Data Processing Agreement

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by SchemaLabs on behalf of Customer through the Service, as defined under applicable Data Protection Laws.
• "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the EU GDPR, the UK GDPR, the California Consumer Privacy Act, and any other applicable data protection legislation.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
• "Sub-Processor" means any third party engaged by SchemaLabs to process Personal Data on behalf of Customer.
• "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
• "BYOL Endpoint" means a third-party large language model endpoint connected by Customer using Customer's own API credentials.
• "Fine-Tuned Checkpoint" (also referred to as the "Customer Endpoint" or "Model Endpoint") has the meaning set forth in the Schema Model License (Section 1).

2. Scope and purpose of processing

Subject matter. SchemaLabs processes Personal Data contained within Customer Data solely to provide the Service.

Duration. Processing continues for the duration of the Principal Agreement plus any retention period specified in Section 10.

Nature and purpose. Automated processing of Customer Data for inference, fine-tuning, and related analytical outputs using the Schema Models.

Categories of Data Subjects. As determined by Customer's uploaded data.

Types of Personal Data. As determined by Customer, excluding the categories prohibited under Use Policy §1.8.

3. Customer obligations

Customer is the Controller of Personal Data and is responsible for:

• Determining the lawful basis for processing
• Ensuring Customer Data is collected, provided to SchemaLabs, or made accessible through any external database or data source connected by Customer, in compliance with Data Protection Laws
• Providing required notices to Data Subjects
• Obtaining necessary consents
• Classifying the sensitivity of data before upload
• Complying with the prohibited data categories in our Use Policy §1.8

4. SchemaLabs obligations

SchemaLabs shall:

• Process Personal Data only on documented instructions from Customer, unless required by applicable law
• Ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations
• Implement and maintain commercially reasonable technical and organizational security measures appropriate to a beta service, as described in Annex II
• Assist Customer in fulfilling Data Subject rights requests, to the extent reasonably able given the nature of the processing
• Assist Customer in conducting Data Protection Impact Assessments (DPIAs) where required under GDPR Article 35, by providing relevant information about the processing

5. Data isolation guarantee

SchemaLabs contractually guarantees:

• Each Customer's Fine-Tuned Checkpoint is an isolated instance, architecturally separated from the Base Model and from all other Customers' checkpoints
• Customer Data processed for inference is used only to serve Customer's requests against the Base Model or its Fine-Tuned Checkpoint and is not retained for training. Customer Data processed during fine-tuning is used exclusively to create the Customer's isolated checkpoint. Customer Data is never used to train, modify, improve, or update any Schema Base Model.
• Fine-Tuned Checkpoints are never merged, combined, or aggregated with the Base Model or with any other Customer's checkpoint
• Deleting a Fine-Tuned Checkpoint fully removes the Customer-specific adaptations

These properties are enforced by SchemaLabs' system architecture, not merely by policy.

6. Sub-Processors

Customer grants SchemaLabs general authorization to engage Sub-Processors. SchemaLabs maintains a current list at schemalabs.ai/sub-processors.

SchemaLabs will notify Customer at least fifteen (15) days in advance of adding or replacing any Sub-Processor by updating the Sub-Processor list and sending notification to the email address associated with Customer's account.

If Customer objects to a new Sub-Processor on reasonable data protection grounds, Customer may notify SchemaLabs in writing within ten (10) days of SchemaLabs' notice. SchemaLabs will use commercially reasonable efforts to make available an alternative arrangement. If no alternative is available within thirty (30) days, Customer may terminate the affected Service.

BYOL Endpoints

When Customer connects a BYOL Endpoint, the third-party LLM provider is not a Sub-Processor of SchemaLabs. Customer is the controller directing the transmission of data to the BYOL Endpoint, and Customer's agreement with that provider governs.

7. Security measures

SchemaLabs shall implement and maintain the technical and organizational measures described in Annex II, appropriate to its stage of development as a beta service. SchemaLabs will continue to expand and mature these measures, including pursuing formal certification such as SOC 2 Type II as the company matures.

8. Security incident notification

SchemaLabs shall notify Customer without undue delay after becoming aware of a Security Incident affecting Customer's Personal Data. Where practicable and consistent with applicable law, SchemaLabs will provide notification within seventy-two (72) hours of becoming aware.

The notification shall include, to the extent available: (a) a description of the nature of the incident; (b) the likely consequences; (c) the measures taken or proposed to address the incident; and (d) the SchemaLabs point of contact for further information.

SchemaLabs shall cooperate with Customer to investigate, mitigate, and remediate the Security Incident.

Regulatory requests

If SchemaLabs receives a subpoena, court order, or other legally compulsory request for Customer Data, SchemaLabs will notify Customer promptly (and where practicable within five (5) business days), unless prohibited by law. SchemaLabs will provide Customer a reasonable opportunity to object to or seek a protective order against the disclosure before complying, to the extent legally permitted.

9. Audit rights

SchemaLabs shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

Independent third-party audit reports and certifications (such as SOC 2 and ISO 27001, where and when held by SchemaLabs) are the primary means by which SchemaLabs demonstrates compliance. SchemaLabs will make available such reports to Customer on request and under reasonable confidentiality terms.

Where Customer reasonably determines that the available third-party reports are insufficient to address a specific compliance question, Customer may conduct a documentary audit of SchemaLabs' processing activities, or appoint a qualified third-party auditor to do so, subject to all of the following:

• No more than once per twelve (12) month period
• At least thirty (30) days' prior written notice
• Conducted remotely through review of documents and controls; no physical access to SchemaLabs' production systems, data centers, or Sub-Processor infrastructure
• Conducted during normal business hours, in a manner that does not unreasonably interfere with SchemaLabs' operations
• The auditor must be mutually agreed in writing, must execute SchemaLabs' standard confidentiality agreement before any audit activity, and must not be a competitor of SchemaLabs or acting on behalf of a competitor
• Available to enterprise Customers with an executed MSA only; all other Customers (free, trial, and standard paid subscriptions) may rely on our publicly available Trust Center
• Audit costs are borne by Customer

For Customers acting as data exporters under the Standard Contractual Clauses, the mandatory audit and inspection rights granted by Clause 8.9 of the SCCs (see Annex III) additionally apply and prevail over this Section to the extent of any conflict.

10. Data deletion and return

Upon termination or expiration of the Principal Agreement, SchemaLabs shall, at Customer's election: (a) return Customer's Personal Data in a structured, commonly used, machine-readable format; or (b) delete Customer Personal Data, including Fine-Tuned Checkpoints.

SchemaLabs will work in good faith with Customer to complete deletion as soon as reasonably practicable and to honor all applicable legal requirements.

SchemaLabs may retain Personal Data beyond the deletion period only to the extent required by applicable law.

SchemaLabs shall provide written confirmation of deletion upon Customer's request.

Data portability for Fine-Tuned Checkpoints. Data portability obligations under GDPR Article 20 apply to Customer Data in its uploaded form. The Fine-Tuned Checkpoint is a derivative work created by blending Customer Data with SchemaLabs' proprietary Base Model weights and is not subject to data portability as a standalone artifact.

11. International data transfers

SchemaLabs processes all Personal Data in US-based Google Cloud Platform and Amazon Web Services infrastructure.

For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, the parties agree to the Standard Contractual Clauses (SCCs) as set forth in Annex III, which is the separate document DPA Annex III: Standard Contractual Clauses (Module Two).

For UK transfers, the SCCs incorporate the UK ICO's International Data Transfer Addendum.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Principal Agreement.

Nothing in this DPA limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be limited by applicable law.

13. Term

This DPA remains in effect for the duration of the Principal Agreement.

14. Contact

SchemaLabs, Inc.

• Privacy: [email protected]
• Security: [email protected]
• Compliance: [email protected]
• Legal: [email protected]

I. Annex I: Details of Processing

Controller: Customer
Processor: SchemaLabs, Inc.

Subject Matter: Processing of Customer Data through the Schema Models for inference, fine-tuning, and related analytical outputs.

Duration: Duration of the Principal Agreement plus data deletion/return period.

Nature: Automated processing: data ingestion, model inference, fine-tuning, checkpoint creation, output generation.

Purpose: Providing the SchemaLabs Service.

Data Subjects: As determined by Customer's uploaded data.

Data Categories: As determined by Customer, excluding the categories prohibited under Use Policy §1.8.

II. Annex II: Technical and Organizational Security Measures

SchemaLabs maintains the following measures, appropriate to its stage of development:

• Encryption: Data encrypted in transit using TLS 1.2+ and at rest using AES-256. Encryption keys managed through Google Cloud KMS and AWS KMS.
• Access Controls: Role-based access control with principle of least privilege. Multi-factor authentication required for SchemaLabs personnel accessing production systems and Customer Data.
• Infrastructure: All processing on Google Cloud Platform and Amazon Web Services in US-based data centers. GCP and AWS each maintain SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and other certifications inherited at the infrastructure layer.
• Data Isolation: Per-customer Fine-Tuned Checkpoints are architecturally isolated at the model level.
• Audit Logging: Administrative actions, data access events, API requests, fine-tune jobs, and playground jobs are logged.
• Incident Response: Documented incident response process with defined escalation paths.
• Personnel: All SchemaLabs personnel with access to Customer Data are subject to confidentiality agreements.
• Backup and Recovery: Backups of Customer Data and Fine-Tuned Checkpoints are maintained as part of GCP and AWS infrastructure operations.
• Continuous Improvement: SchemaLabs is actively building out additional security controls, including SOC 2 Type II certification and formal penetration testing as the company matures.

III. Annex III: Standard Contractual Clauses

The completed Module Two SCCs (Controller to Processor), including supplementary measures for transfers to the United States, are set out in the separate document DPA Annex III: Standard Contractual Clauses (Module Two), incorporated by reference and available at schemalabs.ai/dpa-sccs or on request from [email protected].

For UK transfers, the parties incorporate the UK ICO's International Data Transfer Addendum.

IV. Annex IV: Sub-Processor List

Current as of the effective date. The live list at schemalabs.ai/sub-processors is the authoritative source and prevails over this table in the event of any conflict.

BYOL Endpoints connected by Customer are not Sub-Processors of SchemaLabs (see Section 6).