Data Processing Addendum
This Data Processing Addendum (“DPA”) is Exhibit A to, and forms part of, the Terms of Service and Master Usage Agreement (the “Agreement”) between Resonance AI Technology, LLC (“Company,” “Res,” “we,” or “processor”) and the customer that has accepted the Agreement (“Customer,” “you,” or “controller”). It applies to the extent Company Processes Personal Data on Customer’s behalf in providing the Services. Capitalized terms not defined in this DPA have the meanings given in the Agreement.
1. Definitions
“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (“FADP”), and U.S. state privacy laws including the California Consumer Privacy Act as amended (“CCPA”).
“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” “Personal Data Breach,” and “Supervisory Authority” have the meanings given in the EU GDPR. Equivalent terms such as “business,” “service provider,” “consumer,” “sell,” and “share” have the meanings given in the CCPA.
“Customer Personal Data” means Personal Data contained in User Content, in data within Connected Services, in Listening Data, or in other data that Company Processes on Customer’s behalf under the Agreement.
“SCCs” means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Sub-processor” means any third party engaged by Company to Process Customer Personal Data.
2. Roles and Scope
2.1 Roles. As between the parties and with respect to Customer Personal Data, Customer is the Controller (or business) and Company is the Processor (or service provider) acting on Customer’s behalf. Where Customer is itself a processor acting for a third-party controller, Customer warrants that it has the authority to instruct Company on the controller’s behalf and to grant the authorizations in this DPA.
2.2 Scope. Company will Process Customer Personal Data only as a Processor, for the purposes set out in Annex I and as necessary to provide the Services and to comply with Customer’s documented instructions, including this DPA, the Agreement, and Customer’s use and configuration of the Services.
2.3 Company as controller. Company is an independent Controller of the Account, billing, and usage and operational data it Processes to operate, secure, and improve its Services and business, as described in the Privacy Policy. This DPA does not apply to that Processing.
3. Processing Instructions
3.1 Company will Process Customer Personal Data only on Customer’s documented instructions, including as set out in this DPA and the Agreement, unless required by applicable law, in which case Company will, where legally permitted, inform Customer of that requirement before Processing.
3.2 Company will inform Customer if, in its opinion, an instruction infringes Data Protection Laws. Company has no obligation to provide legal advice.
3.3 No training; no sale. Company will not (a) use Customer Personal Data to train, fine-tune, or improve any general-purpose or shared machine-learning model, consistent with Section 3.3 of the Agreement; or (b) sell or share Customer Personal Data, or retain, use, or disclose it for any purpose other than performing the Services and the limited purposes permitted by Data Protection Laws.
4. Confidentiality
Company will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate obligations of confidentiality, have received appropriate training, and are limited to those who need access to provide the Services.
5. Security
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, Company will implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including the measures described in Annex II. Customer is responsible for its own configuration and use of the Services, including access controls and credentials within its Account.
6. Sub-processors
6.1 General authorization. Customer provides general authorization for Company to engage Sub-processors to Process Customer Personal Data. A current list of Sub-processors is set out in Annex III and as updated through the Services or the Privacy Policy.
6.2 Flow-down and liability. Company will impose on each Sub-processor data-protection obligations that are, in substance, no less protective than those in this DPA, and remains liable for each Sub-processor’s performance of those obligations.
6.3 Changes and objection. Company will give Customer at least thirty (30) days’ notice, which may be given by posting an updated list or by email, before authorizing a new Sub-processor to Process Customer Personal Data. Customer may object on reasonable data-protection grounds within that period. The parties will work in good faith to resolve the objection, and if they cannot, Customer may terminate the affected Services as its sole and exclusive remedy.
7. Data Subject Rights
Taking into account the nature of the Processing, Company will provide reasonable assistance, including through appropriate technical and organizational measures and the self-service features of the Services, to enable Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws. If Company receives such a request directly, it will, unless legally prohibited, advise the Data Subject to contact Customer and will not otherwise respond except on Customer’s instructions.
8. Personal Data Breaches
Company will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to assist Customer in meeting its breach-notification obligations. Company’s notification is not an acknowledgment of fault or liability.
9. Data Protection Impact Assessments
Taking into account the nature of Processing and the information available to it, Company will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under Data Protection Laws.
10. Deletion and Return
On termination or expiry of the Agreement, Company will, at Customer’s choice, delete or return Customer Personal Data and delete existing copies, except to the extent retention is required by applicable law. This is consistent with the retention and export window in Section 14.3 of the Agreement. Commercially reasonable backups are deleted in the ordinary course.
11. Audits and Information
Company will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the EU GDPR, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it authorizes. To the extent permitted by Data Protection Laws, the parties agree that Company may satisfy these obligations by providing audit reports, certifications, or summaries of its controls (for example, SOC 2 or equivalent, where available), and that any on-site inspection will be on reasonable prior notice, during business hours, no more than once per year (absent a Personal Data Breach or a Supervisory Authority requirement), subject to confidentiality, and at Customer’s expense.
12. International Transfers
12.1 Company may Process and transfer Customer Personal Data in the United States and other countries where it or its Sub-processors operate.
12.2 EEA transfers. Where Company Processes Customer Personal Data subject to the EU GDPR and transfers it to a country that does not benefit from an adequacy decision, the SCCs (Module Two: Controller to Processor) are incorporated into this DPA by reference and deemed completed as follows: (a) the optional docking clause in Clause 7 applies; (b) in Clause 9, Option 2 (general written authorization) applies, with the notice period in Section 6.3; (c) in Clause 11, the optional language does not apply; (d) in Clause 17, the SCCs are governed by the law of Ireland; (e) in Clause 18(b), disputes are resolved before the courts of Ireland; and (f) Annexes I, II, and III to the SCCs are populated by Annexes I, II, and III to this DPA. Where Customer acts as a processor on behalf of a third-party controller, Module Three (Processor to Processor) applies, with the necessary changes.
12.3 UK transfers. For transfers subject to the UK GDPR, the SCCs as incorporated above are modified by the UK International Data Transfer Addendum issued by the Information Commissioner’s Office, which is incorporated by reference and completed using the information in the Annexes.
12.4 Swiss transfers. For transfers subject to the Swiss FADP, the SCCs apply with the adaptations necessary under Swiss law, including references to the Swiss Federal Data Protection and Information Commissioner and to the FADP.
13. California (CCPA)
13.1 For Customer Personal Data subject to the CCPA, Customer is a business and Company is a service provider.
13.2 Company will Process such Personal Data solely to perform the Services and for the business purposes specified in this DPA and the Agreement, and will not: (a) sell or share it; (b) retain, use, or disclose it for any purpose other than the business purposes specified, or outside the direct business relationship with Customer; or (c) combine it with personal information from other sources, except as permitted by the CCPA.
13.3 Company certifies that it understands and will comply with these restrictions. Company will assist Customer in responding to consumer rights requests as set out in Section 7.
14. Liability
Each party’s liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this Section limits any liability to Data Subjects under the SCCs to the extent the SCCs govern that liability.
15. General
15.1 Order of precedence. This DPA forms part of the Agreement. In the event of a conflict between this DPA and the body of the Agreement with respect to the Processing of Personal Data, this DPA controls. In the event of a conflict between this DPA and the SCCs, the SCCs control.
15.2 Term. This DPA takes effect on the effective date of the Agreement and continues until Company has ceased Processing Customer Personal Data.
15.3 Governing law. Except where Data Protection Laws or the SCCs require otherwise, this DPA is governed by the law that governs the Agreement.
Annex I: Description of Processing
A. List of parties
Data exporter: the Customer identified in the Agreement, acting as Controller, or where applicable as processor on behalf of a third-party controller.
Data importer: Resonance AI Technology, LLC, 7703 Sunnyside Avenue North, Seattle, Washington 98103, USA, acting as Processor. Contact: admin@tryres.ai.
B. Description of processing
- Subject matter: Company’s provision of the Services under the Agreement.
- Duration: the term of the Agreement plus the retention and deletion window in Section 14.3 of the Agreement.
- Nature and purpose: hosting, storage, generation, analysis, transmission, publishing, and related Processing of Customer Personal Data to provide the AI content-generation, content-management-system publishing, and brand-intelligence features of the Services, including Processing by the Sub-processors listed in Annex III.
- Types of Personal Data: identification and contact data (such as names, email addresses, and usernames); professional data (such as company and role); and any Personal Data that Customer includes in, or directs Company to Process from, its User Content, Connected Services, or Listening Data. Customer must not submit special categories of Personal Data except as expressly agreed in writing, and must not submit Protected Health Information except under an executed Business Associate Addendum (Exhibit B), as provided in Section 10.5 of the Agreement.
- Categories of Data Subjects: Customer’s authorized users and personnel; Customer’s customers, prospects, and contacts; and individuals who are the authors or subjects of public content collected as Listening Data.
- Frequency: continuous, for the duration of the Agreement.
C. Competent supervisory authority
Where the SCCs apply, the competent Supervisory Authority is determined in accordance with Clause 13 of the SCCs. For EEA transfers, this is the Supervisory Authority of the EEA member state in which the Customer or its EU representative is established or, where Customer is not established in the EEA, the Irish Data Protection Commission.
Annex II: Technical and Organizational Measures
Company maintains measures including:
- Encryption of Customer Personal Data in transit (TLS) and at rest.
- Logical access controls, role-based access, and least-privilege provisioning; authentication via OAuth and unique credentials.
- Logical segregation of customer data within multi-tenant systems.
- Network protections, monitoring, and logging.
- Use of reputable cloud infrastructure providers (see Annex III) that maintain their own security certifications.
- Personnel confidentiality obligations and security-awareness practices.
- Backup and recovery processes, with backups deleted in the ordinary course.
- Sub-processor due diligence and contractual data-protection terms.
- Incident detection and response processes supporting the breach-notification obligations in Section 8.
Annex III: List of Sub-processors
Company engages the following Sub-processors to Process Customer Personal Data:
- Anthropic. Claude models for content generation and analysis. United States.
- OpenAI. Embeddings for semantic search; image generation. United States.
- Google (Gemini and Cloud). Model-based content analysis; OAuth authentication. United States.
- Perplexity. Web research for citation sourcing. United States.
- Replicate. Image generation. United States.
- Firecrawl. Web page and sitemap extraction. United States.
- Serper. Search and news results. United States.
- DataForSEO. Search-volume and SERP data. United States.
- SE Ranking. Keyword and AI-search data. United States.
- Apify. Collection of public brand mentions for Brand Intelligence. European Union.
- Amazon Web Services. Cloud storage of uploaded images and processed content. United States.
- MongoDB (Atlas). Database hosting. United States.
- Vercel. Application hosting. United States.
- Resend. Transactional email delivery. United States.
- Stripe. Payment processing. United States.
The data and search providers above primarily Process Customer queries and publicly available content, and may incidentally Process Personal Data contained in that content.