fileAI Data Processing Agreement

Last Updated: January 1, 2026 (Version 1.0)

This Data Processing Agreement ("DPA") is incorporated into and forms part of the fileAI Subscription Agreement (the "Agreement") between the fileAI entity identified in the applicable Order Form ("fileAI," "we," "us," or "our") and the Customer identified in the applicable Order Form ("Customer" or "you"). This DPA sets forth the terms that apply when fileAI processes Personal Data on behalf of Customer in connection with the Services. Capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

1. Definitions

"Controller" means the natural or legal person which determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer is the Controller.

"Data Privacy Laws" means all laws and regulations applicable to the Processing of Personal Data, including without limitation: (a) the EU General Data Protection Regulation 2016/679 and any national implementing legislation ("GDPR"); (b) the UK GDPR and UK Data Protection Act 2018; (c) the Swiss Federal Act on Data Protection; (d) the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"); (e) the Singapore Personal Data Protection Act; and (f) any other applicable privacy, data protection, or data security laws, regulations, or regulatory guidance.

"Customer Personal Data" means Personal Data contained in Customer Data that fileAI processes on behalf of Customer in connection with providing the Services.

"Personal Data" has the meaning given in the GDPR and includes any information relating to an identified or identifiable natural person.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by fileAI or its sub-processors.

"Processing" (and "Process") has the meaning given in the GDPR and includes any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Processor" means the natural or legal person which processes Personal Data on behalf of the Controller. For purposes of this DPA, fileAI is the Processor.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as referenced in Attachment 1 to this DPA.

"Sub-processor" means any third party (including fileAI's Affiliates) engaged by fileAI to process Customer Personal Data in connection with the Services.

"Supervisory Authority" means an independent public authority established by an EU Member State pursuant to the GDPR, or equivalent data protection authority under other applicable Data Privacy Laws.

2. Scope and Role of Parties

2.1   Controller and Processor Relationship
Customer acts as the Controller and fileAI acts as the Processor with respect to Customer Personal Data processed in connection with the Services. Each party shall comply with the obligations applicable to it under Data Privacy Laws.
2.2   Processing Instructions
  • Documented Instructions. fileAI shall Process Customer Personal Data only on documented instructions from Customer, which consist of:
    - The Agreement and all Order Forms executed pursuant thereto;
    - This Data Processing Agreement;
    - Written instructions issued by Customer from time to time via the Services or in writing that are consistent with the terms of the Agreement.
  • Initial Instruction. The initial instruction to Process Customer Personal Data is for fileAI to provide the Services as described in the Agreement.
  • Unlawful Instructions. If fileAI reasonably believes that an instruction from Customer violates Data Privacy Laws, fileAI shall immediately inform Customer in writing and may suspend performance of the instruction until Customer confirms or modifies it. fileAI shall not be liable for any delays resulting from suspension pursuant to this Section 2.2(c).
2.3   Processing Beyond Instructions
fileAI may Process Customer Personal Data beyond Customer's instructions only:
  • To the extent required by applicable law (e.g., tax reporting, regulatory compliance, law enforcement requests), in which case fileAI shall inform Customer of the legal requirement before Processing unless prohibited by law; or
  • For fileAI's legitimate interests, including: (i) establishing, exercising, or defending legal claims; (ii) security monitoring, incident detection, and threat prevention; (iii) system performance monitoring and troubleshooting; and (iv) compliance with audit and record-keeping obligations.
To the extent such Processing constitutes fileAI as a separate Controller, fileAI shall comply with its obligations as a Controller under Data Privacy Laws.
2.4  Customer Instructions
Customer represents and warrants that: (a) its instructions comply with Data Privacy Laws; (b) it has all necessary rights and legal bases to instruct fileAI to Process Customer Personal Data as contemplated by the Agreement; and (c) it has provided all necessary notices and obtained all necessary consents required under Data Privacy Laws.

3. Provider Obligations

3.1 Security Measures
  • Technical and Organizational Measures. fileAI shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account: (i) the state of the art; (ii) the costs of implementation; (iii) the nature, scope, context, and purposes of Processing; and (iv) the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  • Security Measures. Such measures include those described in the Security Exhibit to the Agreement and Annex II to this DPA, and shall include at minimum:
    - Encryption of Customer Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
    - Pseudonymization where appropriate to the Processing;
    - Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems;
    - Ability to restore availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident;
    - Regular testing, assessment, and evaluation of the effectiveness of security measures;
    - Access controls limiting access to Customer Personal Data on a need-to-know basis;
    - Multi-factor authentication for administrative and privileged access;
    - Security logging and monitoring.
  • Security Updates. fileAI may update its security measures from time to time to address evolving threats and maintain compliance with industry standards, provided such updates do not materially reduce the overall level of security protection.
3.2 Confidentiality
  • Personnel Obligations. fileAI shall ensure that all persons authorized to Process Customer Personal Data:
    - Are subject to binding obligations of confidentiality, whether statutory or contractual;
    - Receive appropriate training on data protection, security, and privacy;
    - Process Customer Personal Data only as necessary to perform their job functions and in accordance with fileAI's policies and this DPA.
  • Training. fileAI shall provide all personnel with access to Customer Personal Data with: (i) initial data protection and security training upon hire or assignment; and (ii) annual refresher training on data protection, security, and privacy.
  • Access Controls. Access to Customer Personal Data shall be: (i) granted on a "need-to-know" basis using role-based access controls (RBAC); (ii) reviewed regularly and revoked when no longer necessary; and (iii) logged and monitored for security and compliance purposes.
  • Background Checks. fileAI conducts background checks on employees with privileged access to Customer Personal Data, to the extent permitted by applicable law.
3.3 Security Certifications
  • Certifications. fileAI maintains the following certifications demonstrating compliance with industry security standards:
    - SOC 2 Type II (American Institute of CPAs) - renewed annually
    - SOC 1
    - ISO/IEC 27001:2022
  • Availability of Reports. Current certification reports and attestations are available to Customer upon reasonable written request, subject to fileAI's standard confidentiality agreement.

4. Sub-Processors

4.1 General Authorization
Customer provides general written authorization for fileAI to engage Sub-processors to perform specific Processing activities on behalf of fileAI in connection with the Services, subject to the conditions in this Section 4.

4.2 Current Sub-processors
fileAI maintains a current list of authorized Sub-processors at the following URL: https://www.file.ai/subprocessors

The list includes for each Sub-processor: (a) name and contact information; (b) location (country) where Processing occurs; (c) description of Processing activities performed; and (d) date added to authorized list.

4.3 Sub-processor Changes
  • New Sub-processors. fileAI shall provide Customer with at least thirty (30) days' advance written notice before authorizing any new Sub-processor or making material changes to an existing Sub-processor's Processing activities.
  • Notice Method. Notice shall be provided via: (i) email to the administrative contact specified in the Order Form; and (ii) update to the Sub-processor list at the URL specified in Section 4.2.
  • Customer Objection Rights. Customer may object to a new Sub-processor or material change on reasonable data protection grounds by providing written notice to fileAI (via email to legal@fileai.com) within fifteen (15) days of fileAI's notice.
  • Resolution Process. If Customer objects:
    - The parties shall discuss Customer's concerns in good faith and work to find a commercially reasonable solution (e.g., alternative Sub-processor, additional safeguards, technical measures);
    - If no mutually acceptable solution can be reached within thirty (30) days of Customer's objection, Customer may terminate the affected Order Form(s) by providing written notice to fileAI;
    - Upon such termination, fileAI shall refund Customer a pro-rata portion of any prepaid fees for the terminated portion of the Service term, calculated from the effective date of termination;
    - Termination pursuant to this Section 4.3(d) shall be Customer's sole and exclusive remedy for objection to a Sub-processor.
4.4   Sub-processors Obligations
fileAI shall:
- Enter into a written agreement with each Sub-processor imposing data protection obligations substantially equivalent to those in this DPA;
- Ensure Sub-processors implement appropriate technical and organizational security measures;
- Remain fully liable to Customer for any Sub-processor's acts or omissions with respect to Customer Personal Data as if they were fileAI's own acts or omissions;
- Conduct appropriate due diligence before engaging Sub-processors, including assessment of their security and data protection capabilities.

5. Personal Data Breaches

5.1   Notification Obligation
fileAI shall notify Customer without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

5.2   Notification Method
fileAI shall notify Customer via:
- Email to the security contact(s) specified in the Order Form or subsequently designated by Customer in writing; and
- Any additional notification method specified in the Order Form or otherwise agreed in writing.

5.3   Notification Content
The notification shall describe, to the extent known at the time of notification:
- The nature of the Personal Data Breach, including where possible: (i) categories and approximate number of affected data subjects; and (ii) categories and approximate number of affected Customer Personal Data records;
- The name and contact details of fileAI's data protection officer or other point of contact for further information;
- The likely consequences of the Personal Data Breach;
- The measures taken or proposed to be taken by fileAI to address the breach, including measures to mitigate its possible adverse effects.

5.4   Phased Notification
If all information required under Section 5.3 is not available within the twenty-four (24) hour notification period, fileAI shall: (a) provide initial notification with available information within 24 hours; and (b) provide subsequent notifications with additional information as it becomes available, without undue delay.

5.5   Breach Investigation and Assistance
fileAI shall:
- Promptly investigate the Personal Data Breach and take reasonable steps to remediate and mitigate harm;
- Provide reasonable cooperation and assistance to Customer to enable Customer to comply with its obligations under Articles 33 and 34 of the GDPR or equivalent Data Privacy Laws, including: (i) assisting with breach impact assessment; (ii) providing information for regulatory notifications; and (iii) coordinating communications with affected data subjects if required;
- Provide Customer with regular updates on the status of the investigation and remediation efforts.

5.6   Breach Documentation
fileAI shall document all Personal Data Breaches, including facts, effects, and remedial actions taken. fileAI shall make such documentation available to Customer and competent Supervisory Authorities upon request.

5.7   No Admission of Liability
fileAI's notification of a potential or actual Personal Data Breach shall not constitute an acknowledgment of fault or liability by fileAI, and shall be without prejudice to any defenses fileAI may have.

6. Assistance with Data Subject Rights

6.1   General Obligation
Taking into account the nature of the Processing, fileAI shall provide reasonable assistance to Customer in responding to requests from data subjects exercising their rights under Data Privacy Laws, including rights of access, rectification, erasure, data portability, restriction of processing, objection, and rights related to automated decision-making.

6.2   Response Time
fileAI shall respond to Customer's requests for assistance within ten (10) business days of receipt, or such shorter period as required by Data Privacy Laws to enable Customer to comply with its obligations.

6.3   Direct Requests
fileAI shall not respond directly to data subject requests unless required by applicable law, in which case fileAI shall: (a) promptly inform Customer of the request; (b) decline to respond if legally permitted; and (c) cooperate with Customer's handling of the request.

6.4   Standard vs. Custom Assistance
  • Standard Assistance. Assistance provided through standard product functionality of the Services (e.g., data export features, deletion tools, access controls) is included in the Services at no additional charge.
  • Custom Assistance. Custom assistance beyond standard product functionality (e.g., manual data extraction, custom reports, complex data mapping) may be provided at fileAI's then-current professional services rates, billed on a time and materials basis. fileAI shall provide a good faith estimate of costs before commencing such custom work.

7. Data Protection Impact Assessments and Consultations

7.1   DPIA Assistance
Upon Customer's reasonable written request, fileAI shall provide available information to assist Customer in conducting Data Protection Impact Assessments (DPIAs) or prior consultations with Supervisory Authorities where required by Data Privacy Laws.

7.2   Scope of Assistance
Such assistance shall be limited to information relating to:
- fileAI's Processing activities and purposes;
- Description of technical and organizational security measures implemented by fileAI;
- Information about Sub-processors and data flows;
- Relevant portions of fileAI's security certifications and audit reports.
7.3   Limitations
fileAI is not responsible for: (a) conducting DPIAs on Customer's behalf; (b) assessing Customer's specific compliance obligations under Data Privacy Laws; or (c) providing legal advice regarding Customer's obligations. Customer is solely responsible for determining whether a DPIA is required and for conducting such assessment.

8. Return and Deletion of Personal Data

8.1   Post-Termination Options
Upon termination or expiration of the Agreement, fileAI shall, at Customer's written election, either: (a) delete all Customer Personal Data; or (b) return all Customer Personal Data to Customer in a commercially reasonable format.

8.2   Timeline
fileAI shall complete deletion or return within thirty (30) days after the effective date of termination, except where retention is required by applicable law.

8.3   Certification
Upon Customer's written request, fileAI shall certify in writing that it has complied with Section 8.1.

8.4   Backup Retention
fileAI may retain Customer Personal Data in archived backup systems for up to one hundred eighty (180) days following termination, after which such data shall be securely deleted. Customer Personal Data retained in backups shall remain subject to the confidentiality and security obligations of this DPA.

8.5   Legal Retention
Where applicable law requires fileAI to retain Customer Personal Data (e.g., tax, accounting, or regulatory requirements), such data shall:
- Be retained only to the extent and for the period required by law;
- Remain subject to all confidentiality and security obligations under this DPA;
- Not be Processed for any purpose other than compliance with the legal retention requirement;
- Be deleted immediately upon expiration of the legal retention period.

8.6   Export Functionality
During the thirty (30) day post-termination period, Customer may use standard export functionality of the Services to retrieve Customer Data, subject to payment of any outstanding fees.

9. Audits and Compliance Verification

9.1   Information Provision
fileAI shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Data Privacy Laws.

9.2   Audit Methods
Customer may verify fileAI's compliance through the following methods (in order of preference):
  • Third-Party Reports. fileAI shall provide, upon written request and subject to execution of fileAI's standard confidentiality agreement, its most recent:
    - SOC 2 Type II audit report;
    - ISO/IEC 27001 certificate (if applicable);
    - Other relevant security certifications and attestations.
  • Security Questionnaires. fileAI shall respond to Customer's reasonable security and data protection questionnaires annually, or as otherwise mutually agreed in writing.
  • On-Site Audits. Customer may conduct on-site audits of fileAI's facilities and systems subject to:
    - Ninety (90) days' advance written notice to fileAI;
    - Frequency limited to once per twelve (12) month period, except that Customer may conduct additional audits: (i) following a Personal Data Breach affecting Customer; or (ii) as required by a Supervisory Authority;
    - Audits conducted at Customer's expense, including any fileAI resources required beyond reasonable cooperation;
    - Audits conducted by qualified third-party auditors bound by obligations of confidentiality at least as protective as those in the Agreement;
    - Compliance with reasonable audit protocols and security requirements established by fileAI;
    - Coordination with fileAI to minimize operational disruption;
    - Audits conducted during fileAI's normal business hours.
9.3   fileAI's Right to Substitute
fileAI may fulfill audit requirements by providing third-party audit reports (SOC 2 Type II, ISO/IEC 27001, or equivalent) in lieu of on-site inspections, provided such reports reasonably address the compliance areas Customer seeks to audit.

9.4   Costs
fileAI shall bear costs of providing third-party reports and responding to standard security questionnaires. Customer shall bear all costs of on-site audits, including reasonable fees for fileAI personnel time required beyond ordinary cooperation.

9.5   Confidentiality
All audit findings and fileAI confidential information disclosed during audits shall be subject to the confidentiality provisions of the Agreement. Customer shall, and shall cause its auditors to, treat all audit findings and information obtained as Confidential Information.

9.6   Regulatory Audits
If Customer is subject to regulatory audit requirements and a Supervisory Authority or other regulatory body requires direct audit of fileAI, the parties shall cooperate in good faith to accommodate such regulatory audits, subject to reasonable confidentiality protections and operational constraints.

10. International Data Transfers

10.1   Application of Standard Contractual Clauses
For transfers of Customer Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized by the European Commission (or UK or Swiss authorities, as applicable) as providing adequate data protection, the Standard Contractual Clauses referenced in Attachment 1 to this DPA shall apply.

10.2   UK and Swiss Transfers
  • UK Transfers. For transfers from the United Kingdom, the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses shall apply as required by UK law. fileAI shall execute such documentation upon Customer's reasonable written request.
  • Swiss Transfers. For transfers from Switzerland, the Standard Contractual Clauses shall be interpreted and modified as required by the Swiss Federal Data Protection and Information Commissioner to comply with Swiss law.
10.3   Alternative Transfer Mechanisms
Where appropriate and available, fileAI may alternatively rely on other lawful transfer mechanisms under Data Privacy Laws, including:
- European Commission adequacy decisions;
- Approved Binding Corporate Rules;
- UK International Data Transfer Agreement/Addendum;
- Swiss Federal Data Protection and Information Commissioner approved mechanisms;
- EU-US Data Privacy Framework certification (if and when fileAI obtains such certification);
- Other lawful transfer mechanisms recognized under applicable Data Privacy Laws.

10.4   Supplementary Measures
fileAI implements technical and organizational measures supplementary to the Standard Contractual Clauses to ensure appropriate protection of Customer Personal Data, including:
- Encryption in transit and at rest as described in Section 3.1 and Annex II to this DPA;
- Access controls and authentication measures;
- Security monitoring and incident detection;
- Contractual protections with Sub-processors;
- Data minimization and pseudonymization where appropriate to the Processing.

10.5   Transfer Impact Assessment Support
Upon Customer's reasonable written request, fileAI shall provide available information to assist Customer in conducting a transfer impact assessment pursuant to GDPR or other applicable Data Privacy Laws, including:
- Countries to which Customer Personal Data may be transferred or accessible;
- Supplementary security measures implemented by fileAI;
- Information about data localization options (if available);
- General assessment of laws in transfer destinations that may impact data protection.

10.6   Government Access Requests
If fileAI receives a legally binding request from a government authority or law enforcement agency for access to Customer Personal Data, fileAI shall, to the extent legally permitted:
- Notify Customer promptly of the request, unless legally prohibited from doing so;
- Challenge the request if it appears unlawful, overly broad, or otherwise inappropriate;
- Provide only the minimum Customer Personal Data required by law;
- Document the request and fileAI's response.

10.7   Data Storage and Processing Locations
  • Default Storage Locations. Unless otherwise specified in an Order Form:
    - Primary data storage: AWS Asia Pacific (Singapore)
    - Backup storage: Geographically distributed across available fileAI regions
  • Regional Options. Regional hosting and data residency options may be available for additional fees. Contact sales@file.ai for information on region-specific hosting.
  • Processing Locations. Customer Personal Data may be accessed by fileAI personnel located in Singapore and other countries where fileAI operates. All such access is subject to the access controls and security measures described in this DPA.

11. Data Protection Contacts

11.1   fileAI's Data Protection Contact
fileAI has designated the following contact for data protection inquiries and matters relating to this DPA:

Data Protection Officer / Privacy Contact
Email: privacy@file.ai or dpo@file.ai
Address: 33 Pekin Street, Singapore 048763

11.2   Scope of Contact
Customer may contact fileAI's data protection team regarding:
- Compliance with this DPA or Data Privacy Laws;
- Data subject rights requests;
- Personal Data Breaches;
- Privacy and data protection inquiries;
- Questions about fileAI's Processing of Customer Personal Data.

11.3   Customer's Data Protection Contact
Customer shall designate in the Order Form (or subsequently notify fileAI in writing of):
- Administrative contact for general inquiries;
- Security contact for Personal Data Breach notifications;
- Data Protection Officer contact (if Customer has appointed a DPO).

12. Liability

12.1   fileAI Liability
fileAI shall be liable to Customer for damages arising from fileAI's breach of this DPA or Data Privacy Laws to the extent provided in, and subject to the limitations set forth in, the Agreement.

12.2   Regulatory Fines and Penalties
  • Indemnification. fileAI shall indemnify and hold Customer harmless against fines, penalties, and sanctions imposed on Customer by Supervisory Authorities that directly and proximately result from fileAI's material breach of this DPA or Data Privacy Laws, subject to: (i) Customer promptly notifying fileAI in writing of any potential fine or penalty; (ii) Customer providing reasonable cooperation in the defense and mitigation of such fine or penalty; (iii) fileAI having the right to control the defense; and (iv) the limitations and exclusions set forth in the Agreement.
  • Limitations. fileAI shall have no indemnification obligation under Section 12.2(a) for fines or penalties resulting from: (i) Customer's instructions or use of the Services in violation of this DPA or Data Privacy Laws; (ii) Customer's failure to comply with its obligations as a Controller; (iii) Processing by fileAI in accordance with Customer's documented instructions; or (iv) modifications to the Services made by anyone other than fileAI.
12.3 No Exclusion of Liability
Nothing in this DPA or the Agreement shall exclude or limit either party's liability to the extent such exclusion or limitation is prohibited by applicable Data Privacy Laws, including liability for: (a) data protection violations; (b) fraud or fraudulent misrepresentation; or (c) gross negligence or willful misconduct.

12.4 Relationship to Agreement
Except as expressly modified by this Section 12, all indemnification obligations, liability limitations, and exclusions set forth in the Agreement shall apply to claims arising under or relating to this DPA.

13. Term and Termination

13.1   Term
This DPA shall commence on the Effective Date of the Agreement and shall remain in effect for so long as fileAI Processes Customer Personal Data on behalf of Customer, unless earlier terminated in accordance with this Section 13 or the Agreement.

13.2 Effect of Agreement Termination
Upon termination or expiration of the Agreement, this DPA shall automatically terminate, subject to the survival provisions in Section 13.4.

13.3 Termination for Breach
Either party may terminate this DPA (and, at its option, the Agreement) if the other party materially breaches this DPA and fails to cure such breach within thirty (30) days of receiving written notice thereof.

13.4 Survival
The following provisions shall survive termination or expiration of this DPA:
- Section 8 (Return and Deletion of Personal Data);
- Section 11 (Data Protection Contacts);
- Section 12 (Liability);
- Section 14 (General Provisions);
- Any other provision that by its nature is intended to survive termination.

14. General Provisions

14.1   Relationship to Agreement
This DPA supplements and forms an integral part of the Agreement. In the event of any conflict or inconsistency between the provisions of this DPA and the Agreement with respect to the subject matter of this DPA, the provisions of this DPA shall prevail.

14.2   Amendments
fileAI may update this DPA from time to time to reflect: (a) changes in Data Privacy Laws; (b) guidance from Supervisory Authorities; (c) changes to fileAI's security practices that do not materially reduce protections; or (d) other changes necessary for compliance or business purposes. fileAI shall provide Customer with reasonable advance notice of material changes via email or posting to fileAI's website. Customer's continued use of the Services after the effective date of such changes constitutes acceptance of the updated DPA.

14.3   Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving its intent to the maximum extent possible. If such modification is not possible, the provision shall be severed, and the remaining provisions of this DPA shall remain in full force and effect.

14.4   Governing Law and Jurisdiction
Except as otherwise required by Data Privacy Laws or specified in the Standard Contractual Clauses, this DPA shall be governed by the laws specified in the Agreement. Any disputes arising out of or relating to this DPA shall be subject to the dispute resolution provisions set forth in the Agreement.

14.5 Order of Precedence
In the event of any conflict or inconsistency among the documents comprising the parties' agreement, the following order of precedence shall apply (from highest to lowest):
- Standard Contractual Clauses (Attachment 1), to the extent applicable;
- This Data Processing Agreement;
- The fileAI Subscription Agreement;
- Order Forms.

14.6 Entire Agreement
This DPA, together with the Agreement and any Attachments hereto, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous oral or written agreements concerning such subject matter.

14.7 Counterparts and Electronic Signatures
This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures and electronically delivered signatures shall have the same force and effect as original signatures.

Attachment 1

Standard Contractual Clauses

Module Two: Controller to Processor

The parties hereby enter into and incorporate by reference the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), as may be amended or replaced from time to time, which shall be deemed completed with the specific Modules and Annexes set forth in this DPA.

For purposes of Module Two (Controller to Processor), the parties make the following selections and specifications:

Selected Options and Specifications
CLAUSE 7 (Docking Clause):
The optional docking clause IS INCLUDED.

CLAUSE 9 (Use of sub-processors): OPTION 2 (General written authorization) is selected.
- The time period for prior notice of sub-processor changes: thirty (30) days
- Sub-processor list is maintained at: https://www.fileai.com/subprocessors

CLAUSE 11 (Redress): The optional redress clause is OMITTED (parties are not public authorities).

CLAUSE 17 (Governing law): The laws of Ireland shall govern the Clauses.

CLAUSE 18 (Choice of forum and jurisdiction): The courts of Ireland shall have jurisdiction.


Annex I

Details of Processing

A. LIST OF PARTIES

Data Exporter (Controller)

Name: Customer as identified in the Order Form
Address: As specified in the Order Form
Contact person: Administrative contact specified in the Order Form
Activities relevant to the data transferred: Use of cloud-based document processing and automation services
Role: Controller

Data Importer (Processor)
Name: Bluesheets Pte. Ltd. (trading as fileAI)
Address: 33 Pekin Street, Singapore 048763
Contact person: privacy@file.ai; legal@file.ai
Activities relevant to the data transferred: Provision of cloud-based document processing and automation services, including AI-powered document analysis, classification, extraction, hosting, and technical support
Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:
- Customer's employees, contractors, consultants, and agents who use the Services;
- Customer's customers and end users (if Customer uploads documents containing such individuals' data to the Services);
- Any other individuals whose Personal Data is included in documents or data Customer uploads to the Services.

Categories of personal data transferred:
- Identification data: names, email addresses, phone numbers, business addresses;
- Professional data: job titles, employer/company name, department, employee identification numbers;
- Credentials: usernames, encrypted/hashed passwords, authentication tokens;
- Usage data: IP addresses, device identifiers, browser type and version, access times, log data, session identifiers;
- Document contents: any Personal Data contained in documents uploaded by Customer to the Services (may include contact details, financial information, contractual information, business records, or other data depending on Customer's use of the Services);
- Communication data: if Customer uses communication features of the Services, messages and associated metadata;
- Other data: any other Personal Data Customer chooses to include in Customer Data uploaded to or processed through the Services.

Sensitive data transferred (if applicable) and applied restrictions or safeguards:
None. Customer is prohibited under the Agreement from uploading special categories of Personal Data as defined in GDPR Article 9 (e.g., health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, data concerning sex life or sexual orientation) or Personal Data relating to criminal convictions and offences (GDPR Article 10) without fileAI's prior written consent.

If Customer uploads such data despite this restriction, Customer: (a) remains solely responsible for compliance with all applicable legal requirements, including obtaining necessary consents and legal bases; (b) warrants it has implemented appropriate safeguards; and (c) indemnifies fileAI for any claims arising from such Processing.

The frequency of the transfer:
Continuous throughout the term of the Agreement. Customer Personal Data is transferred whenever Customer or its authorized users upload documents or data to the Services, use the Services to process documents, or access the Services.

Nature of the processing:
- Cloud-based hosting and storage of Customer documents and data;
- AI-powered document analysis, classification, information extraction, and pattern recognition;
- Document automation, workflow processing, and task management;
- Optical character recognition (OCR) and text extraction from documents;
- Document search, retrieval, and organization;
- System monitoring, logging, maintenance, and technical support;
- Troubleshooting, error resolution, and performance optimization;
- Service improvements and feature development using aggregated, anonymized, non-identifiable data only (unless Customer provides separate consent for use of identifiable data).

Purpose(s) of the data transfer and further processing:
- To provide the Services as described in the Agreement;
- To fulfill fileAI's contractual obligations under the Agreement;
- To provide technical support and customer service to Customer;
- To comply with fileAI's legal obligations (e.g., tax reporting, regulatory compliance);
- To establish, exercise, or defend legal claims.

The period for which the personal data will be retained:
Customer Personal Data will be retained for:
- The duration of the Agreement;
- Plus a post-termination period of thirty (30) to one hundred eighty (180) days for backup retention and business continuity purposes (as described in Section 8 of the DPA);
- Plus any additional period required by applicable law (e.g., tax, accounting, regulatory retention requirements), during which data will be retained solely for legal compliance purposes and subject to continued confidentiality and security protections.

For transfers to (sub-) processors:
Subject to Section 4 of the DPA and Clause 9 of these Standard Contractual Clauses, fileAI may engage Sub-processors to perform specific Processing activities.

Current Sub-processor list is available at: https://www.fileai.com/subprocessors

See Annex III for the list of authorized Sub-processors.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the Standard Contractual Clauses:

Where Customer is established in the European Union, the competent Supervisory Authority shall be the data protection authority in the EU Member State where Customer is established.

Where Customer is established in multiple EU Member States, the competent Supervisory Authority shall be Customer's lead supervisory authority pursuant to GDPR Article 56.

Where Customer is not established in the EU but the GDPR applies to the Processing, the competent Supervisory Authority shall be determined in accordance with GDPR Article 3(2).


Annex II

Technical and Organizational Measures

INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

fileAI implements the following technical and organizational measures to ensure appropriate security of Customer Personal Data:

1. MEASURES OF PSEUDONYMISATION AND ENCRYPTION OF PERSONAL DATA

Encryption in Transit:
TLS 1.2 or higher for all data transmissions between Customer and fileAI systems, and between fileAI systems and Sub-processors.

Encryption at Rest: AES-256 or equivalent industry-standard encryption for Customer Personal Data stored in databases, file systems, and backup systems.

Password Protection: Industry-standard hashing algorithms (bcrypt, Argon2, PBKDF2, or equivalent) for password storage. Passwords are never stored in plaintext.

Encryption Key Management: Cryptographic keys are securely generated, stored, and rotated in accordance with industry best practices. Keys are protected using hardware security modules (HSMs) or equivalent key management systems.

2. MEASURES FOR ENSURING ONGOING CONFIDENTIALITY, INTEGRITY, AVAILABILITY AND RESILIENCE OF PROCESSING SYSTEMS AND SERVICES

Access Controls:
- Role-based access control (RBAC) limiting access to Customer Personal Data based on job function and business need;
- Multi-factor authentication (MFA) required for all administrative accounts and privileged access to production systems;
- Principle of least privilege enforced - access granted only to minimum necessary resources;
- Regular access reviews and prompt de-provisioning upon termination of employment or change of role;
- Unique user credentials for each individual - no shared accounts;
- Session timeouts and automatic logout after periods of inactivity.

System Integrity:
- Intrusion detection and prevention systems (IDS/IPS) monitoring network traffic;
- Anti-malware and antivirus protection on all systems;
- Regular security patching and updates applied to operating systems, applications, and dependencies;
- Secure software development lifecycle (SSDLC) incorporating security requirements, threat modeling, secure coding practices, and security testing;
- Code reviews incorporating security considerations;
- Vulnerability scanning and penetration testing conducted regularly;
- Web application firewall (WAF) protecting internet-facing applications.

Availability and Resilience:
- Redundant infrastructure deployed across multiple availability zones within cloud regions;
- Load balancing and auto-scaling to maintain performance during traffic spikes;
- Automated health checks and failover mechanisms;
- Business continuity and disaster recovery plans documented and tested;
- Uptime monitoring with automated alerting for incidents;
- Incident response procedures with defined escalation paths and responsibilities.

Network Security:
- Firewalls configured to deny traffic by default with explicit allow rules;
- Network segmentation separating production, development, and corporate networks;
- Virtual private cloud (VPC) architecture with private subnets for sensitive systems;
- DDoS protection services at network edge;
- Encrypted VPN required for remote administrative access;
- Regular network security assessments and configuration reviews.

3. MEASURES FOR ENSURING THE ABILITY TO RESTORE THE AVAILABILITY AND ACCESS TO PERSONAL DATA IN A TIMELY MANNER IN THE EVENT OF A PHYSICAL OR TECHNICAL INCIDENT

- Automated backups of Customer Personal Data performed daily (minimum frequency);
- Backup data stored in geographically distributed locations separate from primary data centers;
- Backup encryption using same or equivalent standards as production data;
- Documented and tested backup restoration procedures with defined recovery time objectives (RTO) and recovery point objectives (RPO);
- Annual disaster recovery testing exercises;
- High availability architecture minimizing single points of failure;
- Incident response plan addressing data restoration scenarios.

4. PROCESSES FOR REGULARLY TESTING, ASSESSING AND EVALUATING THE EFFECTIVENESS OF TECHNICAL AND ORGANIZATIONAL MEASURES

- Continuous security monitoring and logging of system activities;
- Security Information and Event Management (SIEM) system aggregating and analyzing security logs;
- Regular vulnerability scanning of systems and applications (at least quarterly);
- Annual penetration testing conducted by qualified independent third parties;
- Security awareness training for all employees upon hire and annually thereafter;
- Phishing simulation exercises to test employee awareness;
- Tabletop exercises for incident response, business continuity, and disaster recovery plans;
- Security incident post-mortems with documented lessons learned and corrective actions;
- Annual SOC 2 Type II audits by independent certified public accountants;
- ISO/IEC 27001 certification audits - if applicable;
- Regular reviews and updates of security policies and procedures.

5. MEASURES FOR USER IDENTIFICATION AND AUTHORISATION

- Unique user accounts provisioned for each individual with access to systems;
- Strong password policies enforced (minimum length, complexity requirements, prohibition of common passwords);
- Multi-factor authentication (MFA) required for privileged administrative access;
- Conditional access policies based on user role, device posture, and network location;
- Session management with secure session tokens and automatic expiration;
- Audit logging of all authentication events (successful and failed login attempts);
- Anomaly detection for unusual authentication patterns;
- Just-in-time (JIT) privileged access provisioning for temporary elevated permissions.

6. MEASURES FOR THE PROTECTION OF DATA DURING TRANSMISSION

- TLS 1.2 or higher (preferably TLS 1.3) for all data transmissions;
- Strong cipher suites configured, weak ciphers disabled;
- Certificate-based authentication for system-to-system communications;
- Encrypted API communications between Services components and with third-party services;
- Secure file transfer protocols (SFTP, HTTPS) for data uploads and downloads;
- Network-level encryption (IPsec VPN) for site-to-site connectivity where applicable.

7. MEASURES FOR THE PROTECTION OF DATA DURING STORAGE

- AES-256 encryption at rest for all Customer Personal Data in databases and file storage;
- Encrypted storage volumes for virtual machines and containers;
- Logical data segregation in multi-tenant environments using customer-specific encryption keys or namespaces;
- Data classification and handling procedures based on sensitivity;
- Secure data deletion procedures using cryptographic erasure or multi-pass overwriting;
- Media sanitization for physical storage devices prior to disposal or reuse (DoD 5220.22-M or equivalent standards);
- Access controls on storage systems limiting access to authorized personnel only.

8. MEASURES FOR ENSURING PHYSICAL SECURITY OF LOCATIONS AT WHICH PERSONAL DATA ARE PROCESSED

fileAI utilizes third-party data centers (cloud infrastructure providers) that maintain:
- 24/7 physical security with trained security personnel;
- Perimeter fencing and vehicle access controls;
- Biometric access controls and badge-based entry systems;
- Video surveillance (CCTV) of facility perimeters and interior spaces;
- Visitor management procedures requiring sign-in, escort, and badge issuance;
- Environmental controls including fire suppression, temperature regulation, and humidity control;
- Uninterruptible power supply (UPS) and backup generators;
- Physical access logs and regular audits;
- Compliance with industry-standard physical security certifications (SOC 2, ISO 27001, etc.).

fileAI's office locations implement appropriate physical security including access controls, visitor logs, and clean desk policies.

9. MEASURES FOR ENSURING EVENTS LOGGING

- Comprehensive audit logging of system access and user activities;
- Logs include: authentication events, data access, administrative changes, security events, API calls, configuration changes;
- Centralized log management and aggregation using SIEM system;
- Log retention in accordance with security policies and regulatory requirements;
- Automated log analysis for security anomaly detection and alerting;
- Tamper-resistant logging mechanisms preventing unauthorized log modification or deletion;
- Regular log reviews by security team;
- Log data encrypted in transit and at rest.

10. MEASURES FOR ENSURING SYSTEM CONFIGURATION, INCLUDING DEFAULT CONFIGURATION

- Hardened system configurations following industry best practices (CIS Benchmarks, vendor hardening guides);
- Default deny firewall rules with explicit allow rules for necessary services only;
- Unnecessary services and ports disabled;
- Secure baseline configurations for operating systems, applications, and network devices;
- Configuration management using infrastructure-as-code and version control;
- Change management procedures requiring review and approval for system modifications;
- Configuration drift detection and automated remediation;
- Regular security configuration reviews and audits;
- Separation of production, staging, and development environments.

11. MEASURES FOR INTERNAL IT AND IT SECURITY GOVERNANCE AND MANAGEMENT

- Information Security Policy reviewed and approved by senior management annually;
- Information security governance committee with executive representation;
- Security strategy aligned with business objectives and risk appetite;
- Risk assessment and risk management processes conducted regularly;
- Vendor risk management program for assessing and monitoring third-party providers;
- Security incident response plan with defined roles, responsibilities, and escalation procedures;
- Business continuity management system (BCMS) addressing operational resilience;
- Background checks for employees with privileged access (to extent permitted by law);
- Confidentiality and acceptable use agreements signed by all employees;
- Separation of duties for critical functions;
- Security metrics and KPIs reported to management.

12. MEASURES FOR CERTIFICATION/ASSURANCE OF PROCESSES AND PRODUCTS

- SOC 2 Type II certification (renewed annually) covering Security, Availability, and Confidentiality Trust Services Criteria;
- ISO/IEC 27001:2013 Information Security Management System certification - if applicable;
- Compliance with cloud provider security certifications and attestations (AWS, Google Cloud, Azure certifications);
- Regular third-party security assessments and audits;
- Adherence to industry frameworks (NIST Cybersecurity Framework, OWASP, etc.);
- Participation in responsible disclosure and bug bounty programs.

13. MEASURES FOR ENSURING DATA MINIMISATION

- Customer Personal Data collected and processed only to the extent necessary to provide the Services;
- Data retention policies limiting retention to necessary periods;
- Automated data lifecycle management with deletion upon expiration of retention periods;
- Pseudonymization and anonymization where appropriate to Processing purposes;
- Aggregation of data for analytics purposes where individual-level data not required.

14. MEASURES FOR ENSURING DATA QUALITY

- Data validation at ingestion to ensure accuracy and completeness;
- Customer maintains primary responsibility for accuracy of Customer Data uploaded to Services;
- fileAI provides tools enabling Customer to correct or update data;
- Regular data quality monitoring and anomaly detection.

15. MEASURES FOR ENSURING LIMITED DATA RETENTION

See Section 8 of the Data Processing Agreement and Section B of Annex I for data retention periods.

16. MEASURES FOR ENSURING ACCOUNTABILITY

- Clear assignment of data protection responsibilities within fileAI organization;
- Data Protection Officer or privacy contact designated and accessible to data subjects and authorities;
- Privacy by design and by default incorporated into product development;
- Data Protection Impact Assessments (DPIAs) conducted for high-risk Processing activities;
- Records of Processing Activities maintained pursuant to GDPR Article 30;
- Cooperation with Supervisory Authorities and data subjects;
- Documentation of compliance with Data Privacy Laws.

For additional details on fileAI's security measures, see the Security Exhibit to the Agreement.