Data Processing Agreement

Last updated: March 2026 | GDPR Article 28

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service between AHI Networks Inc. ("Processor") and the user ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Ralpha platform.

This DPA applies where and only to the extent that Ralpha processes personal data on behalf of the Controller in the course of providing the Service, and such personal data is subject to data protection laws of the European Union, the European Economic Area, or their member states ("EU Data Protection Laws").

2. Data Categories and Subjects

2.1 Categories of Data Subjects

  • Registered users of the Controller's account
  • Team members invited by the Controller
  • Individuals depicted in reference images uploaded by the Controller

2.2 Categories of Personal Data

  • Account information: email address, display name, avatar
  • Authentication data: hashed passwords, OAuth tokens, session identifiers
  • Usage data: IP addresses, browser information, feature usage logs
  • Content data: uploaded images, text prompts, generated renders
  • Financial data: payment method identifiers (tokenized), transaction history
  • Communication data: support messages, chat conversations

3. Processing Purposes

The Processor shall process personal data solely for the following purposes:

  • Providing the Ralpha scene generation service
  • Managing user accounts and authentication
  • Processing payments and managing subscriptions
  • Providing customer support
  • Ensuring platform security and preventing abuse
  • Complying with legal obligations
  • Service improvement and analytics (with consent)

4. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage another processor without prior written authorization
  • Assist the Controller with data subject rights requests
  • Assist the Controller with data protection impact assessments
  • Delete or return all personal data upon termination of the agreement
  • Make available all information necessary to demonstrate compliance

5. Sub-Processors

The Controller authorizes the Processor to engage the following sub-processors:

Sub-Processor    | Purpose                      | Location
Supabase Inc.    | Authentication, database     | United States (AWS)
Cloudflare Inc.  | CDN, storage (R2), security  | Global (data centers worldwide)
Stripe Inc.      | Payment processing           | United States
DigitalOcean LLC | GPU compute (rendering)      | United States
Vercel Inc.      | Frontend hosting             | Global (edge network)
Anthropic PBC    | AI processing (Claude)       | United States

The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller an opportunity to object. Objections must be raised within 30 days.

6. Security Measures

The Processor implements the following technical and organizational measures:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Argon2id password hashing
  • Role-based access control (RBAC)
  • Multi-factor authentication for admin access
  • Regular security audits and penetration testing
  • Automated vulnerability scanning
  • 24/7 infrastructure monitoring and alerting
  • Data backup with geo-redundancy
  • Incident response procedures documented and tested

7. Data Transfer Mechanisms

For transfers of personal data from the EU/EEA to the United States, the Processor relies on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) adopted by the European Commission.

The Processor commits to conducting Transfer Impact Assessments for any new sub-processors located outside the EU/EEA and implementing supplementary measures where necessary.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. Notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of affected data subjects
  • Categories and approximate number of affected records
  • Likely consequences of the breach
  • Measures taken or proposed to address and mitigate the breach

Target notification time is 48 hours, well within the GDPR 72-hour requirement for the Controller to notify supervisory authorities.

9. Audit Rights

The Controller may audit the Processor's compliance with this DPA, subject to reasonable notice (at least 30 days) and scope limitations. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations. The Processor may charge reasonable costs for audit assistance. The Controller may appoint a qualified independent third party to conduct audits on its behalf.

10. Term and Termination

This DPA shall remain in effect for the duration of the Processor's processing of personal data on behalf of the Controller. Upon termination, the Processor shall, at the Controller's choice, delete or return all personal data and delete existing copies within 90 days, unless applicable law requires storage.

Contact — Data Protection

AHI Networks Inc.
Data Protection Inquiries: dpo@ralpha.io