Data Processing Agreement
Last updated: February 17, 2026
1. Scope & Purpose
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between EmitIQ, Inc. (“Processor”) and the Customer (“Controller”) and governs the processing of personal data by EmitIQ on behalf of the Customer in connection with the EmitIQ carbon emissions tracking and compliance reporting platform (“Service”).
Definitions: “Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” and “Supervisory Authority” have the meanings given in the EU General Data Protection Regulation (GDPR) 2016/679 and, where applicable, the UK GDPR and Swiss Federal Act on Data Protection (FADP).
2. Processing Details
Types of Personal Data: Contact information (name, email, job title), company information, facility addresses, vendor/supplier contact details, IP addresses and device identifiers, and any personal data contained within documents uploaded for emissions data extraction.
Categories of Data Subjects: Customer employees and administrators, vendor/supplier contacts, and individuals whose personal data may be incidentally included in uploaded documents (e.g., utility account holders, invoice contacts).
Purpose of Processing: Providing the EmitIQ Service, including data ingestion, AI-powered document extraction, emissions calculation, compliance report generation, audit trail management, user authentication, and billing.
Duration: Personal data is processed for the duration of the service agreement. Emissions data and audit records are retained for seven (7) years post-termination per SB 253 regulatory requirements. All other personal data is deleted within thirty (30) days of account termination.
3. Processor Obligations
EmitIQ, as Processor, shall:
- Process Personal Data only on the documented instructions of the Controller, unless required by applicable law to do otherwise (in which case EmitIQ will inform the Controller before processing, unless prohibited by law).
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain the technical and organizational security measures described in Section 8 of this DPA, in accordance with GDPR Article 32.
- Assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights (access, rectification, erasure, portability, restriction, objection).
- Assist the Controller in ensuring compliance with the obligations relating to security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities (GDPR Articles 32–36).
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 9.
4. Sub-Processors
EmitIQ engages the following sub-processors. The Controller provides general written authorization for the engagement of these sub-processors. EmitIQ will notify the Controller at least thirty (30) days before adding or replacing a sub-processor, giving the Controller the opportunity to object.
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, storage, compute | US (Oregon, us-west-2) | SOC 2, ISO 27001, AWS DPA |
| Anthropic | AI document data extraction | US | SOC 2, zero data retention policy |
| Climatiq | Emission factor lookups | EU (Germany) | GDPR compliant, SCCs |
| Clerk | Authentication & identity | US | SOC 2, Clerk DPA |
| Stripe | Payment processing | US | PCI DSS Level 1, SOC 2, Stripe DPA |
5. Data Subject Rights
EmitIQ will assist the Controller in responding to Data Subject requests (DSARs) including requests for access, rectification, erasure, restriction, portability, and objection. Upon receiving a DSAR directly, EmitIQ will promptly notify the Controller and will not respond to the Data Subject directly unless instructed by the Controller or required by law. EmitIQ will respond to Controller-initiated DSAR assistance requests within five (5) business days.
6. Data Breach Notification
EmitIQ will notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data breach. The notification will include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected.
- The name and contact details of EmitIQ's point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
EmitIQ will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
7. International Transfers
Personal Data is processed and stored in the United States (AWS US-West-2 region). For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, EmitIQ relies on the EU–US Data Privacy Framework and, where applicable, Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision 2021/914). The Controller may request a copy of the applicable SCCs by contacting [email protected].
8. Security Measures
In accordance with GDPR Article 32, EmitIQ implements the following technical and organizational measures:
- Encryption: AES-256 encryption at rest for all stored data; TLS 1.3 encryption in transit for all network communications.
- Pseudonymization & isolation: Multi-tenant architecture with row-level security (RLS) ensuring complete data isolation between customers.
- Confidentiality & access control: Role-based access control (RBAC), JWT authentication with httpOnly cookies, and principle of least privilege for all system access.
- Integrity & audit trails: Immutable audit logging of all data modifications with optional AWS QLDB blockchain verification for tamper-evidence.
- Availability & resilience: AWS Fargate with auto-scaling, multi-AZ RDS database deployments, automated backups, and disaster recovery procedures.
- Restoration: Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
- Testing: Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures, including penetration testing and vulnerability assessments.
For full details, see our Security page.
9. Audit Rights
EmitIQ will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or a qualified third-party auditor mandated by the Controller. Audits shall be conducted with reasonable prior notice (not less than thirty (30) days), during normal business hours, and in a manner that does not unreasonably disrupt EmitIQ's operations. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by EmitIQ. EmitIQ may satisfy audit requests by providing relevant SOC 2 Type II reports, ISO certifications, or equivalent third-party audit documentation.
10. Liability
Each party shall be liable for damages caused by processing that infringes the GDPR or this DPA, in accordance with GDPR Article 82. EmitIQ's total aggregate liability under this DPA shall be subject to the limitation of liability set forth in the main Terms of Service agreement between the parties.
11. Term & Termination
This DPA is effective for the duration of the main Terms of Service agreement. Upon termination of the service agreement, EmitIQ will, at the Controller's election, delete or return all Personal Data within thirty (30) days, except where retention is required by applicable law (including the seven-year retention requirement for SB 253 emissions data and audit records). EmitIQ will certify deletion in writing upon the Controller's request.
12. Contact
For DPA inquiries, to execute this agreement, or to request a copy of our Standard Contractual Clauses, contact us at [email protected].