Data Processing Agreement
1. Parties and definitions
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: The client engaging Velintis for M&A synergy analysis services ("you", "the Client").
- Data Processor: Velintis, the provider of AI-powered synergy analysis services ("Velintis", "we", "us").
This DPA governs the processing of personal data and confidential business information by Velintis on behalf of the Client in connection with the delivery of synergy analysis services.
2. Scope of data processing
Velintis processes the following categories of data on behalf of the Client:
- Business documents uploaded to the platform including contracts, financial statements, org charts, and operational data
- Personal data that may be contained within uploaded documents including names, salaries, headcount, and contact information of employees of the Client and target company
- Metadata associated with uploaded documents including file names, upload timestamps, and processing status
3. Purpose of processing
Data is processed solely for the purpose of delivering the Velintis M&A synergy analysis service as agreed between the parties. Velintis will not process data for any other purpose without the prior written consent of the Client.
4. Processor obligations
Velintis agrees to:
- Process data only on documented instructions from the Client
- Ensure that persons authorised to process data are bound by appropriate confidentiality obligations
- Implement appropriate technical and organisational measures to ensure data security
- Not engage sub-processors without prior consent of the Client, except as set out in Schedule 1
- Assist the Client in responding to data subject rights requests
- Delete or return all personal data to the Client upon completion of the engagement
- Make available all information necessary to demonstrate compliance with this DPA
5. Security measures
Velintis implements the following technical and organisational security measures:
- Encryption at rest: AES-256 server-side encryption for all files stored in AWS S3.
- Encryption in transit: TLS 1.3 for all data transferred between the client, the platform, and storage.
- Access control: Scoped IAM credentials restrict file access to the application. User authentication via Clerk with session-based access control.
- Data isolation: Each client engagement has its own isolated storage path. No cross-client access is possible at the storage layer.
- Audit logging: All upload events, processing events, and access are logged with timestamps.
- AI processing: Documents are processed via Anthropic Claude enterprise API in isolated sessions. Anthropic does not use submitted content to train AI models.
6. Subprocessors (Schedule 1)
The Client provides general consent to Velintis engaging the following subprocessors. Velintis will notify the Client of any intended changes.
7. Data retention and deletion
Velintis will delete all uploaded documents from storage within 30 days of engagement closure, or immediately upon written request from the Client. Engagement records and analysis outputs will be retained for up to 12 months for audit purposes unless otherwise agreed.
8. Data breach notification
In the event of a personal data breach, Velintis will notify the Client without undue delay and in any case within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
9. Governing law
This DPA shall be governed by the laws of the jurisdiction agreed between the parties in the engagement letter. In the absence of such agreement, English law shall apply.
This is a draft DPA pending legal review. It should not be relied upon as final legal documentation until reviewed and approved by qualified legal counsel. For questions, contact contact@velintis.com.