Data Processing Agreement

Last Updated: February 18, 2026

This Data Processing Agreement ("DPA") forms part of our Terms of Service and Privacy Policy.

1. Introduction and Scope

This Data Processing Agreement ("DPA") is entered into between EasyEmpire AI ("Processor", "we", "us") and you ("Controller", "Customer") and governs the processing of personal data in connection with our services.

This DPA applies when EasyEmpire AI processes personal data on behalf of the Customer in the course of providing the EasyEmpire AI platform services, including but not limited to:

  • AI-powered content generation and business automation
  • Image, video, and audio generation services
  • MCP (Model Context Protocol) server access for AI agents
  • Brand asset and media library management
  • Community marketplace and forum services
  • EZ-Al™ assistant interactions

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable data protection laws (including GDPR, CCPA).
  • "Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.
  • "Controller" means the entity that determines the purposes and means of processing personal data.
  • "Processor" means the entity that processes personal data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the personal data relates.

3. Roles and Responsibilities

Controller Responsibilities (You)

  • Ensure you have a lawful basis for processing personal data through our services
  • Provide necessary notices to and obtain required consents from data subjects
  • Ensure the accuracy and completeness of personal data provided to us
  • Comply with all applicable data protection laws in your jurisdiction
  • Respond to data subject requests with our assistance as needed

Processor Responsibilities (EasyEmpire AI)

  • Process personal data only on your documented instructions
  • Ensure personnel authorized to process data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with your authorization and under written contracts
  • Assist you in responding to data subject requests and regulatory inquiries
  • Delete or return personal data upon termination of services, at your choice
  • Make available information necessary to demonstrate compliance

4. Data Processing Details

Categories of Data Subjects

  • Platform users and account holders
  • AI agents accessing MCP services
  • End users of generated content
  • Marketplace service providers and clients
  • Community and forum participants

Types of Personal Data Processed

  • Identity Data: Name, username, email address, profile information
  • Contact Data: Email, phone number, mailing address (for physical products)
  • Content Data: User-generated content, AI assistant conversations, prompts
  • Business Data: Business profiles, goals, brand assets, preferences
  • Transaction Data: Payment details, order history, token transactions
  • Usage Data: Feature usage, interaction patterns, session information
  • Technical Data: IP address, device information, browser type
  • Agent Data: Agent identifiers, API keys, tool execution logs

Purpose of Processing

  • Providing and maintaining platform services
  • Processing AI-generated content requests
  • Managing user accounts and subscriptions
  • Processing transactions and token operations
  • Facilitating marketplace and community features
  • Improving service quality and AI model performance
  • Security monitoring and fraud prevention
  • Legal compliance and regulatory obligations

Duration of Processing

Personal data will be processed for the duration of our service agreement with you, plus any retention period required by law or necessary for the establishment, exercise, or defense of legal claims.

5. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
  • Access Controls: Role-based access, multi-factor authentication, principle of least privilege
  • Infrastructure Security: SOC 2 compliant cloud providers (Vercel, Railway, NeonDB)
  • Network Security: Firewalls, DDoS protection, intrusion detection
  • Data Isolation: Logical separation of customer data
  • Backup and Recovery: Regular automated backups with point-in-time recovery
  • Monitoring: 24/7 security monitoring and logging
  • Personnel Security: Background checks, confidentiality agreements, security training
  • Incident Response: Documented procedures for security incident handling

6. Sub-processors

You authorize us to engage the following categories of sub-processors to assist in providing our services. We maintain contracts with each sub-processor that impose data protection obligations no less protective than those in this DPA.

Sub-processor | Purpose | Location
OpenAI | AI processing, content generation | USA
Anthropic | AI processing, MCP integration | USA
Clerk | Authentication, identity management | USA
Stripe | Payment processing | USA
NeonDB | Database hosting | USA
Vercel | Frontend hosting, edge network | USA/Global
Railway | Backend API hosting | USA
Cloudinary | Media processing and storage | USA
Cloudflare (R2) | File storage, CDN | USA/Global
Upstash | Redis caching, job queues | USA
Resend | Email delivery | USA
Lob | Physical mail (postcards) | USA
Kling AI | Video generation | China

We will notify you of any intended changes to sub-processors, giving you the opportunity to object to such changes. If you have a reasonable objection, we will work with you to find an alternative solution.

7. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests, including:

  • Right of Access: Providing copies of personal data upon request
  • Right to Rectification: Correcting inaccurate or incomplete data
  • Right to Erasure: Deleting personal data ("right to be forgotten")
  • Right to Restriction: Limiting processing of personal data
  • Right to Data Portability: Providing data in machine-readable format
  • Right to Object: Ceasing processing based on legitimate interests
  • Rights Related to Automated Decision-Making: Human review of automated decisions

Users can exercise many of these rights directly through account settings or by contacting privacy@easyempire.ai.

8. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify you without undue delay (and in any event within 72 hours) after becoming aware of the breach
  • Provide details about the nature of the breach, categories and approximate number of affected data subjects
  • Describe the likely consequences of the breach
  • Describe measures taken or proposed to address the breach and mitigate effects
  • Cooperate with you in meeting your notification obligations to supervisory authorities and data subjects
  • Document all breaches, including facts, effects, and remedial actions taken

9. International Data Transfers

EasyEmpire AI is based in the United States. If you are located outside the United States, personal data will be transferred to and processed in the United States and other countries where our sub-processors operate.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs): EU Commission-approved model clauses for data transfers
  • Data Privacy Framework: Where applicable, certification under the EU-US Data Privacy Framework
  • Supplementary Measures: Additional technical and organizational safeguards where required

Upon request, we can provide copies of the Standard Contractual Clauses or other transfer mechanisms in use.

10. Audit Rights

We will make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

Audits may be conducted:

  • Upon reasonable notice (minimum 30 days except in case of regulatory requirement)
  • During normal business hours
  • Subject to confidentiality obligations regarding our proprietary information
  • At the requesting party's expense (unless audit reveals material non-compliance)

We may also provide third-party audit reports (e.g., SOC 2) or certifications as evidence of compliance.

11. Data Return and Deletion

Upon termination of our services or upon your request:

  • We will return all personal data to you in a commonly used, machine-readable format, or
  • Delete all personal data (including copies) unless retention is required by applicable law
  • Instruct sub-processors to do the same
  • Provide written certification of deletion upon request

Data export can be requested through your account settings or by contacting privacy@easyempire.ai.

12. MCP Server Specific Provisions

For AI agents accessing our MCP (Model Context Protocol) server, the following additional provisions apply:

Agent Data Processing

  • Agent identifiers and API keys are stored securely and used only for authentication and rate limiting
  • Tool execution logs are retained for 90 days for debugging and abuse prevention
  • Session data (intents, shared context) expires after 24 hours of inactivity
  • Generated content (images, videos, audio) is stored according to the associated user's retention settings

Trust and Attestation Data

  • Agent reputation scores and attestation chains (isnad) are public by design
  • Vouching and trust relationships between agents are visible to other platform participants
  • Tool manifests declaring data access patterns are publicly viewable

Anonymous Agent Access

  • Anonymous agents (using X-Agent-ID header only) have limited data retention (24 hours)
  • No personal data is associated with anonymous agent sessions unless voluntarily provided
  • Rate limits apply to prevent abuse

13. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the State of Florida, United States, without regard to its conflict of laws principles.

For data subjects in the European Economic Area, this DPA shall be interpreted in accordance with GDPR requirements, and any disputes may be brought before the competent courts of the data subject's country of residence.

14. Contact Information

For questions about this DPA or to exercise your rights:

Data Protection Contact: privacy@easyempire.ai

General Support: support@easyempireai.com

Address: EasyEmpire AI, 506 E Dakota St, Butler, MO 64730, United States

This Data Processing Agreement was last updated on February 18, 2026.
