This Data Processing Agreement (DPA) forms part of and is incorporated by reference into the Agreement between Bayescase GmbH (Processor) and the Customer identified in the applicable Order (Controller) for use of the Service.

1. Parties and Roles

  • Controller: The Bayescase customer identified in the Order.
  • Processor: Bayescase GmbH, Julius-Hatry-Straße 1, 68163 Mannheim, Germany.
  • Roles:
    • For Customer Personal Data processed within the Service on behalf of Controller, Bayescase acts as Processor.
    • For account, billing, communications, marketing and telemetry data for which Bayescase determines the purposes and means, Bayescase acts as an independent Controller (out of scope of this DPA and governed by Bayescase's Privacy Policy).
    • For model improvement/training activities described in Section 4.6, Bayescase acts as an independent Controller; Controller may opt out as set forth there.

2. Definitions

  • Customer Personal Data: any personal data (Art. 4(1) GDPR) provided by or on behalf of Controller to the Service for processing on Controller's behalf.
  • Service: Bayescase's hosted software service described in the Agreement.
  • Sub-processor: any third party engaged by Bayescase to process Customer Personal Data on Controller's behalf in connection with the Service.
  • EU GDPR, UK GDPR, and Swiss FADP have the meanings given under applicable law. Capitalized terms not defined here have the meanings in the Agreement or GDPR.

3. Subject Matter, Duration, Nature and Purpose

  • Subject matter and duration: Processing of Customer Personal Data as necessary to provide the Service during the Subscription Term and for 30 days thereafter for export, followed by deletion subject to backups as described below.
  • Nature and purpose: Hosting, storage, retrieval, transmission, analysis, transformation, and other processing necessary to provide, secure, maintain, and support the Service for Controller, including optional AI features requested by users, generation of AI-assisted outputs, and fraud/abuse prevention.
  • Categories of personal data: Typical B2B SaaS user/account data (e.g., name, business email, role, organization, user IDs), usage and event logs, prompts, uploaded materials, generated outputs, and any personal data contained in Customer's inputs or datasets uploaded to or entered into the Service. Controller shall not input special categories of personal data (Art. 9 GDPR), biometric data, genetic data, government-issued identifiers, or children's data without a written amendment.
  • Categories of data subjects: Authorized Users, Controller's personnel, contractors, business contacts, and other individuals whose personal data Controller chooses to input into the Service.
  • Sensitive data: Not intended. Controller will not submit health, biometric, genetic, or other special category data, or children's data, to the Service or AI features unless expressly agreed in writing.

4. Controller Instructions; Processor Obligations

4.1 Instructions. Bayescase shall process Customer Personal Data only on documented instructions from Controller, including as set out in the Agreement, this DPA, and Controller's configuration of the Service. If Bayescase is required by EU, Member State, UK, Swiss or other applicable law to process Customer Personal Data beyond Controller's instructions, Bayescase will inform Controller before processing unless the law prohibits such notice.

4.2 Confidentiality. Bayescase ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations.

4.3 Security. Bayescase implements technical and organizational measures (TOMs) appropriate to the risk, as described in Annex II, including encryption in transit and at rest, access controls, logging, and backups.

4.4 Assistance. Taking into account the nature of the processing, Bayescase assists Controller by appropriate technical and organizational measures insofar as possible for the fulfilment of Controller's obligations to respond to data subject requests under Chapter III GDPR, and to conduct data protection impact assessments and consultations with supervisory authorities (Articles 35–36 GDPR). Bayescase may charge reasonable fees for assistance that goes beyond basic configuration or self-service capabilities of the Service.

4.5 Personal data breaches. Bayescase will notify Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably required by Controller to comply with Articles 33–34 GDPR as it becomes available. Notification will be sent to the admin email on the account unless Controller designates another address.

4.6 Model improvement/training (separate controllers). To improve and develop the Service, Bayescase may use Customer's inputs and Outputs to train, fine-tune, or otherwise improve algorithms, models, and features. For such improvement/training, Bayescase acts as an independent Controller, relies on legitimate interests (Art. 6(1)(f) GDPR), applies appropriate safeguards (e.g., de-identification where feasible), and honors Controller's opt-out at any time via email to privacy@bayescase.com. If Controller opts out, Bayescase will not include Controller's inputs/Outputs in training datasets after the opt-out effective date; this does not affect processing strictly necessary to provide the Service as Processor.

5. Sub-processing

5.1 Authorization. Controller grants Bayescase a general authorization to engage Sub-processors to process Customer Personal Data. The current list is available at https://bayescase.com/subprocessors and includes processors engaged by Bayescase in its capacity as Processor for Service data, including providers used to process Customer Personal Data in connection with optional AI features requested by Controller's users. Vendors used by Bayescase in its own capacity as Controller (e.g., for billing or CRM) are not Sub-processors under this DPA.

5.2 Requirements. Bayescase shall:

  • impose on Sub-processors data protection obligations no less protective than those in this DPA (including TOMs and, where applicable, SCCs), and
  • remain responsible for Sub-processors' performance.

5.3 Changes. Bayescase will provide at least 30 days' prior notice of additions/replacements via the Sub-processor page or email. Controller may object on reasonable data protection grounds within that period. If the parties cannot resolve an objection in good faith, Controller may terminate the affected Service and receive a pro rata refund for prepaid, unused fees.

6. International Transfers

6.1 Locations. Bayescase primarily hosts and processes Customer Personal Data in the EU/EEA (AWS eu-central-1, Frankfurt). Certain AI-related processing of prompts, context, uploaded materials, and outputs may be carried out by Bayescase's AI provider outside the EU/EEA, including in the United States, where necessary to provide the AI features requested by Controller or its Authorized Users.

6.2 Safeguards. Where Customer Personal Data is transferred to a third country without an adequacy decision:

  • For EU GDPR: The EU Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914 are incorporated by reference. Module Two (Controller-to-Processor) applies to transfers from Controller to Bayescase; Module Three (Processor-to-Processor) applies to onward transfers between Bayescase and Sub-processors. The parties populate the SCCs as set out in Annex I and Annex II to this DPA. In case of conflict, the SCCs prevail for the relevant transfer.
  • For UK GDPR: The UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (the UK Addendum), in the version in force on the Effective Date, is incorporated and applies to relevant transfers; the EU SCCs as amended by the UK Addendum form the transfer mechanism for those transfers.
  • For Switzerland: The EU SCCs apply as adapted for transfers subject to the Swiss FADP: references to the GDPR are read as references to the Swiss FADP, references to the competent supervisory authority include the Swiss Federal Data Protection and Information Commissioner (FDPIC), and the term "Member State" is not read so as to exclude data subjects in Switzerland from enforcing their rights in their place of habitual residence.

6.3 Supplementary measures. Bayescase will implement appropriate supplementary measures (e.g., encryption in transit and at rest, access controls, data minimization), assess laws/practices of the destination country where reasonably possible, and document a transfer impact assessment (TIA) upon request. Bayescase will notify Controller if it can no longer comply with the SCCs and, if feasible, will suspend the relevant transfer or propose a reasonable alternative.

7. Audits and Information Rights

  • Upon reasonable written request (not more than once in any 12-month period unless required by a competent authority or following a confirmed personal data breach), Bayescase will make available information necessary to demonstrate compliance with Article 28 GDPR, which may include: security whitepapers, policy summaries, responses to security questionnaires, and descriptions of TOMs.
  • Onsite audits are not permitted except where required by applicable law or a competent supervisory authority. Any audit will be conducted during normal business hours, in a manner that minimizes disruption, subject to confidentiality obligations, and at Controller's expense.

8. Data Retention, Return, and Deletion

During the Subscription Term and for 30 days after termination/expiry (provided all undisputed fees are paid), Controller may export Customer Personal Data via the Service or upon request. After that period, Bayescase will delete Customer Personal Data from active systems and processing schedules, subject to legal retention obligations and standard encrypted rolling backups with a maximum retention of 35 days. Data contained in backups will be overwritten in the ordinary course of backup rotation and is not restored except for disaster recovery.

9. Liability; Order of Precedence

  • The parties' respective liability under or in connection with this DPA is governed by the limitation of liability in the Agreement. Nothing in this DPA limits either party's liability where such limitation is not permitted by law, or under the SCCs for the relevant restricted transfers.
  • In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to processing of Customer Personal Data. In the event of a conflict with the SCCs for a restricted transfer, the SCCs prevail for that transfer.

10. Miscellaneous

  • Personnel; access. Bayescase ensures that access to Customer Personal Data is limited to personnel who require it for the purposes of the Service, and that such access is revoked when no longer needed.
  • Records. Bayescase will maintain records of processing activities as required by Article 30(2) GDPR and make them available to supervisory authorities upon request.
  • Government access requests. Where legally permissible, Bayescase will notify Controller of government or other third-party requests for Customer Personal Data and will challenge unlawful requests. Bayescase will disclose only the minimum required to comply with the law.
  • Term. This DPA remains in force for so long as Bayescase processes Customer Personal Data on behalf of Controller under the Agreement.
  • AI Sub-processors and instructions. Where Controller uses optional AI features, Controller instructs Bayescase to make Customer Personal Data contained in prompts, context, uploaded materials, and outputs available to Bayescase's authorized AI Sub-processor (listed on the Sub-processor page referenced in Section 5.1) solely as necessary to generate the requested response and provide the Service.

Annex II – Technical and Organizational Measures

Bayescase implements and maintains the following measures, proportionate to the risks of processing Customer Personal Data in the Service. Measures are reviewed periodically and updated as necessary.

Organization and governance: Security responsibilities are assigned to Bayescase's founder/management. Personnel with access to Customer Personal Data are bound by confidentiality. Basic security awareness practices are applied.

Access controls and authentication: Named, least-privilege access to production systems and Customer Personal Data. Timely provisioning and deprovisioning (typically within 24–48 hours) when roles change or staff leave. Multi-factor authentication (MFA) for privileged access to production systems and cloud consoles.

Physical and infrastructure security: Use of leading cloud providers' data centers (e.g., AWS eu-central-1) with certified physical security. Bayescase does not operate its own data centers.

Encryption and key management: Encryption in transit (TLS 1.2+) for data flows under Bayescase's control. Encryption at rest for databases, storage, and backups using cloud provider managed encryption. Keys are managed using cloud-native key management in the primary region; access to keys is restricted and logged.

Network and application security: Cloud network security controls (e.g., security groups, managed firewalls) configured to restrict inbound access to necessary ports/services. Software dependencies and platforms are kept reasonably up to date; critical security patches are applied in a commercially reasonable timeframe. Basic logging of administrative actions and access to Customer Personal Data; monitoring of critical infrastructure/service health.

Data management and segregation: Logical separation of Customer Data by account/tenant identifiers. Data minimization and purpose limitation applied to reduce personal data exposure.

Backup and recovery: Regular encrypted backups of Customer Data with a typical retention of up to 35 days. Procedures to restore data from backups; restoration capability is reviewed from time to time.

Incident management: Incident response procedures covering detection, assessment, containment, and recovery. Notification to Controller without undue delay upon becoming aware of a personal data breach affecting Customer Personal Data, with updates as information becomes available.

Vendor and sub-processor management: Data processing agreements with Sub-processors, including appropriate safeguards for international transfers (e.g., SCCs). Risk-based onboarding and a maintained Sub-processor register with change notifications.

Business continuity: Use of cloud-native redundancy for critical components; commercially reasonable efforts to restore service in the event of a disruption.