Data Processing Agreement
Last updated May 11, 2026
This Data Processing Agreement ("DPA") is entered into between the entity identified as the Controller in the applicable order form or service agreement ("Controller") and PZX (CNPJ: 62.054.402/0001-26), headquartered in the State of São Paulo, Brazil ("Operator"), and forms part of the agreement governing the use of Konn ("Agreement").
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined by the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018).
"Processing" means any operation performed on Personal Data, including collection, storage, use, access, transmission, and deletion.
"Controller" means the natural or legal person who has decision-making authority over the Processing of Personal Data.
"Operator" means the natural or legal person who processes Personal Data on behalf of the Controller, pursuant to the Controller's instructions.
"Data Subject" means the natural person to whom the Personal Data relates.
"Suboperator" means any third party engaged by the Operator to process Personal Data on behalf of the Controller.
"Services" means the Konn platform and any related features made available by PZX under the Agreement.
2. Scope and Relationship
This DPA governs the processing of Personal Data by PZX in its capacity as Operator, on behalf of the Controller, in connection with the provision of the Services.
The Controller determines the purposes and means of processing. PZX processes Personal Data solely to provide and operate the Services, in accordance with the Controller's instructions as set out in this DPA and the Agreement.
3. Nature, Purpose, and Duration of Processing
Nature: storage, organization, indexing, semantic processing, retrieval, and display of content submitted by the Controller and its authorized users.
Purpose: provision of the Konn platform, including document management, knowledge graph, semantic search, and AI-assisted contextual features.
Duration: for the term of the Agreement. Upon termination, the provisions of Section 12 apply.
4. Categories of Personal Data and Data Subjects
The categories of Personal Data processed under this DPA depend on the content submitted by the Controller. They may include, without limitation:
Identification and contact data: names, email addresses, and professional information of the Controller's users and any individuals mentioned in uploaded content;
Organizational data: team structures, roles, and internal communications;
Content data: documents, notes, and knowledge entries that may contain Personal Data about the Controller's employees, clients, or third parties.
The Controller acknowledges that PZX cannot control or predict the categories of Personal Data contained in content uploaded to the Services. The Controller is responsible for ensuring that all Personal Data submitted to the Services has a valid legal basis for processing under applicable law.
The Data Subjects are primarily the Controller's employees and authorized users, and potentially third parties whose data appears in content uploaded by the Controller.
5. Operator Obligations
PZX, as Operator, shall:
5.1 Follow instructions: process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. PZX will notify the Controller if it believes an instruction violates applicable law, before proceeding.
5.2 Confidentiality: ensure that authorized personnel processing Personal Data are bound by confidentiality obligations.
5.3 Security: implement and maintain appropriate technical and organizational measures to protect Personal Data, as described in Section 8.
5.4 Suboperators: engage Suboperators only in accordance with Section 7.
5.5 Data Subject rights: assist the Controller in responding to Data Subject rights requests, as described in Section 9.
5.6 Deletion: delete or return Personal Data upon termination, as described in Section 12.
5.7 Audit: make available the information necessary to demonstrate compliance with this DPA, as described in Section 11.
5.8 Incident notification: notify the Controller without undue delay, and no later than 72 hours after becoming aware, of any confirmed security incident involving Personal Data processed under this DPA. The notification will include the nature of the incident, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed.
6. Controller Obligations
The Controller shall:
6.1 Legal basis: ensure that all Personal Data submitted to the Services has a valid legal basis for processing under applicable law, including data about third parties uploaded as part of documents or knowledge content.
6.2 Accuracy: provide accurate and up-to-date instructions and ensure that Personal Data submitted is adequate and relevant for the intended purpose.
6.3 Data Subject rights: handle Data Subject requests directed to the Controller and coordinate with PZX where the Operator's assistance is required.
6.4 Compliance: comply with all applicable data protection laws in its capacity as Controller, including obtaining any required consents from Data Subjects.
7. Suboperators
7.1 Current Suboperators
The Controller authorizes PZX to engage the following Suboperators in connection with the Services:
| Suboperator | Location | Purpose |
|---|---|---|
| Amazon Web Services (AWS) | United States | Cloud infrastructure and hosting |
| Cloudflare | United States | Network security, CDN, and DDoS protection |
| OpenAI | United States | AI language model processing and text embeddings |
| Anthropic | United States | AI language model processing |
| Stripe | United States | Payment and billing processing |
| Resend | United States | Transactional email delivery |
7.2 Future Suboperators
PZX may engage additional AI model providers (including, without limitation, providers of reranking, embedding, or audio processing services) as the Services evolve. PZX will notify the Controller of any intended addition or replacement of Suboperators at least 30 days in advance.
The Controller may object to a new Suboperator on reasonable data protection grounds by notifying PZX in writing within 15 days of receiving notice. If the parties cannot resolve the objection, the Controller may terminate the Agreement without penalty, with 30 days' written notice.
7.3 Suboperator obligations
PZX shall impose data protection obligations on all Suboperators equivalent to those set out in this DPA. PZX remains liable to the Controller for the performance of Suboperators' obligations.
8. Security Measures
PZX implements the following technical and organizational measures to protect Personal Data:
Encryption of data in transit (TLS) and at rest;
Tenant isolation — each Controller's data is logically separated from other tenants;
Role-based access control limiting access to authorized personnel;
Security monitoring and logging;
Regular access reviews.
PZX may update these measures over time, provided that updates do not materially reduce the overall level of protection.
9. Data Subject Rights
PZX will assist the Controller in fulfilling its obligations to respond to Data Subject rights requests under applicable law, including requests for access, correction, deletion, portability, and opposition.
The Controller is responsible for receiving and initially evaluating Data Subject requests. Where fulfilling a request requires action by PZX, the Controller will submit the request to PZX via the contact channel in Section 13. PZX will respond within 15 business days.
10. International Data Transfers
Personal Data processed under this DPA may be transferred to and processed in countries outside Brazil, including the United States, where PZX's Suboperators operate. Such transfers are conducted based on adequate contractual safeguards in accordance with Article 33 of the LGPD.
For Controllers subject to the GDPR, transfers to Suboperators outside the European Economic Area are governed by the applicable transfer mechanisms, including Standard Contractual Clauses where required.
11. Audit Rights
Upon the Controller's written request, PZX will make available information reasonably necessary to demonstrate compliance with this DPA. PZX may fulfill this obligation by providing up-to-date certifications, security documentation, or summary audit reports.
The Controller may request an on-site audit no more than once per calendar year, with at least 30 days' written notice and at the Controller's cost. Any audit must be conducted in a manner that does not disrupt PZX's operations or compromise the security or confidentiality of other customers' data.
12. Term, Termination, and Data Deletion
This DPA remains in force for the duration of the Agreement.
Upon termination or expiration of the Agreement:
The Controller will have 30 days to export its data from the Services;
After this period, PZX will delete all Personal Data processed under this DPA within 30 days, including copies held by Suboperators where technically feasible;
PZX will provide written confirmation of deletion upon the Controller's request;
PZX may retain Personal Data beyond this period solely to the extent required by applicable law, in which case the data will remain subject to the confidentiality obligations of this DPA.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in the Agreement. Nothing in this DPA limits either party's liability for obligations that cannot be excluded or limited under applicable data protection law.
14. Governing Law
This DPA is governed by the laws of the Federative Republic of Brazil, in particular the LGPD (Law No. 13,709/2018). Any disputes arising from this DPA that cannot be resolved amicably shall be submitted to the courts of the District of São Paulo, State of São Paulo.
15. Contact
For matters relating to this DPA, data subject rights requests, or security incidents:
Email: [email protected]
Website: pzx.app
Data Protection Officer:
Name: Filipe Albuquerque Brauns Cazelgrandi
Email: [email protected]
Annex A — Processing Details
This annex supplements Section 3 and may be updated by mutual written agreement to reflect changes in the Services.
| Field | Details |
|---|---|
| Subject matter | Organizational knowledge management via the Konn platform |
| Nature of processing | Storage, indexing, semantic search, AI-assisted retrieval and generation |
| Purpose | Provision of the Services as described in the Agreement |
| Retention period | Duration of the Agreement, plus the deletion period in Section 12 |
| Data Subject categories | Controller's employees, authorized users, and any third parties referenced in uploaded content |
| Personal Data categories | As described in Section 4; actual categories depend on content submitted by the Controller |