Data Processing Agreement

Capitalised terms have the meaning given in the Terms of Service. In this DPA:

• UK GDPR means the General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
• EU GDPR means Regulation (EU) 2016/679.
• Data Protection Laws means the UK GDPR, EU GDPR, Data Protection Act 2018, PECR 2003, and any other data protection law applicable to the Services.
• Personal Data, Processing, Controller, Processor, Data Subject have the meanings in Article 4 UK GDPR.

The parties acknowledge that for personal data Client uploads into the Services in connection with Expert evaluations, Client is the Controller and Nxted is the Processor (or sub-Processor where Client is itself a Processor). For all other personal data (e.g. Client's own administrative account data), Nxted is Controller as set out in the Privacy Policy.

The subject-matter is the provision of AI evaluation Services by Nxted to Client. The duration runs for as long as the Services are provided plus the post-termination retention period in the Terms of Service. The nature is reading, scoring, and reporting on Client's AI outputs. The purpose is to deliver evaluation reports and structured datasets to Client.

The Personal Data and Data Subject categories are set out in Schedule 1 (Client to complete on first upload). Typical categories include individuals named in Client's training prompts or AI outputs, end users of Client's AI system, and Client's internal staff who manage the engagement.

Nxted notifies Client of a Personal Data breach without undue delay and not later than 48 hours after Nxted becomes aware of it. The notice includes the categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed.

For transfers of Personal Data from the UK to a country without an adequacy decision, the parties incorporate by reference the UK International Data Transfer Agreement (IDTA), Module 2 (Controller to Processor). For transfers from the EU, the parties incorporate Module 2 of the European Commission Standard Contractual Clauses (Decision 2021/914) with the UK Addendum where the data is also subject to UK law.

India is the principal recipient country for our contributor network. A Transfer Risk Assessment is published in the Privacy Policy and available in full on request.

The liability provisions of the Terms of Service apply to this DPA, with the following clarification: nothing in the liability cap limits a party's liability for unlawful Processing of Personal Data that results in a fine imposed on the other party under the Data Protection Laws to the extent the fine arises from the first party's own breach.

To be completed by Client at first upload. Default values apply where Client provides none:

• Data Subjects: end users of Client's AI system; individuals named in prompts/outputs.
• Categories of Personal Data: names, identifiers, free-text content potentially containing personal data; no special category data unless agreed in writing.
• Frequency: continuous over the engagement.
• Duration: as the Services.

Summary; full detail in the Security Whitepaper.

• Pseudonymisation and encryption: AES-256 at rest; TLS 1.3 in transit; per-tenant envelope encryption keys.
• Confidentiality, integrity, availability, resilience: ISO 27001-aligned ISMS; documented backup and recovery; AWS London region primary.
• Restoration: RPO 24h, RTO 8h for application data.
• Testing and evaluation: quarterly external penetration testing; continuous vulnerability scanning.
• Access control: mandatory MFA, RBAC, least-privilege, segregation between application and biometric data stores, audit logging.