Data Processing Agreement — Gulp AI Inc.

Last updated on June 17, 2025


[Need a signed copy of this DPA (including the full text of the SCCs)? Contact us at privacy@osmosis.ai.]

This Data Processing Agreement ("DPA," "Agreement") forms part of the Contract for Services ("Principal Agreement") between the Customer (the "Controller") and Gulp AI Inc. ("Processor," "Osmosis") (each a "Party"; collectively the "Parties").

In the event of a conflict between this Agreement and related agreements, including the Principal Agreement, the terms of this Agreement shall prevail.

WHEREAS

(A) The Customer acts as a Data Controller.

(B) The Customer wishes to use the Osmosis platform, which requires processing of personal data by the Processor.

(C) The Parties seek to implement a data processing agreement that complies with applicable Data Protection Laws.

(D) The Parties wish to lay down their rights and obligations.

1. Definitions and Interpretation

  • "Agreement" means this Data Processing Agreement and its Annexes.
  • "Data Protection Laws" means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"); the United Kingdom Data Protection Act of 2018; the Swiss Federal Act on Data Protection ("FADP"); and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended and including its regulations ("CCPA"), and other applicable U.S. state and federal laws. For the avoidance of doubt, if the Processor's Processing activities involving Personal Data are not within the scope of a Data Protection Law, such law is not applicable for purposes of this DPA.
  • "Data Privacy Frameworks" means the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF"), and the UK Extension to the EU-U.S. DPF ("UK Extension") as administered by the U.S. Department of Commerce.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates, and is deemed to also include a "consumer" as defined under Data Protection Laws.
  • "EU SCCs" means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein.
  • "Customer Personal Data" means any Personal Data provided to or processed by Osmosis on behalf of the Customer.
  • "Personal Data" includes "personal data," "personal information," "personally identifiable information," and analogous terms, as defined by applicable Data Protection Laws, that Osmosis Processes to provide the Platform under the Agreement.
  • "Process," "Processing," "Processed," etc., mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • "Security Incident" means any confirmed breach of security that results in the accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Platform," "Services" mean the Osmosis platform and related services provided by Osmosis as set out in the Principal Agreement.
  • "Subprocessor" means any third party that Osmosis engages to Process Personal Data to provide the Platform.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office, located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and completed as set forth herein.
  • The terms "Business," "Controller," "Processor," and "Service Provider" are defined as in Data Protection Laws. "Controller" is deemed to also refer to "Business," and "Processor" is deemed to also refer to "Service Provider".

2. Roles of the Parties; Scope and Purposes of Processing

2.1 Roles of the Parties: To the extent that Customer is the Controller of Personal Data, Osmosis is its Processor. To the extent that Customer is a Processor of Personal Data, Osmosis is its Subprocessor.

2.2 Scope and Purposes of Processing: This DPA applies to all Personal Data that Osmosis Processes to provide the Platform to Customer. Osmosis will Process Personal Data (i) in compliance with Data Protection Laws; (ii) on Customer's behalf and in accordance with Customer's instructions as set forth in this DPA and the Agreement; and (iii) to provide the Platform to Customer under the Agreement for the business purposes set forth in the Agreement and as set forth in this DPA, unless other Processing activities are required otherwise to comply with Data Protection Laws (in which case, Osmosis shall provide prior notice to Customer of such legal requirement, unless such law prohibits this disclosure).

2.3 Customer Rights: Customer retains the right to (i) take reasonable steps to ensure Osmosis Processes Personal Data in compliance with Data Protection Laws; and (ii) upon notice, stop and remediate unauthorized Processing of Personal Data, including any use of Personal Data not expressly authorized in this DPA.

2.4 Customer Obligations: Where Customer is a Controller, Customer is responsible for providing any notices, obtaining any consents or authorizations, and otherwise satisfying its own compliance obligations with respect to the Processing of Personal Data under this DPA. Where Customer is a Processor, Customer represents to Osmosis that its provision of Personal Data to Osmosis is in compliance with Data Protection Laws and Customer's contractual obligations. Customer will not instruct Osmosis to Process Personal Data in violation of Data Protection Laws or any third party's legal, contractual, or other rights. Customer in its sole discretion determines the categories and types of Personal Data that it provides to Osmosis through the Platform. Customer is responsible for secure and responsible use of the Platform and for determining that the Platform ensures a level of security appropriate to the risk in respect of Personal Data and agrees that the security and compliance measures set forth in the Agreement and this DPA are deemed sufficient.

3. Personal Data Processing Requirements

3.1 Restrictions on Processing: Osmosis will (i) not retain, use, or disclose Personal Data outside the direct business relationship between Customer and Osmosis, or for any purpose (including any commercial purpose) not set forth in this DPA or the Agreement; (ii) not "sell" or "share" any Personal Data, or use Personal Data for purposes of "targeted advertising," as such terms are defined in Data Protection Laws; and (iii) comply with any applicable restrictions under the CCPA on combining Personal Data with personal data that Osmosis receives from, or on behalf of, another person or persons, or that Osmosis collects from any interaction between it and any individual.

3.2 Confidentiality: Osmosis will ensure that the persons Processing the Personal Data are bound by obligations of confidentiality no less protective than those set forth in the Agreement or are under an appropriate statutory obligation of confidentiality.

3.3 Assistance: Osmosis will provide Customer with reasonable assistance (i) by implementing appropriate technical and organizational measures for the fulfillment of Customer's obligation to respond to requests for exercising Data Subjects' rights as set forth in Data Protection Laws, taking into account the nature of the Processing; and (ii) in performing any required data protection impact assessment of Processing or proposed Processing of Personal Data, and in consulting with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including any applicable obligation upon Osmosis to consult with a regulatory authority in relation to Osmosis' Processing or proposed Processing of Personal Data.

3.4 Notice Regarding Compliance and Instructions: Osmosis will promptly notify Customer if Osmosis determines that it can no longer meet its obligations under Data Protection Laws or if it believes that Customer's instructions violate Data Protection Laws, and Osmosis is not deemed to be in breach of this DPA if it declines to Process Personal Data in a way that Osmosis reasonably and in good faith believes would cause Osmosis to violate Data Protection Laws.

4. Data Security

Osmosis will use appropriate administrative, technical, physical, and organizational measures to protect Personal Data as set forth at https://osmosis.ai/legal/subprocessors. Osmosis will provide the level of protection for Personal Data that is required under Data Protection Laws. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risk.

5. Security Incident

5.1 Notice: Osmosis will notify Customer of any Security Incident without undue delay or within the time period required under Data Protection Laws. To the extent available, this notification will include Osmosis's then-current assessment of the following: (i) the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (ii) the likely consequences of the Security Incident; and (iii) measures taken or proposed to be taken by Osmosis to address the Security Incident, including, where applicable, measures to mitigate its possible adverse effects. Osmosis will provide timely and periodic updates to Customer as additional information regarding the Security Incident becomes available. Customer acknowledges that any updates may be based on incomplete information.

5.2 Responsibilities of the Parties: Osmosis will comply with the Security Incident-related obligations applicable to it under Data Protection Laws and will assist Customer in Customer's compliance with its Security Incident-related obligations. Osmosis will not assess the contents of Customer Data for the purpose of determining if such data is subject to any requirements under Data Protection Laws. Nothing in this DPA or in the EU SCCs will be construed to require Osmosis to violate, or delay compliance with, any legal obligation it may have with respect to a Security Incident or other security incidents generally.

6. Subprocessors

6.1 Authorization to Engage Subprocessors: Customer agrees that Osmosis may engage Subprocessors to Process the Personal Data on Osmosis' behalf to provide the Platform. A list of Osmosis's Subprocessors is available at https://osmosis.ai/legal/subprocessors. Osmosis will impose contractual obligations on any Subprocessor it appoints requiring it to protect Personal Data to standards that are no less protective than those set forth under this DPA. Osmosis shall remain fully liable to Customer for the performance of the Subprocessor's data protection obligations. The subprocessor agreements to be provided under Clause 9 of the EU SCCs may have all commercial information, or provisions unrelated to the Standard Contractual Clauses, redacted prior to sharing with Customer, and Customer agrees that such copies will be provided only upon Customer's written request, no more than once annually.

6.2 Subprocessor Notice and Objections: Osmosis will notify Customer of new Subprocessors before authorizing such Subprocessor to process Customer Personal Data (or in the case of an emergency, as soon as reasonably practicable). Customer has fourteen (14) calendar days from such notice to make an objection on reasonable grounds relating to the protection of the Personal Data by notifying Osmosis at privacy@osmosis.ai. In the event Customer objects to a new Subprocessor, Osmosis will use commercially reasonable efforts to make available to Customer a change in the Platform or Customer's configuration or use of the Platform to avoid processing of Customer Personal Data by the objected-to new Subprocessor. If Osmosis is unable to make available such change within a reasonable period of time, which will not exceed thirty (30) days, either Party may upon written notice terminate without penalty the applicable service contract(s) or the Agreement.

7. Data Transfers

7.1 Authorization to Transfer Personal Data: Customer authorizes Osmosis and its Subprocessors to make international transfers of Personal Data in accordance with this DPA and Data Protection Laws.

7.2 Order of Precedence: The Parties acknowledge that Data Protection Laws may require the Parties to implement certain safeguards (a "Transfer Mechanism") for Customer to transfer Personal Data to Osmosis. In the event a transfer of Personal Data is covered by more than one Transfer Mechanism, the transfer will be subject to a single Transfer Mechanism, in accordance with the following order of precedence: (i) the Data Privacy Frameworks; (ii) to the extent that the Data Privacy Frameworks do not apply to a given transfer or are invalidated, the EU SCCs and/or UK Addendum as set forth in Sections 7.4-7.6, as applicable; and (iii) if neither of the preceding is applicable, the Parties will cooperate in good faith to enter into an alternative Transfer Mechanism to the extent required by Data Protection Laws.

7.3 Data Privacy Frameworks: To the extent Osmosis processes Personal Data originating from the EEA, United Kingdom, or Switzerland and Osmosis is self-certified under the Data Privacy Frameworks, Osmosis will adhere to the Data Privacy Principles with respect to Personal Data transferred to Osmosis, as applicable.

7.4 EU SCCs: To the extent legally required, by entering into this DPA, Customer and Osmosis are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Sections 7.5 and 7.6 below) are deemed completed as follows:

  • Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a Controller) to Osmosis (as a Processor), Module 3 of the EU SCCs applies to transfers of Personal Data from Customer (as a Processor) to Osmosis (as a Subprocessor), and Module 4 of the EU SCCs applies to transfers of Personal Data from Customer (as a Processor) to Osmosis (as a Controller);
  • Clause 7 (the optional docking clause) is not included;
  • Clause 9 (Use of sub-processors): Option 2 (General written authorization) will apply and the time period for prior notice of Subprocessor changes is set forth in Section 6 of this DPA;
  • Clause 11 (Redress): The optional language will not apply;
  • Clause 17 (Governing law): The Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights) and select the law of Ireland;
  • Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of Ireland;
  • Annexes I (List of Parties) and II (Technical and organizational measures) are completed as set forth in Annex I and Annex II, respectively; and
  • Annex III (List of subprocessors) is not applicable because the Parties have chosen General Authorization under Clause 9.

7.5 UK Addendum: To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK Addendum, which forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK Addendum. The Tables within the UK Addendum are deemed completed as follows:

  • Table 1: The Parties’ details shall be the Parties to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in the Agreement.
  • Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 7.4 of this DPA.
  • Table 3: Annexes I and II are set forth in Annex I and Annex II below, respectively. Annex III is inapplicable.
  • Table 4: Either Party may end this DPA as set out in Section 19 of the UK Addendum.

7.6 Transfers of Swiss Personal Data: For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7.4 of this DPA, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) the term "member state" in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iii) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).

8. Audits

8.1 Standard Audit Process: Osmosis will make available to Customer documentation, data, certifications, reports, and records ("Records") relating to Osmosis' Processing of Personal Data to demonstrate compliance with this DPA (an "Audit") provided the Agreement remains in effect and such audit is at Customer's sole expense. Customer may request an Audit upon fourteen (14) days' prior written notice to Osmosis, no more than once annually, except in the event of a Security Incident occurring on Osmosis' systems, in which case Customer may request an Audit within a reasonable period of time following such Security Incident.

8.2 Written Requests and Inspections: If Customer has a reasonable objection that the Records provided are not sufficient to demonstrate Osmosis' compliance with this DPA, Customer may, as necessary: (i) request additional information from Osmosis in writing, and Osmosis will respond to such written requests within a reasonable period of time ("Written Requests"); and (ii) only where Osmosis' responses to such Written Requests do not provide the necessary level of information required by Customer, request access to Osmosis' premises, systems and staff, upon twenty-one (21) days' prior written notice to Osmosis (an "Inspection") subject to the parties having mutually agreed upon (a) the scope, timing, and duration of the Inspection, (b) the use of an auditor to conduct the Inspection, (c) the Inspection being carried out only during Osmosis' regular business hours, with minimal disruption to Osmosis' business operations, and (d) all costs associated with the Inspection being borne by Customer (including Osmosis' time in connection with facilitating the Inspection, charged at Osmosis' then-current rates). Inspections will be permitted no more than once annually, except in the event of a Security Incident.

9. Return or Destruction of Personal Data

Except to the extent required otherwise by Data Protection Laws, Osmosis will, at the choice of Customer and upon Customer's written request, return to Customer and/or securely destroy all Personal Data, unless Data Protection Laws require Osmosis to retain Personal Data.

10. Survival; Amendments

The provisions of this DPA survive the termination or expiration of the Agreement for so long as Osmosis or its Subprocessors Process Personal Data. Osmosis may amend this DPA in order to comply with Data Protection Laws and will notify Customer of such changes. By continuing to use the Platform after the DPA has been updated, Customer is deemed to have agreed to the updated DPA.


ANNEX I — Details of Processing

A. List of Parties

Data exporter(s):

  • Name: Customer, as identified in the Agreement.
  • Address: As provided in the Agreement.
  • Contact person's name, position and contact details: As provided in the Agreement.
  • Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data in connection with Customer's use of the Osmosis platform.
  • Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both parties.
  • Role (controller/processor): Controller or Processor, as relevant.

Data importer(s):

  • Name: Gulp AI Inc.
  • Address: 1522 Bond Street, Milpitas, CA 95035, United States of America
  • Contact person's name, position and contact details: Kasey Zhang, CEO, privacy@osmosis.ai
  • Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data in connection with Customer's use of the Osmosis platform.
  • Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both parties.
  • Role (controller/processor): Processor or Subprocessor, as applicable.

B. Description of Transfer

  • Categories of data subjects whose personal data is transferred: Users of the Osmosis platform, including customers, prospective customers, account holders, website visitors, and individuals interacting with Osmosis products or services.
  • Categories of personal data transferred: Identifiers (e.g., name, email, IP address, user ID), contact details, account information, technical data (e.g., device information, browser type), usage data (e.g., interaction logs, session activity), location data, payment information (processed via Stripe), and any other personal data submitted by users through platform features. Sensitive data is not intentionally collected.
  • Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A
  • The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred on a continuous basis as part of the ongoing operation and delivery of the Osmosis platform.
  • Nature of the processing: The data is collected, stored, transmitted, analyzed, and used to deliver platform functionality, support customer requests, provide analytics, process payments, monitor performance, and power AI-based features. Processing includes both automated and manual operations necessary to support service delivery, security, and compliance.
  • Purpose(s) of the data transfer and further processing: To enable the secure delivery of Osmosis platform services, including real-time machine learning, user account management, product analytics, infrastructure provisioning, and billing. Transfers support the technical operation and business functionality of the platform, including improvement of product features and service experience.
  • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal data is retained for as long as necessary to fulfill the purposes outlined in Osmosis's Privacy Policy, including the provision of services, legal compliance, and internal analytics. When data is no longer required, it is securely deleted or anonymized. Criteria for retention include account activity status, regulatory requirements, and contractual obligations.
  • For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Personal data is transferred to subprocessors to support Osmosis's infrastructure, analytics, payment processing, and AI services. The subject matter includes user data related to platform interactions, payment transactions, authentication, and technical logs. Processing involves storage, transmission, analysis, and operational use necessary to maintain and enhance platform functionality. The duration is aligned with the active provision of services, contract terms, or until deletion is requested or required by applicable regulations.

C. Competent Supervisory Authority

To the extent legally permitted, the competent supervisory authority is the Irish Data Protection Commission.


ANNEX II — Technical and Organizational Security Measures

  • Encryption of personal data: Data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 encryption or equivalent standards.
  • Access controls and authentication: Access is limited to authorized personnel using role-based access controls (RBAC) and multi-factor authentication (MFA). Authentication is performed via secure OAuth 2.0 flows — no passwords are stored or managed directly.
  • Pseudonymisation and data minimisation: Personal data is pseudonymised where appropriate. Only the minimum necessary data is collected and processed for the specified purpose.
  • Confidentiality, integrity, availability, and resilience: Systems are designed for high availability and resilience. Disaster recovery and business continuity plans are in place to ensure prompt restoration of data access in case of incidents.
  • Security monitoring and event logging: Continuous monitoring for unauthorized access and malicious activity. Detailed logs of system events and access to personal data are maintained.
  • Regular testing and vulnerability management: Regular security testing, including vulnerability scanning and penetration testing, is conducted to identify and address risks.
  • Protection of data during storage: Data stored on servers is encrypted, with strict access controls and monitoring of storage environments.
  • Protection of data during transmission: Secure communication protocols (HTTPS, TLS) are used to protect data in transit across networks.
  • Physical security of data processing locations: Data centres are secured with access controls, surveillance, and environmental protections, certified to international standards (e.g., ISO 27001).
  • Data retention and erasure policies: Personal data is retained only as long as necessary and is securely deleted or anonymised upon request or after the data retention period expires.
  • Accountability and governance measures: Internal policies govern data protection practices. Staff are trained on data security and privacy compliance obligations.
  • Management of sub-processors: Sub-processors are contractually bound to implement equivalent security measures and are subject to data processing agreements, including SCCs where applicable.
  • Assistance to the data exporter: The data importer will assist with data subject rights requests, incident notifications, and data protection impact assessments (DPIAs) as required by GDPR and these Clauses.