Effective Date: November 17, 2025
Last Updated: December 2, 2025

This Data Processing Addendum (“DPA”) forms part of the Tide Theory Terms of Service (the “Agreement”) between Tide Theory, Inc. (“Tide Theory,” “Processor,” “we,” “us,” “our”) and the customer entity or individual that executes an Order Form or uses the Services (“Customer,” “Controller,” “Business”).

This DPA governs Tide Theory’s processing of Customer Personal Data when Tide Theory acts as a Processor, Service Provider, or Contractor on behalf of Customer under applicable privacy laws.

1. Definitions

Unless otherwise defined in this DPA, capitalized terms have the meaning given in the Agreement.

• “Customer Personal Data” means any personal data Customer submits through the Services that Tide Theory processes on behalf of Customer as Processor.

• “Applicable Data Protection Laws” means all laws relating to data protection and privacy, including the EU GDPR, UK GDPR, CCPA/CPRA, Colorado Privacy Act, Virginia VCDPA, Connecticut Data Privacy Act, Quebec Law 25, and any successor laws.

• “GDPR” means the EU General Data Protection Regulation (EU) 2016/679 and UK General Data Protection Regulation.

• “CCPA/CPRA” means the California Consumer Privacy Act as amended by the California Privacy Rights Act.

• “Sub-processor” means any third party engaged by Tide Theory to process Customer Personal Data.

2. Roles of the Parties

2.1 Controller and Processor​

Customer is the Controller or Business; Tide Theory is the Processor, Service Provider, or Contractor.

2.2 Instructions​

Tide Theory will process Customer Personal Data only according to Customer’s written instructions, which include:

• The Agreement;

• This DPA;

• Customer’s configuration and use of the Services.

3. Nature and Purpose of Processing

3.1 Subject Matter​

Provision of the Tide Theory Services, including AI-generated audio, music, ambience, sound effects, video-to-music generation, storage, hosting, rendering, inference, analytics, and related support.

3.2 Duration​

For the duration of the Agreement and any legally required retention period.

3.3 Categories of Data Subjects​

• Customer personnel

• Client teams

• Individuals whose voices/images appear in Customer uploads

• Authorized users

3.4 Types of Personal Data​

• Names, emails, account data

• Audio/video content uploaded by Customer

• Prompts, briefs, metadata

• Device/log information

• Identifiers or attributes contained within Input

3.5 Processing Activities​

• Storage

• Retrieval

• Rendering/inference

• Analysis and model optimization (subject to Terms Section 4(e) and 4(g))

• Transmission to Sub-processors (e.g., hosting providers, model APIs)

• Support and troubleshooting

• Security and fraud prevention

4. Processor Obligations

Tide Theory shall:

1. Process Customer Personal Data only for the purposes described in this DPA and Agreement.

2. Implement appropriate technical and organizational measures to protect Customer Personal Data (encryption, access controls, logging, MFA, audits).

3. Ensure personnel are bound by confidentiality obligations.

4. Notify Customer of any Data Incident without undue delay.

5. Provide reasonable assistance with:

   • Data Subject Requests

   • Impact assessments

   • DPIAs (if applicable under GDPR)

6. Not “sell” or “share” Customer Personal Data as defined under CPRA.

7. Not use Customer Personal Data for cross-context behavioral advertising.

8. Not combine Customer Personal Data with personal information received from other sources except as permitted by CPRA or necessary to provide the Services.

5. Sub-processors

5.1 Authorization​

Customer authorizes Tide Theory to use Sub-processors necessary to operate the Services, including:

• Cloud hosting providers

• AI inference engines

• Rendering and audio-processing providers

• Storage providers

• Email/SMS communication providers

• Security and logging vendors

A current Sub-processor list is available upon request.

5.2 Sub-processor Contracts​

Tide Theory will enter into written agreements with all Sub-processors requiring protections no less stringent than those in this DPA.

5.3 Changes to Sub-processors​

Tide Theory will notify Customer of any intended changes and allow Customer to reasonably object only for legitimate data-protection concerns.

6. International Transfers

When transferring Customer Personal Data internationally, Tide Theory will:

• Use the EU Standard Contractual Clauses (SCCs) where required

• Use the UK Addendum for UK transfers

• Implement appropriate supplementary measures (encryption, access controls)

• Comply with CPRA, GDPR, and other regional requirements

7. Data Subject Requests

If a Data Subject contacts Tide Theory directly:

• Tide Theory will not independently respond (unless required by law).

• Tide Theory will forward the request to Customer.

• Customer is responsible for verifying identity and providing the response.

Tide Theory will assist Customer in fulfilling such requests where reasonably necessary.

8. Data Security

Tide Theory employs industry-standard safeguards, including:

• Encryption in transit and at rest

• Secure development practices

• Logical access controls

• Role-based permissions

• Regular vulnerability scanning

• Penetration testing

• Incident response procedures

9. Data Incidents

Tide Theory will notify Customer without undue delay after confirming a Data Incident involving Customer Personal Data.

The notification will include:

• Nature of the incident

• Categories of affected data

• Likely consequences

• Remediation steps

Tide Theory will provide ongoing updates and cooperate with any required regulatory notifications.

10. Deletion or Return of Data

Upon termination or expiration of the Agreement, Tide Theory will:

• Delete Customer Personal Data
  or
• Return it upon written request

Unless retention is required by law, fraud-prevention needs, dispute resolution, or internal logging obligations.

Deletion will follow Tide Theory’s secure-erasure procedures.

11. Audits

Upon written request:

• Tide Theory will make available information necessary to demonstrate compliance with this DPA;

• Customer may conduct an audit once per year, or more frequently if required by law;

• Remote assessments or third-party audit reports satisfy this requirement;

• On-site audits require 30 days’ notice, may only occur during business hours, and cannot interfere with Tide Theory operations.

12. Customer Obligations

Customer agrees to:

1. Process personal data lawfully.

2. Obtain all necessary rights, consents, and authorizations from Data Subjects.

3. Not upload unlawful or unauthorized personal data.

4. Configure security and access settings appropriately.

5. Notify Tide Theory of any privacy-sensitive or restricted processing requirements.

13. Governing Law

This DPA is governed by the same law as the Agreement (Delaware law), except where Applicable Data Protection Laws require otherwise (e.g., GDPR).

14. Order of Precedence

If there is a conflict between:

1. This DPA

2. The Terms of Service

3. Any other agreement between the parties

The following order applies:

(1) This DPA controls, solely with respect to data-processing obligations.
(2) Then the Terms of Service.
(3) Then any other agreements.

15. Signatures

This DPA may be executed electronically and in counterparts. Execution may occur via DocuSign or similar e-signature platform.

EXHIBIT 1 — Standard Contractual Clauses (SCCs) ANNEX I, II & III

(For EU Personal Data Transfers: Controller → Processor)

ANNEX I – DESCRIPTION OF PROCESSING

A. LIST OF PARTIES​

Data Exporter (Controller)​

Name: Customer entity or individual using Tide Theory Services
Address: As listed in Order Form or account profile
Contact Person: Customer’s privacy or legal contact
Role: Data Controller under GDPR

Data Importer (Processor)​

Name: Tide Theory, Inc.
Address: 310 East 70th Street, #6LM, New York, NY 10021
Contact Email: privacy@tidetheory.ai
Role: Data Processor / Service Provider

B. DESCRIPTION OF TRANSFER​

Categories of Data Subjects​

The personal data transferred typically concerns the following data subjects:

• Customer personnel (admin users, editors, operators)

• Client organizations and creative teams

• Individuals whose voices/images appear within uploaded audio/video content

• Authorized enterprise users

• Natural persons identifiable in metadata or Input

Categories of Personal Data Transferred​

The transferred categories are limited to those necessary for the provision of Tide Theory’s AI audio services and may include:

1. Account & Identity Data

   • Name

   • Email address

   • Authentication identifiers

2. Input Content (User-Provided Content)

   • Audio files, stems, effects, ambience

   • Videos uploaded for visual analysis

   • Music briefs, prompts, scripts

   • Reference files, metadata

3. Output Metadata

   • Model selections

   • Prompt parameters

   • Genre/mood tags

   • Generation logs

4. Usage & Technical Data

   • IP address

   • Device type, OS, browser version

   • Interaction logs

   • Crash/error logs

5. Inferred or Derived Data

   • Creative preferences

   • Model-recommendation profiles

Tide Theory does not intentionally collect or request:

• Government IDs

• Sensitive personal data (unless included within customer uploads, which Customer controls)

Sensitive Data (If Provided by Customer)​

Tide Theory does not require or knowingly solicit Sensitive Personal Data but may process it if Customer uploads such data.

Processing is limited to providing the Services.

Frequency & Duration of Processing​

• Frequency: Continuous and event-driven, based on Customer usage.

• Duration: For the term of the Agreement plus any legal retention period.

Nature & Purpose of Processing​

Processing includes:

• Storage and hosting

• Rendering and inference using AI models

• Transforming audio/video into AI-generated Output

• Analysis for quality, security, and fraud prevention

• Model refinement and training (only as permitted under Terms §§ 4(e) & 4(g))

• Support, debugging, and diagnostics

• Logging and analytics

• Transmission to Sub-processors

Subject Matter of Processing​

Provision of Tide Theory’s AI audio generation Services, including:

• Music composition

• Sound-effect generation

• Ambience/foley generation

• Video-to-audio analysis

• Rendering, mixing, mastering

• Collaborative enterprise features

Competent Supervisory Authority​

The supervisory authority of the EU Member State where the Data Exporter is established (per SCC Clause 13).

If multiple Exporters exist: The lead supervisory authority shall be Ireland, unless Customer designates another.

ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)

Tide Theory implements the following TOMs, aligned with GDPR Art. 32, NIST, SOC 2 principles, and industry best practices.

1. Organizational Measures​

1. Data Protection Officer (DPO)-equivalent oversight

   • Privacy program coordinated by legal, security, and engineering leadership.

2. Access Control Policies

   • Role-based access (RBAC)

   • Enforcement of least privilege

   • Annual access reviews

3. Employee Security Training

   • Mandatory privacy, security, and confidentiality training

   • AI-sensitive data handling modules

4. Background Checks (where legally permitted)

5. Vendor Management Program

   • Security review prior to onboarding Sub-processors

   • Contractual data protection requirements

2. Technical Measures​

2.1 Encryption​

• In transit: TLS 1.2+

• At rest: AES-256 or cloud-provider equivalent

• Encryption of backups and key management via cloud KMS

2.2 Authentication & Access Controls​

• MFA for administrative accounts

• Strong password requirements

• OAuth token security

• Session management and expiry

2.3 Logging & Monitoring​

• Audit logs for administrative access

• Centralized log management

• Automated alerts for anomaly detection

2.4 Network & Cloud Security​

• Firewalls and VPC isolation

• Security groups and inbound/outbound rules

• IDS/IPS provided by cloud vendors

2.5 Application Security​

• Secure software development lifecycle (SSDLC)

• Code reviews & automated dependency scanning

• Regular penetration testing

• API rate limiting and abuse-prevention systems

2.6 Data Segmentation​

• Logical multi-tenancy separation

• Isolation of enterprise workspaces where applicable

2.7 Data Minimization & Retention​

• Input deletion upon user request

• Automatic cleanup based on retention schedules

• Anonymization or aggregation when feasible

3. Incident Response​

• 24/7 monitoring

• Documented IR plan

• Notification to Customer “without undue delay”

• Post-incident analysis and remediation

4. Business Continuity & Disaster Recovery​

• Regular backups

• Geographic redundancy

• Disaster recovery testing

• RTO/RPO targets aligned with cloud SLAs

5. Data Protection Impact Assessments​

Tide Theory conducts DPIAs for:

• New AI model deployments

• Major architectural changes

• Processing of sensitive Input (when identified)

ANNEX III – LIST OF SUB-PROCESSORS

The Customer authorizes Tide Theory to use the following Sub-processors for providing the Services.

A. Cloud Hosting & Compute Providers​

B. AI & Audio Model Execution​

C. Storage, CDN, and Delivery​

D. Analytics & Logging​

E. Email / Communications​

F. Payment Processing​

ANNEX IV – UK Addendum to the EU Standard Contractual Clauses

UK Addendum to the EU Standard Contractual Clauses (Controller → Processor Transfers)

This Addendum is entered into between:

Data Exporter: The Customer
Data Importer: Tide Theory, Inc.
Company Number: N/A (U.S. corporation)
Address: 310 East 70th Street, #6LM, New York,NY 10021
Contact: privacy@tidetheory.ai

This Addendum supplements the EU Standard Contractual Clauses (SCCs) executed between the parties and applies to the extent Tide Theory processes UK Personal Data subject to the UK GDPR.

1. Incorporation of SCCs​

The SCCs are incorporated as amended below to comply with UK GDPR and the UK Data Protection Act 2018.

2. Amendments to the SCCs for UK Transfers​

a. References to “Member State” are replaced with “United Kingdom”.
b. References to “EU GDPR” include “UK GDPR”.
c. The “competent supervisory authority” shall be the UK Information Commissioner’s Office (ICO).
d. The governing law for the SCCs as modified is the laws of England and Wales.
e. The SCCs shall be interpreted in the context of UK data protection law.

3. Priority​

In case of conflict between:

1. This UK Addendum

2. The SCCs

3. The DPA

4. The Terms

The order above governs for UK personal data.

4. Termination​

If the SCCs terminate, this Addendum automatically terminates.

5. Signatures​

This Addendum is deemed executed when the Agreement or DPA incorporating the SCCs is executed.

ANNEX V – Swiss FDPIC Addendum

Swiss Addendum to the EU SCCs
This Addendum modifies the EU Standard Contractual Clauses executed between the Customer (“Data Exporter”) and Tide Theory (“Data Importer”) to apply to transfers subject to the Swiss Federal Act on Data Protection (FADP) and the Swiss FDPIC requirements.

1. Definitions​

a. “Personal Data” includes information relating to an identified or identifiable natural person under Swiss law.
b. “Controller,” “Processor,” and similar terms shall be interpreted consistent with the Swiss FADP.

2. Amendments to SCCs​

The EU SCCs are modified as follows for Swiss data:

1. The governing law is the laws of Switzerland.

2. The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).

3. References to the “EU” or “Member State” include “Switzerland” to the extent needed.

4. “GDPR” references are interpreted to include relevant Swiss FADP provisions.

5. Where Swiss and EU laws differ, the stricter protection applies.

3. Multi-Jurisdiction Transfers​

If a transfer involves both EU and Swiss data, the version of the SCCs offering the highest level of protection shall govern.

4. Termination​

The Addendum terminates automatically if the SCCs terminate.

ANNEX VI – Cookie Policy (EU/UK Compliant)

Tide Theory – Cookie Policy
Last Updated: December 2, 2025

This Cookie Policy explains how Tide Theory uses cookies and similar technologies on our website and platform.

1. What Are Cookies?​

Cookies are small text files stored on your device to help us provide, improve, and personalize the Services.

2. Types of Cookies We Use​

A. Essential Cookies​

Required for:

• Signing in

• Security

• Core functionality

You cannot disable these through cookie preferences.

B. Performance & Analytics Cookies​

Used to understand how users interact with the Services.
Examples include:

• Page views

• Feature usage

• Error diagnostics

C. Functionality Cookies​

Used to remember your preferences, such as:

• Language

• Theme settings

• Saved states in the interface

D. Advertising & Marketing Cookies (Optional)​

Used only if you explicitly opt in (EU/UK requirement).

We currently do not run targeted advertising but may use analytics attribution tools.

3. Legal Basis for Cookie Use (EU/UK Only)​

• Essential cookies: Legitimate interests / necessary for service delivery

• Analytics & marketing cookies: Consent required under GDPR/UK GDPR

4. Managing Cookies​

You can disable non-essential cookies by:

• Adjusting browser settings

• Using the on-site cookie banner controls

• Blocking or deleting cookies through browser tools

5. Changes to This Policy​

We may update this Cookie Policy periodically. Continued use constitutes acceptance.

ANNEX VII – Cookie Banner Language

EU/UK Visitors Only:

Tide Theory uses cookies to provide and secure our Services, enhance performance, and improve user experience.

You can accept all cookies, reject non-essential cookies, or customize your preferences.
Buttons:

• Accept All

• Reject Non-Essential

• Customize

Customize Panel Categories:

• Essential (required)

• Analytics

• Functionality

• Marketing (if used)

ANNEX VIII – Public Sub-processor List

Tide Theory – Sub-processor List
Last Updated: December 2, 2025

Tide Theory uses the following third-party providers (“Sub-processors”) to support the delivery of the Services. These vendors may process personal data on our behalf.

Cloud Hosting & Infrastructure​

• Amazon Web Services (AWS) – hosting, compute, storage

• Google Cloud Platform (GCP) – GPU inference, compute

AI / Audio Processing​

• [Insert actual vendors if applicable] (e.g., AssemblyAI, OpenAI, custom inference vendor)

Storage & Delivery​

• AWS S3 – object storage

• Cloudflare – CDN, edge caching, security

Analytics & Diagnostics​

• Sentry – error and crash reporting

• Mixpanel or Plausible – usage analytics

• Log management provider (if applicable)

Communications​

• AWS and/or SendGrid – transactional email

• Twilio – SMS / 2FA

Payments​

• Stripe – payment processing, subscriptions

You will notify users that this list may be updated and customers may subscribe to a change-notification list (optional).

ANNEX IX – Data Subject Request (DSR)

Tide Theory – Your Privacy Rights

If you are a resident of the EU, UK, Switzerland, California, or other jurisdictions with applicable privacy laws, you may exercise data rights regarding your personal information.

Your Rights​

Depending on your location, rights may include:

• Access your personal data

• Correct inaccurate information

• Delete personal data

• Receive a copy of your data (portability)

• Object to or restrict certain processing

• Opt out of marketing communications

• Withdraw consent (where applicable)

• Additional CPRA rights (see CPRA Addendum)

How to Submit a Request​

Email privacy@tidetheory.ai with:

• Your name

• The email associated with your account

• The type of request (access, delete, correct, etc.)

We will verify your identity before fulfilling your request.

Enterprise users should contact their organization’s administrator first.