Data Processing Agreement

Last updated April 19, 2026

This Data Processing Agreement (DPA) sets out the terms on which Enso Insights processes personal data on behalf of its customers. It is incorporated by reference into the Master Subscription Agreement and applies whenever Enso Insights processes Customer Data subject to applicable Data Protection Law.

This Data Processing Agreement (this DPA) is entered into between Enso Insights (Enso Insights) and the entity (Customer) that is party to the Master Subscription Agreement or other written agreement with Enso Insights that references this DPA (the Agreement). This DPA is incorporated into and forms part of that Agreement. Capitalized terms used but not defined in this DPA (or in another document referenced by this DPA) will have the meanings given to them in the Agreement. In the event of a conflict between this DPA and any other provision of the Agreement with respect to the Processing of Personal Data, this DPA controls.

1. Data processing, subject matter, and roles

1.1 Data processing

In the course of providing the Services to Customer pursuant to the Agreement, Enso Insights may Process Customer Data that constitutes “personal data,” “personal information,” “personally identifiable information,” or an analogous term under applicable Law (Customer Personal Data). The Parties agree to comply with this DPA and all privacy and data-protection laws applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable, those of the European Union and its member states, the European Economic Area, Switzerland, the United Kingdom, and the United States (including the California Consumer Privacy Act as amended by the California Privacy Rights Act, or CCPA) (collectively, Data Protection Laws).

1.2 Subject matter

The subject matter, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.

1.3 Roles

Customer is a Controller or Business (as such terms are defined under applicable Data Protection Law) and appoints Enso Insights as a Processor or Service Provider on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers and Businesses, including providing notices to and obtaining consents from Data Subjects where required. If Customer is itself a Processor on behalf of a Controller (a Third-Party Controller), then Customer (i) is the single point of contact for Enso Insights, (ii) must obtain all necessary authorizations from such Third-Party Controller, and (iii) undertakes to issue all instructions and exercise all rights on behalf of such Third-Party Controller.

2. Processing instructions

Enso Insights shall Process Customer Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with this DPA, the Agreement, and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. Enso Insights shall promptly notify Customer if, in its opinion, an instruction infringes Data Protection Law.

3. Personnel

Enso Insights restricts access to Customer Personal Data to personnel with a need to know in connection with providing the Services, who are bound by confidentiality obligations under their employment or contractor agreement and who are briefed on Enso Insights’s data-handling practices. Access to Customer Personal Data is granted on a least-privilege basis and material access events are logged through the underlying infrastructure providers’ built-in audit logging.

4. Service-provider obligations (CCPA)

Except as permitted by applicable Data Protection Law or this DPA, Enso Insights is prohibited from:

  1. retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purposes of performing the Services and in accordance with Customer’s documented instructions;
  2. retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties;
  3. combining Customer Personal Data with personal information obtained from, or on behalf of, sources other than Customer; and
  4. Selling or Sharing (as such terms are defined under applicable Data Protection Laws) Customer Personal Data for cross-context behavioral advertising or any other purpose.

Enso Insights certifies that it understands and will comply with the restrictions set forth in this Section.

5. Security and security incidents

5.1 Security

Enso Insights will implement reasonable and appropriate technical and organizational measures designed to ensure a level of security appropriate to the risks presented by the Processing of Customer Personal Data, including the measures set forth in Annex II. Enso Insights will continuously evolve these measures as the threat landscape and applicable industry standards change.

5.2 Security-incident notification

Enso Insights will notify Customer without undue delay after confirming any unauthorized access to Customer Personal Data, or any other Processing of Customer Personal Data in violation of this DPA (a Security Incident). Notification will be made by email to the Customer’s designated security or billing contact and will include the information then available to Enso Insights; additional details will follow as they are confirmed by investigation. The Parties acknowledge that, as Customer is the Controller, the obligation to notify supervisory authorities or affected Data Subjects within any specific statutory period rests with Customer. Enso Insights will provide reasonable assistance to support Customer in meeting those obligations.

5.3 Security-incident response

Enso Insights will take reasonable measures in response to a Security Incident, including (i) taking measures designed to mitigate the Security Incident and prevent its recurrence, (ii) providing Customer with reasonable information relating to the Security Incident known to Enso Insights, and (iii) providing other commercially reasonable assistance to Customer in complying with its obligations under applicable Data Protection Laws (including Customer’s notification obligations to regulators and affected Data Subjects).

5.4 Vulnerability management

Enso Insights reviews application dependencies on a periodic basis and applies security patches on a risk-prioritized basis. As Enso Insights’s security program matures, it expects to introduce automated dependency vulnerability monitoring and to engage qualified third parties to perform periodic penetration testing of the production environment; once available, summary results may be shared with enterprise customers under NDA on request.

5.5 Encryption

Enso Insights will encrypt Customer Personal Data in transit using TLS 1.2 or equivalent and at rest using AES-256 or equivalent, in each case in accordance with industry-accepted standards and current security protocols.

6. Subprocessing

6.1 Subprocessors

Customer hereby authorizes Enso Insights to engage any Processor that processes Customer Personal Data on behalf of Enso Insights (each, a Subprocessor). A current list of Enso Insights’s Subprocessors is set forth in Annex III and is updated at https://www.ensoinsights.us/legal/subprocessors.

6.2 Subprocessor terms

Enso Insights uses commercially reasonable efforts to engage each Subprocessor under written terms (which may consist of the Subprocessor’s standard terms of service, privacy policy, and data processing addendum, supplemented by any negotiated agreement) that establish data-protection obligations consistent with those in this DPA, including with respect to the Processing of Customer Personal Data, the security of Customer Personal Data, the handling of Security Incidents, and the obligations of personnel. On request, Enso Insights will identify the operative terms applicable to a given Subprocessor.

6.3 Subprocessor changes

Enso Insights will provide notice to Customer of any intended addition or replacement of a Subprocessor at least 30 days before authorizing the new Subprocessor to Process Customer Personal Data, by updating the public Subprocessors list and (for customers who have subscribed to subprocessor-update notifications by emailing legal@ensoinsights.us) by email. Customer may object to the addition of a Subprocessor on reasonable grounds that the appointment of such Subprocessor will result in a material violation of Data Protection Law by providing written notice detailing the grounds of such objection within 30 days following Enso Insights’s notification. Customer and Enso Insights will work together in good faith to address Customer’s objection. If Enso Insights chooses to retain such new Subprocessor, either Party may terminate the relevant parts of the Services that use such Subprocessor within 30 days; in such event Enso Insights will refund any pre-paid, unused Fees attributable to the terminated portion of the Term.

7. Assistance

Taking into account the nature of the Processing, and the information available to Enso Insights, Enso Insights will provide reasonable assistance to Customer, including through appropriate technical and organizational measures, to enable Customer to:

  • respond to requests from Data Subjects or Consumers (as defined under applicable Data Protection Laws) to exercise their rights of access, rectification, erasure, restriction, portability, and objection;
  • conduct data-protection impact assessments and prior consultations with regulators where required by Articles 35 and 36 of the GDPR or analogous provisions; and
  • respond to inquiries, complaints, and investigations from supervisory or regulatory authorities.

If Enso Insights receives a request from a Data Subject relating to Customer Personal Data, Enso Insights will, where lawful, promptly forward such request to Customer and will not respond directly except to acknowledge receipt and to inform the Data Subject that the request has been forwarded to the Controller.

8. Audit

Upon Customer’s reasonable written request, Enso Insights will permit Customer, at Customer’s expense, to audit Enso Insights’s applicable controls and compliance with this DPA (an Audit), provided such Audit is (a) conducted by Customer or a third-party auditor designated by Customer that has executed an appropriate confidentiality agreement with Enso Insights, (b) Customer and Enso Insights mutually agree on reasonable details of the Audit, including the start date, scope and duration of, and security and confidentiality controls applicable to, such Audit, (c) the Audit does not interfere unreasonably with Enso Insights’s operations or other customers’ use of the Services, and (d) a similar Audit has not already been conducted within the 12 months prior, unless required by a supervisory authority or other regulatory authority responsible for the enforcement of Data Protection Law. Customer will pay all reasonable costs and expenses incurred by Enso Insights in connection with any such Audit. Customer may use the results of an Audit only for the purposes of meeting Customer’s regulatory audit requirements and confirming compliance with the requirements of this DPA. To the extent available, Enso Insights may satisfy Customer’s audit rights through provision of third-party audit reports (e.g., SOC 2) under NDA, in lieu of an on-site or on-platform audit.

9. International data transfers

9.1 European data transfers

Enso Insights will obtain Customer’s specific prior written authorization for any transfer of Customer Personal Data subject to European Data Protection Law that is not subject to an adequacy decision by the European Commission (an International Data Transfer). Customer hereby authorizes Enso Insights to conduct International Data Transfers outside the EEA or Switzerland:

  • to any country subject to a valid adequacy decision of the European Commission;
  • on the basis of an organization’s binding corporate rules approved by EEA Supervisory Authorities; and
  • to any data importer with whom Enso Insights has entered into the EU Standard Contractual Clauses (SCCs).

9.2 European transfer mechanism

Customer and Enso Insights conclude Module 2 (Controller-to-Processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Enso Insights; the optional docking clause in Clause 7 is implemented; Option 1 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; and Annexes I, II, and III to this DPA are incorporated into the SCCs as Annexes I.A, I.B, II, and III as applicable. For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland, and references to the GDPR shall be understood to include the Swiss Federal Act on Data Protection (FADP) where applicable.

9.3 UK data transfers

Customer hereby authorizes Enso Insights to perform International Data Transfers outside the UK subject to the requirements of the UK Data Protection Act 2018 and the UK GDPR:

  • to any country subject to a valid adequacy decision issued by the UK Government;
  • on the basis of an organization’s binding corporate rules approved by the UK Information Commissioner; and
  • to any data importer with whom Enso Insights has entered into the UK International Data Transfer Addendum (the UK Addendum) or other standard contractual clauses issued by the UK Information Commissioner, as appropriate.

9.4 UK transfer mechanism

Customer and Enso Insights conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Enso Insights, their details being set forth in this DPA and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes I (A and B), II, and III to the “Approved EU SCCs” are Annexes I, II, and III to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

10. Return and deletion

Following the date of expiration or earlier termination of the Agreement, Enso Insights will, at Customer’s election (specified by written notice within 30 days of termination), promptly return or delete all Customer Personal Data; provided, however, that Enso Insights may retain copies of Customer Personal Data (a) as expressly agreed by the Parties, (b) as required by applicable Law, or (c) to the extent contained in standard backups, which copies will remain subject to the protections of this DPA until they are purged in the ordinary course of backup rotation (no later than 30 days after deletion of the live copy).

Annex I — Description of the transfer

A. List of parties

Data exporter

  • Name: Customer (as defined in the Agreement).
  • Activities relevant to the data transferred under these Clauses: Customer receives the Services from Enso Insights as described in the Agreement and provides Customer Personal Data to Enso Insights in that context.
  • Role (Controller / Processor): Controller, or Processor on behalf of Third-Party Controller.

Data importer

  • Name: Enso Insights, a registered trade name of Enso Labs LLC.
  • Legal form and place of formation: Texas limited liability company, United States.
  • Activities relevant to the data transferred under these Clauses: Enso Insights provides the Services to Customer as described in the Agreement and Processes Customer Personal Data on behalf of Customer in that context.
  • Role (Controller / Processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller.
  • Data-protection contact: legal@ensoinsights.us (Attn: Legal & Privacy).

B. Description of international data transfer

Categories of Data Subjects whose Customer Personal Data is transferred

  • Customer’s personnel, staff, contractors, and authorized Users of the Services;
  • Other natural persons identified in audit prompts or Customer Data submitted by Customer (which Customer represents are limited and lawfully obtained).

Categories of Customer Personal Data transferred

  • Identifiers (name, email address, organization, role);
  • Account credentials (passwordless OTP tokens, session tokens);
  • Audit inputs (brand names, competitor names, market context, free-text instructions);
  • Audit outputs (scorecards, reports, executive summaries) generated for Customer;
  • Communications between Customer and Enso Insights;
  • Technical data (IP address, user-agent, request metadata, server logs).

Sensitive data transferred

None expected. Enso Insights does not knowingly Process special categories of personal data (Article 9 GDPR) or sensitive personal information (CCPA §1798.140(ae)). Customer agrees not to submit such data to the Services.

Frequency of the transfer

On a continuous basis for the duration of the Agreement.

Nature of the processing

Storage, retrieval, transmission to upstream AI Engines under zero-data-retention APIs, generation of audit outputs, archival, return, and deletion — as further described in the Agreement.

Purpose(s) of the international data transfer and further Processing

The provision of the Services to Customer as described in the Agreement.

Retention period

Customer Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable Laws (including statutes of limitation and tax-record retention obligations) and Data Protection Law. Specific retention periods are set forth in Enso Insights’s Privacy Policy.

For International Data Transfers to (Sub)Processors, also specify subject matter, nature, and duration of the Processing

For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.

C. Competent supervisory authority

  • The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of Ireland.
  • The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner’s Office.
  • The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.

Annex II — Technical and organizational measures

Enso Insights implements security safeguards designed to protect Customer Personal Data from unauthorized access, acquisition, disclosure, destruction, alteration, accidental loss, misuse, or damage. The Services are built on the underlying controls of established cloud infrastructure providers, each of which maintains its own independent security attestations. The current list of those providers is identified in Annex III and on our public Subprocessors page. The specific measures include:

Access control

  • Passwordless one-time-password (OTP) authentication for end-user access; multi-factor authentication required for all Enso Insights personnel.
  • Row-level security policies enforced at the database layer scope every query to the requesting user’s identity, so that a bug in application code cannot return another tenant’s data.
  • Least-privilege role-based access controls for personnel; production access is granted only to a small number of engineers who require it for their job function and is logged.
  • Written confidentiality obligations for all personnel and contractors with access to Customer Personal Data.

Encryption

  • TLS 1.2 or higher (currently TLS 1.3) for all data in transit.
  • AES-256 encryption for all data at rest, including database storage and backups.
  • Encryption keys are managed by our underlying cloud infrastructure providers and rotated according to industry-standard schedules.

Network security

  • Production environment served from a globally distributed edge platform with DDoS protection enabled by default.
  • Database access is mediated through the application tier using least-privilege service credentials.
  • Edge-platform managed firewall on public endpoints; application-level rate-limiting and abuse-signal monitoring on user-initiated audit endpoints.

Application security

  • Input validation and output encoding to prevent injection attacks.
  • CSRF protection on state-changing requests.
  • Secure session management; session tokens expire and are rotated.
  • Periodic dependency review; security patches applied on a risk-prioritized basis.
  • Static analysis (TypeScript strict mode, ESLint security rules) and self-review on all changes prior to deployment.

Logging and monitoring

  • Application logs, database audit logs, and authentication logs are retained through the underlying infrastructure providers for security and incident-response purposes for the period defined by each provider’s defaults for our subscription tier.
  • Operational alerting on infrastructure-level events surfaced by our hosting and database providers (e.g., service outages, deployment failures, database health).

Backup and disaster recovery

  • Database backups are performed by our infrastructure provider in accordance with that provider’s documented backup policies for our subscription tier (which may include daily snapshots and, on higher tiers, point-in-time recovery).
  • The application tier is served from a globally distributed edge platform that provides automated failover for the static and serverless layers.
  • Enso Insights does not commit to a specific recovery time objective (RTO) or recovery point objective (RPO) at this time. Customers requiring contractually committed RTO/RPO should contact us to discuss whether a custom arrangement is available.

Vendor management

  • All subprocessors are bound by written contracts imposing data-protection obligations consistent with this DPA.
  • Subprocessors are evaluated before engagement and reviewed on a periodic, risk-based basis, including review of their public security attestations (e.g., SOC 2 / ISO 27001) where available.

Incident response

  • Enso Insights maintains an internal incident-response process covering detection, containment, eradication, recovery, and post-incident review.
  • Customer notification of confirmed Security Incidents affecting Customer Personal Data is governed by Section 5.2 (without undue delay after Enso Insights becomes aware).

AI-specific controls

  • Enso Insights selects upstream AI Engines whose published API terms prohibit training on customer inputs by default, and where the underlying provider supports it, enables non-training and minimum-retention configurations.
  • Enso Insights does not itself train any AI or machine-learning model on Customer Data.

Annex III — Subprocessors

Customer authorizes Enso Insights to engage the following Subprocessors. The current list is also published at https://www.ensoinsights.us/legal/subprocessors and is updated when subprocessors are added or removed.

Supabase, Inc.
  • Location of processing: United States (US-West)
  • Nature and purpose of processing: Managed PostgreSQL database, authentication (passwordless OTP), and row-level security enforcement.

Vercel, Inc.
  • Location of processing: Global edge network (data primarily in United States)
  • Nature and purpose of processing: Application hosting and edge serverless compute.

OpenAI OpCo, LLC
  • Location of processing: United States
  • Nature and purpose of processing: GPT-class model scoring of audit prompts under the OpenAI zero-data-retention enterprise API.

Google LLC (Google Cloud)
  • Location of processing: United States (US-Central)
  • Nature and purpose of processing: Gemini 2.5 Pro model scoring of audit prompts under the Vertex AI zero-data-retention enterprise API.

Brave Software, Inc.
  • Location of processing: United States
  • Nature and purpose of processing: Web search results used to ground LLM responses on current public information.

Stripe, Inc.
  • Location of processing: United States
  • Nature and purpose of processing: Payment processing for paid plans (when applicable).

Entity information. “Enso Insights” is a registered trade name of Enso Labs LLC, a Texas limited liability company. All references to “Enso Insights,” “we,” “our,” or “us” in this document mean Enso Labs LLC operating under that trade name.