This Data Processing Addendum (“DPA”) forms part of the Service Agreement / Terms of Service (“Agreement”) between ClearNetCrop, Inc holder of Seleqt.ai (“Processor”) and the customer (“Controller”). It applies when Processor processes Personal Data on behalf of Controller under the Agreement.

1. Roles and Processing Instructions

The Processor processes personal data solely as a processor on behalf of the Controller and only on the Controller’s documented instructions, unless required by applicable law (in which case the Processor informs the Controller beforehand, unless prohibited).
The Processor shall not process personal data for its own purposes, including no independent commercial reuse, and shall adhere strictly to purpose limitation.

2. Subject-Matter, Duration, Nature and Purpose

The subject-matter and duration of the processing are as set out in the main agreement.
The nature and purpose of the processing are to provide the SaaS platform services.
The types of personal data and categories of data subjects are limited to those necessary for the services (e.g., contact data, account data, usage data). These are described in more detail in the main agreement.

3. Security of Processing

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include encryption, access controls, logging, and monitoring (as further detailed in the Processor's security documentation or the main agreement, where applicable). The Processor may update these measures provided the overall level of protection is not materially decreased.

4. Confidentiality

The Processor shall ensure that persons authorized to process personal data (including personnel and contractors) are bound by confidentiality obligations or appropriate statutory duties.

5. Sub-processors

The Processor may engage sub-processors only with prior general or specific written authorisation from the Controller.
If authorized, the Processor shall impose the same data protection obligations on sub-processors as set out in this DPA and remain fully liable for their compliance.
The Processor shall notify the Controller of any new sub-processor engagement at least 15 days in advance (via update to the list or direct notice). The Controller may object on reasonable grounds related to data protection within 15 days; the parties shall discuss in good faith, and if unresolved, the Controller may terminate the affected services as its sole remedy.

6. Assistance with Data Subject Rights

The Processor shall assist the Controller, where possible and taking into account the nature of the processing, in responding to data subject requests under Chapter III GDPR (e.g., access, rectification, erasure). This includes prompt notification of any received request and technical/organizational measures to enable response (without responding directly unless legally required).

7. Assistance with Controller Obligations

The Processor shall assist the Controller, taking into account the nature of the processing, in complying with obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).

8. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay and, where feasible, no later than 72 hours after becoming aware of a personal data breach affecting Controller data.
The notification shall include: the nature of the breach; categories and approximate number of data subjects and personal data concerned; likely consequences; and measures taken or proposed to address the breach and mitigate effects.

9. Data Deletion or Return

At the end of the provision of services (or earlier upon termination), at the Controller’s choice, the Processor shall delete or return all personal data to the Controller and delete existing copies, unless Union or Member State law requires storage. Reasonable assistance for data export/transition may be provided.

10. Audit and Compliance Information

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Article 28 GDPR.
The Processor shall contribute to audits or inspections by the Controller or an authorised auditor, subject to reasonable conditions (e.g., advance notice of at least 30 days, confidentiality, no disruption to business, limited frequency unless grounds exist).

11. International Transfers

Any transfer of personal data to a third country or international organization shall be subject to appropriate safeguards under Chapter V GDPR, such as Standard Contractual Clauses (SCCs), adequacy decisions, or (where applicable) the EU–US Data Privacy Framework. The parties agree to execute or incorporate the relevant SCCs/module as needed for Restricted Transfers.

12. General

This DPA shall be governed by the laws of the state of Illinois, USA (consistent with the main Agreement), unless applicable data protection laws (including the GDPR) require otherwise for matters of GDPR compliance.
The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection laws.
In case of conflict between this DPA and the main agreement on data protection matters, this DPA prevails to the extent required for compliance.