Data Processing Agreement
Last updated:
Attorney Review Required: This DPA is an AI-generated v1 document. It must be reviewed by qualified counsel before execution with enterprise customers. See REVIEW_REQUIRED.md for the full list of open items.
1. Definitions
For purposes of this DPA, the following terms have the meanings set out below. Terms not defined herein have the meanings ascribed to them in the Terms of Service or the applicable data protection laws.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws, including CCPA, VCDPA, CPA, and equivalent state privacy statutes.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, or deletion.
- "Data Controller" means the Customer — the entity that determines the purposes and means of Processing Personal Data through the AI-STORMS platform.
- "Data Processor" means AI-STORMS (Right Away Group / DramWell LLC) — the entity that processes Personal Data on behalf of the Data Controller.
- "Sub-Processor" means any third party engaged by AI-STORMS to process Personal Data in connection with the Service.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of Personal Data to third countries, as adopted under Commission Implementing Decision (EU) 2021/914.
2. Processing Instructions
AI-STORMS will process Personal Data only on documented instructions from the Data Controller, unless otherwise required by applicable law. The Data Controller's instructions are set out in:
- This DPA and the Terms of Service;
- Campaign configurations, contact uploads, and workflow settings established by the Data Controller in the AI-STORMS platform; and
- Other written instructions provided by the Data Controller from time to time.
If AI-STORMS is required by applicable law to process Personal Data beyond these instructions, AI-STORMS will notify the Data Controller before such processing unless the law prohibits such notification.
The subject matter, nature, purpose, and duration of Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex A below.
Annex A — Description of Processing
3. Data Subject Rights Assistance
AI-STORMS will provide reasonable assistance to the Data Controller in responding to Data Subject rights requests under applicable law, including:
- Access requests — providing a copy of Personal Data processed by AI-STORMS on behalf of the Data Controller
- Deletion requests — permanently deleting Personal Data upon verified instruction
- Correction requests — updating inaccurate Personal Data
- Portability requests — exporting Personal Data in a machine-readable format
- Opt-out processing — honoring Data Subject opt-outs from AI voice calls, SMS, and email
The Data Controller is responsible for determining the validity of Data Subject requests and instructing AI-STORMS accordingly. AI-STORMS will not independently honor Data Subject requests without authorization from the Data Controller, except where legally required to do so.
4. Technical & Organizational Measures
AI-STORMS implements and maintains technical and organizational security measures appropriate to the risk, including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Role-based access controls applying the principle of least privilege
- Multi-factor authentication for administrative access
- Regular penetration testing and security reviews
- Background checks for employees with access to Personal Data
- Incident response procedures compliant with applicable breach notification laws
- SOC 2 Type I in progress — target completion Q4 2026
A detailed description of current technical and organizational measures is available upon request at hello@ai-storms.com. AI-STORMS reserves the right to update these measures as technology and best practices evolve, provided that updates do not materially reduce the overall level of protection.
5. Subprocessors
The Data Controller hereby grants general authorization to AI-STORMS to engage Sub-Processors for the delivery of the Service, subject to the conditions in this section. AI-STORMS will:
- Enter into a written agreement with each Sub-Processor imposing data protection obligations at least as stringent as those in this DPA;
- Remain liable to the Data Controller for the acts and omissions of Sub-Processors to the same extent as if AI-STORMS had performed the processing directly; and
- Provide notice to the Data Controller at least 30 days before adding or replacing a Sub-Processor that processes Personal Data.
The current list of approved Sub-Processors is set out in Annex B. Customers who wish to object to a new Sub-Processor may notify AI-STORMS in writing within 15 days of receiving notice. If the parties cannot resolve the objection, either party may terminate the relevant services on written notice.
Annex B — Approved Sub-Processors
Current as of April 2026. Updates will be communicated per the notice procedure above.
6. International Data Transfers
AI-STORMS processes Personal Data primarily in the United States. Where AI-STORMS transfers Personal Data to countries that do not provide an adequate level of data protection under applicable law, AI-STORMS will ensure appropriate safeguards are in place, which may include:
- Standard Contractual Clauses (SCCs) as adopted under EU Commission Implementing Decision (EU) 2021/914 — applicable to transfers involving EU or UK residents; and
- The UK International Data Transfer Agreement (UK IDTA) for transfers from the United Kingdom.
7. Data Breach Notification
AI-STORMS will notify the Data Controller of any confirmed Personal Data breach without undue delay and, where feasible, within 48 hours of becoming aware of the breach. Breach notifications will include, to the extent known:
- The nature of the breach, including the categories and approximate number of Data Subjects and records affected;
- The likely consequences of the breach;
- The measures AI-STORMS has taken or proposes to take to address the breach; and
- Contact details for the AI-STORMS security team.
The Data Controller is responsible for determining whether to notify supervisory authorities, Data Subjects, or other parties, and for making any required notifications in compliance with applicable law. AI-STORMS will cooperate reasonably with the Data Controller in connection with any such notifications.
Security incidents should be reported to: hello@ai-storms.com with subject line "Security Incident".
8. Retention & Deletion
Upon expiration or termination of the applicable subscription, or earlier upon instruction from the Data Controller, AI-STORMS will, at the Data Controller's election:
- Delete all Personal Data within 90 days following account closure; or
- Return all Personal Data to the Data Controller in a machine-readable format before deletion.
AI-STORMS may retain copies of Personal Data where required by applicable law, provided that such retained data is stored securely and processed solely for the purpose required by law. Billing records are retained for seven years as required by applicable tax and accounting law. Anonymized or aggregated data that does not identify any individual may be retained indefinitely.
9. Audit Rights
AI-STORMS will make available to the Data Controller all information reasonably necessary to demonstrate compliance with this DPA. AI-STORMS will allow for and contribute to audits and inspections conducted by the Data Controller or an auditor mandated by the Data Controller, subject to:
- Reasonable advance notice of at least 30 days;
- Audit activities being conducted during normal business hours and in a manner that minimizes disruption to operations;
- The Data Controller bearing all costs of audits it commissions; and
- Execution of a confidentiality agreement covering information disclosed during the audit.
In lieu of a customer-conducted audit, AI-STORMS may satisfy audit obligations by providing a current third-party audit report (e.g., SOC 2 Type I or II, when available). AI-STORMS does not currently hold a SOC 2 certification; SOC 2 Type I is in progress with a target completion date of Q4 2026.
10. Liability & Indemnification
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service or the applicable MSA. Nothing in this DPA limits liability that cannot be limited under applicable data protection law.
Where a Data Subject brings a claim against AI-STORMS for damages arising from a breach of this DPA attributable to the Data Controller's instructions, the Data Controller will indemnify AI-STORMS to the extent that AI-STORMS was acting in accordance with the Data Controller's documented instructions.
11. Term & Termination
This DPA is effective from the date the Data Controller accepts the Terms of Service or executes the applicable MSA, and continues until the termination of the applicable subscription or MSA. Obligations under Sections 4, 7, 8, and 9 survive termination of this DPA.
12. Governing Law
This DPA is governed by the laws of the State of Florida, without regard to conflict of law provisions. For customers subject to EU GDPR or UK GDPR, the governing law and jurisdiction clauses of the applicable SCCs or UK IDTA will apply to the extent of any conflict.
13. Contact
For questions about this DPA, data protection requests, or to request execution of a customized DPA for enterprise customers:
AI-STORMS — Data Protection Contact
Right Away Group / DramWell LLC
St. Petersburg, FL
Email: hello@ai-storms.com
Subject line: DPA Request