Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Codaiq Service Agreement (the "Agreement") between Codaiq LTD ("Processor", "Codaiq", "we") and the entity identified as the customer in the Agreement ("Controller", "Customer", "you"). It governs the processing of Personal Data by Codaiq on behalf of the Customer in accordance with Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and, where applicable, the UK GDPR and the Data Protection Act 2018.
For an executable PDF version (counter-signed copy), email info@codaiq.com with the subject line "DPA request" and your company details.
1. Parties
Processor
- Codaiq LTD
- Companies House No. 16537316
- 71-75 Shelton Street, Covent Garden
- London, WC2H 9JQ, United Kingdom
- Director: Hassan Hasso
- info@codaiq.com
Controller
- Customer
- The legal entity that has entered into the Codaiq Service Agreement and accepted this DPA via account signup or counter-signed copy.
2. Subject Matter and Duration
The subject matter of this DPA is the processing of Personal Data by Codaiq on behalf of the Customer for the sole purpose of providing the Codaiq platform services as described in the Agreement. This DPA shall remain in force for the duration of the Agreement and shall automatically terminate upon termination of the Agreement, subject to the post-termination obligations set out in section 13.
3. Nature and Purpose of Processing
Codaiq processes Personal Data on behalf of the Customer for the following purposes:
- AI-driven generation of website content, code, copy, images and structural templates based on Customer prompts;
- Hosting, deployment and content delivery of generated websites to end-users;
- Lead capture, contact-form processing and storage of end-user submissions on Customer-published websites;
- Product, traffic and conversion analytics of Customer's published websites;
- Account, billing and support operations relating to the Customer's use of the platform.
4. Types of Personal Data
The Personal Data processed under this DPA includes:
- Customer data: contact name, business email, account credentials (hashed), billing address, VAT number, IP address, device and browser metadata, two-factor authentication secrets (AES-256-GCM encrypted at rest).
- Customer's end-user data captured through Customer-published websites: name, email, phone number, message content, IP address, user-agent, referrer, behavioural events (page views, clicks, scroll depth, form submissions), and any additional fields configured by the Customer in their forms.
5. Categories of Data Subjects
- Customer's employees, contractors, agents and authorised users of the Codaiq platform;
- Visitors, prospects and customers of the Customer's published websites (collectively, "End-Users").
6. Processor Obligations
Codaiq, as Processor, undertakes the following obligations:
- Documented instructions (Art. 28(3)(a) GDPR): Codaiq shall process Personal Data only on the documented instructions of the Customer, including transfers of Personal Data to a third country, unless required by Union or Member State law to which Codaiq is subject. The Agreement, this DPA and any reasonable instructions issued through the Codaiq admin panel constitute documented instructions.
- Confidentiality (Art. 28(3)(b) GDPR): Codaiq shall ensure that personnel authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security (Art. 28(3)(c) and Art. 32 GDPR): Codaiq shall implement the technical and organisational measures described in Annex 2.
- Sub-processor engagement (Art. 28(3)(d) GDPR): Codaiq shall comply with section 7 of this DPA when engaging sub-processors.
- Assistance with data-subject requests (Art. 28(3)(e) GDPR): Codaiq shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to respond to requests from data subjects exercising their rights under Chapter III GDPR.
- Assistance with Art. 32-36 obligations (Art. 28(3)(f) GDPR): Codaiq shall assist the Customer in ensuring compliance with security obligations, personal-data-breach notification, communications to data subjects, data-protection impact assessments and prior consultation with supervisory authorities.
- Return or deletion on termination (Art. 28(3)(g) GDPR): See section 13.
- Audit (Art. 28(3)(h) GDPR): See section 11.
7. Sub-Processors
The Customer grants Codaiq a general written authorisation to engage sub-processors in accordance with Article 28(2) GDPR. The current list of authorised sub-processors is maintained at codaiq.com/subprocessors and forms Annex 1 to this DPA.
Codaiq shall provide the Customer with at least 30 days' prior notice of any intended addition or replacement of sub-processors, giving the Customer the opportunity to object. To receive change notifications, email info@codaiq.com with the subject "Subprocessor notifications".
If the Customer reasonably objects to a new sub-processor on data-protection grounds, the Customer may terminate the affected services without penalty by giving written notice within the 30-day notice window. Codaiq shall impose on each sub-processor data protection obligations no less protective than those set out in this DPA.
8. International Transfers
Where Codaiq transfers Personal Data to a country outside the European Economic Area (EEA) or the United Kingdom that is not the subject of an adequacy decision (in particular to sub-processors located in the United States, including OpenAI Inc., Anthropic PBC, Vercel Inc., MongoDB Inc., Sentry, Resend, Upstash, Inngest and Railway), such transfers shall be governed by:
- The European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module 2 (Controller-to-Processor), incorporated by reference, with Customer as data exporter and the sub-processor as data importer;
- The UK International Data Transfer Addendum (IDTA) to the EU SCCs, where the transfer is subject to UK GDPR;
- Where applicable, the EU-US Data Privacy Framework certification of the receiving entity (e.g. Stripe, Google).
Codaiq has carried out and documented transfer impact assessments and applies supplementary measures (encryption in transit and at rest, pseudonymisation where feasible, access controls, transparency reports) in accordance with the Schrems II requirements.
9. Data-Subject-Rights Assistance
Codaiq shall, taking into account the nature of the processing and to the extent reasonably possible, assist the Customer in responding to requests from data subjects (Art. 15-22 GDPR) within 14 calendar days of receiving a written request from the Customer. Standard data-export and account-deletion functions are available in the Codaiq admin panel for self-service execution.
10. Personal Data Breach Notification
Codaiq shall notify the Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer data, in accordance with Article 33(2) GDPR. The notification shall include, to the extent available:
- The nature of the breach, categories and approximate number of data subjects and records concerned;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach and mitigate adverse effects;
- Name and contact details of the Codaiq contact point.
11. Audits
Codaiq shall make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR. In practice, this is satisfied by:
- An annual written self-audit report (technical and organisational measures, security controls, sub-processor list) provided on request;
- SOC 2 Type II reports once available (on the Codaiq roadmap);
- On-site or remote audits by the Customer or an independent third-party auditor bound by confidentiality, with at least 30 calendar days' prior written notice, no more than once per twelve-month period, during normal business hours and without disruption to Codaiq's operations. The Customer shall bear the costs of the audit unless the audit reveals material non-compliance.
12. Liability
Each party's liability under or in connection with this DPA shall be subject to and limited by the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits liability that cannot be limited under applicable law, including liability for damage caused by intentional misconduct or gross negligence.
13. Term and Termination — Return or Deletion of Data
This DPA is coterminous with the Agreement. Upon termination or expiry of the Agreement, Codaiq shall, at the choice of the Customer notified in writing within 30 days of termination:
- Return all Personal Data to the Customer in a structured, commonly used, machine-readable format; or
- Delete all Personal Data and existing copies, unless Union or Member State law requires storage of the Personal Data.
Where no instruction is received within 30 days of termination, Codaiq shall delete all Customer Personal Data and provide written confirmation of deletion within a further 30 days. Routine encrypted backups may be retained for up to 90 days and shall be overwritten or deleted in the ordinary course.
14. Signatures
Acceptance: By accepting the Codaiq Terms of Service or by continuing to use the Codaiq platform after the effective date of this DPA, you, the Customer, and Codaiq LTD, the Processor, agree to be bound by this DPA. Acceptance is recorded electronically at account signup and is legally binding.
For an executable PDF version (counter-signed), email info@codaiq.com with the subject "DPA request" and your company details. We aim to return a signed copy within 5 business days.
Annex 1 — Sub-Processor List
The current list of authorised sub-processors is maintained at codaiq.com/subprocessors and is incorporated into this DPA by reference. It is updated whenever a sub-processor is added, removed or changed, with prior notice provided in accordance with section 7.
Annex 2 — Technical and Organisational Measures (TOMs)
In accordance with Article 32 GDPR, Codaiq implements the following technical and organisational measures:
Confidentiality
- Encryption at rest: AES-256 on MongoDB Atlas managed clusters; AES-256-GCM for two-factor authentication secrets and other sensitive fields.
- Encryption in transit: TLS 1.2 or higher enforced on all public endpoints; HSTS preloaded; perfect forward secrecy.
- Password storage: bcrypt with a work factor of at least 12; no plain-text storage or transmission of credentials.
- Access controls: Role-based access control (RBAC) with the principle of least privilege; mandatory multi-factor authentication for all administrative accounts; production access on a need-to-know basis.
- Network segmentation: Private VPCs, firewalled database access, IP allow-listing for administrative interfaces.
Integrity
- Audit logging of administrative actions and access to Personal Data; logs retained for 90 days minimum.
- Code review and signed deployments; immutable build artefacts.
- Anti-malware and dependency vulnerability scanning in CI.
Availability and Resilience
- Automated daily backups with point-in-time recovery for the production database.
- Multi-region content delivery via Vercel edge network.
- Documented disaster-recovery and business-continuity plan, tested at least annually.
Process for Regular Testing
- Quarterly internal security reviews.
- Annual third-party penetration tests once contracted.
- Incident-response plan with documented severity tiers, escalation paths and post-mortems.
Personnel
- Background checks where legally permitted.
- Contractual confidentiality obligations on all employees and contractors.
- Mandatory data-protection and security training on onboarding and annually.