Data Processing Addendum
Effective May 9, 2026
1. Parties
This Data Processing Addendum ("DPA") is entered into by and between:
- Processor: Matthew Moser d/b/a JCIL.AI, 130 Bishop Allen Drive, 5th Floor, Cambridge, MA 02139, United States ("JCIL.AI")
- Controller: ____________________________________________ ("Customer"), located at ____________________________________________
This DPA is incorporated into and forms part of the Terms of Service (the "Agreement") between the parties.
2. Definitions
- "Personal Information" has the meaning assigned to it by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA").
- "Process" and "Processing" mean any operation performed on Personal Information.
- "Services" means the JCIL.AI chat, JCIL Cloud API, and all related functionality.
- "Subprocessor" means any third party engaged by JCIL.AI to Process Personal Information on JCIL.AI's behalf.
3. Subject matter and scope
JCIL.AI will Process Personal Information solely to provide the Services to Customer, as instructed by Customer through the Services and the Agreement. The duration of Processing matches the term of the Agreement and any retention periods required by law.
Categories of data subjects: Customer's end users (staff, members, students, congregants, visitors to Customer's web properties where a JCIL Cloud widget is deployed).
Categories of Personal Information: email address, display name, conversation content, IP address, approximate location derived from IP, payment method metadata (handled by Stripe), usage metrics, optional long-term memory derived from conversations.
4. Obligations of JCIL.AI as Processor
JCIL.AI shall:
- Process Personal Information only on documented instructions from Customer, including with regard to transfers to a third country;
- Ensure that persons authorized to Process Personal Information are bound by confidentiality;
- Implement the technical and organizational security measures described in Section 7 and in the JCIL.AI Security page;
- Assist Customer, insofar as possible, in fulfilling Customer's obligations to respond to requests from data subjects exercising their rights under applicable law (including CCPA);
- At Customer's choice, delete or return all Personal Information after the end of the provision of Services, except where applicable law requires storage;
- Make available to Customer all information necessary to demonstrate compliance with this DPA.
5. Subprocessors
Customer authorizes JCIL.AI to engage the Subprocessors listed on the Subprocessors page to Process Personal Information. JCIL.AI will give Customer 30 days' advance notice of any intended change to that list, via email to the address Customer supplies.
If Customer reasonably objects to a new Subprocessor, Customer may, as its sole remedy, terminate the Agreement by giving written notice within the notice period.
6. CCPA — Service Provider status
The parties acknowledge that JCIL.AI is a "Service Provider" to Customer within the meaning of Cal. Civ. Code § 1798.140(ag). JCIL.AI shall not:
- Sell or Share Personal Information (as those terms are defined in CCPA);
- Retain, use, or disclose Personal Information outside the direct business relationship between JCIL.AI and Customer;
- Retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services, including for advertising or marketing purposes.
JCIL.AI certifies that it understands these restrictions and will comply with them.
7. Security measures
JCIL.AI will maintain the security measures described on the JCIL.AI Security page, which include:
- TLS 1.3 in transit; AES-256 at rest via Supabase-managed Postgres and Supabase Storage
- Row Level Security on every user-scoped table; hashed API keys; HMAC-signed safety webhooks
- Layered moderation: Upstash Redis rate limiting, OpenAI Moderation API, local jailbreak detection, progressive violation penalties
- Default-deny on security infrastructure failure
- US-based infrastructure (Vercel iad1, Supabase us-east-2)
8. Personal Information Breach notification
JCIL.AI shall notify Customer without undue delay after becoming aware of a Personal Information Breach affecting Customer's Personal Information. Notice shall include, at a minimum, the nature of the breach, likely consequences, and measures taken or proposed.
9. Data subject rights
Taking into account the nature of the Processing, JCIL.AI shall assist Customer by appropriate technical and organizational measures, for the fulfillment of Customer's obligation to respond to requests for exercising data subject rights. Data export, deletion, and correction functionality is built into JCIL.AI account settings and the API.
10. Term and termination
This DPA shall remain in force as long as JCIL.AI Processes Personal Information on behalf of Customer. Upon termination of the Agreement, JCIL.AI shall, at Customer's option, delete or return all Personal Information in its possession and delete existing copies, except as required by applicable law.
11. Governing law
This DPA is governed by the laws of the Commonwealth of Massachusetts, United States, without regard to conflict-of-laws principles. Any disputes shall be resolved in the state or federal courts located in Middlesex County, Massachusetts.
12. Signatures
Processor
Founder, JCIL.AI
Date: May 9, 2026
Controller (Customer)
Title: ______________________
Date: ______________________