Legal document
Data Processing Agreement
- Effective: April 1, 2026
- Issuer: MorPhoe Tech Inc.
This Data Processing Agreement (DPA) governs MorPhoe Tech Inc.'s processing of personal data on behalf of customers using the BizNerva platform. This DPA supplements and is incorporated into the BizNerva Terms of Service.
This Data Processing Agreement ("DPA") is entered into between MorPhoe Tech Inc., doing business as BizNerva ("Processor" or "we"), and the entity that has accepted the BizNerva Terms of Service ("Controller" or "you"). This DPA applies to the extent that BizNerva processes Personal Data on behalf of the Controller in connection with the BizNerva platform and services ("Services"). This DPA is governed by and supplements the Terms of Service and our Privacy Policy.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
- "Data Protection Laws" means all applicable data protection and privacy laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable national or state privacy legislation.
- "Controller" means the entity that determines the purposes and means of processing Personal Data (the Customer organization).
- "Processor" means the entity that processes Personal Data on behalf of the Controller (MorPhoe Tech Inc. / BizNerva).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
2. Scope and Purpose
This DPA applies to the processing of Personal Data by BizNerva on behalf of the Controller in connection with the Services described in the Terms of Service. BizNerva processes Personal Data solely for the purpose of providing the Services and as further instructed by the Controller. The nature of processing includes storage, organization, retrieval, consultation, use, alignment, combination, restriction, erasure, and destruction of Personal Data as necessary to deliver the Services.
The duration of processing corresponds to the term of the Agreement between the Controller and BizNerva, plus any legally required retention period.
3. Roles and Responsibilities
Controller responsibilities: The Controller determines the purposes and means of processing, ensures a lawful basis for processing under applicable Data Protection Laws, provides any required notices to Data Subjects, and ensures compliance with its own obligations under Data Protection Laws.
Processor responsibilities: BizNerva shall process Personal Data only on documented instructions from the Controller, except where required by applicable law. BizNerva shall ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Processing Instructions
BizNerva shall process Personal Data only in accordance with the Controller's documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law. If BizNerva is required by applicable law to process Personal Data other than as instructed by the Controller, BizNerva shall inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.
The Controller's instructions for processing are set forth in this DPA, the Terms of Service, and any additional written instructions agreed upon by the parties. BizNerva shall immediately inform the Controller if, in its opinion, an instruction infringes applicable Data Protection Laws.
5. Categories of Data Processed
BizNerva processes the following categories of Personal Data on behalf of Controllers:
- Employee/staff data: Names, email addresses, job titles, roles, department assignments, employment dates, and organizational hierarchy information.
- Training records: Compliance training completion dates, scores, certification status, and training history.
- Incident reports: Workplace incident details, investigation notes, corrective actions, and related documentation (e.g., SB 553 workplace violence prevention).
- Compensation data: Salary ranges, pay bands, and wage records as required for pay transparency compliance (SB 642).
- Compliance records: Audit evidence, policy documents, regulatory filings, risk assessments, and gap analysis results.
- Account data: Names, email addresses, login activity, and authentication information for platform users.
Data subjects include: Customer employees, contractors, organizational administrators, and other individuals whose data is submitted to the platform by the Controller.
6. Security Measures
BizNerva implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encryption: All Personal Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access controls: Role-based access control (RBAC) with row-level security (RLS) ensuring strict multi-tenant data isolation.
- Authentication: Multi-factor authentication (MFA) with TOTP support; enforced for platform administrators.
- Audit logging: Comprehensive audit trails for all data access and modifications.
- Infrastructure: Hosted on cloud infrastructure provided by SOC 2 Type II certified sub-processors (Supabase, Vercel) with automatic backups and disaster recovery.
- Personnel: All personnel with access to Personal Data are bound by confidentiality obligations.
- Incident response: Documented incident response procedures with defined escalation paths.
7. Sub-processors
The Controller authorizes BizNerva to engage Sub-processors for the processing of Personal Data. BizNerva maintains a current list of Sub-processors, which includes:
- Supabase Inc. (San Francisco, CA, USA) — Database hosting and authentication services.
- Vercel Inc. (San Francisco, CA, USA) — Application hosting and content delivery.
- Stripe Inc. (San Francisco, CA, USA) — Payment processing (PCI DSS Level 1 certified).
- OpenAI, L.L.C. (San Francisco, CA, USA) — Job posting compliance analysis: processes job posting text only (no personal identifiers) for regulatory compliance checking. Data processed under OpenAI API terms with zero data retention.
- Anthropic PBC (San Francisco, CA, USA) — AI Compliance Assistant: processes PII-redacted organization compliance data, sensitivity-screened uploaded documents, and conversation context for compliance analysis. Also serves as fallback provider for job posting analysis. Data processed under Anthropic API terms which prohibit use for model training.
- Google LLC (Mountain View, CA, USA) — Fallback provider for job posting compliance analysis. Processes job posting text only (no personal identifiers). Data processed under Google AI API terms.
- Mercury Technologies, Inc. (San Francisco, CA, USA) — Partner payment processing for ACH and wire transfers. Processes partner financial data (bank details, payout amounts) for revenue share disbursements. Data processed under Mercury API terms.
BizNerva shall notify the Controller of any intended changes to its Sub-processors by updating this page. In addition, BizNerva will send email notification to the Controller's registered email address at least thirty (30) days before any new Sub-processor begins processing Personal Data. The Controller may object in writing within fourteen (14) days of receipt of such notice. If the Controller raises a reasonable objection and BizNerva cannot accommodate it, either party may terminate the Agreement with thirty (30) days' written notice.
BizNerva shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA, and BizNerva remains liable for the acts and omissions of its Sub-processors.
8. Data Subject Rights
BizNerva shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
If BizNerva receives a request directly from a Data Subject, BizNerva shall promptly notify the Controller and shall not respond to the request without the Controller's prior written authorization, unless required by applicable law.
The platform provides self-service data export, account deletion, and consent management features to facilitate Data Subject rights compliance.
BizNerva will respond to data subject access, deletion, and portability requests forwarded by the Controller within five (5) business days, to enable the Controller to meet its obligations under applicable law.
9. Data Breach Notification
BizNerva shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller. The notification shall include:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected.
- The name and contact details of BizNerva's point of contact for further information.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its adverse effects.
BizNerva shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach. For California residents, notification shall comply with California Civil Code Section 1798.82 and SB 446 requirements (30-day notification window).
10. International Data Transfers
BizNerva processes Personal Data primarily within the United States. If Personal Data is transferred outside the country of origin, BizNerva shall ensure that appropriate safeguards are in place as required by applicable Data Protection Laws, including:
- EU Standard Contractual Clauses (SCCs) for transfers from the EEA/UK to the United States, incorporated by reference into this DPA.
- Participation in applicable data transfer frameworks, including the EU-US Data Privacy Framework where certified.
- Transfer Impact Assessments conducted as required.
BizNerva has conducted a Transfer Impact Assessment for EU-to-US data transfers and implemented supplementary technical and organizational measures including: (a) field-level AES-256 encryption of personal data at rest; (b) role-based access controls with Row Level Security; (c) comprehensive audit logging of all data access; and (d) encryption of data in transit using TLS 1.2 or higher.
11. Data Retention and Deletion
Upon termination of the Agreement or upon the Controller's written request, BizNerva shall delete or return all Personal Data to the Controller, and delete existing copies, unless applicable law requires continued storage. Retention periods for specific data categories include:
- SB 553 training records: 1 year minimum
- SB 553 incident reports: 5 years minimum
- NERC CIP compliance records: 3+ years (CMEP retention)
- FCA compliance records: 6-10 years
- Audit logs: 3 years
- Login/session logs: 30 days
Where regulatory retention requirements exceed the term of the Agreement, BizNerva shall continue to protect retained data in accordance with this DPA and shall delete such data upon expiration of the applicable retention period.
12. Audit Rights
BizNerva shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or a qualified third-party auditor mandated by the Controller, subject to reasonable advance notice (at least 30 days) and during normal business hours.
The Controller may exercise its audit rights no more than once per 12-month period, unless required by applicable law or a supervisory authority, or following a Data Breach. The foregoing limitation does not apply to audits or investigations required by a regulatory authority or court order, which BizNerva will accommodate promptly and in good faith regardless of the annual limit. BizNerva shall also provide, upon request, copies of relevant certifications or audit summaries, to the extent available. BizNerva's security controls are designed to align with SOC 2 Trust Services Criteria; certifications and audit reports will be made available as they are obtained.
13. CCPA/CPRA Provisions
To the extent that BizNerva processes Personal Data subject to the CCPA/CPRA, BizNerva acts as a "Service Provider" as defined under the CCPA/CPRA and shall not:
- Sell or share Personal Data received from or on behalf of the Controller.
- Retain, use, or disclose Personal Data for any purpose other than providing the Services as specified in the Agreement, or as otherwise permitted by the CCPA/CPRA.
- Retain, use, or disclose Personal Data outside of the direct business relationship between BizNerva and the Controller.
- Combine Personal Data received from the Controller with Personal Data received from other sources, except as permitted by the CCPA/CPRA.
BizNerva certifies that it understands the restrictions set forth in this Section and will comply with them. BizNerva shall assist the Controller in responding to verifiable consumer requests, including requests to know, delete, correct, and opt out of the sale/sharing of Personal Data.
14. Limitation of Liability
Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA shall limit either party's liability for breaches of its obligations under applicable Data Protection Laws that cannot be limited by contract.
15. Term and Termination
This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, the provisions of this DPA relating to data deletion, retention, and confidentiality shall survive to the extent necessary to fulfill their purpose.
Either party may terminate this DPA if the other party materially breaches its obligations under this DPA and fails to cure such breach within 30 days of written notice.
16. Contact
For questions about this DPA or to exercise rights under this agreement, contact:
- MorPhoe Tech Inc.
- Email: contact@biznerva.com
- Subject line: "DPA Inquiry"