Data Processing Addendum

Effective: 10 May 2026 · Last updated: 10 May 2026

This Data Processing Addendum ("DPA") supplements the Proparion Terms of Service between Kedros Solution ("Processor", "Kedros", "we") and the customer identified in the Order Form ("Controller", "Customer", "you") and is automatically incorporated into the agreement when the Customer's processing of Personal Data falls within the scope of the Digital Personal Data Protection Act 2023 (India), the EU General Data Protection Regulation 2016/679, the UK GDPR, or any equivalent data-protection law.

By signing the Order Form (or by clicking I accept the DPA in your account settings, when available), the Customer accepts this DPA without further signature.

1. Definitions

  • Personal Data means information relating to an identified or identifiable natural person processed by Kedros on behalf of the Customer through the Service.
  • Processing, Data Subject, Controller, Processor, and Sub-processor have the meanings given under DPDP Act 2023, GDPR, or equivalent law.
  • Service means the Proparion product and related services described at proparion.com.

2. Subject matter and duration

The subject matter of processing is the operation of Proparion. Duration matches the Subscription term plus a 30-day post-termination data-export window.

3. Roles and responsibilities

  • The Customer is the Controller of all Personal Data uploaded to or generated within its account.
  • Kedros is the Processor and processes Personal Data only on documented instructions from the Customer (the act of using the Service constitutes such instructions).
  • Customer is responsible for the lawfulness of any Personal Data it submits to the Service.

4. Categories of data and data subjects

  • Categories of Personal Data: account identifiers (name, email, role), uploaded customer content (proposals, RFPs, drafts, edits, citations), usage logs, billing metadata.
  • Categories of Data Subjects: Customer's employees, contractors, end users, and any natural persons referenced in customer content.
  • Special / sensitive categories: Customer shall not upload special-category data (health, biometric, financial-account credentials, etc.) without a separate agreement.

5. Sub-processors

Customer authorises Kedros to engage sub-processors listed at /subprocessors, each bound by data-protection terms substantively equivalent to this DPA. Kedros remains liable for sub-processor acts as if they were its own.

Kedros will notify Customer at least 30 days in advance of adding a new sub-processor processing Personal Data. The Customer may object on reasonable grounds; if an alternative cannot be agreed within 14 days, the Customer may terminate the Subscription with a pro-rated refund of any prepaid amounts.

6. Security measures

Kedros implements appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Postgres Row-Level Security per organisation; access keyed to authenticated session JWT.
  • Role-based access controls; principle of least privilege for Kedros personnel.
  • Append-only audit logs of every state-changing action.
  • Standard-Webhooks signature verification for billing events.
  • Annual review of vendor security postures and penetration tests as warranted by scale.

Full details at /security.

7. International transfers

Customer data is stored at rest in India (AP-South-1, Mumbai). Kedros may transfer Personal Data to its sub-processors in other regions for processing only (LLM inference, edge serving). For such transfers, Kedros relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/EEA.
  • Equivalent transfer mechanisms required under the DPDP Act 2023 and other applicable laws once promulgated.

8. Data subject rights

Kedros provides Customer with self-service tools (account settings, export endpoints, support requests) that enable the Customer to fulfil its obligations to respond to Data Subject requests under applicable law (access, rectification, erasure, restriction, portability, objection).

If a Data Subject contacts Kedros directly, we will refer them to the Customer (Controller) and assist Customer at cost.

9. Personal Data breach notification

On becoming aware of a confirmed Personal Data breach affecting Customer Personal Data, Kedros will notify the Customer's designated contact within 72 hours, providing the information required under DPDP Act / GDPR Article 33 to the extent known.

10. Audit rights

Customer may, no more than once per year and on at least 30 days' written notice, request reasonable evidence of Kedros's compliance with this DPA, including:

  • Then-current security overview at /security.
  • Sub-processor list, certifications, and SOC 2 / ISO 27001 reports of relevant sub-processors (subject to NDA).
  • Written responses to a reasonable security questionnaire.

In-person audits are at Customer's expense and require mutually agreed scope and timing.

11. Return or deletion of data

On termination, Kedros will:

  • Provide Customer with self-service export of all Customer Data for 30 days post-termination.
  • After the export window, delete Customer Data from active systems within 30 days, and from backups within a further 90 days.
  • Retain only the minimum data required to comply with legal obligations (e.g. tax records — 7 years per Indian law).

12. Liability

Liability under this DPA is subject to the limitation of liability set out in the Terms of Service. Nothing in this DPA limits a party's liability for intentional misconduct or for matters that cannot be limited under applicable law.

13. Governing law

This DPA is governed by the laws of India and is subject to the dispute-resolution mechanism in the Terms of Service. For Customers established in the EEA / UK, Standard Contractual Clauses are governed by their own choice-of-law provisions.

14. Entire agreement

This DPA forms part of and is incorporated into the Terms of Service. In the event of conflict between this DPA and the Terms of Service in respect of Personal Data, this DPA prevails.

15. Contact

Data protection inquiries: write to hello@proparion.com with subject "Data Protection".

Need a counter-signed copy?

Most customers proceed under this standing DPA without additional signature. If your procurement team requires a counter-signed version, email hello@proparion.com with subject "DPA Counter-sign" and we'll return a PDF within 2 business days.