Data Processing Addendum

Latest Updated: July 9, 2026

DATA PROCESSING ADDENDUM

This Data Processing Addendum ("DPA") forms part of the Subscription Agreement, Software License Agreement, Order Form, or other written agreement (the "Agreement") between the Customer and Unstructured Technologies, Inc. ("Unstructured"). This DPA is incorporated by reference into the Agreement and takes effect upon execution of the Agreement unless the Agreement expressly requires separate execution. Capitalized terms used in this DPA have the meanings assigned in the Agreement unless otherwise defined herein.

This DPA applies only to the extent Unstructured processes Customer Personal Data as a Processor on Customer’s behalf in connection with the Services. For general SaaS and Dedicated Instance deployments, this DPA applies to Unstructured’s hosting, operation, maintenance, and support of the Services. For customer-hosted deployments, including in-VPC, on-premises, and other self-hosted deployments, this DPA applies only to the extent Unstructured actually processes Customer Personal Data, such as where Customer provides support materials containing Personal Data, requests implementation or troubleshooting assistance involving Personal Data, or grants Unstructured access to systems or environments containing Personal Data.

DEFINITIONS

For purposes of this DPA:

"Account Data" means information that Unstructured collects and processes as an independent data controller in connection with Customer's use of the Services, including user credentials, contact information, usage and analytics data, support communications, billing information, and other data related to Customer's account and use of the Services.

"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including without limitation: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and UK Data Protection Act 2018; (c) the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA"); (d) other U.S. state privacy laws including but not limited to Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and Utah Consumer Privacy Act; (e) the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA") and applicable Canadian provincial privacy legislation, including Quebec's Act Respecting the Protection of Personal Information in the Private Sector; and (f) any successor or replacement legislation.

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

"Customer Personal Data" means Personal Data contained within Customer Data that Unstructured processes on Customer’s behalf in connection with the provision, support, maintenance, or security of the Services. Customer Personal Data includes Personal Data contained in support requests, troubleshooting materials, diagnostic files, or other materials made available by Customer to Unstructured in connection with support or professional services.

"Customer-Hosted Deployment" means a deployment model in which the Services are deployed in Customer’s cloud environment, virtual private cloud, on-premises environment, or other infrastructure controlled by Customer rather than hosted by Unstructured.

"Data Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

"Model Clauses" means (a) the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and (b) the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, as issued by the UK Information Commissioner's Office.

"Personal Data" has the meaning set forth in the GDPR and also includes "personal information," "personally identifiable information," and similar terms as defined under other Applicable Data Protection Laws.

"Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.

"Subprocessor" means any Processor engaged by Unstructured to assist in fulfilling its obligations with respect to Customer Personal Data under this DPA.

1. ROLES AND RESPONSIBILITIES

1.1. Roles. With respect to Customer Personal Data processed under this DPA, Customer is the Controller and Unstructured is the Processor, except to the extent Customer acts as a Processor on behalf of another Controller, in which case Unstructured will act as Customer’s subprocessor. Unstructured shall process Customer Personal Data solely in accordance with Customer's documented instructions as set forth in the Agreement and this DPA. The scope of processing is limited to the provision of the Services as described in the Agreement.

1.2. Deployment-Specific Scope.

A) For general SaaS and Dedicated Instance deployments, Unstructured processes Customer Personal Data to host, operate, secure, maintain, and support the Services as described in the Agreement.

B) For any Customer-Hosted Deployment, Unstructured does not, solely by virtue of licensing or deploying software in Customer's environment, process all data residing in that environment. In a Customer-Hosted Deployment, this DPA applies only to the extent Unstructured actually processes Customer Personal Data, including where Customer requests support, implementation, maintenance, troubleshooting, or other services that involve Customer Personal Data, provides logs, diagnostics, screenshots, exports, or similar materials containing Customer Personal Data, grants Unstructured remote or other access to systems or environments containing Customer Personal Data, or where the Licensed Software transmits operational data (such as source connection records or query logs) to Unstructured as part of the Services. In such cases, Unstructured's processing is limited to the scope of access and data made available by Customer and only as necessary to perform the requested support, maintenance, or professional services.

C) If Unstructured does not receive, access, or otherwise process Customer Personal Data in connection with a Customer-Hosted Deployment, this DPA does not independently create any obligation for Unstructured to process Customer Personal Data for that deployment. Nothing in this DPA requires Unstructured to access or process Customer Personal Data in a Customer-Hosted Deployment except as expressly requested or authorized by Customer.

1.3. Account Data. With respect to Account Data that does not constitute Customer Personal Data, Unstructured is an independent Controller and determines the purposes and means of processing such data, including for platform operation, security monitoring, usage analytics, customer support, billing administration, legal compliance, and other legitimate business purposes related to the provision of the Services. Customer acknowledges that Unstructured's Privacy Policy governs the processing of Account Data.

1.4. Processing Details. The details of the processing are described in Annex I, including the deployment-specific processing scenarios covered by this DPA.

1.5. Customer Obligations. Customer represents and warrants that: (a) it has all necessary rights and lawful bases to provide Customer Personal Data to Unstructured for processing under this DPA; (b) it has provided all required notices and obtained all necessary consents for such processing; (c) the Customer Personal Data is accurate and up-to-date to the extent required for the Services; (d) it will not submit to the Services any special categories of Personal Data or other prohibited data types except as expressly permitted by the Agreement or with Unstructured’s prior written agreement; and (e) for any Customer-Hosted Deployment, Customer is responsible for determining whether and when to provide support materials or grant access that may make Customer Personal Data available to Unstructured.

2. UNSTRUCTURED OBLIGATIONS AS PROCESSOR

The obligations in this Section 2 apply solely to Unstructured's processing of Customer Personal Data as a Processor.

2.1. Unstructured shall process Customer Personal Data only in accordance with Customer's documented instructions as set forth in the Agreement, this DPA, and any applicable Professional Services Statement of Work (including, where authorized, Custom Model Development). If Unstructured believes that a Customer instruction violates Applicable Data Protection Laws, it will notify Customer, but Unstructured has no obligation to monitor Customer's instructions for legal compliance.

2.2. Confidentiality. To the extent required by Applicable Data Protection Laws, Unstructured shall ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.

2.3 Security Measures. Unstructured shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data as described in the Customer Data Security Practices published at https://unstructured.io/legal. Unstructured maintains relevant security certifications, including SOC 2 Type 2 and ISO 27001, which demonstrate adherence to industry security standards. Current certifications and audit reports are available through Unstructured's trust portal at https://trust.unstructured.io/.

2.4. Subprocessors. Customer provides general authorization for Unstructured to engage Subprocessors to process Customer Personal Data. Unstructured will maintain a list of current Subprocessors, including deployment-model applicability where relevant, available upon request, or on Unstructured’s website. Unstructured will provide at least fifteen (15) days' advance notice of any new Subprocessor either by email notification to Customer's designated contact or by posting an updated list on Unstructured's website. Customer may object to a new Subprocessor on reasonable data protection grounds by providing written notice within fifteen (15) days of notification. If Customer objects and the parties cannot resolve the objection within a reasonable time, either party may terminate only the affected Services.

For general SaaS and Dedicated Instance deployments, Subprocessors may include hosting, infrastructure, monitoring, logging, security, and support providers used to operate the Services, and third-party AI providers used in connection with Unstructured-Managed AI Services (applicable to SaaS deployments only, as defined in the Agreement). For Customer-Hosted Deployments, Subprocessors are limited to those used in connection with the processing actually performed by Unstructured for that deployment, such as support communications, ticketing systems, secure file transfer tools, remote access tools, or other agreed support or professional services, and do not include Customer's own cloud providers or other vendors engaged directly by Customer.

Unstructured will enter into written agreements with Subprocessors containing data protection obligations substantially as protective of Customer Personal Data as those in this DPA.

2.5. Data Subject Rights. Unstructured will notify Customer promptly upon receipt of any data subject request relating to Customer Personal Data. To the extent required by Applicable Data Protection Laws, Unstructured will provide reasonable assistance to Customer in responding to such requests using standard technical measures available through the Services. Any assistance beyond standard platform functionality shall be provided at Customer's expense at Unstructured's then-current professional services rates.

2.6. Data Incident Notification. Unstructured will notify Customer without undue delay after becoming aware of a Data Incident affecting Customer Personal Data. To the extent required by Applicable Data Protection Laws, Unstructured will provide reasonably available information about the incident to assist Customer in meeting its notification obligations. Any assistance beyond standard notification shall be at Customer's expense. Unstructured retains sole control over breach communications to third parties unless Applicable Data Protection Laws require otherwise.

2.7. Data Protection Impact Assessments. To the extent required by Applicable Data Protection Laws, and upon Customer's reasonable written request, Unstructured will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities relating to Customer's use of the Services. All such assistance shall be provided at Customer's sole expense at Unstructured's then-current professional services rates.

2.8. Deletion and Return. Upon termination of the Agreement or Customer's written request, Unstructured will delete Customer Personal Data in its possession or control within thirty (30) days following the expiration of the post-termination Data Access Period set forth in the Agreement and Security Practices (currently ninety (90) days) unless retention is required by applicable law. For Customer-Hosted Deployments, this obligation applies only to Customer Personal Data actually processed by Unstructured, such as support materials, diagnostics, or other data provided to Unstructured, and does not apply to data stored in Customer-controlled environments. Customer is responsible for exporting any required data prior to termination of the Agreement.

3. AUDITS

3.1. Certifications and Reports. Upon reasonable request, Unstructured will provide Customer with copies of relevant certifications (such as SOC 2 and ISO 27001) and summaries of audit reports, which may be redacted to protect confidential information and other customers' information. Copies of current certifications are also available through Unstructured's trust portal at https://trust.unstructured.io/.

3.2. Security Questionnaires. Unstructured will respond to reasonable written security questionnaires from Customer, provided that such requests do not occur more than once annually.

3.3. On-Site Audits. Customer may conduct on-site audits of Unstructured's facilities only if: (a) the certifications and reports provided under Section 4.1 are insufficient to demonstrate compliance; (b) an audit is required by a supervisory authority; or (c) following a confirmed Data Incident affecting Customer Personal Data.

3.4. Audit Conditions. Any on-site audit must be conducted: (a) upon at least thirty (30) days' advance written notice; (b) during Unstructured's business hours; (c) in a manner that does not unreasonably interfere with Unstructured's business operations; (d) at Customer's sole expense, including all costs incurred by Unstructured; (e) by auditors bound by written confidentiality obligations; (f) with scope limited to matters relating to Customer Personal Data; and (g) with results kept confidential to Unstructured except as required by law.

3.5. Satisfaction of Audit Rights. Customer's audit rights shall be satisfied by Unstructured's provision of certifications and reports under Section 4.1 unless the circumstances described in Section 4.3 apply.

4. CCPA AND US STATE LAW PROVISIONS

4.1. Service Provider Relationship. For Customer Personal Data subject to CCPA, CPRA, and other applicable U.S. state privacy laws, Unstructured acts as Customer's "service provider," "processor," or equivalent designation under such laws.

4.2. Processing Restrictions. Unstructured will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data outside the direct business relationship between Unstructured and Customer; or (c) combine Customer Personal Data with personal information received from other sources, except as permitted by the applicable state law, as necessary to provide the Services, or as expressly authorized in a Professional Services Statement of Work for Custom Model Development (and only to the extent the resulting model weights do not contain identifiable Personal Data).

4.3. Compliance Certification. Unstructured certifies that it understands and will comply with the restrictions set forth in this Section 4.

4.4. Compliance Verification. Customer may take reasonable steps to verify Unstructured's compliance with this Section 4 in accordance with the audit procedures set forth in Section 3.

4.5. Inability to Comply. Unstructured will notify Customer if it determines that it can no longer meet its obligations under this Section 4.

5. INTERNATIONAL DATA TRANSFERS

5.1. Transfer Scope. Customer authorizes Unstructured to transfer Customer Personal Data only as reasonably necessary to provide the Services and perform its obligations under the Agreement and this DPA, including for support, maintenance, security, and the use of applicable Subprocessors.

5.2. Deployment-Specific Transfer Context. Customer acknowledges that the applicable transfer pathways may differ by deployment model. For general SaaS and Dedicated Instance deployments, Customer Personal Data may be processed in the region selected for the deployment, but remote access by Unstructured personnel or Subprocessors for support, maintenance, security, or troubleshooting may occur from other jurisdictions. For Customer-Hosted Deployments, transfers may arise if Customer provides support materials containing Customer Personal Data or grants Unstructured or its Subprocessors access to systems or environments containing Customer Personal Data.

5.3. Transfer Mechanisms. Where required by Applicable Data Protection Laws, transfers will be subject to appropriate transfer mechanisms, including adequacy decisions, Model Clauses, binding corporate rules, or other legally valid transfer mechanisms.

5.4. Supplementary Measures. Unstructured implements and maintains appropriate technical and organizational measures, including those described in Annex II, to protect Customer Personal Data transferred pursuant to the Model Clauses, taking into account the nature of the processing and the risks associated with cross-border access, including remote access for support purposes.

5.5. EU/EEA Transfers. For transfers of Personal Data from the EU/EEA to countries not subject to an adequacy decision, the Standard Contractual Clauses set forth in Annex III (Module 2: Controller-to-Processor transfers, or Module 3 where Customer acts as a Processor) are incorporated by reference and deemed executed upon execution of the Agreement.

5.6. UK Transfers. For transfers of Personal Data from the UK to countries not subject to an adequacy decision, the UK International Data Transfer Addendum set forth in Annex III is incorporated by reference and deemed executed upon execution of the Agreement.

5.7. Switzerland Transfers. For transfers of Personal Data from Switzerland, the Standard Contractual Clauses apply with the modifications set forth in Annex III.

5.8. Model Clauses Completion. The parties' details for purposes of the Model Clauses are as set forth in the Agreement and any applicable Order Form. Annexes I and II to this DPA serve to complete the corresponding annexes to the Model Clauses. The competent supervisory authority shall be determined in accordance with the Standard Contractual Clauses and Applicable Data Protection Laws. The Model Clauses are governed by Irish law, and the competent courts of Ireland have jurisdiction over disputes, except as otherwise required by Annex III for UK or Swiss transfers.

5.9. Adequacy Decisions. The Model Clauses shall not apply to transfers covered by a valid adequacy decision.

5.10. Precedence. In case of conflict between this DPA and the Model Clauses for transfers subject to the Model Clauses, the Model Clauses shall prevail.

6. GENERAL

6.1. Conflicts. This DPA shall prevail over the Agreement with respect to data protection matters. The Model Clauses shall prevail over this DPA for transfers subject to the Model Clauses.

6.2. Liability. Any liability arising under this DPA shall be subject to the limitation of liability provisions in the Agreement, and the aggregate liability cap set forth in the Agreement shall apply to the combined liability under the Agreement and this DPA.

6.3. Severability. If any provision of this DPA is held invalid or unenforceable, the remainder of this DPA shall remain in full force and effect.

6.4. Amendments. Unstructured may update this DPA from time to time to ensure compliance with Applicable Data Protection Laws by providing thirty (30) days' advance notice to Customer. Customer's continued use of the Services after such notice constitutes acceptance of the updated DPA.

6.5. Third Party Beneficiaries. This DPA does not create any third-party beneficiary rights except as required by the Model Clauses with respect to data subjects.

ANNEX I

PROCESSING DETAILS

Part A: List of Parties

Data exporter: Customer, as identified in the Agreement and any applicable Order Form.

Data importer: Unstructured Technologies, Inc., a Delaware corporation with address at 7589 Horseshoe Bar Road, Loomis, CA 95650, email: privacy@unstructured.io.

Contact person(s) responsible for data protection: privacy@unstructured.io.

Activities relevant to the data transferred: Customer is the Controller of Customer Personal Data. Unstructured is the Processor providing data processing services through the platform as described in the Agreement.

Role (controller/processor): As specified in this DPA.

Part B: Description of Transfer

  • Categories of data subjects whose personal data is transferred: As determined by Customer's use of the Services and the applicable deployment model, which may include Customer's employees, support users, contractors, customers, business contacts, and other individuals about whom Customer submits data to the Services.
  • Categories of personal data transferred: As determined by the data Customer chooses to submit to the Services or make available to Unstructured through the Services, which may include names, contact information, employment-related data, identification numbers, communications content, document contents, metadata, system logs, diagnostic information and other data types selected by Customer.
  • Sensitive data transferred (if applicable) and applied restrictions or safeguards: The Services are not designed to process special categories of Personal Data. If Customer submits such data contrary to the Agreement, Customer is responsible for ensuring appropriate lawful bases and implementing additional safeguards as required by Applicable Data Protection Laws.
  • Frequency of the transfer: (i) For general SaaS and Dedicated Instance deployments: continuous or episodic, as determined by Customer's use of the Services. (ii) For Customer-Hosted Deployments: occasional and limited to instances where Customer requests support, troubleshooting, or other services involving Customer Personal Data.
  • Nature of the processing:
    i) For general SaaS and Dedicated Instance deployments: collection, storage, organization, retrieval, analysis, transformation, and other processing activities necessary to provide, secure, maintain, and support the Services, including data transformation and processing operations, workflow automation, support diagnostics, and troubleshooting, and transmission of Customer Data to third-party AI providers for document transformation, extraction, and embedding operations (such data is processed transiently by the AI provider and not retained beyond the API call). Where authorized under a Professional Services Statement of Work, processing may also include training, fine-tuning, and validation of machine learning models using Customer Data, subject to the data handling requirements in the applicable Statement of Work and Security Practices. Where Customer uses Unstructured's knowledge assistant or document search features ("Foundation"), processing also includes connecting to Customer-designated data sources via Customer-authorized credentials, ingesting and indexing documents from those sources, maintaining a persistent searchable index, and executing natural-language queries against the resulting index to return relevant results to Authorized Users.
    ii) For Customer-Hosted Deployments: limited, incidental processing consisting of accessing, reviewing, and analyzing Customer Personal Data made available by Customer in connection with support, troubleshooting, maintenance, or professional services, including logs, diagnostics, and similar materials. Such processing is temporary and limited to the duration and scope of the applicable support activity. Where Customer deploys Foundation or similar knowledge assistant features in a Customer-Hosted Deployment, the core processing activities (connecting to Customer-designated data sources, ingesting and indexing documents, and executing queries against the index) are performed by the Licensed Software within Customer's environment and are under Customer's control as Controller. Unstructured's processing as Processor in this context is limited to: (a) receiving and processing operational telemetry transmitted by the Licensed Software, which may include source connection records, query metadata, and Authorized User identifiers, for purposes of support, security, billing, and compliance; and (b) any access to Customer's environment granted by Customer for support or troubleshooting purposes.
  • Purpose(s) of the data transfer and further processing: To provide, secure, maintain and support the Services as described in the Agreement and to perform related support and professional services requested by Customer.
  • Period for which the personal data will be retained:
    (i) For general SaaS and Dedicated Instance deployments: for the duration of the Agreement and through the post-termination Data Access Period and deletion period set forth in the Agreement and Security Practices, unless longer retention is required by applicable law. For Customer Personal Data processed through Foundation indexing, retention continues for the duration of the applicable source connection; upon disconnection of a source or deletion of the index by Customer, Unstructured will delete the indexed data in accordance with its standard deletion practices.
    (ii) For Customer-Hosted Deployments: only for the duration necessary to provide the applicable support, troubleshooting, or professional services, after which such data is deleted in accordance with Unstructured's standard support data retention practices, unless retention is required by applicable law. For operational telemetry received from Foundation deployments in Customer-Hosted environments, Unstructured retains such data only for so long as reasonably necessary for support, security, billing, and compliance purposes.

Part C: Competent Supervisory Authority

For transfers originating from the EU/EEA: The Irish Data Protection Commission.

For transfers originating from the UK: The UK Information Commissioner's Office.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES

The technical and organizational measures implemented by Unstructured are as described in the Customer Data Security Practices published at https://unstructured.io/legal (the "Security Practices"), as updated from time to time in accordance with the Agreement.

The Security Practices describe Unstructured's measures for encryption, access controls, network security, vulnerability management, incident response, data handling and retention, AI-specific security controls, personnel security, and certifications.

The Security Practices also serve as the description of technical and organizational measures for purposes of the Standard Contractual Clauses incorporated in Annex III.

ANNEX III

INTERNATIONAL TRANSFER MECHANISMS

Section 1: EU Standard Contractual Clauses

For transfers of Personal Data from the EU/EEA subject to the GDPR, Module 2 (Controller-to-Processor transfers) of the Standard Contractual Clauses applies where Customer acts as Controller, and Module 3 (Processor-to-Processor transfers) applies where Customer acts as Processor, in each case with the following specifications:

  • For Clause 9, Option 2 (general authorization) applies with notification requirements as set forth in Section 2.4 of this DPA
  • The optional language in Clause 11 does not apply
  • Under Clause 17, the Standard Contractual Clauses are governed by Irish law
  • Under Clause 18, disputes shall be resolved by the courts of Ireland
  • The docking clause in Clause 7 applies

Section 2: UK International Data Transfer Addendum

For transfers of Personal Data from the UK, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Version B1.0 applies with the following specifications:

  • Tables 1, 2, and 3 are completed using the information set forth in this DPA and its Annexes
  • Under Table 4, neither party may end the Addendum when it has been incorporated into this DPA

Section 3: Switzerland Transfers

For transfers of Personal Data from Switzerland, the Standard Contractual Clauses apply with the following modifications:

  • References to the GDPR are understood to also refer to the Swiss Federal Act on Data Protection (FADP)
  • References to "Member State" include Switzerland
  • The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC)
  • For transfers governed by Swiss law, Swiss law governs and Swiss courts have jurisdiction

For a full list of legal documentation, click here.