Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Artifex Intelligence, Inc. ("Artifex") and Customer and governs Artifex's processing of personal information contained in Customer Data. Capitalized terms not defined here have the meaning given in the Terms.

1. Roles

With respect to personal information in Customer Data, Customer is the Business / Controller and Artifex is the Service Provider / Processor, and Artifex processes personal information only on Customer's documented instructions (as expressed through the Terms, this DPA, and Customer's use of the Services). Artifex acts as a Business / Controller with respect to (a) information collected directly by Artifex (e.g., from Customer's billing contact), (b) usage data, logs, and telemetry generated by operation of the Services, and (c) aggregated and de-identified data derived from Customer Data. This DPA does not apply to the data described in (a)–(c).

2. Customer Obligations

Customer represents that it has all rights, consents, and lawful bases required to submit personal information to the Services. Customer is responsible for providing notices to data subjects and for the accuracy and legality of Customer Data. Customer shall not submit restricted data categories without Artifex's prior written consent (see Acceptable Use Policy).

3. Artifex Obligations

Artifex will process personal information only as needed to provide the Services, will maintain commercially reasonable technical and organizational safeguards, and will impose confidentiality obligations on personnel with access to personal information. Artifex will not sell personal information or use it for purposes outside the business relationship with Customer, except as permitted by law (including for security, product improvement, and other purposes noted in Section 1).

4. Subprocessors

Customer authorizes Artifex to engage subprocessors (including cloud hosting providers, AI model providers, analytics, communications tools, and support tools). A current list is available on request at privacy@artifexhq.ai. Artifex will impose data-protection obligations on subprocessors substantially similar to those in this DPA. Artifex will notify Customer of new subprocessors (by email or in-product); Customer may object within 10 business days on reasonable data-protection grounds, and if the parties cannot agree on an alternative, Customer may terminate the affected portion of the Services with a refund of prepaid fees for that portion. Artifex's liability for subprocessors is subject to the liability cap in the Terms.

5. Data Subject Requests

Customer is responsible for responding to data subject requests. Artifex will provide reasonable assistance to the extent not already available through self-service features of the Services. Artifex may charge reasonable fees for non-self-service assistance.

6. Security Incidents

Artifex will notify Customer without undue delay after confirming a security incident that affects personal information in Customer Data. Notification is not an admission of fault. Customer is responsible for all notifications to data subjects, regulators, and others.

7. Audits

Artifex will, upon reasonable request (no more than once per year), provide Customer with Artifex's then-current third-party audit reports and security documentation to the extent available. Any additional audit requested by Customer must be limited in scope, conducted on at least 30 days' notice during business hours without disrupting Artifex's operations, subject to Artifex's confidentiality terms, and at Customer's sole expense.

8. Return or Deletion

Within 30 days after termination, Customer may request return of Customer Data; otherwise Artifex may delete it. Artifex may retain personal information as required by law, for legal holds, in routine backup archives overwritten in the ordinary course, or in aggregated/de-identified form (which is no longer personal information).

9. International Transfers

Artifex processes personal information in the United States and may engage subprocessors outside the U.S. Customer is responsible for compliance with any international-transfer restrictions applicable to Customer.

10. Liability; General

The liability cap and exclusions in the Terms apply to this DPA; claims under this DPA are claims under the Terms. This DPA is governed by the same law and dispute-resolution terms as the Terms. Artifex may update this DPA by posting a revised version; changes take effect at renewal or 30 days after posting, whichever is later. In the event of a conflict between this DPA and the Terms with respect to personal information in Customer Data, this DPA controls. In the event of a conflict with applicable law, applicable law controls only to the extent necessary for compliance.