Data Processing Addendum (DPA)

CoreNeural

Last Updated: 25th Feb 2026

1. Introduction

This Data Processing Addendum (“DPA”) forms part of the agreement between CoreNeural (“Processor”, “we”, “our”, or “us”) and the customer organization (“Controller”, “Customer”) governing the processing of personal data in connection with the use of the CoreNeural platform and services (the “Services”).

This DPA reflects the parties’ agreement regarding the processing of personal data in compliance with applicable data protection laws, including:

• General Data Protection Regulation (GDPR)
• UK GDPR
• California Consumer Privacy Act (CCPA/CPRA)
• India Digital Personal Data Protection Act (DPDP)
• Other applicable global data protection laws

2. Definitions

For the purposes of this DPA:

• Controller means the entity that determines the purposes and means of processing personal data.
• Processor means the entity processing personal data on behalf of the Controller.
• Personal Data means any information relating to an identified or identifiable natural person.
• Customer Data means all data, documents, content, and information uploaded, stored, or processed within the CoreNeural platform by the Customer.
• Subprocessor means any third party engaged by CoreNeural to process personal data on behalf of the Customer.
• Applicable Data Protection Laws means all laws and regulations governing personal data processing applicable to the parties.

3. Scope and Roles of the Parties

3.1 Controller and Processor Relationship

• The Customer acts as the Data Controller.
• CoreNeural acts as the Data Processor.
• CoreNeural processes Personal Data solely on behalf of and in accordance with the documented instructions of the Customer, as set forth in the applicable service agreement and this DPA.

3.2 Nature of Processing

CoreNeural provides a private enterprise AI intelligence platform that processes Customer Data for purposes including:

• Enterprise knowledge search and retrieval
• AI-powered analysis and summarization
• Workflow automation and document intelligence
• Secure internal collaboration and reporting

Processing may involve automated analysis and AI-assisted generation of outputs based solely on Customer-provided data and authorized sources.

4. Categories of Data Subjects and Personal Data

4.1 Categories of Data Subjects

Depending on Customer usage, data subjects may include:

• Employees and contractors
• Customers and clients of the Customer
• Business partners or vendors
• Authorized users of the platform

4.2 Categories of Personal Data

Personal Data processed may include:

• Names and professional contact details
• Organizational role or job title
• Communications and internal documents
• User account and authentication data
• Any other data uploaded by the Customer into the Services

Customers are solely responsible for ensuring that all Personal Data provided is lawful and appropriate for processing.

5. Processing Instructions

CoreNeural shall:

• Process Personal Data only on documented instructions from the Customer
• Not process Personal Data for its own independent purposes
• Not sell or share Customer Data with third parties except as authorized under this DPA

Customer instructions include:

• Platform configuration settings
• Access control and permission assignments
• Queries and workflows initiated by authorized users

6. Confidentiality and Personnel Access

CoreNeural ensures that:

• Personnel authorized to process Personal Data are bound by confidentiality obligations
• Access to Personal Data is limited to individuals who require such access to perform their duties
• Appropriate access controls and authentication mechanisms are enforced

7. Security Measures

CoreNeural implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of data in transit and at rest
• Role-based access control (RBAC)
• Tenant isolation across organizations
• Secure authentication and identity management
• Audit logging and activity monitoring
• Network and infrastructure security protections
• Regular security reviews and risk assessments

These measures are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.

8. Subprocessors

8.1 Authorization

The Customer authorizes CoreNeural to engage subprocessors to provide infrastructure, hosting, analytics, or AI processing components necessary to deliver the Services.

8.2 Subprocessor Obligations

CoreNeural ensures that each Subprocessor:

• Is bound by written agreements imposing data protection obligations no less protective than those set forth in this DPA
• Processes Personal Data only for the purpose of providing the Services
• Implements appropriate technical and organizational security measures
• A current list of subprocessors may be provided upon written request

9. International Data Transfers

Personal Data may be processed in multiple jurisdictions where CoreNeural or its subprocessors operate.

Where Personal Data is transferred outside the originating jurisdiction, CoreNeural will implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs)
• Contractual confidentiality and data protection obligations
• Secure encrypted transfer protocols

10. Assistance with Data Subject Rights

To the extent required by Applicable Data Protection Laws, CoreNeural shall reasonably assist the Customer in fulfilling obligations to respond to requests from data subjects, including:

• Access requests
• Rectification requests
• Deletion or erasure requests
• Restriction or objection to processing
• Data portability requests

Such assistance will be provided taking into account the nature of processing and the information available to CoreNeural.

11. Personal Data Breach Notification

In the event of a confirmed Personal Data Breach affecting Customer Data, CoreNeural shall:

• Notify the Customer without undue delay after becoming aware of the breach
• Provide available details regarding the nature and impact of the breach
• Take reasonable steps to mitigate and remediate the breach

Notification does not constitute an admission of fault or liability.

12. Data Retention and Deletion

CoreNeural retains Personal Data only for the duration necessary to provide the Services and comply with contractual and legal obligations.

Upon termination or expiration of the Services, CoreNeural shall:

• Delete or return Personal Data to the Customer, as agreed
• Retain only such data as required by applicable law or legitimate archival obligations

13. Audits and Compliance

CoreNeural shall make available to the Customer reasonable information necessary to demonstrate compliance with this DPA and applicable data protection laws.

Where contractually required, Customers may request audits or assessments, subject to:

• Reasonable advance notice
• Confidentiality obligations
• Limitations to protect the security and integrity of the platform and other customers

14. Customer Responsibilities

The Customer agrees to:

• Ensure lawful collection and provision of Personal Data
• Obtain necessary consents and permissions
• Configure appropriate access and retention settings
• Use the Services in compliance with applicable laws and regulations

The Customer remains responsible for determining the legal basis for processing Personal Data.

15. Liability and Indemnity

Each party’s liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the applicable service agreement or Terms and Conditions.

Customers shall indemnify CoreNeural for claims arising from unlawful or unauthorized Personal Data processing instructions provided by the Customer.

16. Term and Termination

This DPA shall remain in effect for as long as CoreNeural processes Personal Data on behalf of the Customer.

Termination of the underlying service agreement shall automatically terminate this DPA, except for provisions relating to confidentiality, liability, and data deletion, which shall survive termination.

17. Governing Law

This DPA shall be governed by and construed in accordance with the governing law specified in the applicable Terms and Conditions or Commercial SaaS Agreement, unless otherwise required by applicable data protection laws.

18. Contact Information

For questions regarding this DPA or data protection practices, contact:

CoreNeural Data Protection Team

Email: support@coreneural.ai

Address: 68, Akashneem Marg, Gurgaon - 122002