
Data Processing Addendum

Standard processor terms under GDPR Article 28. This page reproduces our DPA template for review; a signed copy is available on request.

Template version: 16 May 2026

Request a signed copy

Email marcus@getsortio.com with your legal entity name, registered address, and the Sortio account email. We countersign within 5 business days.

1. Definitions

"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Special Categories" have the meanings given in Regulation (EU) 2016/679, the General Data Protection Regulation ("GDPR"). "UK GDPR" means the GDPR as retained in UK law. "Customer" means the entity entering into a subscription agreement with CMG Labs LLC ("Sortio", "us", "we"). "Customer Data" means Personal Data that Customer provides to Sortio for Processing.

2. Scope and roles

Customer is the Controller of Customer Data. Sortio is the Processor and Processes Customer Data only on documented instructions from Customer, which are reflected in the Sortio subscription agreement, this DPA, and Customer's use of the product features.

3. Processor obligations

  • Process Customer Data only on documented instructions from Customer.
  • Ensure that personnel authorized to Process Customer Data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (see Annex 1).
  • Assist Customer with Data Subject requests, data protection impact assessments, and consultations with supervisory authorities.
  • At Customer's choice, delete or return Customer Data after the end of the provision of services, except where retention is required by law.
  • Make available all information necessary to demonstrate compliance with Article 28 GDPR.

4. Sub-processing

Customer authorizes Sortio to engage the sub-processors listed on our public Sub-processors page. Sortio gives Customer at least 30 days' notice of any new or replacement sub-processor through the Sub-processors page or by email. Customer may object on reasonable data protection grounds; if a resolution cannot be reached, Customer may terminate the affected service for the remainder of the term and receive a pro-rata refund of prepaid fees. Sortio imposes data protection obligations on each sub-processor that are no less protective than those in this DPA.

5. International transfers

Customer Data is Processed in the United States and, where indicated on the Sub-processors page, in other regions. For transfers of Personal Data of EEA, Swiss, or UK Data Subjects to the United States, the parties incorporate the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller-to-Processor), with the optional docking clause and the option for the importer to be subject to GDPR. The UK International Data Transfer Addendum applies where the UK GDPR governs. Where a sub-processor self-certifies under the EU-US Data Privacy Framework or its UK / Swiss extensions, that mechanism applies in addition to the SCCs.

Sortio has carried out a transfer impact assessment and applies the supplementary measures described in Annex 1 to mitigate risks identified in Schrems II.

6. Security

Sortio implements the technical and organizational measures described in Annex 1, including encryption in transit (TLS 1.2 or higher), encryption at rest (default disk-level encryption on managed providers including Neon Postgres and Google Cloud Storage), role-based access controls with least-privilege defaults, audit logging on production systems, secret rotation, and code-signed release artifacts for the desktop application.

7. Cooperation with Data Subjects and authorities

Sortio assists Customer in responding to Data Subject requests under Articles 12 to 22 of the GDPR. Where a Data Subject contacts Sortio directly with a request relating to Customer Data, Sortio forwards the request to Customer and does not respond substantively without Customer's instruction, except as required by law. Sortio cooperates with reasonable requests from competent supervisory authorities.

8. Personal data breach notification

Sortio notifies Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Data, providing the information required by Article 33(3) GDPR to the extent then known and updating Customer as further information becomes available. Notifications do not constitute an admission of fault or liability.

9. Audit rights

Once per year, on at least 30 days' written notice and during business hours, Customer (or a mutually agreed independent third-party auditor bound by confidentiality) may audit Sortio's compliance with this DPA. To minimize disruption, Sortio may satisfy audit requests by providing recent third-party audit reports (such as the SOC 2 report once Sortio's planned 2026 audit completes), a completed Consensus Assessments Initiative Questionnaire (CAIQ), or a documented response to a written audit questionnaire.

10. Termination and deletion

On termination of the subscription agreement, and on Customer's request, Sortio deletes or returns all Customer Data within 30 days, except for backups and audit logs subject to standard retention windows. Where retention is required by law (for example, tax records), Sortio continues to apply the technical and organizational measures of this DPA to retained data until deletion.

11. Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the subscription agreement. Nothing in this DPA limits any liability that cannot be limited under applicable law (including direct liability of either party to Data Subjects under Article 82 GDPR).

12. General

In the event of a conflict between this DPA and the subscription agreement, this DPA prevails to the extent the conflict concerns the Processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.

Annex 1: Technical and organizational measures (summary)

  • Encryption in transit using TLS 1.2 or higher between client and server, and between Sortio and all sub-processors.
  • Encryption at rest on managed data stores (Neon Postgres, Google Cloud Storage buckets, and Cloud SQL).
  • Role-based access control with least-privilege defaults; production access limited to a small named list and reviewed at least quarterly.
  • Audit logging on production systems; secret rotation through Google Secret Manager.
  • Code-signed release artifacts for the desktop application.
  • Vulnerability scanning on first-party code and dependency upgrades on a regular cadence.
  • Documented incident response process and breach notification path.
  • Annual review of the supplementary measures described above in light of evolving Schrems II guidance.

Annex 2: Categories of data and Data Subjects

  • Data Subjects: Customer's employees, contractors, and any individuals whose Personal Data appears in files or filenames that Customer chooses to Process through Sortio.
  • Categories of Personal Data: identifiers (name, email, account identifiers), commercial information, electronic network activity, content of files (only if Customer enables content-sorting features).
  • Special categories: Sortio is not designed to Process special categories of data (GDPR Article 9) or data subject to HIPAA, FERPA, ITAR, or PCI DSS. Customer must not submit such data unless the parties agree separately in writing.
  • Frequency: Continuous, for the duration of the subscription.
  • Nature of Processing: Storage, organization, classification, transmission to LLM sub-processors for inference, retrieval.

This page reproduces our DPA template. Where Customer and Sortio sign a separate DPA, the signed version governs.
