Data Processing Addendum

Last Updated: February 17, 2026

This Data Processing Addendum ("DPA") forms part of and supplements the Terms of Service (the "Agreement") between Buji Development Corporation, a Wyoming corporation with its principal office at 1712 Pioneer Ave. Ste. 500, Cheyenne, WY 82001 ("Processor," "we," "us," or "our"), and the subscriber or entity using the Agent Midas platform ("Controller," "you," or "your"). This DPA applies to the extent that the Processor processes Personal Data on behalf of the Controller in the course of providing the Agent Midas services. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data processing matters.

1. Scope

1.1 Applicability

This DPA applies to the processing of Personal Data that is subject to the protection of one or more of the following data protection laws and regulations:

• The European Union General Data Protection Regulation (EU) 2016/679 ("GDPR")
• The United Kingdom General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018
• The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA")
• The Swiss Federal Act on Data Protection ("FADP")
• The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, "LGPD")
• Any other applicable data protection or privacy law that requires the execution of a data processing agreement between controller and processor

1.2 Roles of the Parties

For the purposes of this DPA, the Controller determines the purposes and means of processing Personal Data, and the Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Agent Midas platform services as described in the Agreement. Where the Processor processes Personal Data for its own purposes (such as billing, account management, or service improvement), it acts as an independent controller with respect to such processing, subject to its Privacy Policy.

2. Definitions

For the purposes of this DPA, the following terms have the meanings set forth below. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement or in applicable data protection law.

2.1 Personal Data

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by the Processor on behalf of the Controller in connection with the Agent Midas services. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

2.2 Processing

"Processing" means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

2.3 Controller

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In this DPA, the Controller is the subscriber or entity that has entered into the Agreement with the Processor.

2.4 Processor

"Processor" means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. In this DPA, the Processor is Buji Development Corporation, operating the Agent Midas platform.

2.5 Data Subject

"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates. In the context of the Agent Midas platform, Data Subjects may include the Controller's end users, customers, employees, or other individuals whose data is processed through the platform.

2.6 Sub-Processor

"Sub-Processor" means any third-party entity engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Agent Midas services. The current list of authorized Sub-Processors is set forth in Section 5.

3. Processing Details

3.1 Nature and Purpose of Processing

The Processor processes Personal Data for the purpose of providing the Agent Midas platform services as described in the Agreement, including:

• Account creation, authentication, and access management
• Subscription management and payment processing
• Delivery of AI-powered analytics, signals, and market intelligence
• Processing of user-submitted data through AI models for generating insights and recommendations
• Customer support and communication
• Platform performance monitoring, error detection, and service improvement
• Compliance with legal and regulatory obligations

3.2 Duration of Processing

The Processor shall process Personal Data for the duration of the Agreement, unless otherwise required by applicable law. Upon termination of the Agreement, the Processor shall, at the Controller's election, either delete or return all Personal Data to the Controller within thirty (30) days, and delete existing copies unless applicable law requires retention. The Processor shall certify in writing that deletion has been completed upon the Controller's request.

3.3 Categories of Data Subjects

The Personal Data processed under this DPA may relate to the following categories of Data Subjects:

• Subscribers and account holders of the Agent Midas platform
• Employees, contractors, and authorized users of subscriber organizations
• End users who interact with applications built on the Agent Midas platform
• Individuals whose data is submitted to the platform by the Controller for processing

3.4 Categories of Personal Data

The following categories of Personal Data may be processed under this DPA:

• Contact information (name, email address, phone number, mailing address)
• Account credentials (username, hashed passwords, authentication tokens)
• Billing and payment information (processed through Stripe; the Processor does not store full payment card numbers)
• Usage data (platform interactions, feature usage, session data, IP addresses)
• Device and browser information (user agent, operating system, screen resolution)
• User-generated content and data submitted to the platform for AI processing
• Communication records (support tickets, emails, in-app messages)

4. Processor Obligations

4.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Agreement and this DPA constitute the Controller's complete instructions to the Processor at the time of execution. The Controller may provide additional written instructions consistent with the Agreement, and the Processor shall comply with such instructions to the extent technically feasible and commercially reasonable.

4.2 Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, at a minimum:

• Encryption of Personal Data in transit using TLS 1.2 or higher
• Encryption of Personal Data at rest using AES-256 or equivalent
• Role-based access controls limiting access to Personal Data to authorized personnel only
• Multi-factor authentication for administrative access to systems containing Personal Data
• Regular security assessments, penetration testing, and vulnerability scanning
• Incident detection and response procedures with defined escalation paths
• Business continuity and disaster recovery measures with regular backup testing
• Employee security training and confidentiality agreements

4.3 Confidentiality

The Processor shall ensure that all personnel authorized to process Personal Data are bound by enforceable obligations of confidentiality, whether through contractual duty, statutory obligation, or professional ethics. The Processor shall limit access to Personal Data to those personnel who require access for the performance of the services under the Agreement.

4.4 Assistance with Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection law, including but not limited to the right of access, rectification, erasure, restriction of processing, data portability, and objection. The Processor shall promptly notify the Controller if it receives a request from a Data Subject directly, and shall not respond to such request except on the Controller's documented instructions or as required by applicable law.

4.5 Assistance with Compliance

Taking into account the nature of the processing and the information available to the Processor, the Processor shall assist the Controller in ensuring compliance with its obligations regarding data protection impact assessments, prior consultations with supervisory authorities, and notifications to supervisory authorities and Data Subjects in connection with Personal Data breaches, as required under applicable data protection law.

4.6 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable data protection law. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice of at least thirty (30) days and conducted during normal business hours. Audits shall not unreasonably interfere with the Processor's business operations.

5. Sub-Processors

5.1 General Authorization

The Controller provides the Processor with general written authorization to engage Sub-Processors for the processing of Personal Data in connection with the Agent Midas services, subject to the requirements of this Section 5. The Processor shall ensure that each Sub-Processor is bound by data protection obligations no less protective than those set forth in this DPA.

5.2 Current Sub-Processors

The following Sub-Processors are authorized to process Personal Data as of the effective date of this DPA:

5.3 Notification of Changes

The Processor shall notify the Controller in writing at least thirty (30) days prior to the addition or replacement of any Sub-Processor. The notice shall identify the proposed Sub-Processor, the processing activities to be performed, and the location of processing. The Controller may object to the proposed Sub-Processor on reasonable grounds relating to data protection within fifteen (15) days of receiving the notification. If the Controller objects and the parties are unable to resolve the objection, the Controller may terminate the affected services without penalty.

5.4 Sub-Processor Liability

The Processor shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations under the data processing terms. Where a Sub-Processor fails to fulfill its data protection obligations, the Processor shall be liable to the Controller for the acts and omissions of the Sub-Processor as if they were the Processor's own acts and omissions.

6. International Transfers

6.1 Transfer Mechanisms

Where Personal Data originating from the European Economic Area ("EEA"), the United Kingdom, or Switzerland is transferred to a country that has not been recognized as providing an adequate level of data protection, the Processor shall ensure that appropriate safeguards are in place in accordance with applicable data protection law. The Processor relies on the following transfer mechanisms:

• EU-U.S. Data Privacy Framework: Where the Sub-Processor is certified under the EU-U.S. Data Privacy Framework, the UK Extension, or the Swiss-U.S. Data Privacy Framework, such certification serves as the basis for the transfer.
• Standard Contractual Clauses (SCCs): Where the EU-U.S. Data Privacy Framework does not apply, the Processor enters into the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with the relevant Sub-Processor, incorporating Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) as appropriate.
• UK International Data Transfer Addendum: For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office) is incorporated.

6.2 Transfer Impact Assessments

The Processor shall conduct a transfer impact assessment for each international transfer of Personal Data to evaluate whether the laws of the destination country provide an adequate level of protection. Where the assessment identifies risks, the Processor shall implement supplementary measures (such as encryption, pseudonymization, or contractual safeguards) to ensure that the level of protection is not undermined. The Processor shall make summaries of transfer impact assessments available to the Controller upon request.

6.3 Government Access Requests

If the Processor receives a legally binding request from a government authority or law enforcement agency for access to Personal Data processed under this DPA, the Processor shall: (a) notify the Controller promptly, unless prohibited by law; (b) challenge the request if there are reasonable grounds to consider it unlawful; and (c) provide the minimum amount of information permissible when responding to the request.

7. Data Breach Notification

7.1 Notification Timing

The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of any Personal Data breach that affects Personal Data processed under this DPA. Notification shall be provided to the Controller's designated contact via email, with follow-up confirmation in writing.

7.2 Contents of Notification

The breach notification shall include, to the extent known at the time of notification, the following information:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
• The name and contact details of the Processor's data protection contact from whom further information may be obtained
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
• A timeline of events, including when the breach occurred, when it was discovered, and the actions taken in response

7.3 Ongoing Obligations

Where it is not possible to provide all information at the time of initial notification, the Processor shall provide information in phases as it becomes available, without further undue delay. The Processor shall cooperate fully with the Controller in investigating, remediating, and mitigating the effects of the breach, and shall assist the Controller in complying with its obligations to notify supervisory authorities and affected Data Subjects under applicable data protection law.

7.4 Record-Keeping

The Processor shall maintain a record of all Personal Data breaches, including the facts surrounding the breach, its effects, and the remedial actions taken, in accordance with Article 33(5) of the GDPR. This record shall be made available to the Controller and supervisory authorities upon request.

8. AI-Specific Processing Provisions

8.1 No Use for AI Model Training

The Processor shall not use Personal Data processed under this DPA for the purpose of training, fine-tuning, or improving any artificial intelligence model, machine learning algorithm, or large language model, whether owned by the Processor or any third party, unless the Controller provides explicit prior written consent for such use. This prohibition extends to all Sub-Processors engaged by the Processor. The Processor shall ensure that all AI Sub-Processors (including Anthropic, OpenAI, and Google Cloud) are contractually bound to refrain from using Controller data for model training purposes.

8.2 AI Input and Output Data

When Personal Data is submitted to AI models for processing (e.g., for generating analytics, insights, or recommendations), the Processor shall:

• Minimize the Personal Data included in AI prompts to only what is necessary for the specific processing task
• Not retain AI-generated outputs that contain Personal Data beyond the period necessary to deliver the service to the Controller
• Ensure that AI processing does not result in automated decisions that produce legal effects or similarly significant effects on Data Subjects without appropriate safeguards, including the right to obtain human intervention
• Log and audit AI processing activities involving Personal Data in accordance with the Processor's security measures

8.3 Algorithmic Transparency

Upon the Controller's written request, the Processor shall provide meaningful information about the logic involved in any automated processing of Personal Data, including the significance and envisaged consequences of such processing for the Data Subject. This obligation applies in particular where AI-generated outputs are used to make or inform decisions about Data Subjects. The Processor shall maintain documentation describing the general functionality, purposes, and data flows of AI systems that process Personal Data under this DPA.

8.4 AI Sub-Processor Data Handling

The Processor represents that, as of the effective date of this DPA, the following data handling commitments are in place with AI Sub-Processors:

• Anthropic (Claude): API inputs and outputs are not used for model training; data is deleted within 30 days of processing
• OpenAI: API inputs and outputs are not used for model training when accessed via the API; data retention follows OpenAI's API data usage policy
• Google Cloud (Gemini): Customer data processed via the Gemini API is not used to improve Google products; data is handled under Google Cloud's data processing terms

The Processor shall monitor changes to AI Sub-Processor data handling policies and notify the Controller of any material changes within fifteen (15) days of becoming aware of such changes.