Teravexa Data Processing Addendum ("DPA")

      Last updated: 13 January 2026

      This Data Processing Addendum ("DPA") is entered into by and between:

      • The entity or person defined as "Client" under the Teravexa Terms of Service ("Client"), and
      • AI Boss Pty Ltd (ABN 65 685 702 345), a company registered in Victoria, Australia, operating the Teravexa service ("Teravexa", "we", "us", "our").

      Client and Teravexa are each a "Party" and together the "Parties".

      This DPA forms part of, and is subject to, the Teravexa Terms of Service ("Terms"). This DPA takes effect upon Client's acceptance of the Terms and continues in accordance with the Terms and this DPA.

      If there is a conflict between the Terms and this DPA, this DPA prevails with respect to data protection and privacy matters. If Standard Contractual Clauses apply (Section 7), the Standard Contractual Clauses prevail to the extent of any conflict with this DPA for international transfer compliance.

      1. Background

      1.1 Client has agreed to the Terms, under which Teravexa provides certain services to Client ("Services").

      1.2 When providing the Services, Teravexa may collect, access, or otherwise Process Personal Data of individuals ("Data Subjects") on behalf of Client. Unless otherwise agreed, Client acts as Controller and Teravexa acts as Processor for such Personal Data.

      1.3 This DPA specifies the Parties' obligations for Processing Personal Data under the Terms. It applies to all Processing by Teravexa (including its personnel and Sub-Processors) of Personal Data as Processor on behalf of Client.

      2. Definitions

      2.1 Capitalized terms not defined in this DPA have the meaning given in the Terms.

      2.2 "Controller" means the entity that determines the purposes and means of Processing Personal Data.

      2.3 "Processor" means the entity that Processes Personal Data on behalf of the Controller.

      2.4 "Data Protection Laws" means all applicable worldwide data protection and privacy laws and regulations relevant to the Processing under the Terms, including (as applicable):

      • EU GDPR (Regulation (EU) 2016/679) ("GDPR"),
      • UK GDPR and the UK Data Protection Act 2018 ("UK GDPR"),
      • Swiss Federal Data Protection Act ("Swiss DPA"),
      • California Consumer Privacy Act, as amended ("CCPA"),
      • Australia's Privacy Act 1988 (Cth) and the Australian Privacy Principles ("Australian Privacy Law"),
      • and any amendments, replacements, or re-enactments.

      2.5 "Data Subject" means the individual to whom Personal Data relates.

      2.6 "Personal Data" means any information relating to an identified or identifiable Data Subject contained within Client Data and protected as personal data/personal information under Data Protection Laws. For clarity, Personal Data includes "personal information" as defined under the Privacy Act 1988 (Cth) where Australian Privacy Law applies.

      2.7 "Processing" means any operation performed on Personal Data (e.g., collection, storage, access, use, disclosure, deletion). "Process/Processes/Processed" are interpreted accordingly.

      2.8 "Instructions" means Client's documented instructions to Teravexa regarding Processing, including instructions provided through Client's configuration and use of the Services.

      2.9 "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Teravexa and/or its Sub-Processors in connection with the Services. It excludes unsuccessful attempts that do not compromise security.

      2.10 "Sub-Processor" means any Processor engaged by Teravexa to assist in fulfilling its obligations to provide the Services.

      2.11 "Standard Contractual Clauses" or "SCCs" means:

      • the EU standard contractual clauses in Commission Decision 2021/914 (modules as applicable) ("EU SCCs"), and
      • the UK International Data Transfer Addendum to the EU SCCs (or other valid UK transfer mechanism) ("UK Addendum"),
      • each as updated or replaced.

      2.12 "Third Country" means any country outside the EEA and/or UK (as applicable) that is not recognized as providing adequate protection under applicable Data Protection Laws.

      3. Details of Processing

      3.1 Purpose of Processing. Subject to Section 5.1, Teravexa will Process Personal Data only to provide, maintain, secure, and support the Services, and as otherwise permitted by the Terms and this DPA. Teravexa will Process Personal Data in accordance with the Terms and reasonable Instructions that do not conflict with Data Protection Laws or this DPA.

      3.2 Nature of Processing. Teravexa is a cloud-based SaaS platform for document creation/management with AI-powered tools and templates. Processing may include:

      • hosting, storage, backup, and retrieval of Client Data;
      • generating Outputs requested by users (including via AI functionality where enabled);
      • user authentication, authorization, and account administration;
      • customer support and troubleshooting;
      • monitoring and abuse prevention; and
      • disclosures as required by law.

      3.3 Controller Instructions. The Parties agree that the Terms and Client's use of the Services constitute Client's complete Instructions. Instructions outside the scope of the Services require prior written agreement.

      3.4 Categories of Data Subjects. Depending on Client's use, Data Subjects may include Client's users (employees/contractors), customers, prospects, vendors, business contacts, and any other individuals whose Personal Data Client includes in documents or uploads.

      3.5 Categories of Personal Data. Depending on Client's use, Personal Data may include:

      • name, title, email, phone, address, and other contact details;
      • document content and free-text notes created or uploaded by Client;
      • usage and device data (e.g., IP address, logs, timestamps);
      • account metadata (workspace/user IDs, roles, settings).

      Billing data: Teravexa uses Stripe for payment processing; payment card information is generally processed by Stripe, and Teravexa typically stores only limited billing metadata (e.g., subscription status, invoice identifiers), depending on configuration.

      3.6 Sensitive Information. The Parties do not anticipate Processing of special category/sensitive information unless explicitly agreed and supported. Client agrees not to upload Sensitive Information where prohibited by the Terms or applicable law.

      4. Client Obligations

      4.1 Compliance with Laws. Client is responsible for complying with Data Protection Laws applicable to Client as Controller, including for its collection and use of Personal Data and any Instructions issued to Teravexa.

      4.2 Client is solely responsible for:

      • the accuracy, quality, and legality of Personal Data and how it was obtained;
      • providing required notices and obtaining necessary consents/lawful bases;
      • ensuring it has the right to transfer Personal Data to Teravexa;
      • ensuring Instructions comply with Data Protection Laws; and
      • ensuring any document content and use of AI features complies with law and third-party rights.

      4.3 Client will inform Teravexa without undue delay if Client cannot comply with Section 4 or applicable Data Protection Laws.

      5. Teravexa Obligations

      5.1 Scope of Processing. Teravexa will Process Personal Data only on documented Instructions from Client, unless required by applicable law. Where legally permitted, Teravexa will inform Client of such legal requirement before Processing.

      5.2 Confidentiality. Teravexa ensures that persons authorized to Process Personal Data are subject to confidentiality obligations.

      5.3 Qualified Personnel. Teravexa will use personnel with appropriate training and access controls suitable for their role.

      5.4 Instructions to Personnel. Teravexa will ensure its personnel Process Personal Data only in accordance with the Terms, this DPA, and Client's Instructions.

      5.5 Notification of Violation. Teravexa will notify Client without undue delay if Teravexa believes an Instruction violates Data Protection Laws.

      5.6 Personal Data Breach (Australia–NDB Scheme) Notification and Cooperation. Teravexa will notify Client as soon as practicable after becoming aware of a suspected or confirmed Personal Data Breach affecting Personal Data Processed on Client's behalf, and will provide reasonable information and cooperation to support Client's compliance with applicable notification obligations (including the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), where applicable). The Parties will cooperate in good faith to determine scope, containment, remediation, and any required notifications. Teravexa's notification is not an admission of fault or liability.

      5.7 Third Parties. Teravexa will not disclose Personal Data to any third party except as permitted by the Terms/DPA (including Sub-Processors) or as required by law.

      5.8 Data Subject Requests. Taking into account the nature of Processing, Teravexa will provide reasonable assistance to Client to respond to Data Subject requests (access, deletion, correction, portability, objection). Where the Services provide self-service tools, Teravexa may satisfy this obligation by directing Client to those tools. If a Data Subject contacts Teravexa directly, Teravexa will direct them to Client where appropriate.

      5.9 Security. Teravexa will implement appropriate technical and organizational measures to protect Personal Data, as described in Annex 2.

      5.10 Deletion and Return. Upon termination of Services, Teravexa will, in accordance with Client's Instructions, delete or return Personal Data unless retention is required by law or retained in backups/archives for a limited period. Client may be able to export/delete data via self-service features.

      Default retention (may be adjusted by policy):

      • Account content: typically deleted within 30 days after account closure/termination (or after Client deletes it); and
      • Backups/archives: typically purged within 90 days thereafter.

      5.11 DPIAs and Prior Consultation. To the extent reasonably available and where Client lacks access to necessary information, Teravexa will provide reasonable assistance with DPIAs and prior consultations required under Data Protection Laws.

      6. Sub-Processors

      6.1 General Authorization. Client grants Teravexa general authorization to engage Sub-Processors.

      6.2 Authorized Sub-Processors. Teravexa maintains a list of Sub-Processors at https://teravexa.com/subprocessors (or will provide it on request). Common Sub-Processor categories may include hosting/infrastructure providers, email delivery, analytics, customer support tools, AI service providers (if enabled), and Stripe for payment processing.

      6.3 Notification of Changes. Teravexa will provide notice before appointing new Sub-Processors (e.g., via email or posting an update). Client may object on reasonable data protection grounds by notifying Teravexa at support@teravexa.com within 10 calendar days of notice.

      6.4 Objection Remedy. If Client objects, Teravexa will use commercially reasonable efforts to address the objection (e.g., configuration alternatives). If unresolved within 30 days, Client may terminate the affected Services and receive a pro-rata refund of prepaid fees for the unused portion of that paid period for the affected Services, unless prohibited by law or otherwise agreed.

      6.5 Flow-Down Terms. Teravexa will enter into written agreements with Sub-Processors imposing obligations no less protective than this DPA and will implement lawful international transfer mechanisms where required.

      6.6 Responsibility. Teravexa remains responsible for Sub-Processors' performance under this DPA, subject to the liability limitations in the Terms.

      7. Place of Processing and Data Transfers

      7.1 Places of Processing. Client acknowledges that Teravexa may Process Personal Data globally as necessary to provide the Services, including in Australia and in locations where Sub-Processors operate.

      7.2 Transfer Compliance. Each Party will ensure international transfers comply with Data Protection Laws (including GDPR Chapter V where applicable).

      7.3 EEA/UK/Swiss Transfers – SCCs. If Client (or Client's affiliates) transfers Personal Data subject to GDPR/UK GDPR/Swiss DPA to Teravexa in Australia or another Third Country requiring safeguards, the Parties agree that:

      • the EU SCCs (Module 2 Controller→Processor, and Module 3 Processor→Processor where applicable) are incorporated by reference and form part of this DPA; and
      • the UK Addendum is incorporated where UK GDPR applies.

      For SCC purposes:

      • Exporter: Client (Controller)
      • Importer: Teravexa (Processor)
      • Clause 9: Option 2 (general authorization) applies; notice period 10 days
      • Annex I (parties / processing description): as per this DPA (Sections 1–3)
      • Annex II (TOMs): as per Annex 2
      • Annex III (Sub-Processors): as per Section 6.2 (and Sub-Processor list URL)

      Default SCC selections:

      • EU SCC Clause 17 (governing law): Ireland
      • EU SCC Clause 18 (competent courts): Ireland

      7.4 Australian cross-border disclosures (APP 8). Where Client is an APP entity and discloses personal information to Teravexa and/or Teravexa's overseas Sub-Processors, the Parties acknowledge Client may be required to take reasonable steps to ensure overseas recipients do not breach the Australian Privacy Principles and that Client may remain accountable for certain overseas handling of personal information (including under section 16C of the Privacy Act 1988 (Cth)). Teravexa will maintain contractual measures with Sub-Processors intended to support Client's compliance with APP 8.

      8. Technical and Organizational Measures

      Teravexa will maintain appropriate technical and organizational measures designed to protect Personal Data. These are described in Annex 2 and may be updated over time, provided changes do not materially reduce protections.

      9. Audits

      Upon written request, Teravexa will provide information reasonably necessary to demonstrate compliance with this DPA. Where audit rights apply under Data Protection Laws, audits will be:

      • limited to once per 12-month period (unless a material incident justifies more),
      • subject to reasonable notice, scope, and confidentiality protections, and
      • conducted in a manner that avoids unreasonable disruption and protects security.

      Any third-party auditor must be bound by confidentiality obligations. Client will reimburse reasonable costs for any on-site audits if required.

      10. Liability

      The Parties' obligations and liability under this DPA are subject to the limitations of liability set out in the Terms, unless prohibited by applicable law.

      11. Miscellaneous

      11.1 Governing Law. This DPA is governed by the governing law specified in the Terms. If the Terms do not specify governing law, this DPA is governed by the laws of Victoria, Australia, and the Commonwealth of Australia, as applicable (excluding conflict of law rules), unless mandatory Data Protection Laws require otherwise for specific claims.

      11.2 Changes to the DPA. Teravexa may update this DPA where necessary to comply with Data Protection Laws, regulatory guidance, updated SCCs, or changes in processing practices. Updates take effect upon posting with a revised "Last updated" date, unless otherwise required by law.

      Annex 1 – Jurisdiction-Specific Requirements (California / CCPA)

      1. Applicability

      This Annex applies where Teravexa's Processing of Personal Data ("Personal Information" in this Annex) is subject to the CCPA.

      2. Roles

      Client is a Business and Teravexa is a Service Provider (and/or Processor), as applicable.

      3. CCPA-Specific Provisions

      3.1 Personal Information is disclosed for one or more Business Purposes and as permitted by the CCPA.

      3.2 Teravexa will not:

      • Sell or Share Personal Information;
      • Process Personal Information outside the direct business relationship except as permitted by law; or
      • Combine Personal Information from Client with Personal Information from other sources except as permitted by the CCPA (e.g., to perform Services, security, prevent fraud).

      3.3 Teravexa certifies it will:

      • comply with Service Provider obligations under the CCPA;
      • provide the same level of privacy protection required by the CCPA; and
      • notify Client if it can no longer meet its CCPA obligations.

      3.4 Teravexa will reasonably assist Client with Consumer requests to exercise rights under the CCPA to the extent applicable.

      3.5 Client may take reasonable steps to help ensure Teravexa processes Personal Information consistent with this Annex, consistent with Section 9.

      4. Conflict

      If this Annex conflicts with the DPA/Terms regarding CCPA Processing, this Annex controls to the extent of the conflict.

      Annex 2 – Technical and Organizational Measures (TOMs)

      Teravexa maintains an information security program designed to protect Personal Data and Client Data. Measures may include:

      1) Encryption and Transport Security

      • TLS/HTTPS for data in transit.
      • Encryption at rest for stored data where supported by underlying systems and configuration.
      • Secure management of secrets and keys.

      2) Access Controls

      • Role-based access control and least-privilege access.
      • Administrative access restricted, logged, and reviewed.
      • MFA for administrative/internal access where feasible.
      • Session controls and password policies.

      3) Monitoring, Logging, and Incident Response

      • Logging for key security and operational events.
      • Monitoring/alerting for suspicious activity.
      • Documented incident response procedures and escalation.

      4) Availability and Resilience

      • Backups and periodic restoration testing.
      • Business continuity and disaster recovery practices proportionate to the Service.
      • Controls to mitigate common web threats (e.g., rate limiting and firewall/WAF capabilities where applicable).

      5) Vulnerability and Change Management

      • Patch management for infrastructure and dependencies.
      • Vulnerability identification and remediation tracking.
      • Secure development practices where applicable (review, controlled deployments, separation of environments).

      6) Data Segregation and Minimization

      • Logical separation of customer workspaces/tenants.
      • Data minimization aligned to Service requirements.
      • Deletion and retention controls aligned with Section 5.10.

      7) Sub-Processor Security

      • Contractual flow-down requirements for security, confidentiality, breach notification, and deletion/return.
      • Reasonable vendor due diligence for material Sub-Processors.

      8) AI Feature Controls

      • Access controls to restrict who can use AI features.
      • Controls to limit exposure of Inputs/Outputs to necessary systems.
      • Contractual and technical controls with AI Sub-Processors (where used) to support confidentiality and permitted processing.
