This Data Processing Addendum (the "DPA") forms part of and is incorporated into the Terms and Conditions or other written or electronic agreement (the "Agreement") between Customer and Chincha Consulting AS, trading as Context Windows ("Context Windows"). Each of Context Windows and Customer shall be referred to individually as a Party and collectively as the Parties. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

WHEREAS, pursuant to the Agreement, Context Windows ("Processor") shall provide certain services (the "Services") to Customer ("Controller") which may include the Processing of Controller Personal Data by Context Windows (and its subcontractors) under the GDPR, UK GDPR, California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 to 1798.199), any applicable national data protection laws of EU/EEA Member States or the United Kingdom, the Norwegian Personal Data Act (personopplysningsloven), or any applicable federal and state data protection laws of the United States, and any amendments or replacements to them (collectively, the "Data Protection Laws"); and

WHEREAS, this DPA is to be made part of, and incorporated into the Agreement (as defined above); and

WHEREAS, the European Commission's Decision (EU) 2021/914 of 4 June 2021 has adopted standard contractual clauses for the transfer of personal data to processors established in non-EU/EEA countries (the "Clauses") to offer adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals; and

NOW THEREFORE, in order to comply with the requirements of the Data Protection Laws, the Controller and Processor agree to the following:

1. Definitions

All terms and phrases not defined herein shall have the meanings set forth in the Agreement or in Applicable Data Protection Law.

  • "Applicable Data Protection Law" means the laws and regulations applicable to the Processing of Personal Data under the Agreement.
  • "California Privacy Laws" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and their respective implementing regulations.
  • "Clauses" means the standard contractual clauses for the transfer of personal data to processors established in third countries (Commission Decision (EU) 2021/914 of 4 June 2021) as updated from time to time.
  • "Controller" and "Business" mean the party that determines the purposes and means of the Processing of Personal Data.
  • "Customer" means the entity or individual that has entered into the Agreement.
  • "Controller Personal Data" means the Personal Data which Context Windows is processing as Processor on behalf of Controller in order to provide the Services.
  • "Data Subject" means an identified or identifiable person entitled to rights under Applicable Data Protection Law and to whom Personal Data relates.
  • "GDPR" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
  • "Personal Data" means any information relating to an identified or identifiable natural person where such information is protected as personal data under Applicable Data Protection Law and where such data is Customer Data.
  • "Processing" means an operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
  • "Processor" and "Service Provider" mean a Party that Processes Personal Data on behalf of a Controller.
  • "Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Services" means the Services provided by Context Windows to Customer pursuant to the Agreement.
  • "Standard Contractual Clauses" means the clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be updated, amended, and superseded from time to time; and the UK International Data Transfer Addendum as issued by the UK Information Commissioner.
  • "Sub-processor" means any subcontractor engaged for the Processing of Controller Personal Data. Current Sub-processors are listed at contextwindows.ai/subprocessors.
  • "Supervisory Authority" means an applicable independent public authority established by an EU Member State pursuant to the GDPR, the UK Information Commissioner's Office (ICO), the Norwegian Data Protection Authority (Datatilsynet), or the Swiss Federal Data Protection and Information Commissioner (FDPIC).
  • "UK GDPR" means the Data Protection Act 2018, including any amendments thereto.

2. Data Processing Terms

2.1 Roles and Relationships

The Parties acknowledge and agree that with regard to Personal Data Processed under the Agreement, Customer is the Controller and Context Windows is the Processor. With respect to the California Privacy Laws, Context Windows shall be considered a Service Provider to Customer, which is the Business, to the extent that the California Privacy Laws apply.

2.2 Customer's Processing of Personal Data

Customer shall, in its use of the Services and provision of instructions to Context Windows, process Personal Data in accordance with Applicable Data Protection Law. Customer is solely responsible for its compliance with Applicable Data Protection Law, including providing required notices and obtaining required consents, and with regard to the accuracy, quality, and lawful basis of Processing.

2.3 Documented Instruction

Customer instructs Context Windows to process Personal Data for the purposes of providing the Services in accordance with the Agreement and any other documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.

2.4 Details of Processing

The subject matter of the Processing is the Services under the Agreement. The duration of Processing shall be for the duration of the provision of Services to Customer and any time thereafter as may be permitted or required by applicable law.

2.5 California Privacy Laws

For purposes of the California Privacy Laws, the nature of the Processing is for a Business Purpose and does not involve the "sale" or "sharing" of Personal Data by Context Windows. Context Windows shall not retain, use, or disclose Personal Data for any purpose other than for the Business Purpose specified in the Agreement and shall not combine Personal Data with other information except as expressly permitted by Customer or the California Privacy Laws. Context Windows will notify Customer if it determines that it can no longer meet its obligations under the California Privacy Laws.

3. Processor Obligations

3.1 Processing Limitations

Context Windows shall process Personal Data for the sole purpose of providing the Services according to the terms of this DPA and as permitted by the Agreement. The Controller agrees that this DPA and the Agreement collectively contain its instructions for the Processing of Controller Personal Data.

3.2 Security of Processing

Context Windows has adopted technical and organizational measures designed to protect against the unauthorized or unlawful processing, accidental or unlawful destruction, loss or alteration, and unauthorized disclosure or access to Personal Data, as described in Annex II of this DPA.

3.3 Security Breach Notification

Context Windows shall notify Customer without undue delay upon becoming aware of a Security Breach for which notification to Customer is required under Applicable Data Protection Law. Context Windows will promptly investigate the breach and will provide the Controller with reasonable assistance to satisfy any legal notification obligations.

3.4 Audits and Inspections

Upon Customer's reasonable request no more than one (1) time per calendar year and subject to the confidentiality obligations set forth in the Agreement, Context Windows shall make available to Customer information necessary to demonstrate compliance with this DPA. Context Windows shall comply, as legally necessary, with audits by a competent Supervisory Authority under Data Protection Laws.

3.5 Data Subject Rights

In the event a Data Subject requests access to, or the deletion, blocking, and/or correction of any Personal Data directly from Context Windows, Context Windows will promptly notify the Controller of such request to the extent legally permissible. Context Windows will provide the Controller with reasonable assistance to enable the Controller to address the Data Subject's request.

3.6 Data Protection Impact Assessments

To the extent required by Applicable Data Protection Law, Context Windows shall render reasonable assistance to Customer in performing Data Protection Impact Assessments and providing Prior Consultation in accordance with Applicable Data Protection Law.

3.7 Return or Deletion of Personal Data

Upon termination of the Services, Context Windows shall, upon Customer's written request, return or delete Personal Data, including copies of such data in Context Windows' custody or control, unless and only to the extent Context Windows has a legitimate legal basis for retaining such data. Context Windows may retain any anonymous information obtained through Customer's use of the Services.

4. Sub-processing

4.1 Appointment of Sub-processors

Context Windows may appoint and retain Sub-processors in the Processing of Personal Data. Context Windows shall remain responsible for the acts and omissions of its Sub-processors as for its own acts and omissions. Sub-processors shall be bound to Processing Personal Data consistent with the requirements hereunder and Applicable Data Protection Law.

4.2 General Authorization

Context Windows shall have Customer's general authorization to engage Sub-processors from the Sub-processor List available at contextwindows.ai/subprocessors, as may be updated from time to time.

4.3 Change in Sub-processors

Context Windows may remove, replace, and appoint new Sub-processors in its discretion and will use commercially reasonable efforts to provide Controller with fourteen (14) days' advance notice, which notice may be provided through updating the Sub-processor List at contextwindows.ai/subprocessors. Customer may object in writing to the appointment of a new Sub-processor on grounds of data protection within fourteen (14) days. Any objection shall be made in good faith and supported by reasonable information. Upon such objection, the Parties shall negotiate in good faith to reach a mutually agreeable resolution within thirty (30) days. If a resolution cannot be reached, either Party may terminate the affected portion of the Services without further liability upon reasonable written notice.

5. Transfers to Third Countries

5.1 Standard Contractual Clauses

This DPA incorporates by reference the Standard Contractual Clauses (Commission Decision (EU) 2021/914) for international transfers of Personal Data from the EU/EEA, UK, and Switzerland, respectively. The Standard Contractual Clauses shall apply only if and to the extent Personal Data Processed under the Agreement is subject to a restriction on such transfer under the GDPR, UK GDPR, or Swiss data protection law (a "Restricted Transfer").

The full text of the Standard Contractual Clauses is available at: eur-lex.europa.eu/eli/dec_impl/2021/914/oj

For transfers subject to UK GDPR, this DPA is supplemented with the UK International Data Transfer Addendum as issued by the UK Information Commissioner, available at: ico.org.uk

5.2 Invalidation Event

In the event that the Standard Contractual Clauses are invalidated or superseded, the Parties agree to reasonably cooperate to adopt another appropriate transfer mechanism to prevent undue disruptions to the transfers of Personal Data.

6. General Terms

6.1 Term and Termination

The term of this DPA is identical to the term of the Agreement. Except as otherwise agreed herein, termination rights and requirements shall be the same as set forth in the Agreement.

6.2 Governing Law and Dispute Resolution

This DPA shall be governed by and construed in accordance with the laws of Norway. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Agreement.

6.3 Amendment

This DPA may be amended from time to time by Context Windows upon thirty (30) days' notice to Customer.

6.4 Entire Agreement

This DPA constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes any and all prior written and/or oral agreements regarding data processing.

Schedule to the DPA

With respect to the EU/EEA Standard Contractual Clauses, the following details apply:

Controller/Exporter: Customer, as set forth in the Agreement
Processor/Importer: Chincha Consulting AS, trading as Context Windows
Module: Module Two: Transfer Controller to Processor
Categories of data subjects: Customer's designated end users of the Services
Categories of personal data: Full name, email address, IP address, AI conversation data (queries and responses), usage data
Sensitive data: N/A
Frequency of transfer: Continuous per Customer's consumption of the Services
Nature of processing: Receiving, storing, retrieving, analysing, and presenting data as necessary to provide the Services, including processing AI queries through third-party AI providers
Purpose of data transfer: To Process Personal Data as necessary to perform the Services pursuant to the Agreement, including providing personalized information and content based on Customer's activities
Retention period: Personal Data is retained for the period of the Agreement unless otherwise retained for legal or compliance purposes. AI conversation data may be deleted by the user at any time. All data is permanently deleted upon account closure.
Sub-processor authorization: General written authorization in accordance with Section 4 of this DPA
Sub-processor change notice: Fourteen (14) days in advance, in accordance with Section 4
Competent supervisory authority: Norwegian Data Protection Authority (Datatilsynet)
Governing law (Clause 17): Norway
Forum and jurisdiction (Clause 18): Norway

For transfers subject to UK GDPR, the UK International Data Transfer Addendum applies with the same Party details and Appendix Information as set out above.

Annex II: Technical and Organizational Security Measures

Context Windows has implemented the following technical and organizational measures to ensure an appropriate level of security for Personal Data:

Access Security

Users are required to authenticate over SSL/TLS. Passwords are salted and hashed when stored. Authentication is managed through Supabase Auth, which supports industry-standard protocols including OAuth 2.0. Row-level security (RLS) policies ensure users can only access their own data.

Data Hosting

Application hosting is provided by Vercel (USA), with database services provided by Supabase (cloud infrastructure). Search infrastructure is self-hosted on Hetzner Online GmbH (Germany). All data in transit is encrypted via TLS. Data at rest is encrypted using the hosting provider's encryption standards.

Payment Security

Payment processing is handled entirely by Stripe, Inc., a PCI DSS Level 1 certified service provider. Context Windows does not store, process, or transmit payment card data.

AI Data Processing

AI queries are processed by third-party AI service providers via encrypted API connections. We endeavor to select providers whose terms do not permit the use of customer data for model training. AI conversation data is stored with the same access controls and encryption as other user data.

Data Deletion

Users may delete individual AI conversations at any time. Account deletion triggers automatic cascade deletion of all associated data, including conversations, usage records, and subscription information. Deletion is permanent and irreversible.

Continued Evaluation

Context Windows will continually evaluate the security of its infrastructure and services to determine whether additional or different security measures are required to respond to new security risks or findings.

Annex III: List of Sub-processors

The Controller has granted the Processor general authorization to engage Sub-processors. The current list of Sub-processors is maintained at contextwindows.ai/subprocessors, which may be updated from time to time pursuant to Section 4 of this Data Processing Addendum.

Contact

For questions about this DPA or data processing practices:

Chincha Consulting AS
Trading as Context Windows
Norway
Email: dario@contextwindows.ai