Data Processing Addendum (DPA)

Effective Date: November 07, 2025
This DPA is incorporated into and forms part of the agreement between Metrix Zenith X Artificial Intelligence (“MZX AI”, “Processor”, “Service Provider”) and [Customer legal name] (“Customer”, “Controller”, “Business”) that governs Customer’s use of MZX AI Services (the “Agreement”). If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls.

1. Definitions

  • Applicable Privacy Laws: All data protection laws that apply to the Processing of Personal Data under the Agreement, including the EU GDPR, UK GDPR, the Swiss FADP, and U.S. state privacy laws (CA/CPRA, CO, CT, VA, UT) to the extent applicable.
  • Customer Content: Files and data Customer or its Users submit to the Services (e.g., RFPs, attachments, instructions) and Outputs generated for Customer, including related metadata.
  • Personal Data: Any information relating to an identified or identifiable natural person contained in Customer Content or otherwise provided by/for Customer.
  • Process/Processing: Any operation performed on Personal Data, as defined by Applicable Privacy Laws.
  • Subprocessor: Any third party engaged by MZX AI to Process Personal Data on behalf of Customer.
  • Services: MZX AI’s upload/download portals and AI-assisted proposal generation platform, and related support.

Capitalized terms not defined here have the meanings in the Agreement.

2. Role of the Parties; Scope

2.1 Roles. For Customer Content, Customer is the Controller/Business and MZX AI is the Processor/Service Provider.
2.2 Instructions. MZX AI will Process Personal Data only (a) to provide the Services; (b) per the Agreement and this DPA; and (c) per Customer’s written, documented instructions, including configurations made in the Services. MZX AI will notify Customer if an instruction violates Applicable Privacy Laws.
2.3 No Sale/No Sharing. Under CPRA and similar laws, MZX AI does not sell or share Personal Data; it receives Personal Data solely to perform the Services for Customer.
2.4 No Training by Default. MZX AI will not use Customer Content or Personal Data to train foundation models or general-purpose AI except where Customer explicitly opts in through a signed order or DPA addendum.
2.5 No-Training Subprocessors (LLM APIs). MZX AI will engage LLM/API Subprocessors only where (a) the Subprocessor’s publicly available privacy policy and/or terms state that API inputs/outputs are not used to train or improve its foundation models; and (b) MZX AI’s contract with such Subprocessor prohibits the Subprocessor from using Customer Content or Personal Data for model training or improvement. MZX AI will flow down these no-training restrictions to all such Subprocessors and will not enable any provider feature that permits retention for training unless Customer expressly opts in through a signed order or addendum.

3. Confidentiality

MZX AI will ensure personnel authorized to Process Personal Data are bound by confidentiality obligations and receive appropriate privacy/security training.

4. Security

4.1 Measures. MZX AI will implement and maintain appropriate technical and organizational measures (“TOMs”) designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, considering the state of the art, costs, and nature, scope, context, and purposes of Processing. Core TOMs are summarized in Annex II (Security Measures).

4.2 Customer Responsibilities. Customer is responsible for (a) its Users’ access controls; (b) secure submission of Customer Content; (c) configurations Customer selects (e.g., deletion schedules, approved regions); and (d) notifying MZX AI of special categories or high-risk data if permitted under the Agreement.

5. Subprocessors

5.1 Authorization. Customer authorizes MZX AI to use Subprocessors reasonably necessary to provide the Services (e.g., cloud hosting, email delivery, ticketing, optional model APIs). The current Subprocessors are identified in MZX AI’s “Subprocessor List” (as updated from time to time), which is incorporated by reference into this DPA.

5.2 Engagement. MZX AI will: (a) impose written obligations on Subprocessors that are no less protective than this DPA; and (b) remain responsible for Subprocessors’ performance.

5.3 Changes. MZX AI will provide advance notice of changes to Subprocessors by updating the Subprocessor List (and, where contractually agreed, via email alert). Customer may object on reasonable privacy grounds within 10 days. If the parties cannot resolve the objection, Customer may terminate the impacted Services (without penalty) and receive a pro-rata refund of prepaid unused fees.

5.4 LLM/API Subprocessors. For LLM/API Subprocessors, the no-training commitment in §2.5 applies in addition to the obligations in this §5.

6. International Transfers

6.1 Transfers. Where MZX AI transfers Personal Data outside the EEA/UK/Switzerland, it will ensure a valid transfer mechanism (e.g., EU SCCs, UK Addendum/IDTA, Swiss Addendum) as set out in Annex I.
6.2 Supplementary Measures. Where appropriate, MZX AI will implement supplementary measures (organizational, contractual, technical) to ensure essentially equivalent protection.

7. Assistance; Data Subject Requests

7.1 Individual Rights. Taking into account the nature of Processing, MZX AI will reasonably assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill requests to exercise data subject rights (access, rectification, deletion, restriction, portability, objection). If MZX AI receives a request directly, it will promptly forward it to Customer (unless legally prohibited).
7.2 DPIAs & Consultation. MZX AI will provide reasonable assistance to Customer with data protection impact assessments and consultations with supervisory authorities to the extent required by Applicable Privacy Laws and related to the Services.
7.3 Records. MZX AI will maintain records of Processing as required by Applicable Privacy Laws and make them available upon reasonable request.

8. Security Incidents

8.1 Notification. If MZX AI becomes aware of a Personal Data Breach affecting Customer Personal Data, MZX AI will notify Customer without undue delay (and, where feasible, within 72 hours) after becoming aware, providing available information to assist Customer in meeting its breach notification obligations.
8.2 Remediation & Cooperation. MZX AI will take reasonable steps to mitigate the effects and cooperate with Customer to investigate and remediate. Notifications are not an acknowledgment of fault.

9. Audit and Verification

9.1 Documentation. Upon request, MZX AI will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., security summaries, policies, third-party assessment summaries where available).
9.2 Audits. Where required by Applicable Privacy Laws, Customer (or an independent auditor it appoints) may audit MZX AI’s compliance no more than once per 12 months, on 30 days’ prior written notice, during normal business hours, in a manner that does not unreasonably disrupt operations, and subject to confidentiality and facility/IT security policies. Remote reviews of documentation are preferred; onsite activities (if any) are narrowly scoped and at Customer’s expense.
9.3 Confidentiality. Audit results are Confidential Information.

10. Return and Deletion

Upon termination or expiry of the Agreement, MZX AI will, upon written request and subject to legal retention requirements, either return or delete Personal Data in its systems. Standard backup media will be overwritten per normal cycles. If Customer requires a specific deletion certificate, MZX AI will provide a confirmation upon completion.

Default retention (unless configured otherwise or required by law):

  • Uploaded client documents & attachments: auto-delete after 360 days
  • Generated content and documents: retained for 360 days or per customer setting
  • Operational logs/telemetry: 24 months
  • Billing/transaction records: retained as required by law (7 years)

We may retain de-identified or aggregated data for longer.

11. Government Requests

Where legally permitted, MZX AI will promptly notify Customer of any binding request for disclosure of Personal Data by a public authority and will challenge unlawful requests. MZX AI will disclose only the minimum necessary to comply with applicable law.

12. CPRA/State Law Service Provider/Processor Terms

To the extent state privacy laws apply, MZX AI will:
(a) not sell or share Personal Data;
(b) not retain, use, or disclose Personal Data for any purpose other than performing the Services or as permitted by law/this DPA;
(c) not combine Personal Data with data received from other sources except to detect security incidents, protect against fraudulent or illegal activity, or to the extent permitted for aggregated/de-identified analytics not identifiable to a consumer or household;
(d) assist Customer in responding to verifiable consumer requests; and
(e) flow down equivalent obligations to Subprocessors.

13. Liability; Order of Precedence

Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. If there is a conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA prevails. Nothing in this DPA limits either party’s responsibilities under Applicable Privacy Laws.

14. Miscellaneous

This DPA becomes effective on the Effective Date or the date the parties otherwise agree to be bound. Electronic acceptance or signature is permitted. This DPA terminates automatically upon termination of the Agreement.


Annex I – International Transfer Mechanisms

A. EU Standard Contractual Clauses (SCCs)

Module 2 (Controller → Processor) applies where Customer (data exporter) transfers Personal Data to MZX AI (data importer) in a non-adequate country. The parties agree the EU Commission Implementing Decision (EU) 2021/914 SCCs are incorporated by reference with the following selections:

  • Clause 7 (Docking): Applicable.
  • Clause 9 (Subprocessors): General authorization; notice and objection per Section 5.3.
  • Clause 11 (Redress): Not applicable to non-public authorities.
  • Clause 13: Supervisory authority is determined per the exporter’s EEA establishment or where the representative is located.
  • Clause 17 (Governing law): Laws of Ireland.
  • Clause 18 (Forum): Courts of Ireland.

Annex I.A – Parties

  • Exporter: Customer (details per Agreement/order).
  • Importer: MZX AI, Metrix Zenith X Artificial Intelligence; IFZA Business Park – Dubai Silicon Oasis – Dubai – United Arab Emirates, privacy@mzx.ai.

Annex I.B – Description of Transfer

  • Categories of data subjects: Customer’s employees/agents; Customer’s clients and counterparties as included in Customer Content.
  • Categories of personal data: Contact details, business context data, document contents provided by Customer (which may incidentally contain personal data), logs/telemetry required for operation.
  • Sensitive data: Not intended. If present, only as instructed by Customer and subject to enhanced safeguards.
  • Frequency: Continuous/as needed during the Agreement.
  • Nature and purpose: Hosting, processing, transformation, and delivery of proposal documents; support; security/availability.
  • Retention: As per Section 10 and Customer configuration.
  • Subprocessors: As identified in MZX AI’s Subprocessor List (maintained by MZX AI and incorporated by reference; available via the customer portal or upon request).

Annex I.C – Competent Supervisory Authority: Determined per Clause 13.

B. UK Addendum / IDTA

For transfers subject to UK GDPR, the parties incorporate the UK Addendum to the EU SCCs (version issued by the ICO) with the EU SCCs above, with:

  • Tables 1–3: Completed by reference to Annex I (for Exporter/Importer details and the description of transfer) and Annex II (for the TOMs).
  • Table 4 (Mandatory Clauses): The Approved Addendum. Alternatively, if agreed, the UK IDTA may be used.

C. Swiss Addendum

For transfers subject to the Swiss FADP, the EU SCCs apply with: references to GDPR read as FADP; “Member State” read as “Switzerland”; the FDPIC as the competent authority; and the governing law/forum adapted accordingly.


Annex II – Security Measures (Summary)

MZX AI maintains commercially reasonable TOMs including:

  1. Governance & Access Control

    • Role-based access; least privilege; periodic access reviews.
    • Multi-factor authentication for privileged accounts.
    • Background checks where legally permissible.
  2. Infrastructure & Network Security

    • Hosting on reputable cloud provider(s) (e.g., AWS) with hardened configurations.
    • Network segmentation; security groups; managed WAF/CDN (as applicable).
    • Optional VPC/private deployment for enterprise customers per order form.
  3. Encryption

    • In transit: TLS 1.2+ for data flows.
    • At rest: encryption of storage (e.g., S3 SSE-KMS, encrypted databases/volumes).
    • Managed key services (e.g., AWS KMS); customer-managed keys where agreed.
  4. Monitoring, Logging, and Alerting

    • Centralized logging of authentication, admin, and data access events.
    • Automated alerts for anomalous activity; time-synced logs.
  5. Application Security

    • Secure SDLC practices, code review, dependency management.
    • Regular vulnerability scanning; remediation based on risk.
    • Third-party security testing/assessments where appropriate.
  6. Data Management

    • Configurable retention/deletion windows for Customer Content (where available).
    • Segregation by tenant; logical isolation.
    • Controlled test data handling (no production data in lower environments unless agreed and safeguarded).
  7. Business Continuity & DR

    • Regular backups with encryption; restoration testing.
    • Redundancy and availability targets per Agreement.
  8. Incident Response

    • Documented IR plan; defined roles; timely customer notifications per Section 8.
  9. Personnel & Training

    • Security and privacy training on hire and periodically thereafter.
    • Confidentiality obligations for all personnel handling Personal Data.
  10. Vendor & Subprocessor Management

    • Written contracts; risk assessment and onboarding controls; periodic review.

Annex III – Data Processing Details (Art. 28(3) GDPR)

  • Subject matter & duration: Provision of the Services for the term of the Agreement plus retention/deletion periods in Section 10.
  • Nature & purpose: Storage, transformation, and generation of proposal content; support; security; availability.
  • Types of Personal Data: Names, business contact details, role/title; any personal data included within Customer documents; technical identifiers (IP, logs).
  • Categories of Data Subjects: Customer’s personnel, Customer’s clients/counterparties referenced in documents.
  • Special Categories: Not intended; if present, processed only on documented instructions and with enhanced safeguards.
  • Processing operations: Collection, storage, organization, adaptation, retrieval, transmission, deletion, and as otherwise necessary to provide the Services.

Signatures
By signing below (or accepting the Agreement referencing this DPA), the parties agree to this DPA, including Annexes.

Customer (Controller/Business)
Name: __________________________
Title: ___________________________
Date: ___________________________

MZX AI (Processor/Service Provider)
Name: __________________________
Title: ___________________________
Date: ___________________________