EXHIBIT B
DATA PROCESSING ADDENDUM
to the Master Service Agreement between Wisdom Agent Inc. and Client
This Data Processing Addendum ("DPA") is incorporated into and forms part of the Master Service Agreement ("MSA") between Wisdom Agent Inc. ("Provider") and the entity identified as Client in the MSA ("Client"). Capitalized terms not defined in this DPA have the meanings given in the MSA.
This DPA reflects the parties' agreement regarding the processing of Personal Data by Provider on behalf of Client in connection with the Service, as required by Applicable Data Protection Law.
1. DEFINITIONS
- "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including GDPR, the UK GDPR, the Swiss Federal Act on Data Protection (revised nFADP, effective September 1, 2023), CCPA/CPRA, and any other applicable state, national, or international data protection legislation.
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Provider on behalf of Client in connection with the Service, including any Personal Data contained within Documents and Source Materials submitted for verification.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Processor" means the entity that processes Personal Data on behalf of the Controller.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to controllers and processors established in third countries, covering transfers between controllers and processors and between processors and sub-processors, as approved by the European Commission in Decision 2021/914 (as updated or replaced from time to time).
- "Sub-processor" means any third party engaged by Provider to process Personal Data on behalf of Client.
- "UK GDPR" means the GDPR as retained in United Kingdom law pursuant to the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
2. ROLES AND SCOPE OF PROCESSING
2.1 Client is the Controller and Provider is the Processor with respect to Personal Data processed under this DPA.
2.2 Provider shall process Personal Data only on behalf of Client and only in accordance with Client's documented instructions as set forth in this DPA and the MSA. The parties agree that the MSA (including this DPA) constitutes Client's primary documented instructions to Provider regarding the processing of Personal Data. Client may issue additional written instructions consistent with the terms of this DPA and the MSA.
2.3 If Provider believes that an instruction from Client infringes Applicable Data Protection Law, Provider shall promptly notify Client and shall not be required to carry out the instruction until Client has confirmed or modified it.
2.4 Provider shall not process Personal Data for any purpose other than performing the verification services described in Section 2 of the MSA.
3. DETAILS OF PROCESSING
3.1 Subject Matter and Duration
The subject matter of the processing is the provision of document verification services as described in the MSA. The duration of the processing is the term of the MSA plus any period required for deletion or return of Personal Data as specified in this DPA.
3.2 Nature and Purpose of Processing
Provider processes Personal Data contained in Documents and Source Materials submitted by Client solely to perform the verification analysis requested by Client. Processing activities include: (a) receiving and loading Documents and Source Materials into working memory; (b) transmitting document content to the Anthropic API for verification analysis; (c) assembling and returning verification results (Verified Outputs and Audit Trails) to Client; and (d) discarding all document content from memory upon completion of the verification run.
3.3 Types of Personal Data
Personal Data processed may include any personal data contained within Documents and Source Materials submitted by Client for verification, which may include but is not limited to: names, addresses, contact information, identification numbers, financial information, employment information, health information (if submitted by Client, subject to the conditions in Section 3.5 below), and any other personal data present in legal documents.
3.4 Categories of Data Subjects
Data subjects may include any individuals whose personal data is contained within Documents and Source Materials, which may include but is not limited to: Client's clients, counterparties, employees, officers, directors, beneficiaries, witnesses, and other individuals referenced in legal documents.
3.5 Special Category Data
To the extent that Documents or Source Materials submitted by Client contain health data or other special categories of personal data within the meaning of Article 9(1) of the GDPR, Client, as Controller, represents and warrants that: (a) an applicable condition under Article 9(2) of the GDPR (or equivalent provision under other Applicable Data Protection Law) exists for such processing; (b) Client has identified and documented the applicable Article 9(2) condition prior to submitting such data to the Service; and (c) Client shall provide Provider with written confirmation of the applicable Article 9(2) condition upon request. Client shall not submit special category data to the Service unless and until Client has confirmed that an applicable Article 9(2) condition is satisfied.
4. PROVIDER OBLIGATIONS
4.1 Documented Instructions. Provider shall process Personal Data only in accordance with Client's documented instructions, unless required to do otherwise by Applicable Data Protection Law, in which case Provider shall inform Client of that legal requirement before processing (unless prohibited by law from doing so).
4.2 Confidentiality. Provider shall ensure that all persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Provider's confidentiality obligations under Section 7 of the MSA apply to all Personal Data processed under this DPA.
4.3 Security Measures. Provider shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, as described in Schedule 2 to this DPA. These measures include:
- Encryption of Personal Data in transit using TLS 1.2 or higher for all connections (Client to AMARI, AMARI to Anthropic API);
- In-memory-only processing of document content — no document content is written to persistent storage (disk, database, or file system) at any point during or after the verification run;
- No logging of document content — usage logs contain metadata only (timestamps, page counts, quality scores, practice area used) and never document text;
- Access controls limiting employee and contractor access to systems on a need-to-know basis;
- Encrypted storage of authentication credentials;
- Incident response procedures for security events;
- Employee training on data protection and confidentiality obligations.
4.4 Sub-processing. Provider shall not engage any Sub-processor to process Personal Data without Client's prior authorization, subject to the terms of Section 7 of this DPA.
4.5 Data Subject Rights Assistance. Taking into account the nature of the processing, Provider shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, data portability, objection, and the right not to be subject to solely automated decision-making under Article 22 of the GDPR (to the extent applicable to the processing activities performed under this DPA). If Provider receives a request from a Data Subject directly, Provider shall promptly redirect the Data Subject to Client and notify Client of the request, unless otherwise prohibited by law. Provider shall not respond to a Data Subject request directly except on Client's documented instructions.
4.6 Data Protection Impact Assessments and Controller Notification Assistance. Provider shall provide reasonable assistance to Client with any data protection impact assessments and prior consultations with supervisory authorities that Client is required to carry out under Articles 35 and 36 of the GDPR (or equivalent provisions under other Applicable Data Protection Law), taking into account the nature of the processing and the information available to Provider.
In addition, as required by Article 28(3)(f) of the GDPR, Provider shall assist Client in fulfilling Client's obligations under Articles 33 and 34 of the GDPR, including: (a) providing Client with the information necessary for Client to notify the competent supervisory authority of a Personal Data Breach in accordance with Article 33 of the GDPR; and (b) providing Client with the information necessary for Client to communicate a Personal Data Breach to affected Data Subjects in accordance with Article 34 of the GDPR. Such assistance shall be provided promptly and in accordance with the notification timelines set out in Section 5 of this DPA.
4.7 Deletion and Return. Upon termination or expiration of the MSA, or upon Client's earlier written request, Provider shall, at Client's election, delete or return all Personal Data to Client and delete existing copies, in accordance with Article 28(3)(g) of the GDPR, unless Applicable Data Protection Law requires retention of the Personal Data. With respect to document content: because Provider processes documents in memory only and does not retain document content after the verification run completes (per Section 7.3 of the MSA), no document content exists for deletion or return after the verification run. Account information and usage metadata shall be deleted within 30 days of termination or expiration of the MSA, or within 30 days of Client's earlier written request during the term, as specified in Section 7.7(c) of the MSA. Provider shall certify deletion in writing upon Client's request.
4.8 Audit Rights. Provider shall make available to Client all information necessary to demonstrate compliance with the obligations laid down in Article 28(3)(h) of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by Client or a qualified third-party auditor mandated by Client. Provider shall immediately inform Client if, in Provider's opinion, an instruction under this Section 4.8 infringes Applicable Data Protection Law.
Audits shall be conducted as follows:
- Client shall provide at least 30 days' prior written notice of any audit request, unless a shorter period is required by a supervisory authority or necessitated by a Personal Data Breach;
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with Provider's operations;
- Client shall bear its own costs of any audit, except that Provider shall bear the costs of any audit triggered by Provider's breach of this DPA;
- The auditor shall be bound by confidentiality obligations at least as protective as those in Section 7 of the MSA;
- Client may conduct no more than one audit per calendar year, unless additional audits are required by a supervisory authority or are necessitated by a Personal Data Breach;
- Provider may satisfy audit requests by providing relevant certifications, audit reports, or SOC 2 reports, which Client agrees to accept in lieu of an on-site audit unless Client has reasonable grounds to believe that such reports are insufficient or such reports are not available, in which case Client retains the right to conduct an on-site audit.
5. PERSONAL DATA BREACH NOTIFICATION
5.1 Provider shall notify Client without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. Provider acknowledges that applicable US state breach notification laws (including, without limitation, California Civil Code §1798.82) may impose additional or different notification obligations on Client as Controller. Provider shall cooperate with and assist Client in meeting any such US state breach notification obligations, including by providing timely information necessary for Client to comply with applicable state law notification timelines and content requirements.
5.2 The notification shall include, to the extent known at the time of notification:
- A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- The name and contact details of Provider's data protection officer where applicable, or of another contact point where more information can be obtained;
- A description of the likely consequences of the Personal Data Breach;
- A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
5.3 Where it is not possible to provide all information at the same time, Provider shall provide the information in phases without undue further delay.
5.4 Client, as Controller, is solely responsible for determining whether to notify any supervisory authority or Data Subjects of a Personal Data Breach in accordance with Applicable Data Protection Law. Provider shall cooperate with Client in investigating and remediating any Personal Data Breach and shall provide reasonable assistance to Client in fulfilling Client's notification obligations.
6. INTERNATIONAL DATA TRANSFERS
6.1 Provider shall not transfer Personal Data to any country outside the European Economic Area ("EEA"), the United Kingdom, or Switzerland without ensuring that an adequate transfer mechanism is in place as required by Articles 44 and 46 of the GDPR and equivalent provisions under other Applicable Data Protection Law.
6.2 The parties acknowledge that the verification process involves the transmission of document content to the Anthropic API, which is operated by Anthropic, PBC, a company based in the United States. To the extent that such transmission constitutes a transfer of Personal Data outside the EEA, the United Kingdom, or Switzerland, the following transfer mechanism applies:
- Provider has entered into Standard Contractual Clauses (Module Three: Processor to Sub-processor) with Anthropic, PBC, incorporating the supplementary measures described in Schedule 3 to this DPA. The SCCs serve as the primary transfer mechanism for transfers to Anthropic, PBC. Prior to relying on the SCCs, Provider has conducted and shall maintain a Transfer Impact Assessment ("TIA") (reference: TIA-AMARI-ANTHROPIC-001, conducted prior to the Effective Date, concluding that the supplementary measures described in Schedule 3 — including in-transit encryption, contractual prohibitions on data retention and model training use, and Anthropic's obligation to notify Provider of law enforcement disclosure requests — are sufficient to ensure an essentially equivalent level of protection for the transferred Personal Data notwithstanding U.S. surveillance law considerations) evaluating the laws and practices of the United States as they affect the transfer of Personal Data to Anthropic, PBC, in accordance with the requirements of Schrems II (C-311/18) and EDPB Recommendations 01/2020. The TIA, together with the supplementary measures in Schedule 3, forms the basis for Provider's determination that the SCCs provide an adequate level of protection for the transferred Personal Data. Provider shall review and update the TIA whenever there is a material change in the legal landscape affecting the transfer;
- To the extent Anthropic, PBC is verified as a current participant in the EU-U.S. Data Privacy Framework (European Commission Adequacy Decision (EU) 2023/1795, or any successor framework) — as confirmed by Provider through checks of the official DPF list maintained by the U.S. Department of Commerce conducted no less frequently than quarterly and promptly upon any indication that Anthropic's certification status may have changed — such verified participation provides a supplementary basis for the transfer. Provider shall monitor Anthropic's DPF certification status and scope on at least a quarterly basis and shall promptly notify Client if Anthropic's certification lapses or no longer covers the relevant data types. The SCCs remain in place as the primary transfer mechanism regardless of DPF status, and Provider shall not rely on DPF participation as the sole basis for any transfer;
- Provider shall monitor the legal landscape for international data transfers and shall promptly notify Client if any transfer mechanism relied upon is invalidated or materially affected by a court decision, regulatory guidance, or legislative change.
6.3 For transfers subject to the UK GDPR, the parties agree that the International Data Transfer Addendum issued by the UK Information Commissioner's Office (Version B1.0, effective 21 March 2022) ("UK Addendum") shall apply, and the SCCs referenced in Section 6.2 are deemed modified as required by the UK Addendum.
6.4 For transfers subject to the Swiss Federal Act on Data Protection, the SCCs referenced in Section 6.2 shall apply with the modifications required by Swiss law, including recognition of the Swiss Federal Data Protection and Information Commissioner as the competent supervisory authority.
7. SUB-PROCESSORS
7.1 Current Sub-processors. Client hereby grants general written authorization for Provider to engage the Sub-processors listed in Schedule 1 to this DPA, which constitutes the definitive and operative listing of Sub-processors, including their roles, locations, and the scope of Personal Data processed. Schedule 1 is incorporated into this DPA by reference.
7.2 New Sub-processors. Provider shall notify Client at least 30 days before engaging any new Sub-processor or replacing any existing Sub-processor that processes Personal Data (including document content). The notification shall identify the Sub-processor, its role, location, and the scope of Personal Data to be processed.
7.3 Objection Right. Client may object to the engagement of a new or replacement Sub-processor on reasonable data-protection grounds by providing written notice to Provider within 15 days of receiving the notification under Section 7.2. The 15-day objection window runs from the date of Client's receipt of the Section 7.2 notification. Any objection received after 15 days but before the 30-day notice period has expired will be treated as timely if Provider has not yet engaged the Sub-processor. Silence by Client after the 15-day period constitutes deemed acceptance of the new or replacement Sub-processor. Reasonable data-protection grounds include, without limitation: (a) the Sub-processor's jurisdiction lacks an adequate level of data protection under Applicable Data Protection Law and no appropriate transfer mechanism is available; (b) the Sub-processor has a documented history of data protection failures; or (c) the engagement would conflict with Client's obligations under Applicable Data Protection Law.
7.4 Resolution of Objections. If Client objects under Section 7.3, Provider shall use commercially reasonable efforts to: (a) make available a change in the Service that avoids the use of the objected-to Sub-processor; or (b) recommend a commercially reasonable alternative Sub-processor. If Provider cannot accommodate the objection within 30 days, Client may terminate the portion of the Service that relies on the objected-to Sub-processor without penalty, and Provider shall refund any prepaid fees allocable to the terminated services for the remainder of the then-current term, as provided in Section 7.6 of the MSA.
7.5 Sub-processor Obligations. Provider shall: (a) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA; (b) remain fully liable to Client for the acts and omissions of each Sub-processor as if they were the acts and omissions of Provider; and (c) conduct appropriate due diligence on each Sub-processor's data protection practices before engagement and periodically thereafter.
7.6 Pending Engagement. Provider shall not permit a new or replacement Sub-processor to begin processing Personal Data until: (a) the 30-day notice period under Section 7.2 has expired without Client objecting; or (b) any objection has been resolved under Section 7.4.
8. CCPA/CPRA PROVISIONS
8.1 To the extent that Provider processes Personal Data subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), Provider is a "Service Provider" as defined under the CCPA pursuant to Cal. Civ. Code §1798.140(ag). Personal Data is disclosed to Provider for the following specific business purpose as defined under CCPA §1798.140(e): performing document verification services on behalf of Client, which constitutes the performance of services on behalf of the business pursuant to a written contract, as specified in CCPA §1798.140(e).
8.2 Provider shall not: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than performing the verification services specified in the MSA, including any commercial purpose other than providing the Service; or (c) retain, use, or disclose Personal Data outside of the direct business relationship between Provider and Client.
8.3 Provider certifies that it understands and will comply with the restrictions in Section 8.2.
8.4 Provider shall assist Client in responding to verifiable consumer requests under the CCPA, including requests to know (Cal. Civ. Code §§1798.110 and 1798.115), requests to delete (Cal. Civ. Code §1798.105), requests to correct inaccurate personal information (Cal. Civ. Code §1798.106), and requests to limit the use and disclosure of sensitive personal information (Cal. Civ. Code §1798.121).
9. HIPAA PROVISIONS
9.1 Provider is not HIPAA-certified. The Service is not designed for processing Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
9.2 Client shall not submit Documents or Source Materials containing PHI to the Service unless Client and Provider have executed a separate Business Associate Agreement ("BAA") in compliance with HIPAA.
9.3 If Client requires HIPAA-compliant processing, Client shall contact Provider at security@getamari.ai to discuss BAA terms before submitting any PHI. In the absence of an executed BAA, Client is solely responsible for any HIPAA violations arising from the submission of PHI to the Service.
10. GENERAL PROVISIONS
10.1 Governing Law. This DPA shall be governed by the same governing law as the MSA (State of Delaware), except that where Applicable Data Protection Law requires a different governing law for the SCCs or any transfer mechanism — including as required by Clause 17 of Commission Decision 2021/914, which mandates that the SCCs be governed by the law of an EU Member State that allows for third-party beneficiary rights — the law of Ireland shall govern the SCCs and any such transfer mechanism provision.
10.2 Conflict. In the event of any conflict between this DPA and the MSA, this DPA shall prevail with respect to the processing of Personal Data.
10.3 Liability. The liability of each party under this DPA is subject to the limitations of liability set forth in Section 11 of the MSA, except that: (a) liability for breaches of this DPA is not subject to the aggregate liability cap under Section 11.3(c) of the MSA and is uncapped (subject only to applicable law), and liability for breaches of confidentiality obligations under Section 7 of the MSA is separately excluded from such cap as provided therein — these are distinct categories and a breach of this DPA does not constitute a breach of confidentiality obligations solely by virtue of this provision; and (b) nothing in this DPA limits either party's liability to Data Subjects under Applicable Data Protection Law.
10.4 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
10.5 Term. This DPA shall remain in effect for as long as Provider processes Personal Data on behalf of Client. Obligations that by their nature should survive termination (including Sections 4.7, 4.8, 5, 6, 7, 8, and 9) shall survive termination of this DPA and the MSA.
SCHEDULE 1: SUB-PROCESSOR LIST
As of the Effective Date, Provider engages the following Sub-processors:
Sub-processor — Role — Location — Personal Data processed
- Anthropic, PBC — LLM API for verification analysis — San Francisco, CA, USA — Document content (in transit, not retained; not used for model training)
- Hetzner Online GmbH — Cloud server infrastructure — Falkenstein/Nuremberg, Germany — Server hosting; document data in memory only; Hetzner does not access server memory
- Stripe, Inc. — Payment processing — San Francisco, CA, USA — Billing and payment data; no document content
- Auth0 / Okta, Inc. — Authentication services — Bellevue, WA, USA — Email, login credentials; no document content
Provider shall maintain an up-to-date list of Sub-processors at getamari.ai/subprocessors and shall notify Client of changes per Section 7.2 of this DPA.
SCHEDULE 2: TECHNICAL AND ORGANIZATIONAL MEASURES
A. Data Minimization and Processing Architecture
- In-memory-only processing: Document content and Source Material content are loaded into server memory for the duration of the verification run and discarded upon completion. No document content is written to disk, database, or file system at any point.
- No content logging: Usage logs contain metadata only (timestamps, page counts, quality scores, practice area used). Document text is never logged.
- Isolation: Each verification run is isolated. One user's documents are never accessible to another user.
- Server restart destruction: All in-memory data is destroyed upon server restart.
B. Encryption
- In transit: TLS 1.2 or higher on all connections (Client to AMARI server, AMARI server to Anthropic API).
- At rest: Not applicable to document content (not stored). Account data and credentials stored in encrypted databases.
C. Access Controls
- Authentication: OAuth 2.0 for MCP connector; account credentials for REST API.
- Employee access: Limited on need-to-know basis. No routine employee access to verification processing systems during operation.
- OAuth tokens: Encrypted at rest; revoked upon connector disconnect.
D. Incident Response
- Incident response procedures maintained and tested.
- 72-hour breach notification to affected clients (per Section 5 of this DPA).
- Post-incident review and remediation.
E. Personnel
- All employees and contractors with access to systems processing Personal Data are bound by confidentiality agreements.
- Regular data protection training for relevant personnel.
SCHEDULE 3: SUPPLEMENTARY MEASURES FOR INTERNATIONAL TRANSFERS
In addition to the safeguards provided by the Standard Contractual Clauses, Provider implements the following supplementary measures for transfers of Personal Data to Anthropic, PBC (United States):
A. Technical Measures
- All data transmitted to Anthropic is encrypted in transit using TLS 1.2 or higher.
- Document content is transmitted to Anthropic solely for the purpose of generating verification analysis and is not retained by Anthropic beyond the API request/response cycle.
- Provider's commercial API agreement with Anthropic contractually prohibits Anthropic from using Client document content for model training or any purpose other than serving the API request, in accordance with GDPR Article 28(3)(a) (which requires that a processor process personal data only on documented instructions from the controller).
B. Organizational Measures
- Provider has assessed Anthropic's data protection practices and has determined them to be adequate for the processing activities described in this DPA.
- Provider monitors legal developments affecting international data transfers and will notify Client promptly if any transfer mechanism is invalidated or materially affected.
- Provider will suspend transfers to Anthropic if Provider determines that Anthropic can no longer ensure adequate protection of Personal Data, and will notify Client of such suspension.
C. Contractual Measures
- Provider's agreement with Anthropic includes provisions requiring Anthropic to: (i) process data only as instructed by Provider; (ii) implement appropriate security measures; (iii) not retain document content beyond serving the API request; (iv) not use document content for model training; and (v) cooperate with Provider in responding to data subject requests and supervisory authority inquiries.
- Provider's agreement with Anthropic requires Anthropic to notify Provider promptly of any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited.
SIGNATURES
This DPA is effective as of the Effective Date of the MSA and is incorporated into the MSA by reference.
WISDOM AGENT INC. (Provider)
By: ______________________________
Name: Dr. Reza Olfati-Saber
Title: Founder & CEO
Date: _____

[CLIENT LEGAL NAME] (Client / Controller)
By: ______________________________
Name: _____
Title: _____
Date: _____
Wisdom Agent Inc. · getamari.ai · © 2026 Wisdom Agent Inc. All rights reserved.