DATA PROCESSING ADDENDUM

This Data Processing Agreement, including its schedules (“DPA”) is incorporated into the Agreement between Interai and Customer in relation to any processing activities performed by Interai with respect of Customer’s Personal Data as part of the License to Software and related Services, all set forth in the Agreement and any Order Form entered into by the parties. Any capitalized term not defined herein shall have such meaning ascribe to it under the general Terms.

INTERAI DOES NOT COLLECT ANY PERSONAL DATA OTHER THAN PERSONAL DATA RELATING TO CUSTOMER’S AGENTS. ALL OTHER PERSONAL DATA PROCESSED THROUGH THE SOFTWARE SHALL BE STRICTLY PROCESSED WITHIN CUSTOMER’S ENVIRONMENT WITHOUT ACCESS OR RETENTION BY INTERAI.

1. DEFINITIONS

1.1 “Agreement” means the Interai general Terms and Order Form executed between Interai and Customer, including any ancillary documents, exhibits, quotes, or statements of work entered into by Customer and Interai in connection therewith.

1.2 “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

1.3 "Controller Personal Data" means any Personal Data Processed by Processor on behalf of Controller pursuant to or in connection with the Agreement and Personal Information as defined under the CCPA and Information as defined under the Privacy Law.

1.4 “Data Protection Laws” means (i) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR"), laws implementing or supplementing the GDPR; (ii) Israel's Protection of Privacy Law, 1981 and regulations and orders promulgated thereunder, including without limitation Protection of Privacy Regulations (Information Security) 2017, and Directive 2-2011 for Use of Outsourcing for the processing of Personal Data (collectively, "Privacy Law"); (iii) the California Consumer Privacy Act of 2018, Cal. Civil Code Title 1.81.5 and the regulations thereunder, as may be amended from time to time ("CCPA"); and/or (iv) any privacy and data protection laws applicable to the Controller.

1.5 “Services” means the grant of License to the Software pursuant to the Agreement and any services relating thereto.

1.6 “Standard Contractual Clauses” means the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or updated from time to time by the European Commission (EC).

1.7 “Sub-Processor” means any Processor engaged by Processor, including Interai affiliates which shall be deemed approved Sub-Processors pursuant to Section ‎8.

1.8 The terms "Controller", "Data Subject", "Data Protection Officer", "Member State", "Personal Data", "Personal Data Breach", "Processor", "processing", and "Supervisory Authority" shall have the meanings ascribed to them in the GDPR.

1.9 The terms "Business", "Consumer", "processing", "Request to Know", "Request to Delete", "Request to Opt-Out", "Sell", "Service Provider", shall have the meanings ascribed to them in the CCPA.

2. APPLICATION OF DATA PROTECTION LAWS

2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the processing of Controller Personal Data, (i) as applicable under the GDPR, Customer is the Data Controller, and Interai is the Processor appointed by the Customer on behalf, and accordingly (ii) as applicable under the CCPA when Customer collects Personal Information that is subject to the CCPA, Customer may constitute a Business with respect to such Personal Information and Interai will therefore be considered a Service Provider on its behalf. Each Party is responsible for complying with the Data Protections Laws as they apply to it.

2.2 Additional Measures. If any Data Protection Laws impose on Processor additional or overriding obligations to those in this Data Processing Addendum with respect to its processing of Controller Personal Data or require Controller and Processor to enter into any additional agreements or to implement any additional security or organizational security measures to process Controller Personal Data under the Agreement, Controller and Processor agree to negotiate such additional obligations, agreements, or security measures in good faith. If the Parties are unable to agree on a resolution and costs in respect of additional measure required in consideration of such additional obligations, then either party may immediately terminate the Agreement and Processor shall have no further liability to Controller in respect of such termination.

2.3 CCPA Related Provisions. In the event the CCPA applied to the processing of Controller Personal Data under this Data Processing Addendum, the Additional CCPA Terms attached hereto as Exhibit A shall apply to such processing in addition to this DPA.

3. PROCESSING OF CONTROLLER PERSONAL DATA

3.1 Controller Responsibilities
3.1.1 Controller shall, in its use of the Services, process Controller Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to data controllers thereunder. Controller shall comply with all necessary transparency and lawful requirements under Data Protection Laws in order to disclose any Controller Personal Data to Processor, including without limitation as applicable obtaining all consents necessary to enable the processing activities contemplated under this DPA. Controller’s instructions for the Processing of Controller Personal Data shall comply with Data Protection Laws and shall be in strict consistence with the scope of the Agreement.

3.1.2 Controller shall defend, hold harmless and indemnify Processor, its affiliates, and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation, or infringement by Controller and/or its authorized users of any Data Protection Laws and/or this DPA and/or this Section.

3.1.3 Processor will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Controller to the extent that such is a result of Controller’s instructions.

3.2 Processor Responsibilities

3.2.1 Processing. Processor shall process Personal Data on Controller’s behalf and in accordance with Controller’s documented instructions as necessary for the performance of the Services and for the performance of the Agreement and this DPA. Processor will comply will all applicable Data Protection Laws. Where Processor believes that an instruction of Controller would result in a violation of any applicable Data Protection Laws, Processor shall notify the Controller thereof without undue delay.

3.2.2 Details of Processing. The details of processing activities to be carried out by Processor in respect of the engagement under the Agreement, including with respect of the duration of the Processing, the nature, and purposes of the Processing, as well as the types of Personal Data processed and categories of Data Subjects under this DPA are further specified in Exhibit B (Details of the Processing).

3.2.3 Assistance. Processor will use reasonable commercial efforts to assist Controller in ensuring compliance with Controller's obligations related to the security of the Controller Personal Data processed by Processor, notification, and communication of data breaches, conduct of data protection impact assessments and any inquiry, investigation, or other request by a Supervisory Authority.

4. SECURITY, AUDITS, AND INSPECTIONS

4.1.1 Controls for Protection of Personal Data. Taking into account the state of the art, the type of Controller Personal Data and the risk of a data security breach, Processor shall implement and maintain those technical and organizational measures set forth in Exhibit C as required to ensure an appropriate level of security pursuant to Article 32 of the GDPR in order to avoid accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to Controller Personal Data and/or as otherwise required pursuant to applicable Data Protection Laws. Controller and Processor agree that the technical and organizational security measures that are listed in Exhibit C ensure a level of security that is appropriate to for dealing with and protecting against any risks to the rights and freedoms of the data subjects’ Personal Data as contemplated in this DPA.

4.1.2 Records of Processing. Each of Processor and Controller will maintain up-to-date written records of its processing activities as required under Article 30 of the GDPR, including, inter alia, Processor’s and Controller's contact details, details of data protection officers (where applicable), the categories of processing, transfers of Controller Personal Data, and the technical and organizational security measures implemented by Processor. Upon request, each party will provide an up-to-date copy of these records to the other party.

4.1.3 Third Party Certification and Compliance Assessment. Processor shall make available to Controller information reasonably necessary to demonstrate its compliance with this DPA and Data Protection Laws and shall cooperate with reasonable privacy impact assessment requests by Controller (or another auditor mandated by Controller). The parties agree that Processor may satisfy its obligations under this Section, and any similar obligations under the Standard Contractual Clauses, by presenting summary copies of ISO 27001 certification or other security documentation at Processor’s discretion to Controller, which reports, certifications and documentation shall be subject to the confidentiality provisions of the Agreement.

4.1.4 Audit. Upon the prior request of Controller, and no more than once per year, upon prior notice of at least thirty (30) days, Processor shall make available to an independent third-party auditor appointed by Controller, all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits including inspection conducted by it. Any such inspection or audit shall be conducted during Processor’s regular business hours. Any personnel of the third-party auditor shall be bound by written agreement containing confidentiality obligations no less strict than under this Agreement and the findings of any such audit shall be deemed Processor’s Confidential Information. Controller shall provide Processor with a copy of such information and audit reports.

4.2 DPO. If required under Applicable Law, Processor will appoint a Data Protection Officer.

5. PERSONAL DATA BREACH

5.1 Notification. Processor shall notify Controller within forty-eight (48) hours after becoming aware of a Personal Data Breach affecting Controller Personal Data. In such event, Processor shall:
5.1.1 provide Controller with all available information relating to (i) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned; (ii) the likely consequences of the Personal Data Breach; (iii) the name and contact details of Processor's Data Protection Officer or another contact point where more information can be obtained; and (iv) a description of the measures taken or proposed to be taken by Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
5.1.2 reasonably cooperate with Controller in connection with the investigation, mitigation, and will use commercially reasonable efforts in the remediation of any Personal Data Breach the implementation of any necessary corrective action as determined by Processor.
5.1.3 The obligations herein shall not apply to incidents that are caused by Controller or Controller’s Agents or are otherwise unrelated to the provision of the Software. In any event, Controller will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws).

6. RIGHTS OF DATA SUBJECTS

6.1 Processor shall assist Controller in complying with any of Controller's statutory obligations concerning requests to exercise Data Subject rights under applicable Data Protection Law (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Taking into account the nature of the Processing, Processor shall use commercially reasonable efforts to assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Controller’s obligation to respond to a Data Subject Request under Data Protection Laws. To the extent legally permitted, Controller shall be responsible for any costs arising from Processor’s provision of such assistance.

7. PERSONNEL

7.1 Personnel. Processor shall ensure that only authorized personnel have access to Controller Personal Data and that any persons whom it authorizes to have access to Controller Personal Data on its behalf are subject to a binding contractual or statutory obligation to protect the Controller Personal Data and keep it confidential no less than Processor is required to do under the Agreement and this DPA. Processor shall ensure that its authorized personnel are appropriately trained regarding their data protection and confidentiality obligations.

7.2 Permitted Disclosure. Processor may disclose and Process the Controller Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws (in such a case, Processor shall inform the Controller of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.

8. SUB-PROCESSORS

8.1 Authorized Sup-Processors. Processor has appointed its Affiliates and the Sub-processors included in Exhibit D as Sub-Processors to perform processing activities in respect of Controller Personal Data on behalf of Processor, and any such Sub-Processors are hereby approved by Controller. Processing by Sub-Processors is done under a written contract containing: (i) materially equivalent obligations to those in this DPA; or (ii) provisions which meet the requirements under applicable Data Protection Laws including without limitation under Article 28(3), 28(7) and 28(8) of the GDPR and Section 1798.140 (v) and (w) of the CCPA. Processor shall remain fully responsible for its Affiliates and the Sub-Processors’ performance of their obligations.

8.2 Objection Right for Sub-Processors. Processor may not add or change a Sub-Processor without first notifying Controller in writing (including by providing public notice of an update on its website) and giving Controller ten (10) days (from date of receipt of the notice) to object to the change in Sub-Processor on reasonable and objectively justifiable grounds that are related to the data protection measures implemented by such Sub-Processor. Controller may subscribe to e-mail notifications of any new Sub-Processor by sending an email to team@inter.ai with the subject “SUBSCRIPTION TO SUB-PROCESSORS NOTIFICATION.” Failure to object during the notice period to such Sub-processor shall be deemed as acceptance of the Sub-Processor. Failure to object to such Sub-processor in writing following Processor’s notice in the aforementioned objection period shall be deemed as acceptance of the Sub-Processor. If Controller objects to the change in Sub-Processor, then the parties will work together in good faith to resolve the objection, which may include avoiding the functionality provided by the new Sub-Processor or recommending a commercially reasonable workaround to avoid processing of the Controller Personal Data by the new Sub-Processor. If such agreement is not reached then Controller, as its sole and exclusive remedy, may terminate the applicable Agreement and this DPA, solely with respect to those Services which cannot be provided by Processor without the use of the objected-to Sub-processor.

9. TRANSFERS OF DATA

9.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein, and Iceland) (collectively, “EEA”) and the United Kingdom to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States, or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.

9.2 Transfers to Other Countries. If the Processing of Personal Data includes transfers from the EEA to countries outside the EEA which are not subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with their applicable obligations under Chapter V of the GDPR, including, if necessary, executing the Standard Contractual Clauses or comply with any of the other mechanisms provided for in the GDPR for transferring Personal Data to such Other Countries.  

9.3 Standard Contractual Clauses. The Parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfers from the EEA to Other Countries, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the GDPR) outside the EEA.
9.3.1 Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data controller of the Personal Data and Interai is the data processor of the Personal Data.
9.3.2 Module Three (Processor to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Interai as the data processor of the Personal Data and a third party appointed by Interai is a Sub-processor of the Personal Data.
9.3.3 Clause 7 of the Standard Contractual Clauses (Docking Clause) shall apply.
9.3.4 Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 8 of the DPA.
9.3.5 In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
9.3.6 In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland.9.3.7 In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of Ireland.
9.3.8 Annex I.A of the Standard Contractual Clauses shall be completed as follows:
(i) Data Exporter: CUSTOMER.
(ii) Contact details: As detailed in the Agreement.
(iii) Data Exporter Role: As detailed in the Agreement.
(iv) Module Two: The Data Exporter is a data controller.
(v) Module Three: The Data Exporter is a data processor.
(vi) Data Importer: Interai.
(vii) Contact details: As detailed in the Agreement.
(viii) Data Importer Role: service provider.
(ix) Module Two: The Data Importer is a data processor.
(x) Module Three: The Data Importer is a sub-processor.
9.3.9 Annex I.B of the Standard Contractual Clauses shall be completed as follows:
(i) The categories of Data Subjects are described in Exhibit B (Details of Processing) of this DPA.
(ii) The categories of Personal Data are described in Exhibit B (Details of Processing) of this DPA.
(iii) The frequency of the transfer is a continuous basis for the duration of the Agreement.(iv) The nature of the processing is described in Exhibit B (Details of Processing) of this DPA.
(v) The purpose of the processing is described in Exhibit B (Details of Processing) of this DPA.
(vi) The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
(vii) In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in Exhibit B (Details of Processing) of this DPA.
(viii) Annex I.C of the Standard Contractual Clauses shall be completed as follows:
(ix) The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated above.
(x) The security documentation referred to in the DPA serves as Annex II of the Standard Contractual Clauses.

10. RETURN OR DELETION OF PERSONAL DATA

10.1 Return. Processor will retain Controller Personal Data only for as long as necessary to satisfy the purposes for which it was provided to Processor by Controller. Processor shall, at Controller’s request and option, delete or return the Controller Personal Data to Controller all copies of any Controller Personal Data once such data is no longer necessary to be retained in accordance with the Agreement. Processor shall ensure that all Sub Processors shall similarly delete or return all copies of Controller Personal Data.
10.2 Retention. Notwithstanding, Processor may retain Controller Personal Data to the extent required according to applicable laws of the European Union of any Member State, or for evidence and legal compliance purposes, provided that such Controller Personal Data shall continue to be retained in accordance with the terms of this DPA. If Controller requests the Controller Personal Data to be returned, the Controller Personal Data shall be returned in the format generally available for Processor’s customers.

11. TERMINATION

1.1 This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.

12. ORDER OF PRECEDENCE

1.2 In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely as relating to matters concerning personal data. Except as expressly modified herein, all terms and conditions of the Agreement shall remain in full force and effect. With respect to Processor’s processing of Controller Personal Data as part of a transfer pursuant to Section 9.3, in the event of a conflict between the terms of the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail.

13. MODIFICATIONS

Processor reserves the right, at its discretion, to change this DPA at any time. Such change will be effective ten (10) days following sending a notice thereof to Controller or posting the revised DPA on the Interai website, and Controller’s continued use of the Software thereafter means that Controller accepted those changes.

EXHIBIT A - CCPA ADDITIONAL TERMS

To the extent that CCPA/CPRA applies to the processing by Processor of any Controller Personal Data, then, notwithstanding anything to the contrary in the DPA:  
(a) Interai shall comply with the obligations of a “service provider” as defined in CCPA/CPRA.
(b) Customer shall disclose Personal Data to Interai solely for: (i) a valid business purpose; and (ii) Interai to perform the Services.
(c) Interai is prohibited from: (i) selling or sharing Personal Data; (ii) retaining, using, or disclosing Personal Data for any purpose other than for the business purposes specified in this Agreement, including a commercial purpose other than providing the Services or as otherwise permitted by the CCPA/CCRA; (iii) retaining, using, or disclosing the Personal Data outside of the Agreement; and (iv) combining the Personal Data that Interai receives from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that Interai may combine personal information to perform any business purpose as defined in regulations adopted pursuant to the CCPA/CPRA.
(d) Interai acknowledges that Customer discloses Personal Data only for limited and specified purposes, as set forth herein.
(e) Customer may take reasonable and appropriate steps to help ensure that Interai uses the Personal Data transferred to it in a manner consistent with Customer’s obligations under the CCPA/CPRA.
(f) Interai shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA/CPRA provided that such notice shall not derogate from Interai’s responsibilities under this DPA so long as it is in effect.
(g) Customer may, upon notice to Interai, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.(h) Both parties certify that they understand and will comply with the restrictions set forth in this Exhibit A to the DPA.

EXHIBIT B - DETAILS OF THE PROCESSING

Subject matter. Interai will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.

Nature and Purpose of Processing
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the service(s) to Customer, and providing support and technical maintenance, if agreed in the Agreement
2. For Interai to comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
Duration of Processing.
Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Interai will Process Controller Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

Type of Personal Data.
Interai may process Controller Personal Data through the Services, the extent of which is controlled by Customer, and which may include, but is not limited to the following categories of Personal Data:
● Full name
● Address
● Phone number
● Email address
● Any other Personal Data or information provided through the Services.

Categories of Data Subjects
Interai may process Controller Personal Data through the Services under the Agreement, the extent of which is controlled by Customer, and which may include, but is not limited to the following categories of data subjects:
● Employees, service agents, advisors, freelancers of Customer (who are natural persons)

EXHIBIT C - SECURITY MEASURES

ISO 27001
Interai is ISO 27001 certified. As part of our compliance program, we have a set of procedures and policies and follow an annual methodical and documented compliance work plan.We are audited for compliance with the standard by an external 3rd party accreditation body on an annual basis.

Data in transit
The service supports only HTTPS communication. The Web server is configured to allow only incoming connections protected with TLS 1.2.
Interai issues a certificate (from Sectigo CA) upon setup which is maintained and reissued by Interai ahead of expiration date.

Data at rest
All customers’ data hosted in AWS is encrypted using Amazon AES-256 encryption algorithm, including Elastic Block Store (EBS) storage and Relational Database Service (RDS) databases.

EXHIBIT D - SUB-PROCESSORS LIST