DPA

Data Processing Addendum.

The actual DPA that governs every Jottings engagement. Tri-party attested, not optional, written to survive a deposition.

Version 1.0 · Effective 2026-04-22

Plain English: Read this first.

This is the actual DPA that governs every Jottings engagement. It is the same document we execute with every client - tri-party attested between the consulting firm, the client company, and Jottings.AI. It is not optional. It is not negotiable in beta. It is written to be defensible in a deposition.

If you are enterprise counsel reviewing this: skim the table of contents below and jump. If you are a founder who has never read a DPA: the short version is - we are the processor, the client is the controller, the consultant is the joint controller for the engagement window, and the agent purges everything ninety days after close.

Questions go to legal@jottings.ai. Markups go there too. We redline fast.

// TODO: final legal review before GA. This document is accurate in posture; clauses are template-derived and have not yet been reviewed by outside counsel.

1. Definitions

“Agreement” means the Master Services Agreement or Order Form entered into between Jottings, the consulting Firm, and the Client to which this Data Processing Addendum (“DPA”) is attached or incorporated by reference.

“Applicable Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including GDPR, UK GDPR, CCPA/CPRA, and state-level US workplace monitoring statutes.

“Engagement” means a single 2–4 week observation conducted on the in-scope systems of a specific Client.

“Personal Data” has the meaning given in Applicable Data Protection Laws, and for purposes of this DPA includes all redacted observation data derived from the Observation Agent.

“Observation Agent” means the Jottings desktop software installed, under consent, on in-scope employee devices for the Engagement Window.

2. Roles of the Parties

2.1 Jottings acts as the Processor of Personal Data derived from the Observation Agent.

2.2 The Client acts as the Controller of such Personal Data.

2.3 The Firm is a Joint Controller with the Client for the duration of the Engagement Window, solely for the purpose of receiving, editing, and delivering the final Report.

2.4 Each party shall comply with its obligations under Applicable Data Protection Laws.

3. Scope and Duration

This DPA applies for the duration of the Engagement Window and for the subsequent ninety (90) day retention period, after which Jottings shall purge all Engagement data in accordance with Section 12 (Return and Deletion).

4. Processing Instructions

Jottings shall Process Personal Data only on documented instructions from the Controller, including to: (i) operate the Observation Agent during the Engagement Window; (ii) generate redacted observation data, synthesize a Work Graph, and produce the Report; and (iii) purge Engagement data per Section 12.

Jottings shall not sell, rent, or Process Personal Data for advertising or profiling purposes. Jottings shall not use Personal Data to train general-purpose AI models.

5. Sub-Processors

The Client authorizes Jottings to engage the following Sub-Processors for the purposes indicated, subject to the terms of this DPA:

• Supabase, Inc. - database, authentication, object storage (US region).

• Amazon Web Services, Inc. - underlying infrastructure for Supabase and Report rendering (US region).

• Anthropic, PBC - LLM inference on redacted transcripts, zero-retention API configuration.

• OpenAI, LLC - LLM inference on redacted transcripts, zero-retention API configuration.

• Google LLC (Gemini API) - optional; enabled only on Controller request, zero-retention API configuration.

Jottings shall give the Controller thirty (30) days' prior written notice of any new Sub-Processor and shall impose substantially similar data-protection obligations on each Sub-Processor.

6. Security Measures

Jottings shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

• On-device redaction of regex-matched PII, on-device NER, and OCR redaction prior to network transmission.

• Engagement-scoped encryption keys rotated at Engagement close.

• TLS 1.2+ in transit, AES-256 at rest.

• Least-privilege access controls and mandatory MFA for Jottings personnel.

• Centralized audit logging for all Processor access to Engagement data.

7. Personnel and Access

Jottings shall ensure that all personnel authorized to Process Personal Data have committed themselves to confidentiality obligations and have completed data-protection training.

Access to Engagement data is restricted to the minimum set of Jottings personnel required to operate the Service, and is logged per Section 6.

8. Data Subject Rights

Jottings shall reasonably assist the Controller, at the Controller's expense, to respond to Data Subject requests under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, and portability - to the extent such requests relate to redacted observation data held by Jottings.

9. Incident Notification

Jottings shall notify the Controller and the Firm without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal Data Breach. Such notification shall include, to the extent known: the nature of the Breach, the categories and approximate number of affected records, the likely consequences, and the measures taken or proposed to address it.

10. Audits

Jottings shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including the most recent SOC 2 report (once available) and a current Sub-Processor list. No more than once per calendar year, and with thirty (30) days' prior written notice, the Controller may conduct or appoint an independent third party to conduct an on-site audit.

11. International Transfers

To the extent Processing involves the transfer of Personal Data out of the EEA, UK, or Switzerland, the parties agree that the EU Standard Contractual Clauses (Module 2: Controller-to-Processor), together with the UK International Data Transfer Addendum, are incorporated into this DPA by reference.

12. Return and Deletion

Within ninety (90) days of the close of an Engagement, Jottings shall purge all Engagement Personal Data from its systems and from its Sub-Processors. Purge shall generate a hashed attestation log, delivered to the Controller, certifying the deletion.

The final Report and its underlying methodology page may be retained by the Controller and the Firm indefinitely; no Personal Data is embedded in either.

13. Liability and Indemnification

Each party's liability arising from or in connection with this DPA shall be subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Laws.

14. Termination

This DPA shall automatically terminate upon the later of (i) the expiration of the Engagement Window, or (ii) the completion of the purge described in Section 12.

15. Governing Law

This DPA shall be governed by the laws of the State of Delaware, without regard to its conflict-of-laws rules, except to the extent Applicable Data Protection Laws require otherwise.
