Terms of Service

v1.2 Updated November 19, 2025

WingRep Master Subscription Agreement

This Master Subscription Agreement (the “Agreement”) consists of these terms, each Order Form and all exhibits and amendments of any of the foregoing. The parties agree to be bound by the terms herein on execution of or electronic consent to each Order Form.

1.     Defined Terms.

          1.1     “Account Data” means information about Customer or its Users that Customer or its Users provide to WingRep in connection with the creation or administration of a WingRep account. For example, Account Data includes names, email addresses, phone numbers, and billing information associated with a WingRep account, but does not include Customer Content.

          1.2     “Customer Content” means, other than Service Metrics and Account Data, all Input and other information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Customer or any User through the Service.

          1.3     “Documentation” means the operator, user, and technical manuals and documentation made available in connection with the Service.

          1.4     “Fees” means all fees payable by Customer to WingRep identified on each Order Form.

          1.5     “Input” means a User’s interaction, request or input to influence the Output.

          1.6     “Order Form” means each order form, statement of work or comparable document regarding the provision of the Service that has been executed by WingRep and Customer.

          1.7     “Output” means output (including Output and content) provided to Customer or any User in response to Customer’s Input.

          1.8     “Service(s)” means WingRep’s proprietary software-as-a-service offering, as described on each Order Form. 

          1.9     “Service Metrics” means data and information related to Customer’s or its Users’ use of the Service that is used by WingRep in an aggregate and/or de-identified manner such that it does not identify an individual or Customer, and for which WingRep has implemented technical safeguards and business processes to prohibit reidentification of such data.

          1.10     “Services” means professional services specific to WingRep and its affiliates provided to Customer pursuant to the applicable Order Form(s).

          1.11     “Subscription Term” means the period of Customer’s subscription to use the Service identified on each Order Form.

          1.12     “Users” means Customer’s employees, consultants, contractors, end users and agents who are authorized by Customer to use the Service in accordance with this Agreement.

2.    Access and Use.

          2.1     Access. Subject to and conditioned on Customer’s compliance with this Agreement, WingRep hereby grants Customer and its affiliates a non-exclusive, non-transferable (except in compliance with Section 10.4) right during each Subscription Term identified on each Order Form for Customer and its Users to access and use the Service solely for internal purposes in connection with Customer’s authorized use of the Service. 

          2.2     Restrictions. Customer shall not use or make the Service for any purposes beyond the scope of the access granted in this Agreement and the applicable Order Form. Without limiting the generality of the foregoing, except as expressly agreed by WingRep and Customer in this Agreement or the applicable Order Form, Customer shall not, and shall not permit any Users to: (a) copy, modify, or create derivative works of the Service, in whole or in part; (b) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Service, in whole or in part; (c) frame, mirror, sell, resell, market, sublicense, publish, distribute, reproduce, assign, transfer, rent, lease or loan any portion of the Service to any other person or entity, or otherwise allow any person or entity to use the Service for any purpose other than for the benefit of Customer in accordance with this Agreement; (d) remove proprietary notices from the Service; (e) use the Service in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property or other right of any person, or that violates any applicable laws or regulations; (f) access or search the Service (or download any data or content contained therein or transmitted thereby) through the use of any engine, software, tool, agent, device or mechanism (including spiders, robots, crawlers or any other similar data mining tools) other than software or Service features provided by WingRep for use expressly for such purposes; or (g) use the Output, Service, Documentation or any other WingRep Confidential Information for benchmarking or competitive analysis with respect to competitive or related products or services, or to develop, commercialize, license or sell any product, service or technology that could, directly or indirectly, compete with the Service.

          2.3     Disclosures. Customer represents and warrants that at all times during the Subscription Term it will provide its end users of the Service with sufficient notice of: (a) their interaction with an AI system rather than a human (for instance, by referring to an “AI powered virtual agent”) in the end user chat interface; and (b) the recording of end user interactions as contemplated by the Agreement, which shall include incorporation of a Consumer Recording Notice (as defined below) in the end user chat interface. For the purpose of this paragraph, “Consumer Recording Notice” means an adequate notice to end users of the recording of their interactions with the Service, as required by law.

          2.4     Suspension. Notwithstanding anything to the contrary in this Agreement, WingRep may temporarily suspend Customer’s and any User’s access to any portion of the Service for a suspected or actual breach of this Agreement. WingRep shall use commercially reasonable efforts to provide written notice of any suspension to Customer and to provide updates regarding resumption of access to the Service following any suspension. Although WingRep does not monitor Customer Content, if WingRep becomes aware of any Customer Content that WingRep reasonably believes is in violation of this Agreement, WingRep may investigate the allegation and determine in its sole discretion whether to act (including removal or disabling of access to Customer Content), but has no liability or responsibility to a User to do so. Customer agrees to cooperate with WingRep in good faith in any such investigation upon WingRep’s request.

          2.5     Customer Responsibilities. 

                        (a)     Customer is responsible for its use of the Service. Customer will implement and maintain reasonable and appropriate measures designed to help secure its access to and use of the Service. If Customer discovers any vulnerabilities or breaches as a result of its use of the Service, Customer must immediately contact WingRep and provide details of the vulnerability or breach. As between WingRep and Customer, Customer shall be solely responsible for compliance with any notification obligations that may be required with respect to Customer Content under applicable laws or regulations. 

                        (b)     Customer further acknowledges that artificial intelligence and machine learning are rapidly evolving fields of study, and that:

                                    (i)     Output may not always be accurate. Customer should not rely on Output as a sole source of truth or factual information, or as a substitute for professional advice.

                                    (ii)     Customer must evaluate Output for accuracy and appropriateness for its use case, including using human review as appropriate, before using or sharing Output from the Services.

                                    (iii)     Customer must not use any Output relating to a person for any purpose that could have a legal or material impact on that person, such as making credit, educational, employment, housing, insurance, legal, medical, or other important decisions about them.

3.     Fees.

           3.1     Customer shall pay WingRep all Fees in US dollars on or before the due date set forth in the applicable Order Form (and if no due date is set forth therein, no later than 30 days after the receipt of each invoice) without offset or deduction. All payments are non-cancelable and non-refundable. All amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on WingRep’s income. If Customer fails to make any payment when due, WingRep may suspend the Service and Services until all payments are made in full. Customer will reimburse WingRep for all reasonable costs and expenses incurred (including reasonable attorneys’ fees) in collecting any late payments or interest.

4.     Confidentiality.

           4.1     Confidential Information. From time to time during the term of this Agreement, either party may disclose or make available to the other party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, in each case, whether orally or in writing, that is designated as confidential or that reasonably should be considered to be confidential given the nature of the information and/or the circumstances of disclosure (“Confidential Information”). 

           4.2     Exceptions. Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving party at the time of disclosure; (c) rightfully obtained by the receiving party on a non-confidential basis from a third party; or (d) independently developed by the receiving party. 

           4.3     Nondisclosure. The receiving party shall safeguard the disclosing party’s Confidential Information using the same degree of care (but not less than reasonable care) that it uses to protect its own Confidential Information and not disclose the disclosing party’s Confidential Information to any person or entity, except to the receiving party’s employees or vendors who have a need to know the Confidential Information for the receiving party to exercise its rights or perform its obligations hereunder and who are bound by written agreements with use and nondisclosure restrictions at least as protective of the Confidential Information as those set forth herein. Notwithstanding the foregoing, each party may disclose Confidential Information to the limited extent required in order to comply with a valid and effective subpoena or court order, provided that the receiving party immediately notifies the disclosing party (to the extent permitted) of the existence, terms and circumstances surrounding such a request so that the disclosing party may seek appropriate protective action.

           4.4     Return. On the expiration or termination of the Agreement, the receiving party shall promptly return to the disclosing party all copies, whether in written, electronic, or other form or media, of the disclosing party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing party that such Confidential Information has been destroyed. Notwithstanding the foregoing, the receiving party may retain disclosing party Confidential Information if necessary to comply with any obligations under applicable law or reasonable corporate governance requirements. The receiving party shall: (a) maintain the protections described above regarding such information as long as the receiving party retains it, (b) not use such information for any purpose inconsistent with this Agreement, and (c) return or destroy such information when it is no longer needed.

5.     Intellectual Property.

           5.1     No Ownership Assignment. This Agreement is for SaaS use rights. Neither party will assign ownership rights in any of its assets to the other pursuant to this Agreement, and neither party grants the other any rights or licenses not expressly set out in this Agreement.

           5.2     What Customer Owns. Customer owns all right, title and interest in and to the Customer Content, Output, and all intellectual property rights related thereto. 

           5.3     What WingRep Owns. Other than the rights specifically granted to Customer herein, WingRep owns and retains all right, title and interest in and to: (a) the Service, including the underlying software, algorithms, interfaces, technology, data, tools, know-how, processes and methods (i) used to provide or deliver the foregoing; or (ii) resulting from provision of the Service; (b) all improvements, modifications or enhancements to, or derivative works of, the foregoing, regardless of inventorship or authorship, excluding Customer Content and Output; and (c) all intellectual property rights in and to any of the foregoing.

           5.4     Feedback. If Customer or any of its employees or contractors sends or transmits any communications or materials to WingRep by mail, email, telephone, or otherwise, suggesting or recommending changes to the Service (“Feedback”), WingRep is free to use and exploit such Feedback irrespective of any other obligation or limitation between the parties governing such Feedback. 

           5.5     Service Metrics. Notwithstanding anything to the contrary, Customer acknowledges and agrees that WingRep may monitor Customer’s use of the Service and collect and compile Service Metrics. WingRep may use such Service Metrics for its own business purposes during the term of this Agreement and thereafter.

6.     Representations and Warranties.

           6.1     Authority. Each of WingRep and Customer represents and warrants that: (a) it has the full right, power and authority to enter into and fully perform this Agreement; (b) the person signing this Agreement on its behalf is a duly authorized representative of such party who has in fact been authorized to execute this Agreement; (c) its entry herein does not violate any other agreement by which it is bound; and (d) it is a legal entity in good standing in the jurisdiction of its formation.

           6.2     Service and Services Operation. The Service will operate substantially in conformity with the Documentation [and the support and uptime SLA found at -------.com], and will be provided in a good and workmanlike manner consistent with applicable industry standards. As Customer’s sole and exclusive remedy and WingRep’s entire liability for any breach of the foregoing warranty, WingRep will promptly re-perform any Services that fail to meet this limited warranty. 

           6.3     Protection of Customer Content. WingRep will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Content in accordance with its security Documentation, which will be made available to Customer on request, and WingRep’s Data Processing Addendum attached as Exhibit A. Those safeguards will include, but will not be limited to, measures for preventing access, use, modification or disclosure of Customer Content by WingRep personnel except: (a) to provide the Service and to prevent or address service or technical problems, or (b) as Customer expressly permits in writing.

           6.4     Customer Content. Customer represents, warrants and covenants to WingRep that it owns or has and will have the necessary rights and consents in and relating to the Customer Content so that, as received and used by WingRep in accordance with this Agreement, Customer Content will not violate any applicable laws, infringe, misappropriate, or otherwise violate any intellectual property or other rights of any third party, violate any applicable laws or regulations or cause a breach of any agreement or obligations between Customer and any third-party. 

           6.5     Export Restrictions. Each party affirms that it is not named on, owned by, or acting on behalf of any U.S. government denied-party list, and it agrees to comply fully with all relevant export control and sanctions laws and regulations of the United States (“Export Laws”) to ensure that neither the Services, software, any Customer Content, nor any technical data related thereto is: (a) used, exported or re-exported directly or indirectly in violation of Export Laws; or (b) used for any purposes prohibited by the Export Laws, including, but not limited to, nuclear, chemical, or biological weapons proliferation, missile systems or technology, or restricted unmanned aerial vehicle applications. Customer will complete all undertakings required by Export Laws, including obtaining any necessary export license or other governmental approval. 

           6.6     AI Training. WingRep represents, warrants and covenants to Customer that it shall not train any AI model using Customer Content except as expressly agreed with Customer or otherwise for Customer’s exclusive benefit.

           6.7     Disclaimers

                        (a)     EXCEPT FOR THE LIMITED WARRANTIES SET FORTH IN THIS AGREEMENT, THE SERVICE IS PROVIDED “AS IS” AND WINGREP HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. WINGREP SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. EXCEPT FOR THE LIMITED WARRANTIES SET FORTH IN THIS AGREEMENT, WINGREP MAKES NO WARRANTY OF ANY KIND THAT THE SERVICE, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER’S OR ANY OTHER PERSON’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE. 

                        (b)     DUE TO THE NATURE OF MACHINE LEARNING, OUTPUT MAY NOT BE UNIQUE ACROSS USERS, AND THE SERVICE MAY GENERATE THE SAME OR SIMILAR OUTPUT FOR OTHER USERS. USE OF THE SERVICE MAY RESULT IN INCORRECT OUTPUT THAT DOES NOT ACCURATELY REFLECT REALITY. CUSTOMER MUST EVALUATE THE CONTENT, NATURE, TONE AND ACCURACY OF ANY OUTPUT AS APPROPRIATE FOR CUSTOMER’S USE CASE, INCLUDING BY USING HUMAN REVIEW OF THE OUTPUT. CUSTOMER UNDERSTANDS AND AGREES THAT THE OUTPUT MAY CONTAIN “HALLUCINATIONS” AND MAY BE INACCURATE, OBJECTIONABLE, INAPPROPRIATE, OR OTHERWISE UNSUITED TO CUSTOMER’S OR ANY USER’S PURPOSE. THE ACCURACY, QUALITY AND COMPLIANCE WITH APPLICABLE LAW OF THE OUTPUT IS DEPENDENT UPON AND COMMENSURATE WITH THAT OF THE INPUT PROVIDED AND CUSTOMER’S COMPLIANCE WITH THIS AGREEMENT.

7.     Indemnification.

          7.1     By WingRep. WingRep shall indemnify, defend, and hold harmless Customer from and against any and all losses, damages, liabilities, costs (“Losses”) incurred by Customer that result from any third-party claim, suit, action, or proceeding (“Third-Party Claim”) that the Service infringes or misappropriates such third party’s intellectual property rights, provided that Customer promptly notifies WingRep in writing of such Third-Party Claim, cooperates with WingRep, and allows WingRep sole authority to control the defense and settlement of such Third-Party Claim. If a Third-Party Claim is made or appears possible, WingRep will modify or replace the Service, or component or part thereof, to make it non-infringing, or obtain the right for Customer to continue use. If WingRep determines that neither alternative is reasonably available, WingRep may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer and refund to Customer any unused, prepaid fees paid by Customer for the remainder of the then-current Subscription Term. WingRep will have no indemnification obligation if the alleged infringement arises from: (a) use of the Service in combination with data, software, hardware, equipment, or technology not provided or authorized in writing by WingRep; (b) modifications to the Service not made by WingRep; or (c) Customer Content. THIS SECTION 7.1 SETS FORTH CUSTOMER’S SOLE REMEDIES AND WINGREP’S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICE INFRINGES, MISAPPROPRIATES, OR OTHERWISE VIOLATES A THIRD PARTY’S INTELLECTUAL PROPERTY RIGHTS.

          7.2     By Customer. Customer shall indemnify, hold harmless, and defend WingRep from and against any Losses resulting from Third-Party Claims that the Customer Content, or any use thereof in accordance with this Agreement, infringes or misappropriates such third party’s intellectual property rights or rights of publicity or privacy, or results in the violation of any applicable law or regulation; provided that WingRep promptly notifies the Customer in writing of such Third-Party Claim, cooperates with the Customer, and allows Customer sole authority to control the defense and settlement of such Third-Party Claim. Subject to Section 7.3, Customer shall inform WingRep of any such settlement and give WingRep the possibility to review it before finally agreeing to such a settlement. This section 7.2 sets forth WingRep’s sole remedies and Customer’s sole liability for any threatened or alleged Losses resulting from the Third-Party Claims identified in this section.

          7.3     The indemnifying party may not settle any Third-Party Claim without the indemnified party’s prior written approval unless the settlement is for a monetary amount that does not require payment by the indemnified party, unconditionally releases the indemnified party from all liability without prejudice, does not require any admission by the indemnified party, and does not place restrictions upon the indemnified party’s business, products or services.

8.     Limitations of Liability.

           8.1     No Consequential Damages. To the extent permitted by law, in no event will a party be liable under or in connection with this agreement under any legal or equitable theory, including breach of contract, tort (including negligence), strict liability, and otherwise, for any: (a) consequential, incidental, indirect, exemplary, special, enhanced, or punitive damages; (b) increased costs, diminution in value or lost business, production, revenues, or profits; (c) loss of goodwill or reputation; or (d) cost of replacement goods or services, in each case regardless of whether such party was advised of the possibility of such losses or damages or such losses or damages were otherwise foreseeable. 

           8.2     Direct Damages. To the extent permitted by law, in no event will either party’s total cumulative aggregate liability to the other exceed the fees paid or payable by Customer to WingRep in the 12 month period preceding the first event giving rise to liability. The existence of more than one claim will not enlarge this limit.

           8.3     Exceptions. The foregoing exclusions and limits in this section do not apply to Customer’s payment obligations, or liability or obligations arising out of or related to infringement or misappropriation of the other party’s intellectual property rights, or loss or damage caused by a party’s gross negligence or willful misconduct.

9.     Term and Termination.

           9.1     Term. This Agreement will continue from the Effective Date until the earlier of: (a) the expiration of all Service subscriptions, or (b) termination pursuant to Section 9.2 below.

           9.2     Termination. In addition to any other remedies it may have, either party may terminate this Agreement upon written notice if the other party: (a) materially breaches any of the terms or conditions of this Agreement and fails to cure such breach within 30 days after written notice describing the breach; or (b) files for bankruptcy or is the subject of an involuntary filing in bankruptcy (in the latter case, which filing is not discharged within 60 days) or makes an assignment for the benefit of creditors or a trustee is appointed over all or a substantial portion of its assets. 

           9.3     Effect of Termination. Upon expiration or earlier termination of this Agreement, Customer shall immediately discontinue use of the Service and comply with the obligations in Section 4 regarding return or destruction of Confidential Information. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due before such expiration or termination or entitle Customer to any refund. Customer will have reasonable access to, and the ability to reasonably export, its Customer Content for a period of 30 days following such termination or expiration, after which WingRep shall delete, destroy, or return all copies of information retained on the Service provided by Customer.

           9.4     Survival. This Section 9.4 and Sections 2.2, 4, 5, 7, 8 and 10, and each other provision that by its nature should survive termination, will survive any termination or expiration of this Agreement for any reason.

10.     Miscellaneous.

              10.1     Entire Agreement. This Agreement constitutes the entire agreement and understanding between WingRep and Customer with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter. This Agreement shall supersede the terms of any purchase order or other business form. If accepted by WingRep in lieu of or in addition to WingRep’s Order Form, Customer’s purchase order shall be binding only as to the following terms: (a) the Services ordered and (b) the appropriately calculated fees due.

              10.2     Notices. All notices made pursuant to this Agreement shall be in writing and shall be deemed effectively given upon the earlier of actual receipt, or (a) personal delivery to the party to be notified, (b) on the day of delivery, if sent by electronic mail with no notice of delivery failure, (c) five days after having been sent by registered or certified mail, return receipt requested, postage prepaid, or (d) one business day after deposit with a nationally recognized overnight courier, freight prepaid, specifying next business day delivery, with written verification of receipt. 

              10.3     Interpretation, Waiver. The words “hereof,” “herein,” and “hereunder” and words of similar import, when used in this Agreement, will refer to this Agreement as a whole and not to any particular provision of this Agreement. A word importing the singular includes the plural and vice versa. Gendered pronouns are used for convenience and are intended to refer to the masculine or feminine, as applicable. Whenever the words “include,” “includes” or “including” are used in this Agreement, they will be deemed to be followed by the words “without limitation,” unless preceded by the word “not”. The invalidity, illegality, or unenforceability of any provision herein does not affect any other provision herein or the validity, legality, or enforceability of such provision in any other jurisdiction. Any failure to act by either party with respect to a breach of this Agreement by Customer or others does not constitute a waiver and will not limit such party’s rights with respect to such breach or any subsequent breaches.

              10.4     Assignment. This Agreement is personal to Customer and may not be assigned or transferred for any reason by Customer whatsoever without WingRep’s prior written consent and any action or conduct in violation of the foregoing will be void and without effect. WingRep expressly reserves the right to assign this Agreement and to delegate any of its obligations hereunder. Subject to the foregoing, this Agreement is binding upon and will inure to the benefit of each of the parties and their respective successors and permitted assigns. 

              10.5     Governing Law and Venue. This Agreement is governed by and construed in accordance with the internal laws of the State of California without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any other jurisdiction. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in San Francisco County, California and the parties irrevocably consent to the personal jurisdiction and venue therein. 

              10.6     Amendments. All amendments or modifications to this Agreement must be made only by a written document executed by duly authorized representatives of the parties. To the extent that any term of an Order Form conflicts with any of the terms of this Agreement, then the Order Form supersedes this Agreement with respect to such conflicting terms. 

              10.7     Independent Parties. Nothing in this Agreement will be construed to create a partnership, joint venture or agency relationship between the parties. Neither party will have the power to bind the other or to incur obligations on the other’s behalf without such other party’s prior written consent. Except as expressly set forth in this Agreement, the exercise by either party of any remedy under this Agreement will be without prejudice to its other remedies under this Agreement or otherwise.

              10.8     Counterparts. This Agreement may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.

Exhibit A

SelfActualize.AI Data Processing Addendum

This Data Processing Addendum (the “DPA”), is incorporated into and forms part of the written or electronic agreement (the “Agreement”) pursuant to which SelfActualize.ai, Inc., dba WingRep.ai (“WingRep”) provides services to the party identified therein as the “Customer”. Capitalized terms used in this DPA but not defined herein shall have the meanings set forth in the Agreement.

1.     Definitions

“Applicable Privacy Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable:

             “EU Data Protection Law”: Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) and the EU e-Privacy Directive (Directive 2002/58/EC), each as implemented and transposed into local law by any EU member states.

             “Swiss DPA”: the Swiss Federal Act on Data Protection 1992 (including as amended or superseded).

             “UK Data Protection Law”: the UK Data Protection Act and GDPR as incorporated into UK law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).

             “US Data Protection Law”: all applicable comprehensive state data protection laws and regulations in each case as may be amended or superseded from time to time, including the California Privacy Rights Act (“CPRA”); Colorado Privacy Act; Connecticut Personal Data Privacy and Online Monitoring Act; Delaware Personal Data Privacy Act; Indiana Consumer Data Protection Act; Iowa Consumer Data Protection Act; Montana Consumer Data Privacy Act; Oregon Consumer Privacy Act; Tennessee Information Protection Act; Texas Data Privacy and Security Act; Utah Consumer Privacy Act; Virginia Consumer Data Protection Act.

             Applicable Law excludes those laws applicable to Excluded Data as defined in the Agreement.

“Controller” means a “controller” or “business,” as such terms or analogous variations thereof are defined under Applicable Privacy Laws, that, alone or jointly with others, determines the purposes for and means of Processing.

“EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein, as well as, for the purposes of this DPA, Switzerland and the United Kingdom.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

“Personal Data” means any information, including opinions, relating to an identified or identifiable natural person. “Customer Personal Data” shall mean Personal Data that is provided to SelfActualize.AI by or on behalf of Customer.

“Process” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making such data available, alignment or combination, restriction, erasure or destruction.

“Processor” means a “service provider” or “processor,” as such terms or analogous variations thereof are defined under Applicable Privacy Laws, that Processes personal data or information on behalf of another company.

“Standard Contractual Clauses” or “SCCs” means: (i) where EU Data Protection Law or the Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where UK Data Protection Law applies, standard data protection clauses adopted pursuant to or permitted under UK Data Protection Law (“UK SCCs”).

“Subprocessor” means any third party engaged by SelfActualize.AI for the Processing of Customer Personal Data in connection with the Service and may include SelfActualize.AI’s affiliates and subsidiaries.

2.     Applicability; SelfActualize.AI as Processor or Subprocessor

This DPA applies only to the extent SelfActualize.AI Processes Personal Data of End Users that is subject to Applicable Privacy Laws. Customer is (or represents that it is acting with full authority on behalf of) the Controller and SelfActualize.AI is the Processor with respect to the Customer Personal Data Processed under the Agreement. In some circumstances, Customer may be a Processor, in which case Customer appoints SelfActualize.AI as Customer’s subprocessor, which shall not change the obligations of either Customer or SelfActualize.AI under this DPA.

3.     Customer’s Instructions to SelfActualize.AI

           3.1     Purpose Limitation. SelfActualize.AI will not Process Customer Personal Data for any purpose other than for the specific purposes set forth in this DPA, unless obligated to do otherwise by Applicable Privacy Law. In such case, SelfActualize.AI will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. SelfActualize.AI shall only Process Customer Personal Data for the following purposes: (i) Processing as reasonably required to provide the Service and perform SelfActualize.AI’s obligations under the Agreement and this DPA, and as otherwise agreed by the Parties; (ii) Processing initiated by Customer and its users in their use of the Service; (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement and Applicable Privacy Laws; and (iv) as otherwise required by Applicable Privacy Laws. Further details regarding SelfActualize.AI’s Processing operations are set forth in Annex 1. 

           3.2     Lawful Instructions. Customer shall, in its use of the Service, Process Customer Personal Data in accordance with the requirements of Applicable Privacy Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer will not instruct SelfActualize.AI to Process Personal Data in violation of Applicable Privacy Law. SelfActualize.AI has no obligation to monitor the compliance of Customer’s use of the Service with Applicable Privacy Law, though SelfActualize.AI will immediately inform Customer if, in SelfActualize.AI’s opinion, an instruction from Customer infringes Applicable Privacy Law. The Agreement and this DPA, along with Customer’s configuration and use of the Service, are Customer’s complete instructions to SelfActualize.AI in relation to the Processing of Customer Personal Data. 

           3.3     CPRA Requirements. With respect to Customer Personal Data to which the CPRA applies (capitalized terms used in this section having the meanings provided in CPRA): 

                        (a) SelfActualize.AI shall act as a Service Provider to Customer and shall collect, access, maintain, use, process, and transfer Customer Personal Data solely for the purpose of performing SelfActualize.AI’s obligations under this Agreement for or on behalf of Customer and for no commercial purpose other than the performance of such obligations. 

                       (b) SelfActualize.AI shall not Sell or Share, disclose, release, transfer, make available or otherwise communicate any Customer Personal Data to another business or third party without Customer’s prior written consent unless and to the extent that such disclosure is made to a Subcontractor for a business purpose, provided that SelfActualize.AI has entered into a written agreement with the Subcontractor which imposes substantively the same obligations on the Subcontractor with regard to their processing of Customer Personal Data as are imposed on SelfActualize.AI under this DPA and the Agreement. Notwithstanding the foregoing, nothing in this DPA shall restrict SelfActualize.AI’s ability to disclose Customer Personal Data to comply with applicable laws; provided that if such disclosure is required, SelfActualize.AI will promptly notify Customer of the request for disclosure unless such notification is prohibited by applicable law or a legally binding order.

4.     Subprocessing

           4.1     Subprocessors. Customer acknowledges and agrees that SelfActualize.AI’s affiliates and certain third parties may be retained as Subprocessors to Process Customer Personal Data on SelfActualize.AI’s behalf (under this DPA as well as under the Standard Contractual Clauses, if they apply) in order to provide the Service. SelfActualize.AI’s third-party Subprocessors as of the DPA Effective Date are listed on Annex 2 (the “Subprocessor List”). Prior to a Subprocessor’s Processing of Customer Personal Data, SelfActualize.AI will impose contractual obligations on the Subprocessor substantially the same as those imposed on SelfActualize.AI under this DPA. SelfActualize.AI remains liable for its Subprocessors’ performance under this DPA to the same extent SelfActualize.AI is liable for its own performance hereunder. 

           4.2     Notification. SelfActualize.AI will update the Subprocessor List with any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Customer the opportunity to object to such changes. The subprocessor agreements to be provided under Clause 5(j) of the Standard Contractual Clauses may have all commercial information or provisions unrelated to the Standard Contractual Clauses redacted prior to sharing with Customer, and Customer agrees that such copies will be provided only upon written request.

           4.3     Right to Object. Customer may reasonably object to SelfActualize.AI’s use of a new Subprocessor by notifying SelfActualize.AI in writing within ten business days after receipt of SelfActualize.AI’s notice. In its objection, Customer shall explain its reasonable grounds for objection. In the event Customer objects to a new Subprocessor, SelfActualize.AI will use commercially reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid Processing of Customer Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If SelfActualize.AI is unable to make available such change within a reasonable period of time, which shall not exceed 30 days, Customer may terminate Customer’s subscription to the Service.

           4.4     Emergency Replacement. SelfActualize.AI may replace a Subprocessor if the need for the change is urgent and necessary to provide the Service. In such instance, SelfActualize.AI shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to Section 4.3 above.

5.     Assistance & Cooperation

           5.1     Security. SelfActualize.AI will provide reasonable assistance to Customer regarding Customer’s compliance with its security obligations under Applicable Privacy Law relevant to SelfActualize.AI’s role in Processing the Customer Personal Data, taking into account the nature of Processing and the information available to SelfActualize.AI, by implementing technical and organizational measures set forth in the Agreement, without prejudice to SelfActualize.AI’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Personal Data. SelfActualize.AI will ensure that the persons SelfActualize.AI authorizes to Process the Customer Personal Data are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.

           5.2     Personal Data Breach Notification & Response. SelfActualize.AI will comply with the Personal Data Breach-related obligations directly applicable to it under Applicable Privacy Law. Taking into account the nature of Processing and the information available to SelfActualize.AI, SelfActualize.AI will assist Customer by informing it of a Personal Data Breach without undue delay. SelfActualize.AI will notify Customer at the email address provided in the signature block of this DPA for purposes of Personal Data Breach notifications. Any such notification is not an acknowledgement of fault or responsibility. To the extent available, this notification will include SelfActualize.AI’s then-current assessment of the following, which may be based on incomplete information: 

                        (a)     the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Customer Personal Data records concerned; 

                        (b)     the likely consequences of the Personal Data Breach; and 

                        (c)     measures taken or proposed to be taken by SelfActualize.AI to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.

                SelfActualize.AI will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. Nothing in this DPA or in the Standard Contractual Clauses shall be construed to require SelfActualize.AI to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.

6.     Responding to Data Subjects 

           6.1     Data Subjects’ Rights. SelfActualize.AI shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practicable, to enable Customer to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under Applicable Privacy Law, including rights of access, correction, restriction, objection, erasure or data portability, as applicable. 

           6.2     Data Subject Requests. In the event such inquiry, communication or request is made directly to SelfActualize.AI, SelfActualize.AI shall promptly inform Customer by providing the full details of the request. For the avoidance of doubt, Customer is responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability of that Data Subject’s Personal Data.

 

           6.3     Data Protection Impact Assessments and Prior Consultation. SelfActualize.AI shall, to the extent required by Applicable Privacy Law, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under Data Protection Laws.

7.     Data Transfers 

          7.1     Customer authorizes SelfActualize.AI and its Subprocessors to make international transfers of the Customer Personal Data in accordance with this DPA so long as Applicable Privacy Law for such transfers is respected.

 

          7.2     For transfers of Customer Personal Data under this DPA from the EEA to countries which do not ensure an adequate level of data protection within the meaning of Applicable Privacy Law of the foregoing territories, to the extent such transfers are subject to such Applicable Privacy Law, the Standard Contractual Clauses shall apply. In case of conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will prevail. 

           7.3     By entering into this DPA, the Parties are deemed to be signing the Standard Contractual Clauses and its applicable Annexes. The Standard Contractual Clauses will be deemed completed as follows: 

                       (a)     Customer is the “exporter”, whose contact information is set forth below;

                       (b)     SelfActualize.AI is the “importer”, whose contact information is set forth below;

                       (c)     Module Two will apply to the extent that Customer is a controller of the Personal Data, and Module Three will apply to the extent that Customer is a processor of the Personal Data on behalf of a third-party controller;

                       (d)     in Clause 7, the optional docking clause will not apply;

                       (e)     in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set out in Clause 9 of this Addendum;

                       (f)     in Clause 11, the optional language will not apply;

                       Annexes I - III will be deemed completed with the information set out in Annexes 1 - 3 to this DPA.

          7.4     EU SCCs. Personal Data from the European Union will be governed by the EU SCCs, completed as follows:

                       (a)     in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

                       (b)     in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;

          7.5     UK SCCs. Personal Data transfers from the United Kingdom will be governed by the UK SCCs and the UK International Data Transfer Addendum (the “IDTA”), completed as follows.

                       (a)     In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the Agreement and this DPA.

                       (b)     The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with Alternative Part 2 of the template IDTA. 

                       (c)     References to the EU, member states and GDPR are amended mutatis mutandis to refer to the United Kingdom and UK Data Protection Law.

                       (d)     In Clause 17 of the Standard Contractual Clauses (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK.

          7.6     Swiss SCCs. Personal Data transfers from Switzerland will be governed by the EU SCCs amended as follows: 

                       (a)     references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA; 

                       (b)     references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA, 

                       (c)     references to ‘EU’, ‘Union’, and ‘Member State’ will be deemed replaced with ‘Switzerland’, 

                       (d)     references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable), 

                       (e)     In Clause 17, the EU SCCs will be governed by the laws of Switzerland, and 

                       (f)     Clause 18(b), disputes will be resolved before the competent courts of Switzerland.

          7.7     If any provision of the Agreement (including this Addendum) contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

8.     Audits

Upon request, SelfActualize.AI will respond to any written audit questions submitted to it by Customer and meet by teleconference or in person (at Customer’s expense) to address follow up questions (and, where Customer is a processor, its controller), provided that Customer will not exercise this right more than once per year, except if and when required by instruction of a regulator or data protection authority with jurisdiction over Customer, its business and the Customer Data processed by the Services.

9.     Return or Destruction of Personal Data

On termination of the Agreement, within a reasonable time following Customer’s written request, SelfActualize.AI shall securely destroy or return Customer Personal Data to Customer. Notwithstanding the foregoing, this provision will not require SelfActualize.AI to delete Customer Personal Data from archival and back-up files except as provided by SelfActualize.AI’s internal data deletion practices and as required by Applicable Privacy Law. 

10.     Liability

Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each Party and each Party’s affiliates under this DPA or the Standard Contractual Clauses shall be subject to any aggregate limitations on liability set out in the Agreement, except to the extent prohibited by Applicable Privacy Law. 

11.     General

Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

Annex 1

This Annex forms part of the Standard Contractual Clauses. 

LIST OF PARTIES

Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: As provided by the Customer
Address: As provided by the Customer
Contact person's name, job title and contact details: As provided by the Customer
Activities relevant to the data transferred under these Clauses: SelfActualize.AI's Services specified in the Agreement
Role (controller/processor): Controller/processor

Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]

Name: The SelfActualize.AI entity identified in the Agreement
Address: SelfActualize.AI, Inc., 555 4th Street, Unit 919, San Francisco, CA 94107
Contact person's name, job title and contact details: Attn: Amit Bakshi, CEO, legal@selfactualize.ai
Activities relevant to the data transferred under these Clauses: SelfActualize.AI's Services specified in the Agreement
Role (controller/processor): Processor/Subprocessor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred: Customer's employees and consultants who use the Service.

Individuals whose Personal Data is stored by Customer in the Service and processed by SelfActualize.AI.
Categories of Personal Data transferred: The types of Customer Personal Data transferred are determined and controlled by Customer in its sole discretion. This data may include, but is not limited to:

(i) Personal Data of Customer's employees and consultants who use the Service, such as identification and contact data (name, email, title), employment details, and technical data (IP addresses, usage data);

(ii) Personal Data contained within the content of audio recordings, video recordings, and transcripts from sales interactions. The types of personal data derived from these interactions may include the voice and image data of participants; the names, titles, and contact information of all participants (including the Customer's clients and prospects); and any other Personal Data that participants voluntarily share.

The Customer determines the types of Customer Personal Data stored in the Service and should not use the Service to process special categories of data.
Sensitive data transferred (if applicable) and applied restrictions or safeguards: N/A
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Ongoing during the term of Customer agreement
Nature of the processing: The data processing activities carried out by SelfActualize.AI under the Agreement
Purpose(s) of the data transfer and further processing: SelfActualize.AI's Services specified in the Agreement.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: During the term of Customer's agreement, and for a limited period after termination, so that Customer may export its data from SelfActualize.AI's systems.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: As outlined in Annex 3 below

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies (e.g., in accordance with Clause 13 SCCs): Irish Supervisory Authority

Annex 2 Subprocessor List (as of the DPA Effective Date)

Company | Purpose | Processing Location
Anthropic | AI Service Provider | USA
Pinecone | Vector Database for Secure Knowledge Base | USA
Mixpanel | Analytics platform for tracking user behavior | USA
Atlassian | Streamline collaboration and project management | USA
HubSpot | CRM platform for marketing, sales, customer service, and content management | USA
Google LLC | Calendar Integration and Authentication Services | USA
Microsoft Corp. | Calendar Integration, Authentication, and Meeting Platform | USA
Amazon Web Services (AWS) | Cloud Infrastructure, Hosting, and AI Services (Bedrock) | USA
ElevenLabs | AI Voice Generation | USA
Slack | Customer and Internal Communications | USA
DocuSign | Electronic Agreements | USA
Recall.ai | Meeting Recording | USA
Fathom | Note-taking and meeting recording | USA
OpenAI | AI Service Provider | USA
LaunchDarkly | Feature Flags | USA
Zoom Video Communications, Inc. | Meeting Platform | USA
Stripe, Inc. | Payment Processing | USA

Annex 3 Technical and Organizational Security Measures

1. Infrastructure, Hosting & Encryption
SelfActualize.AI stores all Customer Personal Data within Amazon Web Services (AWS) in the us-west-2 (Oregon, USA) region. Services such as Amazon Aurora, S3, and CloudFront are used for data persistence and delivery. All customer data is encrypted at rest using AES-256 and in transit via TLS 1.2 or higher.

2. Access Control & Network Security
Our cloud environment is protected by a suite of AWS defenses, including a Web Application Firewall (WAF) and GuardDuty for continuous threat detection. The platform is built on a secure network design using VPCs and tight security groups. Access to Customer Personal Data is governed by Role-Based Access Control (RBAC) based on the principle of least privilege, with mandatory multi-factor authentication (MFA) for all privileged access. Non-interactive backend processes use scoped AWS IAM roles. Access is reviewed at least quarterly.

3. Tenant Data Isolation
SelfActualize.AI enforces strict tenant isolation at every layer. This is achieved via application-layer authorization in AWS AppSync, object-level permissions in S3, and Row-Level Security (RLS) policies in the database. No shared tenant access is permitted at the database level; all queries are programmatically restricted to tenant-specific data using enforced RLS conditions.

4. Secure AI & LLM Usage
SelfActualize.AI leverages Amazon Bedrock to provide generative AI features powered by models such as Amazon Titan, Anthropic Claude, and Meta Llama. As guaranteed by our enterprise license, Customer Personal Data processed through these services is not used to train, fine-tune, or otherwise improve the underlying models. All interactions occur through Bedrock's stateless inference endpoints, which do not retain inputs or outputs. We also enable AWS Bedrock Guardrails to limit the exposure of sensitive data in prompts. SelfActualize.AI implements strict application-layer controls to limit the exposure of sensitive or identifiable data in AI prompts, and these services are used solely for the benefit of the customer in accordance with contractual terms.

5. Data Deletion, Retention & Governance
Upon termination and written request, SelfActualize.AI will securely destroy Customer Personal Data using AWS-native tools. Per our policy, we only retain data for as long as is operationally or legally necessary, with logs retained for a minimum of 90 days. Supporting internal policies, including encryption standards and access control procedures, are available to customers upon request under a non-disclosure agreement.

Contact

If you have any questions about our Services, or to report any violations of these Terms or Privacy Policy, please contact us at contact@wingrep.ai.
