Data Processing Addendum

This DPA forms part of the Taska Terms of Service (the "Agreement") between Enrevia Technologies ("Processor") and the customer entity that has agreed to the Agreement ("Controller"). It applies to Personal Data processed by the Processor on the Controller's behalf in connection with the Taska service.

The Controller determines the purposes and means of processing the Personal Data; the Processor processes it only on the Controller's documented instructions. Each end-user of the Controller's Taska account remains a data subject under applicable data protection laws.

• Data subjects: employees, contractors, and other authorised users of the Controller; senders and recipients of email correspondence connected to the service.
• Categories: identification data (name, email), authentication data (OAuth refresh tokens), email content (subject, sender, body, snippets), meeting recordings + transcripts, extracted task content, usage telemetry, and any other Personal Data the Controller chooses to submit to the service.

• Process Personal Data only on documented instructions from the Controller (the Agreement + this DPA constitute such instructions).
• Ensure persons authorised to process the data are subject to confidentiality obligations.
• Implement the technical + organisational measures described in our Security overview (KMS envelope encryption, TLS 1.2+, IAM least privilege, audit logging).
• Assist the Controller with data subject requests (access, rectification, erasure, portability) within the timeframes required by applicable law.
• Notify the Controller without undue delay (and in any case within 72 hours) after becoming aware of a Personal Data breach, with sufficient detail to allow the Controller to meet its own notification obligations.
• On termination of the Agreement, delete or return all Personal Data and existing copies within 30 days, except where applicable law requires storage.

The Controller authorises the Processor to engage the following sub-processors:

New sub-processors will be announced via email to a designated contact at least 30 days before engagement; the Controller may object in writing, in which case the parties will negotiate in good faith.

Where Personal Data of EEA, UK, or Swiss data subjects is transferred to a country without an adequacy decision, the parties agree to incorporate the Standard Contractual Clauses (2021/914) as if executed on the Agreement effective date, with Module 2 (controller-to-processor). The UK addendum to the SCCs is incorporated by reference for UK transfers.

The Processor will make available to the Controller, on reasonable written request, the SOC 2 Type II report (when available) and the CASA Letter of Assessment to demonstrate compliance with this DPA. On-site audits may be performed once per 12 months at the Controller's expense, with at least 30 days' written notice and during ordinary business hours.

This DPA takes effect when accepted by the Controller and remains in force for as long as the Processor processes Personal Data on the Controller's behalf under the Agreement. Termination of the Agreement automatically terminates this DPA.

Each party's liability under this DPA is subject to the aggregate liability caps set out in the Agreement. Nothing in this DPA limits a party's liability for breach of applicable data protection laws.

Data protection enquiries: privacy@enrevia-taska.com. To execute a countersigned DPA, email legal@enrevia-taska.com with your company name and a designated contact.