Data Processing Addendum

Overview

This Data Processing Addendum (“Addendum”) supplements the Terms of Use and any other applicable agreement (the “Agreement”) between Zypsy Inc. d/b/a Levian (“Levian” or “Processor”) and the Customer (“Controller”). This Addendum applies to Levian’s processing of Personal Data in connection with the Services.

1. Purpose and Roles

Levian acts as a data processor, processing Personal Data solely on behalf of and in accordance with the Customer’s instructions, and as necessary to provide, maintain, and improve the Services. The Customer is the data controller. Both parties agree to comply with their respective obligations under applicable data protection laws, including GDPR, UK GDPR, and CCPA/CPRA.

2. Scope of Processing

Levian processes Personal Data only as necessary to provide, maintain, and improve its services under the Agreement.

Data categories may include: identifiers (e.g., name, email), account information, usage data, uploaded files, and interaction logs.

Exclusions — Levian’s Services are not intended for, and Levian will not be liable for, processing of sensitive or special categories of data, regulated data, or data subject to sector-specific regulations (including health, biometric, insurance, educational, government, or minors’ data, social security numbers, government-issued IDs, or payment card numbers). The Customer agrees not to submit such data unless Levian has expressly agreed in writing, and is responsible for any consequences arising from such submission.

3. Subprocessors

Levian uses third-party service providers (“Subprocessors”) to host, operate, secure, and improve the Services. Current Subprocessors may include cloud hosting, database, authentication, AI model, monitoring, email, and productivity providers.

A current list of Subprocessors is available on request. Customers will be notified of material changes to the Subprocessor list and may object within 10 days based on reasonable grounds.

4. Data Subject Rights

Levian will provide reasonable assistance to the Customer in responding to requests by data subjects, such as access, deletion, or correction of Personal Data, as required under GDPR or CCPA.

5. Return or Deletion of Data

Upon written request or termination of the Agreement, Levian will delete or return Personal Data, subject to retention periods required by law or for security, backup, audit, or other legitimate business purposes. Deletion from backup systems may occur on a delayed cycle.

6. Cross-Border Transfers

If Personal Data is transferred outside the EU/UK, Levian will implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or other legal mechanisms.

7. Security

Levian maintains reasonable technical and organizational security measures appropriate to the risk, which may include encryption, access controls, audit logging, and employee confidentiality obligations.

8. Use of Data for Service and Model Improvement

Levian may process Customer data, including uploaded financial statements, transaction exports, and business files, to provide, secure, maintain, support, and improve the Services.

Levian may use data derived from Customer data for product analytics, benchmarking, service improvement, and improvement of Levian Models only after such data has been anonymized, de-identified, aggregated, or otherwise transformed so that it does not reasonably identify the Customer, its users, individuals, or specific uploaded files.

Levian will not use Customer-identifiable uploaded files to train third-party AI models for the third-party provider’s own purposes, unless expressly disclosed and agreed in writing.

This use is subject to applicable opt-outs and the terms of the Agreement. Enterprise or negotiated agreements may further restrict or prohibit such use.

9. Breach Notification

Levian will notify the Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and will provide available details to support mitigation or regulatory reporting.

10. Customer Obligations

The Customer is responsible for ensuring it has all necessary rights and lawful bases to provide Personal Data to Levian and to use the Services as intended, including not submitting restricted or regulated data.

11. Liability

Levian’s liability under this Addendum is subject to the limitations and exclusions set forth in the Agreement.

12. Miscellaneous

This Addendum prevails over any conflicting terms in the Agreement relating to Personal Data processing. This Addendum may be amended in writing by both parties.