Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the master services agreement ("Agreement") between the customer ("Controller") and Physicore Ltd, operator of the Kleum platform ("Processor"), and applies to the extent Processor processes personal data on behalf of Controller in delivering the services. Capitalised terms not defined here have the meanings given in the UK GDPR, the EU GDPR, or the Agreement.

1. Subject matter, duration, nature, and purpose

Subject matter: production of physical-AI training data, including egocentric capture, teleoperation, annotation, quality review, and delivery. Duration: the term of the Agreement plus any agreed wind-down period. Nature and purpose: as described in the applicable order form or statement of work.

2. Types of data and categories of data subjects

Personal data: contributor identifiers, contractor records, and any personal data incidental to or contained within captured material as defined in the brief. Categories of data subjects: Controller's personnel and end users, Kleum contributors, and incidental third parties present in captured environments.

3. Processor obligations

• Process personal data only on documented instructions from Controller.
• Ensure that personnel authorised to process personal data are bound by confidentiality obligations and trained appropriately.
• Implement and maintain appropriate technical and organisational measures (see Annex II), including encryption in transit and at rest, role-based access controls, audit logging, and segregated environments.
• Assist Controller in responding to data subject requests, in carrying out data protection impact assessments, and in consulting supervisory authorities where required.
• Notify Controller without undue delay (and in any event within 72 hours) on becoming aware of a personal data breach affecting Controller data.

4. Subprocessors

Controller authorises the engagement of subprocessors listed at kleum.com/legal/dpa/subprocessors, and any replacement or additional subprocessors notified to Controller with at least 30 days' notice. Controller may object on reasonable, documented grounds within the notice period; the parties will work in good faith to resolve the objection or terminate the affected services without penalty. Processor remains liable for the acts and omissions of its subprocessors.

5. International transfers

Where personal data is transferred outside the UK or EEA to a country without an adequacy decision, the parties will implement the UK International Data Transfer Agreement, the EU Standard Contractual Clauses (Module Two or Three as applicable), or another lawful transfer mechanism, together with any supplementary measures required by applicable guidance.

6. Audit

Processor will make available all information reasonably necessary to demonstrate compliance with Article 28 GDPR, including independent certifications and audit reports. Controller may carry out audits, including inspections, no more than once per 12 months (save where required by a regulator or following a confirmed material breach), on reasonable advance notice and subject to confidentiality.

7. Return and deletion

On termination of the services, Processor will, at Controller's choice, return or securely delete all personal data processed on its behalf, unless retention is required by law, in which case Processor will continue to protect the data and process it only for the retention purpose.

8. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement, save that nothing in the Agreement limits either party's liability for fines imposed by a competent supervisory authority or for losses suffered by data subjects in each case attributable to that party's breach of applicable data protection law.

9. Conflict and signature

In the event of conflict between this DPA and the Agreement, this DPA prevails in respect of the processing of personal data. A signed counterpart of this DPA is available on request.

10. Contact

To request a signed copy or to raise a data protection matter, email contact@kleum.com.