DATA PROCESSING ADDENDUM

Last updated September 21st 2024.

This SalesAi Data Processing Addendum (“Addendum”) is an agreement between SalesAi (“Company” or “Data Processor”) and you or the entity you represent (“Client” or “Data Controller”). This Addendum supplements those certain SalesAi Terms & Conditions and Agreement (as defined in or through the SalesAi Terms & Conditions) between Company and Client.
To the extent that Company Processes Personal Data (as defined below) on behalf of Client in the course of the provision of the Services, this Addendum shall apply.

In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be an addendum to the Agreement and incorporated therein by reference. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended, and including, this Addendum.

Definitions. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
Applicable Laws” means (a) EU law or any laws of a Member State of the EU in respect of which Company or Client is subject to and (b) any United States and other applicable law in respect of which Company or Client is subject to.
Client Personal Data” means any Personal Data which may be processed on behalf of Client pursuant to or in connection with the Agreement.
Data Protection Legislation” means GDPR and any applicable data protection or privacy law in respect of which Company or Client is subject to.
EEA” means the European Economic Area.
EU” means the European Union.
GDPR” means EU General Data Protection Regulation 2016/679, as amended from time to time.
Services” means the services as defined in the Agreement.
Standard Clauses” means the standard clauses for the transfer of Personal Data pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council  available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
Sub-processor” means any person (excluding an employee of Company or any of its sub-contractors) appointed by or on behalf of Company to Process Personal Data on behalf of Client in connection with the Agreement.
Supervisory Authority” means (a) an independent public authority which is established by a Member State of the EU pursuant to Article 51 of the GDPR and (b) any similar regulatory authority responsible for the enforcement of Data Protection Legislation.
Term” means the term of the Agreement, as defined therein.
The terms “Controller”, “Processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, and Processing” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

Processing of Client Personal Data.
The parties acknowledge that Client is the Controller and shall comply with the obligations of a Controller under the GDPR and that Company is acting in the capacity of a Processor. In some circumstances, Client may additionally or alternatively be a Processor, in which case Client appoints Company as an authorized Sub-processor, which shall not change the obligations of the parties under this Addendum as Company will remain a Processor in any such event.

Company shall process Client Personal Data on the documented instructions of Client, unless otherwise required by an Applicable Law to which Company is subject. In which case, Company shall notify Client if, in its opinion, any instruction infringes the GDPR or other EU or Member State data protection provisions, unless that law prohibits such notification. Such notification will not constitute a general obligation on the part of Company to monitor or interpret the laws applicable to Client, and such notification will not constitute legal advice to Client.

Client represents and warrants that it is and will, at all relevant times, remain duly and effectively authorized to give the instruction set out in Section ‎2.2.

Client represents and warrants that it has all the necessary rights to provide the Personal Data to Company for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in the Data Protection Legislation support the lawfulness of the Processing. To the extent required by the Data Protection Legislation, Client is responsible for ensuring that all necessary privacy notices are provided to Data Subjects, and unless another legal basis set forth in the Data Protection Legislation supports the lawfulness of the processing, that any necessary Data Subject consents to the Processing are obtained, and for ensuring that a record of such consent is maintained. Should such consent be revoked by a Data Subject, Client is responsible for communicating the fact of such revocation to Company in writing, and Company will act pursuant to Client’s instructions as appropriate.

Annex 1 to this Addendum sets out certain information as required by Article 28(3) of the GDPR, and Client represents and warrants it is an accurate reflection of the Processing activities pursuant to this Addendum and the Agreement. The nature of the Processing operations will depend on the scope of the Services, the nature of the Personal Data that Client provides, and manner by which Company finds appropriate to provide the required Services.

Confidentiality. Without prejudice to any existing contractual arrangements between the parties, Company shall ensure that any person that it authorizes to Process the Personal Data on its behalf shall be subject to a duty of confidentiality that shall survive the termination of their employment and/or contractual relationship.

Security.
Company shall implement appropriate technical and organizational measures to ensure an appropriate level of security for the Processing of Client Personal Data. Such measures may be updated by Company from time to time, provided that such updates shall not materially decrease the protection of Personal Data for Data Subjects.
Client acknowledges that the security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Client will therefore evaluate the measures as implemented in accordance with this Section 4 on an on-going basis in order to maintain compliance with the requirements set forth in this Section 4. The parties will negotiate in good faith, the cost, if any, to implement changes required by specific updated security requirements set forth in Data Protection Legislation or by data protection authorities of competent jurisdiction.

Sub-processing.
Client authorizes Company to appoint (and permit each Sub-processor to appoint) Sub-processors in accordance with Annex 2 to this Addendum and any restrictions in the Agreement, if required to do so to provide the Services.
Company shall inform the Client as soon as reasonably practicable of any intended changes concerning the addition or replacement of any of the authorized Sub-processors that will Process any Client Personal Data (“New Sub-processor”). If, within fourteen (14) calendar days of receipt of that notice, Client notifies Company in writing of any objections made on reasonable grounds, to the proposed appointment of a New Sub-processor, the parties will endeavor to agree (acting reasonably), without undue delay, on the commercially reasonable steps to be taken to ensure that the New Sub-processor is compliant with the requirements of this Addendum.

In the absence of a resolution, Company will make commercially reasonable efforts to provide Client with the same level of Services described in the Agreement, without using the objected Sub-processor to process Client Personal Data.
Where the Client reasonably argues that the risks involved with the sub-processing activities are still unacceptable, in the context of the requirements of the GDPR and in relation to the appropriate steps, within the requisite time frame, the parties shall promptly seek to resolve the issues. Where the parties are unable to resolve the issues within such time frame, Client’s sole remedy will be to terminate the Agreement.

With respect to each Sub-processors, Company shall ensure that the Sub-processor is bound by data protection obligations compatible with those of the Data Processor under this Addendum.

Data Subject Rights.
Client shall comply with requests received from Data Subjects to exercise their data protection rights under Data Protection Legislation.

If Client is unable to perform according to Section 6.1, and therefore requires Company’s assistance, while taking into account the nature of the Processing, Company may assist Client, upon Client’s request and at Client’s cost, by using appropriate technical and organizational measures, insofar as possible, to comply with requests to exercise Data Subject rights under the Data Protection Legislation.

Personal Data Breach.
If Company becomes aware of a Personal Data Breach that has a material impact on the Processing of Personal Data that is subject to the Agreement, it shall notify Client about the Personal Data Breach without undue delay and no later than seventy-two (72) hours after becoming aware of the Personal Data Breach.  

Where the Personal Data Breach is reasonably likely to require a data breach notification by Client under the Data Protection Legislation, Company will assist Client with the notification process.

Company shall, at Client’s cost, cooperate with Client and take reasonable commercial steps as requested by Client to assist in the investigation and mitigation of a Personal Data Breach.

Deletion or Return of Client Personal Data.
Subject to Section ‎8.3, Client may by written notice to Company within thirty (30) calendar days following the Term require Company to (a) return a copy of all Client Personal Data in Company’s possession to Client and (b) delete all other copies of Client Personal Data Processed by Company. Company shall comply with any such written request within sixty (60) calendar days.

Company shall notify the relevant Sub-processors processing Personal Data on its behalf of the termination of this Addendum.

Company may retain Client Personal Data to the extent and for such period as required by Applicable Laws.

Audit Rights.
Subject to Sections ‎9.2 and ‎9.3, Company shall make available to Client upon a reasonable request, information which is reasonably necessary to demonstrate compliance with this Addendum.

Where applicable, if Client is not otherwise satisfied by its audit rights pursuant to the Agreement, Company shall, at the Client’s cost, allow for audits, including inspections, by an auditor mandated by Client (subject to Section ‎9.3 where auditor shall be subject to written confidentiality obligations in relation to such information) in relation to the Processing of Client Personal Data by Company, provided that: (a) Client shall give Company a reasonable notice of any audit or inspection to be conducted and (b) Client shall take reasonable steps to ensure (and shall procure that each of its mandated auditors) minimize disruption to Company’s business in the course of such audit or inspection and such audits or inspections shall be conducted during normal working hours.

Company may object to an auditor mandated by Client if the auditor is, in Company’s opinion, not suitably qualified or independent, a competitor of Company, or otherwise manifestly unsuitable. In the event of such an objection, Client shall appoint another auditor or conduct the audit itself.

General Terms.
Information may be transferred to third party companies and individuals who are located in a country outside of the EEA to facilitate Company’s Services. To the extent that Company or its Sub-processors Processes Client Personal Data in countries outside of the EEA that do not provide an adequate level of data protection, as determined by the European Commission or other adequate authority, the applicable model of the Standard Clauses shall apply and shall be incorporated herein or Company shall otherwise ensure that the continuity of protection of Personal Data shall be maintained for any respective onward transfers. With respect to each such data transfer, Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, while also taking into account the costs of implementation and the nature, scope, context, and purposes of processing as well as the likelihood of a risk to the rights and freedoms of natural persons.

To the extent that Company or Client is relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of a competent jurisdiction to be invalid, Company and Client agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

Client shall indemnify and hold harmless Company against all claims, losses, damages, and expenses incurred by Company arising out of a breach of this Addendum and/or the Data Protection Legislation by Client.

With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.
Company may update this Addendum from time to time based on Data Protection Legislation.

Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable provision had never been contained herein.

ANNEX 1: DETAILS OF PROCESSING OF CLIENT PERSONAL DATA
This Annex 1 includes certain details of the Processing of Client Personal Data as required by Article 28(3) of the GDPR.

Subject Matter and Duration of the Processing of Client Personal Data
The subject matter and duration of the Processing of the Client Personal Data are set out in the Agreement and this Addendum.

The nature and purpose of the Processing of Client Personal Data
Company provides artificial intelligence software to work alongside sales and marketing teams. Company allows its Clients to convert leads and increase lead qualification using automated, personalized, and contextual responses and follow ups for their end users. In the course of the provision of its Services, Company may receive access to and process Client Personal Data to provide the Services in accordance with the Agreement and this Addendum.

The Categories of Data Subject to Whom the Client Personal Data Relates
The categories of Data Subjects are chosen by Client.

The Obligations and Rights of Client
The obligations and rights of Client are set out in the Agreement and this Addendum.

ANNEX 2: COMPANY’S SUB-PROCESSORS
Name of Sub-processor Type of Services Provided Location[AWS][Hosting][USA][________][Hosting][USA][________][Database][USA]