Epps.ai — Data Processing Agreement

◆ Legal Documentation · Institutional Clients

Data Processing
Agreement

Document Type: Data Processing Agreement (DPA)
Version: 1.0 — Working Draft
Date: May 23, 2026
Data Processor: Olesya Epps, doing business as Epps.ai
Governing Framework: GDPR Article 28 · CCPA · California Privacy Rights Act (CPRA)
Status: Working draft — subject to legal review and mutual execution

◆ WORKING DRAFT — This DPA is a working draft prepared for transparency and readiness purposes. It reflects Epps.ai's current data architecture and commitments. It has not been reviewed by legal counsel and is not yet in effect. A lawyer-reviewed, mutually executed DPA will be provided prior to any paid enterprise engagement. Client-specific terms may be negotiated.

Parties

Agreement Between

Data Controller (Client)

Organization Name

Authorized Signatory Name & Title

Date of Execution

Data Processor (Epps.ai)

Olesya Epps · Founder & CEO · Epps.ai

olesya@epps.ai · (415) 466-5255

Date of Execution

This Data Processing Agreement ("DPA") is entered into between the organization identified above as Data Controller ("Client" or "Controller") and Olesya Epps, doing business as Epps.ai ("Processor"), and forms part of the Services Agreement or engagement letter between the parties (the "Principal Agreement"). In the event of conflict between this DPA and the Principal Agreement, this DPA shall govern with respect to data processing matters.

Article 1

Definitions

For purposes of this DPA:

"Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Services
"Client Data" means all data, including Personal Data, inputted into the Epps.ai platform by or on behalf of the Client, including deal data, financial models, LP information, and organizational data
"Processing" means any operation performed on Client Data, including collection, storage, use, transmission, or deletion
"Sub-processor" means any third party engaged by Epps.ai to process Client Data on Epps.ai's behalf
"Applicable Data Protection Law" means GDPR (where applicable), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and any other applicable privacy laws
"Services" means the AI-powered real estate analysis, reporting, and workflow automation tools provided by Epps.ai

Article 2

Scope & Nature of Processing

◆ Processing Details

Category	Detail
Subject matter	AI-assisted real estate analysis, financial modeling, LP reporting, and workflow automation
Duration	For the term of the Principal Agreement, plus any retention period specified herein
Nature of processing	Session-scoped AI inference, report generation, data parsing, and output formatting
Purpose of processing	Delivery of advisory Services as specified in the Principal Agreement
Categories of data	Deal financial data, LP investor information, organizational data, contact information
Categories of data subjects	Client employees, LP investors (where LP data is inputted), deal counterparties

◆ Zero Persistence by Design: Epps.ai's core architecture is designed to minimize data processing. Tool inputs are processed within the browser session and are not written to Epps.ai's servers. The primary data processing event is the transmission of prompts to Anthropic's API for AI inference — a session-scoped operation with no data retention.

Article 3

Processor Obligations

Epps.ai, as Data Processor, agrees to:

Process Client Data only on documented instructions from the Controller, including those set out in the Principal Agreement and this DPA
Ensure that authorized personnel processing Client Data are bound by appropriate confidentiality obligations
Implement and maintain appropriate technical and organizational security measures as set out in Article 6
Not engage new Sub-processors without prior written consent of the Controller, except as set out in Article 7
Assist the Controller in responding to data subject requests under Applicable Data Protection Law
Delete or return all Client Data upon termination of the Principal Agreement, at the Controller's election
Provide all information reasonably necessary to demonstrate compliance with this DPA
Notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data breach

No model training: Epps.ai expressly agrees that Client Data will not be used to train, fine-tune, evaluate, or improve any AI or machine learning model, whether operated by Epps.ai or any Sub-processor. This obligation survives termination of the Principal Agreement.

Article 4

Controller Obligations

The Controller agrees to:

Ensure it has a lawful basis for processing Personal Data before providing it to Epps.ai
Provide accurate and complete instructions for processing activities
Ensure that data subjects have been appropriately informed of processing activities where required by Applicable Data Protection Law
Not input into Epps.ai's tools data that is prohibited from transfer to third parties under applicable law or contractual obligation, without first obtaining appropriate consent or authorization

Article 5

US Data Residency & International Transfers

◆ US Data Residency Commitment: Epps.ai commits that all processing of Client Data, including AI inference via Anthropic's API, is performed on infrastructure located within the United States of America. Epps.ai does not route Client Data through servers located outside the United States.

Specifically:

Anthropic API: AI inference is performed via Anthropic's API, which processes data on US-based infrastructure. Anthropic does not transfer data outside the United States for standard API usage
Netlify: Platform hosting and form processing is performed on Netlify's US-based infrastructure
Browser-native processing: Excel and CSV file parsing occurs locally within the Controller's browser environment and is not transmitted to any server
No international sub-processors: Epps.ai does not currently engage sub-processors with non-US data processing locations

In the event Epps.ai engages a sub-processor that processes data outside the United States, Epps.ai will notify the Controller in writing at least 30 days in advance and provide appropriate safeguards (such as Standard Contractual Clauses) prior to any such transfer.

Article 6

Technical & Organizational Security Measures

Epps.ai implements the following security measures:

◆ Security Measures — Current Implementation

Measure	Implementation
Encryption in transit	TLS 1.2+ for all data transmitted between browser and Epps.ai infrastructure, and between Epps.ai and Anthropic API
Encryption at rest	No server-side storage of Client Data in current architecture. Contact form data stored by Netlify with standard encryption
Access control	Platform access restricted via password protection. Per-client credentials issued. Role-based access controls in development
Data minimization	Session-scoped processing — no Client Data retained after session end. Browser-native file parsing eliminates server upload
AI data isolation	Each session is independent. No cross-session or cross-client data exposure at AI inference level
Incident response	Controller notified within 72 hours of confirmed breach. Incident log maintained
Personnel	Processing limited to authorized personnel bound by confidentiality obligations
Sub-processor oversight	Sub-processors subject to equivalent data protection obligations

Article 7

Sub-Processors

The Controller hereby grants general written authorization for Epps.ai to engage the following Sub-processors as of the date of this DPA:

◆ Authorized Sub-Processors

Sub-processor	Purpose	Location
Anthropic, Inc.	AI inference and language model processing for tool outputs	United States
Netlify, Inc.	Platform hosting, CDN, and form submission processing	United States

Epps.ai will notify the Controller at least 30 days before engaging any new or replacement Sub-processor. The Controller may object to such changes in writing within 14 days of notification.

Article 8

Data Subject Rights & Cooperation

Epps.ai will, taking into account the nature of processing, assist the Controller by implementing appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to data subject requests, including requests for access, correction, deletion, portability, and objection.

Given that Epps.ai's zero-persistence architecture means the vast majority of Client Data inputs are not retained by Epps.ai after session end, most data subject deletion and access requests will be addressed by the Controller's own systems rather than through Epps.ai's infrastructure. For contact form data retained by Netlify, Epps.ai will cooperate with Controller to fulfill deletion requests within 30 days.

Article 9

Term, Termination & Data Return

This DPA is effective from the date of execution and remains in force for the duration of the Principal Agreement.

Upon termination or expiration of the Principal Agreement, Epps.ai will, at the Controller's election within 30 days of termination: (a) return all Client Data in a structured, machine-readable format; or (b) securely delete all Client Data in Epps.ai's possession. Given the zero-persistence architecture, the primary retention concern is contact form data, which will be deleted from Netlify's system upon written request.

Epps.ai may retain Client Data to the extent required by applicable law, provided it notifies the Controller of such retention requirement and limits processing to the minimum necessary.

Article 10

Governing Law & Liability

This DPA is governed by the laws of the State of California, consistent with the Principal Agreement. Any disputes arising under this DPA shall be resolved through the dispute resolution mechanism specified in the Principal Agreement.

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Principal Agreement, except that neither party limits its liability for: (a) breach of its data protection obligations under Applicable Data Protection Law; or (b) gross negligence or willful misconduct.

For questions regarding this DPA, contact: olesya@epps.ai · (415) 466-5255

Execution

Signatures

By signing below, the parties agree to be bound by the terms of this Data Processing Agreement.

Data Controller (Client)

Signature

Printed Name & Title

Organization

Date

Data Processor (Epps.ai)

Signature · Olesya Epps

Founder & CEO · Epps.ai

olesya@epps.ai

Date