Data Processing Agreement
Labirinto Inc.
Last updated: March 2026
This Data Processing Agreement (“DPA”) applies when Labirinto Inc. (“Labirinto”) processes personal data on behalf of a customer (“Customer”) in connection with the provision of its Services. This DPA forms part of the agreement between Labirinto and the Customer and is subject to the Terms of Service and Privacy Policy.
1. Roles
For the purposes of this DPA and applicable data protection laws, the parties assume the following roles:
- Data Controller: Customer. Determines the purposes and means of processing personal data.
- Data Processor: Labirinto. Processes personal data solely on documented instructions from the Customer.
2. Scope
Labirinto processes personal data strictly to the extent necessary for the following purposes:
- Providing AI-powered tools, APIs, and platform functionality as agreed with the Customer
- Supporting platform operations, reliability, and security
- Fulfilling legal obligations applicable to Labirinto as a processor
Any processing beyond these purposes requires prior documented instruction from the Customer or applicable legal obligation.
3. Obligations
Labirinto, acting as a data processor, will:
- Follow instructions — process personal data only on documented instructions from the Customer, unless required otherwise by applicable law
- Ensure confidentiality — bind all personnel authorized to process personal data to confidentiality obligations
- Implement security measures — apply appropriate technical and organizational measures as described in Section 7
- Assist with data subject requests — support the Customer in responding to requests from data subjects as described in Section 6
- Notify of data breaches — inform the Customer without undue delay upon becoming aware of a personal data breach, providing information sufficient to fulfill notification obligations
- Assist with compliance — provide reasonable assistance in conducting data protection impact assessments where required
4. Subprocessors
Labirinto may engage third-party subprocessors (such as cloud infrastructure providers, hosting services, and analytics tools) to assist in providing the Services. Labirinto will:
- Impose data protection obligations on subprocessors no less protective than those in this DPA
- Remain liable to the Customer for subprocessor acts and omissions
- Inform Customers of any intended changes to subprocessors via policy updates or direct notification
Customers who object to a new subprocessor may notify Labirinto at privacy@labirinto.ai. Labirinto will work in good faith to resolve such objections.
5. International Transfers
Where personal data is transferred outside the European Economic Area, the United Kingdom, or Brazil, Labirinto will ensure such transfers are protected by appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Equivalent mechanisms under UK GDPR and Brazil's LGPD
- Adequacy decisions where applicable
6. Data Subject Rights
Labirinto will provide reasonable assistance to enable the Customer to fulfill its obligations in responding to data subject requests, including:
- Access requests — providing copies of personal data held
- Deletion requests — erasing personal data as instructed
- Portability requests — exporting data in a structured, machine-readable format
- Restriction and objection — supporting Customer-directed restrictions on processing
Where Labirinto receives data subject requests directly, it will promptly redirect the request to the Customer unless prohibited by law.
7. Security
Labirinto implements technical and organizational measures appropriate to the risk, including:
- Encryption — data encrypted in transit (TLS) and at rest
- Access control — role-based access with least-privilege principles
- Monitoring systems — continuous security monitoring and anomaly detection
- Incident response — documented procedures for breach identification and notification
- Vendor assessments — regular review of subprocessor security posture
8. Data Deletion
Upon termination of the agreement or upon Customer instruction, Labirinto will, at the Customer's election:
- Securely delete all personal data processed on behalf of the Customer, or
- Return personal data to the Customer in a portable format
Labirinto may retain personal data beyond termination only to the extent required by applicable law, and only for as long as legally necessary. Any retained data remains subject to the obligations of this DPA.
9. Liability
Each party is responsible for its own acts and omissions in connection with personal data processing. Liability between the parties is allocated in accordance with applicable data protection law and the governing agreement.
Where a data subject suffers damage and brings a claim against Labirinto as processor, Labirinto may be exempt from liability if it can demonstrate it was not at fault for the event giving rise to the damage.
10. Governing Law
This DPA is governed by the laws of the State of Delaware, United States, except where applicable data protection law (such as GDPR or LGPD) mandates otherwise, in which case those laws will apply to the extent of the conflict.
11. Contact
For questions related to this DPA, data processing activities, or to submit Customer instructions, contact our Privacy team: