Subprocessors

A subprocessor is a third-party data processor engaged by ClosedLoop Labs LLC, doing business as "ClosedLoop AI" ("ClosedLoop," "we," "us," or "our") that has or potentially will have access to or process Service Data (which may contain Personal Data) on our behalf. ClosedLoop Labs LLC engages different types of subprocessors to perform various functions as explained in the tables below.

ClosedLoop Labs LLC refers to third parties that do not have access to or process Service Data but who are otherwise used to provide the Services as "subcontractors" and not subprocessors. Such subcontractors are not listed on this page.

ClosedLoop AI undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy, and confidentiality practices of proposed subprocessors that will or may have access to or process Service Data. We assess each subprocessor's compliance certifications, security controls, data handling practices, and contractual commitments before engagement.

ClosedLoop AI requires its subprocessors to satisfy equivalent obligations as those required from ClosedLoop AI (as a Data Processor) as set forth in ClosedLoop AI's Data Processing Agreement ("DPA"), including but not limited to the requirements to:

• Process Personal Data in accordance with data controller's (i.e., Subscriber's) documented instructions (as communicated in writing to the relevant subprocessor by ClosedLoop AI).
• In connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws.
• Provide regular training in security and data protection to personnel to whom they grant access to Personal Data.
• Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which ClosedLoop AI is contractually committed to adhere insofar as they are equally relevant to the subprocessor's processing of Personal Data on ClosedLoop AI's behalf) and maintain appropriate compliance certifications (such as SOC 2, ISO 27001, or equivalent) that evidence compliance with this obligation. ClosedLoop AI reviews subprocessors' security documentation, certifications, and audit reports as part of our due diligence process.
• Promptly inform ClosedLoop AI about any actual or potential security breach.
• Cooperate with ClosedLoop AI in order to deal with requests from data controllers, data subjects, or data protection authorities, as applicable.

This policy does not give Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate ClosedLoop AI's engagement process for subprocessors as well as to provide the actual list of third-party subprocessors used by ClosedLoop AI as of the date of this policy (which ClosedLoop AI may use in the delivery and support of its Services).

If you are a ClosedLoop AI Subscriber and wish to enter into our Data Processing Agreement (DPA), please review our Data Processing Agreement or contact us at [email protected].

For all Subscribers who have executed ClosedLoop AI's standard DPA, ClosedLoop AI will provide notice via this policy of updates to the list of subprocessors that are utilized or which ClosedLoop AI proposes to utilize to deliver its Services. ClosedLoop AI undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of subprocessing associated with the ClosedLoop AI Services.

Pursuant to the DPA, a Subscriber can object in writing to the processing of its Personal Data by a new subprocessor within thirty (30) days after updating of this policy and shall describe its legitimate reasons to object. If Subscriber does not object during such time period, the new subprocessor(s) shall be deemed accepted.

If a Subscriber objects to the use of a subprocessor pursuant to the process provided under the DPA, ClosedLoop AI shall have the right to cure the objection through one of the following options (to be selected at ClosedLoop AI's sole discretion):

• ClosedLoop AI will cease to use the subprocessor with regard to Personal Data
• ClosedLoop AI will take the corrective steps requested by Subscriber in its objection (which remove Subscriber's objection) and proceed to use the subprocessor to process Personal Data
• ClosedLoop AI may cease to provide or Subscriber may agree not to use (temporarily or permanently) the particular aspect of a ClosedLoop AI Service that would involve the use of the subprocessor to process Personal Data

Termination rights, as applicable and agreed, are set forth exclusively in the DPA.

ClosedLoop AI maintains the following data retention policies for Service Data processed by our subprocessors:

• Raw Customer Data: Retained for up to twelve (12) months, then automatically deleted unless a longer retention period is required by law or necessary for ongoing service delivery
• Processed Insights and Analytics: Retained for the duration of the subscription term and may be retained longer for ongoing service delivery, subject to customer deletion requests
• Audit Logs: Retained for two (2) years for security and compliance purposes
• Pattern Recognition Data: Raw signals retained for two (2) years, pattern history retained for five (5) years, strategic insights retained for three (3) years
• Account Data: Retained for the duration of the subscription term and deleted within thirty (30) days of account termination, unless a longer retention period is required by law

Subscribers may request deletion of their data at any time through their account settings or by contacting [email protected]. Data deletion requests will be processed promptly in accordance with our DPA and applicable data protection laws.

ClosedLoop AI implements comprehensive technical and organizational security measures to protect Service Data processed by our subprocessors:

• Encryption in Transit: All data transmitted to and from subprocessors is encrypted using TLS 1.3 or higher protocols
• Encryption at Rest: All data stored by subprocessors is encrypted using industry-standard encryption mechanisms, including Azure's encryption-at-rest capabilities
• Access Controls: Access to Service Data is restricted to authorized personnel only, with role-based access control (RBAC) and multi-factor authentication (MFA) where applicable
• Authentication: JWT-based authentication for API access, with optional two-factor authentication (2FA) for enhanced security
• Audit Logging: Comprehensive audit logging of all data access, modifications, and system activities, retained for two (2) years for security monitoring and compliance
• Secret Management: All API keys, credentials, and sensitive configuration data are stored in Azure Key Vault, with no hardcoded secrets in application code
• Network Security: Network-level security controls including firewalls, intrusion detection, and DDoS protection
• Regular Security Assessments: Ongoing security assessments, vulnerability scanning, and penetration testing

All subprocessors are contractually required to maintain equivalent security measures and to promptly notify ClosedLoop AI of any security incidents affecting Service Data.

ClosedLoop AI owns or controls access to the infrastructure that ClosedLoop AI uses to host Service Data submitted to the Services, other than as set forth below. Currently, the ClosedLoop AI production systems for the Services are located in Microsoft Azure cloud facilities in the United States. The Subscriber's Service Data remains in that region, but may be shifted among data centers within a region to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged in the storage of Service Data by ClosedLoop AI.

ClosedLoop AI works with certain third parties to provide specific functionality within the Services. These providers are the Subprocessors set forth below. In order to provide the relevant functionality, these Subprocessors access Service Data. Their use is limited to the indicated Services.