Legal

Data Processing Addendum

Last updated: July 6, 2026

This Data Processing Addendum (this “DPA”) forms part of the Customer Terms and Conditions or other written agreement between Explore Interfaces Inc. (“Context”) and Customer governing Customer’s use of the Services (the “Agreement”), and applies where and to the extent Context processes Customer Personal Data on behalf of Customer in providing the Services.

Definitions

Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement. In this DPA:

Customer Personal Data” means Personal Data contained in Customer Data that Context processes on behalf of Customer in the course of providing the Services.

Data Protection Laws” means all laws and regulations applicable to the processing of Customer Personal Data under the Agreement, including, to the extent applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), the GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”), the Swiss Federal Act on Data Protection, and US state privacy laws such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”).

Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved by European Commission Implementing Decision (EU) 2021/914, as amended or replaced from time to time.

Subprocessor” means a third party engaged by Context to process Customer Personal Data on Context’s behalf in connection with the Services.

The terms “controller,” “processor,” “data subject,” “processing,” and “personal data breach” have the meanings given to them (or to the nearest equivalent terms) under applicable Data Protection Laws.

Scope and Roles

Roles of the Parties

As between the Parties and with respect to Customer Personal Data, Customer is the controller (or, where Customer acts on behalf of a third-party controller, a processor) and Context is Customer’s processor (or subprocessor, as applicable). Each Party will comply with its respective obligations under applicable Data Protection Laws.

Details of Processing

The subject matter, duration, nature, and purpose of the processing, and the types of personal data and categories of data subjects, are described in Annex 1 to this DPA.

Customer Obligations

Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it was acquired. Customer represents and warrants that it has provided all notices, and obtained all consents and rights, necessary under Data Protection Laws for Context to process Customer Personal Data pursuant to the Agreement and this DPA. Customer will not submit to the Services any Sensitive Data or special categories of personal data except as expressly permitted under the Agreement.

Processing Instructions

Context will process Customer Personal Data only on Customer’s documented instructions, including with regard to transfers of Customer Personal Data to a third country, unless required to do otherwise by applicable law (in which case Context will inform Customer of that legal requirement before processing, unless the law prohibits such disclosure on important grounds of public interest). The Agreement, this DPA, and Customer’s use and configuration of the Services constitute Customer’s complete documented instructions to Context. Additional or alternate instructions require the Parties’ prior written agreement. Context will promptly inform Customer if, in Context’s opinion, an instruction infringes applicable Data Protection Laws.

Confidentiality

Context will ensure that all personnel authorized to process Customer Personal Data are bound by written or statutory obligations of confidentiality with respect to such data, and that access to Customer Personal Data is limited to personnel who require such access to perform the Services.

Security

Context will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures include, at a minimum, the measures described in Annex 2 to this DPA. Context may update the measures from time to time, provided such updates do not materially reduce the overall level of protection of Customer Personal Data.

Subprocessors

General Authorization

Customer provides Context with general written authorization to engage Subprocessors in connection with the provision of the Services. Context’s current list of Subprocessors is available at context.ai/subprocessors.

Obligations

Context will: (i) enter into a written agreement with each Subprocessor imposing data protection obligations no less protective of Customer Personal Data than those set out in this DPA, to the extent applicable to the nature of the services provided by such Subprocessor; and (ii) remain responsible for each Subprocessor’s compliance with the obligations of this DPA and for any acts or omissions of a Subprocessor that cause Context to breach any of its obligations under this DPA.

Changes; Objection

Context will provide Customer with notice of any new Subprocessor (including by updating the page referenced in Section 6.1 and providing a mechanism to receive notice of updates) at least ten (10) days before the new Subprocessor processes Customer Personal Data. Customer may object on reasonable, data-protection-related grounds by notifying Context in writing within such notice period. Following an objection, the Parties will discuss the concern in good faith; if Context cannot reasonably accommodate the objection, Customer may terminate the affected Services on written notice and receive a pro-rata refund of any prepaid, unused Fees for the terminated portion of the Subscription Period.

Data Subject Requests

Taking into account the nature of the processing, Context will assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligation to respond to requests from data subjects exercising their rights under Data Protection Laws. If Context receives a request from a data subject relating to Customer Personal Data, Context will (to the extent legally permitted) promptly direct the data subject to Customer and will not respond to the request except on Customer’s documented instructions or as required by applicable law.

Personal Data Breaches

Context will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and will provide Customer with information reasonably available to Context to assist Customer in meeting its breach-notification obligations under Data Protection Laws. Context will take reasonable steps to contain, investigate, and mitigate the effects of the breach. Context’s notification of or response to a personal data breach will not be construed as an acknowledgment by Context of any fault or liability with respect to the breach.

Impact Assessments and Assistance

Taking into account the nature of the processing and the information available to Context, Context will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Data Protection Laws, in each case solely in relation to the processing of Customer Personal Data under this DPA.

International Transfers

Context may transfer and process Customer Personal Data in the United States and other jurisdictions where Context or its Subprocessors maintain operations, subject to this Section. To the extent Customer Personal Data is subject to the GDPR, UK GDPR, or Swiss data protection law and is transferred to a country not recognized as providing an adequate level of protection, the Parties agree that: (i) the SCCs (Module Two: controller to processor, or Module Three: processor to processor, as applicable) are incorporated into this DPA by reference, with Customer as “data exporter” and Context as “data importer,” and with Annexes 1 and 2 of this DPA serving as Annexes I and II of the SCCs; (ii) with respect to transfers subject to the UK GDPR, the SCCs apply as amended by the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office; and (iii) with respect to transfers subject to Swiss law, the SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner. If the SCCs conflict with this DPA, the SCCs control to the extent of the conflict.

Deletion and Return of Data

Upon expiration or termination of the Agreement, Context will, at Customer’s election made within thirty (30) days of such expiration or termination, delete or return to Customer all Customer Personal Data in Context’s possession or control, and delete existing copies, except to the extent retention is required by applicable law or the data is retained in routine backups, in which case Context will continue to protect such data in accordance with this DPA and delete it in accordance with Context’s standard deletion schedules.

Audits and Reports

Context will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including (where available) summaries of third-party audit reports and security certifications. No more than once per twelve (12) month period and on at least thirty (30) days’ prior written notice, Customer may audit Context’s compliance with this DPA, at Customer’s expense, during normal business hours, in a manner that does not disrupt Context’s business, and subject to Context’s confidentiality and security requirements. The Parties agree that, where adequate, audits will be satisfied by Context providing its then-current audit reports or certifications.

US State Privacy Laws

To the extent Customer Personal Data is subject to the CCPA or other US state privacy laws under which Context acts as a “service provider,” “processor,” or equivalent: Context will not (i) sell or share Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement and this DPA, or outside of the direct business relationship between the Parties; or (iii) combine Customer Personal Data with personal information that Context receives from or on behalf of another person, except as permitted by applicable law. Context certifies that it understands and will comply with the restrictions in this Section, will notify Customer if it determines it can no longer meet its obligations under applicable US state privacy laws, and grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

General Provisions

This DPA is subject to the terms of the Agreement, including, without limitation, its limitations of liability, which apply to the Parties’ aggregate liability under the Agreement and this DPA together. In the event of a conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA controls to the extent of the conflict. This DPA will remain in effect for as long as Context processes Customer Personal Data on behalf of Customer. Questions about this DPA may be directed to legal@context.ai.

Annex 1: Details of Processing

Subject matter and duration

The provision of the Services under the Agreement, for the duration of the Subscription Period and any period thereafter during which Context processes Customer Personal Data in accordance with this DPA.

Nature and purpose of processing

Hosting, storage, retrieval, analysis (including through AI technologies as described in the Agreement), transmission, and other processing operations necessary to provide, maintain, secure, and support the Services in accordance with the Agreement and Customer’s configuration and use of the Services.

Categories of data subjects

Customer’s Authorized Users; Customer’s employees, contractors, customers, end users, and other individuals whose Personal Data is contained in Customer Data submitted to the Services by or on behalf of Customer.

Types of personal data

Personal Data contained in Customer Data, as determined and controlled by Customer in its sole discretion, which may include names, business and personal contact information, account identifiers, user content, and any other Personal Data submitted to the Services. The Services are not designed for, and Customer agrees not to submit, Sensitive Data.

Frequency of transfer

Continuous, for the duration described above.

Annex 2: Security Measures

Context maintains a written information security program that includes, at a minimum:

  • Encryption of Customer Personal Data in transit using TLS and at rest using industry-standard encryption.

  • Logical access controls, including role-based access, least-privilege provisioning, multi-factor authentication for administrative access, and prompt revocation of access on personnel role change or departure.

  • Network and infrastructure security controls, including segmentation, firewalling, and hardened configurations hosted with leading cloud infrastructure providers.

  • Vulnerability management, including periodic scanning, patching processes, and third-party penetration testing.

  • Logging and monitoring designed to detect unauthorized access to or use of the Services.

  • Personnel measures, including background checks where permitted by law, confidentiality obligations, and security awareness training.

  • Business continuity and disaster recovery procedures, including backups and periodic testing.

  • A documented incident response plan covering identification, containment, investigation, remediation, and notification.