Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) forms part of the agreement between the Customer and MySalesSquad.AI for the Service, including the Terms of Service (the “Agreement”).
This DPA applies only to the extent MySalesSquad.AI processes Personal Data on behalf of Customer as a processor (or service provider). This DPA does not apply to information that MySalesSquad.AI processes as a controller (for example, account administration and billing).
If there is a conflict between this DPA and the rest of the Agreement, this DPA controls for the limited purpose of data protection and processing obligations.
1. Definitions
“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including (where applicable) the EU GDPR and UK GDPR.
“Customer Personal Data” means Personal Data contained in Customer Content that MySalesSquad.AI processes on behalf of Customer.
“EU GDPR” means Regulation (EU) 2016/679.
“UK GDPR” means the EU GDPR as incorporated into UK law, as amended from time to time.
“Personal Data Breach” has the meaning set out in Applicable Data Protection Law.
“Restricted Transfer” means a transfer of Personal Data that is restricted by Applicable Data Protection Law (for example, an EU/UK transfer to a country without an adequacy decision).
“Subprocessor” means a third party authorized by MySalesSquad.AI to process Customer Personal Data to provide the Service.
The terms “controller,” “processor,” “processing,” and “supervisory authority” have the meanings given in Applicable Data Protection Law.
2. Roles and scope
2.1 Roles
Customer is the controller of Customer Personal Data.
MySalesSquad.AI is the processor of Customer Personal Data.
2.2 Scope
MySalesSquad.AI will process Customer Personal Data only:
- to provide and secure the Service,
- to maintain and troubleshoot the Service,
- to comply with Customer’s documented instructions, and
- as otherwise permitted by the Agreement and Applicable Data Protection Law.
3. Customer instructions
Customer instructs MySalesSquad.AI to process Customer Personal Data by using the Service and configuring features, as described in the Agreement and associated documentation.
Additional or different instructions must be in writing and agreed by both parties (including any instructions that require changes to the Service or create material security risk).
If MySalesSquad.AI believes an instruction violates Applicable Data Protection Law, MySalesSquad.AI will inform Customer.
4. MySalesSquad.AI obligations
MySalesSquad.AI will:
4.1 Confidentiality
Ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
4.2 Security
Implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, as described in Appendix 2 (Security Measures). MySalesSquad.AI may update security measures over time, provided the overall security posture is not materially reduced.
4.3 Subprocessors
Engage Subprocessors only in accordance with Section 5 (Subprocessors) of this DPA.
4.4 Personal Data Breach notice
Notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide information reasonably necessary for Customer to meet its breach-related obligations.
4.5 Assistance with Customer requests
Taking into account the nature of the processing, provide reasonable assistance to Customer in responding to requests by data subjects to exercise their rights under Applicable Data Protection Law, to the extent Customer cannot fulfill the request using self-service features of the Service.
4.6 Assistance with compliance
Provide reasonable assistance to Customer with:
- data protection impact assessments (DPIAs), and
- consultations with supervisory authorities,
in each case only to the extent required by Applicable Data Protection Law and to the extent the relevant information is available to MySalesSquad.AI.
4.7 Return or deletion
At the end of the Service, delete or return Customer Personal Data in accordance with Section 8 (Return and deletion).
4.8 Information to demonstrate compliance
Make available to Customer information reasonably necessary to demonstrate compliance with this DPA, in accordance with Section 9 (Audits and reviews).
5. Subprocessors
5.1 Authorization
Customer provides general authorization for MySalesSquad.AI to appoint Subprocessors for the processing of Customer Personal Data.
5.2 Current Subprocessors and updates
A list of current Subprocessors is available on the Trust Center Subprocessors page.
MySalesSquad.AI may add or replace Subprocessors. When MySalesSquad.AI makes a material change to Subprocessors that process Customer Personal Data, MySalesSquad.AI will update the Subprocessors page with a new effective date, and prior versions will be available in the Policy archive.
Where required by Applicable Data Protection Law, Customer may object to a new Subprocessor on reasonable data protection grounds by notifying privacy@mysalessquad.ai within 10 business days after the update is posted. If Customer objects, the parties will work in good faith to address the objection, which may include:
- providing a commercially reasonable alternative where available, or
- allowing Customer to stop using the affected feature or terminate the affected portion of the Service.
5.3 Flow-down terms
MySalesSquad.AI will impose data protection obligations on Subprocessors that are no less protective than those in this DPA, appropriate to the services provided.
5.4 Liability for Subprocessors
MySalesSquad.AI remains responsible for the performance of its Subprocessors to the extent required under Applicable Data Protection Law.
6. International transfers
Customer acknowledges that the Service is operated from the United States and that Customer Personal Data may be processed in the United States and other jurisdictions where MySalesSquad.AI or its Subprocessors operate.
6.1 Transfer safeguards
If Customer Personal Data is subject to a Restricted Transfer, the parties agree to implement an appropriate transfer mechanism.
EU/EEA Restricted Transfers:
- The parties agree that the EU Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 (Module Two: controller to processor) will apply and are incorporated by reference, as completed by the information in Appendix 1 (Processing Details) and this DPA.
UK Restricted Transfers:
- The parties agree that the UK International Data Transfer Addendum to the EU SCCs (or another valid UK transfer mechanism) will apply and is incorporated by reference, as completed by the information in Appendix 1 (Processing Details) and this DPA.
6.2 Cooperation
Each party will provide reasonable information and cooperation required to support transfer compliance (for example, responding to reasonable questionnaires), taking into account confidentiality and security.
7. Assistance and cooperation
Customer is responsible for:
- determining the purposes and means of processing,
- ensuring it has a lawful basis to process Customer Personal Data, and
- providing required notices to data subjects.
MySalesSquad.AI will provide reasonable cooperation as described in Sections 4.5 and 4.6.
8. Return and deletion
8.1 During the Service
Customer can delete Customer Content through the Service where the Service provides deletion controls.
Customer can request deletion assistance by emailing privacy@mysalessquad.ai.
8.2 At the end of the Service
Upon termination or expiration of the Service, MySalesSquad.AI will, at Customer’s choice:
- return Customer Personal Data to Customer, or
- delete Customer Personal Data,
in each case within a reasonable period, unless retention is required by law or is necessary for security, fraud prevention, dispute resolution, or enforcement of the Agreement.
8.3 Backups
Customer Personal Data may remain in encrypted backups until those backups are rotated or expire, consistent with MySalesSquad.AI’s backup practices.
8.4 Beta environment note
Customer acknowledges the Service is currently an invite-only beta. Features may change quickly, and data may be deleted or reset as described in the Agreement and Trust Center policies. Customer should maintain its own backups of any Customer Content it needs to retain.
9. Audits and reviews
9.1 Documentation and questionnaires
MySalesSquad.AI will provide reasonable information to demonstrate compliance with this DPA, which may include:
- responses to reasonable security and privacy questionnaires, and
- available security documentation (if any), such as summaries of controls.
9.2 Onsite audits
Customer may request an onsite audit only if:
- required by Applicable Data Protection Law, or
- a competent supervisory authority requires it, or
- the parties otherwise agree in writing.
Any onsite audit will be:
- limited in scope to systems relevant to Customer Personal Data,
- subject to reasonable advance notice and scheduling,
- conducted no more than once per year (unless required by law),
- subject to confidentiality, and
- at Customer’s expense, unless Applicable Data Protection Law requires otherwise.
10. Liability
Liability arising out of or relating to this DPA is subject to the limitations of liability and exclusions in the Agreement, unless Applicable Data Protection Law requires otherwise.
11. Contact
Privacy: privacy@mysalessquad.ai
Security: security@mysalessquad.ai
Legal: legal@mysalessquad.ai
Appendix 1: Processing Details
A. Subject matter and duration
Subject matter: Processing of Customer Personal Data to provide the Service.
Duration: The term of the Agreement, plus any period required for return/deletion and backup rotation.
B. Nature and purpose of processing
Nature of processing may include:
- hosting, storing, and organizing Customer Content,
- generating outputs requested by Customer (including AI outputs),
- authentication and access control,
- customer support and troubleshooting,
- security logging and abuse prevention.
Purpose of processing: Provide, secure, and improve the Service in accordance with Customer’s documented instructions.
C. Categories of data subjects
Customer Personal Data may relate to:
- Customer’s authorized users,
- Customer’s employees and contractors,
- Customer’s customers, prospects, leads, and business contacts,
- other individuals whose business contact information is included in Customer Content.
D. Types of Personal Data
Customer Personal Data may include:
- identifiers and contact details (name, email, phone, title, company),
- business profile and preferences,
- communications, notes, and documents provided by Customer,
- metadata associated with the use of the Service,
- audio submitted for transcription and the resulting transcripts (if used).
Customer should avoid submitting special categories of data or highly sensitive personal information unless necessary and lawful for Customer’s business purpose.
Appendix 2: Security Measures (high level)
MySalesSquad.AI maintains measures designed to protect Customer Personal Data, which may include:
- logical access controls and least-privilege access,
- session protections and request protections (for example, CSRF protection for state-changing requests and rate limiting on sensitive endpoints),
- encryption in transit (TLS) where available,
- monitoring and logging to detect and investigate security events,
- secure handling of credentials and secrets,
- change management practices appropriate for a beta-stage service,
- incident response practices designed to assess, contain, and remediate security incidents.
Security measures may be updated over time as the Service evolves.
Appendix 3: Subprocessors
A list of current Subprocessors is available on the Trust Center Subprocessors page.