1. Introduction & Scope

This DPA forms part of the master agreement or other written or electronic terms between CoSkip, Inc. (“CoSkip”) and the customer entity (“Customer”) governing Customer's use of CoSkip's Services. It applies where CoSkip processes Personal Data on behalf of Customer subject to Applicable Data Protection Law (e.g., GDPR/UK GDPR, CPRA).

Capitalised terms not defined here have the meaning in the Agreement.

2. Definitions

“Applicable Data Protection Law” means laws and regulations relating to data protection, privacy, and processing of Personal Data, including GDPR/UK GDPR and CPRA, in each case as amended.

“SCCs” means the Standard Contractual Clauses applicable to international transfers under GDPR (EU 2021/914) and the UK Addendum/IDTA, as applicable.

“Personal Data”, “Controller/Processor”, “Data Subject”, and “Processing” have the meanings set out in GDPR/UK GDPR.

3. Roles & Instructions

Customer is the Controller (or Business); CoSkip is the Processor (or Service Provider). CoSkip will process Personal Data only on documented instructions from Customer, including as set out in this DPA and the Agreement.

4. Nature & Purpose of Processing

CoSkip processes Personal Data to provide, secure, and improve the Services (e.g., voice guidance, optional AR overlays, automated proof-of-work capture), to provide support, and to meet legal obligations. Details are set out in Annex I.

5. Security & Confidentiality (TOMs)

CoSkip implements appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as described in Annex II. CoSkip ensures personnel are bound by confidentiality obligations.

6. Subprocessors

Customer authorises CoSkip to engage Subprocessors to support the Services. CoSkip will impose data protection terms on Subprocessors no less protective than this DPA and will remain responsible for their performance. The current list is available at coskip.com/subprocessors. CoSkip will provide notice of changes and allow Customer to object on reasonable grounds.

7. International Transfers & SCCs

Where CoSkip transfers Personal Data internationally, CoSkip will ensure appropriate safeguards, including SCCs (EU Modules 2/3 as applicable) and the UK Addendum/IDTA, and implement supplementary measures if required.

8. Data Subject Requests

Taking into account the nature of processing, CoSkip will assist Customer by appropriate technical and organisational measures to fulfil Data Subject requests (access, deletion, etc.) as required by law.

9. Incident Notification

CoSkip will notify Customer without undue delay after becoming aware of a Personal Data Breach, and provide information reasonably required for Customer to meet its obligations.

10. Audit & Assistance

Upon request and subject to confidentiality, CoSkip will make available information necessary to demonstrate compliance and allow for audits (including by an independent auditor mandated by Customer) no more than annually, unless required by a competent authority or following a material incident.

11. Return & Deletion

Upon termination or expiry of the Services, CoSkip will delete or return Personal Data in accordance with Customer's instructions and the Agreement, unless retention is required by law. Where offered, Customer may enable zero-retention settings for specific features.

12. Term, Termination & Order of Precedence

This DPA remains in effect while CoSkip processes Personal Data for Customer. If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict regarding data protection. The SCCs prevail over this DPA where applicable.

Annex I — Details of Processing

Subject matter: Provision of CoSkip Services (voice guidance, optional AR overlays, automated proof-of-work capture) to Customer.

Duration: Term of the Agreement and as otherwise required by law.

Nature & purpose: Hosting, storage, transmission, analysis, and support to deliver the Services and security thereof.

Categories of Personal Data: identifiers (name, email, role), usage data (device/app events), approximate location, operational content submitted by Users (e.g., proof photos/videos, timestamps, signatures) as configured by Customer.

Categories of Data Subjects: Customer's authorised users (e.g., technicians, managers), Customer's clients' personnel where applicable.

Special categories: Not intended to be processed. Customer shall not submit special categories unless the parties agree in writing.

Annex II — Technical & Organisational Measures (TOMs)

  • Access controls: SSO/SAML support; least-privilege; role-based access; MFA for admin access; logging and review.
  • Data in transit: TLS 1.2+; certificate management; API auth.
  • Data at rest: Encrypted storage for applicable services; key management via cloud KMS.
  • On-device by default: Where supported, voice guidance and recognition operate on device/edge.
  • Zero-retention options: Admin settings to discard transient audio/images post-processing.
  • Resilience: Backups for critical metadata; disaster recovery procedures; redundancy.
  • Secure development: Code review, dependency scanning, vulnerability management.
  • Vendor management: Subprocessor due diligence, DPA/SCCs, least-data principle.
  • Incident response: Defined IR plan; detection, response and notification workflow.
  • Personnel: Security training; confidentiality agreements.

This DPA is provided for convenience and may be updated to reflect regulatory changes. Not legal advice.
