Data Processing Agreement
Effective date: April 22, 2026
Automatically applies to every Subscription. Counter-signature available for Pro and Business on request to [email protected].
1. Parties and Roles
1.1 Processor. LeMans Labs OÜ, Estonian registry code 16872044, Valukoja tn 8/1, 11415 Tallinn, Harju maakond, Estonia. VAT EE102683710.
1.2 Controller. The Subscription Admin, acting on behalf of the legal entity that subscribed.
1.3 Data Scope. All Personal Data (Article 4(1) GDPR) processed by the Processor on the Controller's behalf, including: (a) business contact data of Controller's staff and Operators; (b) end-customer data received via Controller's Linked Accounts; (c) knowledge-base content uploaded to AI Employees; (d) inference artefacts – prompts, embeddings, outputs.
1.4 Exclusions. Personal Data the Controller submits in BYOK Mode (Terms §21.2) to a provider the Controller elected is processed by that provider as a separate processor engaged directly by the Controller. In BYOK Mode, the Controller is solely responsible for (a) executing a processor contract with the elected LLM provider meeting Article 28 GDPR and equivalent local-law requirements, (b) performing any transfer-impact assessment under Articles 44–49 GDPR, and (c) satisfying any applicable regulatory obligation (including Executive Order 14117, ITAR, EAR, HIPAA, and state equivalents). ewpire acts as router only for BYOK traffic. Stripe payment data is processed by Stripe as independent controller.
2. Subject Matter, Duration, Purpose
2.1 Subject. Processing necessary to deliver the Service.
2.2 Duration. From the Subscription effective date until thirty (30) days after cancellation, subject to legal retention.
2.3 Nature. Collection, storage, indexing (vector embedding), retrieval, transmission to sub-processors for inference or delivery, output rendering, deletion.
2.4 Purpose. To provide the Service. No other purpose without Controller's specific written instruction.
2.5 Data Subjects. Controller's employees, contractors, Operators, sales prospects, support requesters, job applicants, tender counterparties, document subjects, scheduling participants.
2.6 Categories. Identifiers (name, email, phone, messenger handle); professional (title, employer, seniority); communications (messages, voice transcripts, documents); inferred (lead scores, sentiment, intent); technical (IP, user-agent, timestamps).
2.7 Special Categories (Art. 9). Not intended. The Controller undertakes not to submit Article 9 data without a supplementary Schedule.
3. Processor Obligations (Art. 28(3) GDPR)
3.1 Instructions Only. Processor processes solely on documented Controller instructions, including as to third-country transfers, unless required by EU or Estonian law.
3.2 Confidentiality. Authorised persons are bound by confidentiality.
3.3 Security (Art. 32). Measures in Annex II.
3.4 Sub-Processors. Per Section 4.
3.5 Data-Subject Requests. Processor assists Controller via appropriate technical and organisational measures. Requests received directly by Processor are forwarded to Controller without undue delay; Processor does not respond substantively without Controller's authorisation.
3.6 Controller Assistance (Arts. 32–36). Processor assists with Articles 32 to 36 GDPR compliance, considering nature of processing and available information.
3.7 Deletion or Return. At Controller's choice, Processor deletes or returns all Personal Data at end of service and deletes existing copies, unless EU or Estonian law requires storage.
3.8 Audit Rights. Processor makes available information necessary to demonstrate Article 28 compliance and allows audits by Controller or mandated auditor, limited to once per calendar year, on not less than thirty (30) days' written notice, during business hours, subject to confidentiality, save that audits more frequent than once per calendar year may be conducted where a specific good-faith regulatory trigger, a data-subject complaint supported by specific evidence, or a cyber-incident of material scope justifies them; any such additional audit is scoped to the triggering event and subject to the same notice, business-hours, and confidentiality conditions. Processor may provide a current SOC 2 Type II, ISO 27001, or equivalent independent attestation in lieu, which Controller accepts as reasonable evidence absent specific good-faith concerns.
3.9 Instruction-Breach Notice. Processor immediately informs Controller if an instruction infringes the GDPR or other data-protection law.
3.10 Service-Provider Obligations (California). Where the Controller is subject to CCPA/CPRA and shares Personal Information with Processor, Processor shall: (a) not sell or share such Personal Information; (b) not retain, use, or disclose it for any purpose other than the specific business purpose of the Service; (c) not combine it with Personal Information from other sources except as permitted by §1798.140(ag)(1) CCPA; (d) comply with applicable CCPA/CPRA obligations; and (e) notify Controller if Processor can no longer meet these obligations.
4. Sub-Processors
4.1 Authorisation. Controller grants general authorisation to engage sub-processors listed in Annex III and to replace or add sub-processors per §4.2.
4.2 Change Notice. Processor notifies Controller at least fourteen (14) days before any addition or replacement, by updating ewpire.com/subprocessors and emailing the Controller's billing contact. Controller may object on reasonable data-protection grounds within fourteen (14) days. Failing agreement, Controller may terminate the affected portion and receive a pro-rata refund of unused prepaid fees.
4.3 Back-to-Back Terms. Processor imposes on every sub-processor, by contract, data-protection obligations materially equivalent to this DPA and remains fully liable for sub-processor performance.
5. International Transfers
5.1 EEA by Default. Persistent Controller Personal Data is stored on EEA infrastructure (primarily Hetzner Germany and Cloudflare EU edge).
5.2 Third-Country Transfers. Where a sub-processor is outside the EEA without adequacy, Processor relies on the European Commission's SCC (Module Two, Implementing Decision (EU) 2021/914) with additional safeguards from a transfer impact assessment. UK transfers incorporate the UK IDTA. Counter-signed SCC/IDTA copies are available on written request.
5.3 Destinations. Disclosed in Annex III.
5.4 US-regulated Controllers and BYOK election. Where the Controller is subject to US data-localisation obligations or country-of-concern restrictions, and the default LLM sub-processor is not compatible with such obligations, the Controller may elect BYOK on a Pro or Business Subscription (Terms §21.2) to route inference to a provider of the Controller's own choice. ewpire neither warrants the regulatory suitability of any particular LLM sub-processor nor assumes responsibility for the Controller's compliance; the Controller is solely responsible for that assessment and for the consequences of its routing election.
6. Breach Notification
6.1 Processor Duty. Notice to Controller without undue delay and in any event within forty-eight (48) hours of becoming aware of a Personal Data breach affecting Controller data, providing Article 33(3) GDPR information at minimum.
6.2 Controller Duty. Controller retains sole responsibility for notifying the supervisory authority (Art. 33) and affected data subjects (Art. 34); Processor assists under §3.6.
6.3 Log. Internal breach log kept per Art. 33(5) for at least three (3) years.
7. Liability
7.1 Caps. Terms §§11 and 12 liability caps and exclusions apply, save that nothing limits liability for: (a) Article 82 GDPR damages; (b) supervisory-authority fines on the liable party; (c) gross negligence or wilful misconduct.
7.2 Allocation. Where both parties are jointly liable under Art. 82(4), each bears the share corresponding to its responsibility per Art. 82(5).
8. Term, Conflict, Law
8.1 Term. Commences on the Subscription Effective Date and continues until cancellation under the Terms and thereafter for as long as Processor retains Controller Personal Data.
8.2 Conflict. This DPA prevails over the Terms in data-protection matters.
8.3 Law / Jurisdiction. Estonian law; Harju County Court, Tallinn – without prejudice to data-subject rights under Art. 79(2) GDPR.
Annex II – Technical and Organisational Measures (Art. 32)
Access control (RBAC, least privilege, MFA, bastion host); encryption (TLS 1.3 in transit, AES-256-GCM at rest, per-Subscription DEK); tenant isolation (schema-per-Subscription, Dedicated Container on Pro/Business, Dedicated VPS on Enterprise); logging retained ninety (90) days, structured security-event log, Telegram alerting; change management (version-controlled config, mandatory peer review, blue-green deploy); backups (daily encrypted, fourteen (14) days short-term, ninety (90) days long-term, forty-eight (48) hour point-in-time recovery); vulnerability management (weekly dependency scan, monthly patch, annual third-party pentest); personnel (confidentiality in all engagements, GDPR training on onboarding and annually, twenty-four (24) hour revocation on role change); business continuity (documented IR plan, RTO twenty-four (24) hours Business-tier, RPO one (1) hour); deletion within thirty (30) days of request. Detailed specification available under NDA at ewpire.com/security.
Annex III – Authorised Sub-Processors (effective 2026-04-22)
| # | Sub-Processor | Role | Location | Transfer Mechanism |
|---|---|---|---|---|
| 1 | Hetzner Online GmbH | VPS hosting | Germany (EEA) | Intra-EEA |
| 2 | Cloudflare, Inc. | CDN, DDoS, edge | US / EEA edge | SCC Module 2 + DPF |
| 3 | Alibaba Cloud International (Singapore) Pte. Ltd. | Default LLM (Qwen) + image generation | Singapore / Hong Kong | SCC Module 2 + TIA safeguards |
| – | Anthropic / OpenAI / Google | BYOK-elected LLM | – | Not ewpire sub-processors. Per §1.4, BYOK-elected providers are engaged by Controller directly under a separate processor agreement. |
| 7 | Groq, Inc. | Voice transcription | United States | SCC Module 2 |
| 8 | Stripe Payments Europe, Ltd. | Subscription billing and Connect payouts | Ireland (EEA) | Intra-EEA; onward DPF |
| 9 | Resend, Inc. | Transactional email | United States | SCC Module 2 |
Sub-processors are engaged only as required by Controller configuration. Anthropic, OpenAI, and Google are engaged only when the Controller elects that LLM via BYOK and contracts with the provider directly under §1.4 Exclusions.
Deferred (future re-activation). Meta Platforms Ireland Ltd., Twilio Inc., and 360dialog GmbH will be added as sub-processors when WhatsApp integration is restored to the Service. At that time, Controllers will receive not less than thirty (30) days' advance notice of the addition in accordance with §4.2.
Annex IV – Notification Contacts
Processor-to-Controller: Stripe billing email + Messenger broadcast to Admin.
Controller-to-Processor: [email protected] (copy [email protected]).
Supervisory authority of Processor: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, [email protected].