Data Processing Addendum

This Data Processing Addendum (the "DPA") governs Stern Bench's processing of DPA Data that is required to provide Stern Bench Assistant under the serious pilot ring and that Stern Bench processes on Your behalf as a processor under the Platform Agreement or another written agreement between You and Stern Bench.

1. IMPORTANT TERMS

1.1. This DPA forms part of the applicable Terms only to the extent Stern Bench acts as a processor of DPA Data on Your behalf.

1.2. As between You and Stern Bench, You are the controller and Stern Bench is the processor with respect to DPA Data covered by this DPA.

1.3. Stern Bench acts as an independent controller with respect to:

• publicly sourced case law and judicial decisions that Stern Bench independently collects, processes, and makes available through the Service;
• Stern Bench's own operational, security, analytics, attribution, reliability, abuse-prevention, and similar processing described in the Privacy Policy that is not performed on Your behalf; and
• data processing carried out outside the scope of processor-role Paid Services or a written serious pilot arrangement.

1.4. Personal Data contained within DPA Data is limited to account information, persistent thread content, saved prompts, saved responses, saved assistant artifacts, exported artifacts, account-linked or workspace-linked materials, and other Personal Data that Stern Bench expressly agrees in writing to process on Your behalf in connection with Paid Services or a serious pilot arrangement. Where uploads are expressly enabled for the applicable serious pilot deployment, uploaded materials will also constitute DPA Data.

2. PROCESSING REQUIREMENTS

Stern Bench will:

• process DPA Data only on Your documented instructions and as necessary to provide the Service;
• promptly notify You if it cannot comply with the requirements of this DPA;
• promptly inform You if, in Stern Bench's opinion, an instruction infringes applicable data protection law; and
• ensure that all persons authorized to process DPA Data are subject to confidentiality obligations.

3. SUBPROCESSORS

3.1. Stern Bench may use subprocessors to provide the Service and will maintain a subprocessor list for subprocessors that process DPA Data.

3.2. Stern Bench will impose contractual obligations on subprocessors requiring them to provide an appropriate level of data protection and confidentiality for the data they process on Stern Bench's behalf.

3.3. Stern Bench will remain responsible for the acts and omissions of its subprocessors to the extent provided in the DPA and Platform Agreement.

4. NOTICE AND DATA SUBJECT REQUESTS

Stern Bench will inform You, to the extent legally permitted, if Stern Bench receives:

• a legally binding request for disclosure of DPA Data by a law enforcement authority;
• a notice, inquiry, or investigation by a supervisory authority with respect to DPA Data; or
• a complaint or request from a data subject exercising their rights under applicable data protection law with respect to DPA Data.

Other than to request further information or identify the data subject, Stern Bench will not respond to a data subject request without prior written authorization from You.

5. PERSONAL DATA BREACH

If Stern Bench experiences a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to DPA Data, Stern Bench will notify You without undue delay and, where applicable, within 72 hours of becoming aware of the breach.

6. SECURITY

Stern Bench will implement and maintain appropriate technical and organizational measures to protect against unauthorized or accidental access, loss, alteration, disclosure, or destruction of DPA Data, including measures relating to encryption in transit and at rest where supported by the applicable infrastructure, access controls, logging and monitoring appropriate to the Service, and incident response procedures.

7. CROSS-BORDER DATA TRANSFERS

Unless You and Stern Bench agree in writing to process and store DPA Data exclusively in a different geographic location, DPA Data may be processed in Canada, the United Kingdom, the United States, or other jurisdictions where Stern Bench's subprocessors operate, depending on the serious pilot architecture and provider stack used to provide the Service. Where the applicable pilot arrangement specifies a particular deployment region, Stern Bench will use commercially reasonable efforts to align the serious pilot deployment with that regional commitment.

Where DPA Data originating from the EEA, UK, or Switzerland is transferred to a jurisdiction that has not been deemed to provide an adequate level of data protection, Stern Bench will ensure that appropriate safeguards are in place, including standard contractual clauses or the UK International Data Transfer Addendum where applicable.

8. RETENTION AND DELETION

This DPA remains in effect until (i) the Service is terminated and (ii) Stern Bench no longer processes DPA Data on Your behalf.

Following termination of the Service or upon Your reasonable request, Stern Bench will return to You or delete the DPA Data within a commercially reasonable period, taking into account the applicable deployment architecture, backup cycling, and any retention required by law.

9. CONTACT

For data protection inquiries relating to this DPA, contact founder@sternbench.com.