Data Processing Addendum
Effective date: May 2026
This Greenplaces Data Processing Addendum (“DPA”) supplements and forms part of the Master Subscription Agreement (“Agreement”) between Greenplaces and Customer and shall be effective as of the Effective Date of the Agreement (or, if later, the date Customer first provides Personal Data to Greenplaces). This DPA is incorporated into the Agreement by reference.
With respect to the Processing of Personal Data, the parties agree as follows:
1. Definitions. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. References herein to an “Order Form” include any “Subscription Schedule” or similar ordering document executed under the Agreement, the terms being synonymous for purposes of this DPA. As used in this DPA:
1.1 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.
1.2 “Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data Processed by Greenplaces or a Sub-processor.
1.3 “Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data, and includes the term “Business” as defined under the CCPA.
1.4 “Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller, and includes the term “Service Provider” as defined under the CCPA.
1.5 “Data Protection Laws” means GDPR and all U.S. federal and state data protection and privacy laws and regulations that apply to the Processing of Personal Data under this DPA, including, where applicable, CCPA, CPRA, and other U.S. state comprehensive privacy laws, in each case as amended or superseded from time to time.
“UK Data Protection Laws” means the UK GDPR and the Data Protection Act 2018.
1.6 “Data Subject” means the individual natural person to whom Personal Data relates.
1.7 “EEA” means the member states of the European Union, as well as Iceland, Liechtenstein, and Norway.
1.8 “EEA Restricted Transfer” means a transfer (or onward transfer) by Customer to Greenplaces of Personal Data originating in the EEA or Switzerland that is subject to GDPR or the Swiss Federal Act on Data Protection, where any required adequacy means can be met by entering into the EU Standard Contractual Clauses.
1.9 “EU Standard Contractual Clauses” means the standard contractual clauses annexed to Commission Implementing Decision (EU) (2021/914) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
1.10 “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and any member state law implementing the same.
1.11 “Personal Data” means any information relating to an identified or identifiable natural person that is (i) included in the Customer Inputs that Greenplaces Processes on behalf of Customer as a Data Processor in the course of providing the Services, and (ii) subject to the Data Protection Laws.
1.12 “Processing” has the meaning given to it in the Data Protection Laws and “process,” “processes” and “processed” shall be interpreted accordingly.
1.13 “Sensitive Data” means (i) Personal Data revealing a Data Subject’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or immigration status; (ii) government-issued personal identification numbers (including but not limited to social security numbers, driver’s license numbers, and passport numbers); (iii) credit or debit card numbers, personal identification numbers (PIN), passwords or other electronic identification numbers or other information a person uses for payment or to access personal or financial information; and (iv) genetic or biometric data used to uniquely identify a Data Subject.
1.14 “Services” means the products and services described in the Agreement and any Order Form or Schedule, including the Greenplaces Software and any Professional Services.
1.15 “Sub-processor” means any subcontractor engaged by Greenplaces to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement and that Processes Personal Data in connection therewith.
1.16 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses version B1.0, issued by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018 and in force as of 21 March 2022, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as revised by the UK Information Commissioner’s Office from time to time in accordance therewith.
1.17 “UK Restricted Transfer” means a transfer (or onward transfer) by Customer to Greenplaces of Personal Data originating in the United Kingdom that is subject to UK GDPR where any required adequacy means can be met by entering into the EU Standard Contractual Clauses and the UK Addendum.
2. Relationship with the Agreement.
2.1 The parties agree that this DPA shall replace any existing DPA or other contractual provisions pertaining to the subject matter of this DPA that the parties may previously have entered into in connection with the Services.
2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail.
2.3 Any claims brought under or in connection with this DPA are subject to the terms and conditions, including but not limited to the exclusions and limitations of liability, set forth in the Agreement.
3. Roles of the Parties; Processing of Personal Data by Customer and Greenplaces.
3.1 As between Greenplaces and Customer, Customer is the Data Controller of Personal Data and Greenplaces is the Data Processor of Personal Data. Greenplaces shall Process Personal Data only as a Data Processor acting according to the instructions of Customer as reflected in this Agreement and this DPA. The subject matter of the Processing is the performance of the Services pursuant to the Agreement. The nature and purposes of the Processing, the types of Personal Data and categories of Data Subjects, and the duration of the Processing are specified in Schedule 1 (Details of the Processing) to this DPA.
3.2 Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its Processing of Personal Data and any Processing instructions it issues to Greenplaces; and (ii) it has provided notice and obtained all consents and rights necessary under Data Protection Laws for Greenplaces to Process Personal Data and provide the Services. Customer shall immediately notify Greenplaces and cease Processing Personal Data in the event any required authorization or legal basis for Processing is revoked or terminates.
3.3 Greenplaces shall Process Personal Data only for the purposes of performing and/or providing the Services, including for the purposes of: (a) setting up, operating, monitoring, and providing the Services, and improving the Services only through aggregated or de-identified data or through Processing that is necessary to maintain, secure, debug, validate, or enhance the Services for Customer and other customers in a manner permitted by Data Protection Laws; (b) communicating with Users; (c) testing, validating, debugging, and quality-checking Greenplaces’ data processing tools, including artificial intelligence extraction and calculation systems, solely to provide, maintain, secure, and improve the Services, subject to the AI Processing Controls in this DPA and without using Personal Data to train, fine-tune, or improve any third-party AI model; and (d) executing other agreed-upon written instructions of Customer.
3.4 Greenplaces shall Process Personal Data only for limited and specified purposes as set forth in the Agreement and this Addendum, and shall not otherwise:
3.4.1 “sell” or “share” Personal Data, as those terms are defined in applicable Data Protection Laws;
3.4.2 retain, use, or disclose Personal Data outside of the direct business relationship between Greenplaces and Customer; or
3.4.3 except as permitted by applicable Data Protection Laws, combine Personal Data that Greenplaces receives from or on behalf of Customer with personal information that Greenplaces receives from, or on behalf of, another person or persons, or collects from its own interaction with a Data Subject.
3.5 Greenplaces will comply with applicable Data Protection Laws and will provide a level of privacy protection for Personal Data consistent with the requirements of applicable Data Protection Laws. Greenplaces will promptly notify Customer if it makes a determination that it can no longer meet its obligations under this DPA or comply with applicable Data Protection Laws. Customer shall have the right, upon notice, including from Greenplaces pursuant to the preceding sentence, to take reasonable and appropriate steps to stop and remediate any unauthorized Processing of Personal Data.
4. Data Security. Greenplaces shall implement and maintain commercially reasonable technical and organizational security measures designed to protect Personal Data from Data Breaches, to help ensure the ongoing confidentiality, integrity, and availability of the Personal Data and Processing systems, in accordance with Greenplaces’ security standards, including the security measures described in Schedule 2 (Technical and Organizational Security Measures) to this DPA. Notwithstanding the above, Customer agrees that it is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit, and taking any appropriate steps to securely encrypt or back up Personal Data, as well as the security obligations outlined in the Agreement.
5. Data Breach Response. Greenplaces shall notify Customer without undue delay after becoming aware of a Data Breach. Greenplaces shall make reasonable efforts to identify the cause of the Data Breach and shall undertake such steps as Greenplaces deems necessary and reasonable in order to remediate the cause of such Data Breach. Greenplaces shall provide information related to the Data Breach as it becomes available to Customer in a timely fashion and as reasonably necessary for Customer to maintain compliance with applicable Data Protection Laws.
6. Confidentiality of Data Processing. Greenplaces shall ensure that any person who is authorized by Greenplaces to Process Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality.
7. Return or Deletion of Data. Upon termination or expiration of the Agreement, Greenplaces shall (at Customer’s election) delete or return, if feasible, to Customer all Personal Data remaining in its possession or control within thirty (30) days after Customer’s written request (for return) and within sixty (60) days after termination or expiration of the Agreement (for deletion). Upon Customer’s written request, Greenplaces shall provide written certification of deletion signed by an authorized officer, save that this requirement shall not apply: (i) to the extent Greenplaces is required by applicable law to retain some or all of the Personal Data; or (ii) to Personal Data Greenplaces has archived on back-up systems, which will be deleted in accordance with Greenplaces’ standard data retention policies and procedures. In all such cases, Greenplaces shall maintain the Personal Data securely and limit Processing to the purposes that prevent deletion or return of the Personal Data. The terms of this DPA shall survive for so long as Greenplaces continues to retain any Personal Data.
8. Sub-processing. Customer hereby generally authorizes Greenplaces to engage Sub-processors to Process Personal Data on Customer’s behalf, including the Sub-processors currently engaged by Greenplaces and listed in Greenplaces’ then-current sub-processor list made available in Schedule 1. Greenplaces shall: (i) take commercially reasonable measures to ensure that Sub-processors have the requisite capabilities to Process Personal Data in accordance with this DPA; (ii) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by this DPA and applicable Data Protection Laws; and (iii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Greenplaces to breach any of its obligations under this DPA. Greenplaces will notify Customer if it intends to engage different or additional Sub-processors that will Process Personal Data pursuant to this DPA, which may be done by email or by updating Greenplaces’ sub-processor webpage, provided Greenplaces makes available a reasonable mechanism for Customer to receive notice of new Sub-processors. If Customer objects to a new Sub-processor, Customer shall, within thirty (30) calendar days following Greenplaces’ notice, deliver a written objection to Greenplaces specifying Customer’s reasonable basis for concluding that Greenplaces’ proposed use of the Sub-processor would materially and adversely affect Customer’s compliance with applicable Data Protection Laws. If Customer does not deliver a written objection within such thirty (30) day period, Customer shall be deemed to have approved the new Sub-processor. Following a timely objection, the parties shall promptly meet and confer in good faith, including consideration of whether Greenplaces can engage an alternative Sub-processor. 
If the parties are unable to agree on a mutually acceptable resolution within thirty (30) days following Customer’s written objection, Customer may, as its sole and exclusive remedy, terminate the portion of the Services affected by the objected-to Sub-processor upon thirty (30) days’ prior written notice to Greenplaces and shall be entitled to a pro-rata refund of any pre-paid fees attributable to the unused remainder of the then-current Subscription Term for such terminated Services.
Greenplaces shall not, and shall ensure that no Sub-processor shall, use Personal Data to train, fine-tune, or otherwise improve its own or any third party’s models, algorithms, or services.
9. International Transfers.
9.1 Greenplaces may Process Personal Data in the United States and anywhere else in the world where Greenplaces or its Sub-processors maintain data Processing operations. Greenplaces shall at all times provide an adequate level of protection for the Personal Data Processed, in accordance with the requirements of Data Protection Laws.
9.2 When Greenplaces’ performance or provision of the Services requires Greenplaces to act as the data importer with respect to an EEA Restricted Transfer, Greenplaces hereby enters into the EU Standard Contractual Clauses, which are incorporated by reference herein, with Customer. For the purpose of any such EEA Restricted Transfer, the EU Standard Contractual Clauses will be completed as follows:
9.2.1 Where the EU Standard Contractual Clauses require selection of a Module, Module Two (Transfer Controller to Processor) will apply.
9.2.2 For the purpose of Section II, Clause 8.1, the Agreement and this DPA constitute the final and complete instructions to Greenplaces for the Processing of Personal Data as of the date of this DPA. Any additional or alternate instructions must be mutually agreed upon separately in writing and signed by both parties.
9.2.3 For the purpose of Section II, Clause 8.9, the parties agree that any audits or inspections be conducted in accordance with the “Information to Demonstrate Compliance; Assessments” Section of this DPA.
9.2.4 For the purpose of Section II, Clause 9, the parties select Option 2 and agree that Greenplaces may engage Sub-processors in accordance with the “Sub-processing” section of this DPA.
9.2.5 For the purpose of Section IV, Clause 17, the parties select Option 2 and agree that the EU Standard Contractual Clauses shall be governed by the laws of Ireland.
9.2.6 For the purpose of Section IV, Clause 18, the parties agree that disputes arising from the Standard Contractual Clauses shall be resolved by the courts of Ireland.
9.2.7 Annex I is deemed to be completed with the details set out in Schedule 1 to this DPA.
9.2.8 Annex II (Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data) is deemed to be completed with the details set out in Schedule 2 to this DPA.
9.2.9 If and to the extent an EEA Restricted Transfer involves Personal Data originating from Switzerland and is subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”), the EU Standard Contractual Clauses are deemed to be supplemented with an additional annex that provides as follows:
(a) for purposes of Clause 13 and Annex I.C of the EU Standard Contractual Clauses, the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner;
(b) the term “member state” as used in the EU Standard Contractual Clauses must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18.c;
(c) references in the EU Standard Contractual Clauses to the GDPR should be understood as references to the FADP.
9.3 When Greenplaces’ performance or provision of the Services requires Greenplaces to act as the data importer with respect to a UK Restricted Transfer, Greenplaces hereby enters into the EU Standard Contractual Clauses and the UK Addendum, which are incorporated by reference herein, with Customer. For the purpose of any such UK Restricted Transfer, the UK Addendum will be completed as follows:
9.3.1 Table 1 of the UK Addendum is deemed to be completed with the parties’ details and contact information as set forth in Schedule 1 to this DPA.
9.3.2 For the purposes of Table 2 of the UK Addendum, the Addendum EU SCCs are the EU Standard Contractual Clauses entered into between Greenplaces and Customer under Section 9.2 of this DPA.
9.3.3 For the purposes of Table 3 of the UK Addendum, the Appendix Information is as set forth in Sections 9.2.7 and 9.2.8 of this DPA.
9.3.4 For the purposes of Table 4 of the UK Addendum, the parties select both the Importer and the Exporter, and agree that either of them may end the UK Addendum in accordance with Section 19 thereof.
10. Assistance with Data Subject Requests. To the extent Customer does not have the ability to independently fulfil its obligation to respond to a Data Subject’s request to exercise their rights with respect to their Personal Data pursuant to applicable Data Protection Laws through functionality made available by Greenplaces to Customer through the Services, Greenplaces shall, to the extent possible, provide reasonable assistance to Customer with respect to Customer’s fulfillment of that obligation. To the extent Greenplaces directly receives any request from a Data Subject to exercise their rights under applicable Data Protection Laws with respect to the Personal Data, Greenplaces will promptly notify Customer and will not, except to the extent required by applicable law, respond to the request. Greenplaces shall acknowledge any Customer request for assistance under this Section within ten (10) business days of receipt and shall use commercially reasonable efforts to complete the requested action within thirty (30) calendar days, subject to extension as permitted under applicable Data Protection Laws.
11. Data Protection Impact Assessments; Prior Consultations with Supervisory Authorities. Upon Customer’s written request and to the extent Customer does not otherwise have access to the relevant information, Greenplaces shall provide reasonable cooperation and assistance to Customer in (a) carrying out data protection impact assessments and (b) consulting with supervisory authorities, in each case as required by applicable Data Protection Laws and relating to Customer’s use of the Services.
12. Information to Demonstrate Compliance; Assessments.
12.1 Greenplaces shall provide written responses (on a confidential basis) to all commercially reasonable requests for information made by Customer regarding Processing of Personal Data, including responses to information security reviews, that are necessary to confirm Greenplaces’ compliance with this DPA. Without limiting the foregoing, Greenplaces shall make available to Customer, upon written request and subject to customary confidentiality obligations, its most recent SOC 2 Type 2 report (or a substantially equivalent third-party audit report) no more than once per twelve (12) month period. The parties agree that provision of such report, together with responses to reasonable follow-up questions, satisfies the information requirement set forth in this Section 12.1 and the audit obligations under Section 12.2 below, except where an audit is specifically required by applicable Data Protection Laws or by a Supervisory Authority.
12.2 To the extent information provided by Greenplaces under Section 12.1 of this DPA is not sufficient to enable Customer to satisfy its obligations under applicable Data Protection Laws, Greenplaces will cooperate with audits and inspections performed by Customer or a third party assessor of Customer reasonably acceptable to Greenplaces, provided that any audit or inspection: (i) may not be performed unless Customer reasonably determines that the information provided under Section 12.1 is insufficient to satisfy Customer’s obligations under applicable Data Protection Laws or an audit is required by applicable Data Protection Laws or a Supervisory Authority; (ii) must be conducted at Customer’s sole expense and subject to reasonable fees and costs charged by Greenplaces; (iii) may be conducted on no less than thirty (30) days’ prior written notice from Customer, at a date and time and for a duration mutually agreed by the parties; (iv) shall be limited to information and systems relevant to the Processing of Personal Data; and (v) must be performed in a manner that does not cause any damage, injury, or disruption to Greenplaces’ premises, equipment, personnel, or business. Notwithstanding the foregoing, Greenplaces will not be required to disclose any proprietary or privileged information to Customer or an agent or vendor of Customer in connection with any audit or inspection undertaken pursuant to this DPA.
13. Customer Obligations. Customer shall ensure that Customer is entitled to transfer the relevant Personal Data to Greenplaces so that Greenplaces may lawfully use, process, and transfer the Personal Data in accordance with the Agreement on the Customer’s behalf, and acknowledges that Greenplaces is reliant on Customer for direction as to the extent to which Greenplaces is entitled to use and process Personal Data. Customer shall not provide Sensitive Data to Greenplaces unless expressly identified in the applicable Order Form or otherwise approved by Greenplaces in writing. Customer shall defend, indemnify, and hold harmless Greenplaces and its affiliates and their respective officers, directors, employees, and agents from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to (a) Customer’s submission of Sensitive Data to Greenplaces in breach of this Section, (b) Customer’s failure to obtain and maintain all necessary rights, consents, and lawful bases required to transfer Personal Data to Greenplaces, or (c) any instructions provided by Customer that cause Greenplaces to violate applicable Data Protection Laws.
14. Miscellaneous
14.1 Except as may be otherwise provided under the EU Standard Contractual Clauses or the UK Addendum, no one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
14.2 Except to the extent otherwise required by the EU Standard Contractual Clauses or the UK Addendum, this DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.
Schedule 1
A. List of Parties
Data Exporter(s):
Name: Customer, as defined in the Agreement.
Contact Details: The email and mailing address(es) for Customer’s primary contact person(s) as set out in the Order Form.
Activities relevant to the data transferred: Use of the Greenplaces Software.
Signature and Date: By entering into the Agreement and the DPA, Customer is deemed to have signed this Schedule 1.
Role: Controller
Data Importer:
Name: Green Places, Inc.
Contact Details: [email protected]
Activities relevant to the data transferred: Provision of the Greenplaces Software and related services.
Signature and Date: By entering into the Agreement and the DPA, Greenplaces is deemed to have signed this Schedule 1.
Role: Processor
B. Description of Transfer
Categories of data subjects whose personal data is transferred
- Employees, contractors, and other representatives of Customer who are natural persons
Categories of personal data transferred
- Business contact details (name, email, phone, job title, employer)
- Account credentials and authentication identifiers
- Professional information (job function, title, employee identifier)
- Personal information embedded in Customer-uploaded operational records, including: utility bills and meter data, invoices and procurement records, employee commute and business travel records, internal policies and procedures, audit evidence, and vendor assessments
- Device and usage information (IP address, device identifiers, log data)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Not intended. Customer is prohibited from submitting Sensitive Data unless expressly identified in the applicable Order Form or otherwise approved by Greenplaces in writing. To the extent Sensitive Data is inadvertently included in Customer-uploaded materials, Greenplaces will Process such data only as necessary to provide the Services and subject to the technical and organizational measures in Schedule 2.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous
Nature and Purposes of Processing
Greenplaces will Process Personal Data as necessary to perform the Services under the Agreement, including for the purposes of: (a) setting up, operating, monitoring, providing, and improving the Services; (b) communicating with Users; (c) testing, validating, debugging, and quality-checking data processing tools, including artificial intelligence extraction and calculation systems, subject to the AI Processing Controls in this DPA; and (d) executing other agreed-upon written instructions of Customer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data will be processed and retained for the duration of the Agreement and thereafter only as permitted under Section 7 of this DPA, including for legal retention obligations and backup deletion cycles.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Sub-processors will process Personal Data as necessary to perform the Services in accordance with the “Sub-Processing” section of the DPA, and will Process Personal Data for the duration of the Agreement.
As of the date of this DPA, the Sub-processors engaged by Greenplaces are as follows:
| Provider | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Primary cloud infrastructure and hosting (compute, storage, networking) | United States |
| Amazon RDS (AWS) | Managed relational database hosting | United States |
| Amazon S3 (AWS) | Object storage for customer-uploaded files and documents | United States |
| Amazon Bedrock (AWS) | AI processing services for automated data extraction, classification, and analysis | United States |
| Laravel Vapor | Serverless runtime and deployment management for AWS | United States |
| Deck | Utility data integration and OCR processing of PDFs | United States |
| Filestack / Flatfile / CSVBox | File upload and structured data ingestion | United States |
| Mailgun | Transactional and in-app email delivery | United States |
| Jira | Customer support ticketing and issue tracking | United States |
| Google Analytics | Anonymous product usage analytics | United States |
| Sentry | Application logging and monitoring | United States |
| AWS CloudWatch | Infrastructure logging and monitoring | United States |
| Flare | Application error tracking and alerting | United States |
| OpenAI | LLM-based analysis and data extraction | United States |
| Anthropic (Claude) | LLM-based expert workflows | United States |
| Google LLC (Gemini) | LLM-based AI services for internal tooling and employee productivity | United States |
C. Competent Supervisory Authority
For purposes of the EU Standard Contractual Clauses, the competent supervisory authority will be the supervisory authority that has supervision over Customer in accordance with Clause 13 of the EU Standard Contractual Clauses.
Schedule 2
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Greenplaces has implemented and shall maintain an information security program designed to protect against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage, including the measures described below.
AI Processing Controls
- Minimal data. Greenplaces sends only the minimum Customer Data necessary for a given AI task to its AI sub-processors.
- No third-party training. Greenplaces’ agreements with third-party AI providers contractually prohibit those providers from using Customer Data to train, fine-tune, or otherwise improve their models.
- No persistent storage by third parties. Any short-term retention by AI sub-processors is permitted solely for security, abuse monitoring, and operational safety purposes.
- Enterprise agreements. Greenplaces maintains enterprise agreements with its AI providers that include contractual prohibitions on data retention and model training on Customer Data and impose confidentiality obligations consistent with this DPA.
- Human review. AI-generated outputs in the Services are reviewed by a Greenplaces expert and/or by Customer before being incorporated into any report, disclosure, or deliverable.
Core AI processing of Customer Data is performed on Greenplaces’ AWS infrastructure, including Amazon Bedrock and self-hosted models within Greenplaces’ network. Third-party LLM providers (such as Anthropic, OpenAI, and Google) are used by Greenplaces for internal product development, employee productivity, and quality assurance purposes. Such providers do not process Customer Data in production Service workflows except where expressly identified in Greenplaces’ Sub-processor list.
Human Resources Security – policies and procedures designed to ensure the reliability of Greenplaces’ workforce, including:
- Background and criminal history screening in accordance with applicable laws and regulations;
- Execution of non-disclosure agreements; and
- Completion of annual security awareness training which includes training on how to implement and comply with Greenplaces’ security program, and which all workforce members are required to undergo upon initial hire and annually thereafter.
Physical Security Controls – policies, procedures, and physical and technical controls designed to limit physical access to information systems and facilities in which they are housed to properly authorized persons, including:
- Appropriate entry controls to limit access to authorized personnel, including, where appropriate, logging of access events.
- Security cameras and intrusion detection systems in facilities that store or process production data.
- Processes and procedures to promptly remove facility access rights from terminated personnel.
System Access Controls – policies, procedures, and technical controls to ensure that all members of Greenplaces’ workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access, including:
- role-based access policies based on the principle of least privilege;
- processes to grant and revoke access rights based on business need, and to regularly review user access rights to ensure ongoing alignment with business needs; and
- strong authentication procedures for production environments that require a username, password, and multifactor authentication.
Data Access Controls – policies, procedures, and technical controls to ensure the appropriate protection of data maintained by Greenplaces, including:
- The implementation of protection and handling requirements based on the classification of data;
- Role-based access controls based on the principle of least privilege; and
- Encryption of Personal Data in transit over public networks using Transport Layer Security (TLS) and encryption of Personal Data at rest in production systems using AES-256 (or substantially equivalent industry-standard algorithm).
Security Incident Response – policies and procedures to detect, respond to, and otherwise address security incidents, including:
- documented procedures to identify, escalate, and respond to suspected or known security incidents, and to mitigate harmful effects of security incidents;
- documented procedures to analyze the root cause of security incidents and to implement changes to existing controls, where appropriate, to better respond to future threats; and
- annual review and testing of the incident response plan.
Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including:
- documented business continuity and disaster recovery plan that includes procedures to restore services, including to establish and verify alternative channels for communication and connectivity, to maintain the continuity of critical services, and to provide updates to customers;
- documented policies and procedures for the backup and recovery of production systems and data; and
- annual testing of Greenplaces’ business continuity and disaster recovery plan.
Device and Media Controls – policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of a Greenplaces facility, and the movement of these items within a Greenplaces facility, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.
Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including:
- logging of system access activity, including user authentication, failed user login attempts, and access control list changes; and
- regular reviews of the logs for unusual or suspicious activity.
Transmission Security – technical security measures to guard against unauthorized access to Personal Data that is being transmitted over an electronic communications network, including:
- the use of encrypted VPNs to help ensure the security and integrity of the data passing over public networks;
- protection of web-based traffic through industry-standard encryption protocols; and
- deployment of antivirus software on servers, laptops, and desktops to detect and prevent the transmission of data or files that contain virus signatures recognized by the antivirus software.
Assigned Security Responsibility – designation of a security official responsible for the development, implementation, and maintenance of Greenplaces’ security program.
Testing – Regular testing and monitoring of the effectiveness of Greenplaces’ security program, including through periodic vulnerability scans and risk assessments designed to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Personal Data, and to ensure that these risks are addressed.
Adjustments to the Program – Monitoring, evaluation, and adjustment, as appropriate, of Greenplaces’ security program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Greenplaces or the Personal Data, and Greenplaces’ own changing business arrangements.







