Enclave | Data Processing Agreement

Data Processing Agreement

Last updated: March 21, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written or electronic agreement (“Agreement”) between the entity that executed the agreement and Enclave AI Inc. d/b/a Enclave (“Enclave”). Unless otherwise defined in this DPA, all capitalized terms used in this DPA will have the meanings given to them in the the Agreement.

1. Scope

1.1 Roles of Parties. With respect to Customer Data that constitutes “personal data,” “personal information,” “personally identifiable information,” or any analogous term under applicable Data Protection Law (“Customer Personal Data”), (a) Customer is the “controller” and “business” (as such terms are defined under applicable Data Protection Law) and Enclave is the “processor” and “service provider” (as such terms are defined under applicable Data Protection Law). Each Party will comply with its respective obligations under applicable privacy and data protection law (“Data Protection Law”) in connection with the Services and Customer Personal Data.

1.2 Scope of Processing. The subject matter, nature and purpose of Enclave’s Processing of Customer Personal Data, the types of Customer Personal Data Processed by Enclave, and categories of applicable data subjects are set out in Schedule I.

1.3 Conflicts in Interpretation. If there is any inconsistency or conflict between terms of this DPA (“DPA”) and the other terms of the Agreement, the terms of this DPA will control to the extent of such inconsistency or conflict.

2. Customer Personal Data

2.1 Customer Personal Data Processing. Enclave will only Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions, which are set forth in this DPA, the Agreement, or otherwise provided by Customer to Enclave in writing (“Documented Instructions”). Unless prohibited by applicable Law, Enclave will inform Customer if Enclave is subject to a legal obligation that requires Enclave to Process Customer Personal Data in contravention of Customer’s Documented Instructions.

2.2 Enclave Responsibilities: Enclave will not (a) “sell” or “share” (as such terms are defined in the California Consumer Privacy Act (“CCPA”)) Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than in accordance with the Documented Instructions, (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Enclave, nor (d) except as otherwise permitted under applicable Data Protection Law, combine Customer Personal Data with personal data that Enclave receives from or on behalf of any third party.

3. Subprocessors

3.1 Authorization. Customer provides general authorization for Enclave to engage the following subprocessors as described at https://enclave.ai/trust/subprocessors (“Subprocessors”). Enclave will (a) enter into a contractual agreement with each Subprocessor that imposes data protection obligations that are substantially as protective as Enclave’s obligations under this DPA to the extent applicable to the nature of the services provided by such Subprocessor and (b) remain responsible for the acts and omissions of the Subprocessors’ Processing of Customer Personal Data under this DPA.

3.2 Notice of New Subprocessors. Enclave will provide Customer reasonable advance notice prior to appointing any new Subprocessor. Customer may object to the appointment of such new Subprocessor within 15 days of the date of such notice on reasonable privacy or security grounds by providing Enclave written notice of its objection. In the event that Customer objects to Enclave’s appointment of a new Subprocessor, Customer and Enclave will work together in good faith to address any such objection.

4. Assistance

4.1 Data Subject Rights. Enclave will (a) promptly forward to Customer any request it receives from “data subjects” or “consumers” (as such terms are defined under applicable Data Protection Law) to exercise their rights under applicable Data Protection Law relating to Customer Personal Data, (b) advise such data subjects and consumers to submit such requests directly to Customer, and (c) provide Customer with reasonable assistance as necessary for Customer to fulfil its obligations under applicable Data Protection Laws to respond to such requests.

4.2 Cooperation. Taking into account the nature of the Processing, Enclave will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligations under applicable Data Protection Laws, including to conduct data protection impact assessments and consultations with regulatory authorities. Enclave may charge Customer a reasonable fee for such assistance under this Section 4.2.

5. Security

5.1 Security Measures. Enclave has implemented and will maintain reasonable and appropriate technical and organization security measures designed to protect the security of Customer Personal Data as described on Enclave’s Trust Center at https://enclave.ai/trust (“Security Measures”). The Parties acknowledge that the Security Measures provide an appropriate level of security for the risks of the Processing of Customer Personal Data under the Agreement. Enclave may update or modify the Security Measures provided that such updates and modifications do not materially decrease the overall security of the Services.

5.2 Security Incident. Enclave will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of any breach of Enclave’s security leading to the accidental or unauthorized access to, or disclosure or use of, Customer Personal Data (“Security Incident”). Enclave will assist Customer in complying with Customer’s obligations under applicable Data Protection Law by making reasonable efforts to provide Customer with information relating to the Security Incident. Enclave will also use reasonable efforts to investigate the Security Incident and mitigate the effects and remediate the causes of the Security Incident.

5.3 Audit Reports and Certifications. Enclave is audited against established industry standards. Upon Customer’s written request, Enclave will provide to Customer with Enclave’s audit reports or certifications, or other information reasonably necessary to demonstrate compliance with this DPA.

5.4 Audits. Upon Customer’s written request, no more than once every 12 months, Enclave will permit Customer to audit Enclave’s controls applicable to its Processing of Customer Personal Data and compliance with this DPA (“Audit”), provided that such Audit is conducted at Customer’s sole cost, during normal business hours, in a manner that causes minimal disruption, and in accordance with mutually agreed upon scope and terms.

6. International Data Transfers

6.1 Data Transfers. Customer authorizes Enclave to conduct transfers of Customer Personal Data to countries deemed to have an adequate level of data protection by the European Commission or the applicable competent regulatory authority on the basis of adequate safeguards in accordance with Data Protection Law or pursuant to (a) the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time (“EU SCCs”) or (b) the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, as amended, superseded or replaced from time to time (“UK Addendum”).

6.2 EU Data Transfers. For transfers of Customer Personal Data from the European Union, Enclave and Customer conclude Module 2 (controller-to-processor) of the EU SCCs and, if Customer is a processor on behalf of a third-party controller, Module 3 (Processor-to-Subprocessor) of the EU SCCs, which are incorporated herein and completed as follows: (a) the “data exporter” is Customer; (b) the “data importer” is Enclave; (c) the optional docking clause in Clause 7 is implemented; (d) option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 3.2; (e) the optional redress clause in Clause 11(a) is struck; (f) option 1 in Clause 17 is implemented; (g) the governing law is the law of Ireland and the courts in Clause 18(b) are the Courts of Dublin, Ireland; and (h) Annex I and Annex II to Module 2 and 3 of the EU SCCs are Schedule I and the Security Measures respectively. For transfers of Customer Personal Data from Switzerland, any dispute arising from these EU SCCs relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland and data subjects who have their habitual residence in Switzerland may bring claims under the EU SCCs before the courts of Switzerland.

6.3 UK Data Transfers. For transfers of Customer Personal Data from the United Kingdom, Enclave and Customer conclude the UK Addendum, which is incorporated herein and completed as follows: (a) in Table 1, the “Exporter” is Customer and the “Importer” is Enclave, their details are set forth in this DPA and the Agreement; (b) in Table 2, the first option is selected and the “Approved EU SCCs” are the EU SCCs referred to in Section 6.2; (c) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Schedule I and the Security Measures respectively; and (d) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

Schedule I — Description of Processing

1. List of Parties

Data exporter:
Name: Customer.
Activities relevant to the data transferred under these Clauses: Customer receives the Services as described in the Agreement and Customer provides Customer Personal Data to Enclave in that context.
Role (controller/processor): Controller.

Data importer:
Name: Enclave.
Activities relevant to the data transferred under these Clauses: Enclave provides the Services to Customer as described in the Agreement and Processes Customer Personal Data on behalf of Customer in that context.
Role (controller/processor): Processor on behalf of Customer.

2. Categories of Data Subjects

Customer and Customer’s users.

3. Categories of Personal Data Transferred

Customer Personal Data, the content of which is determined and controlled by Customer and its Users.

4. Sensitive Data Transferred (If Applicable)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A.

5. Frequency of the Transfer

The frequency of the International Data Transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis): On a continuous basis.

6. Nature of the Processing

The Customer Personal Data will be processed and transferred as described in the Agreement and DPA.

7. PURPOSE(S) OF THE INTERNATIONAL DATA TRANSFER AND FURTHER PROCESSING

The Customer Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement and DPA.

8. Duration of Processing

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Customer Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.

9. Sub-Processor Transfers

For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing: For the subject matter and nature of the Processing, reference is made to the Agreement and DPA. The Processing will take place for the duration of the Agreement.

10. Competent Supervisory Authority

The competent authority for the Processing of Customer Personal Data relating to data subjects located in the EEA is the Supervisory Authority of Ireland.

The competent authority for the Processing of Customer Personal Data relating to data subjects located in the UK is the UK Information Commissioner.

The competent authority for the Processing of Customer Personal Data relating to data subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.

11. Technical and Organizational Measures

Enclave will implement security safeguards designed to protect the security, confidentiality and integrity of Personal Data as described on Enclave’s Trust Center at https://enclave.ai/trust.