Corvio Data Processing Addendum

NeoFlux AI Pte. Ltd. (doing business as Corvio)

Last Updated: Feb 26, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between NeoFlux AI Pte. Ltd. (“Processor” or “NeoFlux”) and the Customer identified in the applicable Order Form (“Controller” or “Customer”) (together, the “Parties”) and applies to the extent NeoFlux processes Personal Data on behalf of Customer in the course of providing the Service under the Terms and any Order Form (the “Agreement”); in the event of conflict, this DPA governs with respect to data protection and processing obligations.

1. Definitions

“Data Protection Laws” means applicable privacy and data protection laws and regulations, including Singapore’s Personal Data Protection Act 2012 (PDPA) and, where applicable, the EU/UK GDPR and implementing laws; “Personal Data” has the meaning in Data Protection Laws; “Customer Content” means Content submitted to the Service under Customer’s enterprise account; “Subprocessor” means a third party engaged by NeoFlux to process Personal Data on behalf of Customer; “Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Roles and Scope

Customer is the Controller of Personal Data contained in Customer Content, and NeoFlux is the Processor; Customer instructs NeoFlux to process Personal Data solely to provide the Service, including hosting, storage, retrieval, AI-enabled transformations requested by Customer, and support, and such instructions are documented in the Agreement and this DPA; NeoFlux shall not process Personal Data for purposes other than as instructed, except as required by law, in which case NeoFlux shall inform Customer (unless prohibited).

3. Details of Processing (Annex 1)

The subject matter, duration, nature, and purpose of processing, types of Personal Data, and categories of data subjects are described in Annex 1.

4. Processor Obligations

NeoFlux shall: (i) ensure personnel authorized to process Personal Data are bound by confidentiality obligations; (ii) implement appropriate technical and organizational measures to protect Personal Data against Security Incidents, as described in Annex 2; (iii) assist Customer, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligations to respond to requests from data subjects under applicable law; (iv) assist Customer in ensuring compliance with obligations relating to security, breach notifications, impact assessments, and prior consultations, as reasonably requested and where applicable; (v) upon termination of the Service, delete or return Personal Data in accordance with the Agreement and this DPA, subject to retention required by law; and (vi) make available information reasonably necessary to demonstrate compliance with this DPA and allow audits as described herein.

5. Subprocessors

Customer authorizes NeoFlux to engage Subprocessors to process Personal Data, provided NeoFlux maintains a list of Subprocessors (the “Subprocessor List”) and provides notice of material changes where required; NeoFlux will impose data protection obligations on Subprocessors that are no less protective than those set forth in this DPA, and NeoFlux remains responsible for Subprocessors’ performance of their obligations.

6. International Transfers

Where processing involves transfer of Personal Data to jurisdictions outside the country of origin, NeoFlux will implement appropriate safeguards as required by Data Protection Laws, which may include contractual clauses, supplementary measures, and ensuring Subprocessors provide adequate protections.

7. Security Incident Notification

NeoFlux shall notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data and shall provide information reasonably necessary for Customer to meet breach notification obligations, including, where available, the nature of the incident, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed to address the incident; NeoFlux’s notification will not be construed as an admission of fault.

8. Audits

Upon Customer’s written request, and no more than once annually unless a Security Incident has occurred or as required by a regulator, NeoFlux will provide reasonable information to demonstrate compliance and may, at NeoFlux’s discretion, satisfy audit requests by providing third-party audit reports, certifications, or summaries; where an on-site audit is necessary and agreed, it shall be conducted during normal business hours with reasonable notice, limited scope, and subject to confidentiality and security constraints, and Customer shall bear its costs and NeoFlux’s reasonable assistance costs.

9. Data Subject Requests

If NeoFlux receives a request from a data subject relating to Personal Data processed under this DPA, NeoFlux will, to the extent legally permitted, direct the data subject to Customer and will not respond substantively except as instructed by Customer or required by law.

10. Deletion and Return

Upon termination or expiration of the Service, NeoFlux will, within a commercially reasonable period, delete Customer Personal Data from active systems and, upon request, provide export mechanisms for Customer Content, subject to technical feasibility; NeoFlux may retain limited Personal Data in backups for a limited retention period consistent with disaster recovery practices and legal obligations, during which such data will be protected and isolated from active processing.

11. AI Processing and Training Commitment

For enterprise accounts governed by this DPA, NeoFlux will not use Customer Content, including Personal Data contained therein, to train general-purpose models, except where Customer has explicitly opted in via an Order Form or written amendment; NeoFlux may process Customer Content to provide the Service, including generating Output and maintaining indexes, embeddings, or similar representations necessary for retrieval and functionality within the Customer’s environment.

12. Liability

Liability arising under this DPA shall be subject to the limitations of liability set forth in the Agreement, unless prohibited by applicable law.

Annex 1: Details of Processing

Subject Matter: Provision of an AI-enabled workspace and knowledge organization service, including storage, retrieval, processing, transformation, generation of Output, indexing, and support.

Duration: For the term of the Agreement plus any retention period required for backups, security, or legal compliance.

Nature of Processing: Collection, storage, organization, retrieval, transformation, generation, and deletion of Content; access limited to authorized processing for support and security.

Purpose: To provide, maintain, secure, and support the Service under the Agreement.

Types of Personal Data: Customer Content may include identifiers, contact data, professional data, communications, and any other personal data submitted by Customer; special categories should not be submitted unless Customer has a lawful basis and informs NeoFlux if required for additional safeguards.

Categories of Data Subjects: Customer’s employees, contractors, users, clients, and other individuals whose data is included in Customer Content.

Annex 2: Security Measures

NeoFlux maintains measures such as logical access controls, least privilege, authentication safeguards, encryption in transit, encryption at rest where supported, monitoring and logging, vulnerability management, incident response procedures, and backup and disaster recovery controls, with specific implementation details described in Security Documentation made available to Customer under NDA or via a trust portal, if offered.