Data Processing Agreement

This Data Processing Agreement ("DPA") supplements the Terms of Service between the Customer (you, identified by the Account email) and RWX-TEK INC, a California corporation ("Jettson", "Processor"). It applies when Customer processes personal data of EU, UK, EEA, or Swiss data subjects through the Jettson Service.

To execute a counter-signed DPA, email customertek@rwxtek.com with subject "DPA" and your company details. We will return a counter-signed PDF.

1. Roles

• Customer is the Controller of personal data they submit to the Service.
• Jettson is the Processor, acting on the documented instructions of the Customer.
• Where both parties are Controllers of the same data (e.g. account billing data), each party is independently responsible for its own processing.

2. Subject matter

Jettson processes personal data on Customer's behalf as necessary to provide the Service described in the Terms of Service.

3. Duration

For the term of the Customer's subscription, plus the deletion period defined in Section 11.

4. Nature and purpose of processing

To host, run, and operate autonomous AI agents on behalf of the Customer; store memory the agents read and write; deliver outputs to the Customer; and provide related security, billing, and support functions.

5. Categories of personal data

Personal data the Customer may submit through the Service, which may include identifiers, contact details, professional information, account or transaction records, free-form text in agent prompts and outputs, and any other categories the Customer chooses to submit.

Customer must not submit special categories of personal data (race, religion, health, biometrics, sexual orientation, criminal records, or children's data) without specific prior written approval from Jettson and a separate written agreement covering such processing.

6. Categories of data subjects

Individuals whose data the Customer chooses to process — typically the Customer's end users, prospects, employees, contractors, or research subjects.

7. Sub-processors

Jettson uses the sub-processors listed at /sub-processors. The list is updated when sub-processors are added or removed. Customer may subscribe to notifications by emailing customertek@rwxtek.com.

Notice and objection. Jettson will give at least thirty (30) days' notice before adding a new sub-processor. Customer may object on reasonable grounds within that window; if Jettson and Customer cannot reach a resolution, Customer's exclusive remedy is to terminate the affected portion of the Service and receive a prorated refund of pre-paid Fees.

8. Security measures

Jettson implements the technical and organizational measures described in the Security Overview, which is incorporated by reference. Measures include TLS in transit, encryption at rest, hashed credentials, network and process isolation per agent, least-privilege internal access, and logging of security-relevant events.

9. Data subject rights

Jettson will assist Customer with reasonable measures to fulfill Customer's obligation to respond to data subject requests (access, correction, deletion, portability, restriction, objection). Where a data subject contacts Jettson directly, Jettson will forward the request to Customer where the Customer is the Controller.

10. Personal data breaches

Jettson will notify Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, with the information required by Article 33(3) GDPR to the extent then known.

11. Deletion and return

On Customer's written request or on termination of the Service, Jettson will delete or return all personal data processed on Customer's behalf within ninety (90) days, except where retention is required by law (billing and tax records — see Privacy Policy).

12. International transfers

Personal data is processed in the United States. Where the EU/UK/EEA/Swiss data exporter relies on Standard Contractual Clauses (SCCs) for transfers, the Module Two SCCs (Controller-to-Processor) are deemed incorporated, with: Clause 7 (docking clause) included; Clause 9(a) Option 2 (general written authorization); Clause 11(a) — independent dispute resolution body not included; Clause 17 governing law = Republic of Ireland; Clause 18 forum = courts of Ireland. UK Addendum and Swiss adaptations are deemed incorporated where applicable.

13. Audits

Jettson will, on reasonable notice and no more than once per twelve (12) months, make available information necessary to demonstrate compliance with this DPA and allow for audits conducted by Customer or a mutually agreed third-party auditor. Audits must respect confidentiality and not unduly disrupt Jettson's business. Customer pays its own audit costs.

14. Confidentiality

Jettson treats Customer Personal Data as confidential and ensures personnel with access are bound by confidentiality obligations.

15. Liability

Liability under this DPA is subject to the limitation of liability in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable law, including Article 82 GDPR.

16. Conflict

In the event of conflict between this DPA and the Terms of Service with respect to processing of personal data, this DPA prevails.

17. Execution

This DPA is offered as a standing offer to all Customers. By using the Service after the Last updated date, Customer accepts this DPA. For a counter-signed copy, email customertek@rwxtek.com.

18. Contact

DPA questions: customertek@rwxtek.com.