Data Processing Addendum

This Data Processing Addendum (“DPA”) is part of the Agreement between Advantage Systems Group LLC (“Advantage Systems,” “Processor,” “we”) and the customer (“Customer,” “Controller,” “you”). It applies to our processing of Personal Information on your behalf in providing the Services. If this DPA conflicts with the Terms regarding personal-information processing, this DPA controls.

1. Definitions

• Personal Information — information that identifies or could reasonably be linked to an individual, processed by us on your behalf through the Services.
• Processing — any operation performed on Personal Information.
• Service Provider / Processor — an entity that processes Personal Information on behalf of, and at the direction of, a Controller.
• Subprocessor — a third party we engage to process Personal Information.
• Applicable Privacy Law — U.S. federal and state privacy laws applicable to the processing.

2. Roles and Scope

You are the Controller (or processor acting for another controller) of Personal Information you submit to the Services. We act solely as your Service Provider/Processor and process Personal Information only:

• to provide, maintain, secure, and support the Services;
• in accordance with your documented instructions (the Agreement and your configuration of the Services are your instructions); and
• as required by Law, in which case we will inform you unless legally prohibited.

We will not sell or share (as those terms are defined under Applicable Privacy Law) Personal Information, and will not retain, use, or disclose it for any purpose other than providing the Services or as permitted by Applicable Privacy Law. We may create and use de-identified and aggregated data as described in the Terms.

3. Customer Obligations

You represent and warrant that you have provided all required notices and obtained all consents and rights necessary for us to process Personal Information as contemplated by the Agreement, and that your instructions comply with Applicable Privacy Law. You are responsible for the accuracy and legality of the Personal Information you submit.

4. Confidentiality

We ensure that personnel authorized to process Personal Information are bound by confidentiality obligations.

5. Security

We will implement and maintain commercially reasonable administrative, technical, and physical safeguards appropriate to the nature of the Personal Information, including encryption in transit, access controls, logging, and monitoring. You are responsible for securely configuring your account, managing User access, and safeguarding credentials.

6. Subprocessors

You authorize us to engage Subprocessors to provide the Services (for example, cloud hosting and error-monitoring providers). We will impose data-protection obligations on Subprocessors substantially similar to those in this DPA and remain responsible for their performance. We will make available a current list of Subprocessors on request and will give reasonable notice of new Subprocessors so you may object on reasonable data-protection grounds.

7. Assistance to Controller

Taking into account the nature of the processing, we will provide reasonable assistance to help you:

• respond to individuals exercising their rights under Applicable Privacy Law (we will refer such requests we receive directly to you);
• conduct data-protection assessments where required; and
• meet your security and breach-notification obligations.

8. Personal Information Breach

We will notify you without undue delay after becoming aware of a confirmed breach of security leading to the unauthorized access, disclosure, or loss of Personal Information processed on your behalf, and will provide information reasonably available to us to help you meet your notification obligations. Our notification is not an acknowledgment of fault or liability.

9. Return and Deletion

On termination of the Services, we will, at your request and within the period stated in the Terms, delete or return Personal Information processed on your behalf, except where retention is required by Law. After the deletion period in the Terms, we may permanently delete it.

10. Audits

On reasonable written request, no more than once per year (unless required by Applicable Privacy Law or following a breach), we will make available information reasonably necessary to demonstrate compliance with this DPA. Where on-site or third-party audits are required by Applicable Privacy Law, the parties will agree on reasonable scope, timing, and confidentiality, at your expense.

11. Liability

Each party’s liability under this DPA is subject to the limitations of liability in the Terms.

12. Conflict and Term

This DPA is effective for as long as we process Personal Information on your behalf. In case of conflict with the Terms regarding personal-information processing, this DPA governs.

Questions: privacy@advantagesystems.ai