Legal · For business customers

Data Processing Addendum

Effective Date: [Effective Date]

This DPA forms part of the agreement between Leny, a California corporation ("Leny", "Processor") and the customer identified in the Order Form or signature block ("Customer", "Controller") (together, the "Parties") governing Customer's use of Leny's services (the "Services") (the "Agreement").

Execution. This DPA is effective upon (a) Customer's execution of an Order Form that incorporates this DPA by reference; (b) Customer's countersignature below; or (c) Customer's continued use of the Services after the Effective Date where Customer is a business user. For Customers that require a wet-ink or e-signed copy, contact info@leny.ai.

Order of precedence. In the event of a conflict, the documents will prevail in this order: (1) the EU Standard Contractual Clauses and any UK Addendum incorporated under Section 11; (2) this DPA; (3) the main Agreement; (4) any Order Form. This DPA does not apply to Protected Health Information ("PHI") subject to HIPAA — for PHI, the Parties must execute a separate Business Associate Agreement, which controls over this DPA with respect to PHI.

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement, GDPR, or applicable Data Protection Laws.

• 1.1 "Affiliate" means any entity controlling, controlled by, or under common control with a Party.
• 1.2 "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and its regulations.
• 1.3 "Controller" means the natural or legal person that determines the purposes and means of Processing of Personal Data; includes a "business" under the CCPA.
• 1.4 "Customer Personal Data" means Personal Data that Leny Processes on behalf of Customer in providing the Services.
• 1.5 "Data Protection Laws" means all laws applicable to a Party's Processing of Personal Data, including the EU GDPR (Regulation 2016/679), the UK GDPR and Data Protection Act 2018, the Swiss FADP, the CCPA, and other US state privacy laws (e.g., VCDPA, CPA, CTDPA, UCPA, TDPSA).
• 1.6 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates; includes a "consumer" under the CCPA.
• 1.7 "EU SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
• 1.8 "GDPR" means the EU General Data Protection Regulation (Regulation 2016/679) and, where applicable, the UK GDPR.
• 1.9 "Personal Data" has the meaning given in applicable Data Protection Laws; includes "personal information" under the CCPA.
• 1.10 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
• 1.11 "Processing" (and "Process") means any operation performed on Personal Data, whether or not by automated means.
• 1.12 "Processor" means the entity that Processes Personal Data on behalf of the Controller; includes a "service provider" under the CCPA.
• 1.13 "Restricted Transfer" means a transfer of Personal Data from the EEA, UK, or Switzerland to a country not subject to an adequacy decision.
• 1.14 "Sub-processor" means any third party engaged by Leny to Process Customer Personal Data.
• 1.15 "UK Addendum" means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner's Office under section 119A of the UK Data Protection Act 2018.

2. Roles and scope

2.1 Roles. With respect to Customer Personal Data, the Parties acknowledge that Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and Leny is the Processor (or sub-processor). Where Customer acts as a Processor for a third-party Controller, Customer represents it has all necessary authority to engage Leny on behalf of that Controller and to bind it to this DPA.

2.2 Scope. This DPA applies to all Processing of Customer Personal Data by Leny in the course of providing the Services.

2.3 Customer compliance. Customer warrants that (a) it has provided all required notices and obtained all required consents and lawful bases for Leny's Processing of Customer Personal Data under the Agreement; (b) its instructions to Leny comply with Data Protection Laws; and (c) it will not transmit any special category data, children's data, or PHI through the Services unless expressly permitted by the Agreement and, where applicable, a separate BAA.

3. Processing details

The subject matter, duration, nature and purpose of Processing, categories of Data Subjects, and types of Personal Data are set out in Annex 1. Processing will continue for the term of the Agreement and for any post-termination period required to comply with Section 12.

4. Customer instructions and compliance

4.1 Documented instructions. Leny will Process Customer Personal Data only on Customer's documented instructions, which include this DPA, the Agreement, the Order Form, and Customer's use of the Services in accordance with their documentation. Leny will not Process Customer Personal Data for any other purpose, including for its own commercial benefit, except as required by applicable law.

4.2 Required by law. If Leny is required by EU, Member State, UK, US federal or state, or other applicable law to Process Customer Personal Data outside Customer's instructions, Leny will (where legally permitted) inform Customer before Processing.

4.3 Unlawful instructions. Leny will inform Customer if, in its opinion, an instruction infringes Data Protection Laws. Leny may suspend Processing of an instruction it reasonably believes to be unlawful pending resolution.

4.4 AI/model training. Leny will not use Customer Personal Data to train, fine-tune, or improve generalized machine-learning models made available to other customers, except where data is irreversibly de-identified in accordance with applicable law and the CCPA's de-identification standard.

5. Confidentiality

Leny will ensure that personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations or are under an appropriate statutory duty of confidentiality, and will limit access to those personnel who need it to provide the Services.

6. Security measures

6.1 Leny will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Personal Data Breaches, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, in accordance with Annex 2 and Article 32 GDPR.

6.2 Leny may update its security measures from time to time, provided the level of protection is not materially decreased.

7. Sub-processors

7.1 General authorization. Customer provides Leny with general authorization to engage Sub-processors to Process Customer Personal Data, subject to this Section 7. The list of current Sub-processors is set out in Annex 3.

7.2 Flow-down. Leny will (a) impose on each Sub-processor written obligations no less protective than those in this DPA; and (b) remain liable to Customer for the acts and omissions of its Sub-processors to the same extent as if performed by Leny.

7.3 Notice of changes. Leny will provide Customer at least thirty (30) days' prior notice of any new or replacement Sub-processor by [updating the Sub-processor page at [URL] / email to Customer's designated contact]. Customer may subscribe to notifications at [URL].

7.4 Right to object. Customer may object on reasonable data-protection grounds within fifteen (15) days of notice. The Parties will work in good faith to resolve the objection. If not resolved, Customer may, as its sole remedy, terminate the affected Services for cause without penalty by written notice to Leny.

8. Data subject requests

8.1 Leny will, taking into account the nature of the Processing, provide reasonable assistance through appropriate technical and organizational measures to enable Customer to fulfill requests by Data Subjects to exercise their rights under Data Protection Laws (including access, rectification, erasure, restriction, portability, and objection).

8.2 If Leny receives a request directly from a Data Subject relating to Customer Personal Data, Leny will (where lawful) promptly redirect the Data Subject to Customer and notify Customer.

9. Personal data breaches

9.1 Leny will notify Customer of a Personal Data Breach without undue delay and in any event within seventy-two (72) hours of becoming aware.

9.2 The notice will include, to the extent then known: (a) the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (b) likely consequences; (c) measures taken or proposed to address the breach and mitigate its effects; and (d) the contact point for further information. Leny may provide information in phases as it becomes available.

9.3 Leny will reasonably cooperate with Customer in investigation, mitigation, and any required notifications to supervisory authorities or Data Subjects. Leny's notice is not an acknowledgment of fault or liability.

10. Data Protection Impact Assessments

Leny will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities required under Articles 35–36 GDPR, taking into account the nature of the Processing and information available to Leny.

11. International data transfers

11.1 Restricted Transfers from the EEA. Where Leny's Processing of Customer Personal Data involves a Restricted Transfer from the EEA, the EU SCCs are incorporated by reference and apply as follows:

• (a) Module Two (Controller-to-Processor) where Customer is a Controller;
• (b) Module Three (Processor-to-Processor) where Customer is itself a Processor;
• (c) Clause 7 (docking) applies; Clause 9(a) Option 2 (general authorization) applies, with the time period in Section 7.3 above; Clause 11 optional language is excluded; Clause 17 Option 1 applies, governed by the law of Ireland; Clause 18 specifies the courts of Ireland;
• (d) Annexes I, II, and III of the SCCs are populated by Annexes 1, 2, and 3 of this DPA.

11.2 UK transfers. For Restricted Transfers from the UK, the UK Addendum is incorporated, with the EU SCCs as the Approved EU SCCs. Tables 1, 2, and 3 are populated by reference to this DPA's Annexes; Table 4 — neither party may end the Addendum.

11.3 Swiss transfers. For Restricted Transfers from Switzerland, the EU SCCs apply with references to GDPR construed as references to the Swiss FADP and the competent supervisory authority being the Swiss FDPIC.

11.4 Data Privacy Framework. Where Leny self-certifies under the EU-US, UK Extension, and/or Swiss-US Data Privacy Framework ("DPF"), Leny will Process Customer Personal Data transferred from the EEA, UK, or Switzerland in accordance with its DPF commitments, and DPF certification may serve as an alternative transfer mechanism to the SCCs.

11.5 Conflicts. In the event of a conflict between the SCCs/UK Addendum and this DPA, the SCCs/UK Addendum prevail.

12. Return or deletion of personal data

12.1 Upon termination or expiration of the Agreement, Leny will, at Customer's choice, delete or return all Customer Personal Data, and delete existing copies, within ninety (90) days of termination, unless EU, UK, US, or other applicable law requires retention.

12.2 Backup copies will be deleted in the ordinary course of Leny's backup rotation, not to exceed [180] days, and will remain subject to this DPA until deletion.

13. Audits

13.1 Leny will make available to Customer information necessary to demonstrate compliance with Article 28 GDPR, including by providing copies of its most recent third-party audit reports and certifications (e.g., [SOC 2 Type II / ISO 27001 / HITRUST]) upon written request and subject to confidentiality.

13.2 Where the foregoing is not sufficient to demonstrate compliance, Customer may, no more than once per twelve (12) months (or more frequently if required by a supervisory authority or following a Personal Data Breach), conduct an audit on at least thirty (30) days' prior written notice, during business hours, in a manner that does not unreasonably interfere with Leny's operations, and subject to confidentiality. Customer will bear its own costs and reimburse Leny's reasonable costs of the audit.

13.3 Audits must not access other customers' data, Leny's source code, or trade secrets.

14. CCPA service-provider terms

14.1 With respect to Customer Personal Data subject to the CCPA, the Parties acknowledge that Customer is a "business" and Leny is a "service provider" as defined in the CCPA.

14.2 Leny will not:

• (a) Sell or share Customer Personal Data (as those terms are defined in the CCPA);
• (b) Retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement, including any commercial purpose;
• (c) Retain, use, or disclose Customer Personal Data outside the direct business relationship between the Parties; or
• (d) Combine Customer Personal Data with personal information received from or on behalf of any other person, or collected from Leny's own interaction with the Data Subject, except as expressly permitted by 11 CCR § 7050(b).

14.3 Leny will (a) comply with applicable obligations under the CCPA and provide the same level of privacy protection as required of Customer; (b) notify Customer if it determines it can no longer meet its obligations; and (c) permit Customer to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

14.4 Leny certifies that it understands the restrictions in this Section 14.

15. Liability

15.1 Each Party's aggregate liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability and exclusion of damages provisions in the Agreement. Where the Agreement does not specify, each Party's aggregate liability is capped at the fees paid or payable by Customer to Leny under the Agreement in the twelve (12) months preceding the event giving rise to the claim.

15.2 The Parties acknowledge that the liability cap and exclusions in the Agreement and this DPA represent an agreed allocation of risk and are commercially negotiated. The Parties may agree mutual carve-outs for breaches of confidentiality, data protection obligations, indemnification obligations, and gross negligence or willful misconduct, as set out in the Agreement.

15.3 Indemnification. Each Party's indemnification obligations relating to Personal Data are set out in the Agreement. Where not addressed, each Party will indemnify the other against third-party claims, including regulatory fines, arising from the indemnifying Party's material breach of this DPA, subject to the cap in Section 15.1.

15.4 Liability of one Party to a Data Subject under the EU SCCs is subject to the apportionment provisions of those SCCs and does not increase the cap in Section 15.1 as between the Parties.

16. General

16.1 Order of precedence. In the event of a conflict, the order set out in the Introduction applies.

16.2 Governing law. This DPA is governed by the law specified in the Agreement, except that (a) the EU SCCs are governed as specified in Section 11, and (b) where required by Data Protection Laws, the law of the relevant EU Member State, the UK, Switzerland, or the State of California applies.

16.3 Severability. If any provision is held invalid or unenforceable, the remaining provisions remain in effect.

16.4 No third-party beneficiaries, except as expressly provided in the EU SCCs or required by Data Protection Laws.

16.5 Updates. Leny may update this DPA from time to time to reflect changes in Data Protection Laws or its Sub-processors. Material changes will be notified to Customer at least thirty (30) days in advance.

16.6 Notices under this DPA must be sent to Leny at info@leny.ai and to Customer at the contact specified in the Agreement.

Annex 1 — Details of processing

A. List of Parties

• Data Exporter (Controller): Customer, as identified in the Agreement / Order Form. Contact: [Customer DPO / privacy contact]. Role: Controller (or Processor on behalf of a third-party Controller). Activities relevant to transfer: Use of the Services. Signature/date: Per Agreement.
• Data Importer (Processor): Leny, 7660H Fay Ave, Suite 504, La Jolla, CA 92037, California, USA. Contact: info@leny.ai. Role: Processor. Activities relevant to transfer: Provision of the AI health-companion Services (consumer chat and clinician-assistant features). Signature/date: Per Agreement.

B. Description of Processing

C. Competent Supervisory Authority

For EU SCC purposes, the supervisory authority is the Irish Data Protection Commission, or such other authority as required under Clause 13 of the EU SCCs.

Annex 2 — Technical and organizational security measures

Leny implements and maintains the following measures, as may be updated from time to time provided the level of protection is not materially decreased:

1. Encryption.
   • (a) Data in transit: TLS 1.2 or higher for all external connections.
   • (b) Data at rest: AES-256 encryption for production data stores and backups.
2. Access control.
   • (a) Role-based access control (RBAC) with least-privilege provisioning.
   • (b) Multi-factor authentication (MFA) required for all administrative access to production systems.
   • (c) Quarterly access reviews; prompt deprovisioning on personnel changes.
   • (d) Centralized identity and SSO for internal systems.
3. Network and infrastructure security.
   • (a) Hosting in [AWS] facilities benefiting from physical security controls (24/7 monitoring, biometric access).
   • (b) Logical network segmentation; security groups and private subnets for production workloads.
   • (c) Web application firewall and DDoS protection at the perimeter.
4. Logging and monitoring.
   • (a) Centralized application, system, and access logging.
   • (b) Continuous security monitoring and alerting on anomalous events.
   • (c) Log retention consistent with applicable legal and operational requirements.
5. Vulnerability management.
   • (a) Automated dependency and container scanning in CI/CD.
   • (b) Periodic third-party penetration testing (at least annually).
   • (c) Documented patch management and remediation SLAs based on severity.
6. Secure development.
   • (a) Code review required for production changes.
   • (b) Secrets management via a managed secrets store.
   • (c) Separation of development, staging, and production environments.
7. Personnel security.
   • (a) Background checks for personnel with access to Customer Personal Data, where permitted by law.
   • (b) Mandatory annual security and privacy training.
   • (c) Written confidentiality obligations.
8. Business continuity and disaster recovery.
   • (a) Documented BC/DR plan with periodic testing.
   • (b) Encrypted, geographically redundant backups.
9. Incident response.
   • (a) Documented incident-response plan with defined roles and communications procedures.
   • (b) Post-incident review process.
10. Vendor management.
    • (a) Risk-based due diligence on Sub-processors.
    • (b) Written data-protection terms with all Sub-processors handling Customer Personal Data.
11. Data minimization and segregation.
    • (a) Logical separation of Customer data by tenant.
    • (b) De-identification or pseudonymization where feasible.
12. Compliance assurance.
    • (a) Maintenance of independent attestations such as [SOC 2 Type II / ISO 27001 / HITRUST] (target / in progress).

Annex 3 — Approved sub-processors

The following Sub-processors are approved as of the Effective Date:

The current Sub-processor list is maintained at [https://leny.ai/sub-processors] and may be updated in accordance with Section 7.