Data Protection Standard

Standard Data Processing Agreement | Version 2.0 | Last updated: 3 January 2026 | Governed by ADGM Law

This Data Processing Addendum ("DPA") forms part of, supplements, and is incorporated by reference into the Cozmo Terms of Service, master services agreement, order form, subscription terms, or other written or electronic agreement (the "Agreement") governing the provision of the Services by CozmoX AI Ltd, a company incorporated in the Abu Dhabi Global Market ("Cozmo," "we," or "us"), to the customer that accesses or uses the Services ("Customer" or "you"). Cozmo and Customer are each a "Party" and together the "Parties."

The Services include Cozmo's multimodal AI agent platform and products (including, as applicable, the products marketed as Cozmo and Tideline), which may process voice, visual (image, video, and document), and text inputs on Customer's behalf. Capitalized terms not defined in this DPA have the meaning given to them in the Agreement, or, failing that, in Applicable Data Protection Laws.

Acceptance

By accepting the Agreement, or by accessing or using the Services, Customer agrees to this DPA. Where an individual accepts this DPA on behalf of an entity, that individual represents that they have authority to bind the entity. This DPA does not require a handwritten or electronic signature to be effective, and any Standard Contractual Clauses incorporated by reference are deemed entered into by the Parties on Customer's acceptance of the Agreement. Cozmo may update this DPA from time to time in accordance with Section 15; the "Last updated" date above indicates the current version. Except to the extent expressly required by Applicable Data Protection Laws, in the event of any conflict between this DPA and the Agreement, the Agreement prevails, and nothing in this DPA expands Cozmo's obligations or reduces any right, license, protection, discretion, or limitation of liability reserved to Cozmo under the Agreement.

Definitions and Interpretation

Capitalized terms used but not defined in this DPA have the meaning given in the Agreement or, failing that, under Applicable Data Protection Laws.

"Applicable Data Protection Laws" means all data protection and privacy laws and regulations applicable to a Party's Processing of Personal Data under the Agreement, including, to the extent applicable: (a) European Data Protection Laws; (b) the UK GDPR and the UK Data Protection Act 2018; (c) the Swiss Federal Act on Data Protection ("FADP"); (d) U.S. State Privacy Laws, including the California Consumer Privacy Act as amended ("CCPA"); (e) the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL"); and (f) the Abu Dhabi Global Market Data Protection Regulations 2021 (the "ADGM DP Regulations"); in each case as amended, superseded, or replaced from time to time.

"Biometric Data" means Personal Data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, including voiceprints and other voice characteristics capable of uniquely identifying that person.

"Controller" means the entity that determines the purposes and means of the Processing of Personal Data, and includes a "business" under the CCPA and any equivalent term under Applicable Data Protection Laws.

"Customer Personal Data" means any Personal Data that Cozmo Processes solely as a Processor on behalf of Customer in the course of providing the Services, as further described in Annex I.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates, and includes a "consumer" under the CCPA and any equivalent term under Applicable Data Protection Laws.

"Data Subject Request" means a request by or on behalf of a Data Subject to exercise any right under Applicable Data Protection Laws.

"European Data Protection Laws" means Regulation (EU) 2016/679 (the "GDPR"), the e-Privacy Directive 2002/58/EC, and their national implementing laws within the European Economic Area ("EEA").

"EEA SCCs" means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced.

"Personal Data" means any information relating to an identified or identifiable natural person Processed under the Agreement, and includes "personal information" under the CCPA.

"Personal Data Breach" or "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

"Process" and "Processing" have the meaning given under Applicable Data Protection Laws.

"Processor" means the entity that Processes Personal Data on behalf of a Controller, and includes a "service provider" or "contractor" under the CCPA.

"SCCs" means the EEA SCCs and/or the UK Addendum, as applicable to a given transfer.

"Services" means the products, software, and services provided by Cozmo to Customer under the Agreement.

"Special Category Data" means Personal Data revealing the categories described in Article 9 of the GDPR (including Biometric Data Processed to uniquely identify a person) and any equivalent sensitive category under Applicable Data Protection Laws.

"Sub-processor" means any third party (including Cozmo's affiliates) engaged by Cozmo to Process Customer Personal Data on Customer's behalf.

1.1 Interpretation

The terms "Commission," "Member State," and "Supervisory Authority" have the meaning given in the GDPR. The terms "Sell," "Share," "Business Purpose," and "Commercial Purpose" have the meaning given under U.S. State Privacy Laws. References to legislation include any amendment, replacement, or re-enactment of it.

Roles of the Parties and Scope

2.1 This DPA applies where, and to the extent that, Cozmo Processes Customer Personal Data as a Processor on behalf of Customer, where Customer acts either as a Controller or as a Processor on behalf of a third-party controller. Where Customer is a Processor, Cozmo acts as a Sub-processor.

2.2 As between the Parties, Customer is responsible for compliance with the obligations of a Controller under Applicable Data Protection Laws. In particular, Customer is responsible for establishing a lawful basis for the Processing and for providing all required notices to, and obtaining all required consents and authorizations from, Data Subjects (including callers, claimants, policyholders, account holders, and other end users whose data is captured by the Services) in respect of the Processing carried out by Cozmo.

2.3 Cozmo will comply with the obligations applicable to a Processor under Applicable Data Protection Laws in respect of its Processing of Customer Personal Data.

2.4 Where Customer acts as a Processor on behalf of a third-party controller, Customer: (a) is the sole point of contact for Cozmo; (b) will obtain all authorizations necessary for the Processing contemplated by this DPA; (c) will ensure the third-party controller provides all required notices and obtains all required consents; and (d) will issue all instructions and exercise all rights under this DPA on behalf of the third-party controller.

2.5 The subject matter, duration, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of Data Subjects are set out in Annex I.

Cozmo's Processing of Customer Personal Data

3.1 Cozmo will Process Customer Personal Data for the purposes of providing the Services and as otherwise described in or contemplated by the Agreement and this DPA. Customer's documented instructions are constituted by the Agreement, this DPA, the applicable order form, and Customer's configuration and use of the Services.

3.2 Customer's instructions are deemed to include, and Customer authorizes, all Processing that Cozmo reasonably considers necessary, useful, or incidental to providing, operating, securing, supporting, analyzing, developing, and improving the Services and Cozmo's related technologies, as further described in Section 4. Cozmo determines the means of Processing in its discretion.

3.3 If Cozmo is required by law to Process Customer Personal Data other than as contemplated by this DPA, Cozmo may do so, and will inform Customer where it considers this appropriate and is legally permitted to do so.

Use of Data; Service Improvement; Ownership

4.1 Permitted Use

Customer authorizes Cozmo to, and Cozmo may, Process Customer Personal Data and any other data, content, inputs, and outputs made available through or generated by the Services, and any data, insights, learnings, configurations, or models derived from them, for the purposes of providing, operating, maintaining, securing, supporting, monitoring, analyzing, developing, enhancing, and improving the Services and Cozmo's other current and future products, technologies, models, and business operations, and for any other purpose described in or contemplated by the Agreement or this DPA.

4.2 Derived and De-Identified Data

Cozmo may create, compile, and retain aggregated, derived, learned, configured, statistical, and de-identified data and materials in connection with the Services. As between the Parties, all such data and materials, together with all software, models, algorithms, configurations, know-how, methods, and improvements developed, trained, refined, or otherwise generated in connection with the Services, are and remain owned exclusively by Cozmo, and Cozmo may use, retain, license, and otherwise exploit them for any lawful purpose, during and after the term of the Agreement, without restriction, accounting, or obligation to Customer.

4.3 Discretion and Flexibility

The means, methods, infrastructure, models, model providers, and Sub-processors used to deliver, secure, and improve the Services are selected and determined by Cozmo in its sole discretion and may change from time to time. Cozmo is not required to disclose the internal technical details of its Processing or of its products and models.

Confidentiality and Personnel

5.1 Cozmo will treat Customer Personal Data as Customer's Confidential Information under the Agreement and will not disclose it except as permitted by this DPA or required by law.

5.2 Cozmo will ensure that access to Customer Personal Data is limited to those personnel, contractors, and agents who need access to perform Cozmo's obligations, and that all such persons are bound by appropriate obligations of confidentiality and have received appropriate training in the protection of Personal Data.

Security

6.1 Cozmo will implement technical and organizational measures that it considers, in its reasonable discretion, appropriate to protect Customer Personal Data, having regard to the nature of the Services and generally accepted industry practice. A general, non-exhaustive description of the types of measures Cozmo may employ is set out in Annex II for information only.

6.2 Cozmo may add to, modify, or replace its security measures at any time in its discretion. The descriptions in Annex II do not create any specific or binding commitment, and Cozmo's sole security obligation is as set out in Section 6.1.

Sub-processors

7.1 General Authorization and Discretion

Customer grants Cozmo a general authorization to engage, appoint, replace, and remove Sub-processors (including Cozmo's affiliates) at any time and in Cozmo's discretion to Process Customer Personal Data in connection with the Services. A list of current Sub-processors may be made available by Cozmo on written request to founders@hellocozmo.ai.

7.2 Flow-Down

Cozmo will impose on its Sub-processors such data protection obligations as Cozmo considers appropriate. Cozmo's responsibility and liability for the acts and omissions of its Sub-processors is subject to, and limited by, the limitations and exclusions of liability set out in the Agreement and this DPA.

7.3 Notice and Objection

Cozmo may, but is not obligated to, notify Customer of changes to its Sub-processors. Customer's continued use of the Services constitutes acceptance of the then-current Sub-processors. To the extent Applicable Data Protection Laws require an objection right, Customer's sole and exclusive remedy is to terminate the affected portion of the Services on written notice within thirty (30) days, without refund or further liability of Cozmo.

Assistance with Data Subject Requests

8.1 Taking into account the nature of the Processing, Cozmo will provide such assistance in responding to Data Subject Requests as Cozmo reasonably determines to be practicable, to the extent required by Applicable Data Protection Laws, and at Customer's expense.

8.2 If Cozmo receives a Data Subject Request directly, it will, to the extent legally permitted, promptly inform the Data Subject that the request should be directed to Customer, and will not respond except on Customer's documented instructions or as required by law.

Security Incidents

9.1 Cozmo will notify Customer within a reasonable period after Cozmo has confirmed a Security Incident that Cozmo determines to be material and to materially affect Customer Personal Data.

9.2 The notification will include such information regarding the Security Incident as Cozmo considers appropriate and as is reasonably available to Cozmo at the time. Cozmo may provide information in phases as it becomes available.

9.3 Cozmo will provide reasonable assistance to Customer in connection with Customer's investigation and mitigation of a Security Incident. Cozmo's notification of, or response to, a Security Incident is not an acknowledgment of fault or liability.

Deletion and Retention of Customer Personal Data

10.1 This DPA terminates automatically on termination or expiry of the Agreement.

10.2 Following termination or expiry of the Agreement, Cozmo may delete or retain Customer Personal Data in accordance with its standard practices and applicable law. On Customer's written request, Cozmo will use commercially reasonable efforts to delete or return Customer Personal Data within a reasonable period, except to the extent retention is permitted under Section 10.3 or is otherwise consistent with Cozmo's rights under this DPA.

10.3 Notwithstanding the foregoing, Cozmo may retain (a) Customer Personal Data as permitted or required by law or for the establishment, exercise, or defense of legal claims; (b) Customer Personal Data contained in routine backups and archives, which will be overwritten or deleted in the ordinary course; and (c) any aggregated, derived, learned, or de-identified data and materials described in Section 4, which Cozmo may retain and use indefinitely.

10.4 On Customer's reasonable request, Cozmo will confirm its handling of Customer Personal Data in such manner as Cozmo considers appropriate.

Audits, Reports, and Impact Assessments

11.1 Cozmo may, at its discretion and subject to confidentiality obligations, make available a then-current third-party audit report or certification (such as a SOC 2 report or ISO/IEC 27001 certification) if and to the extent Cozmo holds one. The provision of such materials, where available, satisfies Customer's information, audit, and inspection rights in full to the maximum extent permitted by Applicable Data Protection Laws.

11.2 Customer has no right to conduct on-site audits or inspections of Cozmo's premises, systems, or personnel. To the extent an audit is strictly and unavoidably required by Applicable Data Protection Laws and cannot be satisfied under Section 11.1, the Parties will discuss in good faith a limited, remote, document-based review, subject to Cozmo's reasonable conditions, occurring no more than once in any twelve-month period, on reasonable prior written notice, in a manner that does not disrupt Cozmo's operations or require disclosure of other customers' data or Cozmo's confidential or proprietary information, and at Customer's expense.

11.3 Cozmo will provide such assistance with data protection impact assessments and prior consultations as Cozmo reasonably considers practicable, to the extent strictly required by Applicable Data Protection Laws and at Customer's expense.

International Data Transfers

12.1 Customer authorizes Cozmo to transfer Customer Personal Data outside the jurisdiction of origin where required to provide the Services, provided that such transfer is made: (a) to a jurisdiction recognized as providing an adequate level of protection by the relevant competent authority (including, for EEA-to-U.S. transfers, on the basis of the EU-U.S. Data Privacy Framework where applicable); (b) under the SCCs as completed by this Section 12; or (c) under another lawful transfer mechanism permitted by Applicable Data Protection Laws.

12.2 EEA Transfers

Where Customer Personal Data originating in the EEA is transferred to Cozmo in a country without an adequacy decision, the EEA SCCs are incorporated into this DPA and deemed entered into, completed as follows: (a) Module Two (Controller-to-Processor) applies where Customer is a Controller, and Module Three (Processor-to-Processor) applies where Customer is a Processor; (b) Cozmo is the "data importer" and Customer is the "data exporter"; (c) the docking clause in Clause 7 does not apply; (d) under Clause 9, Option 2 (general written authorization) applies, with the time period in Section 7.3; (e) the optional language in Clause 11(a) does not apply; (f) under Clause 17, the governing law is the law of Ireland; (g) under Clause 18(b), the courts of Ireland have jurisdiction; and (h) Annexes I and II serve as the corresponding Annexes to the EEA SCCs.

12.3 UK Transfers

Where Customer Personal Data subject to the UK GDPR is transferred, the UK Addendum is incorporated, with the "Approved EU SCCs" being the EEA SCCs as completed in Section 12.2.

12.4 Swiss Transfers

Where data is subject to the FADP, the EEA SCCs apply with references to the GDPR read as references to the FADP to the extent applicable; the competent authority is the Swiss Federal Data Protection and Information Commissioner; and "Member State" is interpreted so as not to deprive Data Subjects in Switzerland of the right to bring proceedings in their place of habitual residence.

12.5 UAE and ADGM Transfers

Transfers subject to the UAE PDPL or the ADGM DP Regulations will be made in accordance with the cross-border transfer provisions of those laws. As an entity incorporated in the Abu Dhabi Global Market, Cozmo will comply with its obligations under the ADGM DP Regulations in respect of such Processing.

12.6 If a transfer mechanism relied on under this Section 12 is invalidated, the Parties will work together in good faith to implement an alternative lawful mechanism without undue delay.

U.S. State Privacy Laws

13.1 This Section applies to the extent Cozmo Processes Customer Personal Data subject to the CCPA or other U.S. State Privacy Laws, in which case Cozmo acts as Customer's "service provider," "processor," or equivalent.

13.2 Cozmo will not: (a) Sell or Share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the Business Purpose of providing the Services, or as otherwise permitted by U.S. State Privacy Laws; (c) retain, use, or disclose Customer Personal Data outside the direct business relationship between the Parties; or (d) combine Customer Personal Data with Personal Data from other sources, except as permitted by U.S. State Privacy Laws.

13.3 Cozmo will provide the level of privacy protection required of a service provider or processor under U.S. State Privacy Laws and will notify Customer if it determines it can no longer meet those obligations.

13.4 The Parties acknowledge that the exchange of Customer Personal Data is not part of any monetary or other valuable consideration exchanged under the Agreement.

Data Residency

14.1 Where Cozmo offers a data residency option for a particular jurisdiction, Customer may request that Customer Personal Data be hosted in that jurisdiction, subject to availability. Even where a residency option is selected, Customer Personal Data may be Processed outside the selected location to the extent necessary for: (a) the use of Sub-processors located elsewhere (subject to Sections 7 and 12); (b) support services; and (c) trust, safety, security, and content-moderation functions.

General

15.1 Order of Precedence

Except where Applicable Data Protection Laws expressly require otherwise, the Agreement prevails over this DPA in the event of any conflict. The SCCs prevail only to the extent of, and in respect of, the specific transfers they govern. Any ambiguity is to be resolved in a manner consistent with the rights, licenses, and protections reserved to Cozmo.

15.2 Limitation of Liability

To the maximum extent permitted by law, Cozmo's total aggregate liability arising out of or in connection with this DPA and its subject matter (including the SCCs) is subject to, and counts toward, the limitations and exclusions of liability set out in the Agreement. In no event will Cozmo be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for any loss of data, profits, revenue, business, or goodwill, arising out of or relating to this DPA, regardless of the theory of liability.

15.3 Indemnity

Customer will defend, indemnify, and hold harmless Cozmo and its affiliates, and their respective officers, directors, employees, and agents, from and against any and all claims, losses, liabilities, damages, fines, penalties, costs, and expenses (including reasonable legal fees) arising out of or relating to (a) Customer Personal Data or Customer's instructions; (b) Customer's use of the Services; (c) Customer's breach of this DPA, the Agreement, or Applicable Data Protection Laws; or (d) the absence, invalidity, or inadequacy of any notice, consent, authorization, or lawful basis for which Customer is responsible under Section 2.

15.4 Affiliates

Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, its authorized affiliates that use the Services, and is responsible for their acts and omissions.

15.5 Changes

Cozmo may amend, update, or replace this DPA at any time in its discretion, effective upon posting an updated version or providing notice to Customer. Customer's continued use of the Services after the effective date of any change constitutes acceptance of it.

15.6 Ownership

All rights in the Services, and in all data, materials, models, configurations, and improvements described in Section 4, are reserved to and retained by Cozmo. No rights are granted to Customer by implication, estoppel, or otherwise except as expressly set out in the Agreement.

15.7 Severability

If any provision of this DPA is held invalid or unenforceable, it will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions remain in full force and effect.

15.8 Governing Law

Except where Applicable Data Protection Laws or the SCCs require otherwise, this DPA is governed by the governing law of the Agreement.

15.9 Term

This DPA remains in effect for as long as Cozmo Processes Customer Personal Data under the Agreement, and those provisions which by their nature should survive (including Sections 4, 10.3, 15.2, and 15.3) survive termination.

Annex I — Description of the Processing

A. List of Parties

Data exporter / Controller: The Customer that accepts the Agreement and uses the Services. Role: Controller, or Processor on behalf of a third-party controller. Identity and contact details are as provided in the Customer's account or the Agreement.

Data importer / Processor: CozmoX AI Ltd, incorporated in the Abu Dhabi Global Market. Role: Processor on behalf of Customer, or Sub-processor where Customer is a Processor. Contact: as set out in the "Contact" section below.

B. Description of the Processing

Categories of Data Subjects: Natural persons whose Personal Data is contained in content submitted to or generated by the Services, which may include: Customer's end customers, callers, claimants, policyholders, and account holders; Customer's personnel, agents, and authorized users; and third parties referenced in calls, documents, images, or recordings submitted to the Services.

Categories of Personal Data: Depending on Customer's configuration and use: identity and contact data; audio recordings of voice interactions and their transcripts; images, video, and documents (including photographs of property and damage, and uploaded documents); account, policy, claim, and transaction information; and communications content and metadata generated through interactions with the AI agents.

Special Category / sensitive data: Customer Personal Data may include Biometric Data (such as voiceprints and voice characteristics) and other categories where inherent in the inputs Customer submits. Customer is solely responsible for determining the lawful basis for, and obtaining any consents required for, the Processing of any such data. Cozmo applies such measures as it considers appropriate and assumes no enhanced or category-specific obligations beyond those generally applicable under this DPA.

Nature of the Processing: Hosting, storage, transmission, and AI-based Processing of voice, visual, and text inputs to operate multimodal AI agents, including speech recognition and synthesis, document and image understanding, retrieval, reasoning, and the generation of responses and actions, together with related support and security functions.

Purpose of the Processing: To provide, maintain, secure, support, and improve the Services in accordance with the Agreement, this DPA, and Customer's instructions, and as described in Section 4.

Frequency of the transfer: Continuous, for the duration of the Agreement.

Duration / retention: For the term of the Agreement and thereafter as set out in Section 10.

Sub-processor Processing: Sub-processors Process Customer Personal Data for the subject matter, nature, and duration described above and in the sub-processor list, to deliver and improve the Services.

C. Competent Supervisory Authority

For Data Subjects in the EEA, the competent Supervisory Authority is that of the EU Member State in which the data exporter is established, or, where the data exporter is not established in the EEA, the Irish Data Protection Commission. For the UK, the competent authority is the UK Information Commissioner's Office. For data subject to the FADP, the Swiss Federal Data Protection and Information Commissioner. For data subject to the ADGM DP Regulations, the ADGM Office of Data Protection.

Annex II — Technical and Organizational Measures

The following is a general, non-exhaustive, and non-binding description of the types of technical and organizational measures Cozmo may employ, provided for information only. It does not create any specific commitment; Cozmo's security obligation is as stated in Section 6. Cozmo may change these measures at any time in its discretion.

Access control: Role-based, least-privilege access to Customer Personal Data; unique user IDs, multi-factor authentication for administrative access, and prompt revocation on role change or departure.

Encryption: Encryption of Customer Personal Data in transit and at rest using industry-standard methods.

Network and application security: Segmented network architecture, firewalls, and monitoring; secure development practices and vulnerability management.

AI-specific controls: Selection of model providers, infrastructure, and processing methods at Cozmo's discretion; such filtering, guardrail, and separation controls as Cozmo considers appropriate from time to time.

Resilience and continuity: Data backup, redundancy, and disaster-recovery processes.

Logging and monitoring: Audit logging and security monitoring as Cozmo considers appropriate.

Incident management: An incident response process consistent with Section 9.

Vendor management: Due diligence and contractual flow-down for Sub-processors under Section 7.

Personnel: Confidentiality obligations and periodic security and privacy training.

Physical security: Reliance on data-center providers maintaining recognized physical and environmental controls.

Annex III — Sub-processors

Cozmo engages the categories of Sub-processors below to deliver and improve the Services. A current list may be made available by Cozmo on written request and is maintained in accordance with Section 7.

Cloud infrastructure / hosting: Hosting, storage, and compute for the Services.

AI / large language model providers: Generation of model outputs to power the AI agents.

Voice and telephony infrastructure: Real-time voice transport, telephony, and call connectivity.

Speech and transcription: Speech-to-text and text-to-speech processing.

Observability and security tooling: Logging, monitoring, error tracking, and security operations.

Communications / messaging: Delivery of notifications and messages where configured by Customer.

Questions about this DPA, or requests for a counter-signed copy for enterprise procurement, may be sent to founders@hellocozmo.ai. CozmoX AI Ltd is incorporated in the Abu Dhabi Global Market (ADGM).