Data Processing Addendum (DPA)

for the VueX Service

This Data Processing Addendum (the “DPA”) is entered into between Vueron Technology Co., Ltd. (the “Company”) and the customer that has agreed to the VueX Terms of Service (the “Terms”) and uses the VueX Service (the “Customer”). This DPA governs the rights and obligations of the parties with respect to the processing of personal data and Customer Data in connection with the use of the Service.

This DPA forms an integral part of the Terms and shall be interpreted together with the Terms, any applicable order form, purchase order (PO), or other individual agreements.

Article 1 (Purpose)

The purpose of this DPA is to define the scope, methods, safeguards, and responsibilities related to the processing of personal data and related data by the Company on behalf of the Customer in connection with the Customer’s use of the VueX Service.

Article 2 (Definitions)

Capitalized terms used but not defined in this DPA shall have the meanings set forth in the Terms. In addition, the following definitions apply:

1. “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws, including the Korean Personal Information Protection Act and the GDPR.
2. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, retention, organization, analysis, transmission, disclosure, and deletion.
3. “Controller” means the entity that determines the purposes and means of the Processing of Personal Data, which under this DPA refers to the Customer.
4. “Processor” means the entity that Processes Personal Data on behalf of the Controller, which under this DPA refers to the Company.
5. “Sub-processor” means any third party engaged by the Company to perform Processing activities on behalf of the Customer under the Company’s instructions.

Article 3 (Roles and Status)

1. The Customer acts as the Controller with respect to Personal Data processed in connection with the use of the Service.
2. The Company acts as the Processor and Processes Personal Data solely on behalf of and in accordance with the instructions of the Customer.
3. Nothing in this DPA shall be construed to establish a joint controller relationship between the parties.

Article 4 (Scope of Personal Data Processing)

The Company shall Process Personal Data within the following scope:

1. Purposes of Processing
   • Provision and operation of the VueX Service
   • Data storage, backup, format conversion, labeling, and execution of AI inference and training
   • Service quality improvement, error analysis, and technical support
   • Compliance with applicable laws and maintenance of security
2. Types of Personal Data Processed
   • Account information: name, email address, organization information
   • Personal data that may be included in the course of using the Service
     (e.g., identifiable elements contained in video or sensor data)
   • Log data and access records
3. Categories of Data Subjects
   • The Customer’s employees, agents, customers, or other data subjects

Article 5 (Use of Data for AI Performance Improvement – Optional Consent)

1. Principle
   The Company does not use Customer Data for the training, research, or analysis of its general-purpose AI models, algorithms, or service-wide performance improvement.
2. Exception Based on Explicit Consent
   Notwithstanding the foregoing, where the Customer has explicitly provided prior consent (opt-in) via a separate checkbox on the VueX sign-up screen or account settings, the Company may use Customer Data solely for the following purposes:
   • Improving the accuracy, performance, and stability of the VueX Service and AI models
   • Enhancing the quality of AI features such as auto-labeling, object detection, classification, and tracking
   • Research and development of new features and AI technologies
3. De-identification and Safeguards
   Where Personal Data is included, the Company shall apply pseudonymization or anonymization measures in accordance with applicable law and shall not use the data in a manner that identifies a specific individual or Customer.
4. Use Restrictions
   The Company shall not use Customer Data processed under this Article for:
   • Sale, transfer, or disclosure to third parties
   • Reuse in an identifiable manner for any specific Customer
   • Development of customized models or services for third parties that compete with the Customer
5. Withdrawal of Consent
   The Customer may withdraw its consent at any time through account settings or by written request to the Company. Upon withdrawal, the Company shall promptly cease using newly collected or processed data for the purposes described in this Article.
   Withdrawal shall not affect Processing lawfully performed prior to such withdrawal.
6. Relationship to Service Use
   Refusal or withdrawal of consent under this Article shall not restrict the Customer’s access to or use of the Service. However, certain advanced features, benefits, or participation in performance improvement programs may not be available.

Article 6 (Customer Obligations)

1. The Customer shall ensure that it has obtained all necessary legal bases, consents, and authorizations for the collection, use, disclosure, and cross-border transfer of Personal Data prior to uploading or requesting Processing of such data through the Service.
2. The Customer shall implement appropriate safeguards, such as anonymization, masking, or blurring, where required.
3. The Customer shall bear primary responsibility for responding to data subject requests regarding their rights.

Article 7 (Company Obligations)

1. The Company shall Process Personal Data only in accordance with the Customer’s documented instructions.
2. The Company shall not Process Personal Data for purposes other than those specified in this DPA and the Terms.
3. The Company shall comply with all applicable data protection laws in connection with the Processing of Personal Data.

Article 8 (Security Measures)

The Company shall implement appropriate technical and organizational measures to protect Personal Data, including:

1. Encryption during transmission and storage
2. Access controls and management of access logs
3. Logical separation of data
4. Internal security policies and employee training
5. Incident response procedures and monitoring systems

Article 9 (Sub-processors)

1. The Customer authorizes the Company to engage Sub-processors for the provision of the Service.
2. The Company shall impose data protection obligations on Sub-processors that are substantially equivalent to those set forth in this DPA.
3. The Company shall notify the Customer by reasonable means of any material changes to its Sub-processors.

Article 10 (Data Localization and Cross-Border Transfers)

1. General Principle

• The Company shall, as a general principle, Process and store Personal Data within the geographic region in which such Personal Data is collected or where the Customer is established.

2. Personal Data Subject to the GDPR

• Where Personal Data is subject to the GDPR and originates from the European Economic Area (EEA), the Company shall Process and store such Personal Data within the EEA and shall not transfer such Personal Data outside the EEA.

3. Personal Data Originating Outside the EEA

• Where Personal Data originates from jurisdictions outside the EEA, the Company shall Process and store such Personal Data within the region reasonably designated for such jurisdiction and shall not transfer such Personal Data outside such region.

4. Limited Exceptions

• Notwithstanding Articles 10.1 through 10.3, the Company may transfer Personal Data outside the applicable region only where all of the following conditions are met:

1. such transfer is strictly necessary for the provision or maintenance of the Service;
2. such transfer is permitted under applicable data protection laws; and
3. appropriate technical, contractual, and organizational safeguards are implemented in advance.
4. GDPR-Specific Safeguards

• Where a transfer of Personal Data subject to the GDPR outside the EEA is exceptionally required, such transfer shall be conducted in accordance with Chapter V of the GDPR, including the use of Standard Contractual Clauses or other lawful transfer mechanisms recognized under applicable law.

6. No Transfer Based Solely on Consent

• The Customer’s consent or acknowledgment shall not, by itself, constitute a legal basis for the cross-border transfer of Personal Data.

Article 11 (Personal Data Breach)

1. Upon becoming aware of a Personal Data breach, the Company shall notify the Customer without undue delay to the extent permitted by applicable law.
2. The Company shall reasonably cooperate with the Customer in investigating and remediating the breach.

Article 12 (Return and Deletion of Personal Data)

1. Upon termination of the Service or upon the Customer’s request, the Company shall delete or return Personal Data in accordance with applicable law and the Terms.
2. Personal Data subject to statutory retention obligations shall be retained for the required period and deleted thereafter.
3. Deleted data may not be recoverable due to technical limitations.

Article 13 (Audit Rights)

1. The Customer may request information regarding the Company’s Processing of Personal Data within a reasonable scope.
2. Any audit shall be conducted in a manner that does not unreasonably interfere with the Company’s operations or compromise its security or trade secrets.

Article 14 (Liability and Indemnification)

1. Liability arising out of or in connection with this DPA shall be subject to the limitations of liability set forth in the Terms or applicable individual agreements.
2. The Company shall not be liable for damages arising from the Customer’s instructions or violations of applicable law by the Customer.

Article 15 (Order of Precedence)

In the event of any conflict between this DPA and the Terms or other documents, this DPA shall prevail with respect to matters concerning the Processing of Personal Data.

Article 16 (Governing Law and Jurisdiction)

This DPA shall be governed by the laws of the Republic of Korea, and disputes arising in connection with this DPA shall be subject to the jurisdiction specified in the Terms.

Article 17 (Effectiveness)

This DPA shall become effective upon the Customer’s acceptance of the Terms and use of the VueX Service and shall apply together with the Terms to the extent related to the Processing of Personal Data.