Rivulo Data Processing Addendum

Updated: May 7, 2026

This Data Processing Addendum ("DPA") forms part of the Rivulo Terms of Service ("Terms") between Rivulo Ltd (company number 16569958, registered office 63 Craddocks Avenue, Ashtead, KT21 1PE, United Kingdom) ("Rivulo", "Processor") and the Customer ("Controller"). It governs the Processing by Rivulo of Personal Data on the Controller's behalf in connection with the Service.

By accepting the Terms, or by using the Service, the Controller agrees to this DPA. No countersignature is required, but a signed copy is available on request by emailing legal@rivulo.ai.

Where there is a conflict between this DPA and the Terms, this DPA prevails in respect of the Processing of Personal Data.

1. Definitions

Terms defined in the Terms have the same meaning here. In addition:

"Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and, where applicable to the Processing, the EU GDPR, in each case as amended or replaced from time to time.

"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Special Category Data", and "Supervisory Authority" have the meanings given in Applicable Data Protection Law.

"Customer Personal Data" means Personal Data contained in Customer Data that Rivulo Processes on behalf of the Controller under the Terms.

"International Transfer" means a transfer of Personal Data from the United Kingdom (or, where relevant, the European Economic Area) to a third country not covered by an adequacy decision.

"Restricted Transfer Mechanism" means the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, or any successor mechanism approved under Applicable Data Protection Law.

"Subprocessor" means a third party engaged by Rivulo to Process Customer Personal Data.

2. Roles and scope

2.1 Roles

In relation to Customer Personal Data, the Controller is the Controller and Rivulo is the Processor. Each party will comply with its obligations under Applicable Data Protection Law.

2.2 Scope

This DPA applies to the Processing of Customer Personal Data by Rivulo during the term of the Terms.

2.3 Details of Processing

The details of the Processing (subject matter, duration, nature and purpose, categories of Data Subjects, and types of Personal Data) are set out in Schedule 1.

3. The Controller's responsibilities

The Controller:

  • warrants that it has a valid lawful basis under Applicable Data Protection Law for the Processing carried out by Rivulo under the Terms;

  • is responsible for providing all required privacy notices to Data Subjects and, where required, obtaining consent;

  • will give Rivulo only such Personal Data as is necessary for the provision of the Service and will not submit Special Category Data or criminal-offence data into the Service without first notifying Rivulo; and

  • is responsible for the security of Personal Data in transit to and from the Service on the Controller's side (including credentials and API tokens configured by the Controller).

4. Rivulo's obligations

4.1 Instructions

Rivulo will Process Customer Personal Data only:

  • (a) on the documented instructions of the Controller (the Terms, this DPA, the Service configuration, and any subsequent written instructions are each "documented instructions"); or

  • (b) where required by law, in which case Rivulo will notify the Controller before Processing unless the law prohibits such notification.

If Rivulo considers that an instruction infringes Applicable Data Protection Law, it will inform the Controller.

4.2 Confidentiality

Rivulo will ensure that personnel authorised to Process Customer Personal Data are bound by appropriate obligations of confidentiality.

4.3 Security

Rivulo will implement appropriate technical and organisational measures to protect Customer Personal Data, as set out in Schedule 2. Rivulo may update these measures from time to time, provided the overall level of protection is not materially reduced.

4.4 Assistance with Data Subject Rights

Taking into account the nature of the Processing, Rivulo will assist the Controller by appropriate technical and organisational measures to enable the Controller to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. Where a Data Subject contacts Rivulo directly in respect of Customer Personal Data, Rivulo will redirect the Data Subject to the Controller and notify the Controller without undue delay.

4.5 Assistance with obligations

Taking into account the nature of the Processing and the information available to Rivulo, Rivulo will assist the Controller with:

  • notification of Personal Data Breaches;

  • data protection impact assessments;

  • prior consultation with Supervisory Authorities; and

  • ensuring compliance with the security obligations in Articles 32 to 36 of the UK GDPR.

The Controller acknowledges that any such assistance that requires Rivulo to incur material cost or effort beyond its standard controls may be subject to reasonable additional charges, agreed in advance.

4.6 Return or deletion

On termination of the Terms or the relevant part of the Service, Rivulo will, at the Controller's choice, delete or return all Customer Personal Data to the Controller and delete existing copies, except to the extent retention is required by law. Unless the Controller requests return in writing within 30 days of termination, Rivulo will delete Customer Personal Data in accordance with its standard retention schedule.

4.7 Records and audit

Rivulo will make available to the Controller information necessary to demonstrate compliance with this DPA, which will typically take the form of current certifications (for example, ISO 27001 when achieved), audit reports, or security questionnaire responses. Where the information reasonably made available is insufficient, the Controller may, on at least 30 days' prior written notice and no more than once in any 12-month period (except where a Personal Data Breach has occurred or a Supervisory Authority requires), conduct an audit at its own cost, subject to reasonable confidentiality and security conditions.

5. Personal Data Breaches

Rivulo will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known:

  • the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;

  • the likely consequences of the breach;

  • the measures taken or proposed to address the breach and mitigate its effects; and

  • a contact point for further information.

Rivulo will cooperate with the Controller and provide reasonable assistance to enable the Controller to meet its own notification obligations.

6. Subprocessors

6.1 General authorisation

The Controller provides general written authorisation for Rivulo to engage Subprocessors, subject to the remainder of this Section 6.

6.2 Current Subprocessors

The Subprocessors currently engaged by Rivulo are listed in Schedule 3.

6.3 Change notification

Rivulo will give the Controller at least 30 days' prior notice before engaging a new Subprocessor that will Process Customer Personal Data, by email to the Administrator or by in-product notice.

6.4 Objection

The Controller may object, within the 30-day notice period, to the proposed engagement of a new Subprocessor on reasonable data-protection grounds. If the parties cannot agree a resolution within a further 30 days, the Controller may terminate the subscription in respect of the affected part of the Service and receive a pro-rata refund of pre-paid Fees for the unused portion of the subscription.

6.5 Flow-down and liability

Rivulo will impose on each Subprocessor data-protection obligations substantially equivalent to those in this DPA, and remains liable to the Controller for the acts and omissions of its Subprocessors in connection with Customer Personal Data.

6.6 Features involving Subprocessors without a confirmed transfer mechanism

Certain features of the Service may rely on a Subprocessor for which a Restricted Transfer Mechanism has not yet been confirmed ("Unconfirmed Subprocessor Features"). Where this is the case, Rivulo will:

  • (a) clearly identify the relevant feature as an Unconfirmed Subprocessor Feature within the Service before any Customer Personal Data flows to that Subprocessor;

  • (b) disclose the identity of the relevant Subprocessor, the nature of the transfer, and the absence of a confirmed Restricted Transfer Mechanism;

  • (c) note that the Subprocessor applies its own security measures to protect data, but that Rivulo is not yet able to confirm that the standard legal safeguards required under Applicable Data Protection Law are in place for that transfer;

  • (d) recommend that the Controller consult its data protection officer, legal team, or equivalent before enabling the feature if it is uncertain whether the transfer is lawful for its own Data Subjects; and

  • (e) require the Controller to provide explicit in-product acknowledgement before enabling the feature.

By enabling an Unconfirmed Subprocessor Feature, the Controller acknowledges the absence of a confirmed transfer mechanism and accepts responsibility for ensuring that its use of that feature is lawful in respect of its own Data Subjects. Rivulo will continue to work to obtain an appropriate Restricted Transfer Mechanism and will notify the Controller when one is confirmed.

7. International transfers

7.1 Controller authorisation

The Controller authorises Rivulo and its Subprocessors to make International Transfers of Customer Personal Data where necessary to provide the Service, subject to this Section 7.

7.2 Safeguards

Where Rivulo or a Subprocessor makes an International Transfer, Rivulo will put in place, or rely on, an appropriate Restricted Transfer Mechanism, together with any supplementary measures required by Applicable Data Protection Law.

7.3 Controller-to-Processor clauses

Where required, the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses, as applicable) is incorporated by reference into this DPA between the Controller and Rivulo as exporter and importer respectively, and the parties will be deemed to have completed the relevant schedules using the information in this DPA (including Schedules 1, 2, and 3).

8. Liability

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms.

9. General

9.1 Term

This DPA takes effect on the date the Controller first accepts the Terms and continues for the duration of the Terms. Provisions that by their nature should survive termination will continue to apply after termination.

9.2 Order of precedence

In the event of conflict between this DPA and the Terms, this DPA prevails in respect of Personal Data Processing. In the event of conflict between this DPA and any Restricted Transfer Mechanism, the Restricted Transfer Mechanism prevails.

9.3 Changes

Rivulo may update this DPA from time to time to reflect changes in law, Subprocessors, or security measures, provided that no change will materially reduce the protections afforded to Customer Personal Data. Material changes will be notified in accordance with the Terms.

9.4 Governing law

This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales, except where Applicable Data Protection Law requires otherwise.

Schedule 1 — Details of Processing

Subject matter of the Processing
Provision of the Rivulo workflow automation Service as described in the Terms.

Duration of the Processing
For the duration of the Controller's subscription to the Service, plus any period required for deletion or return under Section 4.6.

Nature and purpose of the Processing
To enable the Controller to build, configure, and run automated Workflows; to execute Workflows (which may involve API integrations, browser automation, and LLM inference); to store Controller configurations and outputs; to provide support; and to secure and monitor the Service.

Categories of Data Subjects (as determined by the Controller's use of the Service)

  • The Controller's employees, contractors, and agents (as Authorised Users);

  • The Controller's customers, prospects, or other end users about whom the Controller chooses to Process data through the Service;

  • Any other categories of Data Subjects that the Controller chooses to introduce into the Service.

Types of Personal Data (as determined by the Controller's use of the Service)

  • Contact data (name, email, phone number, job title);

  • Account and authentication data (Authorised User credentials, session data);

  • Third-party service credentials and OAuth tokens configured by the Controller;

  • Any Personal Data contained in files, records, or inputs that the Controller submits to a Workflow;

  • Any Personal Data contained in LLM prompts and outputs generated through Workflows.

The Controller is responsible for determining, and for ensuring it has a lawful basis for, the categories of Personal Data it Processes through the Service.

Special Category Data
The Service is not intended for Processing Special Category Data or criminal-offence data. The Controller must not submit such data without prior written notice to Rivulo.

Schedule 2 — Technical and organisational measures

Rivulo implements the following technical and organisational measures, which are maintained as part of its information security management system (aligned to ISO 27001:2022):

Access control

  • Role-based access control (least privilege) for production systems;

  • Multi-factor authentication for all personnel with access to production systems;

  • Formal joiner/mover/leaver procedures with access reviews at least quarterly;

  • Administrative access to Customer Personal Data logged.

Encryption

  • Personal Data encrypted in transit using TLS 1.2 or higher;

  • Personal Data encrypted at rest on production infrastructure and in backups;

  • Full-disk encryption on all company-managed devices.

System security

  • Hardened production environments on DigitalOcean and Vercel;

  • Automatic security patching for supported infrastructure components;

  • Separation of production, staging, and development environments;

  • Secrets management for credentials and API keys.

Application security

  • Secure software development lifecycle with independent QA testing or code review before merge to production;

  • Automated vulnerability scanning of code and dependencies;

  • Penetration testing for major releases or at least annually;

  • OWASP-aligned coding practices.

Operations and monitoring

  • Centralised logging and monitoring via Datadog;

  • Intrusion and anomaly detection on production infrastructure;

  • Documented incident response plan with defined roles and escalation paths;

  • Business continuity and disaster recovery plan, tested at least annually.

Backups and resilience

  • Automated encrypted backups with documented retention and restoration procedures;

  • Regular backup restoration testing.

Vendor management

  • Tiered vendor risk assessment before engagement;

  • Written data processing agreements with all Subprocessors Processing Personal Data;

  • At least annual review of Subprocessor security posture.

People

  • Confidentiality obligations for all personnel;

  • Annual security and privacy awareness training;

  • Background checks where legally permitted;

  • Formal off-boarding procedures including revocation of access within 24 hours.

Physical security

  • Rivulo has no physical premises; all processing takes place on managed cloud infrastructure or personal devices under Rivulo's Acceptable Use and Workstation Security Policy.

Governance

  • Designated Security and Privacy Owner;

  • Documented policies reviewed at least annually;

  • Quarterly management review of security and privacy posture;

  • Register of Processing Activities maintained and reviewed quarterly.

Schedule 3 — Subprocessors

Rivulo engages the Subprocessors listed below to Process Customer Personal Data. The list is current as of the "Last updated" date at the top of this DPA and is maintained as part of Rivulo's Tool and Vendor Register.

Infrastructure

| Subprocessor | Service provided | Location of Processing | Transfer mechanism |
|---|---|---|---|
| DigitalOcean, LLC | Application hosting | United States | UK International Data Transfer Agreement / UK Addendum |
| Vercel, Inc. | Web application delivery | United States | UK International Data Transfer Agreement / UK Addendum |

Workflow execution

| Subprocessor | Service provided | Location of Processing | Transfer mechanism |
|---|---|---|---|
| Pipedream, Inc. | API integration execution | United States | UK International Data Transfer Agreement / UK Addendum |
| Browserbase, Inc. | Browser automation execution | United States | None confirmed — see Section 6.6 |
| Browser Use | Browser automation execution | United States | None confirmed — see Section 6.6. IDTA provided to Browser Use as template agreement; pending execution. |

LLM providers

| Subprocessor | Service provided | Location of Processing | Transfer mechanism | Notes |
|---|---|---|---|---|
| Anthropic, PBC | LLM inference | United States | UK International Data Transfer Agreement / UK Addendum | Zero Data Retention enabled |
| OpenAI, LLC | LLM inference | United States | UK International Data Transfer Agreement / UK Addendum | No training on API inputs under standard terms |
| Google LLC (Gemini) | LLM inference | United States | UK International Data Transfer Agreement / UK Addendum | No training on API inputs under paid-tier terms |
| Mistral AI | LLM inference | France / EEA | Adequacy (UK-EEA) | |

Business support

| Subprocessor | Service provided | Location of Processing | Transfer mechanism |
|---|---|---|---|
| Stripe Payments UK Ltd | Payment processing | United States / Ireland | UK International Data Transfer Agreement / UK Addendum |
| Google LLC (Workspace) | Email, documents, calendar | United States | UK International Data Transfer Agreement / UK Addendum |
| Slack Technologies, LLC | Internal messaging | United States | UK International Data Transfer Agreement / UK Addendum |
| Notion Labs, Inc. | Internal documentation and workspace | United States | UK International Data Transfer Agreement / UK Addendum |
| Datadog, Inc. | Logging and monitoring | United States | UK International Data Transfer Agreement / UK Addendum |
| Attio Ltd | Customer relationship management | United Kingdom / United States | UK International Data Transfer Agreement / UK Addendum for US processing |

Contact

Questions about this DPA: privacy@rivulo.ai
Formal DPA requests (signed copy, amendments, notices): legal@rivulo.ai
Security incident reporting: security@rivulo.ai

Ready to Automate your Operations?

We built Rivulo for people drowning in manual processes — the ones who know their time could be better spent, but don’t have the capacity to learn complex automation tools.


Hand over your first task to Rivulo and feel the difference.
