Data Processing Agreement

Effective Date: May 27, 2026 · Last Updated: June 5, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Lexonica Inc. ("Processor," "we," "us") and the customer ("Controller," "you") who uses the ReputationCalc platform (the "Service").

This DPA applies where and to the extent Lexonica processes Personal Data on behalf of the Controller in the course of providing the Service, and such processing is subject to applicable Data Protection Laws.

1. Definitions

• "Data Protection Laws" means GDPR, UK GDPR, PIPEDA, CCPA/CPRA, and any other applicable data protection legislation.
• "Personal Data" means any information relating to an identified or identifiable natural person processed by Lexonica on behalf of the Controller through the Service.
• "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
• "Sub-processor" means any third party engaged by Lexonica to process Personal Data on behalf of the Controller.
• "Data Breach" means any unauthorized or unlawful access to, or acquisition, disclosure, or loss of, Personal Data.

2. Scope and Roles

The Controller determines the purposes and means of processing Personal Data submitted to the Service. Lexonica acts solely as Processor, processing Personal Data on behalf of and under the documented instructions of the Controller, except where required by applicable law.

Lexonica shall have no independent responsibility for determining the purposes or legality of processing. The Controller retains sole responsibility for compliance with applicable Data Protection Laws with respect to Personal Data submitted to the Service, including the lawfulness of collection, the accuracy of data, the provision of required notices, and the obtaining of required consents.

Where Lexonica reasonably believes that a Controller's processing instruction infringes applicable Data Protection Laws, Lexonica shall promptly notify the Controller and may suspend processing of the affected Personal Data until the Controller provides clarification or amended instructions. Lexonica shall not be liable for any delay or failure to process resulting from such suspension.

3. Details of Processing

Data Accuracy

Personal Data processed through the Service — particularly data obtained from third-party sanctions databases, adverse media sources, court records, and company registries — may be inaccurate, incomplete, outdated, or contain errors. Screening results may produce false positives or false negatives. Lexonica does not independently verify the accuracy of third-party data and makes no representations or warranties regarding such data. The Controller is solely responsible for independently verifying all processing outputs before making any compliance, legal, or business decision.

4. Controller Obligations

The Controller shall:

• Ensure it has a lawful basis under applicable Data Protection Laws for submitting Personal Data to the Service
• Provide any required notices to, and obtain any required consents from, Data Subjects whose Personal Data is processed through the Service
• Ensure that its instructions to Lexonica comply with applicable Data Protection Laws
• Be solely responsible for the accuracy, quality, legality, and relevance of the Personal Data submitted
• Respond to and fulfill all Data Subject requests relating to Personal Data the Controller has submitted to the Service
• Maintain its own compliance program and independent legal counsel as necessary for its regulatory obligations

The Controller assumes full responsibility and liability for the legality, accuracy, and use of Personal Data, including any decisions, actions, or outcomes based on processing performed by Lexonica through the Service. Lexonica does not guarantee that the Service or its processing activities will ensure the Controller's compliance with applicable Data Protection Laws. The Service is designed to assist — not replace — the Controller's own compliance programs, and does not constitute legal, regulatory, or compliance advice.

5. Processor Obligations

Lexonica shall:

• Process Personal Data only in accordance with the Controller's documented instructions, unless required by applicable law to do otherwise
• Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations
• Implement and maintain commercially reasonable technical and organizational security measures as described in our Privacy Policy
• Assist the Controller, at the Controller's cost and using commercially reasonable efforts, in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible and proportionate
• Assist the Controller, at the Controller's cost and using commercially reasonable efforts, in ensuring compliance with obligations related to data protection impact assessments and prior consultations with supervisory authorities, where applicable and to the extent that such assistance relates to the processing performed by Lexonica
• At the Controller's choice, delete or return all Personal Data upon termination of the Service, except where retention is required by applicable law
• Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA

Security Disclaimer

While Lexonica implements commercially reasonable security measures, Lexonica does not guarantee that the Service will be secure or free from unauthorized access, data breaches, vulnerabilities, or other security threats. The limitations of liability set out in Section 10 of this DPA and in the Terms of Service apply to all security-related matters. For the avoidance of doubt, Lexonica shall not be liable for Data Breaches caused by the Controller's own security practices, the Controller's failure to maintain the confidentiality of its credentials, or the independent actions of third parties beyond Lexonica's reasonable control.

6. Sub-processors

The Controller provides general written authorization for Lexonica to engage Sub-processors. Lexonica maintains the following Sub-processors:

Lexonica will notify the Controller of any intended addition or replacement of Sub-processors by updating this page. If the Controller has a reasonable objection, the Controller may contact us within 30 days of notification. Where the objection cannot be resolved, the Controller may terminate the affected Service.

Lexonica shall impose on each Sub-processor data protection obligations no less protective than those in this DPA. However, Lexonica shall not be liable for the independent acts, omissions, or failures of Sub-processors, provided that Lexonica has complied with its Sub-processor selection and oversight obligations under this DPA. To the extent permitted by law, claims arising from a Sub-processor's independent acts or omissions shall be directed to the Sub-processor.

7. International Data Transfers

Where Personal Data is transferred to a jurisdiction outside the Controller's jurisdiction, Lexonica implements appropriate safeguards as described in Section 10 of our Privacy Policy, including Standard Contractual Clauses where required.

8. Data Breach Notification

Lexonica shall notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Data Breach affecting Personal Data processed under this DPA. The notification shall include:

• A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected
• The name and contact details of the point of contact for further information
• A description of the likely consequences of the Data Breach
• A description of the measures taken or proposed to address the Data Breach and mitigate its effects

9. Audits

Lexonica shall make available to the Controller, upon reasonable written request and subject to appropriate confidentiality obligations, information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct an audit (or appoint a qualified third-party auditor) no more than once per year, with at least 30 days' prior written notice, during normal business hours, and at the Controller's expense.

Audits shall be subject to the following conditions:

• Audits shall not include access to systems, data, or information belonging to other customers of Lexonica
• Auditors shall not have access to trade secrets, proprietary algorithms, security configurations, or source code
• Audits must not unreasonably disrupt Lexonica's normal business operations
• Third-party auditors must execute a confidentiality agreement acceptable to Lexonica before commencing any audit activities
• Lexonica may, at its sole discretion, satisfy audit requests by providing relevant third-party certifications, audit reports (e.g., SOC 2), or written attestations in lieu of on-site access

10. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

Controller Indemnification. The Controller shall indemnify, defend, and hold harmless Lexonica, its officers, directors, employees, and agents from and against any and all claims, demands, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising from or related to:

• The Controller's breach of applicable Data Protection Laws
• The Controller's breach of its obligations under this DPA
• The Controller's processing instructions that violate applicable law
• Any regulatory investigation, enforcement action, or third-party claim resulting from the Controller's use of the Service or the Personal Data submitted by the Controller
• The Controller's failure to maintain a lawful basis for processing, to provide required notices, or to obtain required consents

This indemnification obligation survives termination of this DPA and is in addition to (and does not limit) the indemnification obligations in the Terms of Service.

11. Term and Termination

This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination, Lexonica shall delete or return all Personal Data within 90 days, unless retention is required by applicable law, in which case the retained data will continue to be protected under this DPA.

12. Governing Law

This DPA is governed by the same law that governs the Terms of Service (the laws of the Province of New Brunswick and the federal laws of Canada).

13. Contact

For questions about this DPA or to exercise rights related to data processing, please contact:

Lexonica Inc.
New Brunswick, Canada
Email: tim@lexonica.com

14. Processing of Publicly Available Data

The parties acknowledge that the Service generates reputation reports by aggregating publicly available information from third-party sources. With respect to such processing:

Scope of Processing

• The Service is designed exclusively for generating reports on legal entities (companies, organizations, government bodies). Reports may incidentally reference natural persons in their professional capacity in connection with the entity being analyzed;
• The Processor (Lexonica Inc.) collects data exclusively from publicly accessible sources and does not obtain personal data through covert means, data brokers, or non-public channels;
• The Controller is solely responsible for ensuring their use of the Service and any reports comply with applicable law, including data protection law regarding any natural persons incidentally referenced in entity reports.

AI Sub-Processing and Accuracy

• The Processor uses third-party AI model providers (sub-processors) to analyze and summarize publicly available data. These AI models may produce inaccurate, incomplete, or fabricated outputs;
• The Processor does not warrant the accuracy of AI-generated content and cannot be held responsible for errors, hallucinations, or misrepresentations introduced by AI sub-processors;
• The Controller acknowledges that AI-generated reports are informational summaries, not verified statements of fact, and agrees to independently verify any information before acting upon it.

Limitation of Liability for Third-Party Content

To the maximum extent permitted by applicable law, the Processor shall not be liable to the Controller, any data subject, or any third party for:

• Inaccurate, outdated, or defamatory information originating from publicly available third-party sources;
• AI-generated inaccuracies, hallucinations, or mischaracterizations;
• Any use, distribution, or reliance on reports by the Controller or any recipient with whom the Controller shares report content;
• Claims by screened entities or individuals based on the content of reports generated at the Controller's request.

Controller Indemnification

The Controller agrees to indemnify, defend, and hold harmless the Processor from any claims, damages, or expenses arising from: (a) the Controller's decision to generate a report about a specific entity or individual; (b) the Controller's distribution or use of report content; (c) any violation of applicable data protection law by the Controller in connection with their use of reports.

---

By using ReputationCalc, you acknowledge that this Data Processing Agreement applies to your use of the Service where Lexonica processes Personal Data on your behalf.