "LGPD"), the California Consumer Privacy Act as amended by the California Privacy Rights Act (the "CCPA/CPRA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, the Iowa Consumer Data Protection Act, the Delaware Personal Data Privacy Act, the New Hampshire Data Privacy Act, the New Jersey Data Privacy Act, the Nebraska Data Privacy Act, the Tennessee Information Protection Act, the Minnesota Consumer Data Privacy Act, the Maryland Online Data Privacy Act, the Indiana Consumer Data Protection Act, the Kentucky Consumer Data Protection Act, the Rhode Island Data Transparency and Privacy Protection Act, or any other applicable data protection or privacy law (collectively, "Data Protection Laws").
2. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. The following additional terms apply:
- "Controller Personal Data" means Personal Data that NotAI Processes on behalf of the Controller in the course of providing the Services.
- "Personal Data," "Processing," "Data Subject," "Controller," "Processor," "Personal Data Breach," and "Supervisory Authority" have the meanings given in Article 4 of the GDPR.
- "EEA" means the European Economic Area.
- "EU SCCs" means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Modules Two and Three as applicable, as amended or replaced from time to time.
- "UK IDTA" means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner's Office under section 119A of the UK Data Protection Act 2018, as amended or replaced from time to time.
- "Sub-processor" means any third party engaged by NotAI to Process Controller Personal Data.
- "Service Provider" has the meaning given in the CCPA/CPRA.
3. Roles of the Parties
With respect to Controller Personal Data, the Controller is the "controller" (or "business" under the CCPA/CPRA) and NotAI is the "processor" (or "service provider" under the CCPA/CPRA). NotAI Processes Controller Personal Data only on behalf of and on the documented instructions of the Controller.
Where NotAI collects Personal Data directly from an individual interacting with NotAI (for example, a prospective customer sending an enquiry to our support address, or an employee of the Controller accessing the NotAI dashboard), NotAI acts as an independent Controller of that Personal Data, and the NotAI Privacy Policy, not this DPA, governs that Processing.
4. Details of Processing (Annex 1)
The subject matter, duration, nature and purpose of the Processing, the types of Personal Data Processed, and the categories of Data Subjects are set out in Annex 1 to this DPA.
5. NotAI's Obligations under Article 28(3)
5.1 Documented Instructions (Art. 28(3)(a))
NotAI shall Process Controller Personal Data only on the Controller's documented instructions, including with regard to transfers of Controller Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which NotAI is subject. In such a case, NotAI shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Controller's documented instructions are those set out in the Agreement, this DPA (including Annex 1), and any subsequent instructions that the Controller issues in writing (including by email or through the NotAI dashboard).
5.2 Confidentiality of Personnel (Art. 28(3)(b))
NotAI shall ensure that persons authorised to Process Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. NotAI binds all personnel with access to Controller Personal Data by written confidentiality agreements that survive the termination of their engagement with NotAI, and limits access to Controller Personal Data to personnel who have a need to know for purposes of providing the Services.
5.3 Security of Processing (Art. 28(3)(c) and Art. 32)
NotAI shall implement and maintain the technical and organisational measures set out in Annex 2 to this DPA, which are designed to satisfy Article 32 of the GDPR and comparable Data Protection Laws, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons. NotAI may update Annex 2 from time to time, provided that such updates do not materially diminish the protection afforded to Controller Personal Data.
5.4 Engagement of Sub-processors (Art. 28(3)(d), Art. 28(2), Art. 28(4))
The Controller provides general written authorisation under Article 28(2) for NotAI to engage Sub-processors, subject to this Section 5.4. NotAI maintains a current list of Sub-processors at Annex 3 and at isnotai.com/privacy Section 5. NotAI will notify the Controller of any intended addition or replacement of Sub-processors at least thirty (30) days in advance by posting an update to Annex 3 and, where the Controller has subscribed to sub-processor change notifications, by email. The Controller may object to such a change on reasonable data-protection grounds within fifteen (15) days of notification, in which case the Parties will work in good faith to resolve the objection; if the Parties cannot resolve the objection, the Controller may terminate the Agreement with respect to the affected Services without penalty.
NotAI shall impose on each Sub-processor, by way of a written contract, data protection obligations that are at least as protective as those set out in this DPA, including (where relevant) the same Article 28(3) obligations and the same international transfer safeguards. NotAI remains fully liable to the Controller for the performance of each Sub-processor's obligations.
Statutory conversion of NotAI. A statutory conversion, domestication, or other change of entity form of NotAI (including a conversion under 6 Del. C. § 18-214) does not, in itself, constitute the engagement, addition, or replacement of a Sub-processor for purposes of this Section 5.4 and does not trigger the notice or objection rights set out in the preceding paragraphs. On any such conversion: (i) the converted entity is, by operation of 6 Del. C. § 18-214(f) (and the equivalent provisions of the law of any other jurisdiction to or from which the conversion occurs), deemed to be the same entity as NotAI for all purposes of the laws of the State of Delaware (and equivalent purposes under the law of any such other jurisdiction) and succeeds to all of NotAI's obligations under this DPA, including the Article 28 flow-down obligations imposed by this Section 5.4 on Sub-processors; (ii) each Sub-processor contract in effect immediately before the conversion continues in effect with the converted entity without further action of the Parties; and (iii) the converted entity remains fully liable to the Controller for the performance of each Sub-processor's obligations on the same basis as NotAI prior to the conversion. NotAI will, however, notify the Controller of any such conversion as part of the notice required under Section 15 of the Privacy Policy and Section 15 of the Terms of Service.
5.5 Assistance with Data Subject Rights (Art. 28(3)(e))
Taking into account the nature of the Processing, NotAI shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising rights under Chapter III of the GDPR and comparable rights under other Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, objection, and rights concerning automated decision-making). Where NotAI receives a Data Subject request directly, NotAI shall, unless prohibited by law, promptly forward the request to the Controller and shall not itself respond except on the Controller's documented instructions.
5.6 Assistance with Articles 32 through 36 (Art. 28(3)(f))
Taking into account the nature of Processing and the information available to NotAI, NotAI shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 through 36 of the GDPR, including (a) Article 32 security, (b) Article 33 and 34 Personal Data Breach notification to Supervisory Authorities and Data Subjects, (c) Article 35 data protection impact assessments, and (d) Article 36 prior consultation with Supervisory Authorities. NotAI's assistance includes providing the Controller with the information and documentation reasonably required to complete a data protection impact assessment for the Services.
5.7 Return or Deletion on Termination (Art. 28(3)(g))
On termination or expiry of the Agreement, or at the Controller's earlier written election, NotAI shall, at the Controller's choice, either (i) return all Controller Personal Data to the Controller in a commonly used electronic format, or (ii) delete all Controller Personal Data, and delete existing copies unless Union or Member State law requires storage of the Personal Data. Deletion of live (production) Personal Data shall be completed within thirty (30) days of termination or the Controller's election, whichever is earlier. Encrypted backup copies that cannot be selectively deleted shall be expunged on the next regularly scheduled backup-rotation cycle, and in any event within ninety (90) days, during which period such copies are isolated from active processing, remain protected by the technical and organisational measures in Annex 2, and may not be restored to live systems for any purpose other than disaster recovery affecting the Controller's own data. NotAI shall provide written certification of deletion on request. This obligation extends to Personal Data held by Sub-processors.
5.8 Audits and Information Rights (Art. 28(3)(h))
NotAI shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. NotAI's audit cooperation is discharged in the following order: (a) NotAI shall make available, on request, NotAI's most recent SOC 2 Type II report, ISO/IEC 27001 certification (where applicable), and penetration-test summary, subject to reasonable confidentiality protections; (b) where the Controller has a documented regulatory or contractual audit requirement that the documentation in (a) does not satisfy, NotAI shall cooperate in good faith with a reasonable, pre-agreed, on-site or remote audit conducted no more than once per calendar year (absent a Personal Data Breach or a supervisory-authority instruction), during normal business hours, on at least thirty (30) days' prior written notice, and subject to a mutually acceptable confidentiality agreement; and (c) the Controller shall bear its own costs and NotAI's reasonable costs of such an on-site audit, save where the audit reveals a material breach by NotAI, in which case NotAI shall bear its own costs. Nothing in this Section limits the audit and information rights of Supervisory Authorities.
5.9 Notice of Infringing Instructions (Art. 28(3), final sentence)
NotAI shall immediately inform the Controller if, in NotAI's opinion, an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions, or any other applicable Data Protection Law. NotAI may, pending resolution of the matter, suspend Processing under the instruction without liability to the Controller.
6. Controller Obligations
The Controller warrants and represents that (a) the Controller has the legal authority and all necessary consents, rights, and bases to disclose Controller Personal Data to NotAI for Processing under the Agreement and this DPA; (b) the Controller's instructions to NotAI comply with all applicable Data Protection Laws; (c) the Controller has provided all notices and obtained all consents required to enable NotAI to Process Controller Personal Data for the purposes set out in Annex 1; and (d) the Controller is solely responsible for the accuracy, quality, and legality of Controller Personal Data and the means by which the Controller acquired Controller Personal Data.
7. International Data Transfers
7.1 Transfer Mechanisms
To the extent that NotAI Processes Controller Personal Data originating from the EEA, the United Kingdom, or Switzerland in a country that is not the subject of an adequacy decision under the applicable law, the Parties rely on the following transfer mechanisms: (a) the EU SCCs, the UK IDTA, and the Swiss equivalent are incorporated into this DPA by reference and are the primary mechanism for transfers to NotAI, as set out in Section 7.2 and Annex 4; and (b) where a Sub-processor located in the United States is itself self-certified under the EU-US Data Privacy Framework (the "EU-US DPF"), the UK Extension to the EU-US DPF, or the Swiss-US DPF (collectively, the "DPF"), that Sub-processor's DPF certification may be relied upon as an additional transfer mechanism for the onward transfer to that Sub-processor in accordance with the European Commission's adequacy decision of 10 July 2023 and the corresponding UK and Swiss instruments. NotAI is not currently self-certified under the DPF; if NotAI becomes self-certified, NotAI will update this DPA and the NotAI Privacy Policy accordingly.
Remote access by authorised NotAI or Sub-processor personnel located outside the Controller's selected region for support, incident response, or security investigation is treated as a transfer for GDPR Chapter V purposes and is covered by the mechanisms set out in this Section 7, consistent with EDPB Guidelines 05/2021 on the Interplay between the Application of Article 3 and the Provisions on International Transfers of Chapter V of the GDPR.
7.2 EU SCCs, UK IDTA, Swiss Transfers
EU SCCs. The Parties agree that the EU SCCs, Module Two (controller-to-processor), are incorporated into this DPA by reference and are deemed executed by the Parties on the effective date of this DPA, with the elections and parameters set out in Annex 4. To the extent NotAI engages a Sub-processor to Process Controller Personal Data, Module Three (processor-to-processor) of the EU SCCs is similarly incorporated between NotAI and the Sub-processor on the terms set out in Annex 4, and the Controller authorises NotAI to enter into Module Three in the Controller's name for that purpose.
UK IDTA. For transfers subject to the UK GDPR, the UK IDTA is incorporated into this DPA by reference and is deemed executed by the Parties on the effective date of this DPA, with the information required by Part 1 of the UK IDTA set out in Annex 4.
Swiss transfers. For transfers subject to the nFADP, the Parties rely on the EU SCCs as amended as follows: references to the GDPR are read as references to the nFADP where the latter applies; the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner; and the governing law is Swiss law for purposes of Clause 17 of the EU SCCs to the extent required by the Swiss Federal Data Protection and Information Commissioner.
7.3 Precedence
In the event of a conflict between this DPA and the EU SCCs or the UK IDTA, the EU SCCs or the UK IDTA (as applicable) shall prevail with respect to the transfer of Controller Personal Data from the EEA, the United Kingdom, or Switzerland.
8. Personal Data Breach Notification
NotAI shall notify the Controller without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Controller Personal Data. The notification shall include, to the extent known at the time of notification and updated as further information becomes available: (a) the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the Personal Data Breach; (c) the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects; and (d) the name and contact details of NotAI's data protection officer or other point of contact.
NotAI shall cooperate with the Controller and provide reasonable assistance in the Controller's notification obligations to Supervisory Authorities under Article 33 of the GDPR, to affected Data Subjects under Article 34 of the GDPR, and in corresponding obligations under other Data Protection Laws, including (without limitation) Article 24 of the revised Swiss Federal Act on Data Protection, California Civil Code § 1798.82, the New York SHIELD Act (N.Y. Gen. Bus. Law § 899-aa and § 899-bb), Florida Statutes § 501.171, Texas Business & Commerce Code § 521.053, Colorado Revised Statutes § 6-1-716, Illinois 815 ILCS 530/10, Massachusetts General Laws ch. 93H § 3, Washington Revised Code § 19.255.010, Maine Revised Statutes tit. 10 § 1348, and comparable statutes in other US states. NotAI's assistance under this Section extends to the Controller's notifications to affected Data Subjects, state attorneys general, state police (where required, including under the New York SHIELD Act), and consumer reporting agencies (where required).
9. CCPA/CPRA Service-Provider Terms
To the extent NotAI Processes Personal Information (as defined in the CCPA/CPRA) on behalf of a Controller that is a "business" under the CCPA/CPRA, NotAI acts as a "Service Provider" and commits that: (a) NotAI shall not Sell or Share (as those terms are defined in the CCPA/CPRA) Personal Information; (b) NotAI shall not retain, use, or disclose Personal Information outside of the direct business relationship between NotAI and the Controller, or for any Commercial Purpose other than providing the Services specified in the Agreement; (c) NotAI shall not combine Personal Information received under the Agreement with Personal Information from other sources, except as permitted by 11 CCR § 7050(b); (d) NotAI certifies that it understands and will comply with these restrictions; and (e) NotAI shall notify the Controller if NotAI determines it can no longer meet its Service-Provider obligations, and on such notification the Controller may take reasonable and appropriate steps to stop and remediate unauthorised use of Personal Information.
10. Liability
Each Party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set out in the Agreement, including the Data Protection Cap and the carve-outs set out in Terms of Service Section 10. Nothing in this DPA or in the Agreement limits either Party's liability to Data Subjects under Article 82 of the GDPR or to Supervisory Authorities.
11. Term, Termination, Order of Precedence
This DPA takes effect on the date it is executed as set out in Section 1 and continues in force until the earlier of (a) the termination or expiry of the Agreement and completion of NotAI's obligations under Section 5.7, and (b) the Parties' written agreement to terminate this DPA.
Order of precedence. In the event of conflict, the order of precedence is (i) the EU SCCs and the UK IDTA (for transfers within their scope); (ii) this DPA; (iii) the Agreement; (iv) the Privacy Policy.
12. Governing Law
This DPA is governed by, and construed in accordance with, the governing-law provision of the Agreement, save that (a) the EU SCCs are governed by the law of the EEA Member State identified in Annex 4, and (b) the UK IDTA is governed by the law of England and Wales.
13. Contact
Notices under this DPA should be sent to:
- NotAI Privacy Team: [email protected]
- NotAI Legal Team: [email protected]
- Mail: IS NOT AI LLC, Attn: Privacy, 7014 E Camelback Rd B100A, Scottsdale, Arizona 85251, United States
- EU Representative (GDPR Art. 27): as identified in Privacy Policy Section 16
- EU Data Protection Officer: as identified in Privacy Policy Section 16
- UK Representative (UK GDPR Art. 27): as identified in Privacy Policy Section 16
Annex 1. Details of Processing
A. Subject Matter and Duration
Subject matter. Provision of the Services, being NotAI's authorship verification and AI-agent detection platform, including collection and analysis of behavioral signals during text composition, generation of confidence scores and associated reports, and associated account, billing, and support operations.
Duration. For the term of the Agreement, plus the period required to complete return or deletion under Section 5.7.
B. Nature and Purpose
Processing is carried out for the purpose of providing the Services to the Controller, including detection of automated agents and verification of human authorship in text submitted through the Controller's digital systems; generation of confidence scores and reviewer reports; provision of the NotAI dashboard and API; support and troubleshooting; billing; compliance with applicable law; and, in aggregated and de-identified form only, improvement of the Services as described in Privacy Policy Section 3.
C. Types of Personal Data
- Behavioral session data (keystroke-timing sequences, cursor-movement dynamics, scroll and click telemetry, paste events, focus/blur transitions, and related session metadata);
- Device and connection metadata (IP address, user-agent string, browser fingerprint, WebDriver and automation-framework signatures);
- Institution-provided identity fields (student, instructor, or user identifier; assignment or session identifier; roster-group identifier), where the Controller chooses to provide them;
- Account information for the Controller's users of the NotAI dashboard (name, email, role).
Processing of special categories of Personal Data (Article 9 of the GDPR) is not intended and is limited to (i) behavioral signals where those signals are treated as special category data under Article 9(1) in reliance on the Controller's Article 9(2) basis, as described in Privacy Policy Section 13.7, or (ii) where the Controller otherwise elects to submit such data to the Services on documented instructions.
D. Categories of Data Subjects
- End users of the Controller's digital systems, including students, applicants, candidates, employees, and website visitors, whose text composition is analysed by the Services;
- Authorised users of the NotAI dashboard and API who act on behalf of the Controller.
E. Frequency and Duration of Transfer
Continuous for the duration of the Services.
F. Competent Supervisory Authority (EU SCCs Annex I.C)
The competent Supervisory Authority is determined in accordance with Clause 13 of the EU SCCs. Where the Controller is established in the EEA, the Supervisory Authority is the Supervisory Authority of the Member State in which the Controller is established. Where the Controller is not established in the EEA but falls within the territorial scope of the GDPR under Article 3(2) and has appointed a representative under Article 27, the Supervisory Authority is the Supervisory Authority of the Member State in which the representative is established. In any other case, the Supervisory Authority is the Irish Data Protection Commission.
Annex 2. Technical and Organisational Measures
NotAI implements and maintains the following technical and organisational measures. NotAI may update these measures from time to time, provided that the updated measures do not materially diminish the protection afforded to Controller Personal Data.
- Encryption. AES-256 encryption at rest for all Controller Personal Data, with customer-managed keys held in Azure Key Vault. TLS 1.2 or higher (TLS 1.3 where supported) for all data in transit.
- Access control. Role-based access control and the principle of least privilege for all personnel. Multi-factor authentication required for administrative and privileged access. Authorized-personnel access is logged, reviewed, and revoked on role change or separation.
- Personnel security. All Processor employees and direct contractors with direct access to Controller Personal Data on or via the production Services have undergone a fingerprint-based criminal-history check, which includes a search of the U.S. Federal Bureau of Investigation Next Generation Identification ("NGI") database conducted through Arizona's fingerprint clearance card program under A.R.S. § 41-1758.01 et seq. (or a successor program of equivalent scope and stringency) for personnel resident in Arizona, or a comparable state-authorised program for personnel resident elsewhere, prior to being granted such access; criminal history is reviewed in accordance with applicable employment-screening laws. This requirement does not apply to professional service providers (such as outside accountants, attorneys, auditors, and similar advisers) who are bound by applicable professional-conduct confidentiality obligations and whose limited access to Personal Data, if any, is incidental to the provision of their professional services to NotAI rather than processing of Controller Personal Data on NotAI's behalf in the provision of the Services; such providers are not Sub-processors and are subject to written confidentiality agreements appropriate to the engagement. All such personnel are bound by written confidentiality obligations that survive termination of engagement. Sub-processor personnel are subject to the background-screening requirements set out in the applicable sub-processor agreement.
- Network and infrastructure security. Network segmentation, firewalls, web-application firewall, intrusion detection, continuous monitoring, and automated alerting. Production infrastructure is hosted on Microsoft Azure in the data-centre region selected by the Controller.
- Secure development lifecycle. Code review, automated static and dependency analysis, secret scanning, and pre-production vulnerability testing for every release. Annual third-party penetration testing.
- Pseudonymisation and data minimisation. Behavioral session data is stored under session identifiers that are not directly tied to end-user identity where the Controller has not elected to provide institution-provided identity fields.
- Resilience. Backup and disaster-recovery procedures, with documented Recovery Time Objective and Recovery Point Objective targets tested at least annually.
- Incident response. Documented incident-response plan, on-call rotation, tested breach-notification playbook, and post-incident review.
- Audit logging. Immutable audit logs of administrative access, Controller Personal Data access, configuration changes, and Sub-processor interactions, retained in accordance with applicable law and NotAI's information-security program.
- Data centre. Microsoft Azure data centres with physical access controls, redundant power, environmental monitoring, and attestations including ISO/IEC 27001, SOC 2 Type II, and applicable sector certifications.
- Deletion and return. Documented procedures for secure deletion on termination under Section 5.7, with verification and certification.
- Framework alignment. NotAI aligns its information-security program with the NIST Cybersecurity Framework 2.0 (published February 2024).
- Independent attestations. NotAI maintains its own SOC 2 Type II attestation, refreshed annually. The attestation report is available under NDA on request to [email protected].
Annex 3. Sub-processors
A current list of NotAI's Sub-processors is maintained at isnotai.com/privacy Section 5. By executing this DPA, the Controller provides general written authorisation under Article 28(2) for NotAI to engage those Sub-processors and any additional Sub-processors added in accordance with Section 5.4 of this DPA, subject to the Controller's right of objection.
Annex 4. EU SCCs and UK IDTA Completion
A. EU SCCs, Module Two (Controller to Processor)
| EU SCCs provision | Election or completion |
| --- | --- |
| Clause 7, Docking Clause | Included. |
| Clause 9(a), Sub-processors | Option 2 (general written authorisation), with a thirty (30) day prior-notice period as set out in Section 5.4 of this DPA. |
| Clause 11(a), Redress | The optional independent dispute-resolution body language is not included. |
| Clause 17, Governing Law | The governing law is the law of the Republic of Ireland. |
| Clause 18(b), Forum and Jurisdiction | The courts of the Republic of Ireland. |
| Annex I.A, Parties | Data exporter: the Controller, as identified in the NotAI account registration record. Data importer: IS NOT AI LLC, with the contact details in Section 13. |
| Annex I.B, Description of Transfer | As set out in Annex 1 of this DPA. |
| Annex I.C, Competent Supervisory Authority | As set out in Annex 1.F of this DPA. |
| Annex II, Technical and Organisational Measures | As set out in Annex 2 of this DPA. |
| Annex III, Sub-processors | As set out in Annex 3 of this DPA. |
Annex I.A, per-customer specificity. For the avoidance of doubt, the data exporter named in Annex I.A is the customer's signing entity as recorded in the customer's NotAI account registration and any executed Order Form. The exporter's notified contacts for the purposes of Clause 7 (Docking) and Clause 13 (Supervision) of the EU SCCs are the administrative and security contacts the customer has designated in its NotAI account; the customer may update those contacts at any time. NotAI, as data importer, is identified in Section 13 of this DPA. This per-customer identification satisfies the specificity requirement of Annex I.A without requiring a separate paper signature for each customer relationship.
B. EU SCCs, Module Three (Processor to Processor)
Module Three of the EU SCCs applies between NotAI (as intermediate processor) and each Sub-processor (as sub-processor), with elections and parameters that mirror Part A above to the extent applicable, and with Annex III completed to identify the Controller as the data exporter's controller.
C. UK IDTA
| UK IDTA table | Completion |
| --- | --- |
| Table 1, Parties | Exporter: the Controller. Importer: IS NOT AI LLC, as above. |
| Table 2, Selected SCCs, Modules, and Selected Clauses | This Agreement incorporates the EU SCCs and selects Module Two for controller-to-processor transfers and Module Three for processor-to-processor transfers as set out in this Annex 4. |
| Table 3, Appendix Information | As set out in Annex 1 (transfer details), Annex 2 (technical and organisational measures), and Annex 3 (Sub-processors) of this DPA. |
| Table 4, Ending this Addendum when the Approved Addendum Changes | Either Party may end the UK IDTA as set out in Section 19 of the IDTA. |