Data Processing Addendum
Last Modified: June 20, 2026
This Data Processing Addendum (this "DPA") forms part of the agreement between the customer ("Customer," "you," or "your") and InsForge, Inc. ("InsForge," "we," or "us") governing Customer's access to and use of the InsForge Platform and Services (the "Agreement"). This DPA applies to the extent InsForge processes Personal Data on Customer's behalf in connection with the Services. Capitalized terms not defined here have the meanings given in the Agreement.
1. Acceptance; No Signature Required
This DPA is incorporated into and forms part of the Agreement. By accepting the Terms of Service, executing an Order, or accessing or using the Services, Customer and InsForge are deemed to have agreed to this DPA, and this DPA becomes legally binding on both Parties without the need for a separate signature.
If Customer requires a counter-signed copy of this DPA for its records, Customer may request one at legal@insforge.dev; however, a signature is not a condition of this DPA taking effect. The individual accepting this DPA represents that they are authorized to do so on behalf of Customer.
2. Definitions
a. "Customer Data" has the meaning given in the Agreement and includes any Personal Data contained therein.
b. "Personal Data" means any information relating to an identified or identifiable natural person that is contained in Customer Data and Processed by InsForge on Customer's behalf.
c. "Processing" (and "Process") means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
d. "Controller," "Processor," and "Data Subject" have the meanings given under applicable Data Protection Laws. As between the Parties, Customer is the Controller (or processor acting on behalf of a third-party controller) and InsForge is the Processor.
e. "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, where applicable, the EU/UK GDPR and U.S. state privacy laws.
f. "Sub-processor" means any third party engaged by InsForge to Process Personal Data in connection with the Services.
g. "Trust Center" means InsForge's security and compliance resource, made available by InsForge online or upon request, which contains InsForge's current list of Sub-processors, security practices, and compliance certifications.
3. Roles and Scope of Processing
InsForge will Process Personal Data only (i) to provide, secure, and support the Services; (ii) in accordance with Customer's documented instructions, including those set out in the Agreement and this DPA; and (iii) as otherwise required by applicable law (in which case InsForge will, where legally permitted, inform Customer of that requirement). InsForge will not Process Personal Data for its own purposes, sell Personal Data, or use it for advertising. The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are determined by Customer's use of the Services. A description of the Processing is set out in Exhibit A.
CCPA. To the extent the California Consumer Privacy Act ("CCPA") applies and InsForge acts as a service provider, InsForge will not: (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than providing the Services, or as otherwise permitted by the CCPA; or (iii) combine Personal Data with personal information obtained from other sources, except as permitted by the CCPA. InsForge certifies that it understands and will comply with these restrictions.
4. Confidentiality
InsForge will treat Personal Data as Customer's confidential information and will not disclose it except as permitted by the Agreement or this DPA, or as required by law. InsForge ensures that personnel and contractors authorized to Process Personal Data are bound by written confidentiality obligations and Process Personal Data only as instructed.
5. Security Measures
InsForge will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art and the nature of the data. A summary of these measures is set out in Exhibit B. The current and authoritative description of InsForge's security measures and compliance program is available through the Trust Center.
6. Sub-processors
Customer provides general authorization for InsForge to engage Sub-processors to Process Personal Data in connection with the Services. InsForge maintains a current list of Sub-processors through the Trust Center and will provide a mechanism for receiving notification of changes. InsForge will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA and remains responsible for its Sub-processors' performance.
InsForge will give Customer reasonable prior notice of any intended addition or replacement of a Sub-processor. If Customer has a reasonable, data-protection-based objection, the Parties will work together in good faith to address it; if the objection cannot be resolved, Customer may terminate the affected Services.
7. AI Model Gateway and Zero Data Retention
Where the Services route Customer inputs to one or more upstream AI model providers, such requests are routed through InsForge's Model Gateway. InsForge does not consent to its upstream model provider(s) using Customer inputs or outputs to train or improve models, and InsForge does not itself store prompt or completion content beyond what is necessary to return a response. Retention by the upstream and underlying model providers is governed by InsForge's configuration with, and the data-retention policies of, those providers; where Zero Data Retention ("ZDR") is supported and enabled, Customer Data submitted for inference is not retained beyond the immediate request. The current upstream provider(s) and the applicable data-retention posture are identified through the Trust Center.
8. Analytics and Monitoring
InsForge uses a limited set of analytics and product-monitoring tools, identified in the Trust Center, for usage analytics and for performance, reliability, and security monitoring. These tools operate on InsForge's control plane (the management dashboard and management APIs) and are not deployed within the per-customer backend instances that store and serve Customer Data. Customer Data — the contents of a customer's backend, including database records, stored files, and AI prompts and outputs — is not transmitted to these tools. Account and usage information (such as user identifiers and feature usage) is processed for these purposes as described in InsForge's Privacy Policy.
9. International Transfers
To the extent InsForge Processes Personal Data subject to the laws of the European Economic Area, the United Kingdom, or Switzerland and transfers it to a country that does not provide an adequate level of protection, the Parties agree that the applicable Standard Contractual Clauses (and any UK or Swiss addenda) are incorporated into this DPA by reference and apply to such transfers.
10. Assistance and Data Subject Requests
Taking into account the nature of the Processing, InsForge will provide reasonable assistance to Customer, through appropriate technical and organizational measures, to enable Customer to respond to requests from Data Subjects exercising their rights and to meet Customer's obligations relating to security, breach notification, and data protection impact assessments under Data Protection Laws. If InsForge receives a request directly from a Data Subject relating to Customer Data, it will, where permitted, refer the request to Customer.
11. Personal Data Breach Notification
InsForge will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, and will provide information reasonably available to it to assist Customer in meeting its obligations to notify regulators or affected individuals. InsForge's notification is not an acknowledgment of fault or liability.
12. Audits and Compliance
InsForge maintains a SOC 2 compliance program. Information about InsForge's current certification status and audit reports is available through the Trust Center or on request under a non-disclosure agreement. On Customer's reasonable written request, and no more than once per year (unless required by a regulator or following a Personal Data Breach), InsForge will make available information necessary to demonstrate compliance with this DPA. Provision of an applicable third-party audit report (such as a SOC 2 report) satisfies this obligation.
13. Return and Deletion of Personal Data
Upon termination or expiration of the Agreement, InsForge will, at Customer's request, make Customer Data available for export for a limited period and will thereafter delete Customer Data in the ordinary course of operations, except to the extent retention is required by applicable law.
14. Order of Precedence; Liability; Governing Law
This DPA forms part of the Agreement. In the event of a conflict between this DPA and the body of the Agreement with respect to the Processing of Personal Data, this DPA controls. Each Party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA is governed by the laws and dispute-resolution provisions specified in the Agreement.
Questions about this DPA may be directed to legal@insforge.dev.
Exhibit A — Details of Processing
Subject matter. InsForge's provision of the InsForge Platform, a backend-as-a-service platform for AI coding agents, including database, authentication, storage, and functions services.
Duration. For the term of the Agreement and any period required to perform post-termination obligations.
Nature and purpose. Hosting, storage, transmission, and processing of Customer Data as necessary to provide, secure, and support the Services in accordance with Customer's instructions.
Categories of Data Subjects. Determined by Customer; may include Customer's end users, Authorized Users, and any individuals whose Personal Data Customer chooses to store through the Services.
Categories of Personal Data. Determined by Customer; may include identifiers (such as name and email address), authentication credentials, profile information, and any other Personal Data Customer stores in its backend (database records, authentication records, and storage objects).
Sensitive Data. InsForge does not require Sensitive Data to provide the Services. Sensitive Data is Processed only to the extent Customer chooses to store it, and Customer is responsible for ensuring an appropriate legal basis for doing so.
Frequency. Continuous, for the duration of the Agreement.
Exhibit B — Technical and Organizational Measures
This Exhibit summarizes the technical and organizational measures InsForge maintains. These measures form part of an evolving security program; the current and authoritative description is maintained through the Trust Center.
a. Access control. Access to production systems is managed under a role-based access control model on the principle of least privilege. Provisioning requires management approval and follows a documented onboarding process, access is reviewed at least annually, and access is revoked promptly upon termination or role change.
b. Encryption. Customer Data is encrypted in transit and at rest using industry-standard mechanisms.
c. Hosting and physical security. Production infrastructure is hosted on Amazon Web Services (AWS). Physical security of the underlying data centers is managed by AWS as a sub-service organization; InsForge reviews AWS's audit reports at least annually.
d. Change management. InsForge follows a formal software development lifecycle in which code changes are tracked in version control, require a peer-reviewed pull request before release to production, and must pass automated tests and security checks prior to deployment.
e. Vulnerability management. InsForge performs automated dependency vulnerability scanning and remediates identified vulnerabilities in accordance with documented timelines (Critical within 30 days; High within 60 days).
f. Resilience and backups. Customer database data is backed up with point-in-time recovery, encrypted, and stored redundantly across availability zones. InsForge maintains an Incident Response Plan and a Business Continuity and Disaster Recovery Plan that is exercised at least annually.
g. Personnel. Personnel and contractors with access to Customer Data are bound by written confidentiality obligations and are granted access only on a least-privilege, need-to-know basis.
h. Risk management. InsForge maintains a risk register and performs a formal risk assessment at least annually.