Data Processing Agreement

1. Definitions

• “Personal Data” means any information relating to an identified or identifiable natural person processed by Llewellyn Systems on behalf of Customer through the Services.
• “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
• “Sub-processor” means any third party engaged by Llewellyn Systems to process Personal Data on behalf of Customer.
• “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Purpose of Processing

2.1 Subject Matter. Llewellyn Systems processes Personal Data solely to provide the Services, including AI-driven compliance automation, KYC/AML screening, fraud detection, risk assessment, SOX compliance monitoring, and audit management through our six specialized compliance agents.

2.2 Categories of Data Subjects. Employees and contractors of Customer; Customer's end-users and clients; regulatory contacts; beneficial owners and authorized signatories.

2.3 Types of Personal Data. Names, email addresses, business contact information; KYC documentation and identity verification data; financial transaction metadata; compliance workflow data and audit trail records.

3. Obligations of the Processor

Llewellyn Systems shall:

• Process Personal Data only on documented instructions from Customer, unless required by applicable law;
• Ensure that personnel authorized to process Personal Data are bound by obligations of confidentiality;
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
• Not engage any Sub-processor without prior specific or general written authorization from Customer;
• Assist Customer in fulfilling obligations to respond to data subject requests;
• Make available to Customer all information necessary to demonstrate compliance with this DPA;
• Delete or return all Personal Data upon termination of the Services, at Customer's election.

4. Obligations of the Controller

Customer shall:

• Ensure that it has a lawful basis for processing Personal Data and for instructing Llewellyn Systems to process on its behalf;
• Provide clear and documented processing instructions;
• Ensure compliance with applicable data protection laws in its jurisdiction;
• Notify Llewellyn Systems of any changes to applicable data protection requirements that may affect the processing.

5. Sub-processors

5.1 Authorization. Customer provides general authorization for Llewellyn Systems to engage Sub-processors, subject to the requirements in this section.

5.2 Notification. Llewellyn Systems shall notify Customer at least thirty (30) days prior to adding or replacing a Sub-processor, providing the opportunity to object on reasonable data protection grounds.

5.3 Obligations. Llewellyn Systems shall impose data protection obligations on each Sub-processor that are no less protective than those set forth in this DPA and shall remain fully liable for the Sub-processor's compliance.

6. Security Measures

Llewellyn Systems implements and maintains the following security measures:

• Encryption in transit (TLS 1.3) and at rest (AES-256);
• SOC 2 Type II certified infrastructure;
• Role-based access control and principle of least privilege;
• Regular security audits, vulnerability assessments, and penetration testing;
• Incident detection, response, and recovery procedures;
• Employee security awareness training and background checks;
• Physical security controls at data center facilities.

7. Data Breach Notification

7.1 Notification. Llewellyn Systems shall notify Customer without undue delay (and in any event within 48 hours) upon becoming aware of a Data Breach affecting Customer Personal Data.

7.2 Contents. The notification shall include: the nature of the breach; categories and approximate number of affected data subjects and records; likely consequences; measures taken or proposed to address the breach and mitigate its effects.

8. International Data Transfers

8.1 Transfer Mechanisms. Where Personal Data is transferred outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, Llewellyn Systems shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms.

8.2 Data Localization. Upon request, Llewellyn Systems offers on-premise deployment options allowing Customer to maintain all data processing within their specified geographic region.

9. Data Subject Rights

Llewellyn Systems shall assist Customer in fulfilling its obligations to respond to data subject requests exercising their rights under applicable data protection laws, including the right of access, rectification, erasure, restriction, portability, and objection. Llewellyn Systems shall promptly notify Customer of any data subject request received directly and shall not respond to such requests without Customer's prior authorization, unless required by law.

10. Audit Rights

10.1 Right to Audit. Customer has the right to audit Llewellyn Systems' compliance with this DPA. Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and no more than once per calendar year unless required by a supervisory authority.

10.2 Certifications. Llewellyn Systems shall make available relevant certifications, audit reports (including SOC 2 Type II), and other compliance documentation upon request to demonstrate compliance with this DPA.

11. Contact

Llewellyn Systems Inc
2601 Blanding Ave, Ste C248, Alameda, CA 94501
DPO: solstaff@soundoflife.media
Legal: legal@llewellynsystems.com