Data Processing Agreement

1 Definitions

2 Scope of Processing

This DPA applies to the processing of Personal Data by MythicDot.AI as described in the Service Agreement. The nature and purpose of processing includes:

• Providing AI model inference services
• Processing API requests containing Personal Data
• Logging and monitoring for security and debugging purposes
• Customer support and service delivery

3 Processor Obligations

MythicDot.AI, as Processor, agrees to:

1. Process Personal Data only on documented instructions from the Controller
2. Ensure personnel processing data are bound by confidentiality obligations
3. Implement appropriate technical and organizational security measures
4. Engage sub-processors only with prior authorization and equivalent contractual obligations
5. Assist the Controller with data subject requests and regulatory compliance
6. Make available all information necessary to demonstrate compliance
7. Allow and contribute to audits conducted by the Controller
8. Delete or return all Personal Data upon termination of services

4 Controller Obligations

The Controller agrees to:

1. Ensure lawful basis for processing Personal Data
2. Provide clear instructions regarding the processing of Personal Data
3. Ensure compliance with applicable data protection laws
4. Notify MythicDot.AI of any data subject requests requiring assistance
5. Maintain appropriate privacy notices for data subjects

5 Sub-processors

The Controller authorizes MythicDot.AI to engage the following sub-processors:

MythicDot.AI will notify the Controller of any intended changes to sub-processors at least 30 days in advance.

6 Security Measures

MythicDot.AI implements and maintains the following security measures:

• Encryption: AES-256 encryption at rest, TLS 1.3 in transit
• Access Control: Role-based access with multi-factor authentication
• Network Security: Firewalls, intrusion detection, DDoS protection
• Monitoring: 24/7 security monitoring and logging
• Testing: Regular penetration testing and vulnerability assessments
• Personnel: Background checks and security awareness training
• Physical: SOC 2 certified data centers with physical access controls

7 International Transfers

When Personal Data is transferred outside the European Economic Area, MythicDot.AI relies on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• EU-US Data Privacy Framework certification (where applicable)
• Supplementary measures including encryption and access controls

Enterprise customers may request data residency in specific regions (US, EU, or Asia-Pacific).

8 Data Subject Rights

MythicDot.AI will assist the Controller in responding to data subject requests including:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object

Requests will be processed within 30 days of receipt.

9 Data Breach Notification

In the event of a Personal Data breach, MythicDot.AI will:

1. Notify the Controller without undue delay (within 72 hours of becoming aware)
2. Provide details including nature of breach, categories of data affected, and likely consequences
3. Describe measures taken or proposed to address the breach
4. Cooperate with the Controller in investigating and mitigating the breach

10 Data Deletion

Upon termination of the Service Agreement or upon Controller's request:

• MythicDot.AI will delete or return all Personal Data within 30 days
• Deletion will include all copies except as required by law
• MythicDot.AI will provide written confirmation of deletion upon request