ConnectionAI Data Protection Agreement

‍

BETWEEN:

1. Connection AI, Inc. (“ConnectionAI”); and

2. The entity agreeing to this Data Protection Agreement (“DPA”), including its schedules and any applicable amendments and statement(s) of work thereto (the “Agreement”) (collectively, “You,” “Your,” and “Customer”)

(each, a “Party”, and jointly, “the Parties”).

‍

LEGAL EFFECT

(A) This DPA is entered into between You and ConnectionAI, and forms part of the Beta Terms and Conditions Agreement, and reflects the Parties’ agreement with regard to the Processing of Personal Data. This DPA will only become legally binding between You and ConnectionAI when: (i) You complete the information in the signature box below and sign this DPA; (ii) You send the signed DPA to ConnectionAI by email to connect@connectionai.io and (iii) upon confirmed receipt by ConnectionAI of the validly completed DPA at the listed email address (the “Effective Date”). 

(B) This DPA amends, supersedes, and replaces any prior data protection agreements that the Parties may have been entered into. Any modifications to the terms of this DPA shall be deemed ineffective unless expressly agreed to in writing by both parties.

‍

1. DEFINITIONS

1.1 “Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control, by any Party. For purposes of the preceding sentence, “control” means direct or indirect ownership or control of a plurality of the voting interest of the subject entity.  

1.2 “Business Purpose” means the Processing of Personal Data to the render the Services by ConnectionAI to You, and shall include the following: (i) Processing in accordance with the Agreement, which shall include all applicable Statements of Work and includes: (a) helping to ensure security and integrity to the extent the use of Your Personal Data is reasonably necessary and proportionate for these purposes; (b) performing services on behalf of You; (c) Processing to comply with other documented reasonable instructions provided by You (e.g., via email) where such instructions are consistent with the terms of the Agreement and this DPA; and (d) Processing conducted by ConnectionAI Sub-processors consistent with the foregoing.

1.3 “Controller” means the legal entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.4 “Your Personal Data” means any Personal Data that is Processed by ConnectionAI pursuant to the Agreement on behalf of You and/or Your Affiliates that is subject to the Data Protection Laws.

1.5 “Data Protection Laws” means all applicable laws, regulations or guidance which govern the Processing of Personal Data, including without limitation all applicable U.S. federal and state privacy laws, and any other domestic laws in each case, all of the foregoing as amended, replaced or supplemented from time to time, and all subordinate legislation made under them.

1.6 “Data Subject” means a natural person who can be identified, directly or indirectly, by the Personal Data.

1.7 “Personal Data” means (i) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household; and (ii) any information defined as “personal data”, “personal information,” or other similar terms under applicable Data Protection Laws.

1.8 “Personal Data Breach” means (i) the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by any Sub-processor; and (b) any other broader circumstance defined by applicable Data Protection Laws as a “breach,” “data breach,” “personal data breach” or other similar term.

1.9 “Processing” or “Processed” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, transfer, adaptation, alteration, retrieval, use, or disclosure.

1.10 “Processor” means a natural or legal person which Processes Personal Data on behalf of the Controller.

1.11 “Regulatory Authority” means any entity which has jurisdiction to enforce compliance with the Data Protection Laws.

1.12 “Services” means the services to be provided by ConnectionAI to You pursuant to the Agreement.

1.13 “Sub-processor” means any Processor engaged by or on behalf of ConnectionAI to Process Personal Data.

‍

2. PROCESSING OF YOUR PERSONAL DATA

2.1 Roles of the Parties. 

The Parties acknowledge and agree that with regard to the Processing of Your Personal Data, You are the Controller and ConnectionAI is a Processor. 

2.2 Details of Processing. 

The subject-matter and details of ConnectionAI’s Processing in connection with the Services (including the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed) are further specified in Schedule 1 to this DPA.

‍

2.3 ConnectionAI’s Processing of Your Personal Data ‍

2.3.1 ConnectionAI will only Process Your Personal Data on behalf of You (i) to the extent, and in such a manner, as is necessary for the limited and specified purposes of providing the Services under the Agreement; and (ii) in accordance with the terms of the Agreement and this DPA, which together constitute Your instructions. The restrictions set forth in this section will not restrict ConnectionAI’s ability to Process Your Personal Data where required to do so by applicable laws to which ConnectionAI is subject; provided, however, ConnectionAI will notify You of such legal requirement before Processing, unless such law prohibits such notification. ConnectionAI will, in a reasonable manner, inform You if, in ConnectionAI’s opinion, a Processing instruction violates applicable Data Protection Laws.

2.3.2 ConnectionAI certifies that ConnectionAI (i) understands the obligations and restrictions imposed on it by applicable Data Protection Laws in its role as a Processor; (ii) will comply with all such obligations, including providing the same level of privacy protection as required by applicable Data Protection Laws; and (c) will notify You in a reasonable manner if ConnectionAI determines it can no longer meet its obligations under applicable Data Protection Laws or this DPA. You will take reasonable and appropriate steps to help ensure that ConnectionAI Processes Your Personal Data in a manner consistent with Your obligations under Data Protection Laws.

2.3.3 Without limiting ConnectionAI’s obligations under this DPA, ConnectionAI will not Process Your Personal Data for any purpose other than to provide the Services under the Agreement, which for the avoidance of doubt prohibits ConnectionAI from retaining, using, or disclosing Your Personal Data outside of the direct business relationship with ConnectionAI. 

‍

2.4 Confidentiality. 

ConnectionAI will take reasonable steps to ensure that access to Your Personal Data is limited to those of its Affiliates, employees, agents, and subcontractors who (i) have a need to know or otherwise access Your Personal Data to enable ConnectionAI to provide the Services under the Agreement and perform its obligations under this DPA, and (ii) who are bound in writing by confidentiality obligations sufficient to protect the confidentiality of Your Personal Data in accordance with the terms of this DPA.

‍

2.5 Security. 

ConnectionAI will implement and maintain reasonable technical and organizational safeguards to protect Your Personal Data that comply with applicable Data Protection Laws. In assessing the appropriate level of security, ConnectionAI will take into account the risks that are presented by Processing, in particular from accidental, unauthorized, or unlawful destruction, loss, alteration, damage, disclosure of, or access to Your Personal Data transmitted, stored, or otherwise Processed. 

‍

2.6 Personal Data Breach. 

In the event of an actual Personal Data Breach impacting Your Personal Data or any system which houses Your Personal Data, ConnectionAI will notify You in a reasonable manner after ConnectionAI or any Sub-processor becomes aware of such Personal Data Breach, and (b) provide You with sufficient details of the Personal Data Breach to allow You to meet any obligations under Data Protection Laws to report or inform Data Subjects or relevant Regulators of the Personal Data Breach. ConnectionAI’s obligation to report or respond to a Personal Data Breach will not be construed as an acknowledgement of any fault or liability of ConnectionAI.

‍

2.7 Sub-processors. 

2.7.1 You hereby (i) grant ConnectionAI a general authorization to engage Sub-processors for the limited purpose of providing the Services. 

2.7.2 ConnectionAI will ensure that it has in place a written agreement with each Sub-processor containing data protection obligations which are no less protective of Your Personal Data than the terms provided by this DPA. 

‍

2.8 Data Subject Rights. 

ConnectionAI will reasonably notify You if it receives a request from a Data Subject regarding Your Personal Data, including a request by a Data Subject to exercise a right under Data Protection Laws (“Data Subject Request”). ConnectionAI will await instructions from You concerning whether, and how, to respond to any Data Subject Request. ConnectionAI shall not be required to destroy or delete Your Personal Data in response to a Data Subject Request if Section 2.4.6.2 applies.

‍

2.9 Deletion or Return of Your Personal Data. 

2.9.1 At any time during the term of the Agreement at Your request, or upon the termination or expiration of the Agreement for any reason, ConnectionAI will, and will instruct all Sub-processors to (i) return to You all copies of Your Personal Data in its possession, or the possession of such Sub-processor, or (ii) delete and procure the deletion of all other copies of Your Personal Data Processed by ConnectionAI or any Sub-processor. ConnectionAI will comply with reasonable directions provided by You with respect to the return or deletion of Your Personal Data.

2.9.2 Retention Required under Applicable Law. Notwithstanding obligations to delete under Sections 2.6 and 2.7.1, ConnectionAI may retain Your Personal Data if required or permitted by applicable law. If required by law to retain Your Personal Data, ConnectionAI will: (i) continue to ensure the security and confidentiality of such Personal Data; (ii) only Process such Personal Data as necessary for the purpose specified in the applicable law requiring such storage; and (iii) delete such Personal Data once the applicable legal retention period expires. 

‍

2.10 Compliance and Audits. 

2.10.1 ConnectionAI agrees that You or an external auditor designated by You (“Auditor”) may inspect and audit, with reasonable notice and during ConnectionAI’s normal business hours, ConnectionAI’s Processing of Your Personal Data under the Agreement to confirm that ConnectionAI has complied with the obligations set forth in this DPA and Data Protection Laws. 

2.10.2 ConnectionAI will furnish You or Auditor with all materials necessary for You to prepare such inspection or audit. 

2.10.3 All information obtained during any such request for information or audit will be considered ConnectionAI’s confidential information under the Agreement and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed ConnectionAI’s confidential information. Auditor may only disclose to You specific violations of this DPA if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.

‍

3. GENERAL TERMS

3.1 Conflicts. In the event of any conflict between the Agreement and this DPA, this DPA will govern with respect to the subject matter of this DPA. 

3.2 Changes in Data Protection Laws. If any variation is required to this DPA as a result of a change in or subsequently applicable Data Protection Laws, the Parties agree to discuss and negotiate in good faith any variations to this DPA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable.

3.3 Severability. Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.

3.4 Breach of Obligations. In the event that ConnectionAI is in breach of any of its obligations under this DPA, You may terminate the Agreement.

3.5 Modifications and Amendments. The DPA may only be amended by a written instrument executed by the Parties.

3.6 Miscellaneous. Any Party to this Agreement may, only by an instrument in writing, waive compliance by the other Party to this Agreement with any term or provision of this Agreement on the part of such other Party to this Agreement to be performed or complied with. The waiver by any Party to this Agreement of a breach of any term or provision of this Agreement shall not be construed as a waiver of any subsequent breach. No failure or delay by any party in exercising any right, power or privilege hereunder shall operate as a waiver thereof nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right, power or privilege.

3.7 Liability and Indemnification. ConnectionAI shall remain reasonably liable for any act or omission of ConnectionAI Personnel that does not comply with the Agreement. ConnectionAI shall also be reasonably liable for any of its acts and omissions relating to the obligations in the Agreement.

‍

List of Schedules Attached hereto

Schedule 1: Details of Processing

The Parties’ authorized signatories have duly executed this DPA.

‍Schedule 1

Details of Processing

‍

1. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union] 

Customer Legal Name:  

Address: 

Contact person’s name, position and contact details: 

Activities relevant to the data transferred under these Clauses: To provide the Services as described in the Agreement

Signature and date: Refer to the Agreement

Role (controller/processor): Controller

‍

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: ConnectionAI, Inc.

Address: 3020 E Camelback Rd #100, Phoenix, AZ 85016, United States

Contact person’s name, position and contact details: Sara Cecchi, Chief Technology Officer, sara.cecchi@connectionai.io

Activities relevant to the data transferred under these Clauses: To receive the Services as described in the Agreement.

Signature and date: Refer to the Agreement

Role (controller/processor): Processor

‍

2. DESCRIPTION OF TRANSFER