Legal · DPA Annex III

Standard Contractual Clauses

SchemaLabs, Inc. · Module Two: Controller-to-Processor

Effective date: May 13, 2026
Parent: Data Processing Agreement

Contents
  • 1. Incorporation by reference
  • 2. Module election
  • 3. Docking clause (Clause 7)
  • 4. Sub-processor authorisation (Clause 9)
  • 5. Independent dispute resolution body (Clause 11)
  • 6. Governing law (Clause 17)
  • 7. Choice of forum and jurisdiction (Clause 18)
  • A. Appendix: Description of the Transfer
  • 8. Supplementary Measures for US Transfers
  • 9. Effective date and modifications
  • 10. Signatures
  • 11. Contact

This Annex III incorporates the Standard Contractual Clauses (SCCs) adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, specifically Module Two (Controller-to-Processor), as referenced in Section 11 of the SchemaLabs Data Processing Agreement.

For transfers from the United Kingdom, this Annex incorporates the International Data Transfer Addendum issued by the UK Information Commissioner's Office, dated 21 March 2022.

For transfers from Switzerland, equivalent measures apply under the Swiss Federal Data Protection Act and the FDPIC's guidance on transfers to the United States.

Capitalised terms used in this Annex (including "Principal Agreement," "Customer Data," "Sub-Processor," and others) have the meanings set forth in the Data Processing Agreement.

1. Incorporation by reference

The parties, Customer (as "data exporter" and Controller) and SchemaLabs, Inc. (as "data importer" and Processor), hereby incorporate by reference the SCCs Module Two, including all clauses thereof (Clauses 1 through 18), into this Annex and into the Data Processing Agreement.

In the event of a conflict between the SCCs and any other provision of the DPA or the Principal Agreement, the SCCs prevail solely with respect to international transfers of personal data from the EEA, the United Kingdom, or Switzerland.

The full text of the SCCs is available at:

  • EU SCCs: eur-lex.europa.eu/eli/dec_impl/2021/914
  • UK ICO Addendum: ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance

2. Module election

The parties have selected Module Two: Controller to Processor as the applicable module.

3. Docking clause (Clause 7)

The optional docking clause does apply. Additional entities may accede to these SCCs as a data exporter or data importer at any time, by completing the appendices and signing the SCCs. Such accession does not require the consent of the original parties beyond what is required under applicable law.

4. Sub-processor authorisation (Clause 9)

Option 2 (general written authorisation) applies. The data importer has the data exporter's general authorisation for the engagement of sub-processor(s) from the agreed list of sub-processors. SchemaLabs maintains a current list at schemalabs.ai/sub-processors.

The data importer shall specifically inform the data exporter in writing of any intended changes to the list through the addition or replacement of sub-processors at least fifteen (15) days in advance, thereby giving the data exporter sufficient time to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

5. Independent dispute resolution body (Clause 11)

The optional language permitting data subjects to lodge a complaint with an independent dispute resolution body does not apply for this Module unless required by applicable law.

6. Governing law (Clause 17)

These SCCs are governed by the law of one of the EU Member States, provided that such law allows for third-party beneficiary rights. The parties select the laws of Ireland.

7. Choice of forum and jurisdiction (Clause 18)

Any dispute arising from these SCCs shall be resolved by the courts of Ireland.

A. Appendix: Description of the Transfer

A. List of Parties

Data Exporter (Customer / Controller):

  • Name: As identified in the Principal Agreement (the Master Services Agreement, Terms of Service, or Order Form executed between the parties)
  • Address: As specified in the Principal Agreement
  • Contact: As specified in the Principal Agreement; Data Protection Officer or equivalent contact where applicable
  • Activities relevant to the data transferred: Customer's business activities, in which Customer uploads data containing personal data, or connects an external data source, to SchemaLabs for processing through the Service
  • Role: Controller

Data Importer (SchemaLabs / Processor):

  • Name: SchemaLabs, Inc.
  • Address: c/o Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, United States
  • Contact: [email protected]
  • Activities relevant to the data transferred: Provision of the Schema Models, our tabular data foundation models, and related Service, including data ingestion, model inference, fine-tuning, checkpoint creation, and output generation
  • Role: Processor

The data exporter is responsible for assessing the legality of the transfer under its local law, for establishing the lawful basis for processing, and for providing all required notices to data subjects.

B. Description of Transfer

Categories of data subjects whose personal data is transferred:

Individuals whose data is contained within Customer's uploaded datasets or connected data sources. Depending on Customer's business and the data Customer uploads or connects, these data subjects may include: Customer's employees, contractors, end users, customers, prospects, patients, policyholders, beneficiaries, applicants, or other individuals whose data is in Customer's possession and which Customer chooses to make available to the Service.

Categories of personal data transferred:

As determined by Customer. Customer Data may include:

  • Identifiers (name, email address, customer ID, internal identifiers)
  • Contact information (address, phone number)
  • Demographic information (age, location, language preference)
  • Transactional and behavioral data
  • Financial records (account balances, transaction history; excluding payment card data which is prohibited under the Use Policy)
  • Employment-related data (role, department, tenure)
  • Other categories present in Customer's uploaded datasets

Customer is prohibited from uploading the following categories without specific written agreement with SchemaLabs (see Use Policy §1.8): GDPR Article 9 special category data, Protected Health Information, payment card data, government identifiers, children's data, export-controlled or classified information, attorney-client privileged communications.

Sensitive data transferred (special categories under GDPR Art. 9 or criminal-conviction data under Art. 10):

Not anticipated. Customer is contractually prohibited from uploading special category data without a separate written agreement (see Use Policy §1.8; example: a HIPAA Business Associate Agreement). Where such agreement is in place, the additional safeguards specified in that agreement apply.

Frequency of the transfer:

Continuous. Personal data is transferred as Customer uploads it to the Service and as Customer queries the Service.

Nature of the processing:

Automated processing for the purpose of providing the Service, including:

  • Data ingestion and validation
  • Model inference (running predictions / classifications against Customer Data)
  • Fine-tuning (creating Customer-specific Fine-Tuned Checkpoints from Customer Data)
  • Output generation
  • Storage of Customer Data and Fine-Tuned Checkpoints
  • Audit logging of access and processing events

Purpose of the data transfer and further processing:

To provide the Service to Customer in accordance with the Principal Agreement. Customer Data is not used for any purpose other than providing the Service to Customer. Customer Data is not used to train, improve, or modify any Schema Base Model or any other customer's Fine-Tuned Checkpoint.

Period for which the personal data will be retained:

Personal data is retained for the duration of the Principal Agreement plus the deletion/return period specified in DPA Section 10. SchemaLabs deletes Personal Data as soon as reasonably practicable following termination, except where a longer retention is required by applicable law. Backups containing Personal Data are encrypted at rest, are inaccessible for production use once the underlying account is closed, and are purged on the next backup retention cycle.

For transfers to Sub-Processors: Each Sub-Processor processes the categories of personal data and for the duration described in the Sub-Processor list at schemalabs.ai/sub-processors.

C. Competent Supervisory Authority

The data exporter's competent supervisory authority is the supervisory authority of the EU Member State in which the data exporter is established or, where the data exporter is not established in the EU, the supervisory authority designated in accordance with GDPR Article 27 (if any).

Where the data exporter is established in the EU but has Article 56(1) main establishment in a Member State other than its registered office, the lead supervisory authority is the supervisory authority of the main establishment.

For data exporters in the United Kingdom: the UK Information Commissioner's Office (ICO).

For data exporters in Switzerland: the Federal Data Protection and Information Commissioner (FDPIC).

D. Technical and Organisational Measures

The technical and organisational measures implemented by the data importer to ensure the security of personal data are set out in Annex II of the SchemaLabs Data Processing Agreement, and include without limitation:

Pseudonymisation and encryption of personal data:

  • All Customer Data encrypted in transit using TLS 1.2 or later
  • All Customer Data encrypted at rest using AES-256
  • Encryption keys managed through Google Cloud KMS and AWS KMS with regular rotation
  • Customer-specific Fine-Tuned Checkpoints architecturally isolated to prevent cross-customer access

Ensuring ongoing confidentiality, integrity, availability and resilience:

  • Architectural data isolation at the model level. No shared state between customer environments
  • Role-based access controls (RBAC) with principle of least privilege
  • Multi-factor authentication required for SchemaLabs personnel accessing production systems and Customer Data
  • Regular access reviews
  • Audit logging of all administrative actions, data access events, API requests, fine-tune jobs, and playground jobs (retained 90 days for active accounts; deleted following account deletion)

Restoring availability and access in a timely manner:

  • Regular backups of Customer Data and Fine-Tuned Checkpoints
  • Recovery procedures tested regularly

Regular testing, assessing, and evaluating the effectiveness of measures:

  • Regular penetration testing
  • Regular vulnerability scanning and patching
  • Regular review of security policies and controls

Measures for ensuring data minimisation:

  • Customer Data is processed only for the purposes specified in the Principal Agreement
  • Usage logs do not contain Customer Data content
  • Telemetry used for service improvement is aggregated and anonymized

Measures for ensuring data quality:

  • Data is processed without modification (except as required for inference or fine-tuning at Customer's request)
  • Customer remains the controller and the source of truth for the underlying personal data

Measures for ensuring limited data retention:

  • Customer Data and Fine-Tuned Checkpoints deleted following termination of the Principal Agreement in accordance with DPA Section 10
  • Usage logs retained for ninety (90) days for active accounts; deleted following account deletion

Measures for ensuring accountability:

  • Documented incident response plan
  • Designated incident commander and communications lead
  • 72-hour breach notification commitment in the DPA

Measures for allowing data portability and ensuring erasure:

  • Customer may export Customer Data via the API while Customer's account is active, and on written request within thirty (30) days following termination, in the format provided by Customer or a substantially equivalent format
  • Deletion process described in DPA Section 10

Measures to be taken by the (sub-)processor to be able to provide assistance to the controller:

  • Privacy contact at [email protected]
  • DPIA Support Package available on request
  • Assistance with data subject rights requests as required by Article 28(3)(e)

E. Sub-Processors

The list of sub-processors authorised by the data exporter to process personal data is maintained at:

schemalabs.ai/sub-processors

Current sub-processors (as of the effective date of this Annex):

| Sub-Processor | Location | Purpose | Onward Transfer Mechanism |
| --- | --- | --- | --- |
| Google Cloud Platform (Google LLC) | United States | Cloud infrastructure: compute, storage, networking, key management | EU SCCs (Module Three: Processor-to-Processor); Google DPA |
| Amazon Web Services (Amazon.com, Inc.) | United States | Cloud infrastructure: compute, storage, networking, key management | EU SCCs (Module Three: Processor-to-Processor); AWS DPA |
| Stripe, Inc. | United States | Payment processing | EU SCCs; Stripe DPA |

BYOL Endpoints: when Customer connects a third-party large language model endpoint (such as OpenAI, Anthropic, Google Gemini, or Mistral) through the Service, the third-party provider is not a Sub-Processor of SchemaLabs. The transmission of data to those providers is directed by Customer, governed by Customer's agreement with the provider, and conducted outside SchemaLabs' processor relationship with Customer.

8. Supplementary Measures for Transfers to the United States

In accordance with the European Data Protection Board's recommendations following the Schrems II judgment (Case C-311/18), SchemaLabs has assessed the law and practice of the United States as the country of destination, and has implemented the following supplementary measures to ensure that the level of protection afforded to personal data is essentially equivalent to that guaranteed within the EEA:

Technical measures:

  • End-to-end encryption (TLS 1.2+ in transit, AES-256 at rest)
  • Customer-specific data isolation that prevents bulk government access
  • No backdoors or special access pathways for any government or third party
  • Customer Data is encrypted at rest in all backups and archives using AES-256

Organisational measures:

  • Documented policy of challenging any government request for Customer Data that is overbroad, unsubstantiated, or otherwise unlawful
  • Notification to the affected customer of any government request for their Customer Data within five (5) business days, where legally permitted (see DPA §8 Regulatory requests)
  • Personnel training on responding to government requests

Contractual measures:

  • Commitment to challenge unlawful or overbroad government access requests
  • Commitment to notify the data exporter of any request for Customer Data, where legally permitted, before complying
  • Commitment to provide the data exporter with reasonable opportunity to object or seek a protective order
  • Where a government request conflicts with this DPA or Customer's documented instructions, SchemaLabs may seek judicial review or guidance before complying, to the extent legally permissible

A separate Transfer Impact Assessment is available on request to enterprise customers, documenting the analysis of US law as it applies to the data transferred under this DPA. The Transfer Impact Assessment represents SchemaLabs' good-faith analysis as of the date of preparation and is not a guarantee of any specific legal outcome; SchemaLabs may update the analysis as US or EU law evolves.

The technical, organisational, and contractual measures described in this Section 8 are current as of the effective date of this Annex and may be updated as appropriate to the threat landscape and applicable legal and industry best practices.

9. Effective date and modifications

This Annex III is effective as of the date of the Principal Agreement or the date Customer first uploads personal data to the Service, whichever is earlier.

The Module Two clauses themselves (Clauses 1 through 18) may not be modified, in accordance with European Commission Implementing Decision (EU) 2021/914. SchemaLabs may update the surrounding Appendix and Supplementary Measures (including the description of transfer, technical and organisational measures, and the list of Sub-Processors) by publishing an updated version of this Annex at schemalabs.ai/dpa-sccs. The current published version applies to all transfers made on or after its effective date.

10. Signatures

These SCCs are deemed signed and entered into by both parties upon Customer's acceptance of the Data Processing Agreement (whether by clicking acceptance, executing a Master Services Agreement, or first uploading personal data to the Service).

11. Contact

SchemaLabs, Inc.

  • Privacy: [email protected]
  • Compliance: [email protected]
  • Legal: [email protected]