LeaderCoreAI Data Processing Agreement
Data Processing Agreement (B2B)
Version 2.1 – April 30th 2026
Part of: LeaderCoreAI Platform Terms (Flow-Through for Indirect Sales – B2B Only)
Blue Horizon Training S.R.L.
1. Parties and Scope
1.1 Parties
This Data Processing Agreement ("DPA") is between: Blue Horizon Training S.R.L., Intrarea Biserica Albă 3, Ap. 6, 010298, Bucharest, Romania, CUI RO43434054 ("Vendor" or "Processor"); and the business entity identified as Customer in the relevant order form or subscription arrangement, whether concluded with Vendor or with an authorised reseller ("Customer" or "Controller").
1.2 Incorporation
This DPA forms part of: the LeaderCoreAI Platform Terms (Flow-Through for Indirect Sales – B2B Only), and any commercial agreement or order under which Customer acquires subscriptions to the LeaderCoreAI Platform, whether such order is concluded with Vendor directly or via an authorised reseller ("Reseller").
1.3 Indirect Sales
Where Customer purchases via a Reseller, this DPA is a separate and direct agreement between Vendor (as Processor) and Customer (as Controller) for the processing of personal data in connection with Customer's use of the Platform. Reseller is not a party to this DPA, but remains responsible for its own processing activities as described in Customer's agreement with the Reseller.
1.4 Role of the Parties
For the Processing of Personal Data described in this DPA, Customer is the Controller, Vendor is the Processor, and Vendor may engage Sub-processors as set out herein.
1.5 Precedence
In case of conflict between this DPA and other terms between the parties regarding data protection, this DPA prevails to the extent of the conflict.
1.6 Country-Specific Addenda
Where Customer Data includes Personal Data of data subjects located in jurisdictions with data protection laws that impose requirements beyond or different from the GDPR, Vendor may make available country-specific addenda. The following country-specific addenda are hereby incorporated into this DPA and apply automatically, without further action by either party, to the extent their respective scope conditions are met:
- (a) UK Data Protection Addendum, available at https://leadercore.ai/legal/uk-dpa-addendum, which applies whenever and to the extent that Customer Data includes Personal Data of data subjects subject to UK Data Protection Laws (as defined in that Addendum).
Vendor may add further country-specific addenda from time to time in accordance with Clause 14.2 (Amendments), by publishing them at a URL referenced in this Clause 1.6 or otherwise notifying Customer. Where a country-specific addendum is incorporated under this Clause 1.6, it forms part of this DPA, and in case of conflict with this DPA regarding the processing of Personal Data covered by that addendum, the addendum prevails.
2. Definitions
Terms used in this DPA have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), in the Platform Terms, or as defined below:
- "Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA.
- "Processing", "Controller", "Processor", "Data Subject", "Supervisory Authority" and "Personal Data Breach" have the meanings given in the GDPR.
- "Platform" means the LeaderCoreAI AI-powered leadership simulation platform as defined in the Platform Terms.
- "Customer Data" means Personal Data for which Customer is Controller and which Vendor processes on Customer's behalf in providing the Platform.
- "Sub-processor" means another processor engaged by Vendor to process Customer Data.
- "Applicable Data Protection Law" means the GDPR, and any other data protection or privacy law that applies to the processing of Customer Data under this DPA, including where applicable through a country-specific addendum (e.g., the UK GDPR and Data Protection Act 2018).
3. Subject Matter, Duration, Nature and Purpose of Processing
3.1 Subject Matter
Vendor processes Customer Data solely to provide the Platform, related services and support to Customer in accordance with the Platform Terms and this DPA.
3.2 Duration
This DPA applies for as long as Vendor processes Customer Data on behalf of Customer under any active Subscription Term and during subsequent deletion/anonymisation periods described in the Platform Terms.
3.3 Nature and Purpose
The Processing includes collection, storage, organisation, retrieval, use, analysis, transmission, display and deletion, as necessary to:
- register and authenticate users;
- run training simulations and capture user responses;
- generate scores, feedback and reports;
- provide dashboards and analytics to authorised HR/Admin users;
- maintain security, monitor misuse, perform troubleshooting and quality improvements (in aggregated/pseudonymised form); and
- comply with applicable legal obligations.
3.4 Type of Personal Data and Categories of Data Subjects
Typical categories are described in Annex 1 and align with the Platform Terms (Clause 10).
3.5 Retention
Retention periods and deletion/anonymisation practices follow the schedule set out in the Platform Terms (currently Clause 10.3), as updated from time to time, and are deemed incorporated into this DPA.
4. Controller's Instructions
4.1
Vendor shall process Customer Data only on documented instructions from Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Member State law (or other Applicable Data Protection Law). In that case, Vendor shall inform Customer of that legal requirement before processing, unless the law prohibits such information.
4.2
The Platform Terms, this DPA (together with any applicable country-specific addendum) and Customer's documented configuration and use of the Platform constitute Customer's complete and final instructions to Vendor.
4.3
If Vendor reasonably believes an instruction infringes the GDPR or other Applicable Data Protection Law, Vendor will inform Customer without undue delay and may suspend the relevant processing until Customer confirms or modifies the instruction.
5. Confidentiality and Personnel
5.1
Vendor shall ensure that persons authorised to process Customer Data are subject to appropriate confidentiality obligations (whether contractual or statutory).
5.2
Vendor shall ensure that such personnel only access Customer Data to the extent necessary to perform their role in providing the Platform.
6. Security of Processing
6.1
Vendor shall implement and maintain appropriate technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as required by Article 32 GDPR (and equivalent provisions of any other Applicable Data Protection Law).
6.2
These measures include, where appropriate, measures relating to:
- access control and authentication;
- encryption in transit and at rest (where reasonably feasible);
- network and application security;
- logging and monitoring of security-relevant events;
- regular backup and recovery procedures;
- secure development and change-management practices; and
- incident response and business continuity processes.
6.3
A summary of the technical and organisational measures is set out in Annex 2. Customer is responsible for reviewing this summary and determining whether it satisfies Customer's own security requirements.
7. Sub-processors
7.1
Customer authorises Vendor to appoint Sub-processors for the purposes described in this DPA, subject to the conditions below.
7.2
Vendor shall:
- ensure that Sub-processors are bound by written agreements imposing obligations that are no less protective of Customer Data than this DPA; and
- remain responsible to Customer for the performance of each Sub-processor's obligations.
7.3
Vendor shall maintain a list of current Sub-processors and their relevant processing locations in Annex 3 (or at a URL referenced in Annex 3). Vendor may update this list from time to time.
7.4
Vendor shall provide notice (e.g. via email or posting on a Sub-processor list URL) of any intended addition or replacement of Sub-processors, giving Customer at least 14 days to object. Customer may object on reasonable grounds relating to data protection; in that case the parties will discuss in good faith. If no mutually acceptable solution is found, Customer may, as a sole and exclusive remedy, terminate the affected subscription(s) by written notice, with a pro-rated refund for any prepaid unused Subscription Term.
8. International Transfers
8.1
Vendor shall process Customer Data within the European Economic Area (EEA) or other countries recognised by the European Commission as providing an adequate level of protection, except as necessary to use authorised Sub-processors.
8.2
Where Customer Data is transferred to a country without an adequacy decision, Vendor shall ensure that appropriate safeguards under Article 46 GDPR are in place, such as:
- EU Standard Contractual Clauses (controller-to-processor) between Customer and Vendor or between Vendor and its Sub-processors; and/or
- other mechanisms permitted by Applicable Data Protection Law.
8.3
Where Customer Data is subject to non-EU data protection laws that impose separate transfer requirements (e.g., the UK GDPR), the applicable country-specific addendum shall specify the transfer mechanisms for that jurisdiction.
8.4
Upon Customer's reasonable request, Vendor will provide information about the applicable transfer mechanism for specific Sub-processors listed in Annex 3.
9. Assistance to Customer
9.1 Data Subject Requests
Taking into account the nature of the Processing, Vendor shall assist Customer, by appropriate technical and organisational measures and where reasonably possible, in responding to Data Subjects' requests to exercise their rights under Chapter III GDPR (and equivalent provisions of any other Applicable Data Protection Law), including access, rectification, erasure, restriction, portability and objection.
- If a Data Subject contacts Vendor directly with such a request, Vendor will, where it can identify the Customer concerned, forward the request to Customer without undue delay.
- Vendor shall not respond directly on Customer's behalf unless authorised or legally required to do so.
9.2 Compliance and Impact Assessments
Taking into account the nature of Processing and the information available to Vendor, Vendor shall provide reasonable assistance to Customer in:
- ensuring compliance with the obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation) and equivalent provisions of any other Applicable Data Protection Law, and
- responding to inquiries or inspections by Supervisory Authorities relating to the Processing covered by this DPA.
9.3
Vendor may charge a reasonable fee for assistance under this Clause 9 if requests are manifestly unfounded, excessive or repetitive, or if they require effort beyond what is customary for comparable B2B SaaS services.
10. Personal Data Breach Notification
10.1
Vendor shall notify Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach involving Customer Data.
10.2
Such notice shall include, to the extent reasonably available:
- a description of the nature of the Personal Data Breach;
- categories and approximate number of Data Subjects and data records concerned;
- likely consequences of the breach; and
- measures taken or proposed by Vendor to address the breach and to mitigate possible adverse effects.
10.3
Customer is responsible for fulfilling any legal notification obligations to Supervisory Authorities and Data Subjects, unless Applicable Data Protection Law expressly requires Vendor to do so.
11. Return and Deletion of Data
11.1
At the end of the relevant Subscription Term (or upon earlier termination in accordance with the Platform Terms), Vendor shall delete or anonymise Customer Data in accordance with the retention schedule in the Platform Terms, unless EU or Member State law (or other Applicable Data Protection Law) requires storage of certain data.
11.2
During the active Subscription Term, Customer may export or request export of certain data via in-product features or reasonable assistance from Vendor, as described in the Platform Terms.
11.3
Upon Customer's written request within the applicable retention period, Vendor shall confirm deletion or anonymisation of Customer Data processed as Processor, subject to any legal obligations to retain data.
12. Audit Rights
12.1
Vendor shall provide Customer with all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR (and equivalent provisions of any other Applicable Data Protection Law), including:
- responses to security and compliance questionnaires;
- copies of relevant third-party certifications or audit reports (e.g. ISO, SOC), if available; or
- high-level descriptions of its controls and procedures.
12.2 Audit and Information Rights
- (a) Vendor will make available to Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA and Article 28 GDPR, for example by providing written descriptions of its technical and organisational measures, responses to security/privacy questionnaires, or relevant third-party audit reports or certifications (if available).
- (b) If, after reviewing such information, Customer still reasonably considers that it needs an audit, Vendor shall allow and reasonably cooperate with an audit of the processing activities covered by this DPA to the extent required by Article 28(3)(h) GDPR. Any such audit shall:
  - be subject to at least 30 days' prior written notice;
  - be carried out during normal business hours;
  - be limited in scope to what is necessary to verify compliance with this DPA; and
  - be subject to appropriate confidentiality undertakings.
- (c) Customer is responsible for its own audit costs. Vendor may charge a reasonable fee for time spent by its personnel on audits, particularly where audits are requested more than once in any 12-month period, unless an additional audit is required by a Supervisory Authority.
13. Liability and Limitation
13.1
The limitations of liability in the Platform Terms and any applicable commercial agreement between the parties apply to this DPA and all claims arising from or in connection with it, to the maximum extent permitted by law.
13.2
Nothing in this DPA excludes or limits liability where such exclusion or limitation is not allowed under Applicable Data Protection Law or other applicable law.
14. Miscellaneous
14.1 Governing Law and Jurisdiction
This DPA is governed by Romanian law and subject to the exclusive jurisdiction of the courts of Bucharest, without prejudice to mandatory provisions of Applicable Data Protection Law (including the rights of data subjects and Supervisory Authorities under such law).
14.2 Amendments
Vendor may update this DPA to reflect changes in law or industry practice. Material updates affecting Customer's data protection rights or Vendor's data protection obligations will be communicated via the Platform Terms URL or by other reasonable means at least 30 days before taking effect. If Customer objects to a material update, Customer may terminate the affected subscription(s) by written notice within that 30-day period, with a pro-rated refund for any prepaid unused Subscription Term. If Customer does not object within that period, the updated DPA shall apply.
14.3 Severability
If any provision of this DPA is held invalid, the remaining provisions remain in effect.
Annex 1 – Description of Processing
Categories of Data Subjects
- Employees, contractors and other authorised users of Customer and its affiliates who access the Platform (including HR/Admin users).
- Reseller staff only to the extent they use the Platform as users of a Customer tenant.
Types of Personal Data
- Identification data: name, business email address, role/department, organisation, country.
- Account data: username, authentication data (hashed passwords if stored by Vendor, access tokens), subscription key used, seat allocations, last login time.
- Simulation interaction data: free-text responses, selections, scenario choices, timestamps, scores, grading outputs and feedback texts.
- Usage and telemetry data: feature usage, event logs, performance metrics, error messages.
- Audit and security logs: login attempts, IP addresses only for demo account creation/fraud prevention, consent and click-wrap acceptance events.
Special Categories of Data
The Platform is not intended to process special categories of data within the meaning of Article 9 GDPR (e.g. health data, religious beliefs) or criminal offence data. Customer shall instruct users not to enter such data into free-text fields. If such data is incidentally submitted, Vendor will take reasonable steps to delete it upon becoming aware of its presence, and will not intentionally use it for profiling or any other purpose.
Processing Operations
- Collection via user registration and interaction with the Platform;
- Storage, organisation and retrieval in databases and logs;
- Analysis (e.g. generating scores, feedback and aggregated analytics);
- AI-powered processing of conversation text inputs for leadership scenario simulations (via Vertex AI on Google Cloud Platform, within the EEA);
- Pseudonymisation/aggregation for analytics;
- Deletion or anonymisation following retention periods.
Duration
For the Subscription Term and the post-termination retention periods described in the Platform Terms.
Annex 2 – Technical and Organisational Measures (TOMs)
Vendor implements, among others, the following measures (adapted as needed over time):
- Access control: role-based access to production systems; unique user accounts; least-privilege principles; periodic access reviews.
- Authentication: strong authentication mechanisms for internal staff; password policies for Customer users.
- Infrastructure security: use of reputable cloud providers with physical and environmental security; network segmentation; firewalls and security groups.
- Encryption: encryption of data in transit using TLS; encryption at rest using industry-standard algorithms, where reasonably feasible.
- Logging and monitoring: logging of security-relevant events; automated alerts for suspicious activity; retention of logs for security analysis in line with the Platform Terms.
- Backup and recovery: regular backups of critical databases; tested restore procedures; geo-redundant or regionally redundant storage depending on provider.
- Development security: use of version control; code reviews; dependency management; vulnerability scanning; separation of development, staging and production environments where appropriate.
- Incident management: documented incident response process; defined roles and escalation paths; post-incident reviews.
- Organisational controls: confidentiality obligations for staff; security and privacy awareness training; policies covering acceptable use, device security and data handling.
Annex 3 – Authorised Sub-processors and Locations
Vendor uses the Sub-processors listed below, each providing infrastructure or services necessary to operate the Platform:
| Sub-processor | Service | Data Location(s) | Transfer Safeguard (if outside EEA) |
|---|---|---|---|
| Google Cloud Platform / Firebase | Hosting (Cloud Functions/Cloud Run), database (Cloud Firestore), authentication (Firebase Auth), file storage (Firebase Storage) | europe-central2 (Poland, EEA) | n/a (EEA) |
| Google Cloud – Vertex AI | Generative AI processing of conversation text inputs for leadership scenario simulations | europe-central2 (Poland, EEA) | n/a (EEA) |
| Google BigQuery | Analytics data warehouse, monitoring, telemetry, session/results data storage | europe-central2 (Poland, EEA) | n/a (EEA) |
| Vercel Inc. | Frontend hosting (Next.js application), edge network | Primarily EEA regions (Frankfurt, Amsterdam) with global CDN | Vercel EU infrastructure + DPA with SCCs |
| Gmail / Google Workspace | Transactional emails (demo requests, user notifications) via SMTP with OAuth2 | Google's global infrastructure (includes EU data centers) | Google Cloud DPA + SCCs + Article 49(1)(b) (contract performance) |
Vendor will keep this Annex up to date. Any changes to Sub-processors will be communicated in accordance with Clause 7 of this DPA.
END OF DATA PROCESSING AGREEMENT