DATA PROCESSING ADDENDUM

(Self-Serve Subscriptions)
Last Updated: May 2, 2026

This Data Processing Addendum ("DPA") supplements and is incorporated into the Cirra AI Terms of Service (the "Agreement") between Cirra AI, Inc. ("Cirra AI") and the customer identified in the Agreement ("Customer"). This DPA applies where Cirra AI processes Personal Data on Customer's behalf in connection with the Services. If Customer has executed a separate master agreement with a negotiated DPA, that DPA controls instead of this one.

By accepting the Agreement and using the Services to process Personal Data, Customer agrees to this DPA. No signature is required.

1. Definitions

Capitalized terms not defined here have the meanings given in the Agreement. "Data Protection Laws" means all laws and regulations applicable to processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"). "Personal Data," "Data Subject," "Controller," "Processor," "Personal Data Breach," and "Processing" have the meanings given in applicable Data Protection Laws. "Customer Personal Data" means Personal Data contained in Customer Data.

2. Roles of the Parties

With respect to Customer Personal Data: (a) Customer is the Controller (or, where applicable, a Processor for its own clients' data) and Cirra AI is the Processor; and (b) under CCPA/CPRA, Cirra AI acts as a Service Provider and not as a "third party," and the parties intend that no "sale" or "sharing" of Personal Data occurs under the Agreement.

3. Subject Matter, Duration, and Categories

Subject matter: provision of the Services. Duration: term of the Agreement plus any retention period under Section 9. Nature and purpose: processing necessary to deliver, support, secure, and improve the Services for Customer. Categories of Data Subjects: Customer's employees, contractors, customers, prospects, and end users whose data Customer submits to the Services. Categories of Personal Data: business contact details, account and authentication identifiers, Salesforce metadata that may include Personal Data, support communications, and other data Customer elects to submit.

Data Flow and Storage Characteristics. As of the effective date of this DPA, and unless changed by an Order or by a Service feature that Customer expressly enables (an "Opt-In Feature"):

(a) AI prompts and AI responses exchanged between Customer's AI client (such as Claude, ChatGPT, Cursor, or similar) and third-party foundation model providers do not transit, and are not accessible to, Cirra AI's systems. Cirra AI does not store, log, or have visibility into such prompts or responses.

(b) Customer Data accessed through the Services (including Salesforce records and metadata) transits Cirra AI's infrastructure to perform the requested operation. Cirra AI does not maintain a persistent product-level store of such Customer Data. Such data may, however, appear in: (i) backend server logs retained for operational, security, and debugging purposes for up to thirty (30) days; and (ii) short-lived response artifacts (for example, cached responses that exceed inline size limits) retained for up to one (1) hour. Cirra AI's frontend telemetry captures limited usage information (such as logins and page views) and does not include Customer Data; such telemetry is retained for up to ninety (90) days.

(c) OAuth access tokens and refresh tokens for systems connected to the Services (such as Salesforce orgs) are stored by Cirra AI in encrypted form to enable the Services to operate.

Cirra AI may from time to time introduce Opt-In Features that change the data flow or storage characteristics described above (for example, persistent change history, conversation logging, or AI-prompt facade functionality). Any such Opt-In Feature will be enabled only with Customer's express action and will be governed by the documentation and any feature-specific terms made available at the time of opt-in.

4. Cirra AI Obligations

Cirra AI shall:

• Process Customer Personal Data only on Customer's documented instructions, including as set out in the Agreement, except as required by law (in which case Cirra AI shall, where legally permitted, inform Customer);
• Ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations;
• Implement and maintain technical and organizational measures appropriate to the nature of Customer Personal Data, as described at https://cirra.ai/legal/security or in equivalent published documentation;
• Assist Customer, taking into account the nature of processing, in responding to Data Subject requests under Section 6 and in meeting Customer's obligations under Articles 32–36 GDPR or analogous provisions;
• Notify Customer without undue delay, and where feasible no later than seventy-two (72) hours, after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data;
• Promptly notify Customer in writing if Cirra AI determines that it can no longer meet its obligations under this DPA or applicable Data Protection Laws, including obligations under CCPA/CPRA;
• At Customer's direction, return or delete Customer Personal Data at the end of provision of Services as described in Section 9; and
• Make available to Customer information necessary to demonstrate compliance with this DPA, in the form of audit reports, security questionnaires, or comparable documentation.

5. Sub-Processors

Customer provides general written authorization for Cirra AI to engage sub-processors. Cirra AI maintains a current list of sub-processors at https://cirra.ai/legal/subprocessors, including the name, location, and processing activity of each sub-processor. Cirra AI will give Customer at least thirty (30) days' prior notice (which may be by updating the sub-processor list page with a subscription option, or by email to account administrators) of any new or replaced sub-processor handling Customer Personal Data. Customer may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, Customer's sole remedy is to terminate the affected Subscription Plan, with a pro-rata refund of pre-paid fees for the unused subscription term.

Sub-processors include cloud hosting providers, customer support and analytics tooling, and payment processors. Foundation model providers (such as Anthropic and OpenAI) and AI clients (such as Claude, ChatGPT, and Cursor) are operated by third parties whose services Customer engages directly; as of the effective date of this DPA, they are not Cirra AI sub-processors, as further described in Section 3 above. The current list at the URL above controls.

6. Data Subject Rights

Cirra AI will, taking into account the nature of the processing, provide reasonable assistance through appropriate technical and organizational measures, insofar as possible, to enable Customer to fulfill its obligations to respond to Data Subject requests under GDPR (access, rectification, erasure, restriction, portability, and objection) and to verifiable consumer requests under CCPA/CPRA (right to know, right to delete, right to correct, and right to opt out of sale or sharing). If Cirra AI receives a Data Subject or consumer request directed at Customer Data, Cirra AI will, where legally permitted, redirect the requestor to Customer without responding substantively.

7. International Data Transfers

Where transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country not deemed to provide an adequate level of protection occur, the parties agree that the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor, or Module Three: Processor-to-Processor, as applicable) and the UK International Data Transfer Addendum, in each case as in force at the time of transfer, are incorporated by reference, with the following selections: clause 7 (docking) applies; clause 9 option 2 (general written authorization) applies with the notice period in Section 5; clause 11 optional language is omitted; clause 17 governing law: Ireland; clause 18 forum: Ireland. The parties also rely on the EU-U.S. Data Privacy Framework and its UK and Swiss extensions where applicable certifications are in place.

8. CCPA / CPRA Provisions

To the extent Cirra AI processes Personal Information of California residents on Customer's behalf, Cirra AI: (a) is a Service Provider as defined under CCPA/CPRA; (b) shall not sell or share such Personal Information; (c) shall not retain, use, or disclose such Personal Information outside the direct business relationship with Customer or for any purpose other than the business purposes specified in the Agreement; (d) shall not combine such Personal Information with information received from other sources except as permitted by CPRA; and (e) shall comply with applicable obligations under CCPA/CPRA and provide the same level of privacy protection as required of businesses under CCPA/CPRA. Customer may, upon notice, take reasonable steps to stop and remediate unauthorized use of Personal Information.

9. Return and Deletion

Upon termination or expiration of the Agreement, Cirra AI will, at Customer's written direction made within thirty (30) days following such termination, return Customer Personal Data in a commercially reasonable format or securely delete it. After such period, Cirra AI may delete Customer Personal Data in the ordinary course, subject to retention required by law or contained in routine backup media that is overwritten in the ordinary course.

10. Order of Precedence

In the event of conflict between this DPA and the Agreement with respect to processing of Personal Data, this DPA prevails. In the event of conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.

Questions about this DPA? Contact us at [email protected].