Runbook Data Processing Addendum
Last Updated: February 6, 2026
THIS DATA PROCESSING ADDENDUM (“DPA”) to the Agreement (as defined below) is entered into as of the Addendum Effective Date by and between Runbook AI, Inc. (“Runbook” or “Service Provider”) and the Customer identified in the Agreement (“Customer”). This DPA is incorporated into, and forms an integral part of, the Agreement. Any terms not defined herein shall have the meanings given to them in the Agreement, or if not in the Agreement, in Applicable Privacy Laws.
1. Definitions
In this DPA, the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
- “Addendum Effective Date” means the effective date of the Agreement.
- “Appropriate Safeguards” means such lawful mechanism(s) for international transfers of Personal Data (legally valid at the time of such transfer) permitted under Applicable Privacy Laws.
- “Agreement” means the Runbook Master Services Agreement.
- “Controller” means the entity that determines the purposes and means of Processing Customer Personal Data.
- “Customer Personal Data” means any Customer Content Processed by Service Provider or its Sub-Processor on behalf of Customer to perform the Services under the Agreement that constitutes “personal data,” “personal information,” “personally identifiable information” or similar term as defined in Applicable Privacy Laws except that Customer Personal Data does not include the contact information pertaining to Customer’s personnel or representatives who are business contacts of Customer (where Service Provider acts as a controller of such information).
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Data Subject Request” means the exercise by a Data Subject of their rights under Applicable Privacy Laws in respect of Customer Personal Data and its Processing.
- “Deidentified Data” means data that cannot reasonably be used to infer information about, or be linked to, a Data Subject, or a device linked to a Data Subject.
- “Personal Data Breach” means a breach of Service Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data in Service Provider’s control, excluding unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
- “Personnel” means a person’s employees, agents, consultants or contractors.
- “Processor” means the entity which Processes Customer Personal Data on behalf of the Controller.
- “Restricted Transfer” means the transfer of Customer Personal Data to a location outside the jurisdiction in which the Data Subject is located or the Personal Data was originally accessed or located which, under Applicable Privacy Laws, requires a lawful mechanism prior to effectuating the transfer.
- “SCCs” means the applicable standard contractual clauses (and any successor, amendment or reenactment of such clauses) issued by a Supervisory Authority which ensure that any Personal Data transferred outside the jurisdictional boundaries of the country or territory where the Personal Data was originally collected or accessed receives adequate protection.
- “Sub-Processor” means any third party appointed by or on behalf of Service Provider to Process Customer Personal Data.
- “Supervisory Authority” means a governmental body with authority to enforce Applicable Privacy Laws in relation to the Processing of Customer Personal Data under the Agreement.
- “Third Country” means a country or jurisdiction not deemed by Supervisory Authorities of an applicable jurisdiction to have an adequate level of protection in connection with the international transfer of Personal Data.
2. Scope of This Data Processing Addendum
This DPA applies to Service Provider’s Processing of Customer Personal Data under the Agreement to the extent Applicable Privacy Laws apply to the relevant Customer Personal Data. The details of such Processing are described in Annex 1. Annex 2 (Europe Annex) applies only if and to the extent Service Provider’s Processing of Customer Personal Data under the Agreement is subject to the Applicable Privacy Laws in force in the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”). Annex 3 (California Annex) applies only if and to the extent Service Provider’s Processing of Customer Personal Data under the Agreement is subject to the CCPA. Annex 4 (Security Measures) describes the security measures that Runbook has implemented and maintains, and may update from time to time.
Service Provider is not a “payment card processor” (as defined by the Payment Card Industry Data Security Standard or “PCI DSS”) or a “business associate” (as defined by the Health Insurance Portability and Accountability Act or “HIPAA”) and the Services are not designed to be PCI DSS or HIPAA compliant.
3. Processing of Customer Personal Data
Service Provider shall Process Customer Personal Data only on Customer’s written instructions or as required by applicable laws. For the Services and this DPA, Service Provider is the Processor (or “service provider” as defined under Applicable Privacy Laws). Customer instructs Service Provider to Process Customer Personal Data to provide the Services to Customer and according to the Agreement (including this DPA). The Agreement, including this DPA, is the complete record of these instructions, and additional instructions are binding only in a written amendment to this DPA signed by both parties. Where required by Applicable Privacy Laws, Service Provider shall promptly notify Customer if it receives an instruction that, in its reasonable opinion, infringes Applicable Privacy Laws. The parties acknowledge that Service Provider’s Processing per Customer’s instructions in the Agreement (including this DPA) is essential to the Services and the business relationship. Access to Customer Personal Data is not part of the consideration exchanged for the Agreement or other business dealings. Service Provider shall require that its Personnel authorized to access Customer Personal Data are under appropriate confidentiality obligations.
4. Security
Service Provider shall implement and maintain the Security Measures described in Annex 4, which may be updated from time to time provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
5. Data Subject Requests
To the extent required by Applicable Privacy Laws, Service Provider shall provide reasonable assistance to Customer, using appropriate technical and organizational measures, to help Customer fulfill its obligations under Applicable Privacy Laws to respond to Data Subject Requests. Service Provider shall promptly notify Customer of any Data Subject Request that it receives and shall not respond to it, except to advise the Data Subject to submit it to Customer, or as required by Applicable Privacy Laws. Customer shall respond to all Data Subject Requests.
6. Personal Data Breach
Service Provider shall notify Customer without undue delay upon its becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification or response to a Personal Data Breach does not constitute acknowledgement of fault or liability. To the extent the breach resulted from Service Provider’s breach of its security obligations, Service Provider shall provide Customer with reasonably requested information (insofar as such information is within Service Provider’s possession and knowledge and does not otherwise compromise the security of any Customer Personal Data Processed by Service Provider or the Service Provider’s other confidentiality or nondisclosure obligations, including any imposed by a law enforcement request, a Supervisory Authority, or other governmental authority) to meet Customer’s breach reporting obligations under Applicable Privacy Laws. If the breach did not result from Service Provider’s breach of its security obligations, Service Provider shall reasonably cooperate with Customer, and Customer shall reimburse Service Provider for related costs. Customer is solely responsible for complying with all applicable notification requirements. If Customer must notify a Supervisory Authority, government authority, Data Subject(s), the public or others of a Personal Data Breach, and the notice refers to or identifies Service Provider, Customer agrees (prior to the provision of any such notification and in writing) to: (a) notify Service Provider of the anticipated notification; and (b) consult with Service Provider in good faith and consider any reasonable clarifications or corrections Service Provider may recommend.
7. Sub-Processing
Customer authorizes Service Provider to appoint Sub-Processors. Information about Sub-Processors is available in Annex 5 (Sub-Processors). Service Provider shall enter into a written contract with each Sub-Processor containing data protection obligations no less protective than those in this DPA. Service Provider is liable for the acts and omissions of its Sub-Processors under or in connection with this DPA to the same extent Service Provider would be liable under the terms of this DPA if performing such Services itself directly. Service Provider shall notify Customer of any new Sub-Processor engagements by updating the Sub-Processor Site at least 15 days before the Sub-Processor Processes Customer Personal Data. Customer may object to the engagement in writing within 15 days of notification on reasonable grounds related to data protection. The parties will work in good faith to find a solution. If no solution is reached, Customer may terminate the Agreement within 30 days of the initial objection notice to Service Provider, subject to paying all due amounts. If Customer does not object within the 15-day period, Customer is deemed to have approved the engagement.
8. Compliance Assistance; Audits
Taking into account the nature of the Processing and the information available to Service Provider, Service Provider shall provide such information and reasonable assistance to Customer as Customer may reasonably request (if such information is available to Service Provider and sharing it doesn’t compromise the security, confidentiality, integrity or availability of any data Processed by Service Provider) to help Customer meet its obligations under Applicable Privacy Laws, including regarding security, breach reporting and investigation, and data protection assessments and consultations with Supervisory Authorities. Service Provider shall provide Customer with reasonably requested information to demonstrate its compliance with Applicable Privacy Laws and this DPA.
Without limitation of the foregoing, Customer may conduct, at its sole cost and expense and in accordance with this Section 8, and Service Provider will reasonably cooperate with, reasonable audits (including inspections, manual reviews, automated scans and other technical and operational testing only to the extent that Customer is entitled to perform these activities under Applicable Privacy Laws), in each case, whereby Customer or a qualified and independent auditor appointed by Customer using an appropriate and accepted audit control standard or framework may audit Service Provider’s technical and organizational measures in support of such compliance and the auditor’s report is provided to Customer and Service Provider. Customer (and its auditor, as applicable) shall use its best efforts (and ensure that each of its auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Service Provider’s premises, equipment, and personnel.
Customer shall give Service Provider reasonable advance notice of any audit. Service Provider need not cooperate with audits: (a) by anyone who has not signed a non-disclosure agreement with Service Provider on terms acceptable to Service Provider; (b) outside normal business hours; or (c) more than once per year (unless required by Applicable Privacy Laws). Audits must follow Service Provider’s policies; not impact the security, confidentiality, integrity or availability of any data; not unreasonably interfere with Service Provider’s business activities; and not destroy, damage, injure or disrupt Service Provider’s premises, equipment or personnel. Customer shall not conduct scans or technical testing of Service Provider’s systems without prior approval. If the audit’s controls are covered by a recent (within 12 months) SOC 2 Type 1, ISO, NIST, or similar audit report, and Service Provider confirms no material changes, Customer agrees to accept that report instead of an audit. Audit reports and information are Service Provider’s Confidential Information and shall be used only to confirm DPA compliance or meet Customer’s legal obligations.
9. Return and Deletion
Within 30 days after the Agreement’s expiration or earlier termination, Service Provider shall, to the fullest extent technically possible in the circumstances: (i) return or delete all Customer Personal Data in Service Provider’s care, custody or control in accordance with Customer’s instructions as to the post-termination return and deletion of Customer Data expressed in the Agreement; or (ii) irreversibly anonymize or deidentify all Customer Personal Data in Service Provider’s care, custody or control. Service Provider may retain Customer Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Service Provider shall (i) maintain measures to protect the Customer Personal Data; and (ii) Process the Customer Personal Data only as necessary for the purpose(s) specified in applicable law requiring such retention.
10. Customer’s Responsibilities
Customer is responsible for its use of the Services, including: (a) appropriate security measures; (b) securing account credentials, systems, and devices Customer uses to access the Services; (c) securing Customer’s systems and devices used by Service Provider; and (d) backing up Customer Personal Data. Customer shall ensure a valid legal basis for Service Provider’s Processing and that all necessary notices, consents, permissions, and rights have been provided (and where applicable, obtained) for Service Provider to Process Customer Personal Data. Customer agrees that the Services, Security Measures, and Service Provider’s DPA commitments are adequate to satisfy its privacy and security needs and legal requirements. Customer shall compensate Service Provider at Service Provider’s rates for cooperation, information, or assistance requested by Customer under Sections 5, 8, and 9 of this DPA, beyond self-service features.
11. Deidentified, Anonymized or Aggregated Data
To the extent Service Provider processes or generates any Deidentified Data, Service Provider shall take reasonable measures designed to prevent such data from being associated with a natural person. If Service Provider’s creation and/or use of aggregated, anonymized or deidentified data is subject to Applicable Privacy Laws, then Service Provider’s creation and/or use of such data, including but not limited to Deidentified Data, shall be permitted only to the extent permitted by Applicable Privacy Laws.
12. International Data Transfers
Service Provider and Customer shall implement any Appropriate Safeguards and conduct any required assessments as required by Applicable Privacy Laws to ensure the lawfulness of any transfer of Customer Personal Data to any Third Country (“International Transfer”). If circumstances beyond the parties’ control affect compliance with an Appropriate Safeguard or other International Transfer requirement (e.g., if a legal instrument is invalidated, amended, or replaced), the parties shall cooperate in good faith to resolve the non-compliance without undue delay. If new or amended SCCs or other legal instruments for International Transfers are issued and approved by a Supervisory Authority, the parties may amend this DPA to comply with Applicable Privacy Laws and International Transfer legal requirements.
13. Liability
The total aggregate liability of either party towards the other party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the parties in the Agreement; provided that, nothing in this Section 13 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
14. Change in Laws
Service Provider may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Privacy Laws from time to time.
15. Incorporation and Precedence
This DPA shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date. In the event of any conflict or inconsistency between: (a) this DPA and the Agreement, this DPA shall prevail; or (b) any SCCs and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.
Annex 1: Data Processing Details
Service Provider / Data Importer Details
| Name | Runbook AI, Inc. |
| Address | 13208 McCulloch Ave Saratoga CA 95070 |
| Contact Details for Data Protection | Email: legal@myrunbook.com |
| Service Provider Activities | Runbook provides an AI-supported platform to assist logistics businesses in managing their business operations. |
| Role | Processor |
Customer / Data Exporter Details
| Name | [NAME] |
| Address | [ADDRESS] |
| Contact Details for Data Protection | Email: [EMAIL] |
| Customer Activities | Customer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations. |
| Role | Controller |
Details of Processing
| Categories of Data Subjects |
|
| Categories of Customer Personal Data |
|
| Sensitive Categories of Data | No sensitive or special category data will be processed unless voluntarily provided by Customer, which Runbook does not recommend or require. |
| Frequency of Transfer | Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services. |
| Nature of the Processing | Processing operations required in order to provide the Services in accordance with the Agreement, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Purpose of the Processing | Customer Personal Data will be processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA. |
| Duration of Processing / Retention Period | Concurrent with the term of the Agreement and then thereafter pursuant to Section 9 (Return and Deletion) of this DPA. |
| Transfers to Sub-Processors | Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List (as may be updated from time to time in accordance with the DPA). |
Annex 2: Europe Annex
Data Protection Impact Assessment and Prior Consultation
Taking into account the nature of the Processing of Customer Personal Data by Service Provider and the information available to Service Provider, Service Provider shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Service Provider.
Restricted Transfers
EEA Restricted Transfers
To the extent that any Processing of Customer Personal Data under this DPA involves an EEA Restricted Transfer from Customer to Service Provider, the parties shall comply with their respective obligations set out in the EU SCCs, which are hereby deemed to be:
- populated in accordance with Part 1 of Attachment 1 to this Annex 2 (European Annex); and
- entered into by the parties and incorporated by reference into this DPA.
UK Restricted Transfers
To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer from Customer to Service Provider, the parties shall comply with their respective obligations set out in the UK SCCs, which are hereby deemed to be:
- The EU SCCs as varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to this Annex 2 (European Annex); and
- entered into by the parties and incorporated by reference into this DPA.
Adoption of New Transfer Mechanism
Service Provider may on notice vary this DPA and replace the relevant SCCs with:
- any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
- another transfer mechanism, that enables the lawful transfer of Customer Personal Data by Customer to Service Provider under this DPA in compliance with Chapter V of the GDPR.
Provision of Full-Form SCCs
In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Annex 1 (Data Processing Details); accompanied by suitable supporting evidence of the relevant request), Service Provider shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with Attachment 1 to this Annex 2 (European Annex) in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Privacy Laws.
Supplementary Measures
As of the date of this DPA, Service Provider has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Customer Personal Data is being exported, for access to (or for copies of) Customer’s Personal Data (“Government Agency Requests”).
If, after the date of this DPA, Service Provider receives any Government Agency Requests, Service Provider shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Service Provider may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer’s Personal Data to a law enforcement or government agency, Service Provider shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Service Provider is legally prohibited from doing so. Service Provider shall not voluntarily disclose Customer Personal Data to any law enforcement or government agency. Customer and Service Provider shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in the light of such Government Agency Requests.
Customer and Service Provider will meet as needed to consider whether:
- the protection afforded by the laws of the country of the Service Provider to Data Subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
- additional measures are reasonably necessary to enable the transfer to be compliant with the Applicable Privacy Laws; and
- it is still appropriate for Customer Personal Data to be transferred to the relevant Service Provider, taking into account all relevant information available to the parties, together with guidance provided by the Supervisory Authorities.
Operational Clarifications
- When complying with its transparency obligations under Clause 8.3 of the EU SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect Service Provider’s and its licensors’ trade secrets, business secrets, Confidential Information and/or other commercially sensitive information.
- Where applicable, for the purposes of Clause 10(a) of Module Two of the EU SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Service Provider to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.
- For the purposes of Clause 15.1(a) of the EU SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
- The terms and conditions of Section 7 of this DPA apply in relation to Service Provider’s appointment and use of Sub-processors under the EU SCCs. Any approval by Customer of Service Provider’s appointment of a Sub-processor that is given expressly or deemed given pursuant to Section 7 constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Sub-processors if and as required under Clause 8.8 of the EU SCCs.
- The audits described in Clauses 8.9(c) and 8.9(d) of the EU SCCs shall be subject to any relevant terms and conditions detailed in Section 8 of this DPA.
- Certification of deletion of Customer Personal Data as described in Clauses 8.5 and 16(d) of the EU SCCs shall be provided only upon Customer’s written request.
Attachment 1 to European Annex: Population of SCCs
Notes:
- In the context of any EEA Restricted Transfer, the EU SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA).
- In the context of any UK Restricted Transfer, the UK SCCs (i.e. the EU SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1) are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 2.2 of Annex 2 (European Annex) to the DPA).
Part 1: Population of the SCCs – EU SCCs
Signature of the EU SCCs:
Where the EU SCCs apply in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA, (a) each of the parties is hereby deemed to have signed the EU SCCs at the relevant signature block in Annex I to the Appendix to the EU SCCs; and (b) those EU SCCs are entered into by and between the parties with effect from (i) the Addendum Effective Date; or (ii) the date of the first EEA Restricted Transfer to which they apply in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA, whichever is earlier.
Modules:
The following module of the EU SCCs applies in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 2 (European Annex) to the DPA): Module Two of the EU SCCs applies to any EEA Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right.
Population of the Body of the EU SCCs:
For Module Two of the EU SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
- The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
- In Clause 9: OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 7 of the DPA; and OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the EU SCCs.
- In Clause 11, the optional language is not used and is deleted.
- In Clause 13, all square brackets are removed and all text therein is retained.
- In Clause 17: OPTION 1 applies, and the parties agree that the EU SCCs shall be governed by the law of Ireland in relation to any EEA Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.
- For the purposes of Clause 18, the parties agree that any dispute arising from the EU SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
Population of Annexes to the Appendix to the EU SCCs:
- Annex I to the Appendix to the EU SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with: Customer being ‘data exporter’; and Service Provider being ‘data importer’.
- Part C of Annex I to the Appendix to the EU SCCs is populated as below:
  - Where Customer is established in an EU Member State, the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.
  - Where Customer is not established in an EU Member State, Article 3(2) of the EU GDPR applies and Customer has appointed an EU representative under Article 27 of the EU GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time).
  - Where Customer is not established in an EU Member State, Article 3(2) of the EU GDPR applies, but Customer has not appointed an EU representative under Article 27 of the EU GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Service Provider’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
- Annex II to the Appendix to the EU SCCs is populated as below:
  - General: Please refer to Section 4 of the DPA and the Security Measures described therein.
  - In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Service Provider, Customer should email Service Provider’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.
  - Sub-Processors: When Service Provider engages a Sub-Processor under these Clauses, Service Provider shall enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of: applicable information security measures; notification of Personal Data Breaches to Service Provider; return or deletion of Customer Personal Data as and where required; and engagement of further Sub-Processors.
Part 2: UK Restricted Transfers – UK SCCs
UK Transfer Addendum:
Where relevant in accordance with Paragraph 2.2 of Annex 2 (European Annex) to the DPA, the EU SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum (UK SCCs) in the manner described below:
- Part 1 to the UK Transfer Addendum. The parties agree:
- Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and the foregoing provisions of this Attachment 1 to Annex 2 (European Annex) (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and
- Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
- Part 2 to the UK Transfer Addendum. The parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.
- As permitted by Section 17 of the UK Mandatory Clauses, the parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1.1 of this Part 2; provided that the parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).
- In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.
Annex 3: California Annex
- In this Annex, the terms “business,” “business purpose,” “commercial purpose,” “consumer,” “sell,” “share,” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Customer Personal Data that constitutes “personal information” as defined in and that is subject to the CCPA.
- The business purposes and Services for which Service Provider is Processing personal information are for Service Provider to provide the Services to and on behalf of Customer as set forth in the Agreement, as described in more detail in Annex 1 (Data Processing Details).
- It is the parties’ intent that with respect to any personal information, Service Provider is a service provider. Service Provider (a) acknowledges that personal information is disclosed by Customer only for the limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to personal information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 8 (Compliance Assistance; Audits) of this DPA to help ensure that Service Provider’s use of personal information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by Service Provider that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
- Service Provider shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship between Service Provider and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Service Provider’s own interaction with any consumer to whom such personal information pertains.
- Service Provider shall implement reasonable security procedures and practices appropriate to the nature of the personal information received from, or on behalf of, Customer, in accordance with Section 4 (Security) of the DPA.
- When Service Provider engages any Sub-Processor, Service Provider shall notify Customer of such Sub-Processor engagements in accordance with Section 7 (Sub-Processing) of the DPA.
Annex 4: Security Measures
As from the Addendum Effective Date, Service Provider will implement and maintain the Security Measures as set out in this Annex 4.
| Technical and Organizational Security Measure | Details |
|---|---|
| Measures of pseudonymisation and encryption of personal data | Service Provider has deployed security methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest. Service Provider uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and Customer Data is securely encrypted with strong ciphers and configurations when at rest. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Service Provider’s customer agreements contain strict confidentiality obligations. Additionally, Service Provider requires every downstream Sub-Processor to sign confidentiality provisions that are substantially similar to those contained in Service Provider’s customer agreements. Service Provider has undergone a SOC 2 Type 1 audit that includes the Security Trust Service Criteria. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Daily backups of production datastores are taken. Backups are periodically tested in accordance with information security and data management policies. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | Service Provider has undergone a SOC 2 Type 1 audit that includes the Security Trust Service Criteria. |
| Measures for user identification and authorization | Service Provider uses secure access protocols and processes and follows industry best-practices for authentication, including Multifactor Authentication and Single Sign On (SSO). All production access requires the use of two-factor authentication, and network infrastructure is securely configured to vendor and industry best practices to block all unnecessary ports, services, and unauthorized network traffic. |
| Measures for the protection of data during transmission | Service Provider has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Service Provider uses only recommended secure cipher suites and protocols to encrypt all traffic in transit (i.e. TLS 1.2). |
| Measures for the protection of data during storage | Encryption-at-rest is automated by Google Cloud Platform’s Cloud SQL, which uses industry standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by GCP. |
| Measures for ensuring events logging | Service Provider monitors access to applications, tools, and resources that process or store Customer Personal Data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately. |
| Measures for ensuring system configuration, including default configuration | Service Provider adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. All production changes are automated through CI/CD tools to ensure consistent configurations. |
| Measures for internal IT and IT security governance and management | The framework for Service Provider’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. |
| Measures for certification/assurance of processes and products | Service Provider undergoes annual SOC 2 Type 1 audits. |
| Measures for ensuring data minimization | Service Provider’s Customers unilaterally determine what data they route through the Services. As such, Service Provider operates on a shared responsibility model. Service Provider gives Customers control over exactly what data enters the platform. Additionally, Service Provider has functionality in the Services that allows Customers to delete and suppress data at their discretion. |
| Measures for ensuring data quality | Service Provider has a multi-tiered approach for ensuring data quality. These measures include: (i) testing to ensure quality of logic used to process API calls, (ii) database validation rules which execute against data before it is saved to our database, (iii) strong typing to enforce a strict contract between official clients and API resolvers. Service Provider applies these measures across the board, both to ensure the quality of any Usage Data that Service Provider collects and to ensure that the Service Provider Platform is operating within expected parameters. Service Provider ensures that data quality is maintained from the time a Customer sends Customer Personal Data into the Services and until that Customer Personal Data is presented or exported. |
| Measures for ensuring limited data retention | Customers unilaterally determine what data they route through the Services. As such, Service Provider operates on a shared responsibility model. The Service Provider can delete Customer Personal Data upon the Customer’s written request, within the timeframe specified in this DPA and in accordance with Applicable Privacy Laws. All Customer Personal Data is deleted from the Services following service termination. |
| Measures for ensuring accountability | Service Provider has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Personal Data Breaches, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, the Service Provider conducts regular third-party audits to ensure compliance with our privacy and security standards. |
| Measures for allowing data portability and ensuring erasure | Customer Personal Data submitted to the Services by Customer may be deleted by the Customer or at the Customer’s request. Customer Personal Data is incidental to the Service Provider’s Services. Based on Privacy by Design and Data Minimization principles, Service Provider severely limits the instances of Customer Personal Data collection and processing within the Services. Most use cases for porting Customer Personal Data from Service Provider are not applicable. However, Service Provider will respond to all requests for data porting in order to address Customer needs. |
| Technical and organizational measures of sub-processors | The Service Provider enters into Data Processing Agreements with its Authorized Sub-Processors with data protection obligations substantially similar to those contained in this DPA. |
Service Provider may update the Security Measures from time to time in accordance with Section 4 of the DPA.
Annex 5: Sub-Processors
| Sub-Processor | Location of Processing Activities | Processing Activities |
|---|---|---|
| Anthropic | US | Large language model services. |
| AWS | US | Data storage and hosting. |
| OpenAI | US | Large language model services. |