Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between limit.md, Inc. ("limit.md", "we", "us" or "Processor") and the customer entity that has accepted our Terms of Service(the "Customer", "you" or "Controller") (together, the "Agreement") governing the provision of the limit.md platform, which issues Visa virtual cards for AI agents with network-level spend controls (the "Services"). This DPA reflects the parties' agreement on the Processing of Personal Data in connection with the Services.

Where there is any conflict between this DPA and the Agreement on the subject of data protection, this DPA prevails. This DPA supplements, but does not replace, the commitments described in our Privacy Policy.

1. Introduction and scope

This DPA applies to the Processing of Personal Data by limit.md on your behalf where such Processing is subject to Data Protection Laws, including Regulation (EU) 2016/679 (the "GDPR"), the GDPR as incorporated into the law of the United Kingdom (the "UK GDPR"), the Swiss Federal Act on Data Protection, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the "CCPA" and, together with the foregoing, the "Data Protection Laws").

For the purposes of the Services, the parties acknowledge that you act as the Controller (or business) and limit.md acts as the Processor (or service provider) with respect to Customer Personal Data. Each party will comply with its respective obligations under the Data Protection Laws. Where limit.md determines the means and purposes of Processing in its capacity as a regulated card program manager and a Visa program participant — for example, to meet its own legal, anti-money-laundering, network-rule, and fraud-prevention obligations — limit.md acts as an independent controller, and such Processing is governed by our Privacy Policy rather than this DPA.

2. Definitions

Capitalized terms not defined here have the meaning given in the Agreement or the Data Protection Laws. In this DPA:

• "Personal Data"means any information relating to an identified or identifiable natural person that is Processed by limit.md on your behalf under the Agreement ("Customer Personal Data").
• "Processing" means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, storage, use, disclosure, transmission, or erasure.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
• "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
• "Processor" means the entity that Processes Personal Data on behalf of the Controller.
• "Sub-processor" means any third party engaged by limit.md to Process Customer Personal Data in the course of providing the Services.
• "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
• "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses approved by the European Commission and, where relevant, the UK International Data Transfer Addendum.

3. Roles and responsibilities of the parties

You are responsible for the lawfulness of the Customer Personal Data you provide to limit.md and for ensuring that you have a valid legal basis and any necessary notices, consents, or authorizations to disclose that data to us and to instruct us to Process it for the purposes contemplated by the Agreement.

limit.md is responsible for Processing Customer Personal Data only as described in this DPA and your documented instructions, and for implementing and maintaining the technical and organizational measures set out in Section 6. Each party will appoint a point of contact for data protection matters and respond to the other party's reasonable requests in connection with this DPA.

4. Scope and purpose of Processing

limit.md will Process Customer Personal Data only to provide, maintain, secure, and support the Services and as otherwise instructed by you in writing. The details of the Processing are set out in the Annex to this DPA, which forms an integral part of it.

4.1 Documented instructions

Your complete instructions for the Processing of Customer Personal Data are contained in the Agreement, this DPA, your configuration and use of the Services (including the spend policies, card controls, and limits you define), and any subsequent written instructions you give. limit.md will notify you if, in its opinion, an instruction infringes the Data Protection Laws, unless prohibited from doing so by law.

5. Processor obligations

• Process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law (in which case limit.md will inform you of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest).
• Ensure that persons authorized to Process Customer Personal Data are bound by appropriate obligations of confidentiality and have received adequate data protection training.
• Implement and maintain the technical and organizational measures described in Section 6.
• Assist you, taking into account the nature of the Processing, in fulfilling your obligations to respond to Data Subject requests and to ensure compliance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
• Make available to you the information reasonably necessary to demonstrate compliance with the obligations set out in this DPA.

6. Security measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, limit.md implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including:

• Encryption — encryption of Customer Personal Data in transit using TLS 1.2 or higher and encryption at rest using AES-256 or an equivalent standard.
• Access controls — role-based access control, least-privilege access, multi-factor authentication for administrative access, and logging and monitoring of access to systems that Process Customer Personal Data.
• Card data protection — card data is tokenized and handled by our PCI-DSS Level 1 certified processor (Stripe); primary account numbers and sensitive authentication data never touch limit.md systems.
• Independent assurance — limit.md has a SOC 2 Type II audit in progress covering the security, availability, and confidentiality of the Services. The resulting report will be made available, and refreshed on at least an annual basis, once completed.
• Resilience and recovery — measures to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems, and to restore availability and access to Personal Data in a timely manner after an incident.
• Testing — regular testing, assessment, and evaluation of the effectiveness of these measures, including vulnerability scanning and periodic penetration testing.

7. Sub-processors

You provide a general authorization for limit.md to engage Sub-processors to Process Customer Personal Data in connection with the Services. limit.md's current Sub-processors include providers of cloud infrastructure and hosting, the card-issuing processors and bank partners that operate the Visa card program, transactional email delivery, and customer support tooling.

limit.md imposes data protection obligations on each Sub-processor that are no less protective than those set out in this DPA and remains liable for the acts and omissions of its Sub-processors. limit.md maintains an up-to-date list of Sub-processors and will give you at least thirty (30) days' prior notice of any intended addition or replacement of a Sub-processor, giving you the opportunity to object on reasonable data protection grounds. To request the current Sub-processor list or to register an objection, contact privacy@limit.md.

8. International data transfers

limit.md primarily Processes and stores Customer Personal Data in the United States. Where the provision of the Services involves a transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, such transfer will be governed by the Standard Contractual Clauses, which are hereby incorporated into this DPA by reference and completed with the information set out in this DPA and its Annex.

For transfers subject to the UK GDPR, the UK International Data Transfer Addendum applies. limit.md will implement supplementary measures where necessary to ensure a level of protection essentially equivalent to that guaranteed within the EEA.

9. Data subject rights assistance

Taking into account the nature of the Processing, limit.md will provide reasonable assistance through appropriate technical and organizational measures to help you respond to requests from Data Subjects exercising their rights of access, rectification, erasure, restriction, portability, and objection under the Data Protection Laws. If limit.md receives a request directly from a Data Subject relating to Customer Personal Data, it will, unless legally required to act, promptly forward the request to you and will not respond except on your documented instructions.

10. Personal Data Breach notification

limit.md will notify you without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notice will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and mitigate its effects. limit.md will cooperate with you and take reasonable steps to assist in your investigation, mitigation, and remediation of the breach.

11. Audit rights

limit.md will make available to you the information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an independent auditor mandated by you. To minimize disruption, limit.md may satisfy audit requests by providing its PCI-DSS attestation of compliance, its SOC 2 Type II report once the audit (in progress) is complete, and responses to a reasonable data protection questionnaire. Where these are insufficient to address a specific, documented compliance concern, the parties will agree on the timing, scope, and conduct of an on-site audit, no more than once per year (absent a Personal Data Breach or regulatory requirement), conducted on reasonable prior notice and subject to confidentiality obligations.

12. Return and deletion of data

Upon termination or expiry of the Agreement, limit.md will, at your choice, delete or return all Customer Personal Data and delete existing copies, unless applicable law — including financial recordkeeping, anti-money-laundering, and card network rule requirements — requires continued retention. Where data must be retained, limit.md will retain it only for the period and purpose required by law and will protect it in accordance with this DPA. You may export your data through the Services during the applicable retention window described in our Privacy Policy.

13. Liability and contact

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together. Nothing in this DPA limits any liability that cannot be limited under the Data Protection Laws.

For any questions about this DPA, to exercise data protection rights, or to contact our privacy team, email privacy@limit.md or hello@limit.md, or write to limit.md, Inc., San Jose, California, USA.

Annex — Details of Processing

Categories of Data Subjects

• Your authorized administrators, developers, and other personnel who use the Services.
• Cardholders and account owners on whose behalf virtual cards are issued.
• Individuals associated with merchants and counterparties involved in transactions processed through the Services.

Categories of Personal Data

• Identification and contact data, such as name, email address, and account identifiers.
• Authentication data, such as hashed credentials, API key identifiers, and session information.
• Card and transaction data, such as tokenized card references, transaction amount, currency, merchant, timestamp, spend-policy decision, and authorization status.
• Technical and usage data, such as IP address, device and browser information, and audit logs of agent activity and policy decisions.

The Services are not intended for the Processing of special categories of Personal Data. You agree not to provide such data to limit.md for Processing under this DPA.

Nature and purpose of Processing

Provision of the limit.md Services, including issuing and managing virtual cards for AI agents, evaluating transactions against your configured spend limits and policies, authorizing or declining transactions at the network level, maintaining audit logs, and providing related security, support, and reporting functions.

Duration of Processing

For the duration of the Agreement, plus any period during which limit.md is required to retain Customer Personal Data under applicable law or card network rules, after which the data is deleted or returned in accordance with Section 12.