Data Processing Agreement

Catalystium, Inc. — Rhenari Platform

United States and Canada · Exhibit to the Master Subscription Agreement
Effective date: July 1, 2026
Last updated: July 1, 2026

This Data Processing Agreement (the “DPA”) is entered into between Catalystium, Inc., a Delaware corporation (“Catalystium”), and the Customer identified in the Master Subscription Agreement (“Customer”). This DPA is an exhibit to, and forms part of, the Master Subscription Agreement between the Parties (the “Agreement”). It governs Catalystium's Processing of Personal Data contained in Customer Data in connection with the Service. Capitalized terms not defined here have the meanings given in the Agreement.

1. Definitions

Applicable Data Protection Laws means all privacy and data-protection laws applicable to the Processing of Personal Data under this DPA, including, in the United States, the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”) and other applicable U.S. state privacy laws, and, in Canada, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Quebec's Act respecting the protection of personal information in the private sector (“Law 25”).

Personal Data means information within Customer Data that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular individual, and that is Processed by Catalystium on behalf of Customer.

Sensitive Data means Personal Data that Applicable Data Protection Laws designate as sensitive or as requiring heightened protection.

Processing (and “Process”) means any operation performed on Personal Data, whether or not by automated means, including collection, use, storage, disclosure, and deletion.

Controller means the entity that determines the purposes and means of Processing Personal Data; references to “Controller” include a “business” under the CCPA and analogous roles under other Applicable Data Protection Laws.

Processor means the entity that Processes Personal Data on behalf of the Controller; references to “Processor” include a “service provider” under the CCPA and analogous roles under other Applicable Data Protection Laws.

Subprocessor means a third party engaged by Catalystium to Process Personal Data on Catalystium's behalf in connection with the Service.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed under this DPA.

Data Subject means the identified or identifiable individual to whom Personal Data relates, including a “consumer” under the CCPA and analogous terms under other Applicable Data Protection Laws.

De-Identified Data means data derived from Customer Data or the operation of the Service that has been processed to remove or obscure identifiers such that it cannot reasonably be used, alone or in combination with other information reasonably available to Catalystium, to identify a natural person.

2. Roles, Scope, and Instructions

2.1 Roles.

As between the Parties, Customer is the Controller of the Personal Data, and Catalystium acts as Processor. Where Customer is itself acting as a processor on behalf of a third-party controller, Customer warrants it has the authority and instructions necessary for Catalystium to Process the Personal Data under this DPA.

2.2 Processing on Documented Instructions.

Catalystium will Process Personal Data only on Customer's documented instructions, which consist of the Agreement, this DPA, the Order Form, the configuration choices Customer makes in the Service (including which data sources and channels are enabled), and any further written instructions Customer gives that the Parties agree to, except where Processing is required by law (in which case Catalystium will, where legally permitted, inform Customer of that requirement before Processing).

2.3 Details of Processing.

The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1.

2.4 Customer Responsibilities.

Customer is responsible for the lawfulness of its instructions and of the Personal Data it provides or enables for Processing. Because the Service Processes data relating to Customer's personnel, Customer represents and warrants that it has provided all required notices to, and obtained all required consents and authorizations from, its personnel, and has established a lawful basis for the Processing, as further set out in the Agreement. Customer, and not Catalystium, determines whether any Personal Data constitutes Sensitive Data and instructs the Processing accordingly.

3. Catalystium Obligations as Processor

3.1 Confidentiality.

Catalystium will ensure that personnel authorized to Process Personal Data are bound by appropriate obligations of confidentiality and Process Personal Data only as necessary to provide and support the Service.

3.2 Security.

Catalystium will implement and maintain the technical and organizational measures described in Annex 2, designed to protect Personal Data against a Personal Data Breach, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.

3.3 Subprocessors.

Customer authorizes Catalystium to engage the Subprocessors listed in Annex 3, and to engage additional Subprocessors subject to this Section. Catalystium will impose on each Subprocessor data-protection obligations no less protective than those in this DPA, and will remain responsible for each Subprocessor's performance. Catalystium will give Customer at least thirty (30) days' prior notice of any intended addition or replacement of a Subprocessor by updating Annex 3 and the published Subprocessor List at rhenari.com/trust/subprocessors and notifying Customer by email to the Customer's account administrator. If Customer reasonably objects on data-protection grounds, the Parties will work in good faith to resolve the objection; if they cannot, Customer may terminate the affected portion of the Service as its exclusive remedy.

3.4 Data Subject Requests.

Taking into account the nature of the Processing, Catalystium will provide reasonable assistance, by appropriate technical and organizational measures and insofar as possible, to enable Customer to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws. If Catalystium receives such a request directly, it will, unless legally prohibited, promptly inform the Data Subject to direct the request to Customer and notify Customer. Customer acknowledges that, because the Service pseudonymizes individual identifiers, surfaces only aggregated Outputs, and does not retain underlying content, Catalystium's ability to locate data relating to a specific individual may be limited.

3.5 Assistance.

Taking into account the nature of Processing and the information available to Catalystium, Catalystium will provide reasonable assistance to Customer with its obligations regarding security of Processing, Personal Data Breach notification, and data-protection impact assessments or analogous assessments required by Applicable Data Protection Laws.

3.6 Personal Data Breach.

Catalystium will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of and confirming a Personal Data Breach affecting Customer's Personal Data. The notice will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed. Notification is not an acknowledgment of fault or liability.

3.7 Return and Deletion.

Upon expiration or termination of the Agreement, Catalystium will, at Customer's election and on request, make Customer Data available for export and then delete Personal Data in its possession, in accordance with the Agreement and Catalystium's retention practices. This obligation does not require deletion of (a) De-Identified Data, which Catalystium may retain and use as permitted by Section 7; (b) data Catalystium is required to retain by law; or (c) data in routine backups, which are overwritten or deleted in the ordinary course.

3.8 Records and Audit.

Catalystium will maintain records of its Processing sufficient to demonstrate compliance with this DPA and will make available to Customer information reasonably necessary to demonstrate that compliance. No more than once per twelve (12) months (or following a Personal Data Breach, or where required by a regulator), Customer may request an audit, which may be satisfied by Catalystium's then-current third-party audit reports, security certifications, or completed security questionnaires. Any on-site audit will be at Customer's expense, on reasonable prior notice, during business hours, subject to confidentiality, and conducted so as not to disrupt Catalystium's operations or compromise other customers' data.

4. CCPA / CPRA Service Provider Terms

This Section applies to Personal Data subject to the CCPA. Catalystium is a “service provider” and Processes Personal Data only on Customer's behalf for the business purposes set out in the Agreement and Annex 1. Catalystium will not:

  • sell or share Personal Data, as those terms are defined in the CCPA;
  • retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA, including outside the direct business relationship between the Parties;
  • combine Personal Data received from or on behalf of Customer with personal information Catalystium receives from or on behalf of others, or collects from its own interactions, except as permitted by the CCPA to perform a business purpose.

Catalystium certifies that it understands and will comply with the restrictions in this Section. Catalystium will notify Customer if it determines it can no longer meet its obligations under the CCPA. Customer may, on notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data. Catalystium will assist Customer in responding to verifiable consumer requests as set out in Section 3.4. Nothing in this Section restricts Catalystium's creation and use of De-Identified Data as permitted by Section 7 and the CCPA.

5. Other U.S. State Privacy Laws

To the extent other U.S. state privacy laws apply, Catalystium will Process Personal Data as a Processor in accordance with the obligations such laws impose on processors, including adhering to Customer's instructions; assisting Customer with Data Subject requests, security, and breach notification; maintaining confidentiality; engaging Subprocessors under written terms; and making available information necessary to demonstrate compliance. The obligations in Sections 3 and 4 are intended to satisfy these requirements; where a specific state law requires additional processor terms, those terms are incorporated by reference to the extent applicable.

6. Canada — PIPEDA and Quebec Law 25

6.1 Comparable Protection.

Where Personal Data is subject to PIPEDA or Quebec Law 25, Catalystium will provide protection comparable to that required of an organization transferring personal information to a third party for processing, including the security measures in Annex 2 and the confidentiality obligations in this DPA.

6.2 Confidentiality Incidents (Quebec).

Where Law 25 applies, Catalystium will assist Customer with its obligations regarding confidentiality incidents, including by notifying Customer of a confidentiality incident as set out in Section 3.6 so that Customer can assess risk of serious injury and meet any reporting obligations.

6.3 Transparency.

Catalystium will provide Customer, on reasonable request, information about the locations where Personal Data is Processed and the Subprocessors engaged, to support Customer's transparency obligations.

7. De-Identified and Derived Data

7.1 License Grant.

This Section mirrors and operationalizes the De-Identified and Derived Data license in the Agreement. Catalystium may create, retain, and use De-Identified Data derived from Customer Data and from the operation of the Service to (a) operate, maintain, secure, and improve the Service, and (b) conduct and publish research into organizational dynamics and cognitive sustainability in knowledge work, including the development and training of predictive models and algorithms. With respect to De-Identified Data, Catalystium will:

  • take reasonable measures to ensure the data cannot be associated with, or reasonably linked to, an identified or identifiable individual;
  • publicly commit to maintain and use the data in De-Identified form and not attempt to re-identify any individual, except where permitted to test the effectiveness of de-identification;
  • contractually obligate any recipient of De-Identified Data to comply with equivalent commitments; and
  • not disclose any individual's data to that individual's employer.

This license survives expiration or termination of the Agreement. Catalystium will not sell Customer Data.

7.2 Source-Specific Restrictions.

Catalystium's rights under Section 7.1 are subject to the terms of the third-party platforms from which Customer Data originates. Where a connected source is governed by platform terms that restrict the use of data obtained from it, Catalystium will use data from that source only as those terms permit. In particular, with respect to Customer Data obtained through the Google Workspace APIs, and any data aggregated, anonymized, or derived from it: (a) Catalystium may use such data to provide, operate, secure, and maintain the Service, and to personalize and improve the Service for Customer's own organization; and (b) Catalystium will not use, retain, or transfer such data to create, train, or improve any generalized or non-personalized machine-learning or artificial-intelligence model, or any model, baseline, or parameter applied for the benefit of other customers, consistent with the Google API Services User Data Policy, including its Limited Use requirements. This restriction applies notwithstanding de-identification of the data.

8. Employee Data Acknowledgment

The Parties acknowledge that the Service Processes data relating to Customer's personnel. Customer is responsible, as Controller, for establishing the lawful basis for such Processing, for providing notices to and, where required, obtaining consents from its personnel, and for any works-council, employee-representative, or other approvals required under applicable employment or labor law. Catalystium's role is limited to Processing on Customer's documented instructions as set out in this DPA, and Catalystium does not surface individual-level behavioral data to Customer's executives or managers.

9. International Data Transfers [Reserved]

This DPA covers Processing for Customers and Data Subjects in the United States and Canada. Transfers of Personal Data subject to the laws of the European Economic Area, the United Kingdom, or Switzerland are out of scope of this version. If and when such Processing is in scope, the Parties will enter into an addendum incorporating the applicable transfer mechanisms (for example, the EU Standard Contractual Clauses and the UK International Data Transfer Addendum) and any additional terms required by those laws.

10. General

10.1 Order of Precedence.

In the event of a conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA controls. In all other respects the Agreement remains in full force.

10.2 Liability.

Each Party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.

10.3 Term.

This DPA takes effect on the effective date of the Agreement and continues until Catalystium has ceased all Processing of Personal Data under the Agreement and completed any return or deletion obligations, except for provisions that by their nature survive (including Section 7).

10.4 Governing Law.

This DPA is governed by the law stated in the Agreement (the State of Delaware), except where Applicable Data Protection Laws require otherwise.

Annex 1 — Details of Processing

Subject matter: Provision of the Rhenari decision-intelligence Service to Customer.

Duration: For the Subscription Term and any wind-down, return, or deletion period, except for De-Identified Data as permitted by Section 7.

Nature and purpose: Analysis of behavioral metadata and, where enabled by Customer, communication content from Customer's connected business systems to produce aggregated, team- and department-level scores (including Momentum and Confidence), insights, and alerts. Where content analysis is enabled, content is processed transiently in memory to produce structured outputs and is then discarded; only structured outputs are retained.

Categories of Data Subjects: Customer's personnel (employees, contractors, and similar individuals) whose activity occurs within the data sources Customer enables, and individuals identified within those sources.

Categories of Personal Data: As configured by Customer, which may include:

  • Identifiers and identity-mapping data (e.g., user/account identifiers, organizational role and department, drawn from the directory used as an org-graph seed);
  • Communication and collaboration metadata (e.g., message counts and timestamps, thread length, response patterns, meeting attendance and duration, recurrence);
  • Work-item and execution metadata (e.g., issue states, transitions, assignees, cycle-time data) from enabled engineering and project sources;
  • Where Customer enables content analysis: the content of messages and items in enabled channels and sources, processed transiently and not stored.

Sensitive Data: Not intended. Customer is responsible for determining whether any enabled source contains Sensitive Data and for instructing the Processing accordingly.

Frequency: Continuous/recurring for the duration of the Subscription Term, on the Service's scheduled processing cycles.

Processing locations: United States. The Service is hosted in primary and disaster-recovery regions within the United States. Region-specific residency commitments are governed contractually.

Annex 2 — Technical and Organizational Security Measures

Catalystium maintains the following measures. These measures may be updated as the Service evolves, provided protection is not materially reduced.

Access control and identity

  • Single sign-on through the customer's own enterprise identity provider (for example, Microsoft Entra ID or Google Workspace) for user authentication; internal service-to-service authentication between platform components.
  • Role-based access control with a defined role model; access scoped by tenant and by department.
  • Strict tenant isolation: records and queries are scoped to a single tenant; analytical processing runs receive explicit tenant and department context; no cross-tenant data in a single processing operation.
  • Restricted, audited production data access for Catalystium personnel; time-bound “break-glass” access requiring justification and producing an audit trail.

Encryption and secret management

  • Encryption in transit using TLS 1.2 or higher across application, integration, and bot traffic; encryption of data at rest.
  • Integration secrets stored in a managed key vault, segregated from analytics datasets.

Data minimization and privacy architecture

  • Pseudonymization of individual identifiers before use in persistent analytics datasets wherever live identifiers are not required.
  • Ephemeral content processing: enabled content is processed in memory to produce structured outputs and then discarded; underlying content is not written to persistent storage.
  • Aggregation guardrails: outputs suppressed below a configurable minimum group size (default three); no individual-level behavioral analytics surfaced through dashboards or APIs; noise or differential-privacy controls applied where contractually or operationally required.
  • Content access logging: every content-access event is logged (tenant, channel, item reference, timestamp, consent mode, requesting function, and output) and available to Customer administrators on request.
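The three measures above (pseudonymization before persistence, suppression below a minimum group size of three, and a content-access log record with the listed fields) as an added Python illustration; this is not Catalystium's code, and the tenant id, identifiers, message counts and pseudonymization key are constructed for the example.

```python
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: per-user weekly message counts keyed by live identifiers.
# Tenant, departments and addresses are made up for this example.
TENANT = "tenant-example-001"
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "dept": "engineering", "messages": 42},
    {"user": "bob@example.com", "dept": "engineering", "messages": 17},
    {"user": "carol@example.com", "dept": "engineering", "messages": 29},
    {"user": "dave@example.com", "dept": "finance", "messages": 8},
    {"user": "erin@example.com", "dept": "finance", "messages": 11},
]
# Hypothetical per-tenant key; in practice it would live in the managed key
# vault, segregated from the analytics datasets (Annex 2), not in code.
PSEUDONYM_KEY = b"constructed-per-tenant-secret"
MIN_GROUP_SIZE = 3  # default aggregation guardrail stated in Annex 2


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash so the persistent dataset carries no live identifier.
    HMAC rather than a bare hash: without the key, a pseudonym cannot be
    re-derived by hashing a guessed e-mail address."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_events(events):
    """Replace live identifiers before anything is written to analytics."""
    return [{**e, "user": pseudonymize(e["user"])} for e in events]


def aggregate_by_department(events, min_group_size: int = MIN_GROUP_SIZE):
    """Department-level totals; a group smaller than min_group_size is
    suppressed so no output can be attributed to one or two individuals."""
    groups = defaultdict(list)
    for e in events:
        groups[e["dept"]].append(e["messages"])
    result = {}
    for dept, counts in sorted(groups.items()):
        if len(counts) < min_group_size:
            result[dept] = {"suppressed": True,
                            "reason": f"group size {len(counts)} < {min_group_size}"}
        else:
            result[dept] = {"members": len(counts),
                            "avg_messages": round(sum(counts) / len(counts), 1)}
    return result


def content_access_record(channel, item_ref, consent_mode, requesting_function, output):
    """One content-access log entry with the fields Annex 2 lists. Only the
    structured output is recorded; the content itself is never written."""
    return {
        "tenant": TENANT,
        "channel": channel,
        "item_reference": item_ref,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "consent_mode": consent_mode,
        "requesting_function": requesting_function,
        "output": output,
    }


if __name__ == "__main__":
    report = aggregate_by_department(pseudonymize_events(SAMPLE_EVENTS))
    print(json.dumps(report, indent=2))
    print(json.dumps(content_access_record("#general", "msg-0001", "content-enabled",
                                           "aggregate_by_department", report), indent=2))
```

With the sample data, engineering (three members) is reported and finance (two members) is suppressed.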

Network and application security

  • Defined SaaS network boundary with private connectivity for platform-internal access, a web application firewall, approved-origin controls, and tenant-aware API rate limiting.
  • Strict schema validation of configuration, workflow, and trigger payloads.

Monitoring, resilience, and incident response

  • Centralized monitoring, diagnostics, and audit logging of authentication, configuration, secret access, and administrative actions.
  • Backup and recovery controls; multi-region resilience with a primary and disaster-recovery region.
  • A defined incident-response process with severity levels, escalation timelines, and customer-notification procedures.

Governance

  • Security-awareness and role-based operational controls for personnel; change-management and rollback controls for platform deployments.

Annex 3 — Approved Subprocessors

Catalystium engages the following Subprocessors to provide the Service. The Service uses a dual-cloud architecture, split by marketplace. Catalystium will update this list and notify Customer of changes as set out in Section 3.3. This Annex is kept consistent in substance with the standalone Subprocessor List published at rhenari.com/trust/subprocessors.

Subprocessor: Microsoft Corporation
Service provided: Cloud infrastructure and platform hosting on Microsoft Azure — compute, storage, databases, key management, and analytics services (including Microsoft Fabric). AI model inference for the Service runs within the Azure environment (Azure OpenAI / Microsoft Foundry models) and does not leave the Azure boundary. Product notifications are delivered through Microsoft Teams and Microsoft Graph. Platform observability uses Azure Monitor, Application Insights, and Log Analytics.
Processing location: United States

Subprocessor: Google LLC (Google Cloud)
Service provided: Cloud infrastructure for the Google-marketplace data plane on Google Cloud — managed databases (Cloud SQL for PostgreSQL and SQL Server), Secret Manager, key management (Cloud KMS), messaging (Pub/Sub), and monitoring and logging (Cloud Monitoring and Cloud Logging). Secure cloud-to-cloud connectivity uses Cross-Cloud Interconnect.
Processing location: United States