Data Processing Agreement

Effective date: February 7, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("you", "Controller") and Geol.ai ("we", "us", "Processor") governing the processing of personal data in connection with the Geol.ai platform and services. This DPA applies to the extent that Geol.ai processes Customer Personal Data on behalf of the Customer as a data processor.

1. Data Processing, Subject Matter, and Roles

Geol.ai provides a Generative Engine Optimization platform that analyzes web content and generates optimization outputs. In the course of delivering these services, Geol.ai may process Customer Data that constitutes personal data ("Customer Personal Data").

Roles. For the purposes of this DPA, the Customer acts as the Controller (or "Business" under the California Consumer Privacy Act) and Geol.ai acts as the Processor (or "Service Provider" under CCPA). Each party agrees to comply with its obligations under applicable Data Protection Laws.

Applicable Data Protection Laws. This DPA addresses obligations under: the EU General Data Protection Regulation (EU 2016/679) ("EU GDPR"), the UK General Data Protection Regulation as incorporated by the UK Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and the Swiss Federal Act on Data Protection ("Swiss DPA"), in each case as applicable to the processing of Customer Personal Data.

The details of the processing (nature, purpose, duration, categories of data subjects, and types of personal data) are described in Annex I of this DPA.

2. Processing Instructions

Geol.ai will process Customer Personal Data only in accordance with the Customer's documented instructions. The Customer's instructions are set out in this DPA, the applicable service agreement, and any subsequent written instructions mutually agreed upon by the parties.

If Geol.ai believes that an instruction from the Customer infringes applicable Data Protection Laws, Geol.ai will promptly notify the Customer and may suspend performance of the relevant instruction until the Customer modifies or confirms it.

Geol.ai will not process Customer Personal Data for any purpose other than as necessary to perform the services and fulfill its obligations under the service agreement, unless required to do so by applicable law. In such a case, Geol.ai will inform the Customer of the legal requirement before processing, unless prohibited by law from doing so.

3. Personnel

All Geol.ai personnel who are authorized to process Customer Personal Data are bound by written confidentiality obligations. These obligations survive the termination of such personnel's engagement with Geol.ai.

Geol.ai ensures that access to Customer Personal Data is limited to those personnel who require such access to perform the services. Geol.ai maintains appropriate access controls and conducts periodic reviews of access permissions to ensure that only authorized individuals can access Customer Personal Data.

4. CCPA Limitations

To the extent that Geol.ai processes Customer Personal Data that is subject to the CCPA, Geol.ai will not:

  • Retain, use, or disclose Customer Personal Data for any purpose other than performing the services specified in the service agreement, including any commercial purpose other than providing the services
  • Retain, use, or disclose Customer Personal Data outside the direct business relationship between Geol.ai and the Customer
  • Combine Customer Personal Data with personal information received from other sources or collected from Geol.ai's own interactions with individuals, except as expressly permitted by the CCPA
  • "Sell" or "Share" Customer Personal Data as those terms are defined under the CCPA

Geol.ai certifies that it understands and will comply with these restrictions. Geol.ai grants the Customer the right to take reasonable and appropriate steps to ensure that Geol.ai uses Customer Personal Data in a manner consistent with the Customer's obligations under the CCPA.

5. Security and Security Incidents

Security Measures. Geol.ai implements and maintains reasonable technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Annex II of this DPA.

Security Incidents. If Geol.ai becomes aware of a confirmed security incident involving the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data ("Security Incident"), Geol.ai will:

  • Notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the Security Incident
  • Provide the Customer with sufficient information to enable the Customer to meet its obligations to report the incident to supervisory authorities or affected data subjects, as required under applicable Data Protection Laws
  • Take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from it
  • Cooperate with the Customer and provide such additional information as the Customer may reasonably request regarding the Security Incident

Geol.ai's notification of a Security Incident is not an acknowledgment of fault or liability.

6. Subprocessing

The Customer authorizes Geol.ai to engage the subprocessors listed in Annex III of this DPA for the purposes described therein. Geol.ai maintains a current list of subprocessors and will make it available to the Customer upon request.

New Subprocessors. Geol.ai will provide the Customer with at least 30 days' advance written notice before engaging any new subprocessor. If the Customer objects to a new subprocessor on reasonable grounds relating to data protection, the parties will discuss the concern in good faith. If the parties cannot resolve the objection, the Customer may terminate the affected services without penalty.

Subprocessor Obligations. Geol.ai imposes data protection obligations on each subprocessor that are no less protective than those set out in this DPA. Geol.ai remains responsible for the acts and omissions of its subprocessors to the same extent as if Geol.ai were performing the services directly.

7. Assistance

Geol.ai will provide reasonable assistance to the Customer in fulfilling its obligations under applicable Data Protection Laws, taking into account the nature of the processing and the information available to Geol.ai. This assistance includes:

  • Data Subject Rights. Assisting the Customer in responding to requests from data subjects exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, portability, restriction, and objection)
  • Data Protection Impact Assessments ("DPIAs"). Providing information reasonably necessary for the Customer to conduct DPIAs related to the Customer's use of the services
  • Prior Consultations. Providing information reasonably necessary for the Customer to engage in prior consultations with supervisory authorities where required

If Geol.ai receives a request from a data subject directly, Geol.ai will promptly redirect the request to the Customer, unless otherwise instructed.

8. Audit

Upon the Customer's written request, and no more than once per twelve-month period, Geol.ai will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA.

The Customer (or its appointed independent third-party auditor) may conduct an audit of Geol.ai's processing activities, subject to the following conditions:

  • The Customer provides at least 30 days' prior written notice
  • The audit is conducted during normal business hours and does not unreasonably disrupt Geol.ai's operations
  • The auditor is bound by appropriate confidentiality obligations
  • The scope of the audit is limited to Geol.ai's processing of Customer Personal Data under this DPA

Geol.ai may satisfy audit requests by providing relevant certifications, audit reports, or other documentation that reasonably demonstrates compliance, provided such documentation adequately addresses the Customer's concerns.

9. International Transfers

Customer Personal Data may be transferred to and processed in countries outside the European Economic Area ("EEA"), the United Kingdom, or Switzerland. Geol.ai ensures that such transfers are made in compliance with applicable Data Protection Laws by implementing appropriate safeguards.

EU/EEA Transfers. For transfers of Customer Personal Data from the EEA to the United States or other countries not recognized by the European Commission as providing adequate data protection, the parties agree that the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) shall apply as the transfer mechanism. This DPA incorporates those clauses by reference, with the Customer as the data exporter and Geol.ai as the data importer.

UK Transfers. For transfers of Customer Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU Standard Contractual Clauses (issued by the UK Information Commissioner) shall apply as the transfer mechanism.

Swiss Transfers. For transfers of Customer Personal Data from Switzerland, the Standard Contractual Clauses shall apply with the modifications necessary to comply with the Swiss Federal Act on Data Protection.

10. Return and Deletion

Upon termination or expiration of the service agreement, or upon the Customer's written request, Geol.ai will (at the Customer's election) return or delete all Customer Personal Data in its possession within 30 days, unless applicable law requires further retention.

Geol.ai will provide the Customer with the ability to export Customer Personal Data prior to deletion. After the 30-day period, Geol.ai will delete all remaining copies of Customer Personal Data from its systems, except where retention is required by applicable law.

Where Geol.ai is required by applicable law to retain any Customer Personal Data, Geol.ai will isolate and protect such data from further processing and will delete it when the retention obligation expires.

Annex I: Transfer Details

A. List of Parties

Data Exporter: The Customer, as identified in the applicable service agreement. The Customer determines the purposes and means of processing Customer Personal Data and uses Geol.ai's services for Generative Engine Optimization and AI visibility analysis.

Data Importer: Geol.ai, the provider of the Generative Engine Optimization platform. Geol.ai processes Customer Personal Data solely to deliver the services described in the service agreement.

B. Description of the Processing

Data Subjects: The Customer's employees, contractors, end users, and other individuals whose personal data is submitted to or collected by the Geol.ai platform in connection with the Customer's use of the services.

Categories of Personal Data: Account identifiers (name, email address), authentication credentials, IP addresses, browser metadata, URLs submitted for analysis, web page content submitted for optimization, usage and analytics data, and payment-related identifiers (processed by a third-party payment processor).

Sensitive Data: Geol.ai does not intentionally collect or process special categories of personal data (e.g., health data, biometric data, racial or ethnic origin). If Customer Personal Data incidentally contains sensitive data within submitted web content, Geol.ai processes it only as necessary to perform the services.

Frequency of Transfer: Continuous, as determined by the Customer's use of the services.

Nature and Purpose of Processing: Geol.ai processes Customer Personal Data to provide its Generative Engine Optimization services, including: website crawling and content extraction, natural language processing analysis, AI analysis and quality scoring, optimization format generation (JSON-LD, llms.txt, robots.txt, sitemap.xml, metadata), user account management, billing and subscription management, and platform analytics.

Retention Period: Customer Personal Data is retained for the duration of the service agreement. Upon termination, data is deleted within 30 days unless otherwise agreed or required by applicable law.

Annex II: Security Measures

Geol.ai implements and maintains the following technical and organizational security measures to protect Customer Personal Data:

Encryption and Transport Security

  • All data in transit is encrypted using TLS 1.2 or higher
  • User sessions are encrypted and managed through secure authentication mechanisms
  • Database connections use encrypted transport channels

Payment Security

  • Payment processing is handled by a PCI DSS-compliant third-party provider (Stripe)
  • Geol.ai does not store credit card numbers, CVVs, or full payment card data on its own systems

Access Controls

  • Database access is restricted through role-based permissions and network-level controls
  • Application-level access is governed by authentication and authorization mechanisms with tenant isolation
  • Administrative access is limited to authorized personnel and requires multi-factor authentication

Caching and Temporary Storage

  • Cached data is stored with automatic expiration policies to minimize data retention
  • Temporary processing data is purged after the relevant operation completes

Object Storage

  • Files and generated outputs are stored in isolated, namespaced object storage with access controls
  • Storage access is scoped to the relevant tenant and requires authenticated requests

Rate Limiting and Abuse Prevention

  • API endpoints are protected by rate limiting to prevent abuse and denial-of-service attacks
  • Request validation is applied to all user inputs to prevent injection attacks

Software and Dependency Management

  • Dependencies are regularly reviewed and updated to address known security vulnerabilities
  • Application code undergoes review before deployment to production environments

Logging and Monitoring

  • Access to Customer Personal Data is logged for audit and accountability purposes
  • Security-relevant events are monitored to detect and respond to potential incidents

Annex III: Subprocessor List

The following subprocessors are authorized to process Customer Personal Data on behalf of Geol.ai as of the effective date of this DPA:

Subprocessor | Purpose | Location | Data Processed
Neon | PostgreSQL database hosting | United States | Account data, project data, scan results, subscription records
Neon Auth | User authentication and identity management | United States | User identifiers, email addresses, authentication tokens
Stripe | Payment processing and subscription management | United States | Billing identifiers, payment method tokens, subscription status
Upstash | Redis caching and rate limiting | United States | Session tokens, cached analysis results, rate limit counters
Cloudflare (R2) | Object storage for generated outputs | Global (distributed) | Generated optimization files, scan artifacts
OpenAI | AI-powered content analysis and recommendations | United States | Web page content submitted for analysis, generated analysis outputs
Anthropic | AI-powered content analysis and recommendations | United States | Web page content submitted for analysis, generated analysis outputs
Google (Gemini) | AI-powered content analysis and recommendations | United States | Web page content submitted for analysis, generated analysis outputs
BrowserBase | Cloud browser infrastructure for web crawling | United States | URLs submitted for crawling, rendered page content
Resend | Transactional email delivery | United States | Email addresses, email content for notifications
Mixpanel | Product analytics and usage tracking | United States | Anonymized usage events, feature interaction data
Google Tag Manager | Tag management and analytics orchestration | United States | Page view events, anonymized interaction data

Contact Information

For questions regarding this Data Processing Agreement or to exercise any rights described herein, contact us at hello@geol.ai.