Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between Closai, Inc., a Delaware corporation ("Closai"), and the Enterprise Partner identified in the applicable Order Form ("Enterprise Partner"). This DPA is incorporated into and forms part of the Closai Enterprise Partner Terms of Service (closai.io/partner-terms) and the applicable Order Form. In the event of a conflict between this DPA and the Enterprise Partner Terms, this DPA controls with respect to data processing matters.

 

ROLES & SCOPE

Data Roles

The parties acknowledge and agree to the following data roles with respect to personal data processed under this DPA:

  • Closai is the data controller with respect to all End User Personal Data collected through the Closai Platform, including data collected via OAuth connections, email sync, and purchase history enrichment. Closai determines the purposes and means of processing End User Personal Data independently of any Enterprise Partner relationship.

  • Enterprise Partner is a data recipient and independent data controller with respect to Enriched Data once it is received into Enterprise Partner's own systems. Enterprise Partner determines how it uses, stores, and processes Enriched Data within its own environment and is independently responsible for compliance with applicable privacy laws with respect to that use.

  • This DPA does not establish a controller-processor relationship in which Closai processes data on behalf of Enterprise Partner. Enterprise Partner does not instruct Closai on how to process End User Personal Data. Closai shares Enriched Data outputs with Enterprise Partner as a downstream licensed recipient only.

Scope

This DPA governs:

  • The sharing of Enriched Data from Closai to Enterprise Partner

  • Enterprise Partner's obligations with respect to Enriched Data received from Closai

  • The parties' respective responsibilities under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and any other applicable privacy laws (collectively, "Data Protection Laws")

 

DEFINITIONS

"Personal Data" has the meaning given in applicable Data Protection Laws — generally, any information relating to an identified or identifiable natural person.

"Enriched Data" means purchase history, style affinity signals, wardrobe insights, and other outputs derived from End User accounts that Closai makes available to Enterprise Partner under the applicable Order Form. Enriched Data may contain Personal Data to the extent it is attributable to identifiable individuals.

"End User" means an individual who has connected their accounts to the Closai Platform, consented to Closai's Privacy Policy and Terms of Use, and authorized the sharing of Enriched Data with Enterprise Partner.

"Data Protection Laws" means all applicable laws and regulations relating to the processing, privacy, and use of Personal Data, as amended from time to time.

"Sub-processor" means any third party engaged by Enterprise Partner to process Enriched Data on Enterprise Partner's behalf.

 

CLOSAI'S OBLIGATIONS AS DATA CONTROLLER

Lawful Basis

Closai will ensure it has a valid lawful basis under applicable Data Protection Laws for sharing Enriched Data with Enterprise Partner. Closai's primary lawful basis for processing End User Personal Data is explicit consent, obtained at the time the End User connects their accounts to the Platform.

End User Rights

Closai is responsible for receiving and fulfilling data subject rights requests from End Users with respect to their Personal Data held by Closai, including requests to access, correct, delete, or port their data. Enterprise Partner shall promptly forward to Closai any such requests it receives from End Users at contact@closai.io and shall not attempt to respond to such requests on Closai's behalf.

Consent Withdrawal & Revocation

If an End User withdraws consent or revokes Closai's access to their accounts, Closai will notify Enterprise Partner and cease sharing that End User's Enriched Data. Enterprise Partner shall cease use of and delete that End User's Enriched Data from its systems within thirty (30) days of receiving such notification.

Data Accuracy

Closai will use commercially reasonable efforts to ensure Enriched Data is accurate and up to date at the time of sharing. Closai does not warrant the completeness or real-time accuracy of Enriched Data, as it is derived from third-party sources.

Security

Closai will implement and maintain appropriate technical and organizational measures to protect End User Personal Data against unauthorized access, disclosure, alteration, or destruction, commensurate with the risk involved.

 

Enterprise Partner's Obligations

Independent Controller Responsibilities

As an independent data controller with respect to Enriched Data in its systems, Enterprise Partner is solely responsible for:

  • Ensuring its use of Enriched Data complies with all applicable Data Protection Laws

  • Establishing and maintaining its own lawful basis for processing Enriched Data within its systems (which may rely on Closai's upstream consent, subject to the scope of that consent)

  • Maintaining a privacy policy that accurately discloses to its customers its receipt and use of Enriched Data from Closai

  • Responding to any data subject rights requests from its own customers that relate to Enterprise Partner's independent use of Enriched Data

Permitted Use

Enterprise Partner shall use Enriched Data solely for the purposes defined in the applicable Order Form. Enterprise Partner shall not:

  • Process Enriched Data for any purpose that exceeds the scope of End User consent obtained by Closai

  • Sell, license, or share Enriched Data with any third party except as permitted under the Enterprise Partner Terms

  • Use Enriched Data to train machine learning models or build data products

  • Attempt to re-identify individuals from de-identified or aggregated data

Security Measures

Enterprise Partner shall implement appropriate technical and organizational measures to protect Enriched Data in its systems against unauthorized access, loss, or disclosure. At a minimum, this includes:

  • Encryption of Enriched Data at rest and in transit

  • Access controls limiting Enriched Data to authorized personnel only

  • Prompt notification to Closai (within 48 hours) of any actual or suspected security incident affecting Enriched Data

Sub-processors

Enterprise Partner may engage Sub-processors to process Enriched Data only where:

  • The Sub-processor is bound by data protection obligations no less protective than those in this DPA

  • Enterprise Partner remains fully liable for the acts and omissions of its Sub-processors

  • Enterprise Partner notifies Closai of any Sub-processors processing Enriched Data upon request

Retention & Deletion

Enterprise Partner shall retain Enriched Data only for as long as necessary for the purposes defined in the Order Form. Upon termination of the applicable Order Form, Enterprise Partner shall delete all Enriched Data as set out in Section 8.4 of the Enterprise Partner Terms and provide written certification of deletion upon Closai's request.

 

CCPA-Specific Terms

Service Provider Designation

For purposes of the CCPA/CPRA, Enterprise Partner acknowledges that it receives Enriched Data from Closai as an independent business, not as a "service provider" acting on Closai's behalf. Enterprise Partner is independently responsible for its own CCPA compliance with respect to its use of Enriched Data.

No Sale

Enterprise Partner shall not sell or share (as defined under CCPA/CPRA) Enriched Data to any third party. Enterprise Partner shall not use Enriched Data outside of the business purpose specified in the applicable Order Form, as required under CCPA's business purpose limitation.

End User Opt-Outs

If an End User exercises their right to opt out of the sharing of their Personal Data with Enterprise Partner, Closai will notify Enterprise Partner and cease sharing that End User's Enriched Data. Enterprise Partner shall honor such opt-outs within fifteen (15) business days of notification.

 

GDPR / UK GDPR-Specific Terms

Applicability

This Section 6 applies where Enriched Data includes Personal Data of individuals located in the European Economic Area (EEA) or United Kingdom.

Standard Contractual Clauses

Where Closai transfers Enriched Data containing EEA or UK Personal Data to Enterprise Partner located in a jurisdiction not recognized as providing adequate data protection (including the United States), such transfer is governed by the Standard Contractual Clauses (SCCs) for controller-to-controller transfers as approved by the European Commission (Module One), incorporated herein by reference. The parties agree to execute any additional documentation required to give effect to the SCCs upon request.

Data Subject Rights

Each party is responsible for responding to data subject rights requests relating to Personal Data under its own control. Where an Enterprise Partner receives a request from an EEA or UK data subject relating to Personal Data held by Closai, Enterprise Partner shall forward that request to Closai within five (5) business days.

Data Protection Impact Assessment

If Enterprise Partner's processing of Enriched Data is likely to result in a high risk to the rights and freedoms of individuals, Enterprise Partner shall conduct a Data Protection Impact Assessment (DPIA) and shall cooperate with Closai to provide any information reasonably required.

Breach Notification

Enterprise Partner shall notify Closai within 48 hours of becoming aware of any personal data breach affecting Enriched Data, providing sufficient detail for Closai to assess its own notification obligations under applicable Data Protection Laws.

 

General

Term

This DPA remains in effect for the duration of the applicable Order Form and for as long as Enterprise Partner retains any Enriched Data.

Governing Law

This DPA is governed by the laws of the State of New York, consistent with the Enterprise Partner Terms, except where applicable Data Protection Laws require otherwise.

Conflict

In the event of a conflict between this DPA and the Enterprise Partner Terms of Service, this DPA controls with respect to all data processing matters.

Updates

Closai may update this DPA from time to time to reflect changes in applicable Data Protection Laws or its data practices. Enterprise Partners will be notified of material updates with at least thirty (30) days' prior written notice.