Patent Scout Data Processing Agreement

Effective Date: October 17, 2025
Last Updated: October 17, 2025


Introduction and Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer" or "Data Controller") and Phaethon Order LLC ("Company," "Processor," "We," "Us," or "Our") for the use of the Patent Scout service (the "Service").

This DPA governs the processing of Personal Data (as defined below) by the Company on behalf of the Customer in connection with the Service. This DPA reflects the parties' agreement on the terms governing the processing of Personal Data in compliance with applicable Data Protection Laws.

BY USING THE SERVICE, YOU AGREE TO THE TERMS OF THIS DPA. This DPA is automatically incorporated into and forms part of the Terms of Service between the parties.

If there is a conflict between this DPA and the Terms of Service, this DPA shall prevail to the extent of the conflict with respect to the processing of Personal Data.

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings set forth in the Terms of Service. The following definitions apply:

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

"Authorized Sub-processor" means a third party engaged by the Company, with Customer's authorization under Section 6 of this DPA, to Process Personal Data on Customer's behalf.

"Customer Data" means all data, content, and information submitted, uploaded, or transmitted by or on behalf of the Customer or its Authorized Users through the Service, including Personal Data.

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to:

  • General Data Protection Regulation (EU) 2016/679 ("GDPR");
  • UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR");
  • Swiss Federal Act on Data Protection ("FADP");
  • California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA");
  • Virginia Consumer Data Protection Act ("VCDPA");
  • Colorado Privacy Act ("CPA");
  • Connecticut Data Privacy Act ("CTDPA");
  • Utah Consumer Privacy Act ("UCPA");
  • Any other applicable federal, state, provincial, or international data protection legislation.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA. For the purposes of this DPA, Data Subjects include Customer's employees, contractors, agents, consultants, and authorized users of the Service ("Authorized Users").

"EEA" means the European Economic Area.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Company on behalf of the Customer in connection with the Service. Personal Data includes but is not limited to:

  • Account holder names and email addresses;
  • Organization or company names and details;
  • User-generated content including saved search queries, alert configurations, and notes;
  • Usage data and activity logs;
  • IP addresses and technical identifiers;
  • Payment and billing information;
  • Communications with the Company.

Note: Personal Data does NOT include publicly available patent and publication data (titles, abstracts, claims, inventor names, assignee names) sourced from government databases. Inventor names are personal data of the inventors, but those individuals are not Customer's Data Subjects and such data is not Processed on Customer's behalf.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processing" (and "Process," "Processes," or "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

"Standard Contractual Clauses" or "SCCs" means:

  • For EEA transfers: the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 (Module Two: Controller to Processor), as may be amended or replaced;
  • For Swiss transfers: the Swiss Federal Data Protection and Information Commissioner's approved standard contractual clauses or equivalent mechanisms;
  • For UK transfers: the International Data Transfer Agreement, or the International Data Transfer Addendum to the EU standard contractual clauses, issued by the UK Information Commissioner's Office.

"Supervisory Authority" means an independent public authority responsible for monitoring the application of Data Protection Laws, established in an EEA Member State, the UK, or Switzerland.

2. Scope and Roles

2.1 Relationship of the Parties

The parties acknowledge and agree that with respect to the Processing of Personal Data under this DPA:

  • Customer is the Data Controller, determining the purposes and means of Processing Personal Data;
  • Company is the Data Processor, Processing Personal Data on behalf of and in accordance with Customer's documented instructions;
  • Each party shall comply with the obligations applicable to it under applicable Data Protection Laws.

2.2 Scope of Processing

The Company shall Process Personal Data only:

  • To provide the Service as described in the Terms of Service;
  • As necessary to comply with applicable laws;
  • In accordance with Customer's documented instructions as set forth in this DPA and the Terms of Service;
  • As otherwise agreed in writing between the parties.

The Company shall not Process Personal Data for any other purpose or in a manner inconsistent with Customer's instructions without Customer's prior written consent, except where required by applicable law (in which case, the Company shall inform Customer of such legal requirement before Processing, unless prohibited by law).

2.3 Customer Instructions

Customer instructs the Company to Process Personal Data as follows:

  • Nature and Purpose: To provide the Service, including patent search, trend analysis, alert delivery, data export, and customer support;
  • Duration: For the term of the Terms of Service and as required for data retention obligations;
  • Types of Personal Data: As specified in Annex A (Details of Processing);
  • Categories of Data Subjects: Customer's employees, contractors, consultants, and Authorized Users;
  • Additional Instructions: Customer may issue additional written instructions through the Service interface (e.g., data export requests, deletion requests) or by contacting support@phaethon.llc.

If the Company believes that an instruction from Customer infringes applicable Data Protection Laws, it shall promptly inform Customer and may suspend performance of the instruction until Customer confirms or modifies it.

2.4 Compliance with Laws

Each party represents and warrants that it shall comply with its respective obligations under applicable Data Protection Laws. Customer is solely responsible for:

  • Ensuring that it has obtained all necessary consents and provided all required notices to Data Subjects for the Processing contemplated by this DPA;
  • Ensuring that the Processing instructions it provides to Company comply with applicable Data Protection Laws;
  • Determining the lawful basis for Processing under applicable Data Protection Laws;
  • Conducting any required data protection impact assessments.

3. Details of Processing

The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and categories of Data Subjects are further described in Annex A attached to this DPA.

4. Company Obligations

4.1 Confidentiality

The Company shall ensure that all persons authorized to Process Personal Data:

  • Are subject to a duty of confidentiality (whether by contract or statutory obligation);
  • Have received appropriate training on Data Protection Laws and data security;
  • Process Personal Data only as necessary to perform the Service or as instructed by Customer.

4.2 Security Measures

The Company shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Personal Data Breaches, taking into account:

  • The state of the art;
  • The costs of implementation;
  • The nature, scope, context, and purposes of Processing;
  • The risks to the rights and freedoms of Data Subjects.

The security measures implemented by the Company are described in Annex B (Security Measures) and include at minimum:

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest;
  • Access controls and authentication mechanisms (including multi-factor authentication);
  • Regular security testing and vulnerability assessments;
  • Logging and monitoring of access to Personal Data;
  • Secure backup and disaster recovery procedures;
  • Physical security controls for data center facilities;
  • Incident response and breach notification procedures;
  • Regular security awareness training for personnel.

The Company shall regularly review and update these security measures as necessary to maintain a level of security appropriate to the risk.

4.3 Personal Data Breach Notification

The Company shall notify Customer without undue delay after becoming aware of a Personal Data Breach, and in any event:

  • Within 72 hours of becoming aware of the breach; where not all of the information listed below is available within that period, the Company shall give initial notice within 72 hours and supplement it without undue delay as further information becomes available;
  • Via email to Customer's registered email address and/or other contact methods on file;
  • Including, to the extent possible, the following information:
    • Description of the nature of the breach;
    • Categories and approximate number of Data Subjects affected;
    • Categories and approximate number of Personal Data records affected;
    • Likely consequences of the breach;
    • Measures taken or proposed to address the breach and mitigate harm;
    • Contact information for further inquiries.

The Company shall:

  • Provide reasonable assistance to Customer in fulfilling Customer's obligations to notify Supervisory Authorities and Data Subjects of the breach;
  • Take reasonable steps to remediate the breach and prevent future breaches;
  • Not publicly disclose any Personal Data Breach without Customer's prior written consent, except as required by applicable law;
  • Cooperate with Customer's investigation and remediation efforts.

4.4 Assistance with Data Subject Rights

The Company shall, taking into account the nature of the Processing, provide reasonable assistance to Customer in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:

  • Right of access;
  • Right to rectification;
  • Right to erasure ("right to be forgotten");
  • Right to restrict Processing;
  • Right to data portability;
  • Right to object to Processing;
  • Rights related to automated decision-making and profiling.

If the Company receives a request directly from a Data Subject, the Company shall:

  • Notify Customer of the request within 5 business days of receipt;
  • Not respond to the Data Subject except as instructed by Customer or as required by law;
  • Cooperate with Customer to facilitate Customer's response within applicable timeframes.

The Company may charge reasonable fees for assistance with complex or repeated Data Subject requests, as mutually agreed in writing.

4.5 Assistance with Compliance Obligations

The Company shall provide reasonable assistance to Customer, at Customer's expense, in ensuring compliance with Customer's obligations under Data Protection Laws, including:

  • Data protection impact assessments (DPIAs);
  • Prior consultations with Supervisory Authorities;
  • Security audits and certifications;
  • Responding to inquiries from Supervisory Authorities;
  • Documentation of Processing activities.

Such assistance shall be subject to reasonable notice and scheduling, and the Company may charge fees for extensive or time-consuming assistance.

4.6 Deletion or Return of Personal Data

Upon termination or expiration of the Terms of Service, or upon Customer's written request, the Company shall, at Customer's option:

  • Delete all Personal Data and existing copies in the Company's systems within 30 days; OR
  • Return all Personal Data to Customer in a commonly used, machine-readable format within 30 days.

The Company may retain Personal Data to the extent required by applicable law, provided that the Company ensures the confidentiality of such Personal Data and Processes it only as necessary to comply with legal obligations.

Upon completion of deletion or return, the Company shall provide written certification to Customer confirming compliance with this section.

4.7 Records and Audits

The Company shall maintain records of all Processing activities carried out on behalf of Customer, including:

  • Name and contact details of the Company and Customer;
  • Categories of Processing;
  • Categories of Data Subjects and Personal Data;
  • Authorized Sub-processors;
  • International data transfers and safeguards;
  • Security measures implemented.

Audit Rights: The Company shall, upon Customer's written request and subject to reasonable notice (at least 30 days), allow Customer (or Customer's independent third-party auditor bound by confidentiality obligations) to:

  • Inspect the Company's relevant Processing facilities, systems, and records;
  • Conduct audits to verify compliance with this DPA;
  • Review certifications, audit reports (e.g., SOC 2, ISO 27001), or other compliance documentation.

Audit rights are subject to the following conditions:

  • Audits shall be conducted no more than once per year unless required by a Supervisory Authority or in response to a Personal Data Breach;
  • Audits shall be conducted during regular business hours and shall not unreasonably interfere with the Company's operations;
  • Customer shall bear all costs associated with audits;
  • Auditors shall execute confidentiality agreements acceptable to the Company;
  • The Company may provide existing audit reports, certifications, or summaries in lieu of on-site inspections where such documentation is reasonably sufficient to demonstrate compliance.

In the event that an audit reveals non-compliance with this DPA, the Company shall promptly implement corrective measures at its own expense.

5. Customer Obligations

5.1 Lawfulness of Instructions

Customer represents and warrants that:

  • It has obtained all necessary consents, authorizations, and lawful bases for Processing Personal Data;
  • Its Processing instructions comply with applicable Data Protection Laws;
  • It has provided all required notices to Data Subjects regarding the Processing;
  • It shall not instruct the Company to Process Personal Data in violation of Data Protection Laws.

5.2 Accuracy of Personal Data

Customer is responsible for ensuring that Personal Data provided to the Company is accurate, complete, and up-to-date. The Company is not responsible for the accuracy or quality of Personal Data provided by Customer.

5.3 Security of Customer Systems

Customer is responsible for:

  • Maintaining the security of its own systems, networks, and credentials;
  • Ensuring that Authorized Users comply with security requirements;
  • Promptly notifying the Company of any suspected unauthorized access;
  • Implementing appropriate security measures for its own environment.

5.4 Cooperation

Customer shall:

  • Respond promptly to the Company's requests for information or clarification regarding Processing instructions;
  • Cooperate with the Company in responding to Data Subject requests and Supervisory Authority inquiries;
  • Notify the Company of any changes that may affect the Processing of Personal Data.

6. Sub-Processing

6.1 Authorization of Sub-processors

Customer authorizes the Company to engage Authorized Sub-processors to Process Personal Data on Customer's behalf, subject to the terms of this DPA. The Company's current list of Authorized Sub-processors is set forth in Annex C (List of Sub-processors).

6.2 Sub-processor Requirements

The Company shall:

  • Enter into written agreements with each Authorized Sub-processor imposing data protection obligations substantially equivalent to those in this DPA;
  • Ensure that Authorized Sub-processors comply with the same data protection obligations as the Company;
  • Remain fully liable to Customer for the performance of each Authorized Sub-processor's obligations.

6.3 Changes to Sub-processors

The Company may engage new Sub-processors or replace existing Sub-processors from time to time. The Company shall:

  • Provide Customer with at least 30 days' advance written notice of any intended changes to Sub-processors via email or notification through the Service;
  • Update Annex C to reflect any changes;
  • Provide Customer an opportunity to object to the engagement of a new Sub-processor.

Customer's Right to Object: Customer may object to the engagement of a new Sub-processor on reasonable grounds relating to data protection by notifying the Company in writing within 30 days of receiving notice. If Customer objects:

  • The parties shall work together in good faith to resolve Customer's concerns;
  • If the parties cannot reach a resolution within 30 days, Customer may terminate the affected portion of the Service without penalty by providing written notice to the Company.

If Customer does not object within the 30-day notice period, Customer shall be deemed to have accepted the new Sub-processor.

6.4 Sub-processor List

The current list of Authorized Sub-processors is available in Annex C and may be updated at https://patent-scout.com/docs/dpa#annex-c.

7. International Data Transfers

7.1 Transfers Outside the EEA/UK/Switzerland

Customer acknowledges that the Company and its Sub-processors may transfer and Process Personal Data in countries outside the EEA, UK, and Switzerland, including the United States. The Company shall ensure that such transfers are conducted in accordance with applicable Data Protection Laws.

7.2 Transfer Mechanisms

For transfers of Personal Data from the EEA, UK, or Switzerland to countries without an adequacy decision, the Company shall implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): The parties agree that the applicable Standard Contractual Clauses (set forth in Annex D) are incorporated into this DPA and apply to all transfers of Personal Data from the EEA/UK/Switzerland to the Company or its Sub-processors;
  • Binding Corporate Rules: Where applicable and available;
  • Other legally recognized mechanisms: Including approved certifications or codes of conduct;
  • Supplementary measures: Additional technical and organizational measures where necessary to ensure adequate protection (e.g., encryption, pseudonymization).

7.3 U.S. Government Access

Customer acknowledges that the Company's infrastructure is primarily located in the United States and that U.S. law enforcement and intelligence agencies may have access to Personal Data under certain circumstances (e.g., pursuant to lawful requests under FISA or other U.S. laws).

The Company commits to:

  • Implementing supplementary security measures (encryption, access controls, etc.) to minimize risks;
  • Challenging disproportionate or unlawful data requests where feasible;
  • Notifying Customer of any government data requests unless legally prohibited;
  • Providing an annual transparency report summarizing any government requests received.

7.4 Additional Safeguards

The Company shall, in relation to international transfers:

  • Use encryption (in transit and at rest) to protect Personal Data;
  • Implement strict access controls limiting access to Personal Data;
  • Conduct regular security assessments and audits;
  • Maintain compliance with relevant certifications (e.g., SOC 2, ISO 27001);
  • Cooperate with Customer in conducting transfer impact assessments (TIAs) as required under Data Protection Laws.

8. Liability and Indemnification

8.1 Allocation of Liability

Each party shall be liable for its own breaches of this DPA and applicable Data Protection Laws. The Company shall be liable for damages caused by Processing Personal Data in violation of this DPA or applicable Data Protection Laws, except where the Company can prove it was not responsible for the event giving rise to the damage.

8.2 Sub-processor Liability

The Company is fully liable to Customer for the performance of any Authorized Sub-processor's obligations under this DPA. The Company's liability for Sub-processor acts or omissions is the same as for its own acts or omissions.

8.3 Limitation of Liability

Notwithstanding any provision in the Terms of Service, the liability caps and exclusions in the Terms of Service do NOT apply to:

  • The Company's obligations under this DPA related to Personal Data Breaches;
  • Violations of Data Protection Laws;
  • Claims brought by Data Subjects or Supervisory Authorities;
  • Indemnification obligations under Section 8.4.

For clarity, the limitation of liability in the Terms of Service continues to apply to all other claims not related to data protection.

8.4 Indemnification

Company Indemnification: The Company shall indemnify, defend, and hold harmless Customer from and against all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from:

  • The Company's breach of this DPA;
  • The Company's violation of Data Protection Laws;
  • Personal Data Breaches caused by the Company's negligence or willful misconduct;
  • Claims by Data Subjects arising from the Company's Processing;
  • Fines or penalties imposed by Supervisory Authorities due to the Company's non-compliance.

Customer Indemnification: Customer shall indemnify, defend, and hold harmless the Company from and against all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from:

  • Customer's breach of this DPA;
  • Customer's failure to obtain necessary consents or provide required notices to Data Subjects;
  • Customer's Processing instructions that violate Data Protection Laws;
  • Claims arising from Customer's use of the Service in violation of applicable laws.

8.5 Insurance

The Company shall maintain, at its own expense, appropriate insurance coverage (including cyber liability insurance) covering liabilities arising from Personal Data Breaches and violations of Data Protection Laws. The Company shall provide proof of such insurance upon Customer's reasonable request.

9. Term and Termination

9.1 Term

This DPA shall commence on the Effective Date and continue for the duration of the Terms of Service, unless earlier terminated in accordance with this Section 9.

9.2 Termination

This DPA may be terminated:

  • Automatically upon termination of the Terms of Service;
  • By either party upon 30 days' written notice if the other party materially breaches this DPA and fails to cure such breach within the notice period;
  • By Customer immediately upon written notice if a Supervisory Authority orders cessation of Processing due to the Company's non-compliance;
  • By Customer as provided in Section 6.3 (objection to new Sub-processor).

9.3 Effect of Termination

Upon termination of this DPA:

  • The Company shall cease all Processing of Personal Data (except as required by law);
  • The Company shall delete or return Personal Data as provided in Section 4.6;
  • Both parties shall continue to comply with their obligations under this DPA with respect to Personal Data until such data is deleted or returned;
  • Sections that by their nature should survive (confidentiality, liability, indemnification, audit rights for records retention period) shall survive termination.

9.4 Suspension

The Company may suspend Processing of Personal Data if:

  • A Supervisory Authority orders suspension;
  • Required by applicable law;
  • Customer fails to pay fees for more than 30 days after notice;
  • Customer materially breaches this DPA and such breach poses a risk to the Company's compliance with Data Protection Laws.

The Company shall provide Customer with reasonable advance notice of suspension except where immediate suspension is required by law or to protect Data Subjects.

10. General Provisions

10.1 Relationship to Terms of Service

This DPA is incorporated into and forms part of the Terms of Service. In the event of a conflict between this DPA and the Terms of Service with respect to the Processing of Personal Data, this DPA shall prevail.

10.2 Order of Precedence

With respect to the subject matter of this DPA, in the event of inconsistencies, the following order of precedence applies:

  1. Standard Contractual Clauses (Annex D)
  2. This DPA (main body)
  3. Annexes A, B, and C
  4. Terms of Service

10.3 Amendments

The Company may amend this DPA from time to time to:

  • Comply with changes in Data Protection Laws;
  • Reflect changes in the Service or Processing activities;
  • Implement decisions or guidance from Supervisory Authorities;
  • Address new security threats or best practices.

The Company shall provide Customer with at least 30 days' notice of material changes to this DPA. Continued use of the Service after such changes constitutes acceptance. If Customer does not agree to changes, Customer may terminate the Service as provided in the Terms of Service.

10.4 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full effect, and the invalid provision shall be modified to the minimum extent necessary to make it enforceable while preserving the parties' intent.

10.5 Waiver

No waiver of any provision of this DPA shall be effective unless in writing and signed by the party against whom the waiver is sought to be enforced. No failure or delay in exercising any right shall constitute a waiver.

10.6 Entire Agreement

This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding the Processing of Personal Data and supersedes all prior agreements or understandings.

10.7 Governing Law and Jurisdiction

This DPA is governed by the same law and jurisdiction provisions as the Terms of Service, except:

  • Where Data Protection Laws require application of a specific jurisdiction's laws (e.g., GDPR for EEA customers);
  • For disputes related to the Standard Contractual Clauses, the governing law and jurisdiction provisions in the SCCs shall apply.

10.8 Third-Party Beneficiaries

Data Subjects are intended third-party beneficiaries of this DPA and may enforce its provisions directly against the Company where permitted by applicable Data Protection Laws.

10.9 Notices

All notices under this DPA shall be in writing and sent to:

For Company:
Phaethon Order LLC
Email: support@phaethon.llc
Subject: DPA Notice

For Customer:
The email address associated with Customer's account

Notices sent by email are deemed delivered when sent, if sent during business hours, or on the next business day if sent outside business hours.

10.10 Language

This DPA is drafted in English. Any translation is provided for convenience only, and the English version controls in case of conflict.

10.11 Assignment

Customer may not assign or transfer this DPA without the Company's prior written consent. The Company may assign this DPA in connection with a merger, acquisition, or sale of assets upon notice to Customer.

11. Contact Information

For questions, concerns, or notices regarding this DPA, please contact:

Phaethon Order LLC
Data Protection Officer: support@phaethon.llc
Subject Line: DPA Inquiry
Website: https://phaethonorder.com

Annex A: Details of Processing

Subject Matter of Processing

Provision of the Patent Scout service, including patent search, trend analysis, whitespace identification, alert delivery, data export, and customer support.

Duration of Processing

For the term of the Terms of Service plus any retention periods required by applicable law (up to 7 years for financial records).

Nature and Purpose of Processing

The Company Processes Personal Data to:

  • Create and manage user accounts;
  • Authenticate users and control access;
  • Provide search, analysis, and alert features;
  • Process payments and manage subscriptions;
  • Deliver customer support;
  • Improve the Service and develop new features;
  • Comply with legal obligations;
  • Detect and prevent fraud and security threats;
  • Send transactional and service-related communications.

Types of Personal Data

The Company Processes the following categories of Personal Data:

  • Identity Data: Full name, username, organization/company name;
  • Contact Data: Email address, business address;
  • Account Data: Account credentials, account settings, preferences;
  • Financial Data: Billing address, payment method details (processed by Stripe);
  • Transaction Data: Purchase history, subscription status, invoices;
  • Usage Data: Search queries, alerts configured, data viewed, features used, session data;
  • Technical Data: IP address, browser type, device information, cookies;
  • Communication Data: Support messages, feedback submissions;
  • User-Generated Content: Saved searches, notes, annotations (if enabled).

Note: Publicly available patent data (titles, abstracts, claims, inventor names from government databases) is NOT considered Personal Data of Customer's Data Subjects.

Categories of Data Subjects

Personal Data relates to the following Data Subjects:

  • Customer's employees;
  • Customer's contractors and consultants;
  • Customer's agents and representatives;
  • Authorized Users of Customer's account;
  • Prospective users (during trial or evaluation periods).

Special Categories of Data

The Company does NOT Process special categories of Personal Data (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, genetic data) under this DPA.

Annex B: Technical and Organizational Security Measures

The Company implements and maintains the following technical and organizational measures to protect Personal Data:

1. Access Control

  • Multi-factor authentication (MFA) for user accounts;
  • Role-based access control (RBAC) for internal systems;
  • Least privilege principle for employee and system access;
  • Regular access reviews and deprovisioning of terminated users;
  • Unique user credentials for all personnel;
  • Secure password policies (complexity, rotation).

2. Encryption

  • In Transit: TLS 1.2 or higher for all data transmission;
  • At Rest: AES-256 encryption for database storage (via Neon.tech);
  • Secure key management practices;
  • Encrypted backups;
  • Encryption of payment data (handled by Stripe, PCI DSS compliant).

3. Network Security

  • Firewalls and intrusion detection/prevention systems (IDS/IPS);
  • Network segmentation and isolation;
  • DDoS protection (via Vercel and CDN);
  • Virtual Private Cloud (VPC) architecture;
  • Regular network vulnerability scans;
  • Secure APIs with rate limiting and authentication.

4. Application Security

  • Secure coding practices and code reviews;
  • Input validation and output encoding to prevent injection attacks;
  • Protection against OWASP Top 10 vulnerabilities;
  • Regular security testing (static and dynamic analysis);
  • Dependency scanning and patch management;
  • Session management and timeout controls;
  • CSRF and XSS protection.

5. Logging and Monitoring

  • Centralized logging of access to Personal Data;
  • Real-time monitoring and alerting for security events;
  • Audit trails for data access and modifications;
  • Log retention for security investigation (180 days minimum);
  • Security Information and Event Management (SIEM) capabilities;
  • Automated anomaly detection.

6. Incident Response

  • Documented incident response plan and procedures;
  • Designated incident response team;
  • Breach notification procedures as required by Section 4.3;
  • Regular incident response drills and testing;
  • Post-incident analysis and remediation;
  • Communication protocols for customers and authorities.

7. Physical Security

  • Data centers operated by certified providers (Vercel, Neon.tech);
  • 24/7 physical security and access control;
  • Environmental controls (fire suppression, HVAC, power redundancy);
  • Video surveillance and alarm systems;
  • Visitor logging and escort requirements;
  • Secure destruction of physical media containing Personal Data.

8. Personnel Security

  • Background checks for employees with access to Personal Data (where legally permitted);
  • Confidentiality and non-disclosure agreements;
  • Regular security awareness training;
  • Data protection training for relevant personnel;
  • Clear roles and responsibilities for data protection;
  • Secure offboarding procedures (credential revocation, device return).

9. Backup and Recovery

  • Regular automated backups of Personal Data;
  • Encrypted backup storage;
  • Geographically redundant backup locations;
  • Documented disaster recovery and business continuity plans;
  • Regular testing of backup restoration procedures;
  • Recovery Time Objective (RTO): 24 hours;
  • Recovery Point Objective (RPO): 4 hours.

10. Vendor Management

  • Due diligence on Sub-processors before engagement;
  • Contractual data protection obligations for all Sub-processors;
  • Regular assessment of Sub-processor security practices;
  • Requirement for Sub-processors to maintain certifications (SOC 2, ISO 27001, etc.);
  • Right to audit Sub-processors (directly or via third-party auditors).

11. Testing and Assessment

  • Annual third-party security audits (SOC 2 Type II);
  • Quarterly vulnerability assessments;
  • Annual penetration testing;
  • Regular security reviews of code and infrastructure;
  • Compliance assessments against Data Protection Laws;
  • Continuous security monitoring and improvement.

12. Data Minimization and Retention

  • Collection of only necessary Personal Data;
  • Defined retention periods for each data category;
  • Automated data deletion processes;
  • Secure data disposal methods (overwriting, shredding);
  • Regular data retention audits;
  • Pseudonymization of data where feasible for analytics.

13. Certifications and Compliance

The Company and/or its Sub-processors maintain the following certifications and comply with industry standards:

  • SOC 2 Type II (System and Organization Controls);
  • ISO 27001 (Information Security Management);
  • PCI DSS (Payment Card Industry Data Security Standard - via Stripe);
  • GDPR compliance framework;
  • CCPA/CPRA compliance framework;
  • OWASP Top 10 security controls.

Note: The Company reviews and updates these security measures regularly to address evolving threats and maintain compliance with Data Protection Laws. Specific implementations may vary based on risk assessments and technological advancements.

Annex C: List of Authorized Sub-processors

The Company currently engages the following Authorized Sub-processors to Process Personal Data on behalf of Customer:

| Sub-processor | Service Provided | Location | Website / Privacy Policy |
|---|---|---|---|
| Vercel Inc. | Web hosting, application deployment, CDN | United States | Privacy Policy |
| Neon Tech Inc. | PostgreSQL database hosting, data storage | United States | Privacy Policy |
| Auth0 Inc. (Okta) | Identity and access management, authentication | United States | Privacy Policy |
| Stripe Inc. | Payment processing, subscription billing | United States | Privacy Policy |
| Mailgun Technologies Inc. | Transactional email delivery, alert notifications | United States | Privacy Policy |
| OpenAI L.L.C. | Text embeddings for semantic search (patent text only, no user data) | United States | Privacy Policy |
| Google LLC | Analytics (Google Analytics), patent data source (BigQuery) | United States | Privacy Policy |

Note on third-party API access: The Company sends patent and publication text (titles, abstracts, claims) to a third-party API for embedding generation to enable semantic search functionality. No Personal Data of Customer's Data Subjects is sent to the API. Patent data sent to the API consists of publicly available government records and does not contain user queries, account information, or other Personal Data.

Updates to Sub-processor List: This list may be updated from time to time in accordance with Section 6.3 of the DPA. Customer will receive 30 days' advance notice of any additions or changes. The current list is always available at this URL.

Last Updated: October 17, 2025

Annex D: Standard Contractual Clauses

For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States or other countries without an adequacy decision, the parties agree to be bound by the following Standard Contractual Clauses (SCCs):

1. EU Standard Contractual Clauses (SCCs)

The parties agree to comply with the Standard Contractual Clauses for the transfer of personal data to processors established in third countries adopted by the European Commission pursuant to:

  • Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;
  • Module Two (Controller to Processor) applies to transfers where Customer is the data controller and Company is the data processor;
  • The SCCs are incorporated by reference and form an integral part of this DPA.

Access to SCCs: The full text of the EU SCCs is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

2. UK Standard Contractual Clauses

For transfers of Personal Data from the United Kingdom, the parties agree to comply with the UK's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable, issued by the UK Information Commissioner's Office.

Access to UK IDTA/Addendum: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/

3. Swiss Standard Contractual Clauses

For transfers of Personal Data from Switzerland, the parties agree to comply with the Swiss Federal Data Protection and Information Commissioner's (FDPIC) approved standard contractual clauses or equivalent mechanisms as required by the Swiss Federal Act on Data Protection (FADP).

Access to Swiss SCCs: https://www.edoeb.admin.ch/

4. Completing the SCCs

For the purposes of the Standard Contractual Clauses:

  • Data Exporter: Customer (as the data controller);
  • Data Importer: Phaethon Order LLC (as the data processor);
  • Module Two (Controller to Processor) applies;
  • Clause 7 (Docking Clause): Optional clause is available but not mandatory;
  • Clause 9(a) (Option 2): General written authorization for sub-processors with notification mechanism as described in Section 6 of this DPA;
  • Clause 11(a) (Redress): Independent dispute resolution body: Customer may contact a Supervisory Authority;
  • Clause 17 (Governing Law): The law of an EU Member State where Customer is established (if applicable) or Ireland;
  • Clause 18 (Choice of forum and jurisdiction): Courts of an EU Member State where Customer is established (if applicable) or Ireland;
  • Annex I (Transfer Details): As described in Annex A of this DPA;
  • Annex II (Technical and Organizational Measures): As described in Annex B of this DPA;
  • Annex III (Sub-processors): As described in Annex C of this DPA.

5. Supplementary Measures

In accordance with the Schrems II decision (Case C-311/18) and subsequent guidance from the European Data Protection Board (EDPB), the Company implements the following supplementary measures to ensure adequate protection for transfers to the United States:

  • Encryption: Personal Data is encrypted in transit (TLS 1.2+) and at rest (AES-256);
  • Access Controls: Strict role-based access controls limit who can access Personal Data;
  • Minimization: Only necessary Personal Data is transferred and processed;
  • Pseudonymization: Where feasible, data is pseudonymized for analytics;
  • Contractual Safeguards: Sub-processors are contractually bound to similar data protection standards;
  • Transparency: The Company commits to transparency regarding government data requests;
  • Challenge Mechanism: The Company will challenge disproportionate or unlawful government requests where legally possible;
  • Monitoring and Audits: Regular security audits and compliance assessments;
  • Incident Response: Robust breach notification procedures as described in Section 4.3;
  • Data Localization Options: Upon request and subject to feasibility and additional fees, Customer may request data to be stored in EEA-based data centers (where available).

6. Transfer Impact Assessment

Customer is responsible for conducting a Transfer Impact Assessment (TIA) to determine whether the safeguards provided by the SCCs and supplementary measures offer adequate protection for the specific data transfer. The Company will provide reasonable assistance and documentation to support Customer's TIA upon request.

7. Government Access Requests

The Company commits to:

  • Notifying Customer of any government or law enforcement requests for Customer's Personal Data, unless legally prohibited;
  • Challenging disproportionate, overbroad, or unlawful requests where feasible;
  • Disclosing only the minimum Personal Data necessary to comply with legally binding requests;
  • Documenting all requests and responses;
  • Publishing an annual transparency report summarizing requests received (in aggregated, anonymized form).

Note: The Company has never received a National Security Letter, FISA order, or any other classified government request for Customer data as of the date of this DPA. This statement will be updated if circumstances change and disclosure is legally permissible.

Last Updated: October 17, 2025

Acknowledgment and Acceptance

BY USING THE SERVICE, CUSTOMER ACKNOWLEDGES THAT IT HAS READ, UNDERSTOOD, AND AGREES TO BE BOUND BY THIS DATA PROCESSING AGREEMENT, INCLUDING ALL ANNEXES.

This DPA is effective as of the date Customer first accesses or uses the Service, or the date Customer executes the Terms of Service, whichever is earlier.

IF CUSTOMER DOES NOT AGREE TO THIS DPA, CUSTOMER MUST NOT ACCESS OR USE THE SERVICE.