Data Processing Agreement

1. Definitions

Capitalised terms not defined in this DPAhave the meaning given in the Agreement.

In addition, the following definitionsapply:

•         Applicable Data ProtectionLaw means all laws and regulations applicable tothe processing of Personal Data under the Agreement, including the UK GDPR, EUGDPR and the Data Protection Act 2018.

•         Controller, Processor, Data Subject, Personal Data, Processinghave the meanings given in Applicable Data Protection Law.

•         Customer Personal Data means Personal Data contained within Customer Data or ConversationData that Ai4u processes on behalf of the Customer.

•         Sub-Processor means any third party appointed by or on behalf of Ai4u to processCustomer Personal Data.

2. Roles of the Parties

2.1 Customer as Controller
The Customer acts as Controller (or Processor on behalf of another Controller)of Customer Personal Data.

2.2 Ai4u as Processor
Ai4u acts as Processor and shall process Customer Personal Data only ondocumented instructions from the Customer, including as necessary to providethe Software Services.

2.3 B2B Use Only
The Parties acknowledge that the Software Services are intended for businessuse only and not for personal or household purposes.

3. Details of Processing

3.1 Subject Matter

Provision of AI agent software, hosting,analytics, support and related services.

3.2 Duration

For the duration of the Agreement and anyretention period specified therein.

3.3 Nature and Purpose of Processing

•         Hosting and storage of CustomerData

•         Processing Conversation Datavia AI assistants (Korrah)

•         Authentication, access controland logging

•         Technical support andtroubleshooting

•         Security monitoring and abuseprevention

3.4 Types of Personal Data

As determined by the Customer, which mayinclude:

•         Names, contact details

•         Business identifiers

•         End-user conversation content

•         Metadata and usage data

3.5 Categories of Data Subjects

•         Customer employees andcontractors

•         End-users interacting with AIassistants

•         Other individuals whose data isincluded in Customer Data

4. Customer Obligations

The Customer warrants that:

•         it has a lawful basis forProcessing Customer Personal Data;

•         it has provided all requirednotices to Data Subjects;

•         its instructions comply withApplicable Data Protection Law;

•         it shall not upload or processunlawful or excessive Personal Data.

5. Ai4u Obligations

Ai4u shall:

5.1 process Customer Personal Data onlyon documented instructions from the Customer;

5.2 ensure that persons authorised toprocess Personal Data are bound by confidentiality obligations;

5.3 implement appropriate technical andorganisational measures to protect Customer Personal Data;

5.4 not use Customer Personal Data orConversation Data to train foundation models;

5.5 assist the Customer, to the extentreasonably possible, in responding to Data Subject requests;

5.6 notify the Customer without unduedelay upon becoming aware of a Personal Data Breach affecting Customer PersonalData;

5.7 upon termination, delete CustomerPersonal Data in accordance with the Agreement (typically within 30 days).

6. Sub-Processors

6.1 The Customer authorises Ai4u toengage Sub-Processors.

6.2 Ai4u shall:

•         impose data protectionobligations on Sub-Processors equivalent to this DPA;

•         remain responsible for the actsand omissions of Sub-Processors.

6.3 A current Sub-Processor List isavailable upon request. Ai4u shall notify Customers of material changes whererequired by law.

7. International Transfers

Customer Personal Data may be processedin the UK, EEA and United States.

Where transfers outside the UK/EEA occur,Ai4u shall implement appropriate safeguards, including:

•         EU Standard ContractualClauses; and/or

•         UK International Data TransferAddendum.

8. Security Measures

Ai4u shall implement commerciallyreasonable technical and organisational measures designed to:

•         prevent unauthorised access ordisclosure;

•         protect against accidental lossor destruction;

•         ensure ongoing confidentiality,integrity and availability.

Security measures may evolve in linewith industry standards.

9. Personal Data Breach

Ai4u shall notify the Customer withoutundue delay after becoming aware of a Personal Data Breach affecting CustomerPersonal Data and shall provide information reasonably required to meet theCustomer’s breach notification obligations.

10. Audit Rights

Upon reasonable notice and no more thanonce per year, the Customer may audit Ai4u’s compliance with this DPA, subjectto:

•         confidentiality obligations;

•         reasonable scope and timing;

•         use of third-party auditreports (e.g. ISO, SOC) where available.

11. Liability

Liability arising from this DPA issubject to the limitations of liability set out in the Agreement.

12. Governing Law

This DPA is governed by the laws ofEngland and Wales, and the courts of England shall have exclusive jurisdiction.

13. Order of Precedence

This DPA forms part of the Agreement. Inthe event of inconsistency:

1.       this DPA;

2.       the Terms of Service;

3.       any Proposal or SLA.

Schedule 1 – Technical andOrganisational Measures

Ai4u maintains security measuresappropriate to the risk, which may include:

•         access controls andauthentication

•         encryption in transit

•         logical segregation of customerdata

•         monitoring and logging

•         secure development practices

(Details available upon request.)

‍