Data Processing Agreement

Controller means the Customer — the entity that determines the purposes and means of processing personal data. Processor means Centrali — the entity that processes personal data on behalf of the Controller. Data Subject means any identified or identifiable natural person whose personal data is processed through the Service. Personal Data means any information relating to an identified or identifiable natural person. Processing means any operation or set of operations performed on personal data, including collection, storage, use, disclosure, and deletion. Subprocessor means a third-party engaged by Centrali to process personal data in connection with the Service. GDPR means the EU General Data Protection Regulation 2016/679 and, where applicable, the UK GDPR.

Subject matter: Centrali processes personal data stored by the Customer within workspaces on the Centrali platform, including records, files, and compute function inputs/outputs. Duration: For the duration of the Customer's use of the Service, plus any applicable retention period following termination. Nature and purpose: Providing the Centrali backend-as-a-service platform — storing, retrieving, indexing, and processing data as directed by the Customer via API. Categories of personal data: Any categories the Customer chooses to store — Centrali does not dictate or restrict the types of personal data stored by the Customer. Categories of Data Subjects: The Customer's end users, employees, or any other individuals whose personal data the Customer processes through the Service. The Customer acknowledges they are the Controller for all personal data stored within their workspaces. Centrali acts solely as a Processor, processing data only on the documented instructions of the Customer.

As the Controller, you are responsible for: • Having a lawful basis under applicable data protection law to process the personal data you store on Centrali • Providing required privacy notices and obtaining any necessary consents from your Data Subjects • Ensuring that your use of Centrali complies with applicable data protection laws in your jurisdiction • Not storing categories of data on Centrali that you are not legally permitted to process • Responding to Data Subject requests (see Section 7) in accordance with your legal obligations Centrali is not responsible for the lawfulness of the Customer's data processing activities.

Centrali commits to: • Process only on instructions: We will process personal data only as directed by you through your use of the Service and these Terms, unless required to do otherwise by law • Confidentiality: All Centrali personnel with access to personal data are bound by confidentiality obligations • Security: We implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure (see our Security page at centrali.io/security) • Subprocessors: We will not engage subprocessors to process your data without your general authorization (granted by accepting these Terms) and will ensure subprocessors are bound by equivalent obligations • Assistance: We will assist you in fulfilling your obligations to respond to Data Subject requests and regulatory inquiries, to the extent technically feasible • Compliance evidence: We will provide information reasonably necessary to demonstrate compliance with this DPA upon written request • Notification of legal requests: Where legally permitted, we will notify you if we receive a legal demand to disclose personal data relating to your account

Centrali engages the following subprocessors to deliver the Service. All subprocessors are contractually bound to data protection obligations consistent with this DPA: Microsoft Azure — Cloud infrastructure, database hosting, and file storage Location: European Union and United States Purpose: Core platform infrastructure Stripe — Payment processing and subscription management Location: United States Purpose: Billing only; does not process workspace customer data Azure Communication Services — Transactional email delivery Location: United States Purpose: Sending account and system notifications Microsoft Azure DNS — Domain name system and DNS hosting Location: Global Purpose: DNS resolution for centrali.io We will provide at least 14 days notice before adding or replacing a Subprocessor that will process Customer personal data. Notice will be sent to your registered email address. If you object, you may terminate the affected services within that notice period. For a current subprocessor list, contact privacy@centrali.io.

As the Controller, you are responsible for responding to requests from your Data Subjects to exercise their rights (access, correction, deletion, portability, restriction). Centrali will: • Not respond directly to Data Subject requests unless authorized by you • Provide technical mechanisms (API access, workspace data export) that enable you to fulfill requests • Promptly notify you if we receive a direct request from one of your Data Subjects, so you can respond • Assist you in fulfilling deletion requests by deleting or anonymizing the relevant data within your workspace upon your instruction For workspace-level data deletion, use the platform's data management features or contact support@centrali.io with specific deletion instructions.

In the event of a personal data breach affecting your workspace data, Centrali will: • Notify you at your registered account email address within 72 hours of becoming aware of the breach • Provide, as soon as available: a description of the breach, categories and approximate volume of data affected, likely consequences, and measures taken or proposed to address it • Cooperate with your investigation and provide information necessary for your own regulatory reporting obligations Notification to you does not constitute an admission of fault or liability. You remain responsible for your own regulatory reporting obligations (e.g., notifying your supervisory authority or Data Subjects) within legally required timeframes.

Centrali implements the following measures to protect personal data: • Encryption in transit: All data transmitted over public networks uses TLS 1.2 or higher • Encryption at rest: All databases and file storage are encrypted at rest • Access control: Access to production systems is limited to authorized personnel on a need-to-know basis • Workspace isolation: Personal data is logically separated between Customer workspaces — cross-tenant access is structurally prevented • Backup and recovery: Automated backups with tested recovery procedures • Monitoring and logging: System-level logging and anomaly detection • Patch management: Security updates applied on a regular schedule Full details are available at centrali.io/security.

Upon termination of your account or a specific workspace: • Your workspace data (records, files, function definitions) will be deleted from active systems within 30 days • Backup copies will be purged within 90 days of termination • Billing records will be retained for the legally required period (7 years) but will be isolated from active processing You may request a data export before deletion by contacting support@centrali.io prior to termination. We will provide your data in a standard machine-readable format where technically feasible. Upon deletion, Centrali will confirm in writing that your data has been deleted, upon request.

You have the right to verify Centrali's compliance with this DPA. Centrali will: • Respond to reasonable written questionnaires about our data processing practices • Provide copies of relevant internal policies and certifications upon request • Allow on-site audits (or audits conducted by a mutually agreed third-party assessor) with reasonable advance notice of at least 30 days, no more than once per year, and at the Customer's expense Audit rights may be exercised by contacting security@centrali.io. We reserve the right to redact confidential information about other customers or third parties.

For DPA-related questions, data processing inquiries, or to request a signed DPA for enterprise agreements: privacy@centrali.io For security-specific concerns: security@centrali.io We respond to all DPA inquiries within 5 business days.