Last update: Feb 19, 2026

Data protection addendum

This Data Processing Addendum ("Addendum") between Oculon AI Inc. ("Oculon") and the Customer (as defined in the Agreement) forms part of the Oculon Terms of Service or such other written or electronic agreement incorporating this Addendum, in each case governing Customer's access to and use of the Services (the "Agreement"). This Addendum was last updated in February 2026.

Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with Oculon. For the purposes of this Addendum only, and except where otherwise indicated, references to "Customer" shall include Customer and such Affiliates.

The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.

1. DEFINITIONS

In this Addendum, the following terms shall have the meanings set out below:

"Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either Customer or Oculon, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

"Customer Personal Data" means any Personal Data provided by or made available by Customer to Oculon or collected by Oculon on behalf of Customer which is Processed by Oculon to perform the Services;

"Data Protection Laws" means any applicable federal, state, or local law regarding the processing of Personal Data, including without limitation the California Consumer Privacy Act ("CCPA"), the California Privacy Rights Act ("CPRA"), and any other applicable privacy, security, and data protection laws;

"Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household;

"Process" or "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, use, storage, disclosure, analysis, deletion, or modification of Personal Data;

"Security Incident" means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by Oculon;

"Services" means the FP&A platform services and related services to be supplied by Oculon to Customer pursuant to the Agreement;

"Subprocessor" means any third-party service provider engaged by Oculon to Process Customer Personal Data in connection with the Services.

The terms "Business", "Business Purpose", "Commercial Purpose", "Contractor", "Controller", "Data Subject", "Personal Data Breach", "Processor", "Service Provider", "Sell", and "Share" have the same meanings as described in applicable Data Protection Laws.

Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Agreement.

2. SCOPE OF ADDENDUM

This Addendum applies to Oculon's Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This Addendum is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.

3. ROLES OF THE PARTIES

The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer acts as a Business or Controller, and Oculon acts as a Service Provider or Processor. This Addendum shall apply solely to the Processing of Customer Personal Data by Oculon acting as a Processor or Service Provider.

Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals, or others relating to any Security Incidents.

4. DATA PROCESSING TERMS

4.1 Customer Obligations

Customer shall:

(a) Comply with all applicable Data Protection Laws in connection with the performance of this Addendum and the Processing of Customer Personal Data;

(b) Process Customer Personal Data within the Services and provide Oculon with instructions in accordance with applicable Data Protection Laws;

(c) Be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Oculon of Customer Personal Data;

(d) Not provide Oculon with any sensitive personal data, including data concerning health, religion, or any special categories of data, unless specifically agreed in writing.

4.2 Oculon Obligations

Oculon shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and shall:

(a) Process Only on Instructions

Process Customer Personal Data only for the purposes of the Agreement, on the documented instructions of Customer, and for the specific purposes set out in Annex 1 to this Addendum. The Agreement, this Addendum, and Customer's use of the Services' features and functionality constitute Customer's written instructions to Oculon. Oculon shall:

  • Use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of Customer and for the specific Business Purpose of providing the Services;

  • Not Sell or Share Customer Personal Data;

  • Not use, retain, disclose, or otherwise Process Customer Personal Data outside of its business relationship with Customer or for any Commercial Purpose except as required or permitted by law;

  • Immediately inform Customer if Oculon determines it is no longer able to meet its obligations under Data Protection Laws or if an instruction infringes applicable Data Protection Laws;

(b) Limited Processing Rights

Process Customer Personal Data solely to the extent necessary to:

  • Perform the Business Purposes and obligations under the Agreement;

  • Operate, manage, test, maintain, and enhance the Services;

  • Disclose aggregate statistics about the Services in a manner that prevents individual identification or re-identification;

  • Protect the Services from threats to the Services or Customer Personal Data;

  • Comply with court orders or authorized governmental requests, provided prior notice is given to Customer where legally permissible;

(c) No Data Combination

Not combine Customer Personal Data which Oculon Processes on Customer's behalf with Personal Data received from or on behalf of another person, except as necessary to perform Business Purposes under the Agreement;

(d) Confidentiality

Ensure that personnel authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(e) Security Measures

Implement and maintain appropriate administrative, technical, and organizational security measures designed to ensure a level of security appropriate to the risk, including:

  • Encryption of Customer Personal Data in transit and at rest;

  • Ensuring ongoing confidentiality, integrity, availability, and resilience of Processing systems;

  • Restoring availability and access to Customer Personal Data in a timely manner in the event of an incident;

  • Regularly testing, assessing, and evaluating the effectiveness of security measures;

(f) Subprocessors

Customer hereby authorizes Oculon to engage Subprocessors, subject to:

  • Providing Customer at least thirty (30) days' advance written notice of any intended changes or additions to Subprocessors;

  • Including data protection obligations in contracts with each Subprocessor that are materially the same as those in this Addendum;

  • Remaining liable to Customer for any failure by each Subprocessor to fulfill its obligations;

Customer may object to a new Subprocessor within thirty (30) days of notice on reasonable data protection grounds. If no commercially reasonable solution can be found, either Party may terminate the relevant Services on written notice without penalty;

(g) Legally Binding Requests

To the extent legally permissible, promptly notify Customer of any legally binding requests for disclosure of Customer Personal Data by law enforcement or government authorities. Oculon shall maintain a record of all such disclosure requests;

(h) Data Subject Requests

To the extent legally permissible, promptly notify Customer of any communication from a Data Subject regarding Processing of Customer Personal Data or from any regulatory authority. Oculon shall not respond to such requests unless expressly authorized by Customer or required by law. Oculon shall provide reasonable assistance to Customer for fulfilling Data Subject rights requests;

(i) Security Incident Notification

Upon becoming aware of a Security Incident involving Customer Personal Data, notify Customer without undue delay and include all reasonably available information required by Customer to comply with its breach reporting obligations. Oculon shall take measures necessary to remedy or mitigate the effects of such Security Incident. Security Incidents do not include unsuccessful attempts that do not compromise Customer Personal Data security, including unsuccessful login attempts, port scans, or denial of service attacks;

(j) Compliance Assistance

Provide reasonable assistance to Customer with its obligations under applicable Data Protection Laws, taking into account the nature of Processing and information available to Oculon;

(k) Data Return or Deletion

Upon termination or expiry of the Agreement, at Customer's option, either return or securely delete all copies of Customer Personal Data, unless applicable law requires retention. Any retained data shall remain subject to confidentiality obligations;

(l) Records and Audits

Maintain necessary records to demonstrate compliance with this Addendum. Upon reasonable prior notice and during normal business hours, make available to Customer information reasonably necessary to demonstrate compliance, and allow for audits by Customer or an independent third-party auditor, provided such audits do not unreasonably disrupt Oculon's operations. Such audits may occur once per year unless required by a regulatory authority or in response to a Security Incident.

5. WARRANTIES

The Parties warrant that they and any staff and/or Subprocessors will comply with their respective obligations under Data Protection Laws for the term of this Agreement.

6. PRECEDENCE

The provisions of this Addendum are supplemental to the Agreement. In the event of any inconsistency, the order of precedence shall be: (a) this Addendum, (b) the Agreement. To the extent any provision contradicts applicable Data Protection Laws, the Data Protection Laws shall control.

7. INDEMNITY

To the extent permissible by law, Customer shall defend, indemnify, and hold harmless Oculon and its Affiliates from and against any claims, losses, damages, liabilities, fines, penalties, settlements, and costs (including reasonable legal fees) arising from any breach by Customer of this Addendum or of its obligations under applicable Data Protection Laws.

8. SEVERABILITY

If any provision of this Addendum is held unlawful or unenforceable, it shall not invalidate or render unenforceable any other provision of this Addendum.

9. MISCELLANEOUS

This Addendum addresses:

  • Privacy by design and default principles

  • Achieving security of Processing

  • Notification of Security Incidents to relevant authorities and Customer

  • Conducting privacy impact assessments where required by law

  • Assistance with regulatory consultations where required

For questions regarding data protection or to exercise Data Subject rights, contact:

Name: Shamin Aggarwal
Title: Chief Technology Officer and Chief Information Security Officer
Email: shamin@oculon.ai

ANNEX 1: DESCRIPTION OF PROCESSING ACTIVITIES

1. Parties

Data Exporter (Customer)
  • Name: As defined in the Agreement

  • Address: As set forth in the Order Form

  • Contact Person: As set forth in the Order Form

  • Activities: Recipient of FP&A platform Services provided by Oculon

  • Role: Controller/Business

Data Importer (Oculon)
  • Name: Oculon AI Inc.

  • Address: 612 West 137th Street Apt. 6 New York, NY, 10031 US

  • Contact Person: Shamin Aggarwal, Chief Technology Officer and Chief Information Security Officer

  • Email: shamin@oculon.ai

  • Activities: Provision of AI-native FP&A platform Services to Customer

  • Role: Processor/Service Provider

2. Processing Information

Categories of Data Subjects
  • Customer's authorized users of the Services

  • Customer's employees, contractors, and business contacts

Categories of Personal Data

Processed automatically by the Services:

  • Names

  • Email addresses

  • Job titles

  • User credentials and authentication data

Processed where provided by Customer in connection with FP&A services:

  • Financial data related to business operations

  • Employment information

  • Contact information

Sensitive Personal Data

None, unless specifically authorized by Customer in writing

Frequency of Transfer

Continuous during the term of the Agreement

Nature and Purpose of Processing

The provision of AI-native FP&A platform Services to Customer, including:

  • Financial planning and analysis

  • Data aggregation and reporting

  • AI-powered financial modeling and forecasting

  • Workflow automation

  • Dashboard and visualization services

Business Purposes (CCPA/CPRA)
  • Helping to ensure security and integrity to the extent reasonably necessary and proportionate

  • Debugging to identify and repair errors that impair existing intended functionality

  • Performing services on behalf of the Business, including maintaining or servicing accounts, providing customer service, processing transactions, verifying customer information, providing analytic services, providing storage, or providing similar services

  • Undertaking internal research for technological development and demonstration

  • Undertaking activities to verify or maintain the quality or safety of the Services

  • Retaining and employing Subprocessors where the Subprocessor meets the requirements under applicable Data Protection Laws

  • Building or improving the quality of Services provided to Customer

  • Preventing, detecting, or investigating data security incidents or protecting against malicious, deceptive, fraudulent, or illegal activity

Data Retention Period

Customer Personal Data will be retained for the duration of the Agreement and as specified in the Agreement, or as required by applicable law.

3. Technical and Organizational Security Measures

Security Management
  • Designation of qualified security personnel responsible for development, implementation, and maintenance of information security program

  • Management review and support of security policies updated at least annually

  • Regular independent third-party security assessments

  • Formal risk treatment program including vulnerability management and penetration testing

  • Incident management with root cause analysis and corrective action

Personnel Security
  • Background checks on employees with access to Customer Personal Data

  • Confidentiality agreements executed by all personnel

  • Required privacy and security training for all personnel

  • Access limited to authorized personnel on a need-to-know basis

Access Controls
  • Formal access management process for provisioning and de-provisioning access

  • Multi-factor authentication required for system access

  • Role-based access controls based on least privilege principle

  • Regular access reviews to ensure appropriate access levels

  • Unique user IDs and strong password policies

Infrastructure Security
  • Secure cloud infrastructure with redundancy and resilience

  • Regular vulnerability scanning and patch management

  • Security logging and monitoring enabled across systems

  • Disaster recovery and business continuity programs regularly tested

Data Security
  • Encryption of data in transit using industry-standard protocols (TLS/HTTPS)

  • Encryption of data at rest

  • Logical isolation of Customer data in multi-tenant environment

  • Secure data destruction processes upon data deletion

Network Security
  • Firewall protection for production environments

  • Intrusion detection and prevention systems

  • Regular security monitoring and incident response procedures

ANNEX 2: SUBPROCESSORS

Oculon currently engages the following Subprocessors:

  1. Cloud Infrastructure Provider: Azure

    • Service: Hosting and infrastructure services

    • Location: United States

  2. Authentication Services: Auth0

    • Service: User authentication and identity management

    • Location: United States

  3. Messaging Service: Twilio

    • Service: User authentication and one-time password service

    • Location: United States

  4. Internal Office Suite: Google Workspace

    • Service: Email and internal work documentation

    • Location: United States

  5. Notes and project management: Notion

    • Service: Internal project management and issue tracking

    • Location: United States

Oculon will provide Customer with at least thirty (30) days' notice before changing Subprocessors as set forth in Section 4.2(f) of this Addendum.