
Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Agreement between Supplier and Customer.

1. Purpose and scope

1.1 This DPA applies when Supplier processes Personal Data on behalf of Customer in connection with the Services.

1.2 The purpose of this DPA is to set out the Parties’ rights and obligations regarding the processing of Personal Data under applicable Data Protection Laws.

1.3 In case of conflict between this DPA and the rest of the Agreement regarding Personal Data, this DPA prevails.

2. Definitions

2.1 “Data Protection Laws” means all laws applicable to the processing of Personal Data under the Agreement, including Regulation (EU) 2016/679 (“GDPR”) and applicable national implementing or supplemental laws.

2.2 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” have the meanings given in the GDPR or other applicable Data Protection Laws.

2.3 “Customer Personal Data” means Personal Data contained in Customer Data that Supplier processes on behalf of Customer under the Agreement.

3. Roles of the Parties

3.1 As between the Parties, Customer acts as: (a) Controller; or (b) where applicable, Processor on behalf of its own client or affiliate controller.

3.2 Supplier acts as Processor, or where applicable sub-processor, of Customer Personal Data.

3.3 Supplier may also process limited Account Data and operational contact data as an independent controller for billing, security, abuse prevention, compliance, and corporate administration. Such processing is described in Supplier’s Privacy Policy and is not governed by this DPA except to the extent required by law.

4. Subject matter, duration, nature, and purpose

4.1 The subject matter of the processing is the provision, support, security, maintenance, and continuity of the Services.

4.2 The duration of the processing is the term of the Agreement and any limited post-termination period necessary to return or delete Customer Personal Data or comply with law.

4.3 The nature and purpose of the processing are described in Annex 1.

5. Documented instructions

5.1 Supplier will process Customer Personal Data only on Customer’s documented instructions, including as set out in the Agreement, this DPA, and the applicable Order Form, unless otherwise required by law.

5.2 Supplier will promptly inform Customer if, in Supplier’s opinion, an instruction infringes applicable Data Protection Laws.

5.3 Customer instructs Supplier to:

  • (a) Host, access, use, transmit, and otherwise process Customer Personal Data as necessary to provide the Services
  • (b) Generate and retain logs, backups, support records, and security records as necessary to operate the Services
  • (c) Engage approved subprocessors in accordance with Section 8
  • (d) Return or delete Customer Personal Data as described in Section 12

6. Confidentiality and personnel

6.1 Supplier will ensure that persons authorized to process Customer Personal Data are under an appropriate duty of confidentiality.

6.2 Supplier will limit access to Customer Personal Data to personnel who need such access for the purposes of the Agreement.

7. Security measures

7.1 Supplier will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, taking into account the state of the art, implementation costs, nature, scope, context, and purposes of processing, and the risk to Data Subjects.

7.2 Without limiting Section 7.1, Supplier’s measures include:

  • (a) Encryption in transit
  • (b) Access controls and role-based permissions
  • (c) Logging and monitoring
  • (d) Vulnerability management
  • (e) Backup and disaster recovery controls
  • (f) Support for single sign-on where offered
  • (g) Separation between Customer integration data and operational data as reasonably appropriate
  • (h) Personnel confidentiality and security training

7.3 Supplier may update the security measures from time to time, provided the overall level of protection is not materially reduced for the paid Commercial Service.

8. Subprocessors

8.1 Customer gives Supplier a general authorization to engage subprocessors.

8.2 Supplier will impose on each subprocessor data protection obligations no less protective than those set out in this DPA to the extent applicable to the services performed by that subprocessor.

8.3 Supplier will remain responsible for its subprocessors to the extent required by law and the Agreement.

8.4 Supplier will notify Customer of any intended addition or replacement of a subprocessor by email, in-product notice, or other reasonable means. Default notice period: 15 days.

8.5 Customer’s rights regarding subprocessors are notice and discussion rights only, unless otherwise required by law or expressly stated in an Order Form.

9. International transfers

9.1 Supplier will store and process Customer Personal Data within the EEA.

9.2 Supplier will not transfer Customer Personal Data outside the EEA unless:

  • (a) Customer has provided prior written instruction or approval
  • (b) The transfer is required to provide the Services and the Parties have agreed it in writing
  • (c) A lawful transfer mechanism under Data Protection Laws is in place

9.3 If a transfer outside the EEA becomes necessary, the Parties will cooperate to implement an appropriate transfer mechanism, including the European Commission’s Standard Contractual Clauses where applicable.

10. Assistance obligations

10.1 Taking into account the nature of the processing, Supplier will provide reasonable assistance to Customer for:

  • (a) Responses to Data Subject requests
  • (b) Security and breach obligations
  • (c) Data protection impact assessments where required
  • (d) Consultations with supervisory authorities where required

10.2 Supplier will notify Customer without undue delay, and in any event within seventy-two (72) hours after confirmation, of any Personal Data Breach affecting Customer Personal Data.

10.3 Supplier’s notice will include reasonably available information necessary for Customer to meet its own obligations.

11. Audit and information rights

11.1 Supplier will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

11.2 Supplier may satisfy audit requests by providing current audit reports, security materials, policy packs, architecture summaries, control matrices, penetration-test summaries, or equivalent independent verification materials.

11.3 If such materials are insufficient on reasonable grounds, Customer may conduct one audit per year, at Customer’s cost, on at least thirty (30) days’ prior written notice, during normal business hours, and subject to confidentiality, safety, and security restrictions.

11.4 The Parties will agree in advance on the scope, timing, duration, and manner of any audit. Customer will not access data belonging to other customers or Supplier trade secrets unrelated to Customer’s processing.

12. Return and deletion

12.1 Upon termination or expiry of the Agreement, Supplier will, at Customer’s written election:

  • (a) Return Customer Personal Data in a commonly used machine-readable format; or
  • (b) Delete Customer Personal Data, except to the extent retention is required by law.

12.2 Customer must submit any return request within thirty (30) days after termination. If Customer does not request return within that period, Supplier may delete Customer Personal Data in accordance with its standard retention schedule, subject to legal retention obligations.

12.3 Any post-termination processing solely for return, deletion, or legally required retention will remain subject to this DPA.

13. No training on Customer data

13.1 Supplier will not use Customer Personal Data, Customer Inputs, or Customer Outputs to train Supplier models or third-party models.

13.2 Supplier may process de-identified operational telemetry that does not identify individual employees and does not contain Customer Inputs or Outputs for service improvement and analytics, as permitted by the Agreement.

14. Liability

14.1 The liability provisions and limitations in the Agreement apply to this DPA.

Annex 1 — Specification of processing

A. Subject matter

Provision of AI agent software and related deployment, integration, support, monitoring, account management, logging, backup, and continuity services.

B. Duration

For the term of the Agreement and limited post-termination periods for return, deletion, backup expiry, dispute handling, and legal compliance.

C. Nature and purpose

Hosting, storage, retrieval, analysis, indexing, transmission, support, monitoring, security, backup, disaster recovery, and other processing necessary to provide the Services.

D. Categories of Data Subjects

  • Customer employees, contractors, administrators, and users
  • Customer clients, prospects, vendors, and counterparties whose data may be present in Customer systems
  • Other individuals whose Personal Data Customer submits to the Services

E. Categories of Personal Data

Depending on Customer’s use, may include:

  • Names, contact details, job titles, usernames
  • Account and authentication data
  • Support records
  • Repository metadata and business system metadata
  • Business records and documents submitted by Customer
  • Logs and operational metadata
  • Any Personal Data included by Customer in Inputs, Outputs, or connected systems

F. Sensitive data

No special category data is intended to be processed unless Customer includes it in connected systems or Inputs. If special category data is processed, Customer is responsible for ensuring a lawful basis and giving any necessary instructions.

Annex 2 — Retention schedule

| Data type | Retention period |
| --- | --- |
| Identifiable operational logs | Up to 3 months unless security investigation or legal need requires longer retention |
| De-identified or aggregated telemetry | Up to 12 months or longer if fully anonymized |
| Backups and disaster recovery copies | According to Supplier’s backup cycle and deletion process |
| Support records | For the duration of the support need and then according to standard retention periods |

Karinja Oy © 2026