Loonar ApS Data Processing Agreement

Effective Date: December 18th, 2025
Change Log:
February 16th, 2025 - Added Landing AI Inc. as sub-processor in Appendix C

This Data Processing Agreement (the “DPA”) forms part of the principal agreement governing the provision of the Loonar platform and related services between:

  • Controller: The customer entity that has entered into a contract for the use of Loonar (the “Principal Agreement”)

  • Processor: Loonar ApS, CVR 46064933, registered office at Vesterbrogade 192, 2.10., 1800 Frederiksberg, Copenhagen, Denmark (the “Processor”)

Controller and Processor are each a “Party” and together the “Parties”.

1. Purpose, scope and precedence

1.1 This DPA sets out the rights and obligations of the Parties when Processor processes Personal Data on behalf of Controller in connection with the provision of the Loonar platform and related services under the Principal Agreement.

1.2 The DPA is intended to meet the requirements of Article 28 of Regulation (EU) 2016/679 (the GDPR) for contracts between controllers and processors.

1.3 The subject matter, nature and purpose of the processing, the categories of data subjects and personal data, and the duration of the processing are described in Appendix B (Description of Processing).

1.4 In case of conflict between this DPA and the Principal Agreement on matters relating to data protection, this DPA prevails.

1.5 This DPA applies for as long as the Processor processes Personal Data on behalf of the Controller under the Principal Agreement.

2. Roles of the Parties and instructions

2.1 Controller is the data controller with respect to the Personal Data and determines the purposes and means of the processing.

2.2 Controller is responsible for ensuring that the processing of Personal Data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State data protection provisions, and this DPA.

2.3 Controller shall be responsible for ensuring that the processing of Personal Data, which the Processor is instructed to perform, has a legal basis in accordance with the GDPR.

2.4 Processor is the data processor and shall only process Personal Data on documented instructions from Controller, as described in this DPA, in the Principal Agreement and in Appendix A Cybersecurity, unless required to do so by applicable law. In that case, Processor shall inform Controller of that legal requirement before processing, unless the law prohibits such information.

2.5 If Processor considers that an instruction from Controller infringes the GDPR or other applicable data protection laws, Processor shall inform Controller without undue delay and may suspend the relevant processing until the instruction is confirmed, amended or withdrawn.

3. Confidentiality

3.1 Processor shall ensure that persons authorised to process Personal Data on its behalf are subject to an appropriate duty of confidentiality, whether contractual or statutory.

3.2 Processor shall ensure that such persons only have access to Personal Data to the extent strictly necessary to perform their tasks for Processor and Controller, in accordance with the principle of least privilege. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access shall be withdrawn if access is no longer necessary. Such access shall be solely for the purposes of maintaining and developing the platform and shall not be used in any other way.

3.3 Processor shall at the request of the Controller demonstrate that the concerned persons under the Processor’s authority are subject to the duty of confidentiality specified in Clause 3.1.

4. Security of processing

4.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks for the rights and freedoms of natural persons, Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR.

4.2 Processor’s technical and organisational security measures are described in Appendix A (Cybersecurity). The Processing is EU-centric: the Platform is deployed in EU regions only and, where the Processor uses third-party services for provision of the Platform, such services are configured to use EU endpoints. Notwithstanding the foregoing, if any processing occurs outside the EEA, Switzerland, or the United Kingdom, Loonar maintains an unbroken chain of compliance by selecting Sub-processors that align with EU GDPR requirements regardless of their geographic location.

4.3 Processor shall regularly review and update its technical and organisational measures to address changes in risks, technology and regulatory expectations. Any material reduction in the overall level of protection shall not be implemented without Controller’s prior written consent.

5. Use of Sub-processors

5.1 Controller grants Processor general authorisation to engage third parties as sub-processors for the processing of Personal Data on behalf of Controller (each a “Sub-processor”), subject to the conditions in this section and in Appendix C (Sub-processors).

5.2 Processor shall enter into a written contract with each Sub-processor that imposes data protection obligations which are no less protective than those set out in this DPA, including appropriate technical and organisational measures.

5.3 Processor shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations regarding the processing of Personal Data.

5.4 Processor shall maintain an up-to-date list of Sub-processors and make it available to Controller as described in Appendix C.

5.5 Processor shall notify Controller in advance of any intended addition or replacement of a Sub-processor. The notice shall include the Sub-processor’s name, the location(s) where the relevant Processing will be performed, and a brief description of the Processing activities the Sub-processor will carry out. Notice may be given by email or other written means, including posting an update to a website or portal provided Controller has a mechanism to receive notice of the update.

5.6 Processor shall ensure each Sub-processor is bound by written terms imposing data protection obligations no less protective than those in this DPA, including as applicable confidentiality, security measures, restrictions on onward transfers, assistance obligations, and deletion/return.

5.7 Controller may object in writing within fourteen (14) days of receiving notice. Any objection must be limited to reasonable grounds related to data protection, including the Sub-processor’s demonstrable failure to provide the same or a reasonably comparable level of protection for Controller’s Personal Data as that provided under this DPA and applicable data protection law (a “Reasonable Objection”).

5.8 If Controller raises a Reasonable Objection, Processor shall use reasonable efforts to address the objection or propose an alternative Sub-processor. If the Parties cannot resolve the objection within thirty (30) days of Processor’s receipt of it, Controller may terminate the affected Services on written notice, without penalty, as its sole and exclusive remedy.

6. Data residency, data flow and international transfers

6.1 By design, Controller data is stored and backed up in data centers located in the European Union, unless otherwise agreed in writing. Further details on hosting and data residency controls are set out in Appendix A (Cybersecurity).

6.2 Documents such as RFQs, proposals and technical attachments uploaded to the Platform are stored within Controller’s own tenant environment, and processing for search and analysis takes place within this environment. Further details on tenant isolation and related security controls are set out in Appendix A (Cybersecurity).

6.3 When a user initiates a query or workflow that uses AI capabilities, the Processor transmits only the relevant text excerpts and necessary context from within the Controller's tenant to the relevant AI models. Full documents are not sent to external AI providers. Further details on excerpting and AI data-flow controls are set out in Appendix A (Cybersecurity).

6.4 These excerpts are transmitted over encrypted connections to the relevant AI models, and are not used for purposes other than processing the request, such as model training or improvement of general purpose models. Further details on encryption and third-party AI processing safeguards are set out in Appendix A (Cybersecurity).

6.5 Processor does not use Controller’s data, prompts or outputs for model training or for improving general purpose models, and outputs remain dedicated to Controller’s own tenant without re-use for other customers. Further details are set out in Appendix A (Cybersecurity).

6.6 International transfers (EEA, UK, Switzerland). Loonar ApS shall ensure that any personal data processed outside the EEA, the UK, or Switzerland (a “Restricted Transfer”) is conducted in accordance with Chapter V of the GDPR. Processor relies on:

6.6.1 Adequacy Decisions: Transfers to territories recognized by the European Commission as offering essentially equivalent protection. In these cases, a Transfer Impact Assessment (TIA) is not required.

6.6.2 Article 46 Tools and Transfer Impact Assessment (TIA): In the absence of an adequacy decision, Processor utilizes EU Standard Contractual Clauses (SCCs) and conducts a mandatory TIA to evaluate the effectiveness of the tool against local laws.

6.6.3 UK transfers. Where a Restricted Transfer is subject to UK data protection law, the EU SCCs shall apply as amended by the UK International Data Transfer Addendum issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 (in force 21 March 2022), or any successor mechanism.

6.6.4 Swiss transfers. Where a Restricted Transfer is subject to Swiss data protection law, the EU SCCs shall apply with the following modifications: (a) references to the GDPR are construed as references to the Swiss Federal Act on Data Protection (“FADP”); (b) references to the “competent supervisory authority” are construed as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC); (c) where the transfer is subject to both the GDPR and the FADP, supervisory authority references apply accordingly; (d) “personal data” includes data of legal entities to the extent protected under the FADP; and (e) Clause 18(c) is construed to permit data subjects in Switzerland to bring proceedings in Switzerland.

7. Assistance to Controller

7.1 Taking into account the nature of the processing and the information available to Processor, Processor shall assist Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling Controller’s obligations to respond to requests from data subjects to exercise their rights under Chapter III GDPR.

7.2 Processor shall promptly notify Controller if Processor receives a request from a data subject that appears to relate to Personal Data processed on behalf of Controller. Processor shall not respond directly to such a request unless authorised or required by law, in which case Processor shall inform Controller, unless prohibited by law.

7.3 Processor shall, taking into account the nature of the processing and the information available to Processor, assist Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR, including obligations relating to security, data protection impact assessments and prior consultation with supervisory authorities.

8. Personal data breaches

8.1 Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Controller.

8.2 The notification shall include sufficient information to enable Controller to meet its obligations under Articles 33 and 34 GDPR, to the extent such information is available to Processor, including at least:

  • a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned

  • a description of the likely consequences of the Personal Data Breach

  • a description of measures taken or proposed to address the Personal Data Breach and to mitigate its possible adverse effects

8.3 Processor shall cooperate with Controller and take reasonable steps as directed by Controller to assist in the investigation, mitigation and remediation of the Personal Data Breach.

9. Return and deletion of data

9.1 Upon termination or expiry of the Services involving the Processing of Personal Data, and at the choice of the Controller, the Processor shall return to the Controller or delete all Personal Data (including copies) Processed on behalf of the Controller, unless the Processor is required by applicable law to retain some or all of the Personal Data.

9.2 Deletion shall be performed in accordance with the Processor’s deletion and retention procedures described in Appendix A (Cybersecurity), including the handling of archival copies and backups as part of standard retention and restoration cycles.

9.3 Processor shall provide Controller with written confirmation upon completion of the requested deletion, upon request by Controller.

10. Audit and inspection

10.1 Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR and this DPA and shall allow for, and contribute to, audits, including inspections, conducted by Controller or an auditor mandated by Controller, subject to reasonable prior notice, at reasonable intervals and during normal business hours.

10.2 Audits shall be conducted in a manner that does not unreasonably interfere with Processor’s business operations and shall be subject to customary confidentiality protections. Controller shall bear the costs of its own personnel and resources used for any audit and, if Controller chooses to use an external auditor, all costs and expenses of that auditor.

10.3 Processor may satisfy audit obligations under this section by providing third party audit reports, certifications or summaries of security assessments that are relevant to the services, where these provide a level of assurance that is at least equivalent to on site inspections.

11. Liability and indemnity

11.1 As set out in the Principal Agreement, each Party’s liability and any indemnity obligations arising from or in connection with this DPA (including any Processing performed under Controller’s instructions) are subject to the limitations and exclusions set out in the Principal Agreement, and this DPA does not create any additional liability or indemnity obligations. Nothing in this DPA excludes or limits either Party’s liability where such exclusion or limitation is not permitted under applicable law.

12. Term and termination

12.1 This DPA enters into force upon signature by both Parties or upon the effective date of the Principal Agreement, whichever is earlier, to the extent Processor processes Personal Data on behalf of Controller.

12.2 This DPA remains in force for as long as Processor processes Personal Data on behalf of Controller under the Principal Agreement.

12.3 Termination of the Principal Agreement automatically results in termination of this DPA, except for provisions which by their nature are intended to survive, including obligations regarding confidentiality, data deletion and liability.

13. Governing law and jurisdiction

13.1 This DPA is governed by the same law that governs the Principal Agreement.

13.2 Any disputes arising from or in connection with this DPA shall be subject to the same jurisdiction and dispute resolution mechanism as set out in the Principal Agreement.

14. Contact points

14.1 Each Party shall designate contact points for data protection matters, including, where applicable, the contact details of any data protection officer. These may be updated by either Party by written notice.


Appendix A - Cybersecurity

This appendix explains the cybersecurity approach on which Loonar is built. More information on how data is processed is available in the Data Processing Agreement at: loonar-ai.com/dpa

A.1 Hosting, architecture and EU data residency

EU data residency: all Client data is stored and backed up in data centres located in the European Union, unless otherwise agreed in writing.

Architecture and security controls are designed in line with ISO 27001 information security management principles, including risk based controls for confidentiality, integrity and availability.

Network posture is private by default, with no direct inbound public access to core application components and controlled outbound connectivity only to approved services.

Tenant isolation is enforced at application, database and object storage level so that Client data is logically segregated from all other customers.

Secrets such as keys and credentials are stored in dedicated secret management services with restricted access and are never embedded in source code or container images.

A.2 Data flow and Zero Data Retention

Documents such as RFQs, past proposals and technical attachments are uploaded to Loonar and stored in encrypted storage within the Client tenant. Indexing (text and, where applicable, structured metadata) happens only inside this environment.

When a user asks a question or runs an analysis, Loonar selects only the minimum, relevant excerpts from the stored documents and uses them to build the request to the AI models; the full document set is never sent to external providers.

These excerpts are transmitted to AI model providers over encrypted connections and processed in strict Zero Data Retention (ZDR) mode: prompts and outputs are not stored persistently and are not available for training or later reuse by the provider.

The resulting answers are stored only inside Loonar, within the Client tenant. Client data and AI generated responses remain inside Loonar and are not shared with other customers.

A.3 AI models and data use guarantees

Loonar ApS does not use Client data, prompts or responses to train or improve any internal or external AI model.

AI providers are contractually required to operate in Zero Data Retention mode for the Client tenant: prompts and outputs are processed only to generate the response and are not logged as content or reused for training.

Provider and sub processor lists, together with applicable technical and organisational measures, are described in the Loonar ApS Data Processing Agreement (DPA) and associated sub processor register.

A.4 Data protection, GDPR and privacy

Roles, responsibilities and legal bases for personal data processing are governed by the Loonar ApS DPA referenced in Section 5.3 (https://loonar-ai.com/dpa)

Loonar ApS applies data minimisation and purpose limitation, collecting and processing only the information needed to deliver the service and to operate, secure and support the platform.

Data subject rights, including access, rectification, restriction and deletion, are supported via administrative tools or documented support processes as described in the DPA.

Upon contract termination and after any requested exports, Client data is deleted from production systems, subject to legally required retention.

A.5 Authentication and access control

Identity: the platform uses platform managed authentication; no third party identity provider is required.

Multi factor authentication (MFA) is available and can be enforced for all or selected users according to Client policy.

Role based access control follows a least privilege model; access to administrative functions and sensitive features is restricted to authorised users and is periodically reviewed.

Session management includes reasonable timeouts and session invalidation on logout or credential change.

A.6 Logging and audit

Security relevant events such as authentication attempts, document access, configuration changes, export operations and AI model calls are logged.

Logs are stored in dedicated log storage with access controls and integrity protection and are retained for a limited period consistent with legal and contractual requirements.

A.7 Security operations and preventive controls

The service operates on cloud infrastructure with hardened baselines for operating systems, containers and dependencies.

Preventive controls include network edge protection and traffic filtering, for example distributed denial of service (DDoS) mitigation, firewalls and web application firewall protections, as well as vulnerability and dependency scanning and regular secret rotation.

Vulnerability management processes are in place to identify known issues and remediate them based on risk and criticality.

A.8 Integrations and content sources

Client repositories such as file shares or document management systems remain the system of record. Loonar indexes or caches only what is needed to deliver search and AI functionality.

Connectors are configured with least privilege scopes so that only required folders, libraries or projects are accessible.

Large binary assets or content not needed for analysis are excluded from indexing where possible.

A.9 Backups, business continuity and disaster recovery

Core metadata and index structures are backed up periodically and backups are encrypted at rest and in transit.

Restoration procedures are documented and tested periodically to verify recoverability.

Business continuity and disaster recovery plans define recovery objectives and the general response to major incidents affecting platform availability.

A.10 Data export and portability

Client administrators can request export of documents, metadata and configuration in commonly used formats.

After termination or expiry and completion of any requested export, Loonar ApS deletes Client data from production systems, subject to legal retention obligations and the DPA (https://loonar-ai.com/dpa).

A.11 Vendor management

Third party providers such as hosting platforms and AI model vendors are subject to security and data protection due diligence, including review of public security documentation and contractual commitments.

Loonar ApS maintains a register of sub processors and makes it available as set out in the DPA.


Appendix B - Description of Processing

B.1 Subject matter, nature and purpose of processing

Processor provides a hosted SaaS platform, Loonar, which supports Controller’s RFQ and proposal processes by storing, indexing and analysing Controller’s documents and related data, including through AI supported features such as requirement extraction, deviation analysis and technical clarifications.

B.2 Categories of data subjects

Depending on Controller’s use of the services, Personal Data may concern the following categories of data subjects:

  • Employees, contractors and other staff of Controller

  • Employees and representatives of Controller’s customers, suppliers and other business partners

  • Other individuals whose Personal Data appears in documents that Controller uploads to the platform

B.3 Categories of Personal Data

Personal Data processed may include:

  • Identification and contact details such as name, job title, role, email address, phone number, employer

  • Business related information contained in RFQs, proposals, contracts and correspondence, where such information relates to an identified or identifiable natural person

  • Technical and project related comments or annotations linked to users or other individuals

  • Authentication and usage related data such as login identifiers, roles, activity logs and audit trails

Special categories of data are not intended to be processed. Controller is responsible for avoiding the upload of sensitive personal data unless necessary and lawfully justified. If special categories of data are processed, this will be under the Controller's responsibility and instructions.

B.4 Processing operations

Processing may include:

  • Collection, receiving and uploading of data into the platform

  • Storage, organisation and structuring

  • Indexing, searching and retrieval

  • Use of AI models on selected text excerpts for analysis and content generation

  • Display of results, reports and exports

  • Transmission of limited prompts and excerpts to AI providers under Zero Data Retention mode

  • Backup, restoration, logging and security monitoring

B.5 Duration

Processing takes place for the term of the Principal Agreement and any data retention period agreed between the Parties, after which Personal Data is returned or deleted in accordance with section 9 of this DPA.


Appendix C - Sub-Processors

Processor currently uses or may use the following categories of Sub-processors:

  • Infrastructure and hosting providers operating EU based data centres

  • Managed database and storage providers in the EU

  • AI model providers that process limited text excerpts under Zero Data Retention and no training commitments

  • Monitoring, logging and alerting service providers

  • Email and notification service providers

C.1 Sub-processor Registry

Sub-processor: Google LLC (“Google Cloud”)

Primary Transfer Mechanism: Adequacy Decision: Active certification under the EU-U.S. Data Privacy Framework (DPF), including the UK Extension and Swiss-U.S. DPF.

TIA Requirement: Not Required: A TIA is not mandatory for transfers to countries/entities covered by an adequacy decision, as the legal framework has been pre-vetted by the European Commission.

Fallback Safeguards & Documentation: EU SCCs: Module 3 (Processor to Processor). Applicable SCC: https://cloud.google.com/terms/sccs/eu-p2c?hl=en


Sub-processor: LandingAI, Inc. ("LandingAI")

Primary Transfer Mechanism: Adequacy Decision: EU-hosted deployment; all data stored and processed within EU data centres. LandingAI, Inc. is a US-based entity; for any processing elements routed to the US, reliance is placed on the EU-U.S. Data Privacy Framework (DPF).

TIA Requirement: Not Required for EU-resident processing. TIA performed for any non-EU processing element.

Fallback Safeguards & Documentation: EU SCCs: Available upon request. EU data residency configuration ensures data at rest and in transit remains within the EU.

Loonar ApS © 2025 - registered in Vesterbrogade 192, 2.10., 1800 Frederiksberg, Copenhagen, Denmark (CVR/VAT 46064933), owned by coosmo Holding ApS (CVR/VAT 46058046)