
Data Processing Agreement

Last Updated: November 7, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer" or "Data Controller") and Stratnetic ("Processor" or "Data Processor") for the processing of personal data under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Agreement Incorporation

By using Stratnetic's services, you agree to the terms of this DPA. This DPA is incorporated into and forms part of our Terms of Service. For enterprise customers requiring a signed DPA, please contact us at legal@stratnetic.com.

Table of Contents

  • 1. Definitions
  • 2. Scope and Applicability
  • 3. Processing of Personal Data
  • 4. Processor Obligations
  • 5. Data Controller Responsibilities
  • 6. Subprocessors
  • 7. Data Subject Rights
  • 8. Security Measures
  • 9. Data Breach Notification
  • 10. Audits and Compliance
  • 11. International Data Transfers
  • 12. Data Deletion and Return
  • 13. Liability and Indemnification
  • 14. Term and Termination
  • 15. Annexes

1. Definitions

For the purposes of this DPA, the following terms have the meanings set forth below:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Stratnetic on behalf of Customer in connection with the Services.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or destruction.
  • "Data Controller" means the entity that determines the purposes and means of Processing Personal Data. In the context of this DPA, the Customer is typically the Data Controller.
  • "Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller. Stratnetic acts as the Data Processor.
  • "Subprocessor" means any third party engaged by Stratnetic to Process Personal Data.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
  • "Data Protection Laws" means all applicable laws and regulations relating to privacy, data protection, and data security, including GDPR, CCPA, and similar laws.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Services" means the services provided by Stratnetic as described in the Terms of Service.
  • "Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Applicability

2.1 Application of DPA

This DPA applies where and to the extent that Stratnetic Processes Personal Data on behalf of Customer in the course of providing Services, and such Personal Data is subject to Data Protection Laws.

2.2 Relationship to Terms of Service

This DPA is supplemental to and forms an integral part of the Terms of Service. In the event of any conflict between this DPA and the Terms of Service regarding the Processing of Personal Data, this DPA shall prevail.

2.3 Duration

This DPA shall remain in effect as long as Stratnetic Processes Personal Data on behalf of Customer, or until terminated in accordance with the Terms of Service.

3. Processing of Personal Data

3.1 Roles and Responsibilities

The parties acknowledge and agree that:

  • Customer is the Data Controller of Personal Data;
  • Stratnetic is the Data Processor acting on behalf of Customer;
  • Stratnetic shall Process Personal Data only on documented instructions from Customer, except where required by applicable law.

3.2 Processing Instructions

Customer instructs Stratnetic to Process Personal Data for the following purposes:

  • Providing the Services as described in the Terms of Service
  • Processing documents through AI-powered analysis tools
  • Matching grant opportunities to organizational profiles
  • Conducting accessibility compliance scans
  • Managing Customer accounts and subscriptions
  • Processing payments and maintaining billing records
  • Providing customer support
  • Complying with legal obligations

3.3 Details of Processing

A detailed description of the Processing activities is set forth in Annex A to this DPA.

3.4 Compliance with Instructions

Stratnetic shall:

  • Process Personal Data only in accordance with Customer's documented instructions;
  • Immediately inform Customer if, in Stratnetic's opinion, an instruction violates Data Protection Laws;
  • Not Process Personal Data for any other purpose unless required by applicable law.

4. Processor Obligations

4.1 Confidentiality

Stratnetic shall ensure that all personnel authorized to Process Personal Data:

  • Are subject to appropriate confidentiality obligations;
  • Have received appropriate training on Data Protection Laws;
  • Process Personal Data only as instructed by Customer or as required by law.

4.2 Security Measures

Stratnetic shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents, as detailed in our Security Statement and Annex B to this DPA.

4.3 Assistance to Customer

Stratnetic shall, taking into account the nature of the Processing, assist Customer by implementing appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer's obligations to respond to requests from Data Subjects.

4.4 Compliance Assistance

Stratnetic shall assist Customer in ensuring compliance with Customer's obligations under Data Protection Laws, including:

  • Security of Processing (GDPR Article 32)
  • Data breach notifications (GDPR Articles 33-34)
  • Data protection impact assessments (GDPR Article 35)
  • Prior consultations with supervisory authorities (GDPR Article 36)

5. Data Controller Responsibilities

5.1 Controller Obligations

Customer shall:

  • Comply with all applicable Data Protection Laws in its use of the Services;
  • Ensure it has all necessary rights and consents to provide Personal Data to Stratnetic for Processing;
  • Provide clear and complete instructions for the Processing of Personal Data;
  • Ensure the accuracy and appropriateness of Personal Data provided;
  • Maintain all necessary notices and obtain all necessary consents for the Processing.

5.2 Processing Instructions

Customer is responsible for:

  • Providing lawful instructions for Processing;
  • Ensuring instructions comply with Data Protection Laws;
  • Updating instructions as necessary;
  • Responding to Data Subject requests and inquiries.

6. Subprocessors

6.1 Authorized Subprocessors

Customer provides general authorization for Stratnetic to engage Subprocessors to Process Personal Data. Current Subprocessors are listed in Annex C to this DPA.

6.2 Current Subprocessors

Stratnetic currently uses the following Subprocessors:

  • OpenAI: AI processing for document analysis and grant matching
  • Stripe: Payment processing and subscription management
  • Cloud Infrastructure Providers: Hosting and data storage
  • Email Service Providers: Transactional email delivery

6.3 Subprocessor Obligations

When engaging Subprocessors, Stratnetic shall:

  • Conduct due diligence to ensure Subprocessor's ability to meet data protection obligations;
  • Impose data protection obligations on Subprocessors that are no less protective than this DPA;
  • Remain fully liable to Customer for the performance of Subprocessor obligations;
  • Enter into written agreements with Subprocessors containing terms substantially similar to this DPA.

6.4 Notification of Changes

Stratnetic shall provide Customer with at least 30 days' prior notice of:

  • Addition of new Subprocessors
  • Replacement of existing Subprocessors

Customer may object to the use of a new Subprocessor on reasonable data protection grounds by notifying Stratnetic within 10 days of notice.

6.5 Objection to Subprocessors

If Customer objects to a Subprocessor, the parties shall work together in good faith to find a commercially reasonable solution. If no solution can be found, Customer may terminate the affected Services without penalty.

7. Data Subject Rights

7.1 Data Subject Requests

Stratnetic shall, to the extent legally permitted and taking into account the nature of the Processing, assist Customer in fulfilling Customer's obligations to respond to Data Subject requests, including:

  • Access to Personal Data
  • Rectification of inaccurate Personal Data
  • Erasure of Personal Data ("right to be forgotten")
  • Restriction of Processing
  • Data portability
  • Objection to Processing
  • Automated decision-making

7.2 Request Handling

If Stratnetic receives a Data Subject request:

  • Stratnetic shall promptly notify Customer of the request;
  • Stratnetic shall not respond to the request except on documented instructions from Customer or as required by applicable law;
  • Customer shall be responsible for responding to the Data Subject request;
  • Stratnetic shall provide reasonable assistance to Customer in responding to the request.

7.3 Fees for Assistance

Stratnetic's assistance with Data Subject requests is included in the Services. However, if Customer requires extensive assistance that exceeds reasonable efforts, Stratnetic may charge reasonable fees for such additional assistance.

8. Security Measures

8.1 Technical and Organizational Measures

Stratnetic implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • Pseudonymization and encryption of Personal Data
  • Ongoing confidentiality, integrity, availability, and resilience of systems
  • Timely restoration of data availability following an incident
  • Regular testing and evaluation of security effectiveness

8.2 Security Standards

Detailed security measures are described in our Security Statement and Annex B to this DPA, including:

  • Data encryption in transit and at rest
  • Access controls and authentication
  • Security monitoring and incident response
  • Regular security assessments and audits
  • Employee security training

8.3 Security Updates

Stratnetic shall review and update security measures regularly to maintain appropriate protection against evolving threats.

9. Data Breach Notification

9.1 Notification Obligation

In the event of a Security Incident, Stratnetic shall:

  • Notify Customer without undue delay and, where feasible, within 72 hours of becoming aware;
  • Provide sufficient information to allow Customer to meet any obligations to report or inform Data Subjects under Data Protection Laws;
  • Take reasonable steps to mitigate the effects and minimize any damage;
  • Provide timely information and cooperation as Customer may reasonably require.

9.2 Breach Information

Stratnetic's notification shall include, to the extent available:

  • Nature of the Security Incident, including categories and approximate number of affected Data Subjects
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the Security Incident
  • Contact point for further information
  • Measures taken to mitigate possible adverse effects

9.3 Investigation and Remediation

Stratnetic shall:

  • Investigate the Security Incident promptly and thoroughly
  • Provide Customer with regular updates on the investigation
  • Take appropriate measures to remediate or mitigate the effects
  • Implement measures to prevent future similar incidents

9.4 Customer Obligations

Customer is responsible for:

  • Notifying supervisory authorities as required by Data Protection Laws
  • Notifying affected Data Subjects as required by Data Protection Laws
  • Determining whether the Security Incident requires notification under applicable law

10. Audits and Compliance

10.1 Audit Rights

Stratnetic shall make available to Customer all information necessary to demonstrate compliance with obligations under this DPA and Data Protection Laws.

10.2 Information Requests

Customer may request information about Stratnetic's compliance with this DPA by contacting legal@stratnetic.com. Stratnetic shall respond to reasonable requests within 30 days.

10.3 On-Site Audits

Upon reasonable written notice and subject to confidentiality obligations, Customer may conduct audits or inspections to verify Stratnetic's compliance with this DPA, provided that:

  • Such audits are conducted no more than once per year, except in case of a Security Incident
  • Audits are conducted during normal business hours
  • Audits do not unreasonably interfere with Stratnetic's business operations
  • Customer bears all costs associated with such audits

10.4 Third-Party Audit Reports

In lieu of on-site audits, Stratnetic may provide Customer with:

  • SOC 2 Type II reports (for infrastructure providers)
  • Third-party security assessment reports
  • ISO 27001 certificates
  • Other relevant compliance certifications

11. International Data Transfers

11.1 Data Storage Location

Personal Data is primarily stored and processed in data centers located in the United States.

11.2 Transfer Mechanisms

For transfers of Personal Data from the European Economic Area (EEA) to countries not deemed to provide adequate protection under GDPR, Stratnetic relies on appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): EU-approved SCCs as set forth in Annex D
  • Additional Safeguards: Technical and organizational measures as described in Annex B
  • Data Minimization: Processing only necessary Personal Data

11.3 UK and Swiss Transfers

For transfers from the UK and Switzerland, Stratnetic complies with applicable addendums to the Standard Contractual Clauses.

11.4 Changes to Transfer Mechanisms

If changes in law or regulatory guidance affect the adequacy of data transfer mechanisms, Stratnetic shall work with Customer to implement alternative compliant mechanisms.

12. Data Deletion and Return

12.1 Data Deletion

Upon termination or expiration of the Services, or upon Customer's written request, Stratnetic shall:

  • Delete all Personal Data in its possession or control within 90 days;
  • Ensure that any Subprocessors delete all Personal Data;
  • Certify in writing to Customer that such deletion has occurred.

12.2 Data Return

Prior to deletion, Customer may request return of Personal Data in a commonly used format. Stratnetic shall use commercially reasonable efforts to return the data within 30 days of the request.

12.3 Exceptions

Stratnetic may retain Personal Data to the extent required by applicable law, provided that Stratnetic shall:

  • Isolate and protect such Personal Data from further Processing
  • Maintain confidentiality
  • Only Process to the extent required by law
  • Delete when the legal retention obligation expires

12.4 Zero-Retention Processing

For documents processed through our AI tools with zero-retention enabled:

  • Documents are automatically deleted immediately after processing
  • No manual deletion request is required
  • Only explicitly saved results are retained in Customer's account

13. Liability and Indemnification

13.1 Limitation of Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except where Data Protection Laws prohibit such limitations.

13.2 Processor Liability

Stratnetic shall be liable only for damages caused by Processing that:

  • Violates obligations specifically directed to Data Processors under Data Protection Laws, or
  • Acts outside or contrary to lawful instructions from Customer

13.3 Indemnification

Stratnetic shall indemnify and hold harmless Customer from and against claims arising from Stratnetic's breach of this DPA, except to the extent caused by Customer's failure to comply with its obligations.

14. Term and Termination

14.1 Term

This DPA shall commence on the date Customer first uses the Services and shall remain in effect until termination of all Services or until all Personal Data has been deleted or returned, whichever is later.

14.2 Termination

Either party may terminate this DPA:

  • Upon termination of the Terms of Service
  • If the other party materially breaches this DPA and fails to cure within 30 days of written notice
  • If required by Data Protection Laws or supervisory authority

14.3 Effect of Termination

Upon termination:

  • Stratnetic shall cease all Processing of Personal Data
  • Stratnetic shall delete or return Personal Data as described in Section 12
  • Obligations regarding confidentiality, security, and deletion shall survive

15. Annexes

The following annexes form an integral part of this DPA:

Annex A: Details of Processing

Subject Matter: Processing of Personal Data in connection with Stratnetic's AI-powered document analysis, grant matching, and compliance scanning services

Duration: The term of the Services as set forth in the Terms of Service

Nature and Purpose:

  • Account management and authentication
  • Processing documents through AI analysis
  • Generating grant recommendations
  • Conducting accessibility compliance scans
  • Payment processing and billing
  • Customer support and service delivery

Types of Personal Data:

  • Contact information (name, email, phone)
  • Organization information
  • Account credentials
  • Payment information
  • Usage data and analytics
  • Documents and content uploaded by Customer
  • IP addresses and device information

Categories of Data Subjects:

  • Customer's employees and representatives
  • Customer's clients or constituents (if included in uploaded documents)
  • Users authorized by Customer to access the Services

Annex B: Technical and Organizational Security Measures

Detailed security measures are provided in our Security Statement and include:

Technical Measures

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Network security (firewalls, IDS/IPS, DDoS protection)
  • Regular security patching and updates
  • Secure software development lifecycle
  • Regular vulnerability scanning and penetration testing

Organizational Measures

  • Information security policies and procedures
  • Employee confidentiality agreements
  • Security awareness training
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Regular security audits and assessments

Annex C: List of Subprocessors

| Subprocessor | Service | Location | Purpose |
|---|---|---|---|
| OpenAI | AI Processing | United States | Document analysis, grant matching, and AI-powered features |
| Stripe | Payment Processing | United States | Payment processing and subscription management |
| Cloud Infrastructure Provider | Hosting | United States | Infrastructure hosting and data storage |
| Email Service Provider | Communications | United States | Transactional email delivery |

Note: This list may be updated from time to time. Customers will be notified of changes as described in Section 6.4 of this DPA.

Annex D: Standard Contractual Clauses

For transfers of Personal Data from the EEA, UK, or Switzerland, the parties agree to be bound by the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), as applicable and as supplemented by this DPA.

Full Standard Contractual Clauses

The complete Standard Contractual Clauses are incorporated by reference into this DPA. Enterprise customers may request a fully executed copy by contacting legal@stratnetic.com.


Questions About This DPA

For questions about this Data Processing Agreement or to request an enterprise-specific DPA:

Email: legal@stratnetic.com
Subject: "DPA Inquiry"
Privacy: privacy@stratnetic.com


This Data Processing Agreement is effective as of November 7, 2025 and is incorporated into Stratnetic's Terms of Service. By using our services, you agree to the terms of this DPA.


© 2026 Stratnetic LLC. All rights reserved.
