Data Processing Addendum

Effective 2026-05-09.

Pre-launch draft — under counsel review. For specific questions, email legal@modelxcel.com.

This Data Processing Addendum ("DPA") supplements the Terms of Service between you ("Customer") and ModelXcel ("Processor"). It governs Processor's handling of personal data on Customer's behalf where applicable data-protection laws require a written agreement (notably the GDPR and UK GDPR).

Enterprise customers requiring a signed DPA should email legal@modelxcel.com. A countersigned PDF will be returned within five business days.

This document is a pre-launch draft under counsel review.

01. Definitions

"Personal Data," "Data Subject," "Controller," and "Processor" have the meanings given in Article 4 GDPR. "Sub-processor" means any third party engaged by Processor to process Personal Data on Customer's behalf.

02. Scope and processing

Customer is the Controller of Personal Data submitted to the Service. Processor will process Personal Data only on documented instructions from Customer (the Service configuration, support requests, and the Terms constitute such instructions), except where required by law.

03. Sub-processors

Customer authorizes Processor's use of the following sub-processors:

  • Stripe, Inc. — payment processing — US (with EU data residency where required)
  • Brevo (sendinblue SAS) — transactional and marketing email — EU (France)
  • Vercel Inc. — website hosting — US/EU edge
  • Neon Inc. — managed Postgres — EU region for EU Customer data
  • PostHog Inc. — product analytics — EU region

Processor will notify Customer at least 30 days before adding or replacing a sub-processor; Customer may object on reasonable grounds within 14 days.

04. International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a third country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2: Controller-to-Processor), the UK International Data Transfer Addendum, and the Swiss equivalent, as applicable. The clauses are deemed incorporated by reference and prevail over conflicting terms.

05. Security measures

  • TLS 1.2+ for all network traffic.
  • Encryption at rest for the application database (AES-256).
  • License signing keys stored in a managed KMS; never in source control.
  • Role-based access control for ModelXcel staff with audit logging.
  • Annual penetration testing (post-launch); summary reports available under NDA.
  • Incident response with notification to Customer within 72 hours of a confirmed breach.

06. Data subject rights

Processor will assist Customer in responding to data-subject requests (access, rectification, erasure, portability, objection) within five business days of Customer's written request. Tooling for self-service export and deletion is available in the account portal.

07. Audits

On reasonable written notice (and no more than once per 12 months), Customer may audit Processor's compliance with this DPA. Audits may be performed by independent third parties under NDA. Processor will provide reasonable assistance and access to relevant personnel and documentation.

08. Return and deletion

On termination, Processor will return or delete all Customer Personal Data within 30 days, except where applicable law requires retention. A deletion certificate is available on request.

09. Liability

The liability provisions of the Terms apply to this DPA. The parties' liability under the Standard Contractual Clauses is subject to the same caps, except where such limits are prohibited by law.

10. Contact

DPA execution and questions: legal@modelxcel.com. Privacy operations: privacy@modelxcel.com.