This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service ("Terms") between MEGAMOUNT and the Customer.
This DPA applies to all users of the Services, whether they use a free or paid plan. A signed version may be provided upon request at privacy@index10.com.
The parties expressly acknowledge and agree that:
- This DPA does not establish a joint controllership arrangement under Article 26 of the GDPR
- Each party remains solely responsible for its own compliance with Data Protection Laws in respect of its separate processing activities
- MEGAMOUNT processes Customer Data solely on behalf of and under the instructions of the Customer
- MEGAMOUNT may process Service Data, log data, aggregated data, and de-identified data as an independent controller solely for analytics, security, billing, and product-development purposes
- MEGAMOUNT does not perform automated decision-making producing legal or similarly significant effects within the meaning of Article 22 of the GDPR
1. Definitions
Capitalized terms used in this DPA have the meaning assigned to them in the Terms. In addition:
- "Data Protection Laws": all applicable laws and regulations relating to data protection, including the GDPR, French implementing laws, and any other applicable law
- "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data
- "Customer Data": any personal data processed by MEGAMOUNT or its Sub-processors on behalf of the Customer in connection with the provision of the Services
- "Service Data": any data relating to the use, support and/or operation of the Services, collected directly by MEGAMOUNT from and/or about users of the Services or the Customer's use of the Services, for MEGAMOUNT's own purposes
- "Data Subject": a natural person whose personal data is processed
- "Data Breach": a confirmed breach of MEGAMOUNT's security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data in MEGAMOUNT's possession, custody or control
- "Sub-processor": any processor engaged by MEGAMOUNT to process Customer Data on behalf of the Customer
- "Standard Contractual Clauses" or "SCCs": the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, based on Commission Decision (EU) 2021/914 of 4 June 2021
The terms "controller", "processor", "data subject", "processing", "personal data", and "personal data breach" shall have the same meanings as set out in Article 4 of the GDPR.
For Customer Data: the Customer acts as a controller and MEGAMOUNT acts as a processor.
2. Subject Matter, Activities and Duration
- MEGAMOUNT shall process Customer Data only on the Customer's documented instructions as defined in Annex 1
- MEGAMOUNT may refuse, suspend, or propose commercially reasonable alternatives to any instruction it reasonably believes would breach this DPA, Data Protection Laws or materially compromise the security, confidentiality, availability, or performance of the Services
- MEGAMOUNT shall retain Customer Data transmitted through the Services as set forth in Annex 1. Data retention periods for other services shall be as specified in the applicable Terms
- This DPA shall remain in effect for the duration of the Terms
3. Customer Obligations
- In its capacity as a controller, the Customer confirms that it is entitled to provide access to Customer Data and shall maintain throughout the term all necessary rights, consents and authorizations. The Customer has a lawful basis and any necessary approvals from Data Subjects for MEGAMOUNT's performance of the Services
- The Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which the Customer acquired personal data
- The Customer shall comply with all applicable Data Protection Laws. Without prejudice to MEGAMOUNT's obligations in this DPA, the Customer acknowledges that it is responsible for certain configurations and design decisions for the Services and is responsible for implementing those configurations and design decisions in a secure manner that complies with Data Protection Laws
- The Customer shall reasonably cooperate with MEGAMOUNT to assist in performing any of its obligations with regard to any requests from Data Subjects and will reimburse MEGAMOUNT for any reasonable, documented costs incurred
- The Customer agrees that, without limiting MEGAMOUNT's obligations, the Customer is solely responsible for its use of the Services, including:
  - Making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of Customer Data
  - Securing account authentication credentials, systems and devices used to access the Services
  - Backing up Customer Data
- The Customer agrees that the Services, the Security Measures provided by MEGAMOUNT, and MEGAMOUNT's commitments under this DPA are adequate to meet the Customer's needs, including with respect to any security obligations under Data Protection Laws, and provide a level of security appropriate to the risk in respect of Customer Data
- The Customer is solely responsible for the security, testing, validation and compliance of any application, code, infrastructure or configuration generated, deployed or published using the Services, including those generated by artificial intelligence. MEGAMOUNT does not warrant the absence of vulnerabilities, bugs, security flaws or GDPR non-compliance in generated applications.
- The Customer shall not provide any data classified as sensitive to MEGAMOUNT. For the avoidance of doubt, the Customer agrees not to upload, input, or otherwise provide any protected health information, financial account numbers, government identifiers, biometric data, or any other sensitive categories of data
4. MEGAMOUNT's Obligations
- MEGAMOUNT shall process personal data solely in accordance with the Customer's documented instructions, for the following limited purposes:
  - Performance of the Services under the terms of the Terms
  - Setting up, operating, and monitoring the underlying infrastructure required to provide the Services
  - Processing initiated by authorized users of the Customer in their use of the Services
  - Executing documented instructions of the Customer provided such instructions relate to and are consistent with the Services
  - Addressing service issues or technical problems
  - Meeting any express requirement under Data Protection Laws, in which case MEGAMOUNT shall inform the Customer of that legal requirement before processing, unless prohibited by law
- MEGAMOUNT will report to the Customer without undue delay any request, demand or order received from a competent supervisory authority or a Data Subject relating to the processing of personal data on the Customer's behalf
- Subject to applicable legal retention obligations, upon termination of the Terms, MEGAMOUNT will return to the Customer or delete any personal data that has been processed on the Customer's behalf under this DPA
- MEGAMOUNT will only rely on personnel who are contractually or by statutory obligation bound to maintain confidentiality and take reasonable steps to ensure that access to personal data is limited to those personnel who require such access
- MEGAMOUNT will promptly inform the Customer if, in its opinion, any instruction or request violates Data Protection Laws, and MEGAMOUNT disclaims any obligation or liability with regard to any such instructions or requests
- MEGAMOUNT shall implement appropriate technical and organizational measures intended to ensure a level of security appropriate to the risk
- Taking into account the nature of the processing and the information available, MEGAMOUNT shall assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, including with respect to data security, breach notification, data protection impact assessments (DPIAs) and prior consultation with the supervisory authority
- MEGAMOUNT shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. The Customer shall submit any audit request with reasonable notice of at least thirty (30) business days to privacy@index10.com. Audits shall be carried out during normal business hours, without disrupting MEGAMOUNT's operations, and the Customer shall bear the reasonable costs associated with the requested assistance. MEGAMOUNT may refuse any auditor who is a direct competitor or require a prior confidentiality agreement. The Customer may also, in lieu of an on-site audit, accept an independent audit report or certification provided by MEGAMOUNT
5. Security
In connection with its processing of personal data, MEGAMOUNT shall provide and maintain appropriate administrative, physical, technical and organizational security measures, which are intended to protect personal data against accidental or unauthorized loss, destruction, alteration, disclosure or access, including:
- Encryption of communications (TLS)
- Access controls and authentication systems
- Data hosting within the European Union (EU-North and EU-Central)
- Technical monitoring and logging
- Isolation of user project execution environments
The Customer acknowledges and agrees that no system is completely secure and that MEGAMOUNT does not warrant the complete absence of vulnerabilities or the absolute impossibility of a data breach.
The Customer remains solely responsible for evaluating the adequacy of the security measures to its own needs, regulatory requirements and contractual obligations.
6. Data Breach Notification
- MEGAMOUNT will inform the Customer without undue delay after confirming a Data Breach affecting Customer Data, following this process:
  - MEGAMOUNT shall investigate the breach and take reasonable measures to identify its root cause(s), where such breach is caused by MEGAMOUNT or a MEGAMOUNT Sub-processor
  - As information is collected or becomes available, to the extent legally permitted, MEGAMOUNT shall provide the Customer with a description of the Data Breach, the type of data involved, and other information the Customer may reasonably request concerning affected Data Subjects
  - MEGAMOUNT will provide the Customer with follow-up reports on a timely basis, as reasonably requested by the Customer
- MEGAMOUNT's notification of or response to a Data Breach shall not be construed as MEGAMOUNT's acknowledgement of any fault or liability with respect to the Data Breach
- The obligations set out above will not apply to the extent that the Data Breach is caused by the Customer, the Customer's Affiliates or anyone acting for the Customer
7. Sub-processing
- MEGAMOUNT shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors through updating the list available in Annex 2. This list is updated at least annually
- MEGAMOUNT may continue to use those Sub-processors already engaged as of the date of this DPA
- In the event that the Customer does not wish to consent to the use of a new Sub-processor, the Customer may notify MEGAMOUNT within twenty (20) business days, stating reasonable grounds relating to the protection of Customer Data by contacting privacy@index10.com
- In such cases, the Customer and MEGAMOUNT shall work together in good faith to find a mutually acceptable resolution. If the parties are unable to reach a resolution within a reasonable timeframe, the Customer may, as its sole and exclusive remedy, terminate the Terms by providing written notice to MEGAMOUNT and receive a pro-rata refund of any prepaid fees
- Where MEGAMOUNT engages another processor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract
8. International Data Transfers
- MEGAMOUNT shall not transfer Customer Data to a third country or international organization unless:
  - The transfer is to a country or organization that has been deemed to provide an adequate level of protection by the European Commission or applicable regulatory authority
  - The transfer is covered by appropriate safeguards such as standard data protection clauses, approved codes of conduct, or certification mechanisms
  - The Customer has given its explicit consent to the transfer after having been informed of the potential risks
- For transfers outside the EEA, the parties agree that such transfers are made pursuant to the SCCs (Module 2 — controller to processor), with France as the reference Member State, which are deemed incorporated into this DPA by reference
- MEGAMOUNT represents, to its knowledge and as of the date of this DPA:
  - That it has not received any formal legal requests from any government intelligence or security service for access to Customer Data
- If, after the date of this DPA, MEGAMOUNT receives any such request, it shall attempt to redirect the government agency to request that data directly from the Customer and shall give the Customer reasonable notice of the demand, unless legally prohibited from doing so
9. Service Data
- The Customer acknowledges and agrees that MEGAMOUNT may collect, use and disclose Service Data for its own business purposes, including:
  - Accounting, tax, billing, audit, and compliance purposes
  - To provide, improve, develop, optimize and maintain the Services; to investigate fraud, spam, wrongful or unlawful use of the Services
  - For analytics, security and platform improvement purposes
  - As otherwise permitted or required by Data Protection Laws
- For the avoidance of doubt, Service Data is not "Customer Data" and the obligations set out in this DPA do not apply to MEGAMOUNT's processing of Service Data. MEGAMOUNT may retain Service Data for as long as it has a legitimate business need, may disclose Service Data to its Affiliates and Sub-processors for the purposes set out in this Section, and may create, commercialize, and publish anonymized, aggregated, or de-identified data from Service Data, provided that such data does not identify the Customer or any individual Data Subject
- The Customer acknowledges that no royalty, fee, or other remuneration is due for MEGAMOUNT's processing of Service Data under this Section, and the Customer has no right to opt out of such processing so long as it remains a customer of the Services
10. Use of Customer Data for Artificial Intelligence and Machine Learning
- MEGAMOUNT shall not use any Customer Data for the purpose of training, retraining, fine-tuning, or otherwise developing any of its own Artificial Intelligence (AI) or Machine Learning (ML) models
- Customer Data shall be processed solely for the purposes of providing, maintaining, securing, and supporting the Services as described in this DPA, in accordance with documented instructions and applicable data protection laws
- MEGAMOUNT uses third-party AI providers (Anthropic, OpenAI) for code generation and image generation. User prompts and content are transmitted to these providers and processed in accordance with their respective commercial terms, with retention periods of up to 30 days for security, abuse prevention and compliance purposes. The Customer is hereby informed and expressly accepts that MEGAMOUNT acts as a technical intermediary and that each AI provider's subsequent use of data is the sole responsibility of that provider in accordance with its own privacy policies and contractual terms
- MEGAMOUNT may process de-identified and aggregated information derived from Customer Data (Service Data) only for statistical reporting, security analysis, or operational insights—provided that such information cannot be used to identify the Customer, its end users, or any natural person, and is not used for AI/ML training
11. Return and Deletion
- Upon termination of the Terms, MEGAMOUNT shall immediately discontinue all processing of Customer Data, other than secure storage or any processing expressly permitted under this DPA
- Within thirty (30) calendar days after the termination of the Terms, the Customer may instruct MEGAMOUNT, in writing, to return or delete all Customer Data then in MEGAMOUNT's possession or control, unless Data Protection Laws require storage of Customer Data
- If no such instruction is received within thirty (30) calendar days, MEGAMOUNT may, at its discretion, permanently delete or irreversibly anonymize Customer Data in accordance with the retention periods defined in Annex 1
- Should manual data export or custom deletion procedures require more than two (2) person-hours of effort, MEGAMOUNT reserves the right to invoice the documented costs at professional-services rates applicable at the time of the request, subject to any restrictions imposed by Data Protection Laws
12. Governing Law and Jurisdiction
This DPA, and any non-contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with French law.
13. Indemnity
- The Customer undertakes to defend, indemnify and hold harmless MEGAMOUNT and its affiliates against any third-party claim, investigation, fine, loss or reasonable legal expense resulting exclusively from: (i) the Customer's own instructions, configurations or design choices, (ii) the Customer's failure to establish or maintain a valid legal basis or to obtain the required consents, (iii) the provision of data to MEGAMOUNT in the circumstances described in Section 3, or (iv) any violation of this DPA or of applicable data-protection legislation attributable to the Customer. For the avoidance of doubt, this obligation does not extend to any failure, negligence or fault on the part of MEGAMOUNT in discharging its own obligations. MEGAMOUNT shall promptly notify the Customer in writing and provide reasonable cooperation; the Customer may assume conduct of the defence but shall not accept any settlement that acknowledges liability on the part of MEGAMOUNT or imposes non-monetary obligations on MEGAMOUNT without MEGAMOUNT's prior written agreement
- To the maximum extent allowed by applicable law, the Customer waives any right of recourse and shall defend, indemnify and hold harmless MEGAMOUNT against any claim, fine or loss resulting from the Customer's own failure to implement or maintain the security measures set out in this DPA
14. Limitation of Liability
- The Parties' liability under this DPA shall be limited in accordance with the provisions of the Terms of Service
- The Parties acknowledge and agree that neither Party shall have an obligation to indemnify the other Party for any administrative fines imposed by a supervisory authority or a court under Data Protection Laws
- Neither Party shall, under any circumstances, be liable to the other for any loss of profits, revenue, goodwill, business opportunity, business interruption, loss, alteration or corruption of data, or for any indirect, special, incidental, punitive, exemplary or consequential damages of any kind, regardless of the legal theory invoked and even if the Party had been notified of the possibility of such damages. These limitations apply cumulatively across both this DPA and the Terms, regardless of how many claims are brought or their nature, and remain in effect even if any limited remedy fails its essential purpose
- The limitations and exclusions set out in this Section do not apply to indemnification obligations owed by either Party under this DPA or the Terms of Service
- To the maximum extent permitted by law, MEGAMOUNT does not warrant any specific level of security. The Services are provided "AS IS". MEGAMOUNT's total liability shall in no event exceed the amounts actually paid by the Customer to MEGAMOUNT in the 12 months preceding the event giving rise to the claim.
15. Miscellaneous
- In the event of inconsistencies between the provisions of this DPA and the Terms, the provisions of this DPA shall prevail
- If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force, and the Parties shall replace the invalid provision with a valid one that most closely reflects the Parties' original intent
- The Parties agree that this DPA, together with the Terms of Service and the policies incorporated therein by reference, constitutes the entire understanding between the Parties with respect to the processing of personal data and supersedes all prior agreements or understandings, whether written or oral, relating to such processing. In case of conflict between the DPA and the Terms, the DPA prevails solely with respect to data processing matters
Contact
For any questions regarding this DPA or data protection, you may contact:
Email: privacy@index10.com
Address: MEGAMOUNT, 30 BOULEVARD DE SEBASTOPOL, 75004 PARIS, France
Annex 1: Description of Processing
Parties
Data exporter:
- Name: The Customer (the natural or legal person who accepted the Index 10 Terms of Service)
- Address: As provided during registration
- Role: Controller
Data importer:
- Name: MEGAMOUNT
- Address: 30 BOULEVARD DE SEBASTOPOL, 75004 PARIS, France
- Contact: privacy@index10.com
- Role: Processor
Subject matter of processing
Provision of the Index 10 platform enabling the generation of web applications through artificial intelligence, including hosting, storage, code generation, deployment and project management.
Nature of processing
Collection, recording, organization, structuring, storage, consultation, use, communication, erasure of data.
Purposes of processing
- Provision of Index 10 Services, including account creation and billing
- Code and application generation via artificial intelligence
- Hosting and deployment of user projects
- Technical support and maintenance
- Fraud prevention and abuse detection
Categories of data
- Identification data (first name, last name, email address)
- Account and authentication data (credentials, session tokens)
- Generated content (source code, prompts, AI conversations)
- Project data (file structure, configurations, installed modules)
- Collaboration data (invitations, permissions, team roles)
- Billing data (payment details via Stripe, payment history)
- Technical data (IP addresses, user-agent, cookies, session identifiers)
- Technical logs and usage metadata (access logs, error events, performance metrics)
- Cloud hosting data (database schemas, stored files, Index10 Cloud resource consumption metrics)
Categories of data subjects
- Users of the Index 10 platform and their collaborators (application creators, project managers, technical or non-technical teams, freelancers, employees, contractors, or any other person authorized by the Customer)
- End users of applications generated by Customers (if applicable)
Retention period
- Customer Data: Retained for the duration of the Terms and deleted upon written request from the Customer within 30 days following termination, unless legally required to retain
- Prompts and conversations: Retained while the account is active, unless deletion is requested by the Customer
- Service Data: Retained indefinitely in anonymized and aggregated form
- Security logs: Retained for a maximum period of 90 days, unless legally required otherwise
Annex 2: List of Sub-processors
MEGAMOUNT engages the following sub-processors for the provision of the Services:
| Sub-processor | Service provided | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, project hosting, managed cloud hosting for user projects via Supabase for Platforms (Index10 Cloud) | EU-North (platform), EU-Central (projects) |
| Anthropic PBC | AI code generation | United States |
| Vercel Inc. | Deployment of generated applications | Global (CDN) |
| Stripe, Inc. | Payment processing | United States, European Union |
| Resend, Inc. | Transactional email sending | United States |
| Upstash, Inc. | Caching and rate limiting | Global |
| DigitalOcean, LLC | Project preview isolation | Global |
| Cloudflare, Inc. | DNS management and CDN | Global |
| OpenAI, Inc. | Image generation and complementary AI models | United States |
This list is updated regularly. For the most recent list, contact privacy@index10.com.
For transfers outside the European Economic Area, MEGAMOUNT ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, such as Standard Contractual Clauses or an adequacy decision of the European Commission.