
Data Processing Addendum

GDPR Article 28 compliant data processing agreement governing personal data handled on your behalf.

Last Updated: March 15, 2026
Effective: April 1, 2026

This Data Processing Addendum (“DPA”) is entered into between the customer entity identified in the applicable Order Form (“Controller” or “Customer”) and Seismic Swift AI, Inc. (“Processor” or “Seismic Swift AI”), and forms part of the Master Services Agreement or Terms of Service between the parties. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applies to all personal data processed by Seismic Swift AI on behalf of Customer in connection with the provision of the Service. To the extent of any conflict between this DPA and the governing agreement, this DPA shall control with respect to the processing of personal data.

1. Definitions (GDPR Article 4)

1.1 “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”), as defined in GDPR Article 4(1).

1.2 “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction, as defined in GDPR Article 4(2).

1.3 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of Personal Data, as defined in GDPR Article 4(7). For purposes of this DPA, Customer is the Controller.

1.4 “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller, as defined in GDPR Article 4(8). For purposes of this DPA, Seismic Swift AI is the Processor.

1.5 “Sub-processor” means any third party engaged by Seismic Swift AI to process Personal Data on behalf of Customer.

1.6 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates, as defined in GDPR Article 4(1).

1.7 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries adopted pursuant to European Commission Decision 2021/914 of 4 June 2021.

1.8 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed, as referenced in GDPR Article 4(12).

1.9 “Customer Data” means all data, including Personal Data, uploaded by Customer to, stored in, or processed through the Service.

2. Processing Scope

2.1 Subject Matter. Seismic Swift AI processes Personal Data solely for the purpose of providing the Service as described in the governing agreement and as further instructed by Customer from time to time in writing.

2.2 Nature and Purpose of Processing. The processing activities include: hosting and storage of Customer Data on Azure infrastructure; authentication and authorisation of Authorised Users; operation of AI inference pipelines and workflow orchestration; generation and delivery of interpretation outputs; provision of human-in-the-loop review capabilities; and maintenance of cryptographic audit logs.

2.3 Categories of Personal Data. The categories of Personal Data processed under this DPA include: (a) Account and identity data: full name, business email address, job title, employer name, telephone number; (b) Access and usage data: IP addresses, device identifiers, browser type, session identifiers, API usage logs, feature interaction data; (c) Professional correspondence: support tickets, email communications, chat records; and (d) Any Personal Data contained within Customer Data uploaded by Customer (Seismic Swift AI processes such data solely as instructed by Customer).

2.4 Categories of Data Subjects. Customer's employees, contractors, consultants, and authorised users who access and use the Service; and any natural persons whose Personal Data is contained within Customer Data.

2.5 Duration. Seismic Swift AI processes Personal Data for the duration of the Subscription Term and for such additional periods as may be required to fulfil legal retention obligations or to comply with Customer's documented instructions, subject to Section 11 of this DPA.

3. Controller Obligations

3.1 Customer, acting as Controller, shall: (a) ensure that it has established one or more lawful bases under GDPR Article 6 for each category of Personal Data processed pursuant to this DPA; (b) provide Data Subjects with all required notices and information regarding the processing of their Personal Data in accordance with GDPR Articles 13 and 14; (c) obtain any necessary consents, authorisations, or permissions from Data Subjects as required by applicable law; and (d) ensure that its processing instructions to Seismic Swift AI comply with all applicable data protection laws.

3.2 Customer shall promptly inform Seismic Swift AI if any processing instruction given by Customer would, in Customer's assessment, infringe GDPR or other applicable data protection law. Similarly, Seismic Swift AI shall inform Customer without undue delay if Seismic Swift AI reasonably believes that any instruction from Customer infringes GDPR or other applicable data protection law (GDPR Article 28(3)(h)).

3.3 Customer is responsible for the accuracy, integrity, and legality of Personal Data and Customer Data it provides to Seismic Swift AI, and for the means by which such data was collected and by which Customer obtained the right to transfer it for processing.

3.4 Customer shall promptly notify Seismic Swift AI of any changes to its processing instructions or any changes in applicable law that affect Seismic Swift AI's processing obligations under this DPA.

4. Processor Obligations

4.1 Instructions. Seismic Swift AI shall process Personal Data only on documented instructions from Customer, including with regard to any transfer of Personal Data to a third country or international organisation, unless required to do so by European Union or Member State law to which Seismic Swift AI is subject. In such cases, Seismic Swift AI shall inform Customer of that legal requirement before processing, unless prohibited by law on important grounds of public interest.

4.2 Confidentiality. Seismic Swift AI shall ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations and are permitted to process such data only on a need-to-know basis consistent with the purposes of this DPA. All Seismic Swift AI employees and contractors with access to Personal Data are required to sign confidentiality agreements and complete annual data protection training.

4.3 Security. Seismic Swift AI shall implement and maintain the technical and organisational security measures described in Section 7, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons.

4.4 Sub-processors. Seismic Swift AI shall not engage Sub-processors without the prior general written authorisation of Customer as described in Section 5, and shall impose equivalent data protection obligations on each Sub-processor.

4.5 Assistance with Controller Obligations. Seismic Swift AI shall assist Customer in: (a) responding to Data Subject requests (Section 9); (b) ensuring compliance with Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Seismic Swift AI; and (c) conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities where required.

4.6 Demonstration of Compliance. Seismic Swift AI shall make available to Customer all information necessary to demonstrate compliance with its obligations under GDPR Article 28 and shall allow for and contribute to audits as described in Section 10.

4.7 No Independent Use. Seismic Swift AI shall not process Personal Data for any purpose other than performing its obligations under the governing agreement and this DPA. Seismic Swift AI shall not use Personal Data for profiling, commercial purposes, marketing, or any purpose unrelated to the Service.

5. Sub-processors

5.1 Customer provides general written authorisation for Seismic Swift AI to engage the Sub-processors listed in this Section 5 and as updated from time to time, subject to the conditions set out below.

5.2 Seismic Swift AI currently engages the following Sub-processors in connection with the Service:

Sub-processor | Purpose | Processing Location | Transfer Mechanism
Microsoft Azure | Cloud infrastructure, compute, Blob Storage, Cosmos DB, Event Hubs, Key Vault | USA / EU (customer-configurable) | EU-U.S. DPF; SCCs Module 2
Cloudflare, Inc. | CDN, DDoS protection, Web Application Firewall, DNS resolution | Global edge network | EU-U.S. DPF; SCCs Module 2
PagerDuty, Inc. | On-call alerting and incident management (contains metadata only, no Customer Data) | United States | SCCs Module 2
Stripe, Inc. | Payment processing and billing (does not process seismic or interpretation data) | United States | EU-U.S. DPF; SCCs Module 2

5.3 Seismic Swift AI shall provide Customer with at least thirty (30) days' prior written notice before adding or replacing any Sub-processor that will process Personal Data. Customer may object to any such change within fourteen (14) days of receiving notice by providing written notice to legal@seismicswiftai.com detailing the legitimate grounds for objection. The parties shall negotiate in good faith to resolve the objection. If resolution is not possible within thirty (30) days, Customer may terminate the affected portion of the Service upon written notice.

5.4 Seismic Swift AI shall impose data protection obligations on each Sub-processor by contract that are at least as protective as those set out in this DPA. Seismic Swift AI shall remain fully liable to Customer for the performance or non-performance of its Sub-processors' data protection obligations under this DPA (GDPR Article 28(4)).

5.5 A complete and current list of Sub-processors is maintained at seismicswiftai.com/legal/sub-processors. Customers may subscribe to email notifications of Sub-processor changes through their account settings.

6. Data Transfers

6.1 To the extent that Seismic Swift AI processes Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland in a country not deemed to provide an adequate level of data protection, the parties agree to rely on the Standard Contractual Clauses (SCCs) adopted by European Commission Decision 2021/914 (Module Two: Controller-to-Processor), which are hereby incorporated into this DPA by reference.

6.2 For purposes of the SCCs: (a) Customer is the data exporter; (b) Seismic Swift AI is the data importer; (c) the governing law selected in Clause 17 shall be the law of the Member State in which the data exporter is established, or if the data exporter is not established in an EU Member State, the law of Ireland; (d) disputes shall be submitted to the courts of the jurisdiction of the governing law; and (e) the Annex to the SCCs shall be populated with the information set forth in Section 2 of this DPA.

6.3 For transfers from the United Kingdom, the parties incorporate the International Data Transfer Addendum (UK Addendum) issued by the UK Information Commissioner's Office, which is hereby incorporated into this DPA by reference.

6.4 Seismic Swift AI has conducted Transfer Impact Assessments (TIAs) covering its primary data processing operations in the United States and has determined that, together with the supplementary technical and contractual measures described in Section 7, the SCCs provide an adequate level of protection for Personal Data transferred to the United States. Copies of Seismic Swift AI's TIA methodology are available to Enterprise customers upon request under a non-disclosure agreement.

6.5 Data Residency. Enterprise customers may elect to configure their subscription such that Customer Data is stored and processed exclusively within a specified Azure geographic region (e.g., West Europe, East US). Customer may request region-lock configuration by contacting their account representative. Seismic Swift AI will not transfer Customer Data outside the designated region without Customer's prior written consent, except as required by applicable law.

7. Security Measures

7.1 In accordance with GDPR Article 32, Seismic Swift AI implements and maintains the following technical and organisational security measures, taking into account the state of the art and the risks presented by the processing:

7.2 Encryption. All Personal Data is encrypted at rest using AES-256 with keys managed through Azure Key Vault under a customer-managed key (CMK) model for Enterprise customers. All data in transit is encrypted using TLS 1.3. Encryption keys are rotated at least annually.

7.3 Access Control and Authentication. Role-based access control (RBAC) with strict tenant isolation ensuring no cross-tenant data access. Multi-factor authentication (MFA) required for all administrative and privileged access. Principle of least privilege enforced through automated provisioning and quarterly access reviews. All privileged access sessions are recorded and audited.

7.4 Audit Logging and Integrity. Cryptographic audit chains with Ed25519 digital signatures recording all data access, modification, and deletion events. Audit logs are immutable and retained for a minimum of seven (7) years. SOC 2 Type II certification (Security, Availability, and Confidentiality trust service criteria) is maintained by annual audit.

7.5 Network Security. Azure Virtual Network with private endpoints for all data services; no direct public internet exposure of storage or database services. Web Application Firewall (WAF) with OWASP Core Rule Set. Azure DDoS Protection Standard. Network segmentation with security groups enforcing least-privilege traffic flows.

7.6 Vulnerability Management. Annual penetration testing by an independent qualified third-party security firm. Continuous automated software composition analysis (SCA) for vulnerable dependencies. Responsible disclosure and bug bounty programme. Remediation SLAs: Critical vulnerabilities within 24 hours, High within 7 days, Medium within 30 days.

7.7 Business Continuity and Resilience. Geo-redundant storage replication across Azure Availability Zones. Automated failover with RPO of 1 hour and RTO of 4 hours for Enterprise customers. DR procedures tested semi-annually. Infrastructure-as-code with immutable deployments to eliminate configuration drift.

7.8 Personnel and Organisational Measures. Background verification for all employees and contractors with access to Personal Data. Annual mandatory information security and data protection training. Confidentiality agreements with all personnel. Incident response procedures reviewed and tested annually. Security incident response team (SIRT) on-call 24/7.

8. Security Incident and Breach Notification (72-Hour)

8.1 Seismic Swift AI shall notify Customer of any Security Incident without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the incident, in accordance with GDPR Article 33. Where it is not possible to provide complete information within 72 hours, Seismic Swift AI shall provide an initial notification with available information and subsequently provide supplemental information as it becomes available.

8.2 The initial notification shall include, to the extent known at the time: (a) the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of the Data Protection Officer or designated security contact; (c) the likely consequences of the Security Incident; (d) the measures taken or proposed to address the incident, including measures to mitigate its possible adverse effects.

8.3 Seismic Swift AI shall: (a) promptly take all reasonable steps to contain and remediate the Security Incident; (b) cooperate with Customer in the investigation of the Security Incident; (c) provide Customer with updates at least every twenty-four (24) hours until the incident is resolved; and (d) within fourteen (14) days of resolution, provide Customer with a written post-incident report describing the root cause, impact, and remediation measures implemented.

8.4 Customer is solely responsible for notifying affected Data Subjects and supervisory authorities as required by applicable law. Seismic Swift AI shall provide reasonable assistance to Customer in fulfilling such notification obligations. Seismic Swift AI's notification of a Security Incident shall not be construed as an acknowledgement of fault, liability, or negligence on Seismic Swift AI's part.

8.5 Seismic Swift AI shall maintain a record of all Security Incidents, their investigation, and resolution, and shall make such records available to Customer upon reasonable request for audit purposes.

9. Data Subject Rights

9.1 Seismic Swift AI shall assist Customer in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights under GDPR Chapter III, including the rights of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), and objection (Article 21).

9.2 Where Seismic Swift AI provides self-service tools enabling Customer to export, rectify, restrict, or delete Personal Data through the Service, Customer shall use such tools to the extent practicable before submitting a manual assistance request to Seismic Swift AI. Where self-service capabilities are insufficient, Seismic Swift AI shall respond to Customer's written assistance requests within ten (10) business days.

9.3 If Seismic Swift AI receives a data subject request directly, it shall promptly redirect the request to Customer without responding directly to the Data Subject, except to acknowledge receipt. Seismic Swift AI shall not respond to a Data Subject request on Customer's behalf except upon Customer's documented authorisation.

9.4 Seismic Swift AI shall provide Customer with commercially reasonable technical assistance to enable Customer to fulfil its DPIA obligations under GDPR Article 35, including by providing relevant information about the security measures and data flows described in this DPA.

10. Audit Rights

10.1 Seismic Swift AI shall make available to Customer all information necessary to demonstrate compliance with the obligations set forth in GDPR Article 28 and this DPA, and shall allow for and contribute to audits, including inspections, conducted by Customer or a qualified, independent third-party auditor mandated by Customer, subject to the conditions in this Section 10.

10.2 Customer shall provide Seismic Swift AI with at least thirty (30) days' prior written notice of any requested audit, specifying: (a) the scope of the audit; (b) the identity of any third-party auditor; and (c) the proposed audit dates. Customer shall ensure that any third-party auditor is bound by a confidentiality agreement at least as protective as Seismic Swift AI's own confidentiality obligations.

10.3 Audits shall: (a) be conducted during normal business hours and with minimum disruption to Seismic Swift AI's operations; (b) occur no more than once per calendar year (unless required by a supervisory authority following a Security Incident or regulatory investigation); (c) not include access to systems or data belonging to other customers of Seismic Swift AI; and (d) be conducted at Customer's expense.

10.4 Documentation in Lieu of On-Site Audit. As an alternative or supplement to on-site audit, Seismic Swift AI shall upon request provide Customer with: (a) its most recent SOC 2 Type II audit report; (b) a summary of the most recent third-party penetration test; (c) relevant certifications (ISO 27001, if applicable); and (d) responses to a Customer-provided data security questionnaire. Customer agrees that review of such documentation shall constitute satisfaction of audit rights unless material deficiencies are identified that require further investigation.

11. Data Deletion and Deletion Certificate

11.1 Upon termination or expiration of the governing agreement, Seismic Swift AI shall, at Customer's election made within thirty (30) days of the termination date: (a) return all Customer Data to Customer in a standard, commonly used, machine-readable format (JSON, CSV, or supported export format as applicable); or (b) securely delete all Customer Data, including all backups and copies, in accordance with NIST Special Publication 800-88 Revision 1 (“Guidelines for Media Sanitization”) cryptographic erasure standards.

11.2 If Customer fails to make an election within thirty (30) days, Seismic Swift AI shall securely delete all Customer Data within ninety (90) days of the termination date.

11.3 Seismic Swift AI shall promptly provide Customer with a written Deletion Certificate confirming: (a) the date and method of deletion; (b) the categories of data deleted; (c) confirmation that all copies (including backups, disaster recovery replicas, and sub-processor copies) have been deleted; and (d) the name and title of the Seismic Swift AI officer certifying the deletion.

11.4 Notwithstanding the foregoing, Seismic Swift AI may retain Personal Data to the extent and for the period required by applicable law (e.g., financial records for tax purposes; security incident records for regulatory compliance). Such retained data shall be clearly segregated, processed only for the lawful purpose requiring retention, and deleted promptly when the retention obligation expires. Seismic Swift AI shall notify Customer in writing of any such retention and its legal basis.

12. Term

12.1 This DPA shall become effective on the date of execution of the governing agreement or Order Form and shall remain in effect for the duration of the Subscription Term, plus any period during which Seismic Swift AI retains Personal Data pursuant to Sections 11.1 through 11.4.

12.2 This DPA shall terminate automatically upon the completion of Seismic Swift AI's obligations under Section 11 (Data Deletion), unless earlier terminated by mutual written agreement of the parties.

12.3 The obligations set forth in Sections 4 (Processor Obligations), 7 (Security Measures), 8 (Breach Notification), 9 (Data Subject Rights), 10 (Audit Rights), and 11 (Data Deletion) shall survive termination or expiration of this DPA for so long as Seismic Swift AI retains any Personal Data subject to this DPA.

Seismic Swift AI, Inc.

Attn: Legal / Data Protection Officer

1000 Main Street, Suite 2200, Houston, Texas 77002

Legal: legal@seismicswiftai.com

DPO: dpo@seismicswiftai.com
