This Data Processing Addendum ("DPA") forms part of the Terms of Service between Cogaid Solutions Private Limited ("Processor", "MakersFuel", "we") and the customer using the Service to process personal data of third parties ("Controller", "you"). It applies whenever you use the Service, and in particular MakersClaw AI employees, to process personal data for which you act as controller under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, or equivalent data protection laws.

1. Definitions

Terms used in this DPA have the meanings given in the GDPR, including "personal data", "processing", "controller", "processor", "data subject", and "supervisory authority". "Customer Personal Data" means personal data that MakersFuel processes on your behalf under the Terms of Service.

2. Roles and scope

You are the Controller of the Customer Personal Data. MakersFuel is the Processor. MakersFuel will process Customer Personal Data only:

• on your documented instructions;
• for the purpose of providing the Service as described in the Terms of Service;
• for the duration of your use of the Service; and
• in accordance with applicable data protection law, including the GDPR and the UK GDPR.

MakersFuel will notify you if, in its opinion, an instruction infringes applicable data protection law.

3. Nature of processing

Subject matter: operation of MakersFuel community features and MakersClaw AI employees.

Duration: for as long as you use the Service, plus any retention periods required by law.

Nature and purpose of processing: hosting, transmitting, routing, storing, and displaying Customer Personal Data; forwarding messages and content to upstream AI model providers to generate responses; delivering responses back to end users on connected messaging channels; maintaining audit logs.

Categories of data subjects: your customers, end users, employees, or other individuals who interact with the AI employee you operate.

Categories of personal data: identifiers (username, handle, email where provided), message content, file attachments, channel metadata, and any other data you choose to submit to the Service.

4. Confidentiality

MakersFuel ensures that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations and have received appropriate training on their obligations.

5. Security

MakersFuel implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: encryption of data in transit (TLS) and at rest for databases and storage; access controls and least-privilege administration; isolated per-tenant infrastructure for MakersClaw instances; regular backups; logging and monitoring; incident response procedures; and vendor security reviews. Details of our security posture are summarized in the Privacy Policy and available on request.

6. Subprocessors

You authorize MakersFuel to engage the subprocessors listed in the Privacy Policy (Supabase, Google Cloud Platform, DigitalOcean, Paddle, Assistiv AI, Resend, Sanity, PostHog, Google Analytics) for the purposes described there. MakersFuel enters into written agreements with each subprocessor that impose data-protection obligations substantially equivalent to those in this DPA. We will give you reasonable prior notice of any intended addition or replacement of subprocessors; if you object on reasonable data-protection grounds, you may terminate the affected Service and receive a pro-rata refund for any prepaid, unused portion.

7. Data subject requests

Taking into account the nature of the processing, MakersFuel will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights under the GDPR (including access, rectification, erasure, restriction, objection, and portability). If a data subject contacts MakersFuel directly regarding personal data that you control, we will forward the request to you and cooperate reasonably.

8. Personal data breach notification

MakersFuel will notify you without undue delay, and in any event within 48 hours of becoming aware of a personal data breach affecting Customer Personal Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. You remain responsible for any notifications to supervisory authorities and affected data subjects that are required of you as Controller.

9. Data protection impact assessments

MakersFuel will provide reasonable assistance, at your cost, in connection with data protection impact assessments and prior consultations with supervisory authorities that you are required to carry out under Articles 35 and 36 of the GDPR, taking into account the nature of the processing and information available to MakersFuel.

10. International data transfers

Customer Personal Data is processed primarily in the United States. Where Customer Personal Data is transferred from the EEA, the United Kingdom, or Switzerland to a country without an adequacy decision, such transfers are carried out under the European Commission's Standard Contractual Clauses (SCCs) of 4 June 2021 (Module Two: Controller-to-Processor), with the UK International Data Transfer Addendum where applicable. By entering into this DPA, you and MakersFuel are deemed to have entered into the SCCs and the UK Addendum with the modules and options required for the processing described in this DPA. The governing law and forum of the SCCs are the laws of the Republic of Ireland and the courts of Ireland, unless mandatory law provides otherwise.

11. Deletion or return of data

Customer Personal Data is deleted on termination as follows:

• User-initiated termination: when you delete a MakersClaw instance or your account, all associated Customer Personal Data is deleted immediately. No grace period applies.
• Termination due to payment failure: Customer Personal Data is retained for a 15-day grace period to allow you to update your payment method, after which it is deleted.
• Return of data: on written request received before termination takes effect, MakersFuel will provide a machine-readable export of Customer Personal Data in a commonly used format prior to deletion.

Standard backup rotation will overwrite Customer Personal Data according to our normal backup cycle after deletion. Records that MakersFuel is required by law to retain (for example, billing records under tax law) are retained only for the statutory period and used solely for those legal purposes.

12. Audits

On your reasonable written request, and no more than once every twelve months (or more frequently if required by a supervisory authority or in the event of a material breach), MakersFuel will make available information necessary to demonstrate compliance with this DPA, including third-party certifications, penetration test summaries, and responses to reasonable security questionnaires. Audits beyond that require mutual agreement on scope, timing, and cost.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

14. Order of precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Customer Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.

15. Contact

Data protection questions, requests, and breach notifications should be sent to [email protected]. EU/EEA data subjects and supervisory authorities may also contact our EU Representative, listed in the Privacy Policy.