Data Processing Addendum
Last Updated: March 22, 2025
This Data Processing Addendum ("DPA") forms part of the Terms of Service or Enterprise Agreement (in either case, the "Agreement") entered into between Spoko.ai, Inc. ("Spoko.ai") and you that incorporates this DPA by reference. This DPA governs the processing of Personal Information by Spoko.ai in providing the Service (as defined in the Agreement). This DPA does not apply to Personal Information once transferred from the Service to a Third-Party Service (as defined in the Agreement), as your agreement with that Third-Party Service will instead govern.
1.1. "Applicable Data Protection Law" means applicable law governing the use of, access to, deletion of, or processing of Personal Information under this DPA, including, but not limited to, U.S. Data Protection Laws and European Data Protection Laws, together with any national or subordinate legislation and regulations implementing, in each case as amended, repealed, consolidated, or replaced from time to time.
1.2. "commercial purpose", "controller", "processor", "data subject", "processing" (and "process"), "service provider", and "supervisory authority" each have the meaning given to them in Applicable Data Protection Law, as appropriate.
1.3. "Controller to Processor SCCs" means the Module Two (transfer controller to processor) of the European Commission Implementing Decision (EU) 2021/914, which can be found here: https://www.spoko.ai/legal/standard-contractual-clauses, as updated or replaced from time to time.
1.4. "Data Privacy Framework" means the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, and the UK Extension to the EU-US Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce, as may be amended, superseded, or replaced from time to time.
1.5. "Data Privacy Framework Principles" means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as may be amended, superseded, or replaced from time to time.
1.6. "Europe" means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.
1.7. "European Data" means Personal Information that is subject to the protection of European Data Protection Laws.
1.8. "European Data Protection Laws" mean (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Information and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (b) in respect of the United Kingdom, the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK GDPR"); and (c) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss FADP"); in each case as may be amended, superseded, or replaced from time to time.
1.9. "Personal Information" means (a) personal data or personal information (as defined under the Applicable Data Protection Law) that is subject to the Applicable Data Protection Law and (b) that is contained within Customer Content, for which you authorize Spoko.ai to collect and process on your behalf in connection with Spoko.ai's provision of the Service under the Agreement.
1.10. "Processor to Processor SCCs" means the Module Three (transfer processor to processor) of the European Commission Implementing Decision (EU) 2021/914, which can be found here: https://www.spoko.ai/legal/standard-contractual-clauses, as updated and/or replaced from time to time.
1.11. "Security Incident" means a confirmed breach of security of the Service or Spoko.ai's systems used to process Personal Information leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information processed by Spoko.ai. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful login attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.12. "Sensitive Information" means any Personal Information (a) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (b) that is genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation; (c) relating to criminal convictions and offenses; and (d) any other form of Personal Information that is afforded enhanced protection under the Applicable Data Protection Law.
1.13. "Subprocessor List" means Spoko.ai's Subprocessors as identified on https://www.spoko.ai/legal/subprocessors.
1.14. "Swiss Amendments" mean the Controller to Processor SCCs or the Processor to Processor SCCs (as applicable) with the following amendments: (a) "FDPIC" means the Swiss Federal Data Protection and Information Commissioner, (b) "Revised FADP" means the revised version of the FADP of 25 September 2020, which is scheduled to come into force on 1 January 2023, (c) the term "EU Member State" must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c), (d) the Controller to Processor SCCs also protect the data of legal entities until the entry into force of the Revised FADP, and (e) the FDPIC shall act as the "competent supervisory authority" insofar as the relevant data transfer is governed by the FADP.
1.15. "UK Addendum" means the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and in force from 21 March 2022, available here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as updated and/or replaced from time to time. For the purposes of the UK Addendum, (a) the information required for Table 1 of the UK Addendum is contained in Schedule 1 of this DPA, and the start date shall be the commencement of the Service; (b) in relation to Table 2 of the UK Addendum, the version of the EU Clauses to which the UK Approved Addendum applies is Module Two for Controller to Processor where Spoko.ai is acting as your Processor and Module Three for Processor to Processor where Spoko.ai is acting as your Subprocessor; (c) in relation to Table 3 of the UK Addendum, the list of parties and description of the transfer are as set out in Schedule 1 of this DPA, Spoko.ai's technical and organizational measures are set out in Schedule 2 of this DPA, and the list of Spoko.ai's Subprocessors is as provided in Section 9 of this DPA; and (d) in relation to Table 4 of the UK Addendum, neither party will be entitled to terminate the UK Addendum in accordance with clause 19 of Part 2 of the UK Addendum.
1.16. "U.S. Data Protection Laws" mean all state laws in effect in the United States of America that are applicable to the processing of Personal Information under this DPA, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.
2.1. Categories of Data Subjects. As set out in Schedule 1.
2.2. Types of Personal Information. As set out in Schedule 1.
2.3. Subject-Matter and Nature of Processing. The subject-matter of processing of Personal Information by Spoko.ai is the provision of the Service to you that involves processing of Personal Information. Personal Information will be subject to those processing activities that Spoko.ai needs to perform in order to provide the Service pursuant to the Agreement, including the execution of Spokes (automated workflows).
2.4. Purpose of the Processing. Personal Information will be processed by Spoko.ai for purposes of providing the Service set out in the Agreement, including enabling Spokes to automate tasks across your connected apps.
2.5. Duration of the Processing. Personal Information will be processed for the duration of the Agreement, subject to Section 12 of this DPA.
3.1. Spoko.ai will process Personal Information in its capacity as processor (a) for the purpose of providing and supporting the Service, including Spokes, in accordance with the Agreement, this DPA, and any other documented lawful instructions from you (whether in written or electronic form); (b) to develop, enhance, and improve the Service as provided by the Agreement; and (c) as otherwise required by applicable law. Spoko.ai will at all times comply with the Applicable Data Protection Law in processing Personal Information under the Agreement.
3.2. Notwithstanding anything to the contrary in the Agreement, if required by Applicable Data Protection Law, Spoko.ai shall not: (a) retain, use, or disclose Personal Information other than as provided for in the Agreement or as needed to perform the Service; (b) "sell" or "share" (as such terms are defined by CCPA) Personal Information; (c) process Personal Information except as necessary for the business purposes specified in the Agreement or this DPA; or (d) retain, use, disclose, or otherwise process Personal Information outside of the direct business relationship with Customer and not combine Personal Information with personal information that it receives from other sources, except as permitted under the CCPA.
3.3. In case Spoko.ai cannot process Personal Information in accordance with your instructions due to a legal requirement under any applicable law to which Spoko.ai is subject, Spoko.ai shall (a) promptly notify you in writing (including by e-mail) of such legal requirement before carrying out the relevant processing, to the extent permitted by the applicable law, and (b) cease all processing (other than merely storing and maintaining the security of the affected Personal Information) until you provide Spoko.ai with new instructions.
3.4. You are solely responsible for (a) the accuracy, quality, and legality of Personal Information and the means by which you acquired Personal Information; (b) complying with all necessary transparency and lawfulness requirements under Applicable Data Protection Law for the collection and use of Personal Information, including obtaining any necessary consents and authorizations; (c) ensuring you have the right to transfer, or provide access to, Personal Information to Spoko.ai for processing in accordance with the terms of the Agreement (including this DPA); and (d) ensuring that your instructions to Spoko.ai regarding the processing of Personal Information comply with applicable laws, including Applicable Data Protection Law.
3.5. You are responsible for independently determining whether the data security provided for in the Service adequately meets your obligations under Applicable Data Protection Law. You acknowledge and agree that you are solely responsible for (a) certain configurations and design decisions for the Service, including Spokes, and (b) implementing those configurations and design decisions in a secure manner that complies with Applicable Data Protection Law. Without limiting the foregoing, you represent, warrant, and covenant that you shall only transfer Personal Information to Spoko.ai using secure, reasonable, and appropriate mechanisms.
3.6. You acknowledge that the Service is not intended or designed for the processing of Sensitive Information, and you agree not to provide any Sensitive Information through the Service. The parties agree that you provide Personal Information to Spoko.ai as a condition precedent to Spoko.ai's performance of the Service and that Personal Information is not exchanged for monetary or other valuable consideration.
3.7. You acknowledge that Spoko.ai is an independent controller when carrying out any activities not related solely to Spoko.ai's processing of Personal Information added by you to the Service (such as Spoko.ai's management of its online forum, analytics, customer accounts, and marketing program).
Spoko.ai shall implement and maintain throughout the term of the Agreement reasonable and appropriate technical and organizational measures designed to protect Personal Information against unauthorized or accidental access, loss, alteration, disclosure, or destruction, as further described in Schedule 2 of this DPA (Technical and Organizational Measures). Spoko.ai will also provide reasonable assistance to you with conducting any legally required data protection impact assessments with respect to the processing of Personal Information by Spoko.ai (including, where necessary, subsequent consultation with a supervisory authority with jurisdiction over such processing), if so required by the Applicable Data Protection Law, taking into account the nature of processing and the information available to Spoko.ai.
If Spoko.ai becomes aware of a Security Incident, Spoko.ai will (a) notify you without undue delay, and not later than 48 hours after Spoko.ai discovers the Security Incident, and (b) make reasonable efforts to identify the cause of the Security Incident, mitigate the effects, and remediate the cause to the extent within Spoko.ai's reasonable control. Upon your request and taking into account the nature of the applicable processing, Spoko.ai will assist by providing, when available, information reasonably necessary for you to meet your Security Incident notification obligations under the Applicable Data Protection Laws. You acknowledge that Spoko.ai providing notification of a Security Incident is not an acknowledgment of fault or liability.
Spoko.ai will ensure that its personnel authorized to process Personal Information are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Notwithstanding anything to the contrary in the Agreement, Spoko.ai may periodically modify this DPA as required to comply with Applicable Data Protection Law.
For questions about this Data Processing Addendum, please contact us at legal@spoko.ai