[i]Data processing agreement

Controller and processor. In writing.

This Data Processing Agreement governs how Laras processes Client personal data as a processor under GDPR, UK GDPR, CCPA, and UU PDP. It supplements the Master Service Agreement and is offered on standard terms to every Client whose compliance program requires a written DPA.

PT LARAS TEKNOLOGI INTERNATIONAL operates the Laras platform (larasx.com). For executed-copy requests or DPA questions, contact help@larasx.com.

[ii]Related documents

Read this DPA alongside the live operating documents.

The Sub-Processor list updates whenever the processor chain changes. The Privacy Policy describes the underlying processing in plain language for Data Subjects.

[iii]Operative clauses

Fifteen clauses covering scope, Meta Platform data, security, transfer, and termination.

i.

Parties and background

This Data Processing Agreement ("DPA") is entered into between PT LARAS TEKNOLOGI INTERNATIONAL, registered in Kabupaten Langkat, Republic of Indonesia ("Laras"), acting as Data Processor, and the customer entity that has accepted the Master Service Agreement or Terms of Service governing access to the Laras platform ("Client"), acting as Data Controller. This DPA supplements and forms part of the Master Service Agreement ("MSA"), available at https://larasx.com/legal/terms. It takes effect on the Effective Date of the MSA or, if later, the date Client first uploads or transmits Personal Data through the Laras service. To the extent this DPA conflicts with the MSA on matters of data protection, this DPA controls.

ii.

Definitions

Terms used in this DPA carry the meanings given to them under Applicable Data Protection Law. "Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data, whether automated or not. "Controller" means the entity that determines the purposes and means of Processing. "Processor" means the entity that Processes Personal Data on behalf of the Controller. "Sub-Processor" means a third-party Processor engaged by Laras to assist in Processing Personal Data on Client's behalf. "Data Subject" means the identified or identifiable natural person to whom Personal Data relates. "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. "Applicable Data Protection Law" means all laws and regulations applicable to Processing under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act ("CCPA") and its successor regulations, Indonesia's Personal Data Protection Law (UU 27/2022, "UU PDP"), and equivalent laws of other jurisdictions where Client or its End-Users reside. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries under Article 46 GDPR.

iii.

Scope and roles

Client is the Controller of Personal Data Processed under this DPA; Laras is the Processor. Laras Processes Personal Data only on Client's documented instructions, including those set out in the MSA, this DPA, and the Client's configuration of the Laras platform (workspace settings, connected channels, autonomy contract, approval thresholds). The categories of Data Subjects are Client's End-Users, including Client's customers, prospective customers, leads, contacts, and where applicable Client's personnel acting on Client's behalf. The categories of Personal Data and the nature and purpose of Processing are described in Annex 1 and in the Laras Privacy Policy at https://larasx.com/legal/privacy. If Laras is required by law to Process Personal Data otherwise than on Client's instructions, Laras will inform Client of that legal requirement before Processing unless the relevant law prohibits such notice on important grounds of public interest.

iv.

Processor obligations

Laras commits to the following obligations under Article 28 GDPR and equivalent provisions of Applicable Data Protection Law. (a) Process Personal Data only on Client's documented instructions, including with regard to transfers to a third country, unless required to do otherwise by law. (b) Ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations of a contractual or statutory nature. (c) Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 3. (d) Assist Client, by appropriate technical and organizational measures and insofar as possible, with the fulfillment of Client's obligation to respond to Data Subject requests. (e) Assist Client in ensuring compliance with security, breach notification, Data Protection Impact Assessment, and prior consultation obligations under Articles 32 to 36 GDPR or equivalent. (f) Make available to Client information necessary to demonstrate compliance with this DPA. (g) Notify Client of any Data Breach without undue delay and in any event within 72 hours of confirmed awareness. (h) At Client's choice, delete or return all Personal Data to Client after termination of the services, subject to the carve-outs in Section 12 (Deletion or return of data).

v.

Sub-Processors

Client authorizes Laras to engage the Sub-Processors listed in Annex 2 and at https://larasx.com/legal/subprocessors as of the Effective Date. Laras will give Client at least 30 days' prior notice of the addition or replacement of a Sub-Processor by updating the live Sub-Processor list and, on request, by email notification. Client may object to a new Sub-Processor on reasonable, legitimate data protection grounds within that notice period; if Laras cannot accommodate the objection through reasonable alternative arrangements, Client may terminate the affected service on written notice without further liability for the affected portion. Laras imposes data protection obligations on each Sub-Processor that are no less protective than those set out in this DPA and remains liable to Client for the performance of each Sub-Processor's obligations to the extent such Sub-Processor acts within the scope of Laras' instructions. Client acknowledges that Laras shall not be responsible for any data incidents or liabilities solely attributable to Sub-Processors' acts or omissions, provided Laras has complied with this Section.

vi.

Meta Platform data

Scope. Where the Client has connected a Meta surface, this Section governs Processing of Personal Data received through the Meta WhatsApp Business Platform API, the Meta Instagram Graph API, the Meta Messenger Platform (Facebook Page Messenger API), and the Meta Threads API ("Meta Platform Data").

Purpose. Laras Processes Meta Platform Data on the Client's documented instructions to operate the AI worker that auto-replies to customer messages on the Client's (or where applicable, the Partner's) brand, follows up sales, delivers service answers, and keeps a verifiable audit trail.

Retention. Meta Platform Data message content is retained for 24 months from the date of receipt unless a shorter period is configured by the Client; OAuth access tokens and refresh tokens issued by Meta are deleted within 30 days of disconnect, and immediately on a verified Meta data-deletion callback or on Partner offboarding.

Deletion rights. End-Users may exercise deletion rights through the disconnect flow at /app/settings/integrations, through the Meta-issued data-deletion callback (https://larasx.com/api/meta/data-deletion), or by emailing help@larasx.com for a verified manual review (7 working days). A confirmation code is returned for each Meta-callback request and is queryable at https://larasx.com/data-deletion-status/<confirmation_code>.

Compliance. Processing of Meta Platform Data is subject to Meta's Platform Terms and Developer Policies in addition to this DPA; in the event of a conflict on Meta-specific obligations, Meta's policies control to the extent required by Meta.
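The data-deletion callback referred to in this Section follows Meta's signed_request convention: Meta POSTs a `signed_request` parameter whose first segment is a base64url HMAC-SHA256 over the second segment, and the second segment is base64url JSON carrying the app-scoped `user_id`, an `algorithm` field and `issued_at`; the endpoint must answer with JSON giving a status `url` and a `confirmation_code`. The Python below is an added illustration of the receiving side and is not Laras' code. The app secret, the five-minute freshness window and the random confirmation code are assumptions made for the example; the status URL prefix is the one stated above. A "verified" callback in the sense used in this Section is one whose signature check passes before any deletion is queued.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed values for the example. Laras' real app secret is not public and
# the freshness window is an assumption, not something the DPA specifies.
APP_SECRET = "example-app-secret-do-not-use"
STATUS_BASE_URL = "https://larasx.com/data-deletion-status/"
MAX_AGE_SECONDS = 5 * 60


class InvalidSignedRequest(ValueError):
    """Raised when a signed_request fails structural or cryptographic checks."""


def _b64url_decode(data: str) -> bytes:
    # Meta strips '=' padding from both segments; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def parse_signed_request(signed_request: str, app_secret: str,
                         now: Optional[float] = None) -> dict:
    """Verify a Meta signed_request and return its decoded payload.

    Wire format: <base64url(HMAC-SHA256(encoded_payload, app_secret))>.<encoded_payload>
    The MAC covers the base64url *string* of the payload, not the decoded JSON.
    """
    parts = signed_request.split(".", 1)
    if len(parts) != 2:
        raise InvalidSignedRequest("malformed signed_request")
    encoded_sig, encoded_payload = parts
    try:
        sig = _b64url_decode(encoded_sig)
        payload = json.loads(_b64url_decode(encoded_payload))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise InvalidSignedRequest("undecodable signed_request") from exc
    if not isinstance(payload, dict):
        raise InvalidSignedRequest("payload is not a JSON object")
    # Pin the algorithm: never let the payload choose how it is verified.
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise InvalidSignedRequest("unexpected algorithm")
    expected = hmac.new(app_secret.encode("utf-8"),
                        encoded_payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise InvalidSignedRequest("bad signature")
    issued_at = payload.get("issued_at")
    current = time.time() if now is None else now
    if not isinstance(issued_at, (int, float)) or current - issued_at > MAX_AGE_SECONDS:
        raise InvalidSignedRequest("stale or missing issued_at")
    if not payload.get("user_id"):
        raise InvalidSignedRequest("missing user_id")
    return payload


def is_valid_signed_request(signed_request: str, app_secret: str = APP_SECRET,
                            now: Optional[float] = None) -> bool:
    try:
        parse_signed_request(signed_request, app_secret, now)
        return True
    except InvalidSignedRequest:
        return False


def handle_deletion_callback(signed_request: str, app_secret: str = APP_SECRET,
                             now: Optional[float] = None) -> dict:
    """Build the JSON body Meta expects: a status URL plus the confirmation code."""
    payload = parse_signed_request(signed_request, app_secret, now)
    confirmation_code = secrets.token_urlsafe(16)
    # A real service would, at this point, enqueue deletion of the Meta Platform
    # Data held for payload["user_id"] and persist the code for the status page.
    return {"url": STATUS_BASE_URL + confirmation_code,
            "confirmation_code": confirmation_code,
            "user_id": payload["user_id"]}


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Produce a signed_request the way Meta does; used to construct sample input."""
    encoded_payload = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode("utf-8"),
                   encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + encoded_payload


if __name__ == "__main__":
    # Constructed sample callback with a constructed app-scoped user id.
    sample = make_signed_request(
        {"algorithm": "HMAC-SHA256", "issued_at": int(time.time()), "user_id": "1234567890"},
        APP_SECRET)
    print(json.dumps(handle_deletion_callback(sample), indent=2))
```

The two failure modes worth testing are a forged or tampered request (wrong secret, edited payload) and a replayed one: both must be rejected before any deletion is queued, and only the `url` and `confirmation_code` keys should be returned to Meta.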

vii.

Security measures

Laras implements and maintains the technical and organizational measures described in Annex 3, which include at minimum: encryption of Personal Data in transit (TLS 1.2 or higher, with TLS 1.3 preferred) and at rest (AES-256 or equivalent); role-based access control with least-privilege provisioning and multi-factor authentication for administrative access; tenant isolation via Postgres Row Level Security with explicit tenant scoping; immutable audit logging of every business decision, model call, and external send; mandatory confidentiality and data-handling training for all personnel with access to Personal Data; documented vendor due diligence for each Sub-Processor; and business continuity and disaster recovery procedures with documented backup, restore, and failover targets. Laras reviews and updates these measures regularly to reflect the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risks to Data Subjects, in line with Article 32 GDPR.

viii.

Data Subject rights

Taking into account the nature of the Processing, Laras assists Client by appropriate technical and organizational measures, insofar as this is possible, to fulfill Client's obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction of Processing, data portability, and objection. Where a Data Subject submits a rights request directly to Laras concerning Personal Data Processed on behalf of Client, Laras will forward the request to Client without undue delay and will not respond on the merits unless instructed by Client or required by law. Routine assistance is provided at no additional cost. Where the volume or complexity of assistance materially exceeds routine handling, Laras may charge Client reasonable cost-recovery fees, communicated in advance.

ix.

Data Breach notification

Laras will notify Client without undue delay, and in any event within 72 hours of confirmed awareness, of any Data Breach affecting Personal Data Processed under this DPA. The notification will include, to the extent then known: the nature of the Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; the likely consequences of the Data Breach; the measures taken or proposed to address the Data Breach and mitigate its adverse effects; and the contact point at Laras for further information. Where it is not possible to provide all such information at once, the information may be provided in phases without undue further delay. Laras will cooperate with Client and provide reasonable assistance in Client's notifications to supervisory authorities and affected Data Subjects. Unless required by law to do so directly, Laras will not notify supervisory authorities or Data Subjects on its own behalf concerning a Data Breach affecting Personal Data Processed for Client.

x.

Cross-border data transfer

Client acknowledges that delivery of the Laras service requires Personal Data to be transferred to and Processed in jurisdictions outside Client's primary jurisdiction, including the Republic of Singapore (primary application data residency), the United States, the European Union, and other regions where Sub-Processors operate. For transfers of Personal Data subject to the GDPR or UK GDPR from the European Economic Area, the United Kingdom, or Switzerland to a third country not benefiting from an adequacy decision, the parties incorporate by reference the Standard Contractual Clauses (Module Two: Controller-to-Processor) approved under Commission Implementing Decision (EU) 2021/914, with Client as data exporter and Laras as data importer. For transfers from the United Kingdom, the UK International Data Transfer Addendum is incorporated by reference. For transfers from other jurisdictions, the parties rely on appropriate safeguards available under Applicable Data Protection Law, including supplementary contractual measures with Sub-Processors. Client authorizes such transfers by entering into this DPA.

xi.

Audit rights

Client may, no more than once per calendar year and on at least 30 days' prior written notice, audit Laras' compliance with this DPA, either itself or through an independent third-party auditor that is not a competitor of Laras and that is bound by appropriate confidentiality obligations. Audits shall be conducted during regular business hours, in a manner that does not unreasonably interfere with Laras' operations, and at Client's expense, unless the audit reveals a material breach of this DPA, in which case Laras shall bear its own reasonable costs. In lieu of an on-site audit, Laras may provide Client with then-current security documentation, available third-party attestations if any, and responses to a reasonable security questionnaire. Laras does not claim a certification unless that certification has been issued. Additional audit rights granted under the SCCs are not limited by this Section.

xii.

Deletion or return of data

On termination of the services under the MSA, Laras will, at Client's written choice expressed within 30 days of termination, delete or return to Client all Personal Data Processed under this DPA. Absent a timely Client instruction, Laras will delete. Deletion from primary production systems will be completed within 30 days of termination or of Client's instruction, whichever is later. Personal Data residing in backup media will be deleted within 90 days following the regular backup rotation cycle. Laras may retain Personal Data to the extent and for as long as required by Applicable Data Protection Law (for example, billing and tax records, anti-fraud records, regulatory archiving obligations) or where required to defend legal claims, and the retained data will remain protected by the obligations of this DPA until deleted.

xiii.

Liability

Each party shall be liable to the other for damages arising out of its breach of this DPA, subject to the aggregate liability caps and exclusions set out in the MSA. Without limiting the foregoing, Laras is not liable for damages arising from (a) Client's instructions where those instructions cause the Processing to be unlawful or where Laras has notified Client in writing that such instructions infringe Applicable Data Protection Law; (b) Client's breach of its obligations as Controller; or (c) acts or omissions of Sub-Processors to the extent excluded under Section 5. Nothing in this DPA limits either party's liability where such limitation is prohibited by Applicable Data Protection Law, including liability owed to Data Subjects under Article 82 GDPR.

xiv.

Term and termination

This DPA takes effect on the Effective Date and remains in force for the duration of the MSA and for as long as Laras Processes Personal Data on Client's behalf. Provisions that by their nature should survive termination, including obligations relating to data deletion and return, confidentiality, audit cooperation, breach notification of incidents occurring during the term, and liability, will survive termination for the period necessary to give them effect, and in any event for the period required by Applicable Data Protection Law.

xv.

Miscellaneous

In case of conflict between this DPA and the MSA on matters of data protection, this DPA controls. In case of conflict between this DPA and the Standard Contractual Clauses, the SCCs control. This DPA is governed by the law specified in the MSA, except that the SCCs are governed by the law of an EU Member State as required by their terms. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force, and the parties will negotiate in good faith to replace the invalid provision with a valid one that most closely reflects the original intent. No failure or delay in exercising any right under this DPA operates as a waiver of that right. Amendments to this DPA must be in writing and signed by authorized representatives of both parties, except that Laras may update the Sub-Processor list and Annex 3 to reflect the then-current operating practice with notice as set out in Section 5.

[iv]Annexes

Three annexes describing processing, sub-processors, and safeguards.

Annex 1

Annex 1: Description of Processing

Subject matter of Processing: provision of the Laras AI business operating layer service, including workspace management, brand context grounding, channel integration, drafting and dispatch of customer-facing communications, decision logging, and outcome analysis.

Duration of Processing: the term of Client's engagement with Laras under the MSA, plus the retention and deletion windows described in Section 12 (Deletion or return of data) and in the Privacy Policy.

Nature and purpose of Processing: as described in Section 5 of the Privacy Policy (https://larasx.com/legal/privacy).

Categories of Personal Data: workspace identity data; brand and operating context; OAuth access and refresh tokens for connected platforms (including WhatsApp Business Platform, Instagram Graph API, Facebook Page Messenger API, Threads API, Stripe, and Xendit); WhatsApp message bodies (text, voice notes, images, attachments) and associated end-user contact identifiers; WABA phone numbers; Instagram Direct Message bodies, public comments on the Client's own Instagram posts, Instagram handles, and Instagram-Scoped User IDs (IGSID); Facebook Page Messenger message bodies, Facebook Page IDs, and Page-Scoped User IDs (PSID); Threads message bodies and Threads user identifiers; outbound action records including drafts, approvals, send logs, and decision rationale; CRM and customer history; billing metadata; voice product audio segments and derived transcripts where the Laras Voice product is enabled.

Special categories of Personal Data: none are intentionally Processed; Client undertakes not to upload special-category data without prior written agreement with Laras and appropriate additional safeguards.

Categories of Data Subjects: Client (including Client's personnel acting on Client's behalf), Partners (where the Service is distributed through the partner program), and Client's End-Users including customers-of-Partner (customers, prospective customers, leads, contacts).

Annex 2

Annex 2: Sub-Processors

The authoritative list of Sub-Processors authorized by Client under Section 5 — including processing function, processing region, and certification posture — is maintained at https://larasx.com/legal/subprocessors and forms part of this Annex by reference. As of the Effective Date the list includes, without limitation: Supabase (managed Postgres database, authentication, and object storage); Vercel (application hosting and CDN); Meta Platforms (WhatsApp Business Platform API, Instagram Graph API, Facebook Page Messenger API, Threads API); Resend (transactional email); Stripe (payment processing); foundation-model inference providers that may process message content, namely DeepSeek (analytical reasoning), Qwen via Alibaba Cloud DashScope at the Singapore international endpoint, with compute that may execute in Alibaba Cloud regions including mainland China (customer-facing language and vision), Kimi by Moonshot AI in China (creative-generation tasks), and Anthropic (legacy features pending migration); Voyage AI (text embeddings for retrieval and brand-context indexing); Fish Audio (voice synthesis / TTS) and Soniox (speech recognition / STT) for the Laras Voice product; Cloudflare R2 (object storage and CDN); and a self-hosted Qdrant vector retrieval system operated by Laras. The specific legal entity, region, and contract type for each provider is published at the subprocessor URL above. Each Sub-Processor is bound by data protection obligations consistent with this DPA through a written agreement (or, in the case of self-hosted components, is operated by Laras under its own controls). Laras will give at least 30 days' advance notice before adding or replacing a Sub-Processor or making a material change to the list, using the notice mechanism set out in Section 5.

Annex 3

Annex 3: Technical and organizational measures

Access control: role-based access control with least-privilege provisioning; multi-factor authentication required for administrative access to production systems; separation of duties between application personnel and infrastructure personnel; quarterly access review for production roles.

Pseudonymization and minimization: pseudonymization applied where feasible without degrading service quality; data minimization enforced at ingestion through schema-level constraints and at the application layer.

Encryption: AES-256 (or stronger) at rest for primary database and backups via managed-provider disk encryption; sensitive token columns stored as encrypted bytea where applicable; TLS 1.2 minimum (TLS 1.3 preferred) for all client and platform API traffic.

Confidentiality: all personnel with access to Personal Data are bound by written confidentiality undertakings; non-disclosure obligations survive termination of engagement.

Integrity: input validation on all externally received payloads; immutable audit logs for governance decisions, model calls, approvals, and external sends; tamper-evident storage of consent and authorization events.

Availability: automated daily backups with documented restore procedures; documented disaster recovery and business continuity procedures with annual review; managed-provider infrastructure with documented SLA targets.

Resilience: real-time monitoring of error rates, latency, and security signals; documented incident response runbook with on-call coverage; post-incident review and corrective-action tracking.

Regular testing and assessment: routine vulnerability scanning of dependencies and infrastructure; dependency update cadence; periodic third-party security review where commercially reasonable.

Vendor management: written DPA, security review, and ongoing oversight for every Sub-Processor with access to Personal Data; published Sub-Processor list with advance change notification.
