Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement between the business customer (“Customer”) and AlphaSmith, Inc. [TBD: counsel input] (“AlphaSmith”) for use of the AlphaSmith platform. It governs AlphaSmith’s processing of Customer Personal Data on Customer’s behalf. Effective date: April 17, 2026.

1. Roles and subject matter

For Customer Personal Data processed through the Services, Customer is the Controller and AlphaSmith is the Processor. Where Customer acts as a Processor on behalf of a further Controller, AlphaSmith acts as a Sub-Processor. The subject matter of processing is the provision of the Services described in the Terms of Service; the duration is the term of that agreement.

2. Scope of processing

• Categories of data subjects: Customer’s authorized users, administrators, and end-users whose portfolio or usage data is processed.
• Categories of personal data: identifiers (name, email), authentication metadata, usage and log data, portfolio and trading data, and support communications.
• Nature and purpose: hosting, security, analytics, alerting, AI-driven forecasting, billing, and support.

3. Processor obligations

AlphaSmith will: (a) process Customer Personal Data only on Customer’s documented instructions, including those given through the Services; (b) ensure personnel authorized to process Customer Personal Data are bound by confidentiality; (c) implement appropriate technical and organizational measures as described in our Information Security Statement; (d) assist Customer with data-subject rights, data-protection impact assessments, and prior consultations, at Customer’s cost where disproportionate; and (e) on termination, return or delete Customer Personal Data at Customer’s choice, subject to legal retention obligations.

4. Sub-processors

Customer authorizes AlphaSmith to engage sub-processors. Current sub-processors include:

• Stripe, Inc. — payment processing (U.S.).
• Twilio SendGrid, Inc. — transactional email (U.S.).
• Anthropic, PBC — AI model inference for daily briefings (U.S.).
• InMotion Hosting, Inc. — application hosting (U.S.).
• RunPod, Inc. — compute and analytics hosting (U.S.).
• Market-data vendors supplying price and fundamental data (U.S.).

AlphaSmith flows down substantially equivalent data-protection obligations to each sub-processor. We will notify Customer of material changes to the sub-processor list at least 30 days before they take effect; Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith on a resolution.

A current list of sub-processors is maintained at /legal/sub-processors (coming shortly) and is date-stamped on each update. Customers may subscribe to sub-processor change notifications by emailing privacy@alphasmith.ai with the subject line “Subscribe sub-processor updates.” We will notify subscribed customers by email at least 30 days before engaging any new sub-processor for regulated data processing, including the identity of the sub-processor, the categories of data involved, and the processing location.

5. International transfers

Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to jurisdictions without an adequacy decision, AlphaSmith relies on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with supplementary measures as warranted.

6. Security incidents

AlphaSmith will notify Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data, providing information reasonably available about the nature of the breach, likely consequences, and measures taken or proposed.

7. Data-subject rights

Taking into account the nature of the processing, AlphaSmith will provide reasonable assistance to Customer in responding to data-subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.

8. Audit rights

AlphaSmith will make available information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports where available (such as SOC 2 once complete [TBD: counsel input]). On reasonable written notice, Customer may conduct an on-site audit at its expense, subject to confidentiality and scheduling requirements, not more than once every 12 months except in the case of a material incident.

9. Return or deletion

On termination or expiration of the main agreement, AlphaSmith will, within 30 days and at Customer’s choice, return or securely delete Customer Personal Data, except to the extent retention is required by law. Residual backup copies are deleted according to our standard backup rotation.

10. Liability

Each party’s liability under this DPA is subject to the liability limitations of the main agreement.

11. Contact

Requests for execution of this DPA, sub-processor lists, or security documentation should be sent to privacy@alphasmith.ai.