CognitiveView Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the CognitiveView

Terms of Service or any other agreement (the “Agreement”) between CognitiveView and the Customer governing the provision and use of the CognitiveView Services (the “Service”).

‍1. Parties and ScopeThis DPA applies when Customer Data is processed by CognitiveView in the course of providing the Service.Region
Contracting EntityData-Protection Law
United StatesCognitiveView Inc., Austin TX
CCPA / CPRA (California Privacy Rights Act)Australia
CognitiveView Pty Ltd (ABN 54 629 780 338), Melbourne VIC
Privacy Act 1988 (AU)India
CognitiveView Pvt Ltd, Bhubaneswar OdishaDigital Personal Data Protection Act 2023All othersCognitiveView Inc., Austin TXEU GDPR / UK GDPR

‍2. DefinitionsTerms like Controller, Processor, Sub-Processor, Data Subject, Personal Data, and Processing have the meanings in the applicable Data-Protection Law. “Customer Data” means any Personal Data submitted to or generated within the Service by or for Customer.

3. Roles of the PartiesCustomer acts as Controller (or Business under CCPA).
‍CognitiveView acts as Processor (or Service Provider / Data Processor).Both parties will comply with applicable Data-Protection Law.

‍4. Processing Instructions
‍CognitiveView shall:Process Customer Data only on documented instructions from Customer as described in the Agreement, this DPA, or Customer’s in-product settings;not process Customer Data for any purpose other than providing and improving the Service;not “sell” or “share” Customer Data as defined by CCPA/CPRA;ensure that all persons authorized to process Customer Data are bound by confidentiality.

‍5. Nature and Purpose of Processing
‍PurposeDescriptionService DeliveryHosting, storage, configuration, incident resolution, usage analytics, and related technical operations.Security & ComplianceMonitoring, logging, backup, and investigation of security events.Product ImprovementAggregated and anonymized analytics to enhance performance and reliability (never to train external models).Support ServicesCustomer-initiated support requests and diagnostics.
‍Data Types: identifiers, business contact details, authentication data, usage logs, metadata, uploaded documents or policies.Data Subjects: Customer’s employees, contractors, clients, or vendors as configured by Customer.

6. Sub-Processors CognitiveView may engage Sub-Processors to support the Service.A current list is available at: https://www.cognitiveview.com/subprocessors.
CognitiveView will notify Customer of new Sub-Processors and allow objection for reasonable privacy grounds within 30 days.CognitiveView ensures each Sub-Processor is bound by written terms offering equivalent data-protection obligations.7. International TransfersCognitiveView may transfer Customer Data globally subject to adequate safeguards:EU/EEA → US / Other: Standard Contractual Clauses (EU 2021/914, Modules 2 & 3).UK → US / Other: UK International Data Transfer Addendum (IDTA).Australia / India / Other: transfers follow applicable local adequacy or contractual mechanisms.CognitiveView will provide executed SCCs/IDTA upon request.

‍8. SecurityCognitiveView maintains an information-security program aligned to ISO 27001 / SOC 2, including:Encryption in transit and at rest;Logical access controls & MFA;Network segmentation & firewalls;Vulnerability and penetration testing;Employee security awareness & background screening;Incident response and logging.A high-level overview is available at https://www.cognitiveview.com/security.

‍9. Personal Data BreachCognitiveView will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach. The notice will include details to assist Customer in meeting legal obligations. CognitiveView will cooperate in remediation and investigation.

‍10. Assistance to CustomerTaking into account the nature of Processing and information available, CognitiveView will assist Customer to:Respond to Data-Subject requests (access, correction, deletion, portability, objection);Carry out DPIAs and prior consultations with regulators;Demonstrate compliance with Data-Protection Law.

‍11. Return or Deletion
‍At termination or upon Customer’s written request, CognitiveView shall delete or return all Customer Data (at Customer’s choice) within 30 days, unless retention is required by law. Deletion includes removal from active systems and subsequent overwriting of backups per retention schedule.

‍12. Audits
‍Upon reasonable written notice (no more than once per year and subject to confidentiality), Customer may review available audit reports or request a virtual audit.Third-party audits may be conducted by an independent auditor bound by confidentiality and limited to verifying compliance with this DPA.

‍13. CCPA / CPRA-Specific Terms
‍CognitiveView shall:Act solely as a Service Provider under CCPA/CPRA;not combine Customer Data with data obtained from other sources except as permitted for Service delivery;provide assistance for Consumer rights requests to the extent applicable.

14. India DPDP Act 2023CognitiveView Pvt Ltd will act as a Data Processor under DPDP 2023. Customer is the Data Fiduciary. CognitiveView will:process only on lawful instructions;implement reasonable security safeguards;notify Customer and the Data Protection Board of any breach if required;ensure onward transfers are covered by equivalent protection.

‍15. LiabilityEach party’s aggregate liability arising from this DPA is subject to the limitation of liability set forth in the Agreement.

16. Duration and TerminationThis DPA remains in effect for as long as CognitiveView processes Customer Data under the Agreement.

‍17. Contact for Data ProtectionCognitiveView Privacy Office
Email: sales@cognitiveview.com
Mailing Address: CognitiveView Inc., Austin, Texas USA