Levo, Inc. Data Processing Agreement

Last updated March 31, 2026

DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement (“DPA”) forms part of the Terms of Use or applicable agreement (“Agreement”) between:

  • Customer (Controller)
  • Levo.ai (Processor)

This DPA governs the Processing of Personal Data by Levo.ai in connection with the Services.

1. PURPOSE OF THIS AGREEMENT

This DPA sets out the obligations of the Processor when Processing Personal Data on behalf of the Controller in accordance with:

  • General Data Protection Regulation
  • Applicable data protection laws

In case of conflict, this DPA shall prevail.

2. DEFINITIONS

All capitalized terms shall have the meanings defined under the GDPR unless otherwise stated.

  • Controller – determines purpose and means of processing
  • Processor – processes data on behalf of Controller
  • Sub-processor – third party engaged by Processor
  • Personal Data – any information relating to an identifiable individual

3. NATURE AND PURPOSE OF PROCESSING

Levo processes Personal Data strictly for:

  • Providing API and AI security services
  • Runtime monitoring and threat detection
  • System performance and operational analytics

Important Clarification (Levo-Specific)

  • Processing is limited to metadata and security signals
  • Levo does not extract or store sensitive payload data by default
  • Processing occurs within customer-controlled environments where applicable

4. CATEGORIES OF DATA

Data Subjects

  • Customer employees
  • Authorized users
  • System users interacting with protected APIs or AI applications

Personal Data Types

  • Name, email, user ID
  • Device/IP metadata
  • System interaction logs

Sensitive Data

  • Levo does not intentionally collect sensitive personal data

5. DURATION OF PROCESSING

Processing shall continue:

  • For the duration of the Agreement
  • Or until deletion/return is requested by Controller

6. CONTROLLER OBLIGATIONS

The Controller shall:

  • Ensure lawful basis for processing
  • Provide privacy notice to data subjects
  • Obtain required consents
  • Notify Processor of:
    • Data subject requests
    • Regulatory actions
    • Consent withdrawals

7. PROCESSOR OBLIGATIONS

Levo shall:

  • Process data only on documented instructions
  • Assist in data subject rights fulfillment
  • Implement appropriate security measures
  • Maintain confidentiality and trained personnel

8. DATA SECURITY (CRITICAL DIFFERENTIATOR)

Levo implements:

Architectural Security Principles

  • Privacy-first processing model
  • No unnecessary data movement
  • Minimal data collection

Technical Measures

  • Encryption in transit (TLS 1.2+)
  • Logical tenant isolation
  • Role-based access control
  • Multi-factor authentication
  • Continuous monitoring and logging

Infrastructure

  • Hosted on Amazon Web Services
  • Multi-zone redundancy
  • Disaster recovery and backup systems

9. SUB-PROCESSORS

Levo may engage sub-processors under strict obligations.

Current Sub-processors

  • Amazon Web Services – Hosting infrastructure

Levo remains fully liable for sub-processor compliance.

10. DATA TRANSFERS

Where data is transferred outside the EEA:

  • Standard Contractual Clauses (SCCs) are applied
  • Equivalent protection standards are enforced

11. PERSONAL DATA BREACH

Levo shall:

  • Notify Controller without undue delay
  • Provide:
    • Incident details
    • Impact assessment
    • Mitigation steps

12. AUDIT RIGHTS

Controller may:

  • Request compliance evidence
  • Conduct audits with prior notice

13. RETURN AND DELETION

Upon termination:

  • Data will be returned or deleted within 30 days
  • Secure deletion processes will be followed

14. TECHNICAL & ORGANIZATIONAL MEASURES

Levo maintains:

  • ISO-aligned security practices
  • Vulnerability management
  • Incident response systems
  • Access control frameworks
  • Regular security audits

15. AI-SPECIFIC DATA HANDLING (IMPORTANT ADDITION)

Levo ensures:

  • No customer data is used to train AI models
  • No prompt/response data is reused externally
  • AI interactions remain customer-scoped and controlled