Data Processing Agreement

Our commitment to GDPR compliance and secure data handling

Last Updated: November 24, 2025

Core Data Protection Principles

Military-Grade Encryption

AES-256 encryption at rest, TLS 1.3 in transit

Data Sovereignty

Client data stored in specified jurisdictions only

GDPR Compliant

Full compliance with EU data protection regulations

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"), the following definitions apply:

  • "Controller" means the Client who determines the purposes and means of processing Personal Data.
  • "Processor" means Askbuc, Inc., processing Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Sub-processor" means any third party engaged by Askbuc to process Personal Data on behalf of the Controller.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.

2. Scope and Applicability

This DPA applies to all processing of Personal Data by Askbuc on behalf of the Client in connection with enterprise IT infrastructure, data platforms, AI datacenters, communications systems, and related services. This DPA supplements and forms an integral part of the Master Services Agreement between the parties.

All processing activities are conducted under strict Non-Disclosure Agreements (NDAs) with additional security measures for classified or sensitive government and enterprise data.

3. Data Processing Obligations

3.1 Processing Instructions

Askbuc shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries or international organizations, unless required to do so by applicable law. In such cases, Askbuc shall inform the Controller of that legal requirement before processing, unless prohibited by law.

3.2 Confidentiality

Askbuc ensures that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All engagements are conducted under strict NDA with security clearances where required.

3.3 Security Measures

Askbuc implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Pseudonymization and encryption of Personal Data (AES-256-GCM)
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems (99.999% uptime SLA)
  • Ability to restore availability and access to Personal Data in a timely manner (15-minute RPO, 1-hour RTO)
  • Regular testing, assessment, and evaluation of security effectiveness (SOC 2 Type II certified)
  • Zero-trust architecture with micro-segmentation and identity-based access controls
  • Physical security with biometric access, 24/7 surveillance, and armed security personnel
  • Network security with next-generation firewalls, deep packet inspection, and advanced threat prevention

4. Sub-processors

4.1 Authorization

The Controller provides general authorization for Askbuc to engage Sub-processors. Askbuc shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within 30 days.

4.2 Sub-processor Obligations

Where Askbuc engages a Sub-processor, Askbuc shall impose the same data protection obligations as set out in this DPA on that Sub-processor by way of a contract. Askbuc remains fully liable to the Controller for the performance of the Sub-processor's obligations.

5. Data Subject Rights

Askbuc shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure ("right to be forgotten") (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

Askbuc shall assist the Controller in responding to such requests within the timeframes required by GDPR.

6. Data Breach Notification

In the event of a Personal Data breach, Askbuc shall:

  • Notify the Controller without undue delay and, where feasible, within 24 hours of becoming aware of the breach
  • Provide sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the breach under GDPR
  • Cooperate with the Controller and take reasonable commercial steps to remediate the breach
  • Document all Personal Data breaches, including facts, effects, and remedial action taken

7. Data Protection Impact Assessment

Askbuc shall provide reasonable assistance to the Controller in ensuring compliance with the Controller's obligations to conduct Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required under Articles 35 and 36 of GDPR.

8. Deletion or Return of Data

Upon termination of services, Askbuc shall, at the Controller's choice:

  • Delete all Personal Data and existing copies (using DoD 5220.22-M or NIST 800-88 standards), or
  • Return all Personal Data to the Controller in a commonly used, machine-readable format

Askbuc may retain Personal Data to the extent required by applicable law, provided that Askbuc ensures the confidentiality of all such Personal Data and only processes it as required by law.

9. Audit Rights

Askbuc shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Askbuc maintains SOC 2 Type II certification and undergoes annual third-party security audits, reports of which are available to the Controller upon request.

10. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), Askbuc shall ensure that:

  • Transfers are made to countries recognized by the European Commission as providing adequate protection, or
  • Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or
  • The Controller has provided explicit consent for the transfer, or
  • Data sovereignty requirements are met by storing data in specified jurisdictions only

For government and defense clients, Askbuc operates sovereign cloud infrastructure ensuring data never leaves specified national boundaries.

11. Liability and Indemnification

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Master Services Agreement. Askbuc shall indemnify the Controller against any claims, losses, or damages arising from Askbuc's breach of this DPA, subject to the Controller's prompt notification and reasonable cooperation.

12. Term and Termination

This DPA shall remain in effect for the duration of the Master Services Agreement or until all Personal Data has been deleted or returned in accordance with Section 8. Either party may terminate this DPA immediately upon written notice if the other party materially breaches this DPA and fails to remedy such breach within 30 days of receiving written notice.

13. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws specified in the Master Services Agreement. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts specified in the Master Services Agreement.

14. Contact Information

For questions or concerns regarding this Data Processing Agreement, please contact:

Askbuc, Inc.

Data Protection Officer

Email: [email protected]

Address: [Address provided under NDA]

All inquiries handled under strict confidentiality

This Data Processing Agreement is designed to comply with GDPR and other applicable data protection laws. For enterprise clients requiring customized DPAs, BAAs (Business Associate Agreements for HIPAA compliance), or jurisdiction-specific data processing terms, please contact our legal team. All engagements are conducted under strict NDA with additional security measures for classified projects.
