AGNTIX
DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “DPA”) along with any schedules, exhibits or addendums, is incorporated into the Master SAAS Agreement (the “Agreement”) between Actualize (the “Company”) and the Customer identifed and defned in the Order Form (each a “Party” and collectively, the “Parties”) and is efective as of the efective date mentioned in the Order Form (the “Efective Date”).
The Company and the Customer hereby agree as follows:
1.DEFINITIONS
Any capitalized terms used but not defned in this DPA will have the meanings set out in the Agreement. The headings herein are for convenience only and do not afect interpretation:
a. Account data means Personal Data that relates to Customer’s relationship with the Company, including to access Customer’s account and billing information, identity verifcation, maintain or improve performance of the Services, provide support, investigate and prevent system abuse, or fulfll legal obligations.
b. Applicable Data Protection Legislation means laws and regulations applicable to the Parties in relation to Customer Data, including but not limited to (1) UAE Federal Decree by Law No. (45) of 2021 Concerning the Protection of Personal Data, (2) Data Protection Regulations 2021 (ADGM), (3) Regulation (EU) 2016/679 (General Data Protection Regulation), in each case, as may be amended, superseded or replaced.
c. Customer means an individual, group of individuals or an entity identifed and defned in the Order form who avails the Services from the Company.
d. Customer Data means any data, Personal Data, content, or information of any kind that is submitted to the Services by or on behalf of the Customer, including, but not limited to: (a) data, content, or information that the Customer submits, uploads, imports, or instructs to be used within the Services (including from Third-Party Platforms); and (b) data, Personal Data, content, or information related to or provided by the Customer’s end users or prospects (including chat and message logs) that are collected from the Customer’s databases or Third-Party Platforms through the use of the Services.
e. Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
f. Confdential Information means information disclosed by one Party to the other that is marked as confdential or should reasonably be understood as confdential given the nature of the information, including but not limited to either Party’s business afairs, operations, fnance, assets, liabilities, Customer Data, Personal Data,Account Data.
g. Personal Data means any information, including personal information, relating to an identifed or identifable natural person (“Data Subject”) or as defned in and subject to Applicable Data Protection Legislation.
h. Processor means the entity which processes Personal Data on behalf of the Controller.
i. Processing / process means any operation or set of operations performed upon Personal Data, whether or not by automated means, means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, securing, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission,dissemination or otherwise making available, alignment or combination, blocking,erasure, or destruction.
j. Sub-processor means (a) the Company, when the Company is processing Customer Data and where the Customer is itself a processor of such Customer Data, or (b) any third-party Processor engaged by the Company to assist in fulflling the Company’s obligations under the Agreement and which processes Customer Data.
k. Third-Party Platform(s) means any software, software-as-a-service, data sources or other products or services not provided by the Company that are integrated with or otherwise accessible through the Services.
2. ROLES AND SCOPE
a. Scope. The scope of this DPA is limited to the extent that the Company processes Customer Data and/or Account Data for the purposes set out in this DPA under Applicable Data Protection Legislation.
b. Company as Processor. The Parties acknowledge and agree that regarding Processing of Customer Data, the Customer may act either as a Controller or a processor and the Company is a processor. The Company will process Customer Data in accordance with the terms in the DPA.
c. Company as Controller. The Parties acknowledge that regarding Processing of Account Data, the Customer is a controller and the Company is a Processor and an independent controller, not a joint controller with the Customer. The Company will process Account Data as a Controller (a) in order to manage the relationship with the Customer; (b) in order to detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) identity verification; (e) to comply with the Company’s legal or regulatory obligations; and (f) as otherwise permitted under Applicable Data Protection Legislation and in accordance with this DPA and the Agreement.
d. Modifcation. The Company shall amend the terms and conditions of this DPA (“Terms”) as necessary to comply with Applicable Data Protection Legislation. The Customer shall periodically review these Terms for any such modifcations. The Customer's continued use of the Services will be deemed to have provided acceptance of and consent to such modifcations of these Terms.
3. DATA PROCESSING
a. Customer Instructions. The Customer designates the Company as a Processor to handle Customer Data on its behalf, as (a) outlined in the Agreement, or this DPA, or as required to deliver the Services to the Customer (which may involve investigating security incidents and detecting or preventing exploits or abuse); (b) as needed to comply with relevant laws, including Applicable Data Protection Legislation; and / or (c) as mutually agreed in writing by the Parties (“Permitted Purposes”).
b. Processing of Data. The Company will process Customer Data for the duration of the Agreement subject to the Terms. Schedule 1 annexed herewith (Details of Processing) sets out the nature and purpose of the processing, the types of Customer Data the Company processes and the categories of data subjects whose Personal Data is processed.
4. CUSTOMER OBLIGATIONS
a. Compliance with law.
- The Customer shall, at all times, ensure that it adheres to Applicable Data Protection Legislation and all or any applicable laws and regulations, in connection with collecting, storing, using, processing, transferring or handling Customer Data under this DPA.
- The Customer must provide all necessary, fair, and transparent information and notices to, and obtain all necessary consents from, any Data Subjects whose Personal Data the Customer provides to the Company, so that the Company is lawfully able to use or otherwise process this Personal Data for the Permitted Purpose without needing any further consent, approval, or authorization.
- The Customer must ensure that any Personal Data disclosed or transferred to the Company is accurate and limited to what is necessary for the performance of the Services or for the Permitted Purpose. The Customer must not disclose or transfer any excessive or irrelevant Personal Data that is not required for these purposes. Additionally, the Customer shall take all necessary steps to delete any such excessive or irrelevant Personal Data from any documents disclosed or transferred to the Company. The Company shall not be liable for any consequences arising from errors, inaccuracies, or the disclosure of excessive or irrelevant Personal Data by the Customer.
b. Legality of Instructions. The Customer will ensure that its instructions comply with Applicable Data Protection Legislation. The Customer acknowledges that the Company is neither responsible for determining which laws are applicable to Customer’s business nor whether the Company’s Services meet or will meet the requirements of such laws.
c. Data Subject Rights. The Customer acknowledges and agrees that it is responsible for handling and responding to Data Subject requests under Applicable Data Protection Legislation, including access, rectifcation, deletion, and objection requests. Upon the Customer’s request, the Company shall, taking into account the nature of the processing, provide reasonable assistance to Customer where possible and at Customer’s cost and expense,to enable Customer to respond to requests from a Data Subject or any third-party if any, seeking to exercise their rights under Applicable Data Protection Legislation.
5. SUB PROCESSORS
a. Authorization. The Customer acknowledges and agrees that the Company may engage Sub-processors as necessary, to support the Services and to process Customer Data for the purposes specifed in the DPA. List of Sub-processors that may be engaged by the Company are listed under Schedule 2 herein, which may be updated from time to time. These entities may, in turn, engage third-party processors to process Customer Data on the Company’s behalf. The Company will restrict Sub-processor access to Customer Data strictly to what is necessary for Service provision and prohibit processing for any other purpose.
b. Transfer. Customer acknowledges that the Company and its Sub-processors may transfer and process Customer Data to locations where the Company or Sub-processors maintain data processing operations. Such transfer and processing will be limited to the purposes of providing the Services to the Customer.
6. CONFIDENTIALITY
a. Obligations
i. Each Party shall maintain the confdentiality of all Confdential Information disclosed under this DPA and use such information solely for fulflling its obligations under the Agreement or the DPA.
ii. The Company shall ensure that any personnel, including employees, or agents, authorized to access or process Customer Data are bound by confdentiality obligations.
b. Access Restrictions
i. Access to Customer Data shall be strictly limited to personnel who need to know such data for the performance of the Services and who have been granted specifc authorization.
ii. The Company shall implement appropriate access controls, including role-based access restrictions, to ensure that only authorized individuals handle Customer Data.
c. Disclosure Restrictions
i. Neither party shall disclose Confdential Information to any third party without prior written consent, except where required by law or regulatory authority. If disclosure is required, the disclosing party shall (to the extent legally permitted) notify the other party in advance and take reasonable steps to limit disclosure.
ii. The receiving party shall implement appropriate technical and organizational measures to protect Confdential Information against unauthorized access, disclosure, or use.
d. Exceptions. Confdentiality obligations shall not apply to information that:
● Was lawfully known to the receiving party before disclosure without confdentiality obligations.
● Becomes publicly available through no fault of the receiving party.
● Is lawfully obtained from a third party without restriction.
7. SECURITY
a. Organisational Measures. The Company will maintain appropriate technical and organizational measures designed to protect Customer Data. Such measures shall be designed to ensure a level of security appropriate to the nature of the data and the Company’s obligations under Applicable Data Protection Legislation.
b. Use of Services. The Customer is responsible for how they use the Services, including:
i. Using the Services in a way that ensures appropriate security for their Personal Data.
ii. Keeping account credentials, systems, and devices secure.
iii. Backing up their Personal Data.
8. DATA BREACH
a. Notification. Each Party, upon becoming aware of a data breach involving Customer Data under this DPA, shall notify the other Party without undue delay. The notifying Party shall provide all relevant details reasonably required by the other Party to assess the impact of the breach and to fulfll their respective obligations under Applicable Data Protection Legislation, including any required data breach notifcations to supervisory authorities or afected Data Subjects.
b. Liability. The Company’s notifcation of or response to a data breach shall not be construed as an acknowledgement by the Company of any fault or liability with respect to the data breach.
9. AUDIT
a. The Company shall permit the Customer and/or its appropriately qualifed third-party representative (collectively, the “Auditor”), to conduct an audit of the Company's processing of Customer Data, at Customer’s expense, upon a written request.
b. The audit shall be subject to mutual agreement on its start date, scope, and duration, and must adhere to the Company’s security and confdentiality policies. Audits may be limited to data relevant to the Customer. If the Auditor is a third party, the Company may object in writing if the Auditor is not suitably qualifed or is a direct competitor, requiring the Customer to either appoint another Auditor or conduct the audit itself.
10. RETENTION, RETURN AND DELETION OF DATA
a. Retention. The Company shall retain Customer Data only for as long as necessary to fulfll the Permitted Purposes or as required by Applicable Data Protection Legislation.
b. Return or Deletion. Upon the Customer’s written request, termination or expiry of the Agreement, the Company shall (at the Customer’s election),delete or return to Customer all Customer Data in its possession or control as soon as reasonably practicable and within a maximum period of 45 days of receipt of a written request or termination or expiry of the Agreement, save that this requirement will not apply to the extent that the Company is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which the Company will securely isolate and protect from any further processing, except to the extent required by applicable law.
SCHEDULE 1
DETAILS OF PROCESSING
1. CATEGORIES OF DATA SUBJECTS
The following categories of Data Subjects may be subject to processing:
a. Category I: Customer’s employees and individuals authorized by the Customer to access Customer’s account relating to the Services.
b. Category II: Customer’s end users: Prospects, customers, business partners and vendors of Customer (who are natural persons).
- DESCRIPTION OF PROCESSING / TRANSFER
| Description | Category I | Category II |
|---|---|---|
| Types of Personal Data | Account Data which constitutes Personal Data, such as name and contact information as well as Customer billing address. | Any Customer Data in connection with the Services and which could constitute any type of Personal Data included in chats or messages, <br>including, without limitation, <br>username, password, email address, IP address as well as customer <br>attribute data. |
| Nature and Purpose | Account Data will be processed to manage the account, <br>including to access Customer’s account and billing information, for identity verifcation, to <br>maintain or improve the <br>performance of the Services, to provide support, to investigate and prevent system abuse, or to fulfll legal obligations. | The Company will process Personal Data as necessary to provide the Services under the Agreement. |
| Duration | Account Data and Customer Data shall be processed for the duration of the Agreement and as necessary to provide the Services. | Account Data and Customer Data shall be processed for the duration of the Agreement and as necessary to provide the Services. |
SCHEDULE 2
LIST OF SUB-PROCESSORS
The Company may engage the below listed Sub-processors to provide the Service and to process Customer Data:
Cloud & Infrastructure Providers:
a. Amazon Web Services (AWS) (US): Hosting infrastructure for scalable compute resources and server deployment, vector and relational database management, secure object storage for data and fle hosting.
b. Microsoft Azure (US): Cloud hosting for AI services, including Speech-to-Text (STT) and Text-to-Speech (TTS).
c. Google Cloud (US): AI-driven STT and TTS services.
d. Cloudfare (US): Content Delivery Network (CDN) services, DDoS protection, and enhanced security for web applications.
Webhooks & Event Streaming:
a. SVIX (US): Webhooks publishing for real-time event delivery.
AI & Language Model Providers:
a. OpenAI (US): Large language model APIs for AI-driven applications.
b. Anthropic (US): AI model APIs with a focus on safety and responsible AI.
c. Cohere (US): NLP models for text generation and semantic search.
Database & Analytics:
a. Datadog (US): Application monitoring and security insights.
LLM Observability & Monitoring:
a. LMNR (US): LLM observability for monitoring AI model performance and operational metrics.
Identity & Authentication:
a. Clerk (US): Authentication and user identity management.
Communication & Voice Services:
a. Twilio (US): SMS, phone, and WhatsApp communication services.
b. Telnyx (US): VoIP, SIP trunking, and telephony solutions.
c. LiveKit (US): Real-time voice and video communication.
d. Eleven Labs (US): AI-powered voice generation and synthesis.
e. Deepgram (US): Speech-to-Text (STT) AI services.
f. Cartesia (US): Speech-to-Text (STT) AI services.
g. PlayAI (US): Speech-to-Text (STT) AI services.
Billing & Metering:
a. OpenMeter (US): Real-time event-driven metering and billing.