Data Processing Addendum (DPA) ============================== TEMPLATE — NOT LEGAL ADVICE. This document is a sample template provided for informational purposes only. It is not legal advice, not an offer, and not an executed agreement. It may not fit your jurisdiction, your regulatory obligations, or the specifics of your engagement. Have it reviewed and adapted by qualified legal counsel before use. Enhanced Language & Cultural Services, LLC (d/b/a Lingfaro) makes no warranty, express or implied, regarding this template and disclaims all liability for its use. ------------------------------------------------------------------------ DATA PROCESSING ADDENDUM (TEMPLATE) This Data Processing Addendum ("DPA") supplements the agreement between [CLIENT LEGAL NAME] ("Controller") and Enhanced Language & Cultural Services, LLC, d/b/a Lingfaro ("Processor"), effective [EFFECTIVE DATE]. 1. SCOPE AND ROLES Controller determines the purposes and means of processing Personal Data. Processor processes Personal Data only on Controller's documented instructions, including those set out in this DPA and the underlying agreement. 2. NATURE OF PROCESSING 2.1 Subject matter: interpreter dispatch and related services. 2.2 Categories of data subjects: Controller's staff and authorized users; limited end-client identifiers needed to schedule sessions. 2.3 Categories of Personal Data: names, business contact details, account identifiers, scheduling metadata (language, modality, time, location). 2.4 Processor is designed to avoid receiving special-category or clinical content during ordinary use. 3. CONFIDENTIALITY Processor ensures persons authorized to process Personal Data are bound by confidentiality obligations. 4. SECURITY Processor implements appropriate technical and organizational measures, including encryption in transit and at rest, access controls, and logging, appropriate to the risk. 5. SUB-PROCESSORS Controller authorizes Processor to engage sub-processors for payments, authentication, transactional email, hosting, product analytics, and trusted timestamping. Processor maintains a current, public list of named sub-processors at https://lingfaro.com/subprocessors/ and imposes data-protection terms on each sub-processor no less protective than this DPA. 6. DATA SUBJECT RIGHTS Processor assists Controller, by appropriate measures, in responding to requests to exercise data-subject rights, taking into account the nature of the processing. 7. PERSONAL DATA BREACH Processor notifies Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller's data, and provides information reasonably available to assist Controller's own notification obligations. 8. DELETION AND RETURN On termination, Processor deletes or returns Personal Data at Controller's choice, except where retention is required by law. 9. AUDITS Processor makes available information necessary to demonstrate compliance and allows for and contributes to audits, including inspections, conducted by Controller or an auditor it mandates, subject to reasonable confidentiality and scheduling terms. 10. GOVERNING LAW This DPA is governed by the laws of the State of Minnesota, without prejudice to mandatory data-protection laws applicable to Controller. CONTROLLER PROCESSOR (LINGFARO) By: ____________________________ By: ____________________________ Name: __________________________ Name: __________________________ Title: _________________________ Title: _________________________ Date: __________________________ Date: __________________________