Data Processing Agreement

Preamble

This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the processing of Personal Data and is designed to meet the requirements of:

• Regulation (EU) 2016/679 (General Data Protection Regulation — “GDPR”)
• UK General Data Protection Regulation (“UK GDPR”)
• California Consumer Privacy Act of 2018 as amended (“CCPA/CPRA”)
• EU AI Act (Regulation (EU) 2024/1689), where applicable

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail.

1. Definitions

Capitalized terms not defined herein shall have the meaning given in the Terms of Service. “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Sub-Processor”, and “Security Incident” have the meanings ascribed to them under applicable Data Protection Laws.

2. Processing of Personal Data

2.1 Roles and Responsibilities

The Customer is the Controller of Personal Data. Abbasi Global Ltd processes Personal Data only on documented instructions from the Controller, unless required to do otherwise by applicable law.

2.2 Nature and Purpose of Processing

The Processor provides an AI agent orchestration platform enabling the Controller to deploy, monitor, and manage AI agents. Processing is necessary to deliver this service, including account management, data storage, AI/LLM inference execution, analytics, payment processing, and technical support.

2.3 Duration of Processing

The Processing shall continue for the duration of the Agreement plus any post-termination data handling period (not to exceed 90 days), unless otherwise agreed in writing.

2.4 Categories of Data Subjects

• Authorized users of the Controller’s FuseIQ accounts
• Individuals whose data is submitted or processed by the Controller’s AI agents
• End users interacting with AI agents deployed through the Platform

2.5 Categories of Personal Data

• Identity data: name, email address, company name
• Contact data: email, billing address
• Account credentials and authentication data
• User-generated content: prompts, queries, instructions submitted to AI agents
• AI-generated outputs derived from User Content
• Technical data: IP addresses, browser/user-agent information, device identifiers, usage logs
• Communications: support tickets, correspondence

2.6 Special Categories of Data

The Controller shall not submit Special Categories of Data (as defined in GDPR Art. 9) to the Platform without prior written agreement and implementing appropriate safeguards.

3. Processor Obligations

The Processor warrants and agrees to process Personal Data only on documented instructions, ensure confidentiality of authorized personnel, assist the Controller with Data Subject rights requests, implement appropriate security measures (including AES-256-GCM encryption, TLS 1.2+, RBAC, MFA, 24/7 monitoring, and incident response), maintain a list of Sub-Processors, and ensure appropriate safeguards for international data transfers.

4. Security Incident Management

The Processor shall notify the Controller of any Security Incident without undue delay and in any event within 48 hours of becoming aware of the incident. The notification shall include the nature of the incident, categories of Data Subjects and records concerned, likely consequences, and measures taken or proposed.

5. Sub-Processors

The Controller provides general authorization for the Processor to engage the following Sub-Processors:

6. Audit and Compliance

Upon 30 days’ written notice and no more than once per calendar year, the Controller or a mutually agreed independent auditor may audit the Processor’s compliance with this DPA. The Processor shall provide a SOC 2 Type II report or equivalent audit certificate upon request.

7. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales (for GDPR matters) and the State of Florida (for matters not governed by GDPR), unless otherwise agreed.