Data Controller ("You"): The User / Customer
The individual or organization that has agreed to the SimStim Terms of Service and is using the SimStim connector to push content to display screens. You determine the purposes and means of processing personal data through SimStim.
Data Processor ("SimStim"): SimStim.ai
SimStim, Inc (PO Box 282, Manchester, VT 05254), operator of SimStim.ai. We process personal data strictly on your behalf and only to the extent necessary to deliver the SimStim display connector service.
01 — Definitions
In this DPA, the following terms have the meanings set out below:
- "Applicable Data Protection Law" means all privacy and data protection laws applicable to the processing of Personal Data under this DPA, including the GDPR, CCPA, LGPD, and any successor or implementing legislation.
- "Controller" means the entity that determines the purposes and means of processing Personal Data. Under this DPA, you (the SimStim user) are the Controller.
- "Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, SimStim is the Processor.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, or deletion.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Sub-Processor" means any third party engaged by SimStim to process Personal Data on behalf of the Controller.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard data protection clauses adopted by the European Commission for the transfer of Personal Data to third countries.
- "Services" means the SimStim ambient display connector and associated platform made available to you under the Terms of Service.
02 — Scope & Role of Parties
This DPA applies to all Personal Data processed by SimStim in connection with providing the Services to you. SimStim processes Personal Data solely:
- On your documented instructions as Controller;
- As necessary to perform the Services under the Terms of Service;
- As required by Applicable Data Protection Law (in which case SimStim will inform you, unless prohibited by law).
SimStim will not process Personal Data for its own purposes, sell Personal Data, or use Personal Data to build profiles about Data Subjects beyond what is strictly necessary to deliver the Services.
SimStim's data minimization commitment: we collect only screen names, display URLs, push history, and account credentials. We do not collect the broader contents of your Claude conversations. See Schedule A for the complete list of data categories processed.
03 — Processor Obligations
SimStim, as Data Processor, agrees to:
- Process Personal Data only on your documented instructions and not for any other purpose;
- Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations;
- Implement and maintain appropriate technical and organizational security measures as described in Section 7;
- Respect the conditions for engaging Sub-Processors as described in Section 5;
- Assist you in fulfilling your obligations to respond to Data Subject rights requests as described in Section 6;
- Assist you in ensuring compliance with security, breach notification, data protection impact assessment, and prior consultation obligations under Applicable Data Protection Law;
- Delete or return all Personal Data upon termination of Services, as described in Section 10;
- Provide all information reasonably necessary to demonstrate compliance with this DPA and cooperate with audits as described in Section 11;
- Promptly notify you if, in SimStim's opinion, an instruction infringes Applicable Data Protection Law.
04 — Controller Obligations
You, as Data Controller, represent and agree that:
- You have a lawful basis for processing Personal Data through the Services under Applicable Data Protection Law;
- You have provided all required notices to and obtained all necessary consents from Data Subjects for the processing activities contemplated by this DPA;
- Your instructions to SimStim will comply with Applicable Data Protection Law;
- You are solely responsible for the accuracy, quality, and legality of the Personal Data you input into or transmit through the Services;
- You will not instruct SimStim to process Personal Data in a manner that would violate Applicable Data Protection Law or this DPA.
05 — Sub-Processors
You provide general authorization for SimStim to engage Sub-Processors to assist in delivering the Services. SimStim will:
- Maintain an up-to-date list of approved Sub-Processors (see Schedule B);
- Notify you at least 30 days in advance before adding or replacing a Sub-Processor that processes Personal Data;
- Impose data protection obligations on Sub-Processors equivalent to those in this DPA;
- Remain liable to you for the acts and omissions of its Sub-Processors to the same extent as if SimStim had performed the processing directly.
If you object to a new Sub-Processor on reasonable data protection grounds, you may notify SimStim within 14 days of the change notice. If the parties cannot resolve the objection, you may terminate the Services on 30 days' written notice.
06 — Data Subject Rights
If SimStim receives a request from a Data Subject seeking to exercise rights under Applicable Data Protection Law (including rights of access, correction, deletion, portability, restriction, or objection), SimStim will:
- Promptly notify you of the request;
- Not respond directly to the Data Subject (except to confirm receipt and direct them to you), unless you instruct otherwise or SimStim is required to do so by law;
- Provide reasonable assistance to help you fulfill the request within applicable timeframes.
You are responsible for responding to Data Subject requests for Personal Data that you control. SimStim will provide the technical means to assist where the relevant Personal Data is within SimStim's systems.
Note regarding Anthropic: Anthropic independently handles data subject requests relating to Claude. SimStim is responsible only for data it collects and controls directly. Please direct Claude-related data requests to privacy@anthropic.com.
07 — Security Measures
SimStim shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against Security Incidents. These measures include, at minimum:
- Encryption in transit: All Personal Data transmitted between users, devices, and SimStim servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Personal Data stored in SimStim databases is encrypted at rest.
- Access controls: Access to Personal Data is restricted to authorized personnel who require access to perform their job functions, on a least-privilege basis.
- Authentication: Multi-factor authentication is required for access to production systems containing Personal Data.
- Vulnerability management: SimStim maintains a process for receiving, assessing, and remediating security vulnerability reports.
- Logging and monitoring: Access to Personal Data in production systems is logged and monitored for anomalous activity.
- Personnel training: SimStim personnel with access to Personal Data receive regular data protection training.
SimStim will review and update these measures periodically in response to new threats or changes to the Services.
08 — Data Breach Notification
In the event SimStim becomes aware of a Security Incident involving Personal Data processed under this DPA, SimStim will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the Security Incident (consistent with GDPR Article 33 timelines);
- Provide, to the extent then known: a description of the nature of the incident; the categories and approximate number of Data Subjects and records affected; likely consequences; and measures taken or proposed to address the incident;
- Cooperate with you and take reasonable steps to mitigate the effects of the Security Incident;
- Not make any public disclosure about the Security Incident relating to your Personal Data without your prior written consent, except as required by law.
Notification to you does not constitute an acknowledgment by SimStim of fault or liability in connection with the Security Incident.
09 — International Data Transfers
SimStim's primary infrastructure is located in the United States. If you are based in the European Economic Area (EEA), United Kingdom, or Switzerland, any transfer of Personal Data from those regions to SimStim's US-based infrastructure will be made pursuant to:
- The European Commission's Standard Contractual Clauses (Module 2: Controller to Processor), which are hereby incorporated by reference into this DPA; or
- Any other adequate transfer mechanism recognized under Applicable Data Protection Law.
By entering into this DPA, you and SimStim agree to be bound by the applicable SCCs for any such transfers. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
SimStim will not transfer Personal Data to any country or organization that does not provide an adequate level of data protection without implementing appropriate safeguards.
10 — Retention & Deletion
SimStim retains Personal Data only for as long as necessary to perform the Services or as required by Applicable Data Protection Law.
- Push history: Retained for 90 days, then automatically deleted. You may clear push history at any time from your account settings.
- Account and screen configuration data: Retained until your account is closed or you delete individual screens.
- Server logs: Retained for up to 90 days for security and debugging, then deleted.
- Backup data: Included in automated backup rotations and permanently deleted within 30 days of the primary data deletion.
Upon termination of Services for any reason, SimStim will, at your choice, delete or return all Personal Data to you within 30 days, and certify in writing that deletion has occurred, unless Applicable Data Protection Law requires further retention.
11 — Audit Rights
SimStim will make available to you, upon reasonable request, all information necessary to demonstrate compliance with this DPA. SimStim may satisfy this obligation by providing:
- Responses to security questionnaires or compliance assessments;
- Third-party audit reports or certifications (e.g., SOC 2, ISO 27001) if and when obtained; or
- Access to relevant policies, procedures, and documentation.
You may request an on-site or remote audit of SimStim's data processing activities no more than once per year, with at least 30 days' written notice, at your expense. SimStim may require that such audits be conducted by a mutually agreed third-party auditor subject to appropriate confidentiality obligations. SimStim reserves the right to object to auditors who are competitors or who pose a conflict of interest.
12 — Liability
Each party's liability under this DPA is subject to the limitations set out in the SimStim Terms of Service.
As between the parties, you are responsible for your compliance with Applicable Data Protection Law in your capacity as Controller, including the lawfulness of your instructions to SimStim. SimStim is responsible for its compliance with this DPA and Applicable Data Protection Law in its capacity as Processor.
If a Data Subject or regulatory authority brings a claim against SimStim for processing Personal Data in violation of this DPA due to your instructions, you will indemnify and hold SimStim harmless from any resulting damages, costs, and penalties, to the extent such claim arises from your failure to comply with your obligations as Controller.
13 — Term & Termination
This DPA is effective from the date you accept the SimStim Terms of Service and remains in effect for the duration of the Terms of Service.
This DPA automatically terminates upon termination of the Terms of Service. The obligations in Sections 3, 6, 7, 8, 10, 11, and 12 survive termination.
Any amendment to this DPA requires written agreement between the parties. SimStim may update this DPA to reflect changes in Applicable Data Protection Law by providing 30 days' advance notice to you.
Schedule A — Processing Details
This Schedule describes the processing of Personal Data by SimStim under this DPA.
Processing Details
- Subject matter: Operation of the SimStim ambient display connector service — routing content from Claude to registered display screens.
- Duration: For the term of the SimStim Terms of Service, plus any retention periods described in Section 10.
- Nature of processing: Collection, storage, transmission, display, and deletion of personal data in connection with the Services.
- Purpose of processing: To authenticate users, operate screen registration and content delivery, maintain push history and scheduling, and provide technical support.
- Types of personal data: Account data (name, email address); screen configuration data (screen names, display URLs); push history (content payloads, timestamps, screen identifiers); device metadata (device type, optional); technical data (IP address, browser type, session tokens); payment-related identifiers (managed by payment processor).
- Categories of data subjects: SimStim account holders (registered users). Potential indirect data subjects: persons who appear in content pushed to displays (e.g., names in meeting agendas, menu items).
- Special categories: SimStim does not intentionally process special categories of personal data (e.g., health, biometric, political, or religious data). Users should not input such data into the Services.
Schedule B — Approved Sub-Processors
The following Sub-Processors are currently authorized to process Personal Data in connection with the SimStim Services. SimStim will notify you of any additions or changes at least 30 days in advance.
| Sub-Processor | Purpose | Location | Data Categories |
| --- | --- | --- | --- |
| Cloudflare, Inc. | Cloud hosting, CDN, DDoS protection, DNS | USA / Global | All data in transit; server logs |
| Anthropic, PBC | Claude AI connector protocol — receives content payloads and screen identifiers when users instruct Claude to push content | USA | Screen identifiers; content payloads |
| [Payment Processor TBD] | Payment processing for paid plans (Pro/Enterprise) | TBD | Payment identifiers (card data not stored by SimStim) |
| [Email Provider TBD] | Transactional email delivery (account confirmation, password reset) | TBD | Email address; email content |
| [Error Monitoring TBD] | Application error logging and monitoring | TBD | Anonymized error logs; technical identifiers |
Signatures — Execution
By using the SimStim Services, you agree to this Data Processing Agreement. If you are entering into this DPA on behalf of a company or other legal entity, you represent that you have the authority to bind that entity.
For enterprise customers requiring a separately executed DPA, please contact legal@simstim.ai.
Controller (You / Customer)
- Name:
- Title:
- Date:
Processor (SimStim.ai)
- Authorized Signatory:
- Title:
- Date: