Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Terms of Use or other agreement governing Customer’s use of the Services (the “Underlying Agreement”) and applies where CustomerNode processes Customer Data on behalf of Customer.
In the event of any conflict between this DPA and the Underlying Agreement, this DPA controls with respect to the processing of Customer Data.
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
- 1.1.1 “Underlying Agreement” means the Terms of Use or other agreement governing Customer’s use of the Services.
- 1.1.2 “User” means an individual end user (including the Customer’s personnel and any invited guests) who interacts with the platform provided by CustomerNode.
- 1.1.3 “Customer” means the organization (tenant) that has accepted the Underlying Agreement and on whose behalf Customer Data is uploaded or processed through the Services.
- 1.1.4 “CustomerNode” means the entity providing the Services, in the roles described in Section 2.2.
- 1.1.5 “Customer Data” means any data, including personal data, that the Customer or its Users upload to, submit to, or process through the Services.
- 1.1.6 “Processor” means CustomerNode, when processing Customer Data on behalf of the Customer in connection with the Services, solely to provide, maintain, secure, support, and improve the Services provided to the applicable tenant. Customer Data is not used to train shared or general-purpose foundation models. CustomerNode may perform tenant-specific AI processing, optimization, retrieval augmentation, embeddings, fine-tuning, or model adaptation where explicitly enabled for that tenant; any such processing is logically isolated to that tenant environment, may be disabled by the tenant, and is not used to improve shared models across customers.
- 1.1.7 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
- 1.1.8 “EEA” means the European Economic Area;
- 1.1.9 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- 1.1.10 “GDPR” means EU General Data Protection Regulation 2016/679;
- 1.1.11 “Data Transfer” means:
  - 1.1.11.1 a transfer of Customer Data from the Customer to CustomerNode (as Processor); or
  - 1.1.11.2 an onward transfer of Customer Data from CustomerNode to a Subprocessor, or between two establishments of CustomerNode, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
- 1.1.12 “Services” means the software services provided by CustomerNode under the Underlying Agreement.
- 1.1.13 “Subprocessor” means any person appointed by or on behalf of CustomerNode to process Customer Data in connection with this DPA.
1.2 The terms “Commission,” “Controller,” “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Processing,” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Customer Data
2.1 Lawful Basis for Processing. Customer is responsible for establishing and maintaining a lawful basis for the processing of Customer Data under applicable Data Protection Laws, including obtaining any required consents from Data Subjects. CustomerNode supports consent collection features within the Services where configured by the Customer.
2.2 Roles of the Parties.
- 2.2.1 Customer acts as Controller with respect to Customer Data uploaded or processed through the Services.
- 2.2.2 CustomerNode acts as Processor with respect to Customer Data processed on behalf of the Customer in connection with the Services.
- 2.2.3 CustomerNode acts as Controller solely with respect to business operations data for which CustomerNode independently determines the purposes and means of processing, including billing, account management, security operations, support communications, fraud prevention, legal compliance, and website analytics.
- 2.2.4 Customer Data processed through the Services remains logically isolated to the applicable tenant environment except where disclosure is required by law or explicitly authorized by the Customer.
2.3 Customer’s Obligations as Controller. The Customer, as Controller of Customer Data, agrees to:
- 2.3.1 Ensure that its provision of Customer Data to CustomerNode, and any instructions given to CustomerNode in connection with the Services, comply with the Underlying Agreement, this DPA, and applicable Data Protection Laws.
- 2.3.2 Establish and maintain a lawful basis for the Processing of Customer Data and, where required, obtain and document the necessary consents from Data Subjects.
- 2.3.3 Configure the Services (including any tenant-isolated AI-assisted functionality that the Customer chooses to enable) in a manner consistent with the Customer’s legal and contractual obligations to Data Subjects.
- 2.3.4 Cooperate with CustomerNode in responding to requests from Data Subjects related to their Customer Data.
2.4 CustomerNode’s Processing of Customer Data. CustomerNode, as the platform provider and in the roles described in Section 2.2, may Process Customer Data for the following purposes:
- 2.4.1 Processing Customer Data to provide, maintain, secure, support, and improve the Services, including tenant-isolated AI-assisted functionality requested or enabled by the applicable tenant.
- 2.4.2 Complying with applicable Data Protection Laws and other legal obligations applicable to CustomerNode in handling Customer Data.
- 2.4.3 Cooperating with the Customer and its Users in managing and responding to Data Subject requests relating to Customer Data.
2.5 Details of the Processing. The specifics of Customer Data Processing, including the duration, nature, and purpose of the Processing, as well as the types of Customer Data and categories of Data Subjects, are further detailed in Annex 1 (Details of the Processing) to this DPA.
3. CustomerNode Personnel
CustomerNode shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of CustomerNode or any Subprocessor who may have access to Customer Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Data, as strictly necessary for the purposes of this DPA, and to comply with applicable laws in the context of that individual’s duties to CustomerNode, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CustomerNode shall provide and maintain appropriate technical and organizational security measures to safeguard Customer Data within the Services. These measures shall ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 Where the Customer exports or otherwise removes Customer Data from the Services for external analysis or use, the Customer shall implement its own security measures to ensure the safe handling of such Customer Data in accordance with the terms of this DPA. The Customer shall ensure that such security measures are commensurate with the sensitivity of the Customer Data and the potential risks associated with its removal from the Services.
5. Subprocessing
CustomerNode may appoint a Subprocessor to assist in the processing of Customer Data, provided that:
- The Subprocessor is in compliance with all applicable data protection laws and regulations.
- The Subprocessor agrees in writing to data protection obligations substantively equivalent to the obligations of CustomerNode under this DPA.
- CustomerNode remains fully liable for the performance of the Subprocessor’s obligations under this DPA.
5.1 Current Subprocessors. A current list of CustomerNode’s Subprocessors is published at /trust-center/subprocessors/. A detailed list identifying the categories of Customer Data each Subprocessor processes and the location of such processing is available to the Customer on request to [email protected].
5.2 Notice of Changes. CustomerNode shall provide the Customer with reasonable prior notice (which may be given through the Services, by email, or by publication on the CustomerNode website) of any intended addition or replacement of Subprocessors processing Customer Data. CustomerNode will endeavor to provide such notice at least thirty (30) days in advance, except where a shorter period is reasonably necessary to address an urgent security, legal, or operational need.
5.3 Objection Process. Within thirty (30) days of receiving notice under Section 5.2, the Customer may object in writing to a proposed Subprocessor on reasonable grounds related to data protection. If the Customer objects, the Parties shall work in good faith to resolve the objection, which may include CustomerNode offering alternative measures to address the Customer’s concerns. If the Parties are unable to resolve the objection within a reasonable period, the Customer may terminate the affected portion of the Services with respect to which the Subprocessor would process Customer Data, on written notice to CustomerNode, without penalty.
Any appointment of a Subprocessor shall not relieve CustomerNode of its responsibilities and liabilities under this DPA.
6. Rights of Data Subjects
6.1 Data Subjects have the right to access, rectify, restrict processing, erase, and port their data, and to object to processing, in accordance with the GDPR. Requests for exercising these rights can be made through the platform’s user interface or by contacting us at [email protected]. Where a Data Subject wishes to exercise its rights (to the extent available to it under applicable law) of access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to Processing, the right not to be subject to automated individual decision-making, to opt-out of the sale of Personal Data, or the right not to be discriminated against for exercising any data privacy rights (each a “Data Subject Request”), it may do so through the means described above.
6.2 CustomerNode shall promptly notify the Customer if CustomerNode receives a Data Subject Request relating to Customer Data. Taking into account the nature of the Processing, CustomerNode shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfilment of the Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. Where a Data Subject contacts CustomerNode directly, CustomerNode may, where appropriate, refer the Data Subject to the Customer or assist the Customer in responding.
7. Personal Data Breach
7.1 CustomerNode maintains security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, shall notify the Customer without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data Processed on behalf of the Customer (a “Data Incident”). CustomerNode shall make commercially reasonable efforts to identify the cause of such Data Incident and take those steps as CustomerNode deems necessary and reasonable to remediate the cause of such Data Incident to the extent the remediation is within CustomerNode’s reasonable control. The obligations herein shall not apply to incidents that are caused by the Customer, the Customer’s Users, or third parties not engaged by CustomerNode as Subprocessors. To the extent legally permitted, Customer will provide CustomerNode with reasonable prior notice before publicly disclosing information regarding a Data Incident that directly identifies CustomerNode, so that the Parties may coordinate in good faith regarding the disclosure. Data Incidents may be reported to [email protected]. CustomerNode provides access and edit logging for Customer Data within the Services; the Customer is encouraged to regularly review these logs and check for any abnormal signs or activities that may indicate a Data Incident.
7.2 Where a Personal Data Breach affects Customer Data and CustomerNode is otherwise required to notify a supervisory authority under Article 33 of the GDPR with respect to its own Processing, CustomerNode shall do so no later than 72 hours after becoming aware of it. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, CustomerNode shall also communicate the breach to the affected Data Subjects without undue delay where required by applicable law. Nothing in this Section relieves the Customer of its own notification obligations as Controller under Articles 33 and 34 of the GDPR.
8. Data Protection Impact Assessment and Prior Consultation
CustomerNode shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Data by CustomerNode and its Subprocessors, and taking into account the nature of the Processing and the information available to CustomerNode and its Subprocessors.
9. Deletion or Return of Customer Data
9.1 Subject to this Section 9, on termination of the Services or upon the Customer’s written request, CustomerNode shall delete or, at the Customer’s option, return all copies of Customer Data within a commercially reasonable period following the date of cessation of any Services involving the Processing of Customer Data (the “Cessation Date”), in accordance with the rights of Data Subjects as defined in Section 6, except to the extent CustomerNode is required by applicable law to retain some or all of the Customer Data. The Customer may also delete or remove its own Customer Data at any time through the Services prior to the Cessation Date.
10. Audit Rights
10.1 Demonstration of Compliance: Upon request, CustomerNode commits to making commercially reasonable efforts to demonstrate compliance with the terms of this DPA and applicable Data Protection Laws to the Customer. This may include providing relevant documentation, summaries of audit reports, or other evidence of compliance. Standard compliance materials are described at /trust-center/audit-policy/.
10.2 Third-Party Auditor: The Customer has the right to appoint an independent, qualified third-party auditor to conduct audits for the purpose of ensuring CustomerNode’s compliance with this DPA and Data Protection Laws. The scope, timing, and duration of such audits will be mutually agreed upon between CustomerNode and the Customer, subject to reasonable requirements and constraints to maintain business operations and data security.
10.3 Limitations on Audit Rights: Information and audit rights of the Customer, as stipulated in Sections 10.1 and 10.2, will arise only to the extent that this DPA does not already provide the Customer with information and audit rights that meet the relevant requirements of Data Protection Law. CustomerNode reserves the right to limit or deny audit requests if they are deemed excessive, unduly disruptive to business operations, or if they compromise the security or privacy of the data of other customers or third parties.
10.4 Confidentiality of Audit: All audits conducted under this section shall be subject to confidentiality obligations. The Customer or its appointed third-party auditor will not disclose any confidential information obtained during the audit process without the prior written consent of CustomerNode.
10.5 Costs of Audit: Unless otherwise agreed, the Customer shall bear the costs associated with any audits carried out under this section, including any costs incurred by CustomerNode in facilitating the audit.
11. Data Transfer
11.1 Application: This Clause applies when Customer Data is transferred from within the European Economic Area (EEA) to countries that do not ensure an adequate level of data protection within the meaning of Data Protection Laws of the European Union.
11.2 Transfer Mechanism: To ensure the protection of Customer Data transferred outside the EEA, the Parties shall rely on Standard Contractual Clauses (SCCs) approved by the European Commission (including, where applicable, the SCCs adopted under Commission Implementing Decision (EU) 2021/914) or other suitable transfer mechanisms as permitted under the GDPR.
11.3 Binding Nature of SCCs: The applicable SCCs form a part of this DPA and bind both Parties to ensure the protection of Customer Data in compliance with the GDPR and other relevant Data Protection Laws.
11.4 Obligations of the Parties:
- Customer (Data Exporter): Shall ensure that Customer Data is transferred to CustomerNode in compliance with the GDPR and the terms of this DPA.
- CustomerNode (Data Importer): Shall process the Customer Data only for the specific purposes set out in this DPA and in accordance with the documented instructions of the Customer.
11.5 Data Subjects’ Rights: The Data Importer agrees to respect the rights of Data Subjects as per the GDPR, including the rights to access, rectification, erasure, and data portability.
11.6 Liability and Redress: The Parties acknowledge that the Data Importer is liable for any breaches of the SCCs attributable to it, and Data Subjects shall have the right to seek legal redress for such breaches as per the GDPR.
11.7 Law and Jurisdiction: The SCCs and any disputes arising from them shall be governed by the law of the Member State in which the Data Exporter is established (or such other law as the applicable SCCs require), and the competent courts of such Member State shall have exclusive jurisdiction in relation to such SCCs.
11.8 Review and Amendment: The Parties agree to review the effectiveness of the SCCs periodically and amend them as necessary to ensure ongoing compliance with the GDPR and other relevant data protection laws.
11.9 Conflict and Duration: In case of any conflict between the provisions of this Clause and other parts of this DPA, the provisions of this Clause shall prevail with respect to the matters it addresses. This Clause shall remain in effect for as long as Customer Data is being transferred outside the EEA under this DPA.
12. General Terms
12.1 Confidentiality
Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; or (b) the relevant information is already in the public domain.
12.2 Updates
CustomerNode may update this DPA from time to time to reflect changes in applicable law, regulatory guidance, or the Services.
12.3 Notices
All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this DPA or at such other address as notified from time to time by the Parties changing address.
13. Governing Law and Exclusive Jurisdiction
This DPA is governed by the laws of Delaware, without regard to its choice of law provisions. The Customer hereby consents to the exclusive jurisdiction of the competent courts of Delaware, United States of America, except where the applicable SCCs in Section 11 require otherwise with respect to disputes arising under those SCCs.
14. Contact Us
If you have questions or concerns about this DPA or the handling of personal information, please contact us at [email protected].
Effective Date: 6/23/2023
Last Updated: 5/19/2026
Annex 1 — Details of Processing
Subject Matter. CustomerNode’s provision of the Services to Customer under the Underlying Agreement.
Duration. For the term of the Underlying Agreement, subject to deletion or return of Customer Data as set forth in Section 9.
Nature and Purpose of Processing. Processing Customer Data to provide, maintain, secure, support, and improve the Services, including tenant-isolated AI-assisted functionality where enabled by the applicable tenant.
Types of Personal Data. Configurable by Customer; may include contact details, user identifiers and authentication metadata, user interactions with the Services, content uploaded by Customer or its Users, and any additional categories the Customer chooses to process.
Categories of Data Subjects. Customer’s personnel, Customer’s clients and prospects, invited guests, and other individuals interacting with the Services on behalf of or as configured by Customer.