Data Processing Addendum

Last updated: April 6, 2026

Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between AETHERIA LABS PRIVATE LIMITED ("Lexsis AI", "we", "our", or "us") and the customer ("Customer", "you", or "Controller") that has accepted Lexsis AI's Terms of Service or entered into a separate written agreement governing the use of the Lexsis AI platform (the "Agreement"). This DPA reflects the parties' agreement on the processing of Personal Data in connection with the Services.

In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data.

Definitions

Capitalized terms not defined here have the meanings given in the Agreement or in applicable Data Protection Laws.

"Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA/CPRA"), and India's Digital Personal Data Protection Act, 2023 ("DPDP").
"Personal Data" means any information relating to an identified or identifiable natural person that Lexsis AI processes on behalf of Customer in connection with the Services.
"Controller", "Processor", "Data Subject", "Processing", "Personal Data Breach" have the meanings given in the GDPR (and equivalent terms in other Applicable Data Protection Laws).
"Subprocessor" means any third party engaged by Lexsis AI to process Personal Data in connection with the Services. The current list is available at https://www.trylexsis.com/subprocessors.
"Standard Contractual Clauses" or "SCCs" means the EU Commission's standard contractual clauses for the transfer of Personal Data to third countries, adopted under Decision (EU) 2021/914.

Roles of the Parties

The parties acknowledge that, with respect to the processing of Personal Data under the Agreement:

Customer is the Controller of Personal Data it submits or makes available to the Services, including data ingested from Connected Sources and any End User data processed by AI Agents.
Lexsis AI is the Processor acting on Customer's documented instructions.

Where Customer acts as a processor on behalf of a third party, Customer warrants that it has the necessary authority to instruct Lexsis AI as a sub-processor of that third party.

Scope and Purpose of Processing

Lexsis AI will process Personal Data only:

For the purpose of providing, maintaining, and improving the Services as described in the Agreement
In accordance with Customer's documented instructions, including those set out in this DPA and the Agreement
As required to comply with applicable law, in which case Lexsis AI will inform Customer of that legal requirement before processing, unless prohibited from doing so

The subject matter, nature and purpose of processing, categories of Data Subjects, and types of Personal Data are set out in Annex A.

Customer Responsibilities

Customer is responsible for:

Ensuring that it has a valid legal basis for processing Personal Data and for transferring it to Lexsis AI
Providing all required notices and obtaining all required consents from Data Subjects
Configuring the Services and Connected Sources so that only the Personal Data necessary for Customer's purposes is shared with Lexsis AI
The accuracy, quality, and legality of the Personal Data and the means by which it was acquired
Disclosing to End Users when they are interacting with AI Agents, where required by law

Lexsis AI Obligations

Lexsis AI will:

Process Personal Data only on documented instructions from Customer
Ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations
Implement and maintain the technical and organizational measures described in Annex B
Assist Customer, taking into account the nature of processing, with the fulfilment of Customer's obligations to respond to Data Subject requests
Assist Customer with data protection impact assessments and prior consultations with supervisory authorities, where reasonably required
Notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide reasonable cooperation in investigating and mitigating it
Make available to Customer information reasonably necessary to demonstrate compliance with this DPA

Subprocessors

Customer provides general authorization for Lexsis AI to engage Subprocessors to process Personal Data, subject to the following:

Lexsis AI maintains a current list of Subprocessors at https://www.trylexsis.com/subprocessors
Lexsis AI imposes data protection obligations on each Subprocessor that are no less protective than those in this DPA
Lexsis AI remains liable for the acts and omissions of its Subprocessors as it would be for its own
Lexsis AI will provide reasonable advance notice of any new Subprocessor (by updating the Subprocessors page or by email to the account's primary contact). Customer may object on reasonable data protection grounds within thirty (30) days; if the objection cannot be reasonably resolved, Customer may terminate the affected Services as its sole remedy.

International Data Transfers

Where Lexsis AI transfers Personal Data outside the country of origin, it will ensure that an appropriate transfer mechanism is in place, including, where applicable, the Standard Contractual Clauses, the UK International Data Transfer Addendum, or other valid transfer mechanism recognized under Applicable Data Protection Laws. The SCCs are incorporated by reference, with the parties electing Module Two (Controller to Processor) or Module Three (Processor to Processor) as applicable, and with the docking clause and option for general subprocessor authorization activated.

Data Subject Rights

Lexsis AI will, taking into account the nature of the processing, provide reasonable assistance to Customer to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. If Lexsis AI receives a Data Subject request directly, it will refer the Data Subject to Customer without responding to the substance of the request, unless required by law.

Personal Data Breach Notification

In the event of a Personal Data Breach affecting Customer Personal Data, Lexsis AI will:

Notify Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of the breach
Provide reasonably available information to enable Customer to meet its own breach-notification obligations, including the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed
Reasonably cooperate in investigating, mitigating, and remediating the breach

Notification of, or response to, a Personal Data Breach is not an acknowledgement by Lexsis AI of any fault or liability.

Audits

Lexsis AI will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports and certifications where available. Customer may, at its own cost and on reasonable prior notice, conduct an audit of Lexsis AI's processing of Personal Data, subject to:

Audits being carried out no more than once per year, except in the case of a confirmed Personal Data Breach or where required by a competent supervisory authority
The auditor signing appropriate confidentiality undertakings
Audits being conducted during business hours, with minimal disruption to Lexsis AI's operations
Customer providing Lexsis AI with the audit report and any findings

Return and Deletion of Personal Data

On termination or expiry of the Agreement, Lexsis AI will, at Customer's choice, delete or return all Personal Data processed on Customer's behalf, and delete existing copies, unless retention is required by applicable law. Customer may export its data through the Services prior to termination. After the post-termination period set out in the Agreement (or, if not specified, thirty (30) days), Lexsis AI will delete Personal Data from active systems; backup copies will be deleted in line with our standard backup retention cycle.

Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes either party's liability to Data Subjects under Applicable Data Protection Laws.

Order of Precedence; Survival

In the event of a conflict between this DPA, the SCCs, and the Agreement, the order of precedence is: (1) the SCCs (where applicable), (2) this DPA, (3) the Agreement. This DPA survives termination of the Agreement for as long as Lexsis AI processes Personal Data on Customer's behalf.

Updates to this DPA

We may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or to our processing practices. Material changes will be communicated through the platform or by email to the account's primary contact. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.

Annex A — Details of Processing

Subject matter: Provision of the Lexsis AI platform and Services as described in the Agreement.

Duration: For the term of the Agreement and any post-termination period necessary to return or delete Personal Data.

Nature and purpose of processing: Ingesting, storing, indexing, analyzing, and surfacing customer signals; powering AI features (including AI Agents that respond to End Users on Customer's behalf); generating dashboards, reports, and recommendations; supporting integrations and exports.

Categories of Data Subjects:

Customer's authorized users and employees
Customer's End Users (including past, current, and prospective customers)
Authors of customer reviews, support tickets, surveys, and social mentions

Categories of Personal Data:

Identifiers (name, email, phone number, account ID, IP address)
Customer-service and conversation content (messages, attachments, voice/audio where enabled)
Reviews, ratings, and survey responses
Transactional and behavioral data from connected ecommerce and analytics platforms
Account, role, and authentication metadata

Special categories of Personal Data: Customer should not submit special-category data (e.g., health, biometric, or other sensitive data under GDPR Art. 9) to the Services unless expressly agreed in writing. Where such data is incidentally present in connected sources (for example, in supplement-related support conversations), Customer is responsible for ensuring an appropriate legal basis.

Annex B — Technical and Organizational Measures

Lexsis AI maintains a security program designed to protect the confidentiality, integrity, and availability of Personal Data, including:

Encryption of Personal Data in transit (TLS 1.2+) and at rest
Access controls including role-based access, least privilege, and multi-factor authentication for administrative access
Secure development practices, including code review, dependency scanning, and vulnerability management
Logging and monitoring of access to systems and Personal Data
Network security controls including firewalls, segregation of environments, and protected administrative interfaces
Backup and recovery procedures and tested business-continuity plans
Personnel measures, including background checks where permitted by law, confidentiality obligations, and security training
Subprocessor management including due diligence and contractual data-protection obligations
Incident response procedures, including breach detection, escalation, and notification

A more detailed description of our security program is available on request to enterprise customers under appropriate confidentiality undertakings.

Annex C — Subprocessors

The current list of authorized Subprocessors is published at https://www.trylexsis.com/subprocessors and updated from time to time in accordance with the Subprocessors section above.

Contact Us

For questions about this DPA, to exercise rights under Applicable Data Protection Laws, or to request a countersigned copy:

Company: AETHERIA LABS PRIVATE LIMITED

Address: Flat No. A2 203, Balewadi, palladion society, N.I.A., Pune City, Pune- 411045, Maharashtra

Email: enterprise@trylexsis.com