Data Processing Agreement

Effective: March 14, 2026 · Version 1.0

This Data Processing Agreement ("DPA") forms part of the agreement between H33.ai, Inc. d/b/a Cachee (the "Processor") and the customer identified in the applicable service agreement (the "Controller") for the provision of Cachee services (the "Service").

This DPA is entered into pursuant to GDPR Article 28 and supplements our Terms of Service and Privacy Policy.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Service.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
• "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Protection Laws" means GDPR (Regulation 2016/679), CCPA, and any other applicable data protection legislation.
• "SCCs" means Standard Contractual Clauses as adopted by the European Commission (Decision 2021/914).

2. Scope of Processing

Detail	Description
Subject Matter	Provision of the Cachee caching, identity verification, and authentication platform
Duration	Duration of the service agreement between Controller and Processor
Nature & Purpose	Caching, identity verification, biometric matching, authentication, and related infrastructure services
Categories of Data Subjects	Controller's end users, employees, and authorized representatives
Types of Personal Data	Email addresses, phone numbers, names, biometric templates (encrypted), authentication events, IP addresses, API usage logs, infrastructure configuration

3. Processor Obligations

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller, including transfers to third countries (unless required by law).
2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
   • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256);
   • Fully homomorphic encryption (FHE) for biometric data processing;
   • Post-quantum cryptography (PQC) for long-term data protection;
   • httpOnly cookies for session management (no JavaScript access to tokens);
   • VPC isolation with no cross-region data transfer;
   • Region-locked KMS encryption keys;
   • Regular security assessments and penetration testing;
   • Access controls with principle of least privilege.
4. Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) via self-service tools and API endpoints.
5. Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security, breach notification, DPIA, prior consultation).
6. Delete or return all Personal Data to the Controller upon termination of the service agreement, and delete existing copies unless retention is required by law.
7. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.

4. Subprocessors

The Controller provides general written authorization for the Processor to engage subprocessors listed on the Subprocessors page. The Processor shall:

1. Maintain an up-to-date list of subprocessors at cachee.ai/legal/subprocessors.html.
2. Notify the Controller at least 30 days in advance of any intended addition or replacement of subprocessors via email to the account owner.
3. Provide the Controller the opportunity to object to such changes within the 30-day notice period.
4. Impose data protection obligations on each subprocessor that are no less protective than those in this DPA.
5. Remain fully liable to the Controller for the performance of each subprocessor's obligations.

Current Subprocessors

Subprocessor	Purpose	Location
Amazon Web Services (AWS)	Hosting, database, caching, storage, CDN	US (us-east-1)
Netlify	Static hosting, serverless functions	US
Auth1 (z101.ai)	Identity verification, authentication	US (us-east-1)
Twilio	SMS OTP delivery	US
Amazon SES	Transactional email	US (us-east-1)
Amazon SNS	Fallback SMS delivery	US (us-east-1)
Stripe	Payment processing	US
Chat101 (z101.ai)	Support chat widget	US (us-east-1)

5. International Data Transfers

All data processing occurs within the United States. If Personal Data is transferred to a country outside the European Economic Area (EEA) that has not received an adequacy decision from the European Commission, the parties agree that the transfer shall be subject to the Standard Contractual Clauses (SCCs) adopted by European Commission Decision 2021/914, which are hereby incorporated by reference.

The applicable SCC Module is:

• Module 2 (Controller to Processor) — when the Controller is established in the EEA and the Processor processes data in the US.

6. Data Breach Notification

The Processor shall:

1. Notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data.
2. Include in such notification: (a) the nature of the breach, (b) categories and approximate number of data subjects concerned, (c) likely consequences, and (d) measures taken or proposed to address the breach.
3. Cooperate with the Controller in investigating and mitigating the breach.
4. Not notify any data subject or supervisory authority on behalf of the Controller without prior written instruction.

7. Data Subject Requests

The Processor provides the following self-service mechanisms for data subject rights:

Right	Self-Service Mechanism	API Endpoint
Access / Portability	Dashboard: Settings > Export My Data	GET /api/dsar/export
Rectification	Dashboard: Settings > Profile Information	POST /api/profile/update
Erasure	Dashboard: Settings > Delete My Account	POST /api/account/delete

For requests that cannot be fulfilled via self-service (e.g., restriction, objection), the Processor shall assist the Controller upon written request within 10 business days.

8. Audit Rights

The Controller may, upon 30 days' written notice and no more than once per calendar year:

1. Request a copy of any relevant third-party audit reports (e.g., SOC 2 Type II) held by the Processor.
2. Conduct or commission an audit of the Processor's processing activities, subject to reasonable confidentiality obligations and during normal business hours.
3. Request written responses to reasonable compliance questionnaires.

The Processor shall cooperate in good faith with all audit requests and provide access to relevant systems, records, and personnel.

9. Data Retention and Deletion

Upon termination of the service agreement, the Processor shall:

1. At the Controller's election, return all Personal Data in a structured, commonly used, machine-readable format (JSON) or securely delete all Personal Data.
2. Complete deletion within 30 days of termination, unless retention is required by applicable law.
3. Provide written certification of deletion upon request.

Retention periods during the term of service are specified in our Privacy Policy, Section 8.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the underlying service agreement (Terms of Service). Nothing in this DPA limits either party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted by applicable law.

11. Term and Termination

This DPA shall remain in effect for the duration of the service agreement. The obligations of the Processor with respect to data deletion, confidentiality, and cooperation shall survive termination of this DPA.

12. Governing Law

This DPA shall be governed by the laws of the State of Delaware, USA, except where Data Protection Laws mandate otherwise (e.g., GDPR shall apply to the extent the Controller or data subjects are within the EEA).

13. Contact

To request an executed copy of this DPA, or for any questions regarding data processing:

• Data Protection Officer: privacy@h33.ai
• Privacy inquiries: privacy@h33.ai
• Legal: legal@h33.ai