Data Processing Agreement

Effective date: April 9, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Alfred Roger Michael Jones, trading as AccessLayer ("AccessLayer") and the customer entity or person using the Services ("Customer").

This DPA applies where AccessLayer processes Personal Data on behalf of Customer in connection with the Services.

Roles

Customer is the controller or processor, as applicable, of Personal Data submitted to the Services.

AccessLayer acts as a processor or subprocessor, as applicable, when processing Personal Data on Customer's behalf to provide the Services.

Subject Matter and Duration

The subject matter of processing is the provision of the AccessLayer Services, including connector access, data retrieval, temporary caching, analytics workflows, dashboarding, query execution, AI-assisted features, support, security, and related operations.

Processing continues for the duration of the applicable customer agreement and for any limited post-termination period required for deletion, backup cycling, legal retention, security, or dispute resolution.

Nature and Purpose of Processing

AccessLayer processes Personal Data only to:

• provide, maintain, and secure the Services;
• retrieve and process Customer-authorized third-party data;
• host, cache, store, organize, analyze, transmit, and display Customer Data;
• provide AI-assisted features requested by Customer users;
• prevent abuse and maintain reliability; and
• provide support and comply with law.

Categories of Data and Data Subjects

Categories of Personal Data may include:

• user account and profile data;
• identifiers and contact details;
• authentication and session data;
• connector configuration data;
• content contained in connected data sources;
• prompts, query text, results, dashboards, and chat history; and
• usage, telemetry, and support data.

Data subjects may include Customer's employees, contractors, agents, end users, customers, prospects, suppliers, and other persons whose data Customer chooses to process through the Services.

Customer Instructions

AccessLayer will process Personal Data only on documented instructions from Customer, including as reflected in the customer agreement, use of the Services, support requests, and configuration choices made by Customer and its authorized users.

Customer instructs AccessLayer to use subprocessors, including AI providers, hosting providers, database providers, payment providers, support providers, analytics providers, and security providers, where reasonably necessary to provide the Services.

Confidentiality

AccessLayer will ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.

Security Measures

AccessLayer will implement reasonable technical and organizational measures designed to protect Personal Data, taking into account the nature of the processing and the risks involved.

These measures may include encryption in transit, encryption at rest, access controls, backups, incident response processes, and related safeguards.

Subprocessors

Customer authorizes AccessLayer to engage subprocessors.

AccessLayer may maintain a separate subprocessor list and may update subprocessors from time to time. AccessLayer will remain responsible for the performance of its subprocessors to the extent required by applicable law and contract.

Subprocessor categories may include:

• cloud hosting and infrastructure;
• DNS and networking;
• database, storage, and caching;
• authentication and identity;
• email delivery;
• payments and billing;
• analytics, telemetry, and error monitoring; and
• AI model and routing providers.

International Transfers

Customer authorizes AccessLayer and its subprocessors to process Personal Data in jurisdictions where they operate, subject to lawful transfer mechanisms where required.

Assistance

Taking into account the nature of the processing and information available to AccessLayer, AccessLayer will provide reasonable assistance to Customer with:

• data subject requests;
• security incident response;
• data protection impact assessments; and
• consultations with regulators,

to the extent required by applicable law and to the extent Customer cannot reasonably fulfill those obligations without AccessLayer's assistance.

Security Incidents

AccessLayer will notify Customer without undue delay after becoming aware of a confirmed Security Incident affecting Personal Data processed under this DPA, and will provide reasonably available information to assist Customer in meeting applicable obligations.

A Security Incident does not include unsuccessful attempts or events that do not materially compromise Personal Data.

Deletion and Return

Upon termination of the Services or Customer's request, AccessLayer will delete or return Personal Data in accordance with the Services configuration and retention practices, unless retention is required by law or reasonably necessary for security, billing, fraud prevention, or dispute resolution.

AccessLayer generally aims to delete customer content from active systems within 30 days and from backups or residual systems within up to 90 days.

Audit Information

AccessLayer will provide reasonable information about its privacy and security practices upon written request, subject to confidentiality, proportionality, and operational burden. Any audit rights will be limited to reasonable and appropriate methods, such as documentation review, questionnaires, or summaries, unless otherwise required by law or separately agreed.

Liability

This DPA is subject to the liability limitations in the main customer agreement, and does not independently expand liability.

Contact

Privacy requests relating to this DPA may be sent to alfie@accesslayer.ai.