Data Processing Addendum
This DPA governs Jizoku's Processing of Customer Personal Data in connection with the Service. It is intended to satisfy the requirements of Article 28 of the UK GDPR and, where applicable, Article 28 of the EU GDPR.
If Customer and Jizoku have entered into a separate written agreement, order form, pilot agreement, enterprise agreement, statement of work, master services agreement, security addendum, data transfer addendum, or other written contract, this DPA is incorporated into that agreement unless the parties expressly agree otherwise in writing.
Section 01
Important Terms
This section summarises the core processing terms. The detailed legal terms follow below.
| Topic | Position |
|---|---|
| Data processing roles | For Customer Personal Data, Customer is the Controller and Jizoku is the Processor. Where Customer acts as a Processor for a third-party Controller, Jizoku acts as Customer's Subprocessor. |
| Processing purpose | Jizoku processes Customer Personal Data to provide, operate, secure, support, maintain, improve, and administer the Service, including AI-enabled materials intelligence, BOM analysis, product review, workflow automation, report generation, and related functionality. |
| Processing instructions | Customer instructs Jizoku through the Agreement, this DPA, product documentation, account settings, order forms, support requests, and actions taken by Customer and authorised users in the Service. |
| Customer Personal Data | Personal Data contained in Customer Content, including uploaded files, prompts, BOMs, tech packs, product documents, supplier data, comments, annotations, outputs, account/workspace metadata, and related technical information. |
| Data subjects | Customer personnel, authorised users, supplier personnel, manufacturer/factory contacts, certification/audit contacts, consultants, contractors, product or sourcing contacts, and any other individuals whose Personal Data Customer submits to the Service. |
| Model training | Jizoku will not use Customer Content or Customer Personal Data to train third-party foundation models unless Customer expressly opts in or agrees otherwise in writing. Jizoku will not train its own proprietary models on raw Customer Content by default, but may use aggregated or de-identified derived patterns to improve materials intelligence, unless an enterprise agreement states otherwise. |
| Sale of data | Jizoku will not sell Customer Personal Data and will not use Customer Personal Data for targeted advertising or cross-context behavioural advertising. |
| Subprocessors | Customer gives Jizoku general written authorisation to use Subprocessors. Jizoku remains responsible for Subprocessor performance in accordance with this DPA. |
| Security | Jizoku will implement appropriate technical and organisational measures designed to protect Customer Personal Data. Current measures are set out in Schedule 2. |
| Retention | Jizoku will delete or return Customer Personal Data following termination or on reasonable request, unless retention is required by law or permitted under this DPA. |
| International transfers | Restricted transfers will be supported by appropriate transfer mechanisms, including the EU SCCs and UK Addendum where applicable. |
| Contact | Data protection notices and DPA enquiries should be sent to dpa@jizoku.ai. |
Section 02
Definitions
In this DPA:
"Agreement" means the Jizoku Terms of Service, order form, pilot agreement, enterprise agreement, statement of work, master services agreement, or other written agreement governing Customer's use of the Service.
"Applicable Data Protection Laws" means all privacy, data protection, electronic communications, and cybersecurity laws applicable to the Processing of Customer Personal Data under this DPA, including where applicable the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, the EU GDPR, EU Member State data protection laws, Swiss data protection law, US State Privacy Laws, and any successor or replacement legislation.
"Customer Content" means any data, files, prompts, text, images, sketches, CAD files, tech packs, bills of materials, product specifications, supplier information, certification information, brand policies, design standards, sustainability objectives, compliance requirements, queries, instructions, comments, annotations, outputs, or other content submitted, uploaded, connected, imported, transmitted, generated, or otherwise made available to or through the Service by or on behalf of Customer.
"Customer Personal Data" means Personal Data contained in Customer Content that Jizoku Processes on behalf of Customer as a Processor or Subprocessor.
"Data Subject", "Controller", "Processor", "Personal Data", "Personal Data Breach", "Processing", and "Subprocessor" have the meanings given to them under Applicable Data Protection Laws.
"Data Transfer Mechanism" means a lawful mechanism for transferring Personal Data internationally under Applicable Data Protection Laws, including adequacy regulations, the EU Standard Contractual Clauses, the UK Addendum, the UK International Data Transfer Agreement, the Swiss addendum or adaptations, the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, or any replacement mechanism.
"De-identified Derived Insights" means aggregated, statistical, technical, operational, or de-identified information derived from Customer Content or use of the Service that does not identify Customer, Customer personnel, Data Subjects, Customer confidential information, or Customer Personal Data, and cannot reasonably be used to reconstruct Customer Content or Customer Personal Data.
"EU GDPR" means Regulation (EU) 2016/679.
"EU SCCs" means the standard contractual clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914, as amended.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner.
"UK GDPR" has the meaning given in section 3 of the Data Protection Act 2018.
"US State Privacy Laws" means US state privacy laws applicable to the Processing of Customer Personal Data, including the California Consumer Privacy Act as amended by the California Privacy Rights Act, and similar comprehensive state privacy laws.
Section 03
Scope and Order of Precedence
This DPA applies only to Jizoku's Processing of Customer Personal Data as a Processor or Subprocessor on behalf of Customer.
This DPA does not apply to Personal Data for which Jizoku acts as an independent Controller, including account registration data, billing data, payment records, business contact data, website analytics, marketing data, sales communications, security logs used for Jizoku's own security purposes, legal records, and general business administration data.
To the extent of any conflict or inconsistency between this DPA and the Agreement regarding Processing of Customer Personal Data, this DPA will prevail. To the extent of any conflict between this DPA and any applicable EU SCCs, UK Addendum, UK International Data Transfer Agreement, or other mandatory transfer mechanism, the transfer mechanism will prevail for the relevant restricted transfer.
Section 04
Data Processing Roles
For Customer Personal Data:
- Customer is the Controller and Jizoku is the Processor; or
- where Customer acts as Processor on behalf of a third-party Controller, Jizoku acts as Customer's Subprocessor.
Customer determines the purposes and means of Processing Customer Personal Data. Jizoku processes Customer Personal Data only on Customer's Instructions, except where required by applicable law.
Customer is responsible for ensuring that it has all rights, notices, consents, permissions, lawful bases, contractual authorisations, and instructions necessary to submit Customer Personal Data to the Service and permit Jizoku to Process it in accordance with this DPA.
Where Customer acts as Processor on behalf of a third-party Controller, Customer represents and warrants that:
- Customer's Instructions to Jizoku are authorised by the relevant Controller;
- Customer's agreement with the relevant Controller permits Customer to engage Jizoku as a Subprocessor;
- Customer will pass through any relevant Controller instructions to Jizoku;
- Customer remains responsible for communications with the relevant Controller unless otherwise agreed in writing.
Section 05
Details of Processing
The details of Processing are set out in Schedule 1.
The subject matter, duration, nature, purpose, categories of Personal Data, categories of Data Subjects, and Customer obligations and rights may be further specified in the Agreement, order form, product documentation, Customer's configuration of the Service, or applicable privacy notices.
Section 06
Processing Requirements
As Processor or Subprocessor, Jizoku will:
- Process Customer Personal Data only on Customer's Instructions and only as necessary to provide, maintain, secure, support, administer, and improve the Service, or as otherwise permitted by this DPA;
- promptly notify Customer if Jizoku cannot comply with a material requirement of this DPA;
- promptly inform Customer if, in Jizoku's opinion, an Instruction infringes Applicable Data Protection Laws, unless prohibited by law;
- ensure that persons authorised by Jizoku to Process Customer Personal Data are subject to appropriate confidentiality obligations;
- implement appropriate technical and organisational measures designed to protect Customer Personal Data;
- assist Customer with Data Subject requests, Personal Data Breaches, impact assessments, and regulatory consultations as required by Applicable Data Protection Laws and this DPA;
- comply with applicable restrictions on engaging Subprocessors;
- delete or return Customer Personal Data in accordance with this DPA.
Customer instructs Jizoku to Process Customer Personal Data as necessary to provide, operate, host, secure, monitor, maintain, support, and administer the Service; ingest, parse, classify, transform, analyse, index, retrieve, summarise, and generate outputs from Customer Content; provide AI-assisted materials intelligence, product review, BOM analysis, component decomposition, material pathway analysis, supplier and certification review, circularity analysis, report generation, workflow automation, and related functionality; provide technical support, debugging, troubleshooting, abuse prevention, security monitoring, incident response, and reliability monitoring; and comply with applicable law, court orders, regulatory requirements, and lawful governmental requests.
Section 07
Required Processing
If Jizoku is required by applicable law to Process Customer Personal Data outside Customer's Instructions, Jizoku will inform Customer of that legal requirement before Processing, unless Jizoku is legally prohibited from doing so.
Where legally permitted, Jizoku will disclose only the minimum Customer Personal Data reasonably necessary to comply with the applicable legal requirement.
Section 08
Confidentiality
Jizoku will ensure that personnel, contractors, affiliates, and other persons authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations, whether contractual, statutory, professional, or otherwise.
Jizoku will limit access to Customer Personal Data to personnel, contractors, affiliates, and Subprocessors who need access for the purposes of providing, securing, supporting, improving, or administering the Service in accordance with this DPA.
Section 09
Security
Jizoku will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
The current technical and organisational measures are described in Schedule 2. Jizoku may update those measures from time to time, provided that the updates do not materially reduce the overall level of protection for Customer Personal Data.
Customer acknowledges that security is a shared responsibility. Customer is responsible for managing its own users, roles, permissions, and access controls; ensuring Customer personnel use the Service securely; ensuring Customer does not upload unnecessary, excessive, prohibited, or highly sensitive Personal Data; and configuring available privacy, retention, access, and administrative controls appropriately.
Customer must not include Customer Personal Data in technical support tickets, ordinary email correspondence, sales communications, screenshots, or informal channels unless expressly agreed with Jizoku or reasonably necessary for support, security, legal, or compliance purposes.
Section 10
AI Data Governance
10.1 Training and Product Improvement
Jizoku's data governance position:
- Third-party foundation models: Jizoku will not use Customer Content or Customer Personal Data to train third-party foundation models unless Customer expressly opts in or agrees otherwise in writing.
- Raw Customer Content: Jizoku will not train Jizoku proprietary models on raw Customer Content or raw Customer Personal Data by default.
- Customer-identifying data: Jizoku will not train on Customer Personal Data, Customer-specific supplier lists, Customer-specific BOMs, unreleased product designs, or other Customer-identifying confidential information where that training would identify Customer, Customer personnel, or Data Subjects.
- De-identified improvement: Jizoku may use De-identified Derived Insights to improve materials intelligence, taxonomy, retrieval quality, ranking, substitution logic, regulatory mapping, and product performance.
- Enterprise controls: Where agreed in an enterprise order form or written agreement, Customer may receive additional controls including stricter retention, restricted model routing, tenant-level isolation, or no-training commitments.
10.2 Model Providers
Where the Service uses third-party AI model providers, Jizoku may transmit Customer Content, prompts, metadata, and outputs to those providers solely as necessary to provide the Service. Jizoku will use reasonable efforts to configure model providers so that Customer Content and Customer Personal Data are not used by those providers to train their models.
10.3 Temporary Processing and Caching
Jizoku may temporarily cache, buffer, store, or retain Customer Content and Customer Personal Data where necessary to provide the Service, reduce latency, maintain workflow state, enable retrieval, provide support, detect abuse, maintain security, debug errors, or comply with law. Temporary Processing will be limited to what is reasonably necessary for the Service.
10.4 Embeddings, Indices and Derived Technical Data
Where Customer enables or uses features that require search, retrieval, memory, product history, or workflow continuity, Jizoku may create embeddings, vector representations, metadata, summaries, logs, technical indices, and structured artefacts derived from Customer Content. Such derived technical data may be retained to provide the Service. Jizoku will not use derived technical data to reconstruct, disclose, or train on Customer Personal Data except as permitted by this DPA.
10.5 Aggregated and De-identified Data
Jizoku may process aggregated, statistical, or de-identified data to operate, secure, analyse, and improve the Service, provided such data does not identify Customer, Data Subjects, or Customer Personal Data. Jizoku will not attempt to re-identify de-identified data except where necessary to test or validate de-identification controls or as required by law.
10.6 No Sale or Targeted Advertising
Jizoku will not sell Customer Personal Data. Jizoku will not use Customer Personal Data for targeted advertising, cross-context behavioural advertising, or advertising profile enrichment.
Section 11
Subprocessors
Customer gives Jizoku general written authorisation to engage Subprocessors to Process Customer Personal Data in connection with the Service. Jizoku may maintain a list of Subprocessors on its website, trust page, or legal page. The current list is set out in Schedule 3.
Jizoku may add or replace Subprocessors from time to time. Unless otherwise agreed in writing, Customer may object to a new Subprocessor on reasonable data protection grounds by notifying Jizoku in writing at dpa@jizoku.ai within 15 days of receiving notice. If Customer objects, the parties will work in good faith to resolve the objection.
Jizoku will enter into written agreements with Subprocessors imposing data protection obligations substantially equivalent to those imposed on Jizoku under this DPA. Jizoku remains responsible to Customer for the performance of its Subprocessors' data protection obligations in relation to Customer Personal Data.
Section 12
Notices to Customer
Jizoku will notify Customer, to the extent legally permitted, if Jizoku receives:
- a legally binding request for disclosure of Customer Personal Data from a law enforcement authority, court, regulator, government agency, or public authority;
- any notice, inquiry, investigation, complaint, or enforcement communication from a Supervisory Authority specifically relating to Customer Personal Data;
- a request, complaint, or inquiry from a Data Subject exercising rights under Applicable Data Protection Laws in relation to Customer Personal Data.
Other than to request clarification or confirm that a request should be directed to Customer, Jizoku will not respond to Data Subject requests concerning Customer Personal Data without Customer's prior authorisation unless legally required.
Section 13
Data Subject Rights
Taking into account the nature of the Processing, Jizoku will provide reasonable assistance to Customer, by appropriate technical and organisational measures where possible, to help Customer respond to requests from Data Subjects exercising rights under Applicable Data Protection Laws.
Customer is responsible for verifying the identity of Data Subjects, determining whether a request is valid, assessing applicable exemptions, and responding to the request. Where Customer can access, correct, export, restrict, or delete Customer Personal Data through the Service, Customer is responsible for doing so directly.
Section 14
Personal Data Breach
Jizoku will notify Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data.
The notification will include, to the extent known:
- a description of the nature of the Personal Data Breach;
- the categories and approximate number of affected Data Subjects;
- the categories and approximate number of affected Personal Data records;
- the likely consequences of the Personal Data Breach;
- measures taken or proposed to address and mitigate the Personal Data Breach.
Jizoku's notification of or response to a Personal Data Breach is not an acknowledgement of fault, liability, or breach of contract. Customer is responsible for determining whether it must notify a Supervisory Authority, Data Subjects, customers, regulators, or other parties.
Section 15
Assistance to Customer and Audits
Taking into account the nature of Processing and the information available to Jizoku, Jizoku will provide reasonable assistance to Customer with: responding to Data Subject requests; security of Processing; Personal Data Breach notification obligations; data protection impact assessments; prior consultation with Supervisory Authorities; responding to regulatory enquiries; and demonstrating compliance with Article 28 or equivalent processor obligations.
Jizoku may satisfy information and audit obligations by providing security summaries, compliance documentation, audit reports, penetration test summaries, certifications, Subprocessor lists, technical and organisational measures, or other relevant materials.
Customer may request an audit no more than once in any 12-month period, unless required by a Supervisory Authority or following a confirmed Personal Data Breach affecting Customer Personal Data. Any audit must be conducted during normal business hours with reasonable prior written notice, must avoid disruption to Jizoku's business, systems, and other customers, and must be limited to information reasonably necessary to verify Jizoku's compliance with this DPA.
Section 16
US Specific Data Protection Obligations
To the extent US State Privacy Laws apply, Jizoku will act as a service provider, processor, or contractor, and certifies that it will:
- Process Customer Personal Data only for the purposes described in this DPA, the Agreement, Customer's Instructions, or as otherwise permitted by applicable law;
- not sell or share Customer Personal Data as defined under applicable US State Privacy Laws;
- not retain, use, or disclose Customer Personal Data outside the direct business relationship unless permitted by applicable law;
- not use Customer Personal Data for targeted advertising or cross-context behavioural advertising;
- provide a level of privacy protection consistent with applicable US State Privacy Laws;
- not combine Customer Personal Data with Personal Data from another customer except as permitted by applicable law or directed by Customer;
- not attempt to re-identify de-identified data except to test or validate de-identification controls or as required by law.
Section 17
Customer Obligations
Customer represents, warrants, and covenants that:
- Customer has and will maintain all rights, consents, authorisations, lawful bases, notices, and permissions necessary to provide Customer Personal Data to Jizoku and authorise Processing under this DPA;
- Customer's Instructions are lawful and complete;
- Customer will use the Service and configure its workspace, users, access controls, integrations, retention settings, and workflows in compliance with Applicable Data Protection Laws;
- Customer will not provide unnecessary, excessive, or prohibited Personal Data to Jizoku;
- Customer will not submit special-category Personal Data, criminal-offence data, children's data, protected health information, payment card data, biometric data, government identifiers, or other highly sensitive Personal Data unless expressly agreed in writing by Jizoku and supported by appropriate safeguards;
- Customer is responsible for reviewing AI-generated outputs before using them in any legal, regulatory, compliance, employment, product, supplier, procurement, sustainability, labelling, consumer-facing, or commercial context.
Section 18
Return and Deletion of Customer Personal Data
Upon termination or expiry of the Agreement, or upon Customer's reasonable written request, Jizoku will delete or return Customer Personal Data in accordance with Customer's Instructions, unless applicable law requires retention.
Unless otherwise agreed in writing, Jizoku will use reasonable efforts to delete or return active production copies of Customer Personal Data within 30 days following termination of the Service or Customer's valid deletion request. Customer Personal Data retained in backups, disaster recovery systems, archived logs, or security records will be deleted or overwritten in accordance with Jizoku's ordinary retention cycles and, where reasonably practicable, within 90 days.
Customer acknowledges that de-identified or aggregated data that no longer identifies Customer, Data Subjects, or Customer Personal Data may be retained in accordance with this DPA.
Section 19
Cross-Border Data Transfers
Customer authorises Jizoku and its Subprocessors to Process Customer Personal Data in the United Kingdom, the European Economic Area, the United States, and other jurisdictions where Jizoku or its Subprocessors operate, subject to Applicable Data Protection Laws and appropriate transfer safeguards.
Where Processing involves a restricted transfer from the EEA to a country not recognised as providing adequate protection, the EU SCCs will apply: Module Two where Customer is a Controller and Jizoku is a Processor; Module Three where Customer is a Processor and Jizoku is a Subprocessor. The optional docking clause applies.
Where Processing involves a restricted transfer from the United Kingdom to a country not recognised as providing adequate protection, the UK Addendum will apply together with the EU SCCs unless another lawful Data Transfer Mechanism applies.
The parties will cooperate in good faith to implement additional measures reasonably required for lawful international transfers, including transfer risk assessments, supplementary safeguards, or updated Data Transfer Mechanisms.
Section 20
Regulatory and Government Requests
If Jizoku receives a legally binding request from a public authority, court, regulator, law enforcement agency, or governmental body for disclosure of Customer Personal Data, Jizoku will, unless legally prohibited: promptly notify Customer; provide Customer with information reasonably necessary to allow Customer to seek protective measures; and disclose only the minimum Customer Personal Data required by law.
Jizoku may challenge requests where it reasonably believes they are unlawful, overbroad, inconsistent with applicable transfer safeguards, or otherwise inappropriate.
Section 21
Future AI and Data Regulations
If new legislation, regulation, guidance, or binding regulatory requirements materially affect the use of artificial intelligence systems, automated processing, product-data workflows, sustainability-data processing, or Customer Personal Data under this DPA, the parties agree to review this DPA in good faith.
If amendments are reasonably required to maintain compliance with applicable law, the parties will negotiate in good faith to implement appropriate amendments. If any provision of this DPA is inconsistent with mandatory future regulations, that provision will be interpreted in a manner consistent with the applicable law where possible, or deemed modified or severed to the minimum extent necessary.
Section 22
Liability
Each party's liability under this DPA is subject to the exclusions and limitations of liability in the Agreement, except to the extent prohibited by Applicable Data Protection Laws. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law.
Section 23
Term and Termination
This DPA remains in effect for as long as Jizoku Processes Customer Personal Data on behalf of Customer. Termination or expiry of the Agreement will not affect either party's obligations under this DPA for as long as Customer Personal Data remains in Jizoku's possession or control.
Section 24
Changes to this DPA
Jizoku may update this DPA from time to time where necessary to reflect changes to the Service, Applicable Data Protection Laws, Subprocessors, security practices, transfer mechanisms, AI governance practices, or regulatory guidance.
Where required by the Agreement or Applicable Data Protection Laws, Jizoku will provide notice of material changes. Customer's continued use of the Service after the effective date of an updated DPA constitutes acceptance of the updated DPA, unless otherwise required by law or agreed in writing.
Schedule 1
Details of Processing
1. Subject Matter
The subject matter of Processing is Jizoku's provision of AI-enabled materials intelligence, product review, BOM analysis, design workflow assistance, sustainability research, compliance-risk surfacing, report generation, support, hosting, security, and related services to Customer.
2. Duration
The duration of Processing is the term of the Agreement and any period during which Jizoku Processes Customer Personal Data on behalf of Customer, including retention, deletion, backup, export, legal, or compliance periods.
3. Nature and Purpose
Jizoku may perform the following Processing operations:
- receiving, uploading, hosting, storing, retrieving, and displaying Customer Content;
- parsing, extracting, classifying, tagging, structuring, and transforming files and prompts;
- analysing product descriptions, BOMs, tech packs, sketches, specifications, supplier information, certification information, design requirements, and sustainability objectives;
- generating AI-assisted outputs, reports, summaries, recommendations, alternative pathways, questions, warnings, and explanations;
- creating embeddings, vector representations, metadata, indices, workflow histories, structured outputs, and product decision memory where enabled;
- routing data to authorised Subprocessors and model providers;
- authenticating users and enforcing permissions;
- providing customer support, debugging, monitoring, error logging, abuse prevention, security monitoring, and incident response;
- complying with legal and contractual obligations.
4. Categories of Data Subjects
- Customer personnel, employees, contractors, consultants, agents, and authorised users;
- supplier, manufacturer, factory, logistics, certification, audit, procurement, or compliance contacts;
- designer, buyer, product, sustainability, legal, finance, sourcing, or operations contacts;
- any other individuals whose Personal Data Customer submits to the Service.
5. Categories of Personal Data
- names; business email addresses; business telephone numbers;
- job titles, roles, departments, employer information, and reporting lines;
- account identifiers and user IDs;
- business communications, comments, annotations, and instructions;
- supplier, manufacturer, factory, certification, and audit contacts;
- product, procurement, sourcing, audit, legal, regulatory, or compliance notes containing Personal Data;
- uploaded files, prompts, queries, outputs, reports, annotations, or metadata containing Personal Data;
- IP addresses, device identifiers, access logs, usage logs, timestamps, and technical metadata where processed on behalf of Customer.
6. Sensitive Data
The Service is not designed to process special-category Personal Data, criminal-offence data, children's data, protected health information, biometric data, payment card data, government identifiers, or other highly sensitive Personal Data. Customer must not submit such data unless expressly agreed in writing and supported by additional safeguards.
Schedule 2
Technical and Organisational Measures
1. Access Control
- Role-based access controls with least-privilege access principles.
- Unique user accounts where technically feasible.
- Administrative access limited to authorised personnel with periodic review.
- Revocation of access following role changes or termination.
2. Authentication
- Multi-factor authentication required for Jizoku personnel with administrative access to production systems.
- Multi-factor authentication made available to Customer administrators where supported by the applicable plan.
- Secure session management and protection against unauthorised account access.
3. Encryption
- Encryption in transit using TLS or equivalent protocols.
- Encryption at rest for production databases, storage systems, and backups containing Customer Personal Data.
- Secure key management practices appropriate to the relevant infrastructure.
4. Infrastructure Security
- Use of reputable cloud infrastructure providers with network-level protections and segmentation.
- Patch management, vulnerability management, and secure configuration of production environments.
5. Application Security
- Secure software development practices, code review, and testing proportionate to the relevant release.
- Input validation, authentication checks, and authorisation checks.
- Separation between production and development environments where appropriate.
6. Logging and Monitoring
- Security, access, and operational logs where appropriate.
- Monitoring for suspicious access, abuse, and system anomalies.
- Controls to limit unnecessary exposure of Customer Content in logs.
7. AI and Model Governance
- No training on Customer Content or Customer Personal Data by default.
- Use of no-training, zero-data-retention, or enterprise privacy model-provider configurations where available and appropriate.
- Routing to authorised model providers and infrastructure providers.
- Separation between Customer Content and aggregated or de-identified analytics.
8. Personnel Security
- Confidentiality obligations for personnel with access to Customer Personal Data.
- Access restricted to personnel with a business need, with offboarding procedures to remove access.
9. Incident Response
- Internal processes for identifying, investigating, escalating, and remediating security incidents.
- Procedures for assessing whether an incident constitutes a Personal Data Breach.
- Customer notification procedures in accordance with this DPA.
10. Business Continuity
- Backup, recovery, and resilience measures appropriate to the Service.
- Use of cloud-provider availability and redundancy features where appropriate.
- Operational monitoring and service restoration procedures.
Schedule 3
Subprocessor List
This Schedule lists Jizoku's initial subprocessors. Jizoku may update this list from time to time in accordance with Section 11.
| Subprocessor | Category | Purpose | Personal Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|---|
| Vercel Inc. | Cloud hosting | Hosting the web application, deployment, serverless functions, edge delivery, logs and infrastructure security | Account/workspace metadata, IP addresses, device/browser data, application logs, Customer Content where routed through hosted application functions | United States and global infrastructure locations | EU SCCs, UK Addendum |
| Supabase, Inc. | Database & auth | Postgres database, file storage, authentication, application metadata, vector search, edge functions, backups | User account data, workspace metadata, Customer Content, Customer Personal Data in uploaded files/prompts/outputs, embeddings, logs | UK/EEA region preferred; support and operational processing may occur in the United States | EU SCCs, UK Addendum |
| OpenAI, L.L.C. | AI model | Model inference, reasoning, classification, summarisation, extraction, embedding or output generation where OpenAI models are selected | Prompts, uploaded content or excerpts, workflow context, metadata and outputs submitted for inference | United States and other locations used by OpenAI and its subprocessors | EU SCCs, UK Addendum |
| Anthropic, PBC | AI model | Model inference, reasoning, classification, summarisation, extraction and output generation where Anthropic models are selected | Prompts, uploaded content or excerpts, workflow context, metadata and outputs submitted for inference | United States and other locations used by Anthropic and its subprocessors | EU SCCs, UK Addendum |
| Google LLC / Google Cloud | AI model & cloud | Gemini/Vertex AI model inference where selected; optional cloud infrastructure, security, logging, storage or workspace services | Prompts, uploaded content or excerpts, workflow context, metadata, outputs, account/admin data and support communications depending on enabled services | United States, EEA and global infrastructure locations | EU SCCs, UK Addendum, Google Cloud DPA |
| Stripe Payments Europe, Ltd. / Stripe, Inc. | Payments | Payment processing, subscription billing, invoicing, tax calculation, receipts and payment-related fraud prevention | Billing name, email address, company details, payment metadata, transaction data and invoice information | EEA, United Kingdom, United States and other Stripe processing locations | EU SCCs, UK Addendum, Stripe DPA |
| Functional Software, Inc. d/b/a Sentry | Error tracking | Error logging, crash reporting, performance monitoring, reliability diagnostics and security investigation | User IDs, IP addresses, device/browser data, application logs, error traces and limited Customer Content if included in error payloads | United States and other locations used by Sentry and its subprocessors | EU SCCs, UK Addendum, Sentry DPA |
| PostHog Inc. | Analytics | Product usage analytics, event tracking, feature adoption, funnel analysis, performance analytics and product improvement | User IDs, account/workspace metadata, IP addresses, device/browser data, usage events and analytics identifiers | United States, EEA or selected hosting region depending on configuration | EU SCCs, UK Addendum, PostHog DPA |
| Google Workspace / Google LLC | Business ops | Business email, internal documents, customer communications, legal notices and support correspondence | Business contact details, email communications, attachments voluntarily sent by Customer, legal/admin correspondence | United States, EEA and global infrastructure locations | EU SCCs, UK Addendum, Google data processing terms |
International Transfer Terms
Where the EU SCCs apply:
Parties
Data exporter: Customer · Data importer: Preworshipped Ltd trading as Jizoku
Modules
- Module Two applies where Customer is a Controller and Jizoku is a Processor.
- Module Three applies where Customer is a Processor and Jizoku is a Subprocessor.
Clause 7 — Docking Clause
The optional docking clause applies.
Clause 9 — Subprocessors
The parties select Option 2: General written authorisation. Jizoku will provide notice of changes to Subprocessors in accordance with Section 11 of this DPA.
Clause 11 — Redress
The optional language does not apply unless expressly agreed in writing.
Clause 17 — Governing Law
For EU transfers, the EU SCCs will be governed by the law of an EU Member State that allows for third-party beneficiary rights. Unless otherwise agreed, the parties select the law of Ireland. For UK transfers, the UK Addendum applies and modifies the EU SCCs as required under UK law.
Clause 18 — Jurisdiction
For EU transfers, the parties select the courts of Ireland unless otherwise required by the EU SCCs. For UK transfers, the UK Addendum applies and modifies the EU SCCs as required under UK law.
Annexes
- Annex I — Processing Details: Set out in Schedule 1.
- Annex II — Technical and Organisational Measures: Set out in Schedule 2.
- Annex III — Subprocessors: Set out in Schedule 3 and any published or notified Subprocessor list.
Optional Enterprise Privacy Controls
Where included in Customer's plan, order form, or written agreement, Jizoku may offer additional enterprise controls, including:
- organisation-level privacy mode;
- no-training commitment for Customer Content;
- model-provider restrictions and approved-provider routing;
- restricted retention periods and configurable deletion windows;
- private workspace controls and audit logs;
- SSO or SAML/OIDC authentication;
- SCIM provisioning and admin-level user management;
- data residency options;
- dedicated customer knowledge graph or tenant-level isolation;
- private deployment or dedicated infrastructure;
- customer-managed keys or enhanced encryption, where technically supported;
- custom Subprocessor restrictions;
- custom support access controls;
- enhanced security review documentation.
These controls apply only where expressly made available in the relevant plan, order form, or written agreement.