DATA RESIDENCY ADDENDUM
Version 1.0
Effective Date: February 23, 2026
Syntari AI, Inc.
855 Boylston Street, Suite 1000
Boston, MA 02116
1. PURPOSE AND SCOPE
This Data Residency Addendum (this "Addendum") supplements and is incorporated into the Data Processing Agreement (the "DPA") between Syntari AI, Inc. ("Company") and Customer, and governs the geographical location(s) where Customer Data will be stored, processed, and backed up. This Addendum establishes specific data residency requirements, available regional options, and mechanisms for compliance with applicable data protection and localization regulations.
This Addendum applies to all Customer Data processed by Company in connection with the provision of the Syntari platform and its AI-powered features, including but not limited to analytics, recommendations, and insights generated through third-party AI providers.
2. DEFINITIONS
In addition to terms defined in the DPA, the following definitions apply to this Addendum:
"Data Residency": The specific geographical region(s) where Customer Data is stored, backed up, and replicated, as specified in a Data Residency Specification.
"Data Localization": Legal or regulatory requirements that mandate the location where specific categories of data must be stored or processed.
"Processing Location": Any geographical location where Customer Data is accessed, read, analyzed, transformed, or otherwise processed, including by third-party AI providers.
"Storage Location": The physical or virtual data center(s) where Customer Data at rest is maintained and stored.
"Transit Location": The geographical path(s) through which Customer Data travels during transmission between systems, services, or regions.
3. DEFAULT DATA RESIDENCY
Unless Customer has selected an alternative regional option pursuant to Section 5, Customer Data will be stored and backed up in the United States as follows:
3.1 Primary Storage
● AWS US-EAST-1 (N. Virginia, USA)
● AWS US-WEST-2 (Oregon, USA)
3.2 Backup and Disaster Recovery
● AWS US-EAST-2 (Ohio, USA) for redundancy and failover
3.3 AI Processing
AI processing by third-party providers occurs in the United States, regardless of the primary storage region selected by Customer (see Section 4 for details).
4. AI PROVIDER DATA PROCESSING LOCATIONS
Syntari leverages third-party AI providers to power its analytics and AI features. The following discloses the primary processing locations for each provider:
| AI Provider | Primary Processing Location | Secondary Location |
| --- | --- | --- |
| Anthropic (Claude) | United States (US-based data centers) | N/A – US only |
| OpenAI (GPT) | United States (US-based infrastructure) | N/A – US only |
| Google Cloud AI (Gemini) | United States (configurable via Google Cloud regions) | Available in US regions only for Syntari |
4.1 AI Provider Data Processing Terms
Customer Data processed by AI providers may be temporarily retained by such providers for service improvement purposes. The following retention terms apply:
● Anthropic: Data may be retained for up to 30 days for model improvement and abuse detection
● OpenAI: Data may be retained per OpenAI's API data retention policy (typically 30 days)
● Google Cloud AI: Data retention depends on configured Google Cloud policies and agreements
4.2 Processing Disclosure
Customer acknowledges that use of AI features constitutes a data processing operation by third-party AI providers. All AI processing occurs in the United States. Customer Data will not be routed to non-US AI providers unless Customer explicitly requests such routing and complies with applicable data transfer regulations.
5. AVAILABLE REGIONAL OPTIONS
To meet varying regulatory and business requirements, Syntari offers the following regional storage options. AI processing remains US-based regardless of storage region selection. Customer must specify its selected region during onboarding.
5.1 United States Region (Default)
● Storage: AWS US-EAST-1, US-WEST-2
● Backup: AWS US-EAST-2
● AI Processing: United States providers
● Availability: All customers
5.2 European Union (EU) Region
● Storage: AWS EU-WEST-1 (Ireland), AWS EU-CENTRAL-1 (Frankfurt)
● Backup: EU-based AWS regions
● AI Processing: United States (data transferred for AI processing per Section 4)
● Availability: EU/EEA customers subject to GDPR
● Note: Selection of EU storage does not prevent AI processing in the United States
5.3 United Kingdom (UK) Region
● Storage: AWS EU-WEST-2 (London)
● Backup: EU-based AWS regions
● AI Processing: United States (data transferred for AI processing)
● Availability: UK customers subject to UK GDPR and Data Protection Act 2018
5.4 Canada Region
● Storage: AWS CA-CENTRAL-1 (Canada Central)
● Backup: Canada-based AWS regions
● AI Processing: United States (data transferred for AI processing)
● Availability: Canadian customers subject to PIPEDA and regulatory requirements
5.5 Important Limitation
Customer acknowledges that regardless of selected storage region, use of AI features will result in data transfer to and processing by US-based AI providers. If Customer requires that data never transit to the United States, Customer must disable all AI features and processing functionality.
6. TRANSFER MECHANISMS
Where Customer Data must be transferred across borders, including from EU/EEA to the United States for AI processing, Company relies on the following lawful transfer mechanisms:
6.1 EU-U.S. Data Privacy Framework
For transfers of personal data from the EU/EEA to the United States, Company and its AI provider subprocessors rely on the EU-U.S. Data Privacy Framework (DPF), which replaced the invalidated Privacy Shield framework. This framework establishes the adequacy of data protection in the United States for purposes of EU data transfer restrictions.
6.2 Standard Contractual Clauses
As a supplementary mechanism, Company incorporates the Standard Contractual Clauses (Module Two: Controller to Processor and Module Three: Processor to Sub-processor) as adopted by Commission Decision 2021/914 of June 4, 2021, with all necessary supplementary technical and organizational measures as required by the CJEU Schrems II decision.
6.3 UK International Data Transfer Agreement
For transfers of UK personal data to the United States, Company complies with the UK International Data Transfer Agreement (UK IDTA) and incorporates Standard Contractual Clauses as approved under UK data protection law.
6.4 Transfer Impact Assessments
Company has conducted Data Transfer Impact Assessments (DTIAs) and Transfer Impact Assessments (TIAs) evaluating the legal framework for data transfer to the United States, including assessment of US surveillance laws and adequacy of safeguards. Assessments are available upon request for regulatory audits or Data Subject Access Requests.
7. REGULATORY REQUIREMENTS
This Addendum reflects Company's commitment to compliance with applicable data protection and localization regulations:
7.1 GDPR Articles 44-49
Company ensures that transfers of personal data from the EU/EEA are executed only on the basis of lawful transfer mechanisms (DPF, SCCs) as required by GDPR Chapter V. Company conducts Transfer Impact Assessments for each transfer mechanism.
7.2 Schrems II Supplementary Measures
Following the CJEU Schrems II judgment, Company implements supplementary organizational and technical measures including:
● Data encryption in transit and at rest where technically feasible
● Data minimization principles for AI processing
● Pseudonymization of data where applicable
● Restricted access controls for foreign law enforcement requests
7.3 DORA (Digital Operational Resilience Act)
For financial services customers, Company complies with DORA's requirements regarding operational resilience, third-party risk management, and ICT incident reporting, including location-based resilience of critical data centers.
7.4 Insurance Regulatory Data Localization
Company acknowledges that insurance regulators in various jurisdictions (including certain US states) may impose data localization requirements. Customer is responsible for identifying and communicating applicable localization mandates to Company. Company will work with Customer to implement compliant storage configurations.
7.5 APRA CPS 234 (Australia)
For Australian financial services customers, Company acknowledges the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 regarding critical data residency in Australia. Customers subject to APRA CPS 234 should not select US or EU storage regions without explicit regulatory approval and should contact Company for Australian region availability (if available).
8. CUSTOMER CONTROLS
8.1 Data Region Selection
Customer may select its preferred data storage region during onboarding. Region selection should be made with consideration of applicable regulatory requirements and business needs. Region selection is documented in the Data Residency Specification.
8.2 Region Migration
Customer may request migration of data to an alternative region. Region migration requests must be submitted to privacy@syntari.ai. Company will provide a timeline and impact assessment for the requested migration. Migration timelines vary by data volume and may require a service window.
8.3 Data Residency Verification and Certification
Upon request, Company will provide certification of data residency, including:
● Confirmation of primary and backup storage locations
● Attestation of data center certifications (SOC 2, ISO 27001, etc.)
● Map of network routes used for data transmission
8.4 Audit Rights for Data Location
Customer retains the right to audit Company's data residency practices and storage locations, either through Company's third-party audit reports (SOC 2 Type II, etc.) or through direct audit. Audit requests should be submitted to dpo@syntari.ai and will be subject to customary audit procedures and confidentiality protections.
9. AI PROCESSING TRANSPARENCY
9.1 Disclosure of AI Processing Locations
Company discloses that all AI features involve transmission of Customer Data to third-party AI providers located in the United States, including:
● Anthropic (Claude) – US-based processing
● OpenAI (GPT) – US-based processing
● Google Cloud AI (Gemini) – US-based processing
9.2 AI Provider Retention and Deletion
Customer Data transmitted to AI providers may be retained temporarily (up to 30 days for Anthropic and OpenAI) for service improvement and abuse detection. After the retention period, AI providers will delete or anonymize such data. Company does not control AI provider retention beyond the terms of our agreements with such providers.
9.3 Customer Notification of AI Provider Location Changes
Should any AI provider change its primary processing location away from the United States, or expand processing to non-US locations, Company will provide Customer with prompt written notice (within 10 business days of becoming aware of such change) to privacy@syntari.ai and dpo@syntari.ai (as applicable). Customer may then request alternative AI providers or opt out of AI features.
9.4 Opt-Out of Specific AI Providers
Customer may opt out of specific AI providers based on data location concerns. To opt out, Customer should submit a request to privacy@syntari.ai specifying which provider(s) to exclude. Company will configure the Syntari platform to disable features powered by the excluded provider(s). Opt-out requests may impact feature availability or functionality.
10. SUBPROCESSOR LOCATION MANAGEMENT
10.1 Sub-processor Location Requirements
Company may engage subprocessors to assist with data processing. All subprocessors must maintain Customer Data in locations consistent with this Addendum (or in the location(s) specified by Customer). Subprocessors must have adequate technical and organizational safeguards for data protection.
10.2 Notice of Sub-processor Changes
Company will provide Customer with written notice of any changes to subprocessor locations, including addition of new subprocessors or relocation of existing subprocessors, at least 30 days in advance. Notice will be sent to the Customer email address on record, and information will also be available at https://www.syntari.ai/subprocessors (or equivalent location).
10.3 Customer Objection Rights
Upon receiving notice of a sub-processor location change, Customer may object to the new location within 15 days by contacting privacy@syntari.ai. Grounds for objection include concerns about data protection adequacy in the new location. Company will work with Customer to address objections, which may include offering alternative subprocessors or storage locations.
11. GOVERNMENT ACCESS AND SURVEILLANCE
11.1 Transparency Reporting
Company acknowledges that data stored in the United States may be subject to access by US government agencies under US law, including FISA, the Patriot Act, and related authorities. Company publishes transparency reports regarding government data requests. Current and past transparency reports are available at https://www.syntari.ai/transparency (or equivalent location).
11.2 Customer Notification
When legally permitted, Company will notify Customer of government data requests within a reasonable timeframe. Notifications will include the nature of the request, the requesting agency, and the scope of data requested. Customer will be given an opportunity to seek legal remedies where permitted by law.
11.3 Legal Challenge Commitments
Company commits to challenging overbroad or unreasonable government data requests to the extent permitted by law. Company will not voluntarily disclose Customer Data to government agencies without legal process unless required by law.
11.4 Supplementary Technical Measures
To mitigate risks from government access, Company implements supplementary measures including:
● Encryption of data in transit and at rest (where technically and commercially feasible)
● Pseudonymization and tokenization of sensitive personal data
● Access controls limiting visibility of raw customer data to essential personnel only
● Data minimization in AI processing (limiting data transmitted to AI providers)
12. BREACH AND INCIDENT LOCATION REPORTING
12.1 Location-Specific Breach Notification
In the event of a data breach or security incident affecting Customer Data, Company will provide notification to Customer that includes:
● Identification of the storage or processing location(s) where the incident occurred
● Date and time of discovery of the incident
● Scope and nature of the breach, including types of data affected
● Measures taken to secure and recover data
● Expected timeline for remediation
12.2 Regulatory Notification by Jurisdiction
Company will support Customer's regulatory notification obligations by providing necessary information for breach notifications to authorities in Customer's jurisdiction, including:
● EU/EEA data protection authorities (GDPR Article 33 and 34 notifications)
● UK Information Commissioner's Office (UK GDPR and DPA 2018 notifications)
● Canadian privacy commissioners (PIPEDA notifications)
● US state attorneys general (state breach notification law notifications)
● Insurance regulatory bodies
● Financial services regulatory authorities
12.3 Customer Notification Timeline
Company will provide initial breach notification to Customer within 48 hours of discovery of the incident, or as required by applicable law, whichever is sooner. Follow-up detailed incident reports will be provided within 10 business days of initial notification.
13. TERM AND TERMINATION
This Addendum is effective as of the Effective Date and continues for the duration of the DPA. Upon termination of the DPA, Company's obligations under this Addendum cease, except that Company will continue to comply with data deletion obligations regarding Customer Data as provided in the DPA.
14. AMENDMENT AND MODIFICATION
Company may amend this Addendum upon 30 days' written notice to Customer. Material modifications to data residency, transfer mechanisms, or regulatory compliance will be subject to Customer's right to object per the DPA's subprocessor procedures (Section 10.3). Continued use of the Syntari platform following the amendment period constitutes acceptance of the amended terms.
15. CONTACT INFORMATION
For questions regarding data residency, regional options, or compliance with this Addendum, Customer should contact:
Privacy & Data Protection:
Email: privacy@syntari.ai
Data Protection Officer:
Email: dpo@syntari.ai
Security & Incident Response:
Email: security@syntari.ai
16. ENTIRE AGREEMENT
This Addendum constitutes the entire agreement between Company and Customer regarding data residency and location of processing. In the event of any conflict between this Addendum and the DPA, the provisions of this Addendum shall control with respect to data residency matters.
© 2026 Syntari International, Inc. All rights reserved.
