Data Processing Addendum

1.1 This DPA applies to Personal Information that Dino RD&C processes on behalf of Customer in connection with the Service.

1.2 Roles. Customer is the Business (and where applicable the Controller) of Personal Information processed through the Service. Dino RD&C is a Service Provider (CCPA/CPRA), Processor (Virginia, Colorado, Connecticut, Utah, and similar state laws), or analogous role as defined under the relevant US state privacy law.

1.3 Local-first architecture. Most Personal Information processed via BOS is stored on Customer’s Appliance and is not transmitted to Dino RD&C. The narrow categories of information that Dino RD&C does receive are described in Section 4 and in the Privacy Policy.

• “Personal Information” has the meaning given in the applicable US state privacy law (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MTCDPA, DPDPA, MODPA, NHCPA, NJDPA, ICDPA, INDPA, TIPA, MNCDPA, RICDPA).
• “Sensitive Personal Information” has the meaning given in those laws.
• “Process” means any operation performed on Personal Information.
• “Subprocessor” means any third party engaged by Dino RD&C to Process Personal Information on its behalf.

3.1 Dino RD&C will Process Personal Information only:

• (a) on Customer’s documented instructions, including the instructions reflected in the Service configuration and the Order Form;
• (b) as necessary to provide and improve the Service consistent with Section 4 of this DPA and Section 5 of the Privacy Policy;
• (c) as necessary to comply with applicable law.

3.2 Dino RD&C will not:

• (a) “sell” or “share” Personal Information as those terms are defined under CCPA/CPRA;
• (b) Process Personal Information for any business or commercial purpose other than as set out in this DPA, the Terms of Service, or the Privacy Policy;
• (c) Process Personal Information outside the direct business relationship between Dino RD&C and Customer;
• (d) combine Personal Information received from Customer with Personal Information received from any other source for any cross-customer purpose;
• (e) use Personal Information to train, fine-tune, or refine cross-customer AI models or skills.

3.3 Dino RD&C will notify Customer if Dino RD&C concludes it can no longer meet its obligations under applicable law. Customer may, on receipt of such notice or on reasonable belief that Dino RD&C is processing Personal Information in violation of law, take reasonable and appropriate steps to stop or remediate the unauthorized Processing.

The narrow categories of Personal Information that Dino RD&C receives in connection with the Service are:

Customer Data on the Appliance (CRM records, voice recordings, transcripts, messages, jobs, quotes, invoices, AI memories) is not transmitted to Dino RD&C in the ordinary course of business. It is processed locally by the Software on Customer’s Appliance.

If Customer enables the optional cloud backup add-on, Customer Data is encrypted, transmitted, and stored as described in the add-on documentation. Dino RD&C does not access cloud-backup contents for any purpose other than to deliver the backup service.

5.1 Customer authorizes Dino RD&C to engage Subprocessors to assist in performing the Service. The current list is published at dinoaihost.com/subprocessors.

5.2 Dino RD&C will:

• (a) impose written contractual obligations on each Subprocessor that are at least as protective of Personal Information as those set out in this DPA;
• (b) remain responsible for each Subprocessor’s performance of those obligations.

5.3 Notice of new Subprocessors. Dino RD&C will give Customer at least thirty (30) days’ notice before engaging a new Subprocessor that will Process Customer’s Personal Information. Customer may subscribe to subprocessor-change notifications by emailing [email protected]. If Customer reasonably objects to a new Subprocessor on Personal Information protection grounds, the parties will work together to find a commercially reasonable resolution. If no resolution is reached, Customer may terminate the affected portion of the Service for cause.

5.4 Customer-direct integrations. Stripe, Twilio, Gmail, and similar third-party services that Customer signs up for directly are not Dino RD&C Subprocessors. Customer’s relationship with those services is governed by Customer’s agreement with each provider.

6.1 Dino RD&C will, taking into account the nature of the Processing, provide reasonable assistance to Customer in responding to verifiable consumer requests for access, deletion, correction, portability, and other rights under applicable US state privacy laws.

6.2 If Dino RD&C receives a data subject request directly, it will (where lawful) inform the data subject that the request must be directed to Customer, and forward the request to Customer.

6.3 Customer is responsible for verifying the identity of requestors and for determining how to respond.

7.1 Dino RD&C will implement and maintain reasonable and appropriate administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Personal Information. Dino RD&C’s current measures are described in Schedule 1.

7.2 Dino RD&C will ensure that personnel authorized to Process Personal Information are bound by appropriate confidentiality obligations.

8.1 Dino RD&C will notify Customer without undue delay, and in any case within seventy-two (72) hours, after Dino RD&C confirms a Personal Information breach affecting Customer’s Personal Information.

8.2 Notification will include, to the extent known: the nature of the breach, the categories and approximate volume of records and individuals concerned, the likely consequences, and the measures taken or proposed.

8.3 Dino RD&C will provide reasonable cooperation in Customer’s investigation, mitigation, regulatory notifications, and individual notices.

The Service is currently delivered in the United States. If Dino RD&C expands the Service outside the United States in the future, Dino RD&C will update this DPA to address the applicable transfer mechanisms.

10.1 Customer may, on reasonable prior written notice and not more than once per twelve (12) months (except where required following a confirmed Personal Information breach or a regulatory inquiry), request information reasonably necessary to verify Dino RD&C’s compliance with this DPA.

10.2 Dino RD&C will respond by providing written documentation of its security practices, the most recent applicable third-party assessments (if any), and reasonable answers to written questions. Onsite audit is not currently offered. As Dino RD&C matures, certifications such as SOC 2 may be added; the absence of certification does not relieve Dino RD&C of its obligations under this DPA.

10.3 Audit information is Dino RD&C’s confidential information.

11.1 On termination of the Terms of Service, Customer Data on the Appliance is unaffected — the Appliance is Customer’s property and the data remains under Customer’s control.

11.2 With respect to any Personal Information held by Dino RD&C (license activation, telemetry, crash reports, support logs, marketing-site contact records), Customer may request return or deletion. Dino RD&C will return or delete the Personal Information within thirty (30) days, except where retention is required by law (in which case Dino RD&C will retain the Personal Information only for the legally required period and only for the legally required purpose).

11.3 Dino RD&C is not required to delete Personal Information that has been securely aggregated and de-identified and is no longer reasonably linkable to any individual.

This is a material commitment incorporated into this DPA: Dino RD&C does not use Customer’s Personal Information or Customer Data to train, fine-tune, or refine AI models, skills, or prompts that benefit any other customer. All distillation, refinement, and personalization happens on Customer’s Appliance.

If Dino RD&C ever proposes to change this commitment, the change will be opt-in only, after at least thirty (30) days’ written notice to Customer.

13.1 In the event of conflict between this DPA and the Terms of Service, this DPA prevails as to the Processing of Personal Information.

13.2 This DPA remains in force for as long as Dino RD&C Processes Personal Information of Customer.

• Encryption at rest: AES-256-GCM for secrets and credentials handled by Dino RD&C systems.
• Encryption in transit: TLS 1.2+ for all Customer-facing endpoints; mTLS or signed-payload validation for webhook relays.
• Access controls: role-based access in BOS and in Dino RD&C’s internal tooling; least-privilege enforcement; multi-factor authentication for personnel accounts.
• Authentication for support access: authenticated, customer-authorized Tailscale sessions; per-session logging.
• Audit logging: administrative and remote-support actions logged on the Appliance and on Dino RD&C systems; retained for seven (7) years.
• Endpoint management: Apple Business Manager + Mosyle MDM lockdown of Appliances; signed updates only.
• Vulnerability management: routine review of subprocessor security posture; documented vulnerability disclosure program at dinoaihost.com/security-disclosure.
• Personnel: confidentiality obligations and security training for all personnel with access to Personal Information.

The current Subprocessor list is maintained at dinoaihost.com/subprocessors.