Data Processing Addendum

The DPA, BAA, and sub-processor list.

GDPR Article 28 processor obligations, SCCs for international transfers, the live sub-processor list, and a HIPAA Business Associate Agreement addendum for regulated healthcare customers.

Last Updated:
April 20, 2026
Effective:
April 20, 2026
Jurisdiction:
India

§ 01

Parties & incorporation

This Data Processing Addendum (“DPA”) is between Vaarak Technologies (“Humane AI,” the Processor) and the legal entity named on an active Humane AI subscription or a signed Master Services Agreement (“Customer,” the Controller).

This DPA is auto-incorporated into our Terms of Service for all paid plans. For Enterprise contracts or where your procurement process requires a countersigned PDF, email legal@humaneai.vaarak.com — we will return a signed copy within 3 business days.

If any term in the signed MSA conflicts with this DPA, the signed MSA controls. For EU / UK data subjects, the Standard Contractual Clauses (Module 2, Controller-to-Processor, Commission Implementing Decision (EU) 2021/914) are incorporated by reference as if set out in full.

§ 02

Definitions

  • “Applicable Data Protection Law” — GDPR (EU 2016/679), UK GDPR, Data Protection Act 2018, CCPA / CPRA, Indian DPDP Act 2023, and any successor laws.
  • “Customer Data,” “Personal Data,” “Data Subject,” “Processing,” “Controller,” “Processor,” “Sub-processor,” and “Supervisory Authority” have the meanings given under the Applicable Data Protection Law.
  • “PHI” — Protected Health Information as defined by HIPAA, 45 CFR §160.103.
  • “SCCs” — the EU Standard Contractual Clauses approved by the European Commission in 2021.

§ 03

Scope & nature of processing

Subject matter

Humane AI provides a behavioral intelligence layer that augments LLM calls with persistent memory and deterministic safety gates. Processing Customer Data is necessary to provide the Service described in the Terms.

Duration

For as long as the Customer holds an active subscription, plus any wind-down period required to fulfil return-or-delete obligations.

Types of data

  • Customer account data (name, email, organization).
  • End-user identifiers (external_id, optional display_name).
  • Conversation messages the Customer submits.
  • Derived behavioral signals (mood / energy / trust / familiarity / sentiment).
  • Usage and billing metadata.
  • Opt-in: semantic memories in MemPalace.

Categories of data subjects

  • Customer's authorized employees and contractors.
  • Customer's end users (patients, customers, agents, depending on deployment).

Processing instructions

The Customer's instructions are the Terms, this DPA, any signed MSA, and the documented configuration the Customer sets in the dashboard or via API. Humane AI will not process Personal Data for any other purpose unless required by law, in which case we'll notify the Customer unless the law prohibits such notice.

§ 04

Security obligations

Humane AI implements and maintains the technical and organizational measures described at /security and summarized in Annex II below. These include, at minimum:

  • TLS 1.3 in transit, encryption at rest.
  • bcrypt password hashing, HttpOnly + Secure session cookies.
  • Tenant-scoped data access enforced at the ORM layer.
  • HMAC-SHA256 webhook signing with 5-minute skew tolerance.
  • SSRF guards on every outbound fetch.
  • Audit logging of admin actions (2-year retention).
  • Dependency scanning (Trivy) + SCA (Dependabot) in CI.
  • Immutable off-host backups with quarterly restore tests.
  • Role-based production access, tmux-recorded operator sessions.

Humane AI requires all personnel with access to Customer Data to sign confidentiality agreements and complete annual security training.
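The webhook-signing measure listed above (HMAC-SHA256 with a 5-minute skew tolerance) is the one item in this list a Customer has to implement on their own side. The following is an added example written for this page, not Humane AI's code: it assumes a header pair X-Humane-Timestamp and X-Humane-Signature and a signed string of the form "timestamp.body", none of which the page specifies; only the algorithm and the 5-minute window come from the page. The receiver rejects stale timestamps first, then compares the HMAC in constant time.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Assumption (not on the page): the sender puts a Unix timestamp in
# X-Humane-Timestamp and hex(HMAC-SHA256(secret, f"{ts}.{body}")) in
# X-Humane-Signature. The 300 s window is the page's 5-minute skew tolerance.
MAX_SKEW_SECONDS = 300


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: binding the timestamp into the MAC means an attacker cannot
    take a captured body and re-send it under a fresh timestamp."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> bool:
    """Receiver side. Returns True only if the timestamp is inside the skew
    window AND the signature matches the raw request body."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Humane-Timestamp"])
        presented = headers["X-Humane-Signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed headers: treat as unsigned
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # replay of an old capture, or clock drift past tolerance
    expected = sign_webhook(secret, ts, body)
    # compare_digest runs in time independent of where the strings differ,
    # so a forger cannot learn the MAC one byte at a time via response timing.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample delivery for a local dry run.
    secret = b"whsec_example_only"
    body = b'{"event":"memory.created","external_id":"u_123"}'
    ts = int(time.time())
    hdrs = {"X-Humane-Timestamp": str(ts),
            "X-Humane-Signature": sign_webhook(secret, ts, body)}
    print("fresh delivery verifies:", verify_webhook(secret, hdrs, body))
    print("same delivery 10 min later:", verify_webhook(secret, hdrs, body, now=ts + 600))
```

Verify against the raw bytes of the request body, not a re-serialized JSON object, since any whitespace or key-order change alters the MAC. The skew check is a bound, not a replay guard on its own; within the window a receiver that must be idempotent should also record recently seen signatures.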

§ 05

Sub-processors

The Customer gives general authorization for Humane AI to engage Sub-processors for the purposes described below. Humane AI will notify the Customer at least 30 days before adding or replacing a Sub-processor that processes Customer Data — the live list below is the notification of record, and the page carries a dateModified in its structured data for transparency.

Current Sub-processors (Annex III):

Sub-processor                             | Purpose                                                      | Location                        | Transfer
Contabo GmbH                              | Primary compute + storage (Mumbai region)                    | India (VM) / Germany (controller) | SCCs
Cloudflare, Inc.                          | DNS, DDoS protection, CDN edge cache (marketing only)        | Global edge                     | SCCs
Stripe, Inc.                              | Subscription billing, payment method storage, invoicing      | USA                             | SCCs + PCI-DSS Level 1
Resend, Inc.                              | Transactional email (verification, receipts, quota warnings) | USA                             | SCCs
Sentry (Functional Software, Inc.)        | Application error telemetry (scrubbed)                       | USA / EU region                 | SCCs
OpenAI, LLC                               | Downstream LLM routed via your API calls                     | USA                             | SCCs; routed only at Customer request
Anthropic PBC                             | Downstream LLM routed via your API calls                     | USA                             | SCCs; routed only at Customer request
Google LLC (Gemini)                       | Downstream LLM routed via your API calls                     | USA / Global                    | SCCs; routed only at Customer request
AWS Bedrock (Amazon Web Services, Inc.)   | Downstream LLM routed via your API calls                     | USA / Customer-chosen region    | SCCs; routed only at Customer request

The Customer may object to a new Sub-processor on reasonable Data Protection grounds during the 30-day notice period. If the objection is not resolved within 15 business days, the Customer may terminate the affected Service and receive a pro-rata refund of prepaid fees.

§ 06

International transfers

Where Humane AI transfers Personal Data from the EU, EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is protected by the Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914 (Module 2, Controller-to-Processor, between the Customer and Humane AI; Module 3, Processor-to-Processor, for onward transfers from Humane AI to its Sub-processors), together with the UK International Data Transfer Addendum where applicable. These are incorporated by reference into this DPA and into Humane AI's agreements with its Sub-processors.

Primary compute lives in Mumbai, India. LLM providers you route traffic to may receive Customer Data in the United States or other regions of the provider's choosing, for the sole purpose of producing a response. No Sub-processor uses Customer Data to train general-purpose models without explicit Customer consent.

§ 07

Data-subject requests

Humane AI provides programmatic endpoints to help the Customer fulfil Data Subject requests:

  • GET /api/privacy/export/{external_id} — access / portability.
  • DELETE /api/privacy/erase/{external_id} — erasure.
  • Profile fields are editable from the dashboard — rectification.
  • End-user status can be set to paused — restriction of processing.

If Humane AI receives a Data Subject request directly, we will route it to the Customer without substantive response, within 5 business days.

§ 08

Personal data breach notification

Humane AI will notify the Customer of a Personal Data breach affecting Customer Data without undue delay and in any case within 24 hours of confirmation. The notification will include, where known: nature of the breach, categories and approximate number of data subjects / records, likely consequences, measures taken or proposed, and a point of contact.

Humane AI will assist the Customer in its own notification obligations to Supervisory Authorities and Data Subjects, including providing the necessary forensic information on reasonable request.

§ 09

Audits & inspections

Humane AI will make available to the Customer all information reasonably necessary to demonstrate compliance with Art. 28 GDPR, including SOC 2 reports once available, penetration-test executive summaries, and third-party audit letters.

On reasonable prior written notice (≥ 30 days), no more than once per 12 months, the Customer may conduct an on-site audit limited to the facilities directly relevant to Humane AI's Processing of Customer Data, during business hours, in a manner that doesn't disrupt operations. For more frequent or intrusive inspections, the Customer agrees to bear reasonable costs.

§ 10

Return & deletion

On termination of the Service, Humane AI will, at the Customer's election, return all Customer Data via the export endpoint (or an S3 export for large datasets) and then delete it from active systems within 30 days, and from backups within the next 60 days as encrypted backups age out of rotation.

Humane AI may retain aggregated or de-identified metrics, or Customer Data whose retention is required by law, provided that the retained data is segregated and remains subject to the security obligations in Section 4.

§ 11

HIPAA Business Associate addendum

Where the Customer is a HIPAA Covered Entity or Business Associate, and is on the Scale plan or a signed Enterprise MSA, this section operates as the Business Associate Agreement (BAA) required by 45 CFR §164.504(e). Under this BAA:

  • Humane AI will not use or further disclose PHI other than as permitted or required by this BAA, the Terms, or as required by law.
  • Humane AI will implement appropriate administrative, physical, and technical safeguards in accordance with 45 CFR §164.308, §164.310 and §164.312, as documented at /security.
  • Humane AI will report breaches of unsecured PHI to the Customer without unreasonable delay, and in any case within 24 hours.
  • Humane AI will ensure that any Sub-processor that creates, receives, maintains, or transmits PHI on behalf of Humane AI agrees to the same restrictions and conditions.
  • Humane AI will make PHI and our books and records available to the Secretary of Health and Human Services on reasonable request for purposes of determining Customer compliance with HIPAA.
  • On termination, Humane AI will return or destroy all PHI, including all copies in backup systems once they age out of rotation.

The BAA applies only to traffic that the Customer explicitly routes through a HIPAA-eligible sub-processor configuration — typically by selecting an LLM provider that offers its own BAA (for example, Azure OpenAI or AWS Bedrock with a signed BAA on the downstream account).

§ 12

Liability

Each party's liability under this DPA is subject to the overall limitation of liability in the Terms, except that no limitation applies to willful misconduct, gross negligence, breach of confidentiality, or obligations that cannot be limited under applicable law.

§ 13

Execution

This DPA is effective on the date the Customer first accepts the Terms. No separate signature is required for standard subscription plans; the published version on this page is incorporated by reference.

For procurement processes that require a countersigned PDF — including most Enterprise engagements — email legal@humaneai.vaarak.com. We will return a signed copy within 3 business days.