Data Processing Agreement

Refine Technologies, Inc.

131 Continental Drive, Suite 305, Newark, DE 19713, USA

Contact: Yann Calvó López, CEO

Security contact: security@refine.ink

The legal entity accepting the Agreement and this DPA.

Processor (or Sub-processor where Customer is itself a Processor). See Section 3.

Controller (or Processor where acting on behalf of a Controller).

Refine's AI-assisted research feedback platform and related services, as described at refine.ink.

Published at https://trust.refine.ink/resources. Provider is currently undergoing ISO 27001:2022 and SOC 2 Type I and Type II audits. Current certification status is published on the Trust Center.

security@refine.ink

Published at https://trust.refine.ink/subprocessors. Provider will give at least 10 business days' written notice of any addition or replacement.

Customer shall not submit, upload, or otherwise transmit through the Service any (i) Special Category Data as defined in Article 9 of the GDPR, (ii) Protected Health Information (PHI) as defined under HIPAA, or (iii) financial account data, in each case without prior written agreement from Provider. Customer is solely responsible for compliance with this restriction and for ensuring that documents submitted to the Service do not contain such data.

The Service is not designed or intended to process the data categories described above, and Provider does not undertake any obligation to monitor, detect, or filter submissions for such data. If Provider becomes aware that restricted data has been submitted, Provider will notify Customer and the parties will cooperate in good faith to delete or return such data as soon as reasonably practicable and in any event within 30 days of Provider's discovery.

Continuous, for the duration of the Agreement.

Provider will process Customer Personal Data for as long as required to deliver the Service or as required by Applicable Laws. Following termination of the Agreement, Provider will delete or return Customer Personal Data in accordance with Section 8 of this DPA.

Provider will not use Customer Personal Data, uploaded documents, or any derived data to train, fine-tune, validate, or improve any artificial intelligence or machine learning model, whether operated by Provider or any Subprocessor. Uploaded papers are processed solely to deliver feedback reports to the submitting researcher.

The supervisory authority of the data exporter, determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.

The EEA member state in which Customer's relevant establishment is located, or Ireland where Customer has no EEA establishment.

Module Two (Controller to Processor) applies where Customer is a Controller. Module Three (Processor to Sub-processor) applies where Customer is a Processor. Both modules apply with: Clause 7 docking clause not applicable; Clause 9 Option 2 (general written authorization), minimum 10 business days' notice; Clause 11 optional language not included; Clause 13 square brackets removed; governing law and jurisdiction per the Governing Member State row above.

Where UK GDPR applies, the UK Addendum (ICO IDTA) applies. Neither party may terminate the UK Addendum under Section 19. Parties will work in good faith to update if the ICO issues a revised Approved Addendum.

Where Swiss law applies, references to GDPR in the EEA SCCs are amended to refer to the Swiss Federal Data Protection Act, and supervisory authority includes the Swiss FDPIC.

The following measures supplement and are incorporated into the Security Policy referenced in Section 2.

Provider relies on Microsoft Azure for physical infrastructure; Azure maintains physical security controls including restricted access, surveillance, and environmental safeguards at data center facilities.

Where Customer is a Controller of Customer Personal Data, Provider acts as a Processor processing Personal Data on behalf of Customer.

Where Customer is itself a Processor of Customer Personal Data, Provider acts as a Subprocessor.

Part 1, Section 3 of this DPA describes the subject matter, nature, purpose, and duration of Processing, and the categories of Personal Data and Data Subjects.

Customer instructs Provider to process Customer Personal Data: (a) to provide and maintain the Service; (b) as specified through Customer's use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions acknowledged by Provider. Provider will abide by these instructions unless prohibited by Applicable Laws and will immediately inform Customer if it is unable to follow the Processing instructions.

Customer will only give instructions that comply with Applicable Laws.

If Provider updates the Service to include new products, features, or functionality, Provider may update the categories described in Part 1, Section 3 by notifying Customer of the changes.

Where Customer is a Processor and Provider is a Subprocessor, Customer will comply with all Applicable Laws governing its own Processing and will ensure its agreement with the relevant Controller imposes equivalent obligations.

Customer has complied with and will continue to comply with all Applicable Data Protection Laws in its provision of Customer Personal Data to Provider, including making required disclosures, obtaining necessary consents, and implementing relevant safeguards.

Provider will not transfer Customer Personal Data to a Subprocessor unless that Subprocessor is listed in the Approved Subprocessors list. Provider will give Customer at least 10 business days' written notice of any intended addition or replacement. Customer has 30 days after notice to object in writing; absent an objection, Customer is deemed to accept the change. Provider and Customer will cooperate in good faith to resolve any timely objection.

If the parties are unable to resolve Customer's timely objection within 60 days after Customer's written objection, Customer may terminate the portion of the Agreement affected by the Subprocessor change for cause upon 30 days' written notice to Provider. Termination under this Section is Customer's sole and exclusive remedy for an unresolved Subprocessor objection.

Provider will have a written agreement with each Subprocessor that limits the Subprocessor's access to and use of Customer Personal Data to what is required to perform the subcontracted obligations, and that imposes data protection obligations at least as protective as this DPA. Where GDPR applies, Provider's agreements with Subprocessors will incorporate the obligations referred to in Article 28(3) of the GDPR.

Provider remains fully liable for the acts and omissions of its Subprocessors in Processing Customer Personal Data. Provider will notify Customer of any material failure by a Subprocessor to fulfill its obligations under its agreement with Provider.

Customer agrees that Provider may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. Where Provider transfers Customer Personal Data to a territory without an adequacy decision, Provider will implement appropriate safeguards consistent with Applicable Data Protection Laws.

Where the GDPR governs the transfer, the transfer is from Customer within the EEA to Provider outside the EEA, and no adequacy decision applies, the parties are deemed to have signed the EEA SCCs and their Annexes, as set out in Part 1, Section 4.

Where UK GDPR governs the transfer, the transfer is from Customer within the United Kingdom to Provider outside the United Kingdom, and no adequacy decision applies, the parties are deemed to have signed the UK Addendum, as completed in Part 1, Section 4.

Where Swiss law governs the international nature of the transfer, the EEA SCCs apply as modified in Part 1, Section 4.

Provider will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and will allow for and contribute to audits and inspections. Provider may restrict access to information that would negatively impact its intellectual property rights, confidentiality obligations, or other legal obligations. Customer agrees to exercise its audit rights solely through the reporting and due diligence mechanisms in Sections 11.2 and 11.3.

Provider will maintain compliance records for 3 years after the DPA ends.

Provider is regularly audited against the standards defined in the Security Policy by independent third-party auditors. Upon written request, Provider will provide Customer, on a confidential basis, a summary copy of its then-current audit report.

In addition to audit reports, Provider will respond to reasonable written requests for information to confirm compliance with this DPA, including responses to information security, due diligence, and audit questionnaires. Such requests must be directed to security@refine.ink and may be made no more than once per calendar year.

If Provider receives an inquiry or request relating to Customer Personal Data from a third party (including a regulator or data subject), Provider will notify Customer promptly and will not respond without Customer's prior consent, except as required by Applicable Law. Provider will follow Customer's reasonable instructions on handling such requests.

If a data subject makes a valid request under Applicable Data Protection Laws to delete or opt out of the transfer of their Personal Data to Provider, Provider will assist Customer in fulfilling that request.

Where required by Applicable Data Protection Laws, Provider will reasonably assist Customer in conducting data protection impact assessments (DPIAs) and data transfer impact assessments (DTIAs), and in consulting with relevant supervisory authorities, taking into account the nature of Processing and the Customer Personal Data involved.

Provider will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Service and will comply with such instructions as soon as reasonably practicable, except where further storage is required by Applicable Law.

After the Agreement expires or is terminated, Provider will return or delete Customer Personal Data at Customer's instruction, without undue delay and in any event within sixty (60) days following the later of (i) termination or expiry of the Agreement, or (ii) Customer's written request, unless further storage is required or authorized by Applicable Law. Where return or destruction is impracticable or prohibited, Provider will make reasonable efforts to prevent further Processing and will continue to protect the Customer Personal Data in its possession.

Where the parties have entered into EEA SCCs or the UK Addendum as part of this DPA, Provider will provide a certification of deletion as described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs if Customer requests one.

To the maximum extent permitted under Applicable Data Protection Laws, each party's total cumulative liability to the other arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.

Any claims made against Provider or its Affiliates arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement.

This DPA does not limit any liability to an individual in respect of that individual's data protection rights under Applicable Data Protection Laws, or any liability between the parties for violations of the EEA SCCs or the UK Addendum.