Disclaimer. This template is for use under attorney supervision. The General Counsel is the policy owner; do not modify the template language without GC approval. Any negotiated deviations must be redlined, version-controlled, and tracked against the executed Master Agreement.
How to use this template. This DPA is offered to customers who Process Personal Data through Neuroscale’s services. Generate a customer-specific copy by replacing the variables listed at the bottom of this page. The DPA must be executed alongside or as an attachment to the Master Services Agreement (MSA). Cross-reference the Vendor Risk Assessment Procedure, the Customer Data Export Procedure, and the Data Subject Rights Procedure for the operational obligations this DPA imposes on Neuroscale. Sub-processor disclosures must be kept in sync with the public Subprocessor List.

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) is entered into as of {{effective_date}} (the “Effective Date”) by and between:
  • NEUROSCALE LLC, a Virginia limited liability company with offices in the United States (“Neuroscale” or “Processor”); and
  • {{customer_name}}, with offices at {{customer_address}} (“Customer” or “Controller”).
Neuroscale and Customer are each a “Party” and together the “Parties.” This DPA forms part of, and is subject to, the {{master_agreement_reference}} (the “Agreement”) between the Parties. In the event of a conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA shall control.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement or, if not defined therein, in Applicable Data Protection Laws.

a. “Applicable Data Protection Laws” means all laws and regulations applicable to a Party’s Processing of Personal Data under the Agreement, including, where applicable: (i) Regulation (EU) 2016/679 (“GDPR”); (ii) the GDPR as incorporated into United Kingdom law (“UK GDPR”) and the UK Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection (“FADP”); (iv) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA”); and (v) the comprehensive consumer privacy laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, Indiana, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Rhode Island, and any other US state privacy laws in force during the term.
b. “Authorized Affiliate” means any of Customer’s Affiliate(s) which (i) is subject to Applicable Data Protection Laws and (ii) is permitted to use the services pursuant to the Agreement, but has not signed its own order form with Neuroscale.
c. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
d. “EU SCCs” means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
e. “Personal Data” means any information relating to an identified or identifiable natural person that is Processed by Neuroscale on behalf of Customer in connection with the Agreement, and includes “personal information” and “personal data” as defined in Applicable Data Protection Laws.
f. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Neuroscale or any Sub-processor.
g. “Processing” (and its variants “Process” and “Processed”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, restriction, erasure, or destruction.
h. “Standard Contractual Clauses” or “SCCs” means, collectively, the EU SCCs and the UK Addendum (each as defined herein), as applicable to a given international transfer.
i. “Sub-processor” means any third party (including any Neuroscale Affiliate) engaged by Neuroscale to Process Personal Data on Customer’s behalf in connection with the Agreement.
j. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, version B1.0 (or any successor version).

2. Subject Matter, Duration, Nature, and Purpose

a. Subject matter. Neuroscale’s Processing of Personal Data on Customer’s behalf in order to provide the services described in the Agreement.
b. Duration. The term of the Agreement, plus any retention period required to comply with Applicable Data Protection Laws or as set forth in Section 11 below.
c. Nature and purpose; types of Personal Data; categories of Data Subjects. As described in Schedule 1 (Description of Processing), completed by Customer.

3. Roles of the Parties

a. The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller (or, where Customer is itself a processor, the processor acting on behalf of a third-party controller), Neuroscale is the Processor, and Neuroscale will engage Sub-processors pursuant to Section 6 below. Without limiting the foregoing, Customer is the sole Controller of Candidate data and all Personal Data of Candidates (whether currently active applicants, prospective candidates, or other natural persons whose data Customer submits to the services), and Customer alone is responsible for: (i) determining a lawful basis for Processing under Applicable Data Protection Laws (including GDPR Art. 6 and, where applicable, Art. 9); (ii) providing all required notices to Data Subjects (including, where applicable, the indirect-collection notice under GDPR Art. 14, the AEDT notice under NYC Local Law 144, the disclosures required under the Illinois AI Video Interview Act, Illinois HB 3773, the Colorado AI Act §6-1-1703(4), the California Automated Decision-Making Technology pre-use notice, the Utah AI Policy Act material-use disclosure, and any analogous law); (iii) obtaining Data-Subject consent where required; (iv) honoring Data-Subject-rights requests under GDPR Arts. 12–22, the CCPA/CPRA, and analogous state laws; and (v) ensuring that Customer’s authority extends to the deidentification-and-training Processing instructed under Section 4 of this DPA. Neuroscale’s role with respect to Candidate data and other Customer-submitted Personal Data is solely as Processor acting on Customer’s documented instructions, including with respect to the deidentification step that produces Deidentified Data.
b. CCPA/CPRA. With respect to Personal Data subject to the CCPA, Neuroscale is a “service provider” or “contractor” (as those terms are defined in the CCPA) and shall not: (i) Sell or Share Personal Data; (ii) retain, use, or disclose Personal Data outside of the direct business relationship with Customer or for any purpose other than the business purposes specified in the Agreement; (iii) combine Personal Data received from Customer with personal information received from any other source, except as permitted by 11 CCR §7050(b); or (iv) retain, use, or disclose Personal Data for a Commercial Purpose other than providing the services. Neuroscale certifies that it understands and will comply with these restrictions.

4. Customer Instructions

a. Neuroscale shall Process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by Union, Member State, US federal, or US state law to which Neuroscale is subject. The Agreement (including the order form, this DPA, the Terms of Service, and Customer’s use of the services consistent with their documentation) constitutes Customer’s complete and final instructions to Neuroscale in relation to the Processing of Personal Data, including instructions to (i) Process Customer Content (and any Personal Data therein) through Neuroscale’s Deidentification Standard published in the AI Acceptable Use Policy for the purpose of generating Deidentified Data, and (ii) use the resulting Deidentified Data to train, fine-tune, evaluate, and improve Neuroscale’s own AI models in accordance with Section 7 of the Terms of Service. Once Customer Content has been transformed into Deidentified Data in accordance with the Deidentification Standard, the Deidentified Data is no longer Personal Data within the meaning of this DPA and is outside its scope; the upstream Processing required to generate the Deidentified Data remains within scope. Neuroscale shall not provide Customer Content or Deidentified Data to any third party for the purpose of training that third party’s AI models, and shall not attempt to reidentify any individual from Deidentified Data.
b. Where Neuroscale is required by law to Process Personal Data outside the scope of Customer’s instructions, Neuroscale shall, to the extent legally permitted, inform Customer of that legal requirement before Processing.
c. Neuroscale shall promptly inform Customer if, in Neuroscale’s opinion, an instruction from Customer infringes Applicable Data Protection Laws.

5. Confidentiality of Personnel

Neuroscale shall ensure that personnel authorized to Process Personal Data have committed themselves to confidentiality (whether by contractual obligation or statutory duty), are trained on data protection requirements at least annually, and have access to Personal Data only on a need-to-know basis consistent with the principle of least privilege.

6. Sub-processing

a. General authorization. Customer provides general written authorization for Neuroscale to engage Sub-processors to Process Personal Data, subject to this Section 6 and to the safeguards set out in Annex III / Schedule 3. The current list of Sub-processors is published at the Subprocessor List.
b. Notice and objection right. Neuroscale shall notify Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance (or such shorter period as is reasonable in the case of urgent operational or security needs), by updating the Subprocessor List and providing email notice to the Customer’s designated contact, thereby giving Customer the opportunity to object on reasonable, documented data-protection grounds. If Customer objects within fifteen (15) days of notice and the Parties cannot agree on a resolution, Customer may, as its sole and exclusive remedy, terminate the affected services on written notice and receive a pro-rata refund of pre-paid fees.
c. Flow-down obligations. Neuroscale shall enter into a written contract with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA. Neuroscale remains liable to Customer for the acts and omissions of its Sub-processors to the same extent as for its own acts and omissions.

7. Data Subject Rights Assistance

a. Taking into account the nature of the Processing, Neuroscale shall assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligation to respond to requests for exercising Data Subject rights, including rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.
b. If Neuroscale receives a request directly from a Data Subject relating to Personal Data Processed under the Agreement, Neuroscale shall, without undue delay, redirect the Data Subject to Customer (and notify Customer of the request) unless legally required to respond directly. Operational handling is described in the Data Subject Rights Procedure.

8. Security Measures

Neuroscale shall implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including the measures described in Schedule 2 / Annex II (Technical and Organizational Measures), the current version of which is published in Neuroscale’s Trust Center at https://www.neuroscale.ai/trust. Neuroscale may update these measures from time to time, provided that any update does not materially diminish the overall level of protection.

9. Personal Data Breach Notification

a. Neuroscale shall notify Customer without undue delay, and in any event no later than seventy-two (72) hours after Neuroscale’s confirmation of a Personal Data Breach affecting Customer Personal Data. Such notice shall, to the extent then known, include:
   i. a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
   ii. the likely consequences of the Personal Data Breach;
   iii. the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and
   iv. the name and contact details of Neuroscale’s data protection point of contact (privacy@neuroscale.ai).
b. Neuroscale’s notification of, or response to, a Personal Data Breach under this Section shall not be construed as an acknowledgment by Neuroscale of any fault or liability with respect to the Personal Data Breach.

10. Data Protection Impact Assessments and Prior Consultation

Neuroscale shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities that Customer is required to carry out under Applicable Data Protection Laws, in each case solely in relation to the Processing of Personal Data by Neuroscale and taking into account the nature of the Processing and the information available to Neuroscale.

11. Return or Deletion of Personal Data

a. Upon termination or expiration of the Agreement, Neuroscale shall, at Customer’s election, return or delete all Personal Data Processed on Customer’s behalf in accordance with the Customer Data Export Procedure, unless Union, Member State, US federal, or US state law requires further storage.
b. Customer may export its Personal Data using the self-service export functionality of the services at any time during the term and for thirty (30) days following termination, after which Neuroscale shall delete the Personal Data from production systems within sixty (60) days, and from backup systems on the next regularly scheduled backup-rotation cycle, in each case unless legally required to retain.

12. Audit Rights

a. Neuroscale shall make available to Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR and analogous obligations under Applicable Data Protection Laws.
b. Audit reports. Neuroscale’s compliance program is assessed by independent third parties under the AICPA SOC 2 framework and is being aligned to ISO/IEC 27001:2022. The current status of each engagement (including the SOC 2 Type I observation date and the SOC 2 Type II audit window) is published in Neuroscale’s Trust Center at https://www.neuroscale.ai/trust. Upon Customer’s reasonable written request, Neuroscale shall provide a copy of its then-most-recent third-party audit report (or, in advance of the issuance of any such report, the corresponding readiness or interim assessment that is then available) under a non-disclosure agreement, and the Parties agree that such report or assessment satisfies Customer’s audit rights in lieu of an on-site audit, except where: (i) required by a supervisory authority; (ii) the report does not reasonably address Customer’s concerns; or (iii) a Personal Data Breach has occurred. Neuroscale will use commercially reasonable efforts to maintain SOC 2 Type II coverage on a continuous basis once first issued.
c. Where an on-site audit is permitted under this Section, Customer shall provide at least thirty (30) days’ prior written notice, conduct the audit during regular business hours, at Customer’s expense, no more than once per twelve (12) month period (except in the case of a Personal Data Breach), through an independent third-party auditor reasonably acceptable to Neuroscale and bound by confidentiality obligations, and in a manner that does not interfere with Neuroscale’s operations.

13. International Data Transfers

a. EU/EEA transfers. To the extent that Neuroscale’s Processing of Personal Data involves transfers from the European Economic Area to a third country not subject to an adequacy decision, the Parties hereby incorporate by reference the EU SCCs, with Module Two (Controller to Processor) applying where Customer is a controller, or Module Three (Processor to Processor) applying where Customer is itself a processor. The Parties agree:
   i. Clause 7 (Docking clause) shall apply;
   ii. Clause 9(a), Option 2 (general written authorization) shall apply, with the time period set in Section 6(b) of this DPA;
   iii. Clause 11(a) optional language shall not apply;
   iv. Clause 17, Option 1 shall apply; the Parties agree the governing law is the law of Ireland;
   v. Clause 18(b) — the courts of Ireland shall have jurisdiction;
   vi. Annex I, II, and III are completed in Schedule 1, Schedule 2, and Schedule 3 to this DPA.
b. UK transfers. To the extent Neuroscale’s Processing involves transfers from the United Kingdom, the UK Addendum is incorporated by reference and applies in conjunction with the EU SCCs as described therein. Tables 1–4 of the UK Addendum are completed by reference to the corresponding sections of this DPA and its Schedules; the Parties select Option 1 (neither Party may end the UK Addendum unilaterally on changes to the Approved Addendum).
c. Swiss transfers. The EU SCCs apply with the following modifications: (i) references to “GDPR” shall be interpreted as references to the FADP where applicable; (ii) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; (iii) “Member State” shall not be interpreted to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence.
d. EU-US, UK-US, and Swiss-US Data Privacy Framework. Where Neuroscale is certified under the EU-US, UK Extension, and Swiss-US Data Privacy Frameworks (“DPF”), Neuroscale may rely on the DPF as a transfer mechanism for transfers to the United States. The current status of Neuroscale’s DPF certification is published in the Trust Center.

14. Liability

Each Party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement. Any reference in such limitations and exclusions to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Agreement and this DPA together. Notwithstanding the foregoing, the limitations and exclusions in the Agreement shall not apply to the extent prohibited by Applicable Data Protection Laws (including Clause 12 of the EU SCCs in respect of Data Subject claims).

15. Authorized Affiliates

a. Contractual relationship. The Parties acknowledge and agree that, by executing the Agreement, Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Neuroscale and each such Authorized Affiliate, subject to the Agreement and this DPA.
b. Communications. Customer shall remain responsible for coordinating all communications with Neuroscale under this DPA on behalf of its Authorized Affiliates, and shall be entitled to make and receive any communications related to this DPA on behalf of such Authorized Affiliates.

16. Order of Precedence

In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) the EU SCCs and UK Addendum (where applicable to a given international transfer); (2) this DPA, including its Schedules and Annexes; (3) the Agreement; and (4) any other documents incorporated by reference.

17. General

a. Severability. If any provision of this DPA is held invalid or unenforceable, the remainder of this DPA shall continue in full force and effect.
b. Modifications. Neuroscale may update this DPA where required to comply with changes in Applicable Data Protection Laws, the EU SCCs, or the UK Addendum, on thirty (30) days’ written notice; provided, that no such update shall materially diminish the overall level of protection afforded to Personal Data.
c. Term and termination. This DPA shall continue for so long as Neuroscale Processes Personal Data on Customer’s behalf, notwithstanding termination of the Agreement.

Schedule 1 — Description of Processing (Annex I to the EU SCCs)

Customer to complete; Neuroscale to confirm.

A. List of Parties

 | Data Exporter (Controller) | Data Importer (Processor)
Name | {{customer_name}} | NEUROSCALE LLC
Address | {{customer_address}} | 46175 Westlake Dr Ste 300, Sterling, VA 20165
Contact name, position, contact details | {{customer_signatory}} | Privacy Team, privacy@neuroscale.ai
Activities relevant to the data transferred | Use of the Neuroscale services as described in the Agreement | Provision of the Neuroscale services as described in the Agreement
Signature and date | See signature block | See signature block
Role | Controller (or Processor, as applicable) | Processor
B. Description of Transfer

Item | Description
Categories of Data Subjects | Customer’s end users; Customer’s employees, contractors, and authorized agents; prospective customers and counterparties of Customer; and any other natural persons whose Personal Data Customer submits to the services.
Categories of Personal Data | Identifiers (name, email, account ID); business contact data (job title, employer, phone); authentication credentials (password hashes, MFA factors, session tokens); content submitted to the services by Customer (text, files, prompts, model inputs and outputs); usage and telemetry data (audit logs, IP addresses, device identifiers); communications metadata. The specific categories within these classes are determined by Customer’s configuration and use of the services.
Sensitive data (if any) | None by default. Neuroscale does not solicit special-category data under GDPR Art. 9 or sensitive personal information under CCPA §1798.140(ae). Customer is responsible for not submitting such data unless a specific written addendum is in place describing it; Neuroscale does not currently process Protected Health Information and does not act as a HIPAA Business Associate.
Frequency of transfer | Continuous, for the duration of the Agreement
Nature of Processing | Hosting, storage, transmission, retrieval, processing, and other operations necessary to provide the services, together with the deidentification of Customer Content under Neuroscale’s Deidentification Standard and the use of the resulting Deidentified Data to train, fine-tune, evaluate, and improve Neuroscale’s own AI models pursuant to Section 7 of the Terms of Service. All Customer Content destined for training-related purposes is deidentified before admission to a training corpus, regardless of subscription tier.
Purpose of Processing | (i) Provision and support of the services described in the Agreement; and (ii) the deidentification of Customer Content into Deidentified Data and the use of that Deidentified Data to train, fine-tune, evaluate, and improve Neuroscale’s own AI models, in each case as further described in the Terms of Service. Neither Customer Content nor Deidentified Data is provided to any third party for the purpose of training that third party’s AI models. Once Customer Content is transformed into Deidentified Data in accordance with the Deidentification Standard, the Deidentified Data is no longer Personal Data within the meaning of this DPA and is outside its scope.
Retention period | For the duration of the Agreement and as set out in Section 11
Sub-processor transfers | As described in Schedule 3 / Annex III
C. Competent Supervisory Authority

The competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs (typically the supervisory authority of the EU/EEA Member State in which Customer’s EU representative is established, or, where Customer is established in the EU/EEA, the supervisory authority of that Member State). For UK transfers: the UK Information Commissioner’s Office. For Swiss transfers: the Swiss Federal Data Protection and Information Commissioner.

Schedule 2 — Technical and Organizational Measures (Annex II to the EU SCCs)

The current version of Neuroscale’s Technical and Organizational Measures (“TOMs”) is maintained in Neuroscale’s Trust Center at https://www.neuroscale.ai/trust and is incorporated into this DPA by reference. The TOMs cover, at minimum, the following measure categories required by Annex II of the EU SCCs:

a. Pseudonymization and encryption of Personal Data (encryption in transit using TLS 1.2+; application-layer envelope encryption via HashiCorp Vault Transit (Neuroscale-managed keys held in Neuroscale’s self-hosted Vault cluster) for Confidential Personal Data on either cloud, with cloud-native at-rest encryption from each provider — AWS KMS-managed encryption for AWS-resident EBS / RDS / S3 / DynamoDB, and Vultr platform-managed encryption for Vultr Block Storage / Object Storage — as an additional layer beneath the application-layer wrap).
b. Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
c. Measures for ensuring the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident.
d. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures, including independent third-party assessment under the AICPA SOC 2 framework (see Section 12 and the Trust Center for the current engagement status) and ongoing alignment to ISO/IEC 27001:2022.
e. Measures for user identification and authorization (Rippling, MFA enforcement, role-based access control, quarterly access reviews).
f. Measures for the protection of data during transmission and during storage.
g. Measures for ensuring physical security of locations at which Personal Data are processed (AWS and Vultr data center physical controls — each provider attested via SOC 2 / ISO 27001 — and Rippling-managed endpoints with full-disk encryption and EDR).
h. Measures for ensuring events logging (Better Stack and CloudWatch logging, with log review per the Operations Security Policy).
i. Measures for ensuring system configuration, including default configuration (configuration hardening per Engineering documentation).
j. Measures for internal IT and IT security governance and management (information security program governed by NEUROSCALE LLC’s Information Security Policy, ISO/IEC 27001:2022-aligned ISMS).
k. Measures for certification/assurance of processes and products (independent SOC 2 audit per Section 12; alignment to ISO/IEC 27001:2022 with the current engagement status published in the Trust Center).
l. Measures for ensuring data minimization, data quality, limited data retention, accountability, and allowing data portability and erasure.
m. Measures to be taken by Sub-processors to be able to provide assistance to the controller.

Schedule 3 — Sub-processors (Annex III to the EU SCCs)

The current list of Sub-processors authorized to Process Customer Personal Data is published at the Subprocessor List and is incorporated by reference. The Subprocessor List sets out, for each Sub-processor: (i) name and address; (ii) contact person’s name, position, and contact details; (iii) description of processing (including a clear delimitation of responsibilities in case of multiple sub-processors); and (iv) for transfers, the basis of transfer pursuant to Chapter V of the GDPR.

Signature Block

Each Party warrants that the individual signing below has the authority to bind that Party to this DPA.

NEUROSCALE LLC
By: _________________________
Name: General Counsel (signing on behalf of NEUROSCALE LLC under the standing engagement letter with VGC LLP; current engagement principal: Brandt Mori)
Title: General Counsel
Date: ____________________

{{customer_name}}
By: _________________________
Name: {{customer_signatory}}
Title: ____________________
Date: ____________________

Variables

Variable | Description
{{customer_name}} | Legal name of the Customer entity
{{customer_address}} | Customer’s registered or notice address
{{customer_signatory}} | Full name and title of the individual signing on behalf of Customer
{{effective_date}} | DPA effective date — typically the latest signature date or the MSA effective date
{{master_agreement_reference}} | Citation to the underlying contract (e.g., “Master Services Agreement dated [date],” “Order Form #1234”)

Cross-References

Version history

Version | Date | Description | Author | Approved by
1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani