NorthStar AI

Data Processing Agreement

Effective date: 2026-06-19
Last updated: 2026-06-18
Version: 2
Controller: NORTH STAR AI S.R.L., a company registered in Romania, VAT RO54842326, with registered office at Sat Ghionea, Comuna Ulmi, Jud. Giurgiu, cf 747 N, acting as data controller for the NorthStar Platform (ns-ai.io, app.ns-ai.io).
Data Protection Contact: privacy@ns-ai.io
Address: Sat Ghionea, Comuna Ulmi, Jud. Giurgiu, cf 747 N

Preamble

This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service or Master Services Agreement (the "Agreement") between NorthStar AI S.R.L. ("NorthStar," "Processor") and the Customer identified in the Agreement ("Customer," "Controller").

This DPA reflects the parties' agreement with respect to the Processing of Personal Data by NorthStar on behalf of Customer in connection with the Services, in accordance with Regulation (EU) 2016/679 (GDPR) and Romanian Law no. 190/2018.

In case of conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA prevails.

1. Definitions

Capitalized terms not defined herein have the meanings given in the Agreement or in the GDPR. The following definitions apply:

  • "Customer Personal Data": Personal Data Processed by NorthStar on behalf of Customer in connection with the Services
  • "Data Subject": an identified or identifiable natural person whose Personal Data is Processed
  • "International Transfer": any transfer of Personal Data from the European Economic Area to a third country
  • "Personal Data," "Processing," "Controller," "Processor," "Supervisory Authority," "Personal Data Breach": have the meanings given in Article 4 GDPR
  • "Restricted Transfer": any transfer of Personal Data subject to GDPR transfer restrictions under Chapter V GDPR
  • "Services": the services provided by NorthStar under the Agreement
  • "Sub-Processor": any third party engaged by NorthStar to Process Customer Personal Data under this DPA
  • "Standard Contractual Clauses" or "SCCs": the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914, including the Module 3 Processor-to-Processor clauses where applicable

2. Roles and Scope

2.1 Roles

For Customer Personal Data Processed under this DPA, the parties acknowledge that:

  • Customer is the Controller of Customer Personal Data
  • NorthStar is the Processor, Processing Customer Personal Data on behalf of Customer

In the limited circumstances where NorthStar Processes Personal Data as an independent Controller or as a joint Controller (e.g., NorthStar's Processing of account holder data for billing and security), the parties' roles are as set forth in the Privacy Policy at ns-ai.io/privacy.

2.2 Processing Details

The details of Processing are set forth in Annex 1 — Description of Processing.

2.3 Customer Instructions

NorthStar will Process Customer Personal Data only on documented instructions from Customer. Customer's use of the Services in accordance with the Agreement constitutes Customer's documented instructions for Processing.

Customer instructs NorthStar to Process Customer Personal Data to: (a) provide the Services as described in the Agreement; (b) comply with reasonable instructions from Customer; (c) ensure the security, integrity, and performance of the Services.

If NorthStar believes that an instruction from Customer infringes applicable data protection law, NorthStar will inform Customer promptly.

3. Customer Responsibilities

3.1 Customer Warranties

Customer warrants that:

(a) Customer has all necessary rights, consents, and legal bases to Process Customer Personal Data and to instruct NorthStar to Process Customer Personal Data on its behalf
(b) Customer Personal Data has been collected and is being Processed in compliance with applicable data protection law
(c) Customer is responsible for providing transparency to Data Subjects as required by Articles 13 and 14 GDPR
(d) Customer is responsible for responding to Data Subject requests under Articles 15-22 GDPR, with NorthStar's assistance as provided in this DPA
(e) Where Customer submits Special Category Data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR), Customer has a valid legal basis under those Articles

3.2 Special Category Data

If Customer Personal Data includes Special Category Data (Article 9 GDPR), including data submitted to the Recruitment Assistant:

(a) Customer acknowledges that the legal basis for Processing is determined by Customer (typically Article 9(2)(b), employment law obligations, or Article 9(2)(a), explicit consent)
(b) Customer must activate the appropriate handling settings in the Platform to acknowledge the submission of Special Category Data
(c) Aggregation of Special Category Data for analytics requires explicit opt-in by Customer's administrator (default: disabled)

4. NorthStar's Processing Obligations

NorthStar agrees that, in connection with Processing of Customer Personal Data, NorthStar will:

4.1 Process Only on Instructions

Process Customer Personal Data only on Customer's documented instructions and not for any other purpose, except where required by applicable law (in which case NorthStar will inform Customer of the legal requirement before Processing, unless prohibited from doing so).

4.2 Confidentiality

Ensure that personnel authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security of Processing (Article 32 GDPR)

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including those described in Annex 2 — Technical and Organizational Measures, which include:

  • Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
  • Multi-tenant isolation: row-level security (RLS) in the database to isolate Customer Personal Data
  • Access control: role-based access control (RBAC), multi-factor authentication for administrators
  • Audit logging: logging of administrative actions and access to Personal Data
  • Vulnerability management: automated dependency scanning, regular security reviews
  • Incident response: documented procedures for detecting, responding to, and reporting Personal Data Breaches
  • Background checks: background screening of personnel with access to Personal Data, where permitted by law
  • Network security: infrastructure security via Vercel (hosting) and Supabase (database), with their respective security certifications

NorthStar will not use Customer Personal Data for AI model training. NorthStar's use of Anthropic and OpenAI APIs is governed by their respective Commercial Terms and Data Processing Addenda, which contractually prohibit the use of Customer Personal Data for AI model training. Default API retention periods: Anthropic 7 days, OpenAI 30 days for abuse monitoring.

4.4 Sub-Processors (Article 28(2)-(4) GDPR)

4.4.1 General Authorization. Customer authorizes NorthStar to engage Sub-Processors for the Processing of Customer Personal Data. The current list of Sub-Processors is published at ns-ai.io/subprocessors and includes the Sub-Processors listed in Annex 3 to this DPA.

4.4.2 New Sub-Processors. NorthStar will provide Customer with at least 30 days' prior written notice before engaging any new Sub-Processor that Processes Customer Personal Data. Notice will be provided by email to Customer's designated administrator and through update of the Sub-Processors page.

4.4.3 Right to Object. Customer may object to the engagement of a new Sub-Processor on reasonable grounds related to data protection by notifying NorthStar in writing within the 30-day notice period. The parties will work in good faith to resolve the objection. If they cannot resolve it within a reasonable time, Customer's exclusive remedy is to terminate the affected portion of the Services without further liability.

4.4.4 Sub-Processor Contracts. NorthStar will enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those in this DPA. NorthStar remains fully liable to Customer for the acts and omissions of its Sub-Processors.

4.5 Assistance to Customer

4.5.1 Data Subject Requests. Taking into account the nature of the Processing, NorthStar will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to respond to Data Subject requests under Articles 15-22 GDPR.

For Data Subject requests received directly by NorthStar, NorthStar will:

  • Not respond to the Data Subject directly, except to confirm the request will be forwarded to Customer
  • Notify Customer within 5 business days
  • Provide reasonable assistance to Customer in responding

4.5.2 DPIA Assistance (Articles 35-36 GDPR). NorthStar will provide reasonable assistance to Customer in conducting Data Protection Impact Assessments and prior consultations with Supervisory Authorities, including by providing relevant technical documentation regarding the Processing activities. For the Recruitment Assistant, NorthStar maintains DPIA-relevant documentation as part of its EU AI Act Provider obligations.

4.5.3 Security and Breach Assistance. NorthStar will assist Customer in ensuring compliance with obligations under Articles 32-36 GDPR.

4.6 Personal Data Breach Notification (Article 33 GDPR)

4.6.1 Notification to Customer. NorthStar will notify Customer without undue delay, and in any case within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include, to the extent available:

  • The nature of the breach
  • Categories and approximate number of Data Subjects and Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate adverse effects
  • Contact point at NorthStar for further information

4.6.2 Customer Responsibility. Customer is responsible for notifying the competent Supervisory Authority and affected Data Subjects of the Personal Data Breach as required by Articles 33-34 GDPR.

4.7 Audit Rights (Article 28(3)(h) GDPR)

4.7.1 Information on Request. NorthStar will make available to Customer, upon written request, the information necessary to demonstrate compliance with Article 28 GDPR, including:

  • The current Sub-Processors list and Sub-Processor agreements (redacted as necessary for confidentiality)
  • Description of technical and organizational measures (Annex 2 and any updates)
  • Most recent third-party security audit report or compliance certifications (e.g., SOC 2, ISO 27001, where applicable)
  • Information about NorthStar's Personal Data Breach response procedures
  • Records of NorthStar's data protection training

4.7.2 On-Site Audit Rights for Enterprise Customers. For Enterprise Customers under a Master Services Agreement, on-site audit rights are governed by the specific terms of the MSA. NorthStar may satisfy on-site audit obligations by providing reasonable access to compliance documentation, security certifications, and (where requested) interviews with NorthStar's security personnel.

4.7.3 Audit Costs. Customer shall bear its own costs for audits. NorthStar's reasonable costs of supporting an audit beyond providing standard documentation may be charged to Customer.

4.7.4 Audit Frequency. Unless required by a Supervisory Authority or by law, audits shall not be conducted more frequently than once per year.

5. Data Retention and Return/Deletion

5.1 During Term

Customer Personal Data is retained as needed to provide the Services. Specific retention periods for categories of Customer Personal Data are set forth in NorthStar's Privacy Policy at ns-ai.io/privacy.

5.2 Upon Termination

Following termination or expiration of the Agreement, NorthStar will:

(a) Retain Customer Personal Data for 90 calendar days post-termination, during which Customer may request export per Section 5.3
(b) Following the 90-day retention period, permanently delete Customer Personal Data from production systems
(c) Remove Customer Personal Data from backup systems within an additional 30 days through the normal backup rotation cycle

5.3 Export Right (Article 20 GDPR + EU Data Act)

Customer may request export of Customer Personal Data in a structured, commonly used, machine-readable format within 30 days of a written request. Export is provided in compliance with EU Regulation 2023/2854 (EU Data Act). From 12 January 2027 onward, no switching fees shall apply.

5.4 Certificate of Deletion

Upon written request after deletion, NorthStar will provide a written certificate confirming that Customer Personal Data has been deleted in accordance with this DPA.

6. International Transfers (Chapter V GDPR)

6.1 Sub-Processor Locations

Some Sub-Processors process Customer Personal Data outside the European Economic Area, primarily in the United States. The locations of current Sub-Processors are set forth at ns-ai.io/subprocessors.

6.2 Transfer Mechanisms

For Restricted Transfers to Sub-Processors:

6.2.1 EU-US Data Privacy Framework. Where the Sub-Processor is certified under the EU-US Data Privacy Framework (DPF), transfers are made under the European Commission's adequacy decision (Implementing Decision (EU) 2023/1795). DPF certification can be verified at dataprivacyframework.gov/list.

6.2.2 Standard Contractual Clauses (SCCs). Where DPF certification is not in place or has been suspended, NorthStar relies on the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914), including Module 3 (Processor-to-Processor) where applicable, supplemented by:

  • Transfer Impact Assessments (TIAs) evaluating the legal environment of the recipient country
  • Technical and organizational measures including encryption in transit and at rest
  • Contractual safeguards (no-training clauses, retention limits, confidentiality)

6.2.3 SCCs Between Parties. If Customer is established in the European Economic Area and NorthStar transfers Customer Personal Data outside the EEA on Customer's behalf, the SCCs Module 3 (Processor-to-Processor) are deemed incorporated into this DPA, with NorthStar acting as the data exporter (Processor) and the relevant Sub-Processor as the data importer.

6.3 Customer Cooperation

Customer agrees to provide reasonable cooperation in connection with Transfer Impact Assessments and to provide additional information about its Processing where reasonably necessary for NorthStar to comply with applicable transfer requirements.

7. Liability and Indemnification

Liability under this DPA is governed by the liability provisions of the Agreement, except that:

(a) The liability cap in the Agreement applies to liability arising under this DPA, except where Customer has acted in violation of its responsibilities under Section 3 or has provided incomplete or inaccurate information to NorthStar
(b) Each party is responsible for its own administrative fines imposed by Supervisory Authorities resulting from its own breach of GDPR

8. Term and Termination

This DPA is effective from the Effective Date and remains in effect for as long as NorthStar Processes Customer Personal Data on behalf of Customer under the Agreement. Termination of this DPA does not terminate NorthStar's obligation to retain, export, and delete Customer Personal Data in accordance with Section 5.

9. Miscellaneous

9.1 Conflict

In case of conflict between this DPA and the Agreement regarding Processing of Personal Data, this DPA prevails.

9.2 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

9.3 Updates to This DPA

NorthStar may update this DPA from time to time to reflect changes in data protection law, regulatory guidance, or NorthStar's practices. Material changes will be communicated with at least 30 days' prior notice.

9.4 Governing Law

This DPA is governed by the laws of Romania, consistent with the governing law of the Agreement.

Annex 1 — Description of Processing

A. Subject Matter and Duration

Subject matter: Processing of Customer Personal Data by NorthStar as Processor in connection with the provision of the Services.

Duration: The duration of the Agreement, plus retention periods set forth in Section 5.

B. Nature and Purpose of Processing

NorthStar Processes Customer Personal Data for the purpose of:

  • Providing the Services to Customer
  • Hosting Customer Personal Data on NorthStar's infrastructure
  • Generating AI Outputs in response to Customer prompts
  • Providing customer support and account management
  • Ensuring security, fraud prevention, and integrity of the Services

C. Types of Customer Personal Data

  • Account and authentication data — Names, email addresses, login credentials, authentication tokens
  • Communication data — Email correspondence, support tickets, chat messages
  • Content data — Customer-uploaded documents, conversations with Digital Employees, generated outputs
  • Recruitment data (where Recruitment Assistant is used) — Candidate names, contact information, CV content, employment history, candidate scoring outputs
  • Usage and technical data — IP addresses (hashed), browser type, OS, usage logs
  • Billing data — Billing contact, organization VAT number, invoice records

D. Categories of Data Subjects

  • Customer's account holders and end-users
  • Candidates submitted to the Recruitment Assistant
  • Customer's customers and contacts mentioned in submitted content
  • Other natural persons referenced in Customer Content

E. Special Category Data

Customer Personal Data may include Special Category Data (Article 9 GDPR), particularly where Customer uses the Recruitment Assistant or submits documents containing such data. Special Category Data is Processed only on Customer's instructions and with Customer ensuring the legal basis under Article 9(2) GDPR.

Annex 2 — Technical and Organizational Measures

NorthStar implements the following technical and organizational measures to protect Customer Personal Data:

A. Confidentiality

  • Multi-tenant isolation via row-level security (RLS) at the database level
  • Role-based access control (RBAC)
  • Multi-factor authentication for administrators
  • Principle of least privilege for personnel access
  • Confidentiality obligations imposed on all personnel via employment or contractor agreements
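As an added illustration of the row-level-security tenant isolation listed in Section 4.3 and in item A above (example SQL written for this page, not NorthStar's own schema or policy text): a minimal Postgres / Supabase setup where each tenant's rows are fenced off by policy rather than by application code. The table, column and JWT claim names are assumptions; auth.jwt() and the "authenticated" role are Supabase's standard helper and role.

```sql
-- Added example for this page (not NorthStar's own schema or policies): a minimal
-- Postgres / Supabase tenant-isolation setup of the kind Section 4.3 and Annex 2.A
-- describe. Table, column and claim names are hypothetical. auth.jwt() is the
-- Supabase helper that returns the caller's JWT claims as jsonb, and
-- "authenticated" is the role Supabase uses for requests carrying a valid user JWT.

create table if not exists documents (
    id         bigint generated always as identity primary key,
    tenant_id  uuid        not null,
    owner_id   uuid        not null,
    body       text        not null,
    created_at timestamptz not null default now()
);

-- Table privileges are separate from RLS: grant the operations first, then let
-- the policies narrow which rows those operations may touch.
grant select, insert, update, delete on documents to authenticated;

-- ENABLE turns RLS on; FORCE applies it to the table owner as well. Superusers
-- and roles with BYPASSRLS (the Supabase service role) still bypass it, which is
-- why the service-role key must never be shipped to a client.
alter table documents enable row level security;
alter table documents force row level security;

-- Tenant of the current request, read from a custom "tenant_id" JWT claim
-- (assumption: the application adds this claim when it issues tokens).
create or replace function current_tenant_id()
returns uuid
language sql
stable
as $$
    select nullif(auth.jwt() ->> 'tenant_id', '')::uuid
$$;

-- With RLS enabled and no matching policy, no rows are visible (deny by default).
-- USING filters the rows a caller can read, update or delete; WITH CHECK rejects
-- writes that would place a row in another tenant, even if the client sets
-- tenant_id explicitly.
create policy tenant_isolation on documents
    for all
    to authenticated
    using      (tenant_id = current_tenant_id())
    with check (tenant_id = current_tenant_id());

-- Check from a SQL client: impersonate a member of one tenant and confirm that
-- no row from any other tenant is returned. Supabase populates auth.jwt() from
-- the request.jwt.claims setting; the claim values below are constructed test data.
begin;
set local role authenticated;
select set_config('request.jwt.claims', '{"sub":"11111111-1111-1111-1111-111111111111","tenant_id":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa","role":"authenticated"}', true);
-- Expected: 0. Any other value means the policy is not being enforced.
select count(*) as cross_tenant_rows
from documents
where tenant_id <> current_tenant_id();
rollback;
```

Two points are worth verifying in any RLS-based isolation claim: the policy only binds roles the database does not exempt, so credentials that bypass RLS (the Supabase service-role key) must stay server-side; and the WITH CHECK clause is what stops a caller from writing into another tenant, since USING on its own only filters what is read back.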

B. Integrity

  • Cryptographic integrity controls (TLS 1.2+ for data in transit; AES-256 at rest)
  • Database constraints and validation
  • Backup integrity verification
  • Audit logging of administrative actions and access to Personal Data

C. Availability

  • Hosting on Vercel (web application) and Supabase (database), both with documented availability SLAs and disaster recovery
  • Automated backups with point-in-time recovery (rolling 30 days)
  • Monitoring and alerting on infrastructure and application health

D. Resilience and Recovery

  • Disaster recovery procedures
  • Multi-provider failover for AI processing (Anthropic, OpenAI)
  • Regular testing of backup restoration

E. Personal Data Breach Response

  • Documented incident response procedures
  • Detection through automated monitoring (Sentry, infrastructure logs)
  • Notification within 72 hours per Section 4.6
  • Forensic analysis and root cause investigation
  • Remediation and lessons-learned process

F. Encryption and Pseudonymization

  • TLS 1.2+ for all data in transit
  • AES-256 encryption at rest (provided by Supabase and Vercel)
  • IP addresses hashed in long-term storage
  • Pseudonymization of identifiers in erasure requests where possible

G. Vendor Management

  • Sub-Processor agreements with GDPR-compliant data protection clauses
  • Periodic review of Sub-Processor security posture
  • Sub-Processor change notifications per Section 4.4

H. AI Provider Safeguards

  • Use of Anthropic and OpenAI APIs governed by Commercial Terms and DPAs prohibiting model training on Customer Personal Data
  • Both providers certified under EU-US Data Privacy Framework
  • Default API retention: 7 days (Anthropic), 30 days (OpenAI) for abuse monitoring

I. Employee Training and Awareness

  • Data protection training for personnel handling Customer Personal Data
  • Security awareness training
  • AI-specific responsible use training for personnel working with the Platform

J. Compliance and Audit

  • Internal audit and compliance review processes
  • Cooperation with Supervisory Authority inquiries
  • Records of Processing Activities (RoPA) maintained per Article 30 GDPR
  • Documentation made available to Customer per Section 4.7

Annex 3 — Sub-Processors

The list of Sub-Processors is published and maintained at ns-ai.io/subprocessors. As of the Effective Date, the Sub-Processors are:

Provider | Purpose | Location | Transfer | Role
Supabase | Managed PostgreSQL database, authentication, and file storage for all Platform data | European Union (Frankfurt, Germany) | Intra-EU transfer | Sub-processor
Oblio | Invoice generation and integration with the Romanian ANAF e-Factura system | Romania (intra-EU) | Intra-EU transfer | Sub-processor
Termene.ro | Romanian company verification data from ONRC, including administrator and shareholder information | Romania | Intra-EU transfer | Data source
VIES | EU VAT number validation; company name and VAT-registered status | European Union | Intra-EU transfer | Data source
BNR | Currency exchange rates (no personal data) | Romania | N/A (no personal data) | Data source
OpenRouter | AI model pricing metadata (no user data) | United States | N/A (no personal data) | Data source
Google (YouTube Transcript API) | Public video transcript content when customers ingest YouTube URLs into their Knowledge Base | United States | N/A (public content) | Data source
Cohere Inc. | AI re-ranking model used in Knowledge Base retrieval (semantic relevance scoring on text chunks) | United States | Standard Contractual Clauses (SCC) | Sub-processor
Vercel | Web application hosting and edge content delivery | United States (with EU edge locations) | Standard Contractual Clauses (SCC) | Sub-processor
Inngest | Workflow orchestration and background job processing | United States | Standard Contractual Clauses (SCC) | Sub-processor
Sentry | Error tracking and application performance monitoring | United States | Standard Contractual Clauses (SCC) | Sub-processor
Resend | Transactional email delivery (account notifications, password resets, billing alerts) | United States | Standard Contractual Clauses (SCC) | Sub-processor
Firecrawl | Web content extraction service used when customers ingest web pages into their Knowledge Base | United States | Standard Contractual Clauses (SCC) | Sub-processor
Anthropic, PBC | Large language model API (Claude) for AI processing of user-submitted prompts and content | United States | EU-US Data Privacy Framework (DPF) | Sub-processor
OpenAI OpCo, LLC | Large language model API (GPT family) for AI processing of user-submitted prompts and content | United States | EU-US Data Privacy Framework (DPF) | Sub-processor
Microsoft Azure AD | OAuth authentication for users signing in via Microsoft accounts | Customer tenant region (varies) with US backbone | EU-US Data Privacy Framework (DPF) | Sub-processor
Google OAuth | OAuth authentication for users signing in via Google accounts | United States | EU-US Data Privacy Framework (DPF) | Sub-processor
Stripe | Subscription billing and payment processing. NorthStar does not store payment instrument data; Stripe handles this in PCI-DSS scope. | European Union and United States | EU-US Data Privacy Framework (DPF) | Sub-processor

For current list, transfer mechanisms, and verification status, see ns-ai.io/subprocessors.

Annex 4 — Standard Contractual Clauses (Reference)

Where required by Section 6 of this DPA, the parties incorporate by reference the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, including:

  • Module 3 (Processor-to-Processor): for transfers from NorthStar (Processor exporter) to Sub-Processors located outside the EEA

The SCCs are deemed completed as follows:

  • Annex I.A (List of Parties): NorthStar as Data Exporter (Processor, acting on Customer's documented instructions) and the relevant Sub-Processor as Data Importer
  • Annex I.B (Description of Transfer): as set forth in Annex 1 to this DPA and the relevant Sub-Processor's processing scope
  • Annex II (Technical and Organizational Measures): as set forth in Annex 2 to this DPA
  • Annex III (Sub-Processors): as set forth in Annex 3 to this DPA
  • Clause 7 (Docking clause): applicable
  • Clause 9 (Use of Sub-Processors): Option 2 — general written authorization (consistent with Section 4.4 of this DPA)
  • Clause 11 (Redress): the optional redress provision is included
  • Clause 17 (Governing Law): Romanian law
  • Clause 18 (Forum): courts of Bucharest, Romania

The full text of the SCCs is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914 and is incorporated by reference.

Executed by Customer's acceptance of the Agreement that incorporates this DPA.

For NorthStar AI S.R.L.: this DPA is executed by NorthStar's authorized signatory upon Customer's acceptance.

