Data Processing Agreement
Last updated: May 20, 2026 · Effective on account creation
1. Parties and scope
This Data Processing Agreement ("DPA") is entered into between Pariom ("Pariom," "Processor") and the entity that has accepted Pariom's Terms of Service ("Customer," "Controller"). This DPA governs Pariom's processing of Personal Data on behalf of the Customer in connection with the Pariom services.
2. Data Pariom processes
Pariom processes the following categories of data on Customer's behalf:
- Trial balance and general ledger data from connected accounting systems
- Account codes, vendor names, and transaction metadata (not line-item detail)
- User account information (name, email, role) for authentication
- Usage logs for audit and support purposes
Pariom does not process customer end-user data, payment card numbers, Social Security numbers, or health records.
3. Processing purposes
Pariom processes Customer data solely to provide the Pariom services, including: generating variance memos, powering anomaly alerts, answering natural-language queries, computing benchmarks, and providing technical support. Pariom does not use Customer data to train models or for any purpose beyond service delivery.
4. Security measures
Pariom implements appropriate technical and organizational measures, including: AES-256-GCM encryption at rest, TLS 1.3 in transit, dedicated single-tenant Postgres per Customer, infrastructure built on SOC 2-certified platforms (AWS, Supabase), and a 90-day immutable audit log of all data access events.
5. Sub-processors
Pariom uses the sub-processors listed at pariom.ai/legal/subprocessors. Pariom will provide 30 days' notice before adding new sub-processors. Customer may object to a new sub-processor within that window; Pariom will make reasonable efforts to accommodate the objection or allow Customer to terminate without penalty.
6. Data subject rights
To the extent Customer's employees or end-users exercise data subject rights under GDPR, CCPA, or applicable law, Pariom will assist Customer in fulfilling those requests within 30 days. Requests should be directed to security@pariom.ai.
7. Data deletion
Upon termination or Customer request, Pariom will delete all Customer data within 24 hours and provide written confirmation. This includes all derived data, model outputs, and cached trial balance data. Pariom retains audit logs for 90 days post-deletion per our data retention policy.
8. Governing law
This DPA is governed by the laws of the State of Colorado, United States. For EU/UK customers, the Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference and take precedence in the event of conflict.
For questions about this DPA, or to request a signed copy, contact security@pariom.ai.