This DPA is incorporated into the Terms of Service by reference.
1 · Purpose and scope
This Data Processing Addendum ("DPA") forms part of the Terms of Service between SwarmEngines LLC ("Processor," "SwarmEngines") and Customer ("Controller"). It governs Processor's processing of Personal Data on behalf of Controller in connection with the Services.
Where required by applicable law (including GDPR Article 28, UK GDPR, Swiss FADP, or analogous laws), this DPA satisfies contractual data-protection requirements.
2 · Definitions
- "Personal Data" means information relating to an identified or identifiable natural person that Customer provides to the Services, or that is processed through the Services.
- "Processing" means any operation performed on Personal Data (collection, storage, transmission, deletion, etc.).
- "Data Subject" means the natural person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by Processor to process Personal Data.
- "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" means the EU Commission's 2021 SCCs and the UK International Data Transfer Addendum where applicable.
3 · Roles of the parties
Customer is the Controller and SwarmEngines is the Processor of Personal Data processed through the Services.
Each party is responsible for compliance with its obligations under applicable data-protection laws. Customer is responsible for the lawfulness of its Processing, the transparency of its notices to Data Subjects, and the validity of any consents obtained.
4 · Details of processing
Subject matter
Provision of the SwarmEngines Services as described in the Terms of Service and Order Form (if any).
Duration
For the term of the Terms of Service, plus a 30-day grace period for data return or deletion on termination.
Nature and purpose
To enable the Customer to activate skills (AI agent workflows) that process Customer Content. Includes executing skills, storing credentials, logging inputs/outputs, and providing the dashboard.
Categories of Personal Data
Personal Data Processed may include:
- Customer account data: name, email, business name, Google account identifier, profile photo.
- Customer's customer data (i.e., end-customer data that Customer feeds through the Services): names, email addresses, phone numbers, call transcripts, message bodies, appointment details, order history, purchase information.
- Integration credentials: OAuth tokens, API keys for third-party services Customer connects.
- Usage and telemetry: IP addresses, timestamps, skill activation events.
Categories of Data Subjects
Data Subjects may include:
- Customer's personnel (employees, contractors) who use the Services.
- Customer's customers, leads, patients, clients, or other third parties whose data Customer processes through the Services.
- Participants in Customer-initiated communications (callers, form submitters, review writers).
Special categories
The Services are not designed or intended to process "special category" Personal Data (health, genetic, biometric, racial, political, religious, sexual orientation, trade union membership). Customer must not enter such data into the Services without a separate written agreement.
5 · Customer instructions
SwarmEngines processes Personal Data only on documented instructions from Customer, including the instructions embedded in the configuration of each activated skill and the Terms of Service.
SwarmEngines will notify Customer if, in its opinion, an instruction infringes applicable data-protection law.
6 · Personnel confidentiality
SwarmEngines ensures that personnel authorized to process Personal Data are bound by written confidentiality obligations and receive regular training on data-protection and security practices.
7 · Security measures
SwarmEngines implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- Encryption in transit: TLS 1.2+ for all network communication.
- Encryption at rest: AWS KMS with customer-managed keys for credential vaults and session data.
- Tenant isolation: each skill execution runs in a fresh AWS Firecracker microVM that is destroyed at end-of-run.
- Access control: principle of least privilege, IAM policies per AgentCore runtime, SSO with hardware-token MFA for personnel.
- Logging and monitoring: immutable audit logs, automated anomaly detection, 24×7 error alerting.
- Patch and vulnerability management: critical patches within 14 days, continuous dependency scanning.
- Backup and recovery: automated daily snapshots with point-in-time restore, tested at least quarterly.
- Incident response: defined runbook, on-call rotation, post-mortem discipline.
A current summary is maintained at /security. SwarmEngines may update measures to incorporate the advancing state of the art, provided that protection is not materially reduced.
8 · Sub-processors
Customer gives general authorization to SwarmEngines to engage sub-processors, provided each sub-processor is bound by a written agreement imposing data-protection obligations at least as protective as those in this DPA.
A current list of sub-processors is maintained at /sub-processors. SwarmEngines will notify Customer at least 30 days before adding or replacing a sub-processor that processes Personal Data, via the email address on file and via that page. Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, Customer may terminate the Services for a prorated refund.
9 · Data subject rights
SwarmEngines provides tools in the dashboard that enable Customer to access, correct, delete, or export Personal Data without SwarmEngines' involvement.
Where Customer cannot address a Data Subject request through those tools, SwarmEngines will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures. Customer reimburses reasonable costs of assistance exceeding standard dashboard capabilities.
If SwarmEngines receives a request directly from a Data Subject, it will forward the request to Customer without undue delay and not respond unless authorized.
10 · Personal data breach notification
SwarmEngines will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notice will include, to the extent known:
- Nature of the breach, categories and approximate number of Data Subjects affected.
- Likely consequences.
- Measures taken or proposed to mitigate effects.
- Contact point for further information.
SwarmEngines will cooperate with Customer's reasonable requests for further information needed to meet Customer's regulatory notification obligations.
11 · International transfers
SwarmEngines is located in the United States and primarily processes data in AWS us-west-2 (Oregon, USA). When Personal Data of Data Subjects in the EEA, UK, or Switzerland is transferred to the US or other jurisdictions not subject to an adequacy decision:
- EU SCCs (Commission Decision 2021/914) are incorporated into this DPA for transfers from the EEA. Module Two applies (Controller-to-Processor).
- UK International Data Transfer Addendum is incorporated for transfers from the UK.
- Swiss FADP references are read to apply mutatis mutandis for Swiss transfers.
In the event of conflict between the SCCs and other provisions, the SCCs prevail.
12 · Audit rights
SwarmEngines provides Customer with information reasonably necessary to demonstrate compliance with this DPA, including most-recent security documentation (SOC 2 report when available), penetration-test summary, and sub-processor list.
Once per year (or after a breach), Customer may request a written questionnaire or, for Scale and Company tier customers, an on-site audit with at least 30 days' notice, conducted at Customer's expense during business hours in a manner that does not unreasonably disrupt the Services. Customer and SwarmEngines must agree on scope, and auditors must sign confidentiality obligations at least as protective as this DPA.
13 · Return or deletion
On termination or at Customer's request, SwarmEngines will, at Customer's choice, delete or return all Personal Data within 30 days, except to the extent legal obligations require retention. Sub-processors are required to do likewise.
Deletion includes overwrite-on-deletion for active stores and cryptographic shredding of encryption keys for backups, making the data irrecoverable within standard backup cycles (typically 30 additional days).
14 · Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing in this DPA limits either party's liability for breach of data-protection laws where liability cannot lawfully be limited.
15 · Term and termination
This DPA takes effect on the same date as the Terms of Service and continues until the Terms are terminated. Provisions that by their nature are intended to survive termination (including international transfer safeguards and return/deletion) continue in force.