Data Processing Agreement

Last updated: March 22, 2026

This Data Processing Agreement ("DPA") is incorporated into and forms part of the RetrieveIT.AI Terms of Service (the "Agreement") between Customer ("Controller") and OutcomeOps LLC dba RetrieveIT.AI ("Processor").

OutcomeOps LLC

304 S. Jones Blvd #3087

Las Vegas, NV 89107

privacy@retrieveit.ai

Personal Data

Any information relating to an identified or identifiable natural person.

Processing

Any operation performed on Personal Data (collection, storage, retrieval, deletion, etc.).

Data Subject

The individual to whom Personal Data relates.

Sub-processor

A third party engaged by Processor to process Personal Data.

Security Incident

Any unauthorized access, disclosure, or destruction of Personal Data.

Categories of Data

Account Data: Email addresses, display names, organization membership
Content Data: Uploaded documents, conversation history
Usage Data: Query counts, storage metrics
Technical Data: IP addresses (for security logs only)

Purpose of Processing

Processor processes Personal Data solely to:

  • Provide the RetrieveIT.AI service as described in the Agreement
  • Authenticate users and manage access control
  • Generate AI-powered search responses
  • Track usage for billing purposes
  • Maintain security and prevent abuse

Processing Location

All data is processed and stored in Amazon Web Services (AWS) US-West-2 region (Oregon, United States).

Duration

Processing continues for the term of the Agreement plus:

  • 30 days after termination (data available for export)
  • 90 days total before permanent deletion

Security Measures

Encryption at Rest

AES-256 for all stored data

Encryption in Transit

TLS 1.2 minimum for all connections

Access Control

Role-based access, JWT authentication

Tenant Isolation

Organization-level data separation

Secrets Management

AWS KMS encryption for credentials

Audit Logging

Customer audit logs for admin actions (90-day retention), platform audit logs with hashed inputs (365-day retention)

Personnel

Processor ensures that personnel authorized to process Personal Data:

  • Are bound by confidentiality obligations
  • Receive appropriate security training
  • Access data only as necessary to perform their duties

Processing Limitations

Processor shall:

  • Process Personal Data only on documented instructions from Customer
  • Not process Personal Data for any purpose other than providing the Service
  • Not sell, rent, or share Personal Data with third parties for their own purposes

Authorized Sub-processors

Amazon Web Services: All application data (infrastructure hosting and storage)
Anthropic (via Bedrock): Query text only, stateless (AI query processing)
Stripe: Billing email, subscription status (payment processing)

Integration Providers

GitHub, Google, Atlassian, and Microsoft are not sub-processors. They are third-party services that Customer authorizes via OAuth. Data flows from these services into the Service, not the reverse.

Sub-processor Changes

Processor will:

  • Maintain an up-to-date list of sub-processors
  • Notify Customer of new sub-processors by updating the list
  • Allow Customer 30 days to object to a new sub-processor
  • If Customer objects and no resolution is reached, Customer may terminate the Agreement

Notification Timeline

Processor will notify Customer of any Security Incident within 72 hours of becoming aware of the incident, via email to the organization administrator's registered email address.

Notification Contents

Notification will include, to the extent known:

  • Nature of the incident and categories of data affected
  • Approximate number of Data Subjects affected
  • Likely consequences of the incident
  • Measures taken or proposed to address the incident

Cooperation

Processor will:

  • Investigate the incident and take remedial measures
  • Provide reasonable assistance to Customer in meeting regulatory notification obligations
  • Document the incident and remediation steps

Data Subject Requests

Customer may fulfill Data Subject requests (access, correction, deletion, portability) through:

Processor will assist Customer in responding to requests within 30 days.

Data Access

Customer can access their data at any time through:

  • Dashboard viewing of account information
  • Document download functionality
  • Conversation history export

Data Deletion

Customer can delete data through:

  • Individual document/conversation deletion in the UI
  • Account deletion (removes all associated data)
  • Written request to privacy@retrieveit.ai

Audit Rights

Customer may:

  • Request Processor's security documentation and certifications
  • Request evidence of compliance with this DPA
  • Conduct audits with 30 days written notice (at Customer's expense)

Processor will provide:

  • SOC 2 Type II report (when available)
  • Penetration test summaries (upon request, under NDA)
  • Security questionnaire responses

Customer may export or delete their data at any time via the Service.

Upon Termination

0 – 30 days: Data remains accessible for Customer export
31 – 90 days: Data queued for deletion, no longer accessible
After 90 days: All Customer data permanently deleted

Deletion Verification

Upon written request, Processor will provide written confirmation that Customer data has been deleted from:

  • Primary storage systems (S3, DynamoDB)
  • Vector embeddings (S3 Vectors)
  • Backup systems (if any)

Exceptions

Processor may retain data as required by law, but only for the minimum period necessary and with appropriate safeguards.

Customer Data

All Customer data is treated as Confidential Information. Processor shall:

  • Not disclose Customer data to third parties except as authorized
  • Use Customer data only to provide the Service
  • Implement appropriate access controls

Permitted Disclosures

Processor may disclose Customer data:

  • To authorized sub-processors as necessary to provide the Service
  • As required by law, regulation, or legal process
  • To protect the rights, property, or safety of Processor or others

Legal Demands

If Processor receives a legal demand for Customer data, Processor will:

  • Notify Customer promptly (unless prohibited by law)
  • Provide only the minimum data legally required
  • Assist Customer in seeking protective orders

Each party's total liability under this DPA is subject to the limitation of liability provisions in the Agreement.

In no event shall Processor's aggregate liability exceed the greater of the fees paid by Customer in the twelve (12) months preceding the claim, or $10,000 USD.

Neither party shall be liable for:

  • Indirect, incidental, special, or consequential damages
  • Loss of profits, revenue, data, or business opportunities
  • Damages arising from Customer's breach of the Agreement

This DPA is effective as of the date Customer accepts the Agreement and continues for the term of the Agreement.

Survival

The following sections survive termination:

  • Section 5 (Security Incident Notification) — for incidents discovered post-termination
  • Section 7 (Data Return and Deletion) — until deletion is complete
  • Section 8 (Confidentiality) — indefinitely
  • Section 9 (Liability) — indefinitely

Governing Law

This DPA is governed by the laws of the State of Nevada, United States, consistent with the Agreement.

Questions about this Data Processing Agreement?

Email: privacy@retrieveit.ai

Address:
OutcomeOps LLC
304 S. Jones Blvd #3087
Las Vegas, NV 89107

This DPA is part of our Terms of Service. See also our Privacy Policy and Security practices.