GDPR - DATA PROCESSING AGREEMENT (DPA)

Data Processing Agreement for the License to Use Mihu AI Software Products

Hereinafter, both parties jointly referred to as "the Parties" or individually as "the Party" acknowledge sufficient capacity to enter into this Data Processing Agreement (hereinafter, "DPA" or "Data Processing Agreement") and to this effect:

RECITALS

CLAUSES

FIRST. Purpose

Through these clauses, the Data Processor is authorized to process, on behalf of the Data Controller, the personal data necessary to provide the service described in clause three of the Terms and Conditions for the License to use the Processor's software products. The Processor will always act in accordance with the Controller's instructions, which are described in this DPA.

The authorized processing operations will be strictly necessary to achieve the purpose of the service, and may include:

• Consultation
• Storage
• Limitation
• Deletion / Destruction

SECOND. Duration

This Data Processing Agreement will enter into force at the time of its acceptance and will have the same duration as the services contracted with the Data Processor.

THIRD. Purpose of Processing

The Data Processor undertakes that the data processing it performs will be limited to what is necessary to carry out the provision of services regulated in the Mihu AI Terms of Use (https://mihu.ai/tr/terms-of-use) that have been contracted by the Controller.

FOURTH. Types of Data Processed

Categories of Data Subjects:

• Controller's account data. Employees and individuals of the Controller authorized by them to access the account.
• Controller's content. Customers and end users of the Controller.
• Controller's usage data. Customers and end users of the Controller.

Types of Data Processed:

• Identification and contact data
• Professional data
• Application usage data
• Economic and banking data
• Voice and/or image data

The Data Processor is not responsible for the information that the client enters or stores, being exclusively responsible for both the type of data they enter, particularly special category data, and the processing they perform on them.

FIFTH. Prohibition of Communication of Personal Data

The Data Processor undertakes to keep under its control and custody the personal data provided by the Data Controller to which it has access for the purpose of providing the Services and not to disclose, transfer, or in any other way communicate them, not even for their storage, to other persons outside of it and the provision of the Service.

However, the Data Processor will not incur liability when, upon express written indication from the Data Controller, it communicates the data to a third party designated by the Controller, to whom it has entrusted the provision of a service in accordance with the provisions of current data protection regulations.

Access by the Data Processor to personal data will not be considered communication or transfer of data when such access is necessary for the correct provision of the Services.

SIXTH. Subcontracting of Services

The Controller accepts that the Processor may contract with sub-processors (hereinafter, "Sub-processors" or "Sub-processor") to fulfill its obligations under this Agreement.

The Controller provides general consent for the Processor to engage with Sub-processors, subject to the following requirements:

• Every Sub-processor must guarantee compliance with data protection regulations.
• The Processor will restrict the Sub-processor's access to the Controller's Personal Data strictly necessary for the provision of their services.
• The Controller accepts that the Processor may contract with additional Sub-processors to process data within the services provided and for permitted purposes, and will maintain an updated list of its Sub-processors. In such cases, the Controller will be informed of such changes so that, if applicable, they may object to them. In case of objection, the Processor will decide whether to contract with said Sub-processor or not. If the Processor decides to contract with the Sub-processor despite the Controller's objection, it will automatically result in termination of the Agreement between the parties.

When the Processor resorts to a Sub-processor, both will respect the conditions indicated in paragraphs 2 and 4 of Article 28 of the GDPR. Specifically, the Processor undertakes that Sub-processors will respect the same data protection obligations as those indicated in this agreement.

SEVENTH. International Data Transfers

The Data Processor may carry out international transfers of data under the Controller's responsibility outside the European Economic Area, necessary for the provision of contracted services. In the case of transfers outside the EEA, these will be carried out in accordance with the provisions of Articles 44 to 49 of the GDPR.

EIGHTH. Personal Data Security

The Data Processor guarantees the application of appropriate technical and organizational measures so that the processing complies with legal requirements, in accordance with the provisions of Article 32 of the GDPR.

In the event that the Processor requests from the Controller, by the means indicated in Clause Sixteenth, an explanatory document of said measures, it will be delivered by the same means, as soon as possible.

NINTH. Cooperation in the Notification of Security Breaches

9.1. Notification of Security Breaches

In the event that a security breach occurs in the Processor's systems that may affect the data under the Controller's responsibility, the Processor, within a maximum period of 36 hours after becoming aware of the personal data breach, undertakes to notify the Controller through the email address designated by the Controller, together with all relevant information for the documentation and communication of the incident.

9.2. Assistance to the Controller

The Processor will make available to the Controller the information required by the Controller to demonstrate compliance with the obligations indicated in Article 28 of the GDPR. It will also allow audits, including inspections, by the Controller or another auditor authorized by them. The Processor is not adhered to any Code of Conduct approved under Article 40 of the GDPR.

TENTH. Rights of Access, Rectification, Deletion, Limitation, Opposition and Portability of Data

In the case of exercise of rights by third-party customers or workers of the Data Controller, the Processor will immediately transfer this to the Controller, and no later than 7 business days, so that they can attend to and give, if applicable, due response.

ELEVENTH. Confidentiality

The duty of secrecy and confidentiality derived from this Agreement binds the Data Processor during the term of the relationship maintained with the Data Controller.

The Data Processor ensures that the persons under its charge, authorized to process personal data under the Controller's responsibility, will assume a commitment of confidentiality and will be subject to adequate legal obligations of confidentiality, even after termination of the Agreement.

The Data Processor undertakes to allow access to such data only to those employees who need to know them for the correct execution of their functions within the framework of the provision of Services.

TWELFTH. Retention Period and Return of Information

The Processor will provide the possibility to obtain a copy or delete data through its system. This is the way in which the Controller may exercise their right of access, portability and deletion of data. The Controller accepts being solely responsible for obtaining a copy of their data and deleting it after the end of the deletion period indicated below. Once the contract ends, the Processor will:

• Provide the Controller for 30 days after the contract expiration date, the possibility to obtain a copy of their data through its system.
• Automatically delete the Controller's data within 30 days after termination of the contract.
• Automatically delete the Controller's data in backup systems within 60 days after termination of the contract.
• Any Controller content archived in the Processor's backup systems will be securely isolated and protected from any further processing, except when required by applicable law.

Notwithstanding the foregoing, the Data Processor may retain the Controller's information or any part thereof if required by applicable law. Thus, the Data Processor will process the Controller's account data for as long as necessary to provide services to the Controller. The Controller's account data stored in the management system(s) must be retained for a minimum period of six years after termination of the relationship for accounting, tax and audit purposes, according to and in accordance with applicable law. The Controller's account data stored in communications with the Processor's customer service teams may be retained for up to three years after termination of the Agreement.

In any case, data retained for the reasons indicated, once the contractual relationship between the parties has ended, will remain blocked at all times.

THIRTEENTH. Responsibilities of the Parties

THE DATA PROCESSOR will be responsible for any infringements that may occur in the event that it processes the Controller's personal data for a purpose other than that set forth in this agreement, as well as when it does not adopt the corresponding security measures.

THE DATA CONTROLLER will be responsible for any infringements, sanctions and/or fines that may be imposed for non-compliance with its obligations derived from Data Protection regulations.

FOURTEENTH. Data Protection

Each of the Parties is informed that their personal data will be processed by the other party, in accordance with the provisions of General Regulation 2016/679 on data protection and applicable data protection laws, for the purpose of allowing the development, fulfillment and control of the provision of services, the basis of the processing being the fulfillment of the contractual relationship. The data will be retained during the term of the contract and subsequently, by legal obligation, until the obligations and/or responsibilities derived therefrom prescribe. The parties' data may be transferred to banks, insurance companies and Public Administrations, in the cases provided for by Law and for the purposes defined therein. The parties may request access to personal data, its rectification, deletion, portability and limitation of its processing, as well as object to it, at the address of the other party that appears in the header of this Agreement.

FIFTEENTH. Applicable Legislation and Jurisdiction

The Data Controller affirms that they know and accept the terms of use set forth at mihu.ai/terms-of-use

This Data Processing Agreement will be governed by United States federal and state data protection laws and regulations, as well as the resolutions and guidelines of competent data protection authorities.

To resolve any discrepancy regarding the interpretation and/or execution of what is established in this Data Processing Agreement, the Parties submit to the jurisdiction of the Courts and Tribunals of Delaware, United States, with express waiver of any other legislation or jurisdiction that may correspond to them.

SIXTEENTH. Notifications

The parties undertake to communicate, with preference and habitually, through email to the following addresses:

• The Processor: privacy@mihu.ai
• The Controller: the email address of the main administrator of the contracted Mihu AI product or that of habitual use between the parties.

SEVENTEENTH. Acceptance

The Parties agree that they may use simple electronic signature to sign this Data Processing Agreement and consequently accept and recognize that the use of simple electronic signature will have the same validity as handwritten signature on paper for its completion.

---

HUNTERS AI, INC
131 Continental Dr, Suite 305
Newark, DE 19713
United States
Email: privacy@mihu.ai