Data Processing Agreement

Effective date: March 9, 2026

1. Scope & Parties

This Data Processing Agreement ("DPA") supplements our Terms of Service and Privacy Policy and applies where Number One Son Software ("Processor", "we") processes personal data on behalf of you ("Controller", "you") in connection with MultiPowerAI services. This DPA complies with Article 28 of the GDPR and equivalent data protection laws.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4.

"Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.

"Sub-processor" means a third party engaged by us to process Personal Data on your behalf.

"Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data.

3. Processing Details

Subject matter: Provision of AI agent trust, identity, and commerce platform services.

Duration: For the term of your service agreement plus 30 days for deletion.

Nature and purpose: Authentication, trust scoring, identity verification, transaction processing, attestation generation, and API service delivery.

Categories of data subjects: Your employees, contractors, and end users who interact with your AI agents.

Types of Personal Data: Email addresses, names, IP addresses, API usage logs, payment information (processed by Stripe), and KYC verification results.

4. Processor Obligations

We shall: process Personal Data only on your documented instructions (including those in the Terms of Service); ensure persons authorized to process data are bound by confidentiality; implement appropriate technical and organizational security measures; not engage sub-processors without your prior general authorization (listed below); assist you in responding to data subject rights requests; delete or return all Personal Data at your choice upon termination; make available all information necessary to demonstrate compliance; and allow and contribute to audits conducted by you or an auditor you mandate (with reasonable notice).

5. Security Measures

We implement: encryption in transit (TLS 1.2+) and at rest; SHA-256 hashing of secret keys; access controls with API key authentication; rate limiting and abuse detection; regular security reviews; infrastructure on SOC 2 compliant hosting (Vercel); database encryption on Neon PostgreSQL; and incident response procedures.

6. Sub-processors

You provide general authorization for the following sub-processors. We will notify you before adding new sub-processors, giving you 30 days to object.

Vercel Inc. — Application hosting and edge network (USA).

Neon Inc. — PostgreSQL database hosting (USA).

Stripe Inc. — Payment processing and identity verification (USA).

Coinbase Inc. — Cryptocurrency payment processing (USA).

OpenRouter — AI model inference routing (USA).

Each sub-processor is bound by data protection obligations no less protective than this DPA.

7. International Transfers

Personal Data is primarily processed in the United States. For transfers from the EEA/UK, we rely on: Standard Contractual Clauses (SCCs) as adopted by the European Commission; sub-processors' own GDPR compliance mechanisms (Stripe and Vercel maintain EU SCCs); and supplementary technical measures (encryption, pseudonymization).

8. Data Breach Notification

Upon becoming aware of a Data Breach, we shall: notify you without undue delay and in any event within 72 hours; provide details including nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach. We will cooperate with your own breach notification obligations.

9. Data Subject Rights

We will assist you in fulfilling data subject requests (access, rectification, erasure, restriction, portability, objection) by: providing technical capabilities to export or delete data; responding to your instructions within 10 business days; and not responding directly to data subjects unless instructed by you.

10. Blockchain Data Limitation

Both parties acknowledge that data published to Base L2 blockchain (attestation hashes, soulbound NFT metadata) is technically irreversible. The Controller is responsible for ensuring no Personal Data (as defined by GDPR) is included in data submitted for on-chain publication. The Processor will provide clear warnings before any on-chain operation.

11. Term & Termination

This DPA is effective for the duration of the underlying service agreement. Upon termination, we will delete all Personal Data within 30 days, except: data required for legal compliance (retained per our retention schedule); and blockchain data which cannot be deleted due to technical immutability.

12. Contact

Data Protection Contact: privacy@multipowerai.com

Number One Son Software — MultiPowerAI

To execute a signed DPA, contact sales@multipowerai.com with subject "DPA Request".
