Controller-Processor terms for AGEWARDEN. You (Customer) are the data controller. ConstanceAI is the processor. End-user voice and derived features are processed in ephemeral runtime environments and permanently deleted within a maximum of one hour. Application audit logs contain no end-user identifiers. Cross-border transfers run primarily on EU SCCs (Module Two), the UK Addendum, and Swiss FADP adaptations; DPF is supplemental where ConstanceAI holds active certification.

This Data Processing Agreement ("DPA"), available at agewarden.ai/data-processing-agreement, supplements the Customer Agreement between ConstanceAI, Inc. ("Processor") and Customer ("Controller") and governs Processor's processing of End User voice-verification personal data on Controller's behalf. Business contact, account, and billing data is handled as described in the Customer Agreement and Privacy Policy. Use of the service is also subject to the Acceptable Use Policy.

1 Scope and roles

Controller determines the purposes and means of age verification for its End Users. Processor provides the AGEWARDEN service, which processes End User voice data to perform age estimation on Controller's behalf.

This DPA applies to the End User voice-verification processing described in Annex 1.

2 Processing instructions

Processor will process personal data only on Controller's documented instructions, defined by this DPA and the Customer Agreement. The instruction is: process End User voice data to produce a binary age estimation result, then permanently delete all voice data and derived features within the Retention Window. "Retention Window" means a maximum period of one hour from capture, within which the data is designed and operated to be permanently deleted and beyond which it is in no case retained.

If Processor believes an instruction infringes applicable data protection law, it will inform Controller without delay.

3 Categories of data and data subjects

Set out in Annex 1.

4 Duration

Processing occurs for the duration of the Customer Agreement. Each processing operation (one Verification) is subject to the Retention Window defined in Section 2: all End User voice data and derived features are permanently deleted within a maximum of one hour from capture and are in no case retained beyond it.

5 Security measures

Processor implements the following technical and organizational measures:

  • Voice data is encrypted in transit (TLS 1.2 or higher; TLS 1.3 where deployed) and, if transiently persisted during processing, encrypted at rest.
  • Voice data and derived features are processed in ephemeral runtime environments; no durable biometric store exists.
  • Voice data and all derived acoustic features are permanently deleted within the Retention Window (maximum one hour from capture) and are in no case retained beyond it.
  • The AGEWARDEN widget runs in an isolated iframe. Controller's website cannot access the microphone feed or intercept voice data.
  • No End User identifiers (name, email, IP address, device fingerprint) are recorded in AGEWARDEN application audit logs, and Processor does not use such identifiers to build End User profiles. Transient infrastructure-layer processing (for example, edge or load-balancer access logs maintained by Processor's cloud sub-processor for security and operational integrity) is not used to identify End Users and is itself subject to short, commercially reasonable retention.
  • Access to processing infrastructure is restricted to authorized personnel with multi-factor authentication.
  • Persistent application audit logs do not include End User identifiers, voice data, or derived acoustic features.

6 Sub-processors

Processor uses the following sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure for voice processing | United States (with planned regional expansion) |
| Stripe, Inc. | Payment processing, billing, and per-verification metered-usage relay; also collects the signup email address at Checkout | United States |
| Amazon SES | Transactional email (account-recovery magic links) | United States |

Processor will notify Controller at least 30 days before engaging a new sub-processor, via the email address on file. Controller may object to a new sub-processor by notifying Processor within 14 days. If the objection cannot be resolved, Controller may terminate the Customer Agreement.

All sub-processors are bound by written agreements imposing data protection obligations equivalent to those in this DPA.

7 International transfers

Voice data is currently processed in the United States. For transfers of personal data from the EEA, the United Kingdom, or Switzerland to the United States, Processor relies primarily on the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914, Module Two (Controller to Processor), for transfers governed by GDPR; the UK Addendum to the EU SCCs issued by the ICO under section 119A of the Data Protection Act 2018 (version B1.0) for transfers governed by UK GDPR; and the Swiss FADP adaptations described in Annex 2 for transfers governed by Swiss law. These mechanisms are incorporated into this DPA by reference in Annex 2.

Where Processor holds an active EU-US Data Privacy Framework certification (or its UK Extension or the Swiss-US Data Privacy Framework, as applicable), that mechanism applies as a supplemental basis for the affected transfers. If Processor's DPF certification is invalidated, suspended, repealed, lapses, or is withdrawn, transfers continue under the Standard Contractual Clauses, the UK Addendum, and the Swiss adaptations described in Annex 2, without further action by either party.

If Processor offers regional voice processing, this DPA will be updated to reflect available regions.

8 Data subject rights

If Processor receives a request from a data subject exercising rights under GDPR, CCPA, or equivalent law, Processor will promptly notify Controller and assist Controller in responding. Processor does not "sell" or "share" personal data within the meaning of the California Consumer Privacy Act (as amended by the CPRA) or equivalent state privacy statutes.

For the End User voice-verification flow, voice data is subject to the Retention Window (maximum one hour) and Processor records no End User identifiers in its application audit logs, so most data subject requests (access, deletion, portability) relating to that flow will, in practice, be moot by the time they are received. For such requests, Processor will inform the data subject that no responsive voice data or End User identifiers are held from that flow and direct them to Controller.

Business contact, account, and billing data is handled under the Privacy Policy and the rights afforded to the relevant individuals under applicable law.

GDPR Article 22 assistance. Controller handles any human review or access decision. Processor will forward requests received directly and provide available Verification information reasonably needed for Controller's review.

9 Breach notification

Processor will notify Controller without undue delay (and within 72 hours) after becoming aware of a personal data breach affecting data processed under this DPA. Initial notice will include information then available and will be supplemented as Processor learns more.

Because End User voice data is subject to the Retention Window (maximum one hour), the period during which such data is exposed to a potential breach is materially limited to the processing window.

10 Audit rights

Controller may audit Processor's compliance with this DPA once per year on 30 days' written notice. Audits will be conducted during business hours, will not unreasonably interfere with Processor's operations, and are subject to confidentiality, security, privilege, and protection of other customers' information.

Processor will provide relevant certifications, audit reports (SOC 2 when available), or other evidence of compliance upon reasonable request and subject to the same limits. Where this information reasonably addresses Controller's audit requirements, an on-site audit is not required.

11 Deletion

Upon termination of the Customer Agreement, Processor will delete personal data processed under this DPA from active systems within 90 days, except records retained for law, billing, dispute, security, or non-identifying audit purposes. End User voice data is in any event subject to the Retention Window (maximum one hour from each Verification) and is permanently deleted within it regardless of account status. Application audit records that do not include End User identifiers, voice data, or derived acoustic features may be retained for regulatory compliance.

12 Liability

Each party's liability under this DPA is subject to the limitations set out in the Customer Agreement.

Amendments to this DPA are governed by the amendment procedure in Section 16 of the Customer Agreement.

Annex 1: Description of processing

Subject matter: Age estimation from voice for End Users of Controller's website or application.

Duration: For the duration of the Customer Agreement. Individual processing operations are subject to the Retention Window (maximum one hour) defined in Section 2.

Nature and purpose: Voice audio is captured from End Users, transmitted over encrypted connections, processed using machine learning models to estimate age, and permanently deleted within the Retention Window (maximum one hour, never retained beyond it). A binary pass/fail result is returned to Controller. Application audit logs do not include End User identifiers, voice data, or derived acoustic features.

Types of personal data

End User voice-verification data:

  • Short voice audio sample (permanently deleted within the Retention Window, maximum one hour)
  • Acoustic features derived from voice (numerical values indicating age-related characteristics; permanently deleted within the Retention Window, maximum one hour)
  • Technical metadata (browser type, device type, ephemeral session identifiers; no IP addresses are recorded in AGEWARDEN application audit logs)

Business contact, account, and billing data handled outside the End User voice flow:

  • Billing/account contact email address provided by Controller's authorized representative at Checkout (processed by Stripe, Inc. and, for account-recovery messages, by Amazon SES)
  • The associated Stripe customer record (Stripe-assigned customer identifier, subscription, and payment-method status; Processor does not store card numbers)
  • An ephemeral account-recovery token, time-limited and single-use, generated only when an account-recovery magic link is requested

Categories of data subjects

  • End Users of Controller's website or application who use the AGEWARDEN widget (voice-verification data).
  • Controller's authorized representative(s) who sign up for and administer the AGEWARDEN account (account and billing data).

Special categories of data: Where applicable, voice data may be treated as biometric, special-category, or sensitive data. Controller is responsible for the lawful basis and required notices or consents. Processing is limited to age estimation; no voiceprints or speaker profiles are created or persisted; no derived biometric feature is retained beyond the Retention Window.

Annex 2: International transfer mechanisms

For transfers of personal data from the EEA, the United Kingdom, or Switzerland to the United States (or any other country not the subject of an adequacy decision), the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"), Module Two (Transfer Controller to Processor), apply and are incorporated into this DPA by reference. Controller is the "data exporter"; Processor (ConstanceAI, Inc.) is the "data importer."

SCC incorporation and execution

The SCCs are incorporated by reference into this DPA. Customer's acceptance of this DPA via Stripe Checkout (or any successor self-service signup mechanism) constitutes execution of Annex I.A of the SCCs.

For purposes of Annex I.A, the data exporter's name, address, and contact details are those provided by Customer during account creation, as updated in the billing portal or provided to ConstanceAI on request.

If Customer requires a separately signed copy of the SCCs in the official EU template format, ConstanceAI will provide such copy on request.

Deemed-completion mapping

The SCC Annexes are deemed completed by reference to this DPA as follows:

| SCC Annex (Roman) | DPA-native location |
|---|---|
| Annex I.A (List of Parties) | DPA Annex 2. Completed by Customer account information and any additional details Customer provides to ConstanceAI on request. |
| Annex I.B (Description of transfer) | DPA Annex 1, "Description of processing" |
| Annex I.C (Competent supervisory authority) | DPA Annex 2. Bracketed per-Customer; defaults to the supervisory authority of Customer's EU/EEA member-state of establishment. |
| Annex II (Technical and organisational measures) | DPA §5 and Annex II below |
| Annex III (List of sub-processors) | DPA §6 and the current sub-processor list at https://agewarden.ai/data-processing-agreement |

The following operative elections apply unless the parties agree otherwise in the Customer Agreement:

  • Clause 7 (Docking clause): not included.
  • Clause 9 (Use of sub-processors): OPTION 2 (GENERAL WRITTEN AUTHORISATION) applies. Processor's current sub-processors are listed in Annex III below; the notice period for changes is the 30-day period stated in Section 6 of this DPA.
  • Clause 11 (Redress): the optional independent-dispute-resolution language is not included.
  • Clause 17 (Governing law): the law of Ireland.
  • Clause 18 (Forum and jurisdiction): the courts of Ireland.

Where any provision of this DPA conflicts with the EU SCCs, the EU SCCs prevail in respect of transfers governed by them.

Annex I

IA: List of Parties

Data exporter (Controller):

  • Name: [Controller legal name, as provided during account creation or on request]
  • Address: [Controller registered address, as provided during account creation or on request]
  • Contact person name, position, contact details: [Controller data-protection contact: name / title / email]
  • Activities relevant to the transfer: deploying the AGEWARDEN voice age-estimation widget to its End Users and determining the purposes and means of that age verification.
  • Role: Controller.
  • Signature and date: to be completed on execution of the Customer Agreement.

Where Customer has not designated a data-protection contact, it defaults to the account-holder email of record, as updated in the billing portal.

Data importer (Processor):

  • Name: ConstanceAI, Inc.
  • Address: 3245 Geary Blvd #590843, San Francisco, CA 94118, United States.
  • Contact person name, position, contact details: Legal, legal@constance.ai.
  • Activities relevant to the transfer: providing the AGEWARDEN service: processing End User voice data to perform age estimation on Controller's behalf, as described in Annex 1 of this DPA.
  • Role: Processor.
  • Signature and date: to be completed on execution of the Customer Agreement.

IB: Description of Transfer

  • Categories of data subjects: End Users of Controller's website or application who use the AGEWARDEN widget. (Customer-side account/billing data subjects, Controller's authorized representative(s), are addressed under the Customer Agreement and Privacy Policy and are not the subject of the End User voice transfer described here.)
  • Categories of personal data: End User voice audio; acoustic features derived from voice (numerical values indicating age-related characteristics); technical metadata (browser type, device type, ephemeral session identifiers; no IP addresses recorded in AGEWARDEN application audit logs). See Annex 1 of this DPA.
  • Sensitive data: Where applicable, voice data may be treated as biometric, special-category, or sensitive data. Controller is responsible for the lawful basis and required notices or consents. Processing is strictly limited to age estimation; no durable voiceprints or speaker profiles are created or stored. Safeguards include ephemeral runtime processing, encryption in transit (TLS 1.2+) and, if transiently persisted during processing, encryption at rest, a one-hour retention ceiling, widget isolation, no End User identifiers in application logs, and MFA-restricted access (see Annex II).
  • Frequency of the transfer: on a continuous / on-demand basis, each time an End User initiates a Verification.
  • Nature of the processing: capture, encrypted transmission, machine-learning-based acoustic analysis for voice-based age estimation, return of a binary pass/fail result, and permanent deletion within the maximum one-hour retention window.
  • Purpose of the transfer and further processing: to perform voice-based age estimation on the Controller's behalf so the Controller can satisfy its own age-assurance obligations.
  • Retention period: End User voice data and derived features are subject to a maximum retention window of one hour and are not retained beyond it; application audit logs that do not include End User identifiers, voice data, or derived acoustic features may be retained for regulatory compliance.
  • For transfers to sub-processors: subject matter, nature, and duration of processing as set out in Annex III.

IC: Competent Supervisory Authority

The competent supervisory authority is [Controller's competent EEA supervisory authority], i.e. the supervisory authority of the EEA Member State in which the data exporter is established or, where the data exporter is not established in the EEA, the supervisory authority of the Member State in which the data exporter's EU representative under GDPR Article 27 is established (or, failing that, the Member State in which the data subjects whose data is transferred are located).

Annex II: Technical and Organisational Measures

The data importer applies the technical and organisational measures set out in Section 5, summarised here for the SCCs:

  • Ephemeral processing: End User voice audio and derived acoustic features are processed in ephemeral runtime environments; no durable biometric-feature store exists.
  • Encryption in transit and at rest: voice data is encrypted in transit (TLS 1.2 or higher; TLS 1.3 where deployed) and encrypted at rest if transiently persisted during processing.
  • One-hour application-layer ceiling, no durable biometric store: voice data and derived acoustic features are permanently deleted within one hour; no voiceprint, speaker embedding, or other biometric template is stored.
  • The AGEWARDEN widget runs in an isolated iframe; the Controller's website cannot access the microphone feed or intercept voice data.
  • No End User identifiers (name, email, IP address, device fingerprint) are recorded in AGEWARDEN application audit logs, and such identifiers are not used to profile End Users.
  • Access to processing infrastructure is restricted to authorised personnel using multi-factor authentication.
  • Persistent application audit logs do not include End User identifiers, voice data, or derived acoustic features.
  • Measures for ensuring sub-processor compliance: written agreements imposing data-protection obligations equivalent to this DPA (Section 6 / EU SCC Clause 9).

These measures are calibrated to the sensitivity of the data described in Annex I.B.

Annex III: List of Sub-processors

The Controller has authorised the use of the following sub-processors (mirroring Section 6 of this DPA):

| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure for voice processing | United States (with planned regional expansion) |
| Stripe, Inc. | Payment processing, billing, and per-verification metered-usage relay; also collects the signup email address at Checkout | United States |
| Amazon SES | Transactional email (account-recovery magic links) | United States |

UK Addendum to the EU SCCs

For transfers subject to UK data protection law (UK GDPR), the parties incorporate by reference the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, version B1.0, in force 21 March 2022 (the "UK Addendum").

  • UK Addendum Table 1 (Parties): the data exporter and data importer are as stated in Annex I.A above.
  • UK Addendum Table 2 (Selected SCCs, Modules and Clauses): the EU SCCs incorporated above (Decision 2021/914), Module Two (Controller to Processor), with the elections stated above.
  • UK Addendum Table 3 (Appendix Information): Annex 1A (List of Parties) = Annex I.A above; Annex 1B (Description of Transfer) = Annex I.B above; Annex II (Technical and Organisational Measures) = Annex II above; Annex III (Sub-processors) = Annex III above.
  • UK Addendum Table 4 (Ending the Addendum when the Approved Addendum changes): neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.

The UK Addendum amends the EU SCCs to the extent necessary so that they operate for transfers under UK GDPR, with the ICO as competent supervisory authority and references construed in accordance with UK law.

Swiss Addendum (FADP)

For transfers subject to Swiss data protection law (the Federal Act on Data Protection, "FADP"), the EU SCCs above apply with the following standard adaptations: (a) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC) for transfers governed by the FADP (and the supervisory authority identified in Annex I.C for transfers governed by the GDPR); (b) references to the GDPR are to be understood as references to the FADP insofar as the transfer is governed by Swiss law; and (c) the term "Member State" must not be interpreted to exclude data subjects in Switzerland from enforcing their rights in their place of habitual residence.