Data Processing Agreement

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable data protection law.
• "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and erasure.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose

The Processor shall process Personal Data only on documented instructions from the Controller, as necessary to provide the Service. The categories of data subjects, types of Personal Data, and purposes of processing are as described in the Service agreement and the SuperIntern Privacy Policy.

3. Obligations of the Processor

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
• Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
• Not engage another processor (sub-processor) without prior written authorization of the Controller.
• Assist the Controller in fulfilling its obligations to respond to data subject requests.
• Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations.
• At the choice of the Controller, delete or return all Personal Data after the end of the provision of the Service.
• Make available to the Controller all information necessary to demonstrate compliance with these obligations.

4. Security Measures

The Processor implements the following technical and organizational security measures:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and role-based permissions
• Monitoring, logging, and audit trails
• Multi-factor authentication
• Regular security assessments and penetration testing
• Secure infrastructure providers with appropriate certifications

5. Sub-processors

The Controller provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

A current list of sub-processors is maintained at superintern.ai/sub-processor-list.

Where the Processor engages a sub-processor, the Processor shall impose the same data protection obligations as set out in this DPA on the sub-processor by way of contract. The Processor shall remain liable for the performance of its sub-processors.

6. International Data Transfers

Where Personal Data is transferred outside the UK or European Economic Area, the Processor shall ensure appropriate safeguards are in place, including:

• EU-US Data Privacy Framework (DPF) for DPF-certified US providers
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary technical measures including encryption and access controls

7. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach affecting Personal Data processed under this DPA. Such notification shall include, to the extent available, the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

8. Data Subject Rights

The Processor shall assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.

9. Data Retention and Deletion

Upon termination of the Service agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data and delete existing copies unless applicable law requires storage of the Personal Data. Specific retention periods are described in the SuperIntern Privacy Policy.

10. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. Where the Controller is established in the EU, the GDPR and relevant local implementation laws shall apply as appropriate.

11. Contact

For questions regarding this Data Processing Agreement: support@superintern.ai

Subject: "DPA Inquiry"

© 2025–2026 Houly Ltd (trading as Ammo AI). All rights reserved.