Data Processing Addendum.
Terms governing Brevor Tech, Inc.'s processing of personal data on behalf of enterprise customers.
1. Scope and definitions
This Data Processing Addendum ("DPA") forms part of the master service agreement ("Agreement") between the customer ("Controller") and Brevor Tech, Inc. and its operating subsidiaries ("Processor") for the provision of Bridge products and related services ("Services"). It governs Processor's processing of personal data on behalf of Controller.
Capitalized terms not defined here have the meanings given in the Agreement or in applicable data protection law, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended ("CCPA/CPRA"), and other applicable laws.
In the event of a conflict between this DPA and the Agreement, this DPA controls as to the processing of personal data.
2. Roles of the parties
Controller is the controller of personal data processed through the Services. Processor processes personal data only on documented instructions from Controller, including the Agreement, this DPA, and deployment-specific configurations.
Where Controller acts as a processor on behalf of a third party (for example, a health system processing payer data), the parties acknowledge that Processor acts as a sub-processor. Processor's obligations under this DPA apply with equivalent effect.
3. Description of processing
Subject matter: processing of personal data necessary to provide the Services.
Duration: the term of the Agreement plus any post-termination period required for return or deletion.
Nature and purpose: behavioral routing, policy enforcement, audit logging, model gateway operations, and deployment support.
Categories of data subjects: Controller's employees, contractors, end users, customers, patients, members, students, citizens, or other persons whose data passes through the deployment.
Categories of personal data: as configured by Controller and described in the deployment-specific data inventory delivered at kickoff. May include identifiers, contact data, professional data, health data, financial data, and content of AI interactions.
4. Processor obligations
Processor will: (a) process personal data only on Controller's documented instructions, including with regard to international transfers; (b) ensure persons authorized to process personal data are bound by appropriate confidentiality obligations; (c) implement the technical and organizational measures described at /security; (d) assist Controller in responding to data subject requests and supervisory authority inquiries; and (e) at Controller's election, delete or return all personal data at the end of the Services and delete existing copies unless retention is required by law.
Processor will not sell personal data, share personal data for cross-context behavioral advertising, or retain, use, or disclose personal data outside the direct business relationship between the parties.
5. Sub-processors
Controller authorizes Processor to engage sub-processors listed at /security. Processor will provide at least thirty (30) days' prior written notice (via the customer console or account team) before adding or replacing a sub-processor. Controller may object on reasonable data protection grounds; the parties will work in good faith to resolve any objection.
Processor remains responsible for the performance of sub-processors' obligations under this DPA.
6. Security and breach notification
Processor implements and maintains the technical and organizational measures described at /security, including encryption in transit and at rest, access controls, logging, vulnerability management, and personnel security.
Processor will notify Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Controller's personal data, and will provide reasonable assistance in Controller's investigation, mitigation, and notification obligations.
7. Audits
Processor makes available current SOC 2 Type II, HITRUST, and ISO 27001 reports, and similar third-party attestations, to demonstrate compliance. Controller may, no more than once per twelve-month period and at Controller's expense, conduct an audit of Processor's processing under reasonable advance notice and during business hours, subject to confidentiality and reasonable security restrictions.
Supervisory authority audits are accommodated as required by law.
8. International transfers
Where Controller's personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2 or Module 3, as applicable, Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum by reference. Module selection and country list are recorded in the deployment-specific transfer impact assessment.
Single-tenant deployments support data residency in specified cloud regions; see deployment scoping documentation.
9. Data subject requests
Processor will, to the extent legally permitted, promptly notify Controller of any data subject request received directly. Processor will not respond to such requests except on Controller's documented instructions or as required by law.
Processor will provide reasonable technical assistance, including through the Bridge audit and export interfaces, to enable Controller to fulfill its obligations to respond to data subject requests for access, correction, deletion, restriction, and portability.
10. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
11. Term and termination
This DPA takes effect on the effective date of the Agreement and remains in force for so long as Processor processes personal data on behalf of Controller. Termination of the Agreement terminates this DPA, except for provisions that by their nature survive (including return or deletion of personal data, confidentiality, and audit).
For DPA questions or to request the signed counterpart: legal@brevortech.com.