
Data Processing Addendum

This Data Processing Addendum outlines the data protection commitments between CBK.AI LTD and its customers, detailing the processing of personal data, compliance with data protection laws, security measures, and the roles of the parties involved. It includes provisions on data storage, deletion, and the use of subprocessors to ensure secure and compliant handling of customer data.

This Data Processing Addendum (“Addendum”) forms part of the Enterprise Services Agreement or similar agreement (the “Agreement”) between CBK.AI LTD (ChatBotKit) (“Company”) and ${counterpartyName} (“Customer”) (collectively, the “Parties”).

  1. Subject Matter and Duration.
    1. Subject Matter. This Addendum reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Customer Personal Data in connection with Company’s execution of the Agreement. All capitalized terms that are not expressly defined in this Data Processing Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
    2. Duration and Survival. This Addendum will become legally binding upon the Effective Date of the Agreement or upon the date upon which both Parties have signed this Addendum, if it is completed after the Effective Date of the Agreement. Company will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Company’s obligations and Customer’s rights under this Addendum will continue in effect so long as Company Processes Customer Personal Data.
  2. Definitions.

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

    1. “Applicable Data Protection Law(s)” means the relevant data protection and data privacy laws, rules and regulations to which the Customer Personal Data are subject. “Applicable Data Protection Law(s)” shall include, but not be limited to, EU General Data Protection Regulation 2016/679 (“GDPR”) principles and requirements, the United Kingdom Data Protection Act 2018, and the California Consumer Privacy Act of 2018 (“CCPA”), and its implementing regulations. For the avoidance of doubt, if Company’s processing activities involving Customer Personal Data are not within the scope of an Applicable Data Protection Law, such law is not applicable for purposes of this Addendum.
    2. “Customer Personal Data” means Personal Data pertaining to Customer’s users or employees Processed by Company to provide the Services. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Exhibit 1 attached hereto, as required by the GDPR.
    3. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
    4. “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Law(s).
    5. “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    6. “Processor” means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data on behalf of Customer subject to this Addendum.
    7. “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Company.
    8. “Services” means any and all services that Company performs under the Agreement.
    9. “Standard Contractual Clauses” means the UK Standard Contractual Clauses, and/or the 2021 Standard Contractual Clauses.
    10. “Third Party(ies)” means Company’s authorized contractors, agents, vendors and third party service providers that Process Customer Personal Data.
    11. “UK Standard Contractual Clauses” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and completed as described below.
    12. “2021 Standard Contractual Clauses” means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described below.
  3. Data Use and Processing.
    1. Compliance with Laws. Customer Personal Data shall be Processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).
    2. Purpose Limitation. Company will not Process Customer Personal Data for any purpose other than for the specific purposes set forth in the Agreement, unless obligated to do otherwise by applicable law. In such case, Company will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so.
    3. Documented Instructions. Company and its Third Parties shall Process Customer Personal Data only in accordance with the documented instructions of Customer. The Agreement, including this Addendum, along with any applicable statement of work, constitute Customer’s complete and final instructions to Company regarding the Processing of Customer Personal Data, including for purposes of the Standard Contractual Clauses. Company will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
    4. Authorization to Use Third Parties. To the extent necessary to fulfill Company’s contractual obligations under the Agreement or any statement of work, Customer hereby authorizes (i) Company to engage Third Parties and (ii) Third Parties to engage subprocessors.
    5. Company and Third Party Compliance. Company agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Customer Personal Data that imposes on such Third Parties (and their subprocessors) data protection and security requirements for Customer Personal Data that are at least as restrictive as the obligations in this Addendum; and (ii) remain responsible to Customer for Company’s Third Parties’ (and their subprocessors if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data.
    6. Right to Object to Third Parties. Company’s list of Third Parties that Process Customer Personal Data is listed in Exhibit 2. Prior to engaging any new Third Parties that Process Customer Personal Data, Company will notify Customer via email and allow Customer thirty (30) days to object. If Customer has legitimate objections to the appointment of any new Third Party, the parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days, and failing any such resolution, Customer may terminate the part of the service performed under the Agreement that cannot be performed by Company without use of the objectionable Third Party.
    7. Confidentiality. Any person or Third Party authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.
    8. Personal Data Inquiries and Requests. Upon written request from Customer, Company agrees to provide reasonable assistance and comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Applicable Data Protection Laws (e.g., access, rectification, erasure, data portability, etc.). If a request is sent directly to Company, Company shall promptly notify Customer and shall not respond to the request unless Customer has authorized Company to do so.
    9. Government Access Requests. Unless prohibited by applicable law or a legally-binding request of law enforcement, Company shall promptly notify Customer of any request by government agency or law enforcement authority for access to or seizure of Customer Personal Data, and shall render reasonable assistance to Customer, if Customer wishes to contest the access or seizure.
    10. Data Protection Impact Assessment and Prior Consultation. Upon written request from Customer, Company agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgment, the type of Processing performed by Company is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, Processing sensitive Personal Data on a large scale and systematic monitoring on a large scale, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
    11. Sale of Customer Personal Data Prohibited. Company shall not sell Customer Personal Data as the term "sell" is defined by the CCPA.
    12. CCPA Certification. Company hereby certifies that it understands its restrictions and obligations set forth in this Addendum and will comply with them.
  4. Cross-Border Transfers of Personal Data.
    1. Cross-Border Transfers of Personal Data. Customer authorizes Company and its Third Parties to transfer Customer Personal Data across international borders, including from the European Economic Area (the “EEA”), the United Kingdom, and Switzerland to the United States. Company and Customer agree to use the Standard Contractual Clauses as the adequacy mechanism supporting the transfer and Processing of Customer Personal Data, as further detailed below.
    2. 2021 Standard Contractual Clauses. For transfers of Customer Personal Data out of the EEA that are subject to Section 4(a) of this Addendum, the 2021 Standard Contractual Clauses will apply and are incorporated into this Addendum. For purposes of this Addendum, the 2021 Standard Contractual Clauses will apply as set forth in this Section 4(b). “Module Two: Transfer controller to processor” will apply and all other module options will not apply. Under Annex 1 of the 2021 Standard Contractual Clauses, the “data exporter” is Customer and the “data importer” is Company and the information required by Annex 1 can be found in Exhibit 1. For the purposes of Annex 2 of the Standard Contractual Clauses, the technical and organizational measures implemented by the data importer are those listed in Section 5 of this Addendum. Clause 7 will not apply. For clause 9, the Parties choose Option 2 and the Parties agree that the time period for prior notice of Third Party changes will be as set forth in Section 3(f) of this Addendum. For clause 11, the optional language will not apply. For clause 17, the Parties choose Option 1 and the Parties agree that the governing law will be the Republic of Ireland. For clause 18, the Parties agree that the courts of the Republic of Ireland will apply for subsection (b).
    3. UK Standard Contractual Clauses. For transfers of Customer Personal Data out of the United Kingdom that are subject to Section 4(a) of this Addendum, the UK Standard Contractual Clauses will apply and are incorporated into this Addendum. For purposes of this Addendum, the UK Standard Contractual Clauses will apply as set forth in this Section 4(c). For Table 1 of the UK Standard Contractual Clauses, (i) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Annex 1 of the 2021 Standard Contractual Clauses and (ii) the Key Contacts shall be the contacts set forth in Annex 1 of the 2021 Standard Contractual Clauses. The Approved EU SCCs referenced in Table 2 shall be the 2021 Standard Contractual Clauses as executed by the Parties pursuant to this Addendum. For Table 3, Annex 1A, 1B, and II shall be set forth in Annex 1 of the 2021 Standard Contractual Clauses. For Table 4, either party may end the UK Standard Contractual Clauses as set out in Section 19 of the UK Standard Contractual Clauses.
    4. Switzerland Transfers. For transfers of Customer Personal Data out of Switzerland that are subject to Section 4(a) of this Addendum, the 2021 Standard Contractual Clauses will apply and will be deemed to have the differences set forth in this Section 4(d), to the extent required by the Swiss Federal Act on Data Protection (“FADP”). References to the GDPR in the 2021 Standard Contractual Clauses are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR. The term “member state” in the 2021 Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the 2021 Standard Contractual Clauses. References to personal data in the 2021 Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope. Under Annex I(C) of the 2021 Standard Contractual Clauses (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner; where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the 2021 Standard Contractual Clauses insofar as the transfer is governed by the GDPR.
    5. Each party’s signature to this Addendum shall be considered a signature to the Standard Contractual Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Standard Contractual Clauses as separate documents. In case of conflict between the Standard Contractual Clauses and this Addendum, the Standard Contractual Clauses will prevail.
  5. Information Security Program.
    1. Company agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as required by Applicable Data Protection Law(s) (the “Information Security Program”). Such measures shall be designed to include:
      1. Pseudonymisation of Customer Personal Data where appropriate, and encryption of Customer Personal Data in transit and at rest;
      2. The ability to ensure the ongoing confidentiality, integrity, availability of Company’s Processing and Customer Personal Data;
      3. The ability to restore the availability and access to Customer Personal Data in the event of a physical or technical incident;
      4. A process for regularly testing, assessing and evaluating the effectiveness of Company’s Information Security Program to ensure the security of Customer Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
  6. Security Incidents.
    1. Security Incident Procedure. Company will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner.
    2. Notice. Company agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) (but in no event longer than seventy-two (72) hours) to Customer’s Designated POC upon becoming aware that a Security Incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
  7. Audits.
    1. Right to Audit; Permitted Audits. Company shall make available to Customer and its regulators all information necessary to demonstrate compliance with Applicable Data Protection Laws and this Addendum. Customer and its regulators shall have the right to inspect Company’s architecture, systems, and documentation which are relevant to the security and integrity of Customer Personal Data, or as otherwise required by a governmental regulator:
      1. Following any notice from Company to Customer of an actual or reasonably suspected Security Incident involving Customer Personal Data;
      2. Upon Customer’s reasonable belief that Company is not in compliance with Applicable Data Protection Laws, this Addendum or its security policies and procedures under the Agreement;
      3. As required by governmental regulators;
      4. For any reason, or no reason at all, once annually.
    2. Audit Terms. Any audits described in this Section shall be:
      1. Conducted by Customer or its regulator, or through a third party independent contractor selected by one of these parties, and to whom Company does not reasonably object.
      2. Conducted during reasonable times.
      3. Conducted upon reasonable advance notice to Company.
      4. Of reasonable duration and scope and shall not unreasonably interfere with Company’s day-to-day operations.
      5. Conducted in such a manner that does not violate any agreement between Company and its service providers, including cloud providers, or violate or cause Company to violate its reasonable policies related to security and confidentiality.
    3. Third Parties. In the event that Customer conducts an audit through a third party independent auditor or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Company’s and Company’s customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement.
    4. Audit Results. Upon Company’s request, after conducting an audit, Customer shall notify Company of the manner in which Company does not comply with any of the applicable security, confidentiality or privacy obligations or Applicable Data Protection Laws herein. Upon such notice, Company shall make any necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Customer when such changes are complete. Notwithstanding anything to the contrary in the Agreement, Customer may conduct a follow-up audit within six (6) months of Company’s notice of completion of any necessary changes. To the extent that a Customer audit identifies any material security vulnerabilities, Company shall promptly remediate those vulnerabilities.
  8. Data Storage and Deletion.
    1. Data Storage. Company will not store or retain any Customer Personal Data except as necessary to perform the Services under the Agreement.
    2. Data Deletion. Company will abide by the following with respect to deletion of Customer Personal Data:
      1. Within ninety (90) calendar days of the Agreement’s expiration or termination, Company will securely destroy (per subsection (iii) below) all copies of Customer Personal Data (including automatically created archival copies).
      2. Upon Customer’s request, Company will promptly return to Customer a copy of all Customer Personal Data within thirty (30) calendar days and, if Customer also requests deletion of the Customer Personal Data, will carry that out as set forth above.
      3. All deletion of Customer Personal Data will be conducted in accordance with standard industry practices for deletion of sensitive data.
      4. Tapes, printed output, optical disks, and other physical media will be physically destroyed by a secure method, such as shredding performed by a bonded provider.
      5. Upon Customer’s request, Company will provide evidence that Company has deleted all Customer Personal Data. Company will provide the “Certificate of Deletion” within thirty (30) calendar days of Customer’s request.
  9. Contact Information.
    1. Company and the Customer agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POCs for both parties are:
      • Company Designated POC: Ivana Petkova, COO,
      • Customer Designated POC: ${counterpartyPoc}, ${counterpartyPocTitle}, ${counterpartyPocEmail}. If no individual and email is specified here, Company may use the Customer notice email specified in the Notices section of the Agreement.

CBK.AI LTD (ChatBotKit)

("Company")

Signature:

Name: Petko Petkov

Title: CEO and Founder

Date: ${date}

Address: 86-90 Paul Street, London, United Kingdom, EC2A 4NE

[TODO: Counterparty Name]

("Customer")

Signature: 

Name: ${signeeName}

Title: ${signeeTitle}

Date: ${date}

Address: ${counterpartyAddress}

Exhibit 1

DETAILED USES OF CUSTOMER PERSONAL DATA

1.1  Subject Matter of Processing: The subject matter of Processing is the Services pursuant to the Agreement.
1.2  Duration of Processing: The Processing will continue until the expiration or termination of the Agreement.
1.3  Categories of Data Subjects:
     - Users of the Services
     - Customers or clients using Conversational AI services
     - Participants in AI chat conversations
1.4  Nature and Purpose of Processing: Conversational AI services, AI chat completion and suggestion.
1.5  Types of Personal Information: First name, last name, email addresses and any other information that may be shared as part of saved conversations.

Exhibit 2

LIST OF SUBPROCESSORS

For the full, up-to-date subprocessor list with categories, data types processed, and regions of processing, see chatbotkit.com/legal/subprocessors.

Name                 | Purpose                         | Location
---------------------|---------------------------------|---------------
Hetzner              | Core Platform (Private Cloud)   | Germany
PlanetScale          | Core Database                   | United States
Vercel               | Application & API               | United States
Amazon Web Services  | Data Hosting & AI Services      | United States
Open AI              | AI Services                     | United States
OpenRouter           | AI Services                     | United States
Pinecone             | Data Hosting                    | United States
Upstash              | Data Hosting                    | United States
Stripe, Inc.         | Payment Processor               | United States
Zendesk, Inc.        | Customer Support                | United States
Twilio Sendgrid      | Transactional Mail Services     | United States