Transform Your Business with AI-Powered Consulting

Praxis: Your virtual consultant for actionable insights and tailored strategies.

Praxis AI

PRAXIS DATA PROCESSING ADDENDUM (DPA)

PRAXIS DATA PROCESSING ADDENDUM (DPA)
Effective Date: February 12, 2026
Last Updated: February 12, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Jeffrey Michael Capital, LLC (“JMC,” “Processor,” “Service Provider”) and the customer identified in the applicable Order Form (“Customer,” “Controller,” “Business”). This DPA applies when JMC processes personal data included in Customer Content on behalf of Customer in connection with Praxis.

If there is a conflict between this DPA and the Praxis SaaS Terms of Service or any Order Form, this DPA controls with respect to processing of personal data.

1) DEFINITIONS
“Applicable Data Protection Law” means laws applicable to the processing of personal data under this DPA, including (as applicable) U.S. state privacy laws (such as California CPRA), and, if applicable to Customer, GDPR/UK GDPR.
“Personal Data” means information that identifies or relates to an identifiable person and is included in Customer Content.
“Processing” means any operation performed on Personal Data (e.g., collection, storage, use, disclosure, deletion).
“Subprocessor” means a third party engaged by JMC to process Personal Data on behalf of Customer.
“Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by JMC.

2) ROLES AND SCOPE
2.1 Roles. Customer is the Controller/Business (or, where applicable, Processor acting on behalf of its own Controller) and JMC is Processor/Service Provider processing Personal Data on behalf of Customer.
2.2 Customer instructions. JMC will process Personal Data only on documented instructions from Customer as necessary to provide Praxis, including the instructions inherent in Customer's use of the Service and any Order Form. Customer may issue additional documented instructions in writing, subject to feasibility and any mutually agreed fees.
2.3 No “selling” or “sharing.” JMC will not sell Personal Data. JMC will not retain, use, or disclose Personal Data for purposes other than providing the Service and related support, security, and compliance, except as permitted by Applicable Data Protection Law.

3) DETAILS OF PROCESSING (EXHIBIT A SUMMARY)
Subject matter: Provision of Praxis decision-intelligence services.
Duration: Subscription term plus retention/deletion periods in the agreement.
Nature and purpose: Hosting and processing Customer Content to generate Outputs and provide the Service; maintaining security; support; legal compliance.
Categories of data subjects: Customer's employees, contractors, applicants, clients, vendors, and other individuals whose Personal Data is included in Customer Content.
Categories of Personal Data: May include identifiers (name, email), employment/workforce information, compensation/HR fields (as uploaded by Customer), sales/customer records, operational data, and any other Personal Data contained in Customer Content uploaded by Customer.
Special categories / sensitive data: Not intended; Customer must not upload Restricted Data (including PHI and biometric identifiers) unless expressly authorized in writing with appropriate addenda.

4) CONFIDENTIALITY
JMC will ensure personnel authorized to process Personal Data are bound by confidentiality obligations.

5) SECURITY MEASURES
5.1 Security program. JMC will maintain reasonable administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized access, loss, and misuse.
5.2 Access controls. JMC will implement access controls and limit access to Personal Data to personnel with a need to know for support and operations.
5.3 Customer responsibilities. Customer is responsible for its own access controls, credential management, user provisioning, and determining what Personal Data to upload.
5.4 No absolute security. No system is completely secure; JMC does not guarantee unauthorized access will never occur.

6) SUBPROCESSORS
6.1 Authorization. Customer authorizes JMC to engage Subprocessors to provide and support Praxis.
6.2 Obligations. JMC will require Subprocessors to protect Personal Data with obligations substantially similar to this DPA.
6.3 Subprocessor list and notice. JMC will maintain a current list of Subprocessors (including categories of services provided) and will provide notice of material changes by posting an update or providing reasonable notice through the Service.
6.4 Objection. Customer may object to a new Subprocessor on reasonable, documented grounds relating to data protection by providing notice within ten (10) business days of the update. If the parties cannot resolve the objection, Customer may terminate the affected Service (without penalty for unused, prepaid fees for the remainder of the term for the affected portion), subject to any limitations in the Order Form.

7) SECURITY INCIDENTS
7.1 Notification. JMC will notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Personal Data.
7.2 Information. JMC will provide information reasonably necessary for Customer to meet its incident notification obligations, to the extent available, and will take reasonable steps to contain and remediate.
7.3 Customer notice obligations. Customer is responsible for determining whether it must notify regulators or individuals and for making required notifications.

8) ASSISTANCE
JMC will provide reasonable assistance to Customer in responding to:
(a) requests from individuals to exercise rights under Applicable Data Protection Law (e.g., access, deletion), to the extent JMC can identify the data and the request pertains to Praxis; and
(b) inquiries from regulators, where required by law, taking into account the nature of processing and information available.

9) AUDITS
9.1 Evidence of controls. Upon request, JMC will provide reasonable information about its security measures. Where available, JMC may provide summaries, questionnaires, or third-party audit reports as a substitute for onsite audits.
9.2 Audit limitations. Any audit (if permitted) will be: (a) limited in scope; (b) subject to confidentiality; (c) conducted during business hours with reasonable notice; and (d) not more than once annually unless required due to a Security Incident.

10) DATA RETURN AND DELETION
Upon termination or expiration of the Services, JMC will delete Personal Data included in Customer Content from active systems within a reasonable time, subject to:
(a) Customer's ability to export data during any post-termination export period;
(b) legally required retention; and
(c) limited backups that may persist for a reasonable period and are protected by security controls.

11) INTERNATIONAL TRANSFERS
If Personal Data is transferred from the EEA/UK/Switzerland to a country not recognized as providing adequate protection, the parties will implement appropriate safeguards (e.g., Standard Contractual Clauses and, where applicable, the UK Addendum) upon request and as applicable.

12) CALIFORNIA (CPRA) TERMS (IF APPLICABLE)
To the extent the CPRA applies:
(a) JMC is a “service provider”/“contractor” processing personal information on behalf of Customer.
(b) JMC will not sell or share personal information, and will not retain, use, or disclose personal information for any purpose other than providing the Services, except as permitted by CPRA.
(c) JMC will support Customer's reasonable requests to help Customer comply with CPRA obligations, consistent with this DPA.

13) LIABILITY
Liability under this DPA will be subject to the limitations of liability in the Praxis SaaS Terms of Service and/or applicable Order Form, unless otherwise required by Applicable Data Protection Law.

14) CONTACT
For DPA notices and privacy requests related to Praxis processing:
privacy@jeffreymichaelcapital.com
Legal notices:
legal@jeffreymichaelcapital.com

EXHIBIT A - PROCESSING DETAILS (REFERENCE)
See Section 3 above.