privacy-policy

HEUREKA LABS, INC. PRIVACY POLICY Effective Date: March 4, 2026

This Privacy Policy describes how Heureka Labs, Inc., a Delaware corporation (“Heureka Labs,” “Company,” “we,” “us,” or “our”), collects, uses, stores, shares, and protects information in connection with your use of the Heureka Labs Platform. The Platform includes but is not limited to desktop applications, software, and web interfaces. By using the Platform, you agree to the terms of this Privacy Policy.

  1. INFORMATION WE COLLECT 1.1 Information You Provide • Account registration data: name, email address, institutional affiliation, role/title; • Organizational information: institution name, billing information, administrative contacts, additional information voluntarily provided by Users or Organizations, such as notes, context, policies, preferences, or institutional configurations; • User Data: research files, data, text, code, notes, and other content uploaded or created on the Platform, including those used for projects and backups; • Response quality feedback: optional ratings (e.g., helpful / not helpful) and any associated voluntary free-text comments submitted through in-Platform feedback tools regarding agent responses and Outputs; • Communications: support requests, feedback, and correspondence with Heureka Labs. 1.2 Information Collected Automatically • Usage data: features accessed, agent interactions, Credit consumption, session duration; • Device and technical data: device type, operating system, browser type, IP address, device identifiers; • Device permission data: where User has affirmatively granted permission for hardware device access, relevant content (e.g., storage, audio, visual) and session-level records of such access (duration, feature context) solely to the extent necessary for Platform operation and security monitoring; • Log data: access logs, error reports, performance data; • Backup data: backups and project data, as applicable; • Platform memory data: conversation context retained within a User’s account to personalize interactions, subject to User’s control settings. • Update and version data: current installed version of the Software, available Update versions, and User’s Update deferral status, collected to support Update delivery, security monitoring, and compliance with Section 7.1 of the EULA. 1.3 Data We Do Not Collect or Process Heureka Labs currently prohibits the upload of Protected Health Information (“PHI”) as defined under 45 C.F.R. § 160.103, and of personally identifiable information (“PII”) of research subjects or other identified or identifiable natural persons, to the Platform. Heureka Labs does not screen uploads for the presence of PHI or PII. In the event Heureka Labs discovers that PHI or PII has been uploaded in violation of this prohibition, Heureka Labs will follow the remediation process described in Section 4.5 of the Terms of Service. Users are solely responsible for ensuring that data uploaded to the Platform does not contain PHI or PII in violation of the Terms of Service. 1.4 Cookies and Similar Technologies When you access the Platform through a web browser, Heureka Labs and its service providers may use cookies, web beacons, pixel tags, local storage objects, and similar tracking technologies (collectively, “Cookies”) to collect and store certain information. Types of Cookies. Heureka Labs may use the following categories of Cookies in connection with the web-based Platform interface: (a) Strictly Necessary Cookies. Essential for Platform operation and cannot be disabled. These include Cookies that maintain authenticated sessions, store session tokens, enable security and fraud prevention, and preserve in-session preferences. No consent is required for these Cookies as they are necessary to provide the service. (b) Functional Cookies. Enable enhanced functionality and cross-session personalization, including remembering Account preferences. Disabling these Cookies may limit Platform functionality. (c) Analytics Cookies. Heureka Labs may use analytics Cookies to collect aggregated, de-identified information about how users interact with the Platform web interface, including pages visited, features used, session duration, and navigation paths. This data is used to improve Platform functionality and user experience as described in Sections 2 and 4.12 of the Terms of Service. (d) Third-Party Service Cookies. Certain embedded third-party services may set their own Cookies when you interact with those services. These Cookies are governed by the respective third party’s own privacy policy. Consent and Legal Basis. (a) EU/UK Users. Heureka Labs will request your consent before placing non-strictly-necessary Cookies on your device, in accordance with the ePrivacy Directive and applicable national legislation. You may provide or withdraw consent at any time. Withdrawal of consent is prospective only. Strictly necessary Cookies are placed on the basis of necessity to provide the service and do not require consent. (b) California Users. Heureka Labs does not use Cookies for targeted advertising or cross-context behavioral advertising. Analytics Cookies use only de-identified and aggregated data. If Heureka Labs’s practices change to include Cookies that constitute “sale” or “sharing” of personal information under California law, a “Do Not Sell or Share My Personal Information” mechanism will be made available prior to implementing such changes. (c) All Other Users. Users not covered by the EU/UK or California consent provisions above may manage Cookie preferences through browser settings. Disabling certain Cookies may affect Platform web interface functionality. Retention Periods. Strictly necessary session Cookies are deleted when you close your browser. Authentication Cookies persist for the duration of your authenticated session, up to thirty (30) days. Analytics Cookies persist for periods aligned with general retention policies, up to twenty-four (24) months. All Cookie retention periods are reviewed periodically and updated as required by applicable law. Managing Cookies. Users may manage Cookies through browser settings. Most browsers allow you to refuse all Cookies, accept certain categories, or delete stored Cookies. Disabling Cookies may affect your ability to use certain Platform web interface features.

  2. HOW WE USE INFORMATION We use the information we collect to: • Provide, operate, and improve the Platform; • Process Credit purchases and manage accounts; • Authenticate users and maintain security; • Provide customer support; • Monitor for security threats, unauthorized access, and Terms violations; • Conduct internal analytics for quality assurance; • Send service-related communications, including Terms updates; • Comply with legal obligations and enforce Terms; • Analyze optional Response Ratings submitted by Users to assess and improve the quality, accuracy, and relevance of Platform agent responses, identify systematic issues, and provide training signals for Platform models, as further described in EULA Section 5.11. This use is distinct from the prohibition on training AI models using User Data or Outputs described in Section 3 below; • Use your organization’s name, logo, and branding in promotional and marketing materials as described in EULA Section 4.3, subject to the opt-out right described therein. Heureka Labs may use aggregated, de-identified usage data such as feature interactions, tool usage patterns, and workflow analytics to improve Platform functionality, user experience, and product development. This use does not involve training AI models on User Data or Outputs.

  3. HOW WE DO NOT USE INFORMATION We commit to the following: • We do NOT train AI models using User Data or Outputs, except pursuant to an explicitly executed Statement of Work or written agreement for custom model development; where the User or User’s Organization has independently published such data or Outputs in a peer-reviewed journal, public preprint repository, public dataset repository, or equivalent public venue, in which case Heureka Labs may use the published version of such data for model training to the same extent as any other member of the public; or where the Response Ratings feature is enabled and User has individually rated specific Outputs, in which case Heureka Labs may use the specific Outputs that User has individually rated, together with the associated Rating signal, to train or improve Heureka Labs’s AI models for the limited purpose of improving response quality. This exception applies only to Outputs that User has actively rated through the Response Ratings feature. User may withdraw consent to this use by disabling the Response Ratings feature in Platform Settings at any time; • We do NOT sell User Data to third parties; • We do NOT share User Data with other Users without explicit User consent.

  4. HOW WE SHARE INFORMATION 4.1 With Service Providers We may share information with trusted third-party vendors assisting in Platform operations (e.g., cloud hosting, payment processing). These vendors are bound by confidentiality obligations and may only use data to provide services on our behalf. 4.2 With Other Users User Data is private. Data is shared with other Users only when a User explicitly shares a project (via the Platform or shared workspaces) and adds other Users as collaborators. 4.3 With Organizations For Users affiliated with an Account, the Organization’s administrators may access account-level administrative information (e.g., Credit usage) but such administrators do not have access to individual User Data, unless shared by the User, pursuant to a specific, documented written consent provided by the User, or where required by applicable law. 4.4 Agent Third-Party Calls Platform agents may make network calls to authorized third-party services to perform research tasks. Data passed to third-party services is limited to what is necessary for the task. User consents to such calls by using the relevant features. 4.5 Legal Requirements We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Heureka Labs, our users, or the public. 4.6 Business Transfers In connection with a merger, acquisition, or sale of assets, User information may be transferred to the acquiring entity, subject to equivalent privacy protections.

  5. DATA STORAGE AND RETENTION 5.1 Cloud Storage User Data on Heureka Labs’s cloud servers is retained indefinitely unless deleted by User or until Account termination. At least thirty (30) days’ notice will precede any planned deletion by Heureka Labs. Upon termination with notice under Section 7.2 of the Terms of Service, User has read-only download access to accessible, non-breaching User Data during the final five (5) days of the thirty (30) day notice period (the “Download Window”), with all access terminating at the end of the notice period. Upon immediate termination, Heureka Labs will, at its sole discretion and where appropriate given the circumstances of termination, provide a separate five (5) calendar day download window for accessible, non-breaching User Data. Notwithstanding the foregoing, data generated in violation of Heureka Labs’s Terms of Service or EULA may be deleted immediately upon Account termination, subject to applicable legal hold, regulatory, or law enforcement preservation requirements. One archival backup copy may be retained for a commercially reasonable period following Account closure in accordance with standard backup rotation processes described in Section 5.3 of this Policy. 5.2 Local Storage Files on User’s local device are the User’s sole responsibility. 5.3 Backup and Archives Heureka Labs maintains standard cloud backup and archival processes. A backup copy of User Data may exist even after User deletion and will be purged in the ordinary course of backup rotation. Backup copies of data generated in violation of Heureka Labs’s Terms of Service or EULA are subject to deletion outside the ordinary backup rotation cycle upon Account termination for cause, consistent with Heureka Labs’s rights under EULA Section 8.4(d) and subject to any applicable legal hold or regulatory preservation requirements. 5.4 Usage Analytics Data Aggregated, de-identified usage analytics data is retained for a period not to exceed twenty-four (24) months, after which it is deleted or further anonymized in the ordinary course of Platform operations.

  6. SECURITY 6.1 We implement commercially reasonable administrative, technical, and physical security measures to protect User Data against unauthorized access, alteration, disclosure, or destruction. 6.2 We implement mechanisms to limit the risk associated with code execution on the Platform to protect User data and systems. 6.3 No security system is impenetrable. We cannot guarantee absolute security of User Data. 6.4 In the event of a confirmed security breach affecting User Data, we will make commercially reasonable efforts to notify affected Users in a timely manner in accordance with applicable law.

  7. PLATFORM REVIEW AND MONITORING Heureka Labs reserves the right to review User profiles, Account activity, and usage data for security monitoring, incident response, customer service, technical support, quality assurance, marketing and communications related to Heureka Labs’s Platform and services, experience enhancement, aggregated usage analytics as described in Section 2 of this Policy, and investigation of potential Terms violations. Such review may be conducted by automated systems or human staff.

  8. USER RIGHTS AND CONTROLS 8.1 Access and Correction Users may access and update account information through Platform settings. 8.2 Data Deletion Users may delete User Data from cloud storage at any time through the Platform. Account closure requests may be submitted to support@heurekalabs.co. 8.3 Memory Controls (a) Web Interface. Users accessing the Platform via the web interface may toggle conversation memory features on or off per conversation in Account settings. (b) Desktop Software — Local Memory. For Users accessing the Platform via the desktop Software, conversation memory is stored as Local Memory files on User’s local device as described in EULA Section 5.9(b). Local Memory may be disabled through the Platform’s memory management interface settings for desktop Software use. Disabling Local Memory prevents storage of new conversational context but does not automatically delete previously stored Local Memory files; User must delete existing files separately as described above. Users may delete Local Memory files at any time directly through User’s local filesystem. Heureka Labs cannot access Local Memory stored on User’s local device absent cloud backup or sync features enabled by User. Deleted Local Memory is not recoverable. 8.4 Data Portability Users may download accessible User Data during active account status at any time through the Platform. Upon termination with notice under Section 7.2 of the Terms of Service, download access continues in read-only form during the Download Window, the final five (5) days of the thirty (30) day notice period, with all access terminating at the end of the notice period. Upon immediate termination under Section 7.2, Heureka Labs will, at its sole discretion and where appropriate given the circumstances of termination, provide a separate five (5) calendar day download window for accessible, non-breaching User Data. Data generated in violation of Heureka Labs’s Terms of Service or EULA is not accessible following termination of any kind. Notwithstanding the foregoing, data generated in violation of the Terms or the EULA may be deleted immediately upon Account termination, subject to any applicable legal hold, regulatory preservation, or law enforcement disclosure obligations, as further described in EULA Section 8.4(d). Heureka Labs may retain a single archival or backup copy in standard backup systems for a commercially reasonable period following Account closure. For EU/UK Users, the right to data portability under GDPR Article 20 is addressed in Section 9.2 of this Policy and the GDPR Data Processing Addendum. 8.5 Analytics Processing (a) US Users. For Users located in the United States, participation in Heureka Labs’s aggregated, de-identified usage analytics program is a condition of Platform use. Such analytics are described in Section 2 of this Privacy Policy and do not involve training AI models on User Data or Outputs, except pursuant to an explicitly executed Statement of Work or written agreement for custom model development; or where the User or User’s Organization has independently published such data or Outputs in a peer-reviewed journal, public preprint repository, public dataset repository, or equivalent public venue, in which case Heureka Labs may use the published version of such data for model training to the same extent as any other member of the public. US Users do not have a right to opt out of this processing under applicable federal or state law as currently applicable to this type of de-identified, aggregated analytics activity. (b) EU/UK Users. Users located in the European Economic Area or United Kingdom have the right under GDPR/UK GDPR Article 21 to object to processing of personal data based on legitimate interests, including the analytics processing described in Section 2. EU/UK Users may exercise this right by contacting support@heurekalabs.co. Heureka Labs will honor such objections within thirty (30) days in accordance with applicable law. Exercise of this right may limit certain personalization features of the Platform that depend on usage pattern analysis. (c) California Users. Nothing in Section 8.5(a) limits any rights California Users may have under the California Consumer Privacy Act (CCPA/CPRA) with respect to personal information as defined under that statute. California Users with CCPA/CPRA inquiries may contact support@heurekalabs.co.

  9. GDPR AND UK GDPR (EU/UK USERS) For Users located in the European Economic Area (“EEA”) or United Kingdom, the GDPR Data Processing Addendum (“DPA”), available as Exhibit A to these Terms or upon request at support@heurekalabs.co, governs the processing of personal data. The following summary applies: 9.1 Legal Bases for Processing We process personal data on the following legal bases: • Contract performance: processing necessary to provide Platform services; • Legitimate interests: security monitoring, fraud prevention, Platform performance analytics, collection and use of optional Response Ratings for Platform quality improvement and training signal purposes (EULA Section 5.11), use of User and Organization names and marks in marketing and communications (EULA 4.3), and aggregated usage analytics for Platform improvement; • Legal obligation: compliance with applicable laws; • Consent: where required by applicable law. 9.2 EU/UK User Rights EU and UK Users have the following rights under GDPR/UK GDPR: • Right of access to personal data we hold; • Right to rectification of inaccurate data; • Right to erasure (subject to legal exceptions); • Right to restriction of processing; • Right to data portability; • Right to object to processing based on legitimate interests; • Right to withdraw consent where processing is consent-based. To exercise these rights, contact support@heurekalabs.co. We will respond within thirty (30) days. 9.3 Data Transfers Transfers of personal data from the EEA or UK to the U.S. or other third countries will be made using appropriate safeguards under GDPR Chapter V, including Standard Contractual Clauses where applicable. 9.4 Supervisory Authority EU/UK Users have the right to lodge a complaint with their local data protection supervisory authority.

  10. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA) This Section applies to California residents whose personal information is collected, used, or disclosed by Heureka Labs in connection with the Platform. To the extent of any conflict between this Section and other provisions of this Privacy Policy, this Section controls for California residents. 10.1 Applicability and Threshold Status The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA/CPRA”), imposes obligations on businesses that meet certain thresholds, including annual gross revenue exceeding $25,000,000, annual purchase, sale, receipt, or sharing of personal information of 100,000 or more California consumers or households, or deriving 50% or more of annual revenue from selling or sharing California consumers’ personal information. Heureka Labs will implement the rights and obligations described in this Section upon crossing any applicable CCPA/CPRA threshold. California residents may contact support@heurekalabs.co at any time to inquire about Heureka Labs’s current threshold status. 10.2 Categories of Personal Information Collected To the extent CCPA/CPRA applies, Heureka Labs collects the following categories of personal information as defined under Cal. Civ. Code § 1798.140: (a) Identifiers, including name, email address, IP address, and account identifiers; (b) Professional or employment-related information, including institutional affiliation, job title, and research role; (c) Internet or other electronic network activity information, including usage data, feature interactions, session data, and log data; (d) Geolocation data, limited to IP-derived approximate location used for security screening and sanctions compliance; (e) Inferences drawn from the above categories to create a profile about a User reflecting preferences, research interests, and Platform usage patterns, where such inferences are generated in the course of providing Platform services. Heureka Labs does not collect sensitive personal information as defined under Cal. Civ. Code § 1798.121 beyond what is necessary to provide the Platform, and does not use or disclose such information for purposes that would trigger the right to limit use under § 1798.121(a). 10.3 Purposes for Collection and Use Personal information is collected and used for the purposes described in Section 2 (How We Use Information) of this Privacy Policy, including providing Platform services, security monitoring, customer support, compliance with legal obligations, and aggregated usage analytics for Platform improvement. 10.4 Sale or Sharing of Personal Information Heureka Labs does not sell personal information as defined under Cal. Civ. Code § 1798.140(ad). Heureka Labs does not share personal information for cross-context behavioral advertising as defined under Cal. Civ. Code § 1798.140(ah). Accordingly, Heureka Labs does not offer a “Do Not Sell or Share My Personal Information” opt-out at this time. If Heureka Labs’s practices change, this Section will be updated with at least thirty (30) days’ prior notice and a compliant opt-out mechanism will be made available. 10.5 Retention Periods Personal information is retained for the periods described in Section 5 (Data Storage and Retention) of this Privacy Policy. Heureka Labs retains each category of personal information for no longer than is reasonably necessary for the disclosed purpose of collection, consistent with Cal. Civ. Code § 1798.100(a)(3). 10.6 California Consumer Rights To the extent CCPA/CPRA applies, California residents have the following rights with respect to their personal information: (a) Right to Know. The right to request disclosure of: the categories and specific pieces of personal information Heureka Labs has collected about the consumer; the categories of sources from which personal information was collected; the business or commercial purpose for collecting personal information; and the categories of third parties with whom personal information is shared. (b) Right to Delete. The right to request deletion of personal information collected from the consumer, subject to exceptions under Cal. Civ. Code § 1798.105(d), including where retention is necessary to complete a transaction, detect security incidents, comply with legal obligations, or enable internal uses reasonably aligned with the consumer’s expectations. (c) Right to Correct. The right to request correction of inaccurate personal information maintained by Heureka Labs, taking into account the nature of the personal information and the purposes of the processing. (d) Right to Opt Out of Sale or Sharing. As described in Section 10.4, Heureka Labs does not currently sell or share personal information. No opt-out mechanism is required at this time. (e) Right to Limit Use of Sensitive Personal Information. Heureka Labs does not use or disclose sensitive personal information for purposes beyond those permitted under Cal. Civ. Code § 1798.121(a). No separate limit-use mechanism is required at this time. (f) Right to Non-Discrimination. Heureka Labs will not discriminate against any California resident for exercising their CCPA/CPRA rights, including by denying goods or services, charging different prices, or providing a different level or quality of service. 10.7 Exercising California Rights California residents may submit a rights request by contacting Heureka Labs at support@heurekalabs.co with the subject line “California Privacy Rights Request.” Heureka Labs will acknowledge receipt within ten (10) business days and respond substantively within forty-five (45) days of receipt. Where reasonably necessary, the response period may be extended by an additional forty-five (45) days with prior notice. Heureka Labs will verify the identity of the requestor before fulfilling any request by confirming the email address and account information associated with the request. Requests may be submitted by an authorized agent on behalf of a California resident, provided the agent provides written authorization signed by the consumer or a power of attorney executed pursuant to Cal. Prob. Code §§ 4000–4465. 10.8 Shine the Light California Civil Code § 1798.83 permits California residents who are customers of Heureka Labs to request certain information regarding Heureka Labs’s disclosure of personal information to third parties for those third parties’ direct marketing purposes. Heureka Labs does not disclose personal information to third parties for their direct marketing purposes. California residents with questions about this practice may contact support@heurekalabs.co. 10.9 Financial Incentives Heureka Labs does not offer financial incentives or price differences in exchange for the collection, retention, or sale of personal information within the meaning of Cal. Civ. Code § 1798.125.

  11. U.S. STATE PRIVACY RIGHTS 11.1 Scope In addition to the California-specific rights described in Section 10, residents of certain other U.S. states have privacy rights under applicable state law. This Section applies to residents of states with comprehensive consumer privacy laws currently in effect, including but not limited to Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Florida, Indiana, Iowa, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, and Maryland (“State Privacy Laws”). 11.2 Available Rights Depending on your state of residence and subject to applicable exceptions, you may have the right to: (a) confirm whether Heureka Labs processes your personal data and access a copy of that data; (b) correct inaccurate personal data Heureka Labs holds about you; (c) request deletion of personal data Heureka Labs has collected from or about you, subject to exceptions required to complete transactions, detect fraud, comply with legal obligations, or fulfill purposes compatible with the context of collection; (d) obtain a copy of your personal data in a portable, machine-readable format; and (e) opt out of sale of personal data, targeted advertising, or profiling for decisions with legal or similarly significant effects. Heureka Labs does not sell personal data, conduct targeted advertising, or engage in automated profiling for such decision-making purposes as those terms are defined under applicable State Privacy Laws. If Heureka Labs’s practices change, this Section will be updated with prior notice. Heureka Labs will not discriminate against you for exercising any State Privacy Law right. 11.3 Submitting a Request To exercise a right under this Section, email support@heurekalabs.co with subject line “State Privacy Rights Request” and include your state of residence. Heureka Labs will respond within the timeframe required by applicable State Privacy Law and in no event more than forty-five (45) days of receipt, with one possible extension of an additional forty-five (45) days where reasonably necessary. Heureka Labs will verify your identity before processing your request. Authorized agents may submit requests on your behalf where permitted by applicable law. If Heureka Labs declines to act on your request, you may appeal by emailing support@heurekalabs.co with subject line “Privacy Rights Appeal.” Heureka Labs will respond within the timeframe required by applicable State Privacy Law. 11.4 Sensitive Data Heureka Labs does not process categories of data universally defined as sensitive personal data under applicable State Privacy Laws beyond what is necessary to provide the Platform, and does not process such data for purposes requiring consent under applicable State Privacy Laws. If you believe Heureka Labs is processing sensitive data about you in a manner requiring consent, please contact support@heurekalabs.co.

  12. CHILDREN’S PRIVACY The Platform is not directed to individuals under eighteen (18) years old. We do not knowingly collect personal data from children.

  13. THIRD-PARTY LINKS AND SERVICES This Privacy Policy does not apply to third-party services. We encourage Users to review the privacy policies of any third-party services they access through the Platform.

  14. CHANGES TO THIS PRIVACY POLICY We may update this Privacy Policy from time to time. Material changes will be communicated through in-app notifications and posted to our public terms page at least thirty (30) days before taking effect. Major changes may also be sent via email notice. Continued use constitutes acceptance.

  15. GOVERNING LAW This Privacy Policy is governed by the laws of the State of Delaware and applicable U.S. federal law. For EU/UK Users, applicable GDPR requirements shall prevail to the extent required by law.

  16. CONTACT INFORMATION For questions or data requests, please contact Heureka Labs at support@heurekalabs.co.

We will respond to all requests within thirty (30) days, or within applicable statutory deadlines for EU/UK Users.

Last Updated: March 4, 2026   HEUREKA LABS, INC. GDPR DATA PROCESSING ADDENDUM (“DPA”) Exhibit A to Terms of Service and Privacy Policy Effective Date: March 4, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service and Privacy Policy between Heureka Labs (“Data Processor” or “Company”) and the User or Organization (“Data Controller” or “Customer”) and applies where Heureka Labs processes personal data of individuals located in the European Economic Area (“EEA”) or the United Kingdom in connection with the Platform. Capitalized terms used but not defined herein have the meanings given in the Terms of Service, EULA, or Privacy Policy.

ARTICLE 1: DEFINITIONS 1.1 “GDPR” means the General Data Protection Regulation (EU) 2016/679 and, where applicable, the UK GDPR as defined in the UK Data Protection Act 2018. 1.2 “Personal Data” means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR. 1.3 “Processing” has the meaning given in Article 4(2) GDPR. 1.4 “Data Subject” means the natural person to whom Personal Data relates. 1.5 “Sub-processor” means any processor engaged by Heureka Labs to process Personal Data on behalf of Customer. 1.6 “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries as approved by the European Commission, currently set out in Commission Implementing Decision (EU) 2021/914. 1.7 “Supervisory Authority” means the relevant data protection authority in the EEA Member State or the UK Information Commissioner’s Office (ICO) for UK Users.

ARTICLE 2: SCOPE AND ROLES 2.1 This DPA applies to the processing of Personal Data by Heureka Labs on behalf of Customer in connection with the Platform. 2.2 Customer is the Data Controller and Heureka Labs is the Data Processor for Personal Data processed in connection with the Platform, except to the extent that Heureka Labs processes Personal Data for its own legitimate purposes (e.g., account management, security, compliance, and aggregated usage analytics for Platform improvement), in which case Heureka Labs acts as an independent Data Controller. 2.3 Each party shall comply with all applicable obligations under the GDPR in relation to the Personal Data for which it acts as Controller.

ARTICLE 3: DETAILS OF PROCESSING 3.1 Subject Matter. Heureka Labs’s processing of Personal Data as Processor is limited to what is necessary to provide Platform services to Customer. 3.2 Duration. Heureka Labs processes Personal Data for the duration of the customer relationship and as required by applicable law thereafter. 3.3 Nature and Purpose — Processor Activities. Processing activities undertaken by Heureka Labs as Data Processor on behalf of Customer include: hosting and storage of User Data on Platform infrastructure; providing AI-assisted research tools, agents, and services; authentication and access management; customer support; security monitoring; and related Platform operations. 3.4 Nature and Purpose — Controller Activities. Heureka Labs also processes certain personal data as an independent Data Controller for its own legitimate purposes, including aggregated usage analytics for Platform improvement and user experience optimization. This processing is undertaken pursuant to Article 2.2 of this DPA and Heureka Labs’s legitimate interests as described in the Privacy Policy. Aggregated usage analytics data processed by Heureka Labs as Controller is retained for a period not to exceed twenty-four (24) months in accordance with the Privacy Policy. EU/UK Data Subjects may exercise their right to object to this processing under GDPR/UK GDPR Article 21 in accordance with Section 8.5(b) of the Privacy Policy. Heureka Labs will assess any such objection and cease or restrict the relevant processing unless Heureka Labs can demonstrate compelling legitimate grounds that override the Data Subject’s interests, rights, and freedoms. To the extent Heureka Labs’s Controller processing described in this Section involves transfer of personal data outside the EEA or UK, such transfers are governed by Article 5.3 of this DPA. 3.5 Types of Personal Data. Depending on Customer’s use of the Platform, Personal Data processed may include: identification data (name, email, job title); institutional affiliation; login credentials; usage data; research data inputs (including history and memory data) to the extent they contain Personal Data; and communications with Heureka Labs support. 3.6 Categories of Data Subjects. Data Subjects may include: Customer’s employees, researchers, and affiliates who use the Platform; any individuals whose Personal Data is included in research data uploaded by Customer. Customer warrants that any Personal Data of research subjects uploaded to the Platform is de-identified in accordance with Section 4.5 of the Terms of Service. 3.7 Automated Processing. The Platform uses automated processing to personalize features and content presented to Users. As of the effective date, March 4, 2026, Heureka Labs does not make solely automated decisions that produce legal or similarly significant effects on Data Subjects within the meaning of GDPR Article 22. In the event Heureka Labs introduces processing that constitutes solely automated decision-making with legal or similarly significant effects under GDPR Article 22, Heureka Labs shall notify Customer in accordance with DPA Article 10.1, update this DPA to describe the relevant processing and implement any required GDPR Article 22 safeguards, and Customer shall have the right to object in accordance with that Article. Where Customer’s use of the Platform involves automated processing that Customer determines may trigger GDPR Article 35, Customer should refer to DPA Article 4.6(c) for Heureka Labs’s DPIA assistance obligations. Relevant technical documentation will be provided upon written request.

ARTICLE 4: PROCESSOR OBLIGATIONS 4.1 Instructions Heureka Labs shall process Personal Data only on documented instructions from Customer, including as set out in the Terms of Service and this DPA, unless required to do so by applicable EU/UK law. If Heureka Labs is required by law to process Personal Data other than in accordance with Customer’s instructions, Heureka Labs shall notify Customer before such processing, unless legally prohibited from doing so. 4.2 Confidentiality Heureka Labs shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality obligations no less restrictive than those in the Terms of Service. 4.3 Security Measures Heureka Labs shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate: pseudonymization and encryption; ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; ability to restore availability of Personal Data in the event of a physical or technical incident; and a process for regularly testing and evaluating security measures. 4.4 Sub-processors Customer grants Heureka Labs general authorization to engage Sub-processors. Heureka Labs shall: (a) impose data protection obligations on Sub-processors no less stringent than those in this DPA; (b) maintain a list of Sub-processors and make it available to Customer upon request; (c) provide Customer with at least thirty (30) days’ prior notice of any addition or replacement of a Sub-processor; and (d) remain fully liable to Customer for the performance of Sub-processors’ obligations. Customer may object to a new Sub-processor within fourteen (14) days of notice on reasonable data protection grounds by notifying support@heurekalabs.co. If the parties cannot resolve the objection, Customer may terminate the affected services by written notice. 4.5 Data Subject Rights Assistance Heureka Labs shall, taking into account the nature of the processing, assist Customer by implementing appropriate technical and organizational measures to fulfill Customer’s obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). Heureka Labs shall promptly notify Customer of any Data Subject request received directly by Heureka Labs and shall not respond to such requests except on the documented instructions of Customer or as required by law. 4.6 Compliance Assistance Heureka Labs shall assist Customer in ensuring compliance with GDPR Articles 32-36, including: (a) security obligations; (b) notification of Personal Data breaches; (c) data protection impact assessments; and (d) prior consultation with Supervisory Authorities, taking into account the nature of processing and information available to Heureka Labs. Heureka Labs acknowledges that certain uses of the Platform by Customer may trigger the obligation to conduct a Data Protection Impact Assessment (“DPIA”) under GDPR Article 35. Customer is solely responsible for determining whether a DPIA is required for its specific use of the Platform and for conducting any required DPIA in accordance with GDPR Article 35. Where Customer determines that a DPIA is required or advisable, Heureka Labs shall, upon Customer’s written request and at Customer’s reasonable cost, provide assistance. Heureka Labs may charge a reasonable fee for DPIA assistance that requires material Heureka Labs personnel time. Heureka Labs does not conduct DPIAs on Customer’s behalf and is not responsible for Customer’s compliance with GDPR Article 35. 4.7 Personal Data Breach Notification Heureka Labs shall notify Customer without undue delay, and in any event within forty-eight (48) hours of becoming aware of a Personal Data breach affecting Customer’s Personal Data, to the extent practicable. Notification shall include, to the extent known: a description of the nature of the breach; categories and approximate number of Data Subjects and records concerned; the name and contact details of the data protection contact; description of likely consequences; and measures taken or proposed to address the breach. Heureka Labs acknowledges that Customer may have a seventy-two (72) hour notification obligation to its Supervisory Authority under GDPR Article 33. 4.8 Return and Deletion of Personal Data (GDPR Article 28(3)(h)) (a) Obligation. In accordance with GDPR Article 28(3)(h), upon: (i) the termination or expiration of the Terms of Service or this DPA; or (ii) Customer’s written request at any time during the term; Heureka Labs shall, at Customer’s election and cost, either: (A) Return: securely return all Personal Data to Customer in a commonly used, machine-readable format (such as CSV, JSON, or equivalent); or (B) Delete: securely delete and destroy all Personal Data and any existing copies in Heureka Labs’s systems and those of its Sub-processors, in accordance with the deletion standards described in Section 4.8(c). (b) Timeline. Heureka Labs shall complete the return or deletion described in Section 4.8(a) within thirty (30) days of: (i) the effective date of termination or expiration; or (ii) receipt of Customer’s written request, as applicable. Heureka Labs will provide Customer with written confirmation of completion of deletion or return within such period. (c) Deletion Standards. Where deletion is elected, Heureka Labs shall render Personal Data unrecoverable using commercially reasonable methods appropriate to the storage medium, including overwriting or cryptographic erasure for electronic records. Deletion shall extend to live systems, staging environments, and backup systems, except that backup media that cannot practically be deleted within the thirty (30) day period shall be quarantined from further use and deleted at the next scheduled backup rotation, which shall occur no later than ninety (90) days after the deletion request. (d) Legal Retention Exception. Notwithstanding Section 4.8(a) and (b), Heureka Labs may retain Personal Data to the extent and for the period required by applicable EU Member State law, UK law, or U.S. federal or state law (“Legal Retention”). Where Legal Retention applies, Heureka Labs shall: (i) inform Customer of the legal basis for retention; (ii) restrict processing of retained Personal Data to the purpose required by the applicable legal obligation; and (iii) delete the retained Personal Data as soon as the Legal Retention period expires. (e) Sub-processor Deletion. Heureka Labs shall ensure that Sub-processors delete or return Personal Data in accordance with this Article upon Customer’s request or upon termination, pursuant to the data processing agreements maintained with each Sub-processor under DPA Article 4.4. (f) Interaction with Data Download Window detailed in the Terms. The return and deletion obligations in this Article 4.8 apply to Personal Data held on Heureka Labs’s cloud infrastructure. They do not modify the data download window available to Users under EULA Section 8.4(c) and Section 7.5 of the Terms, which governs User-initiated download access. 4.9 Audit Rights Heureka Labs shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA and shall allow for and contribute to audits and inspections conducted by Customer or a third-party auditor mandated by Customer, provided that: (a) Customer provides at least thirty (30) days’ written notice; (b) such audit does not unreasonably interfere with Heureka Labs’s business operations; and (c) the auditor is bound by appropriate confidentiality obligations. Customer agrees to exercise this audit right no more than once per year unless a Personal Data breach has occurred and to assume all costs associated with such audits, as allowed by applicable law.

ARTICLE 5: INTERNATIONAL DATA TRANSFERS 5.1 Where the processing of Personal Data involves a transfer of Personal Data outside the EEA or UK to a country not recognized as providing an adequate level of protection, such transfer shall be made pursuant to appropriate safeguards under GDPR Chapter V. 5.2 The parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) as set out in Commission Implementing Decision (EU) 2021/914 are incorporated into this DPA by reference and shall apply to transfers of personal data from the EEA or UK to a country not recognized as providing an adequate level of protection, with the following specifications: (a) Module Two applies; (b) Clause 7 (Docking Clause) is not included; (c) Clause 9 Option 2 (General Written Authorization) applies, with a notice period of thirty (30) days in accordance with Article 4.4 of this DPA; (d) Clause 11 (Redress) optional language is not included; (e) Clause 17 governing law: the law of the Republic of Ireland, or, where Customer is established in an EEA Member State, the law of that Member State; (f) Clause 18 forum: the courts of the Republic of Ireland, or, where Customer is established in an EEA Member State, the courts of that Member State; (g) Annex I (List of Parties and Description of Transfer) is set forth as a schedule to this DPA following Article 10. Annex II (Technical and Organizational Measures) and Annex III (Sub-Processor List) are available upon written request to support@heurekalabs.co. Heureka Labs will provide Annex II to requesting parties under appropriate confidentiality obligations. 5.3: Standard Contractual Clauses – Module One (Controller to Controller Transfers). (a) Scope. This Article 5.3 applies to transfers of personal data from the EEA or UK by Heureka Labs as an independent Data Controller (as described in DPA Articles 2.2 and 3.4) to Heureka Labs’s own infrastructure, processors, or affiliates located in a country not recognized as providing an adequate level of protection under GDPR Chapter V. (b) Incorporation of Module One SCCs. The parties agree that the Standard Contractual Clauses (Module One: Controller to Controller) as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated into this DPA by reference and shall apply to the transfers described in Article 5.3(a), with the following specifications: (i) Module One applies; (ii) Clause 7 (Docking Clause) is not included; (iii) Clause 11 (Redress) optional language is not included; (iv) Clause 17 governing law: the law of the Republic of Ireland, or, where Heureka Labs is established in an EEA Member State in its capacity as Controller, the law of that Member State; (v) Clause 18 forum: the courts of the Republic of Ireland, or, where Heureka Labs is established in an EEA Member State in its capacity as Controller, the courts of that Member State; (vi) For the purposes of Module One, Heureka Labs acts as both data exporter (in its capacity as EEA/UK Controller of the personal data described in Article 3.4) and data importer (in its capacity as recipient of such data in the United States or other third country). Heureka Labs represents and warrants that it has implemented appropriate intra-company policies, technical measures, and governance mechanisms to give practical effect to the Module One obligations in the absence of a separate counterparty; (vii) Annex I (List of Parties) for the purposes of Module One transfers is as follows: Data Exporter: Heureka Labs, in its capacity as Data Controller of personal data collected from EEA/UK Data Subjects through the Platform, including aggregated usage analytics data as described in DPA Article 3.4. Data Importer: Heureka Labs’s U.S. entity and infrastructure operators receiving such personal data. Categories of Data Subjects: Platform Users located in the EEA or UK. Categories of Personal Data: Aggregated usage analytics data and associated session identifiers as described in DPA Article 3.4 and Privacy Policy Section 2. Purposes: Platform improvement, user experience optimization, and operational analytics as described in DPA Article 3.4. (viii) Annex II (Technical and Organizational Measures) for Module One transfers is the same as the TOMs described in Annex II to this DPA (Module Two), available upon request. (c) UK Transfers. For transfers of UK personal data subject to UK GDPR, the UK International Data Transfer Addendum (IDTA) to the EU SCCs, as issued by the UK Information Commissioner’s Office, is incorporated by reference and shall apply to Heureka Labs’s Controller-to-Controller transfers of UK personal data, with Heureka Labs as both Exporter and Importer, on the same terms as set out in Article 5.3(b) above with necessary modifications for the UK context. (d) Practical Implementation. Heureka Labs acknowledges that Module One SCCs in their standard form contemplate two separate legal entities as parties. Where Heureka Labs acts as both data exporter and data importer in an intra-group or intra-entity transfer scenario, Heureka Labs shall maintain internal documentation evidencing: (i) the categories of personal data transferred; (ii) the purposes of and legal basis for the transfer; (iii) the technical and organizational measures applied; and (iv) compliance with the substantive obligations of Module One as incorporated by this Article 5.3. Such documentation shall be made available to the relevant Supervisory Authority upon request. (e) Supersession. If and to the extent Module One SCCs are superseded by new transfer mechanisms approved under GDPR or UK GDPR, Heureka Labs shall transition to the updated mechanism within the timeframe required by the applicable regulatory guidance. 5.4 For UK Users, the UK International Data Transfer Addendum (IDTA) to the EU SCCs, as issued by the UK Information Commissioner’s Office, is incorporated by reference and shall apply to transfers of UK personal data to the U.S., with Heureka Labs as the Importer. 5.5 If and to the extent SCCs or the IDTA are superseded by new transfer mechanisms approved under GDPR or UK GDPR, the parties agree to cooperate in good faith to adopt such updated mechanisms.

ARTICLE 6: DATA CONTROLLER OBLIGATIONS Customer, as Data Controller, represents and warrants that: 6.1 Customer has a valid legal basis under GDPR Article 6 (and Article 9 where applicable for special categories of data) for all Personal Data it provides to Heureka Labs for processing. 6.2 Customer shall not upload special categories of Personal Data (as defined in GDPR Article 9) to the Platform without separately notifying Heureka Labs and obtaining explicit written agreement on appropriate safeguards. Uploading special category data without such agreement constitutes a material breach of this DPA and the Terms of Service. 6.3 Customer has provided all required notices and disclosures to Data Subjects regarding the processing of their Personal Data as described in this DPA and the Privacy Policy. 6.4 Customer shall promptly inform Heureka Labs of any changes in Data Subject consent status, withdrawal of consent, or regulatory requirements that may affect Heureka Labs’s authorization to process Personal Data. 6.5 Customer shall ensure that any Authorized Participants who process Personal Data under Customer’s authorization comply with the same obligations as Customer under this DPA.

ARTICLE 7: DATA PROTECTION CONTACT For all matters relating to data protection and this DPA, including a dedicated EU Representative, UK Representative, or Data Protection Officer (“DPO”), contact the Company at support@heurekalabs.co.

ARTICLE 8: TERM AND TERMINATION 8.1 This DPA is effective from the date Customer first uses the Platform and remains in effect until terminated in accordance with the Terms of Service or until Heureka Labs ceases to process Personal Data on behalf of Customer. 8.2 Termination or expiration of this DPA does not affect the validity of any SCCs or other transfer mechanisms entered into pursuant to this DPA, which shall continue to apply for as long as necessary to complete the transfer and any associated processing.

ARTICLE 9: GOVERNING LAW AND PRECEDENCE 9.1 This DPA is governed by the laws of the EEA Member State in which Customer is established, or where Customer is not established in the EEA, the laws of the Republic of Ireland, except to the extent EU or UK law mandatorily applies. 9.2 In the event of any conflict between this DPA and the Terms of Service or Privacy Policy with respect to Personal Data processed under GDPR or UK GDPR, this DPA shall take precedence. 9.3 Nothing in this DPA reduces the rights of Data Subjects or the obligations of Heureka Labs under applicable data protection law.

ARTICLE 10: AMENDMENTS 10.1 Heureka Labs may amend this DPA with thirty (30) days’ prior notice to Customer to reflect changes in applicable data protection law, regulatory guidance, or Platform operations. Where an amendment is required to comply with applicable law, it shall take effect immediately upon notice. 10.2 Governing Language. This DPA is drafted in the English language, which shall be the governing language for all purposes. Translations provided for convenience do not affect the primacy of the English version. Where applicable EU or UK law requires provision of documents in a specific language for enforceability, Heureka Labs will use commercially reasonable efforts to provide a compliant version upon written request.

ACCEPTANCE: Customer’s continued use of the Platform after the effective date of this DPA constitutes acceptance of its terms. For enterprise customers requiring a countersigned DPA, please contact support@heurekalabs.co.

Last Updated: March 4, 2026   HEUREKA LABS, INC. ANNEX I: List of Parties and Description of Transfer The following schedule forms part of this DPA. Annexes II and III are available as described in Article 5.2(g). Effective Date: March 4, 2026

A. LIST OF PARTIES

A.1 Data Exporter (Controller) Name The User or Organization identified in the Heureka Labs Account registration (“Customer”) Address As set forth in the Account registration Contact person The Account administrator email address on file with Heureka Labs Activities relevant to transfer Use of the Heureka Labs AI-powered research platform for scientific research, data analysis, and related activities as described in the Terms of Service Signature / date Deemed executed upon Customer’s acceptance of the Terms of Service and this DPA. For enterprise customers requiring a countersigned DPA, contact support@heurekalabs.co. Role Controller

A.2 Data Importer (Processor) Name Heureka Labs, Inc. Address 1030 N Rogers Ln, Ste 121 PMB 2165, Raleigh, NC 27610, USA Contact person support@heurekalabs.co — Data Protection Contact (see DPA Article 7) Activities relevant to transfer Provision of the Heureka Labs Platform, including AI-powered research tools, cloud infrastructure, authentication, storage, agent execution, and related services as described in the Terms of Service and EULA Signature / date Deemed executed upon Heureka Labs’s provision of Platform access following Customer’s acceptance of the Terms of Service and this DPA Role Processor (except where Heureka Labs acts as independent Controller for aggregated analytics — see DPA Article 2.2 and Article 3.4)

B. DESCRIPTION OF TRANSFER

B.1 Categories of Data Subjects Data subjects The personal data transferred concerns the following categories of data subjects: • Customer’s employees, researchers, scientists, and affiliated personnel who are registered Users of the Platform • Research collaborators and Authorized Participants granted Platform access by Customer under Section 5.3 of the Terms • Any individuals whose personal data is incidentally contained in research data or documents uploaded by Customer, to the extent not excluded by the de-identification requirement in Section 4.5 of the Terms and DPA Article 6.2 Note: Customer warrants under DPA Article 6.1–6.2 that any personal data of research subjects is de-identified before upload and that no special category personal data (GDPR Article 9) is uploaded without a separately executed written agreement.

B.2 Categories of Personal Data Personal data The following categories of personal data are transferred: • Identification and contact data: name, email address, job title, institutional affiliation • Account and authentication data: login credentials (stored via OS secure credential storage per EULA Section 5.9), session tokens, account identifiers • Usage and interaction data: feature interactions, agent session data, tool usage patterns, Credit consumption, session duration, workflow analytics • Device and technical data: device type, operating system, browser type, IP address, device identifiers • Log and performance data: access logs, error reports, performance metrics • Platform memory data: conversation context and history retained within a User’s account to personalize agent interactions, subject to User’s toggle controls per Section 4.4 of the Terms • Research data inputs: files, datasets, text, code, notes, and other content uploaded or created on the Platform, to the extent such content contains personal data of the User (e.g. authorship metadata, User-identifying annotations) • Communications: support requests, feedback, and correspondence with Heureka Labs • Device permission data (where applicable): where User has granted device permissions under EULA Section 5.6, session-level metadata relating to such access • Response quality feedback data: binary or categorical response ratings and any associated voluntary free-text comments submitted through the Platform’s optional response feedback feature, linked to User Account identifiers and session data • Local Memory data (desktop Software users only): conversation context, session history, and personalization data stored in Local Memory files on User’s local device, accessible to Heureka Labs only where User has enabled cloud backup or cross-device sync features. Where Local Memory is stored exclusively on User’s local device and not transmitted to Heureka Labs, Heureka Labs acts solely as the provider of the software mechanism and does not process this personal data as Controller or Processor

B.3 Sensitive Data Sensitive / special category data None transferred by default. Upload of special categories of personal data as defined in GDPR Article 9 (including health data, genetic data, biometric data, and data revealing racial or ethnic origin) is prohibited under Section 4.5 Terms and DPA Article 6.2 without a separately executed written agreement specifying appropriate safeguards.

B.4 Frequency of Transfer Frequency Continuous, for the duration of Customer’s active Platform account and for the retention periods described in the Privacy Policy and DPA Article 3.2 and Article 4.8

B.5 Nature of the Processing Nature of processing Processing activities undertaken by Heureka Labs as Processor include: • Storage and hosting of User Data on Heureka Labs cloud infrastructure • Processing of User inputs through AI models, agents, and analytical tools to provide Platform features and generate Outputs • Authentication and access management • Security monitoring, intrusion detection, and incident response • Customer support and technical troubleshooting • Backup, archival, and disaster recovery operations • Transmission of data to Sub-processors as listed in Annex III, to the extent necessary for Platform operations • Deletion or return of personal data upon termination in accordance with DPA Article 4.8 • Collection and processing of optional User-submitted Response Ratings to assess Platform response quality and, where applicable, provide training signals for Platform improvement, in accordance with EULA Section 5.11 and the no-AI-training limitations set forth in Section 4.5 of the Terms of Service • For desktop Software users: enabling Local Memory functionality via the Platform software; where cloud backup or sync is enabled by User, storage and retrieval of Local Memory data on Heureka Labs cloud infrastructure subject to User’s backup settings

B.6 Purposes of Processing Purposes Provision of the Platform services described in the Terms of Service and EULA, including AI-powered research assistance, data analysis, workflow automation, cloud compute, and related features. Heureka Labs processes personal data as Processor solely on Customer’s documented instructions as set out in the Terms of Service and this DPA.

B.7 Retention Period Retention Personal data is retained for the duration of the Customer Account and thereafter as follows: • User Data stored on Platform cloud infrastructure: retained until deleted by User or until Account termination, after which a single archival backup copy may be retained for a commercially reasonable period not to exceed the backup rotation cycle described in Privacy Policy Section 5.3 • Usage and log data: retained for up to 24 months as de-identified aggregated analytics, then deleted or further anonymized (Privacy Policy Section 5.4) • Authentication data: deleted upon Account closure in accordance with EULA Section 5.9 • All personal data: subject to deletion or return in accordance with DPA Article 4.8 upon termination or Customer request, within 30 days • Legal retention exception: personal data may be retained beyond the above periods to the extent required by applicable law (DPA Article 4.8(d))

B.8 Sub-processors Sub-processor transfers For transfers to Sub-processors, see Annex III (Sub-Processor List). The subject matter, nature, and duration of Sub-processor processing is described in Annex III for each Sub-processor. Heureka Labs imposes data processing obligations on all Sub-processors no less stringent than those in this DPA (DPA Article 4.4).