Privacy policy

Version 2.1 | Effective from May 15, 2026 | Current version always available at https://perspectis.ai/privacy

This Data Processing Agreement (“DPA”) is published by Perspectis AI, Inc at perspectis.ai and is incorporated by reference into the SaaS Services Agreement (or equivalent master agreement) entered into between Service Provider and Customer (the “Principal Agreement”). The version in force as at the effective date of the Principal Agreement applies, subject to any updates made in accordance with Clause 16.6.

In the event of conflict between this DPA and the Principal Agreement with respect to the processing of personal data, this DPA prevails.

Approach. This DPA sets a single high-watermark standard that satisfies the most demanding applicable requirement across all jurisdictions in which the parties operate, including the United Kingdom (UK GDPR / DPA 2018), the European Economic Area (EU GDPR), Canada (PIPEDA and Quebec Law 25), and the United States (CCPA/CPRA and applicable state laws). Where a specific mechanism is legally required — such as standard contractual clauses for international transfers — it is addressed in Clause 8. In all other respects, a single obligation applies regardless of the jurisdiction involved.

Legal professional privilege. Customer Data may contain information subject to legal professional privilege, solicitor-client privilege, or attorney-client privilege. Service Provider’s enhanced obligations in respect of such material are set out in Clause 12.

Definitions

In this DPA:

“Anonymised Data” means data that has been irreversibly de-identified such that no individual can reasonably be identified from it, whether alone or in combination with other information, in accordance with applicable privacy law standards.

“Applicable Data Protection Law” means all privacy and data protection laws applicable to the Processing of Personal Data under this DPA, including (without limitation): the UK GDPR and Data Protection Act 2018; EU GDPR (Regulation (EU) 2016/679); Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial equivalents including Quebec’s Law 25; and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and other applicable US state privacy laws. Where two or more laws impose different standards for the same obligation, Service Provider shall comply with the most demanding standard.

“Customer Data” has the meaning given in the Principal Agreement and includes all Personal Data contained in it.

“Individual” means any natural person whose Personal Data is processed under this DPA. The terms Data Subject, Consumer, and Individual are used interchangeably.

“Personal Data” means any information relating to an identified or identifiable individual, as defined under Applicable Data Protection Law in the relevant jurisdiction. The terms Personal Data and Personal Information are used interchangeably.

“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

“Privacy Officer” means the individual designated by Service Provider to oversee compliance with Applicable Data Protection Law.

“Processing” (and cognate terms) has the meaning given under Applicable Data Protection Law.

“Restricted Transfer” means any transfer of Personal Data to a country that does not benefit from an adequacy decision or equivalent finding under Applicable Data Protection Law.

“SCCs” means the EU standard contractual clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914.

“Sensitive Personal Data” means Special Categories of Personal Data under UK GDPR / EU GDPR; Sensitive Personal Information under the CCPA/CPRA; and equivalent categories under other Applicable Data Protection Laws.

“Sub-Processor” means any third party engaged by Service Provider to process Personal Data on Customer’s behalf.

“Sub-Processor List” means the current list of approved Sub-Processors maintained by Service Provider on its website, as updated from time to time in accordance with Clause 7.

“TOMs” means the Technical and Organisational Measures set out in Annex 2.

“UK IDTA” means the UK International Data Transfer Agreement issued by the ICO under s.119A of the DPA 2018.

Roles and Appointment

Customer is the Controller (or equivalent under Applicable Data Protection Law); Service Provider is the Processor or Service Provider (or equivalent). Service Provider shall Process Personal Data only on Customer’s documented instructions.

For the purposes of the CCPA/CPRA, Service Provider acts as a Service Provider (not a Third Party or Business) and certifies that it: (a) shall not Sell or Share Personal Data; (b) shall not use Personal Data for any purpose other than providing the Services; (c) shall not combine Personal Data received under this DPA with personal data from other sources except as permitted by applicable law; and (d) understands and will comply with these restrictions.

Service Provider shall promptly notify Customer if, in its reasonable opinion, any instruction would infringe Applicable Data Protection Law.

Customer Obligations

Customer warrants that it has, and shall at all times maintain, a lawful basis under Applicable Data Protection Law for each category of Personal Data submitted to the Platform, including (where required) valid consent, a legitimate interest assessment, or other applicable legal ground.

Customer is solely responsible for the accuracy, quality, and legality of all Personal Data submitted to the Platform and for the lawfulness of all processing instructions given to Service Provider. Service Provider is not required to independently verify the legality of Customer’s instructions but shall comply with its notification obligation under Clause 2.3.

Customer shall not submit Sensitive Personal Data to the Platform without prior written notice to Service Provider and agreement on appropriate additional safeguards. In the absence of such notice and agreement, Service Provider shall have no liability in respect of any Sensitive Personal Data submitted to the Platform.

Customer shall maintain its own privacy notices, records of processing activities, and individual rights processes as required by Applicable Data Protection Law. Customer acknowledges that Service Provider’s obligations under this DPA are limited to providing reasonable technical assistance and do not extend to fulfilling Customer’s own compliance obligations as Controller.

Customer shall indemnify and hold harmless Service Provider from and against any losses, claims, damages, liabilities, fines, penalties, costs, and expenses (including reasonable legal fees) arising from or in connection with: (a) Customer’s failure to comply with its obligations as Controller under Applicable Data Protection Law; (b) Customer’s breach of the warranties in this Clause 3; or (c) any processing instructions given by Customer that infringe Applicable Data Protection Law, provided that Service Provider has complied with its notification obligation under Clause 2.3 in respect of the relevant instruction.

Processing Instructions and Confidentiality

Service Provider shall Process Personal Data only on Customer’s documented instructions, as set out in this DPA, the Principal Agreement, Order Forms, and any further written instructions.

Customer’s configuration of the Platform — including feature activation, retention settings, user permissions, data residency selections, AI feature enablement, and integration settings — constitutes documented instructions for the purposes of this DPA. Service Provider shall not be required to obtain a separate written instruction for each processing activity that is a natural consequence of Customer’s use of the Platform in accordance with its configuration.

Service Provider shall ensure that personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations and have received training on their data protection obligations.

Access to Personal Data shall be limited to personnel who require it to perform the Services, on a least-privilege basis.

Service Provider shall not disclose Personal Data to any third party (including law enforcement or government authorities) without Customer’s prior written consent, except where required by law. Where disclosure is legally compelled, Service Provider shall (to the extent permitted) give Customer advance notice and cooperate with any reasonable protective measures.

Service Provider shall designate a Privacy Officer and a data protection contact (where required), and shall notify Customer of their contact details upon request.

Individual Rights

Service Provider acknowledges that Individuals may have rights under Applicable Data Protection Law including rights of: access; rectification or correction; erasure or deletion; restriction or opt-out of processing; data portability; objection; opt-out of sale or sharing; limiting use of Sensitive Personal Data; and the right not to be subject to solely automated decisions with significant effects.

Service Provider shall notify Customer within 3 Business Days of receiving any rights request directly from an Individual and shall not respond directly without Customer’s authorisation.

Service Provider shall provide the technical assistance (search, export, deletion, and correction capabilities) reasonably required for Customer to respond to any Individual rights request within the applicable statutory deadline. The target response window is 30 days from receipt of the verified request.

Service Provider shall not discriminate against any Individual for exercising their rights under Applicable Data Protection Law.

Security

Service Provider shall implement and maintain the TOMs set out in Annex 2, designed to meet the requirements of Applicable Data Protection Law (including the reasonable security standard under CCPA/CPRA, Article 32 of the UK/EU GDPR, and PIPEDA Principle 7).

Service Provider shall regularly test, assess, and evaluate the effectiveness of the TOMs and update them as necessary, taking into account the state of the art, costs, and the nature of the Processing.

Service Provider shall notify Customer promptly of any actual or suspected vulnerability that may compromise the security of Personal Data, and shall take immediate remedial action.

Sub-Processors

Customer grants general authorisation to engage the Sub-Processors listed in Annex 3. Service Provider maintains a current list of approved Sub-Processors on its website (the “Sub-Processor List”), together with details of the processing undertaken by each.

Service Provider will post notice of any proposed new Sub-Processor appointment, or any material change to an existing Sub-Processor’s activities, on its website at least 30 days before the appointment or change takes effect. Customers who subscribe to sub-processor update notifications (by emailing dataprivacy@perspectis.ai) will receive notice of each such posting. Customer may object to a proposed appointment or change on reasonable data protection grounds by written notice to Service Provider within that 30-day notice period.

Where the parties are unable to resolve the objection within 30 days, Service Provider shall use reasonable endeavours to make available an alternative configuration of the affected Services that does not involve the objected Sub-Processor. Where no such alternative configuration is reasonably available and the objected Sub-Processor is essential to the core functionality of the Services as described in the applicable Order Form, Customer may terminate the affected Order Form without penalty on 30 days' written notice. For the avoidance of doubt, a Sub-Processor shall only be considered essential to core functionality where removal of that Sub-Processor would render the material features described in the applicable Order Form inoperable.

Service Provider shall impose on each Sub-Processor, by written contract, data protection obligations equivalent to those in this DPA, including obligations that satisfy Applicable Data Protection Law in each jurisdiction where Personal Data is processed.

Service Provider remains fully liable to Customer for the acts and omissions of its Sub-Processors as if they were Service Provider’s own.

International Transfers

Master obligation. The parties will have in effect an appropriate Transfer Mechanism in respect of any Restricted Transfer before that transfer occurs. “Transfer Mechanism” means the Standard Contractual Clauses, the UK IDTA, an adequacy decision, or any other mechanism that has the effect of permitting the transfer in accordance with Applicable Data Protection Law.

EEA transfers. In the event of any EEA Restricted Transfer where Customer Personal Data is transferred from Customer as Controller to Service Provider as Processor, the parties shall comply with the EU SCCs (Module 2, Controller-to-Processor, Commission Decision 2021/914), which are incorporated into this DPA by reference and activated automatically upon the occurrence of such a transfer. The parties’ selections for optional provisions are: Clause 7 (docking clause) applies; Clause 9(a) Option 2 (general written authorisation) applies with a 30-day notice period consistent with the Sub-Processors clause of this DPA; Clause 11(a) optional redress mechanism does not apply.

UK transfers. In the event of any UK Restricted Transfer, the parties shall comply with the EU SCCs as amended by the UK Addendum (the International Data Transfer Addendum to the EU SCCs issued by the ICO under s.119A of the Data Protection Act 2018), which are incorporated into this DPA by reference and activated automatically upon the occurrence of such a transfer. Party details and processing descriptions for the purposes of the UK Addendum are as set out in the Principal Agreement and Annex 1 of this DPA respectively.

Customer-elected processing locations. All processing occurs by default within the jurisdiction selected by Customer in the Order Form. Where Customer activates a feature or selects a model that requires processing in a different jurisdiction, Customer’s affirmative selection constitutes a documented instruction to transfer and an acknowledgment of the processing location. Service Provider shall identify the processing jurisdiction to Customer at the point of feature or model selection. Service Provider shall ensure the applicable Transfer Mechanism is in place before any such transfer occurs.

Sub-Processor transfers. Where Service Provider engages a Sub-Processor that requires a cross-border transfer, Service Provider shall ensure the applicable Transfer Mechanism is in place between Service Provider and that Sub-Processor before the transfer occurs. For EEA Processor-to-Processor transfers, the EU SCCs (Module 3) shall apply. For UK Processor-to-Processor transfers, the EU SCCs (Module 3) as amended by the UK Addendum shall apply.

Canada. Transfers of Personal Data subject to PIPEDA or Quebec Law 25 shall be subject to contractual protections ensuring a standard of protection comparable to that required by Canadian law, in accordance with Principle 4.1.3 of Schedule 1 to PIPEDA. No cross-border Transfer Mechanism is required where Canada is both the origin and destination jurisdiction.

United States. No cross-border Transfer Mechanism is required for processing that originates and remains within the United States. The CCPA Service Provider designation in Clause 2 applies to all US domestic processing.

Auto-update. Where any Transfer Mechanism is updated, amended, or replaced by a competent authority, the updated mechanism shall automatically replace the prior mechanism under this DPA from the date specified in a written notice issued by Service Provider to Customer, and shall be binding on the parties from that date. Service Provider shall issue such notice without undue delay following publication of the updated mechanism.

Processing details for SCC purposes. The information required by Annex I of the EU SCCs (list of parties and description of transfer) is set out as follows: data exporter details are as identified in the Principal Agreement and Order Form; data importer details are as set out in the document header of this DPA; the description of processing activities and categories of personal data are as set out in Annex 1 of this DPA. Technical and organisational measures for the purposes of Annex II of the EU SCCs are as set out in Annex 2 of this DPA.

Security Incidents and Breach Notification

Service Provider shall notify Customer without undue delay, and in any event within 24 hours of becoming aware of a confirmed or reasonably suspected Personal Data Breach. Notification shall be to Customer’s designated contact and shall include all information then available that Customer requires to meet its own notification obligations under Applicable Data Protection Law.

Service Provider shall provide Customer with a written incident report within 30 days of containment, covering: root cause; data categories and estimated volumes affected; remedial steps taken and planned; and any changes to the TOMs.

Service Provider shall maintain a log of all security incidents (including those below reportable thresholds) and make it available to Customer upon request.

Notification of a breach does not constitute an admission of fault or liability by either party.

Privacy Impact Assessments

Service Provider shall provide Customer with reasonable assistance to carry out any privacy impact assessment or data protection impact assessment required under Applicable Data Protection Law, including descriptions of the Processing activities, TOMs, sub-processor details, and other relevant information.

Where Service Provider introduces any new system, technology, or service involving the Processing of Personal Data, Service Provider shall conduct its own privacy impact assessment and provide a summary to Customer upon request.

Service Provider shall assist Customer with any required prior consultation of a supervisory authority or data protection authority.

Audit Rights

Service Provider shall make available all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.

Not more than once per calendar year (absent reasonable grounds to suspect a material breach), and upon 30 days’ written notice, Customer may: (a) require Service Provider to complete a written compliance questionnaire; or (b) at Customer’s cost, conduct or commission an independent audit of Service Provider’s processing activities and TOMs.

Service Provider may satisfy its audit obligation by providing current third-party audit reports (SOC 2 Type II, ISO 27001 certificate, or equivalent) where such reports are sufficient to demonstrate compliance with the relevant obligation.

Legal Professional Privilege

Service Provider acknowledges that Customer Data may include information subject to legal professional privilege, solicitor-client privilege, or attorney-client privilege (collectively, “Privileged Material”).

In relation to Privileged Material, Service Provider shall: (a) not access, use, disclose, or process it except to the extent strictly necessary to provide the Services; (b) maintain access controls and access logs; (c) not disclose it to any third party without Customer’s prior written consent; and (d) notify Customer immediately upon any actual or threatened compelled disclosure.

Service Provider shall support Customer’s compliance with professional conduct rules and regulatory requirements applicable to Customer in its operating jurisdictions.

The obligations in this Clause 12 survive termination of the Principal Agreement for as long as Privileged Material remains in Service Provider’s possession or control, and for a minimum of 7 years following termination.

AI and Automated Processing

Service Provider shall not use Customer Data to train, fine-tune, or improve any AI or machine-learning model without Customer’s prior written consent. For the avoidance of doubt, this prohibition does not apply to Anonymised Data that cannot reasonably be used to identify any individual. This prohibition applies equally to Feedback (as defined in the Principal Agreement) and to Service Provider Data generated from Customer’s use of the Platform.

Service Provider may use aggregated, fully anonymised, and non-reversible usage data (including system performance metrics, feature utilisation patterns, and error logs that contain no Personal Data and from which no Customer or Individual can be identified) to improve the performance, reliability, and functionality of the Services. Such use does not constitute Processing of Personal Data or Customer Data, does not constitute training of any AI or machine-learning model on Customer Data, and is not subject to the restrictions in Clause 13.1. Customer may request written confirmation at any time that its Customer Data and Personal Data have not been used for model training.

Service Provider shall, upon request and at least annually, disclose the identity and version of any AI models processing Personal Data, confirm whether any Customer Data has been used for training, and provide information about any automated decision-making with significant effects on Individuals.

Service Provider shall maintain an AI register and make it available to Customer upon request.

Return and Deletion

Upon termination or expiry of the Principal Agreement, Service Provider shall:

(a) for 30 days following termination or expiry, make Customer Data available for export in industry-standard formats (CSV, JSON, Excel) at no additional charge, in accordance with the export mechanics set out in the Principal Agreement;

(b) following the expiry of the 30-day export window, securely delete all Customer Data, including all copies held by Sub-Processors and all applicable backups, by overwriting or otherwise rendering the data permanently inaccessible, unless: (i) otherwise agreed in writing by Customer; (ii) retention is required to resolve active legal disputes or regulatory proceedings; or (iii) applicable law requires further retention - in which case Service Provider shall: (A) notify Customer in writing in advance of its intention to retain such data and the legal basis for doing so; (B) retain only the minimum data required for the minimum period required by law; and (C) apply the same protective measures to retained data as apply during the Term;

(c) proactively provide Customer with written certification of deletion, including confirmation that Sub-Processor copies and backups have been deleted, within 30 days of completion, and additionally upon Customer's written request at any time;

(d) upon Customer's written request, provide reasonable evidence of the deletion methodology applied.

Service Provider shall process verifiable Individual deletion requests within the deadline required by Applicable Data Protection Law, applying the most demanding applicable standard and in no event exceeding 45 days.

The obligations in this Clause 14 survive termination of the Principal Agreement until completion and certification of deletion.

Term and Termination

This DPA takes effect on the date on which the Principal Agreement takes effect and runs co-terminously with the Principal Agreement.

The following obligations survive termination: Clause 4 (Confidentiality) — 5 years; Clause 9 (Breach Notification) — 7 years; Clause 12 (Privilege) — for as long as Privileged Material remains in Service Provider’s possession or control, and for a minimum of 7 years following termination; Clause 14 (Deletion) — until completion and certification.

Either party may terminate this DPA for the other’s material breach on 30 days’ written notice, and failure to cure within that period where the breach is capable of remedy.

General

Limitation of Liability. (a) Service Provider’s aggregate liability under or in connection with this DPA (including for any Personal Data Breach) shall not exceed the liability cap set out in the Principal Agreement. (b) This cap applies regardless of whether the claim is brought in contract, tort (including negligence), under statute, or otherwise, and is inclusive of (not additional to) any liability arising under the Principal Agreement. (c) Where a supervisory authority, Individual, or other third party brings a claim against either party in connection with the Processing of Personal Data under this DPA, the parties shall cooperate in good faith and each party shall bear liability attributable to its own acts or omissions. Nothing in this Clause 16.1 excludes or limits liability that cannot be excluded or limited under Applicable Data Protection Law.

Service Provider shall maintain cyber liability and data protection insurance in commercially reasonable amounts throughout the term of the Principal Agreement and shall provide evidence of such cover to Customer upon written request.

Governing Law and Jurisdiction. This DPA is governed by the same law as the Principal Agreement. In the event that the Principal Agreement does not specify a governing law, this DPA shall be governed by the laws of the State of New York, without regard to its conflict of laws provisions. The parties submit to the non-exclusive jurisdiction of the courts of the State of New York. Nothing in this clause affects either party’s rights or obligations under Applicable Data Protection Law in any other jurisdiction.

This DPA, together with its Annexes, constitutes the entire agreement between the parties relating to the processing of Personal Data under the Principal Agreement and supersedes all prior agreements on the same subject matter.

All notices under this DPA shall be in writing and delivered to the contact details specified in the Principal Agreement or, for data protection matters, to support@perspectis.ai.

Standard Terms and Amendment. (a) This DPA is Service Provider’s standard data processing terms, published on its website and incorporated by reference into the Principal Agreement. (b) Service Provider may update this DPA from time to time by posting a revised version on its website, with at least 30 days’ prior notice to Customer via email or in-product notification. (c) The revised version takes effect at the end of the notice period unless Customer notifies Service Provider of a material objection in writing within that period. (d) If Customer objects and the parties cannot resolve the objection within a further 14 days, either party may terminate the affected Services on reasonable notice without penalty. (e) Service Provider may make amendments without notice where required by changes in Applicable Data Protection Law, supervisory authority guidance, or court order, provided such amendments do not materially reduce Customer’s protections under this DPA. (f) Customer-specific amendments to this DPA are only binding if signed in writing by a director or authorised signatory of Service Provider and expressly stated to supersede the relevant provision of this DPA.

Standard Processing Description. (a) The Standard Processing Description in Annex 1 reflects Service Provider’s standard platform processing activities carried out in providing the Services. (b) Where Customer’s specific processing activities differ materially from that description, the parties shall record the differences in the Order Form or a written addendum to this DPA. (c) Customer is responsible for maintaining its own records of processing activities (including records required under Article 30 of the UK/EU GDPR and equivalent requirements under other Applicable Data Protection Law) in its capacity as Controller.

ANNEX 1

Description of Processing Activities

This Standard Processing Description reflects the processing activities carried out by Service Provider in providing the Services. Customer-specific variations, where applicable, are recorded in the relevant Order Form.

A. Subject Matter

Provision of SaaS-based legal technology services including autonomous time-tracking, matter management, AI-assisted document review, LEDES-compliant billing, and related services, as described in the Principal Agreement and applicable Order Forms.

B. Duration

For the term of the Principal Agreement and any applicable Order Form or SOW, plus any legally required retention period.

C. Nature and Purpose

Hosting, storage, and processing of Customer Data to provide the Services; access control and identity management; analytics and reporting for Customer’s internal use; technical support (on Customer request only); optional AI/LLM processing if enabled by Customer; and security monitoring and incident response.

D. Categories of Individuals

Customer’s personnel (lawyers, paralegals, administrative staff); Customer’s clients and counterparties (to the extent included in Customer Data); end-users of the Services; and other individuals whose personal data is submitted to the Platform.

E. Categories of Personal Data

Contact and identification data (names, email addresses, phone numbers, job titles); usage and access data (login times, feature usage, session logs); time-entry and matter data (including narrative descriptions of legal work); document metadata (and, where AI features are enabled, document content); billing and invoice data; and such other personal data as Customer submits to the Platform from time to time.

F. Sensitive / Special Categories

Service Provider does not intentionally process Sensitive Personal Data. To the extent Customer Data incidentally contains such data, the provisions of Clause 3.3 apply.

ANNEX 2

Technical and Organisational Measures

These measures are designed to satisfy the security requirements of Applicable Data Protection Law, including the reasonable security standard (CCPA/CPRA), Article 32 (UK/EU GDPR), and the Safeguards Principle (PIPEDA). They are aligned with CIS Controls and NIST SP 800-53.

Control Domain: Measures Implemented

Access Control: Role-based access control (RBAC); principle of least privilege; MFA enforced for all privileged accounts; regular access reviews; unique user IDs; no shared credentials; PAM tooling.

Encryption, At Rest: AES-256 for all stored Customer Data; encrypted backups; AWS S3 server-side encryption (SSE); encryption keys managed in AWS KMS with annual rotation.

Encryption, In Transit: TLS 1.2 minimum (TLS 1.3 preferred); HTTPS enforced; certificates issued via AWS Certificate Manager; HSTS enabled.

Network Security: Firewall and WAF; network segmentation; VPC isolation; IDS/IPS; DDoS mitigation; regular port scans and vulnerability assessments.

Vulnerability & Patch Management: Automated vulnerability scanning; critical/high patches within 30 days; annual third-party penetration testing; findings tracked to remediation.

Incident Detection & Response: 24/7 SIEM monitoring and alerting; documented incident response plan; designated response team; tabletop exercises; Customer notification in accordance with Clause 9 (within 24 hours of becoming aware of a confirmed or reasonably suspected Personal Data Breach).

Business Continuity & Backup: Daily automated backups; 30-day retention; geo-redundant storage; RTO < 4 hours and RPO < 24 hours for Tier 1 services; annual continuity testing.

Physical Security: Production infrastructure in AWS data centres with ISO 27001 and SOC 2 Type II certified physical controls (24/7 guards, CCTV, biometric access, environmental controls).

Personnel Security: Pre-employment background checks; confidentiality agreements; mandatory annual data protection training; access revoked within 24 hours of departure.

Supplier Management: Due diligence before engagement; contractual data protection obligations flowed down to all Sub-Processors; annual security posture review.

Privacy Programme: Designated Privacy Officer; privacy management programme; privacy-by-default implemented in the Platform.

Certifications: Service Provider is currently implementing an information security management programme aligned with ISO/IEC 27001 principles. Service Provider intends to obtain SOC 2 Type II certification and will notify Customer when certification is achieved. Current third-party security assessment reports are available on written request subject to a non-disclosure obligation.

Data Minimisation & Retention: Collection limited to what is necessary; automated deletion following expiry of the 30-day post-termination export window (Clause 14); configurable retention settings in the Platform.

ANNEX 3

Approved Sub-Processors

The following Sub-Processors are approved as at the date on which the Principal Agreement takes effect and are published on the Sub-Processor List on Service Provider’s website. Service Provider shall ensure each is bound by data protection obligations equivalent to this DPA. Customers may subscribe to sub-processor update notifications by emailing dataprivacy@perspectis.ai.

Each entry lists: Sub-Processor; Service / Purpose; Processing Location(s); Safeguard.

Amazon Web Services (AWS)
Service / Purpose: Primary cloud hosting, storage, compute, database.
Processing Location(s): Canada (ca-central-1), default; UK (eu-west-2); US (us-east-1) if enabled.
Safeguard: AWS DPA; ISO 27001, SOC 2 Type II; SCCs / UK Addendum / PIPEDA transfer agreement as applicable.

OpenAI, L.L.C.
Service / Purpose: AI / LLM processing (optional; off by default).
Processing Location(s): United States.
Safeguard: No model training on Customer Data; SCCs / UK Addendum / PIPEDA agreement as applicable.

Microsoft Azure (Azure OpenAI)
Service / Purpose: Enterprise AI / LLM, residency option.
Processing Location(s): Canada, UK, or EU (configurable).
Safeguard: Microsoft DPA; ISO 27001 / SOC 2; residency selectable in Order Form.

Microsoft Azure (Speech Services)
Service / Purpose: Voice / speech transcription (optional).
Processing Location(s): Configurable (Canada / UK / US preferred).
Safeguard: Microsoft DPA; enabled only if Customer activates the feature.

Confido Legal (if enabled)
Service / Purpose: Payment processing for billing integrations.
Processing Location(s): Canada / United States.
Safeguard: PCI DSS compliant; used only if the payment integration is enabled.