Data Processing Agreement

1. Introduction and Scope

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between AscendCore, Inc. (“Processor”) and the Customer (“Controller”) and governs the processing of Personal Data by ascendcore.ai on behalf of the Customer in connection with the Services.

This DPA applies where ascendcore.ai processes Personal Data that is subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), or any other applicable data protection legislation (collectively, “Data Protection Laws”).

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

2. Definitions

In this DPA, the following terms have the meanings given below:

• “Controller” means the Customer, who determines the purposes and means of processing Personal Data.
• “Processor” means AscendCore, Inc., which processes Personal Data on behalf of the Controller.
• “Personal Data” means any information relating to an identified or identifiable natural person that is submitted to the Services by or on behalf of the Controller.
• “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
• “Data Subject” means the individual to whom Personal Data relates (typically, the Customer's employees or end users).
• “Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data.
• “Sub-processor” means any third party engaged by ascendcore.ai to process Personal Data in connection with the Services.
• “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries as approved by the European Commission.

3. Roles and Responsibilities

The parties acknowledge that with respect to Personal Data processed through the Services:

• The Customer is the Controller and determines the purposes and means of processing.
• ascendcore.ai is the Processor and processes Personal Data solely on the documented instructions of the Controller.

Each party shall comply with its respective obligations under applicable Data Protection Laws. The Controller is responsible for: (a) ensuring it has a lawful basis for processing and for sharing Personal Data with ascendcore.ai; (b) providing required notices to Data Subjects; and (c) ensuring that its instructions to ascendcore.ai comply with applicable law.

4. Processing Instructions

ascendcore.ai shall process Personal Data only on documented instructions from the Controller, which are set out in this DPA and the Terms of Service, unless required to do otherwise by applicable law. In such case, ascendcore.ai shall inform the Controller of that legal requirement before processing unless prohibited by law.

The nature, purpose, and subject matter of processing under this DPA is as follows:

• Nature: Storage, retrieval, analysis, and automated action on IT help desk data to resolve Tier-1 tickets
• Purpose: Delivery of the ascendcore.ai IT automation platform services
• Types of Personal Data: Employee identifiers (name, email, employee ID), IT ticket content, device identifiers, authentication and access log data
• Categories of Data Subjects: Customer's employees, contractors, and end users who submit IT support requests
• Duration: For the term of the Services agreement, subject to Section 9 (Retention and Deletion)

5. Confidentiality and Personnel

ascendcore.ai shall ensure that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations (whether contractual or statutory). Access to Personal Data is restricted to personnel who require it to provide the Services and is governed by role-based access controls and the principle of least privilege.

6. Security Measures

ascendcore.ai shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, at minimum:

• Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Isolation: Single-tenant architecture — each customer's data is logically and physically separated
• Access Control: Multi-factor authentication, RBAC, and privileged access management
• Monitoring: Continuous security monitoring, intrusion detection, and anomaly alerting
• Vulnerability Management: Regular penetration testing, patch management, and security assessments
• Incident Response: Documented incident response plan with defined escalation procedures
• Business Continuity: Redundant infrastructure and disaster recovery procedures

ascendcore.ai is on a structured path to SOC 2 Type II certification. Upon request, ascendcore.ai will provide the Controller with relevant evidence of security controls (e.g., audit reports, certifications) subject to confidentiality obligations.

7. Sub-processors

The Controller provides general authorization to ascendcore.ai to engage Sub-processors, subject to the conditions in this Section. ascendcore.ai maintains a current list of Sub-processors and will notify the Controller of any intended changes (additions or replacements) with at least 14 days' advance notice, giving the Controller the opportunity to object.

Current Sub-processors include the following categories of providers:

• Cloud infrastructure — hosting and storage of Customer Data in isolated tenant environments
• AI/ML services — used solely for intent classification (ticket triage); no Customer Data is retained by these providers beyond the immediate API call
• Email delivery — transactional notifications only; no Customer IT operational data is transmitted
• Security monitoring — log analysis and threat detection using anonymized or pseudonymized data

ascendcore.ai shall impose data protection obligations on all Sub-processors equivalent to those set out in this DPA and shall remain liable to the Controller for the performance of Sub-processors' obligations.

8. Data Subject Rights

ascendcore.ai shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures to fulfill the Controller's obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, portability, objection, and restriction).

If ascendcore.ai receives a request directly from a Data Subject, it will promptly forward the request to the Controller and will not respond to the Data Subject directly unless instructed by the Controller or required by law.

9. Retention and Deletion

ascendcore.ai does not retain Customer IT operational data beyond what is necessary to provide the Services. Specifically:

• Active processing data: Ticket content and associated Personal Data is retained only for the duration of the active automation workflow, after which it is deleted from processing systems
• Audit logs: Action logs (required for compliance and ITSM write-back) are retained for the duration of the contract
• Post-termination: Upon termination of the Services, Customer Data will be made available for export for 30 days, after which ascendcore.ai will securely delete all Customer Data and provide written confirmation upon request

The Controller may request deletion of specific Personal Data at any time by contacting legal@ascendcore.ai. ascendcore.ai will action such requests within 30 days.

10. Security Incidents

In the event of a confirmed Security Incident affecting Personal Data, ascendcore.ai shall:

• Notify the Controller without undue delay and no later than 72 hours after becoming aware of the incident
• Provide the Controller with sufficient information to meet any applicable breach notification obligations, including: (a) nature of the incident; (b) categories and approximate number of Data Subjects affected; (c) categories and approximate volume of Personal Data affected; (d) measures taken or proposed to address the incident
• Cooperate with the Controller and take reasonable steps to investigate, mitigate, and remediate the incident

Notification shall be sent to the Controller's designated security contact or, if none, the primary account email address.

11. Data Protection Impact Assessments

To the extent required under applicable Data Protection Laws, ascendcore.ai shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) and, where required, prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to ascendcore.ai.

12. International Data Transfers

ascendcore.ai is headquartered in the United States. To the extent the Services involve the transfer of Personal Data from the EEA, UK, or Switzerland to the United States or other countries not deemed adequate by the relevant authorities, the parties agree that such transfers are governed by the Standard Contractual Clauses (SCCs) as adopted by the European Commission, which are incorporated herein by reference.

The applicable module of the SCCs is Module Two (Controller to Processor). For UK transfers, the UK International Data Transfer Addendum applies. For Swiss transfers, the Swiss Federal Act on Data Protection requirements apply.

ascendcore.ai will implement additional safeguards as may be required following a transfer impact assessment and will inform the Controller of any inability to comply with the SCCs or applicable transfer requirements.

13. Audits and Compliance

ascendcore.ai shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Upon 30 days' written notice (and no more than once per year unless a Security Incident has occurred), ascendcore.ai will allow for and contribute to audits conducted by the Controller or an independent auditor mandated by the Controller, subject to:

• The auditor being subject to confidentiality obligations acceptable to ascendcore.ai
• The audit not materially disrupting ascendcore.ai's operations
• The Controller bearing the costs of any audit it requests

As an alternative to an on-site audit, ascendcore.ai may satisfy this obligation by providing relevant third-party audit reports (e.g., SOC 2) or security certifications, subject to confidentiality.

14. CCPA Provisions

To the extent the CCPA applies, ascendcore.ai acts as a “Service Provider” (as defined by the CCPA) with respect to Personal Information processed under this DPA. ascendcore.ai shall not:

• Sell or share Personal Information as defined under the CCPA
• Retain, use, or disclose Personal Information for any purpose other than the business purpose specified in the Terms of Service
• Retain, use, or disclose Personal Information outside of the direct business relationship between ascendcore.ai and the Controller

15. Term and Termination

This DPA is effective for as long as ascendcore.ai processes Personal Data on behalf of the Controller and shall automatically terminate upon termination of the Terms of Service. Obligations under this DPA that by their nature should survive (including confidentiality, security, and deletion obligations) shall survive termination.

16. Contact

For any questions regarding this DPA or data processing matters, please contact:

• Email: legal@ascendcore.ai
• Company: AscendCore, Inc.

Customers requiring a countersigned DPA for their procurement or compliance process may request one by emailing legal@ascendcore.ai.