Data Processing Addendum (DPA)

Effective Date: November 17, 2025

This Data Processing Addendum ("DPA") forms part of the agreement between Stewart Industrial Automation ("Processor") and the customer or client ("Controller") and describes the Processing of Personal Data by the Processor on behalf of the Controller.

1. Roles

• Controller: The party that determines the purposes and means of the Processing of Personal Data.
• Processor: Stewart Industrial Automation, acting on behalf of the Controller.

2. Purpose and Scope

The Processor will process Personal Data only for the purposes described in the main agreement and in accordance with Controller's documented instructions.

3. Categories of Data & Data Subjects

• Categories of Personal Data: Contact information, job titles, project files, email content, date/time of bookings, and other data submitted by Controller or its End Users.
• Data Subjects: Controller’s employees, contractors, customers, or other individuals whose data is included in Controller-provided materials.

4. Security Measures

The Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including access controls, encryption in transit, and regular backups.

5. Subprocessing

The Processor may engage subprocessors to assist in processing Personal Data. The Processor will ensure contractual obligations with subprocessors mirror this DPA.

Current Authorized Subprocessors:

• Amazon Web Services (AWS Amplify) - Website hosting and content delivery (United States)
• Formspree, Inc. - Form submission processing and email delivery (United States)
• Google LLC (Google Analytics) - Website analytics (if enabled) (United States)

The Processor will notify the Controller of any intended changes to subprocessors, giving the Controller an opportunity to object to such changes. Updates to this list will be published at: [website URL or upon request].

6. Data Transfer

If Personal Data is transferred across borders, Processor will ensure such transfers comply with applicable law and implement safeguards (standard contractual clauses, etc.) where required.

7. Data Retention

Personal Data will be retained only as long as necessary to fulfill the purposes of the main agreement or to comply with legal obligations. On termination, data will be deleted or returned per Controller instructions.

8. Data Subject Rights

Processor will assist Controller in responding to Data Subject requests (access, correction, deletion) insofar as practical and permitted by law.

9. Audits

Controller may, upon reasonable notice, audit Processor’s compliance with this DPA or receive relevant audit reports/certifications.

10. Liability & Remedies

Liability and remedies for breaches of this DPA will be governed by the main agreement and applicable law.

11. Governing Law & Jurisdiction

This DPA is governed by the laws of the State of Ohio, except that GDPR, UK-GDPR, and CCPA requirements take precedence where applicable to the Controller's jurisdiction. For disputes, the parties consent to jurisdiction in Ohio courts.

12. Contact

For data protection inquiries: admin@stewart-industrial-automation.com

---

This DPA is a template. Parties should seek legal advice to tailor it to their specific regulatory requirements (e.g., GDPR, UK GDPR, CCPA) before signing.

13. GDPR & CCPA-specific Provisions (Illustrative)

13.1 GDPR

• The Processor will only process Personal Data on documented instructions from the Controller.
• The Processor will implement appropriate safeguards to meet GDPR requirements, including assisting the Controller with data subject rights, data breach notifications, and DPIAs where applicable.
• Where transfers of Personal Data outside the EEA/UK are necessary, the Processor will rely on an appropriate transfer mechanism (e.g., Standard Contractual Clauses) or ensure an adequate level of protection.

13.2 CCPA / CPRA (California)

• For services involving California residents' personal information, the Processor will provide reasonable assistance to the Controller to carry out data subject requests required under CCPA/CPRA.
• The Processor will not sell Personal Information and will implement contractual restrictions to prevent unauthorized sale or disclosure.

Note: These illustrative provisions are not exhaustive. Parties operating under GDPR/CCPA should customize the DPA with legal counsel.

---