This Data Processing Addendum forms part of the Agreement between Customer and Dench and is incorporated by reference. To request a countersigned copy, contact dpa@dench.com.
1. Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service or applicable Order Form (together, the "Agreement").
- "Applicable Data Protection Laws" means privacy and data protection laws that apply to the processing, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), together with other US state privacy laws.
- "Customer Personal Data" means personal data within Customer Data that Dench processes on Customer's behalf to provide the Services.
- "controller," "processor," "business," "service provider," "sell," "share," and "data subject" have the meanings given under Applicable Data Protection Laws.
- "Standard Contractual Clauses" means the EU SCCs annexed to Commission Implementing Decision (EU) 2021/914, the UK International Data Transfer Addendum, and the Swiss SCCs, as applicable.
- "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Customer Personal Data.
2. Roles of the Parties
For Customer Personal Data, Customer is the controller (or a processor acting on behalf of a controller) and business, and Dench is the processor and service provider. Where Customer is a processor, Customer appoints Dench as a subprocessor. For account, billing, and usage data described in our Privacy Policy, Dench acts as a controller.
3. Processing Instructions and Purpose Limitation
Dench will process Customer Personal Data only: (a) to provide and support the Services under the Agreement, (b) in accordance with Customer's documented instructions, including Customer's configuration and use of the Services, (c) as needed to comply with law, and (d) as otherwise agreed in writing. Dench will inform Customer if, in its reasonable opinion, an instruction infringes Applicable Data Protection Laws.
Dench will not sell Customer Personal Data and will not share it for cross-context behavioral advertising. Dench will not retain, use, or disclose Customer Personal Data outside the direct business relationship or for any purpose other than providing the Services, unless Customer directs otherwise in writing.
The Services are not intended for the storage or processing of special categories of data or other highly regulated data (for example, protected health information or full payment card data beyond what Stripe processes) unless the parties agree otherwise in writing. Customer determines what Customer Personal Data it submits.
4. Confidentiality of Personnel
Dench will ensure that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations or a statutory duty of confidentiality.
5. Security Measures
Dench will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to data subjects. A summary of these measures is set out in Annex II to this DPA and on our security page.
6. Subprocessing
Customer provides general authorization for Dench to engage affiliates and third-party subprocessors to process Customer Personal Data to provide the Services. Dench imposes data protection obligations on each subprocessor that are no less protective than those in this DPA, and Dench remains responsible for its subprocessors' performance.
The current subprocessors are listed on our Subprocessors page, where you can subscribe to change notifications. Dench will give notice before authorizing a new subprocessor. Customer may object on reasonable data-protection grounds within 30 days of notice, and if the parties cannot resolve the objection, Customer may terminate the affected Services.
7. Data Subject Requests
Taking into account the nature of the processing, Dench will provide reasonable assistance, including through Service features and, where needed, additional support, to help Customer respond to requests from data subjects to exercise their rights under Applicable Data Protection Laws. If Dench receives such a request directly, it will, where legally permitted, refer the data subject to Customer.
8. Security Incident Notification
Dench will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data, and will provide information reasonably available to it about the nature of the incident, its likely consequences, and the measures taken or proposed to address it. Dench will provide updates as more information becomes available. Notice of a Security Incident is not an acknowledgment of fault or liability.
9. Data Protection Impact Assessments and Consultation
Taking into account the nature of the processing and the information available to Dench, Dench will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Applicable Data Protection Laws, including by providing relevant documentation about the Services.
10. International Data Transfers
Customer authorizes Dench and its subprocessors to process Customer Personal Data in the United States and other countries where Dench or its subprocessors operate, subject to the safeguards in this section.
Where a transfer of Customer Personal Data protected by the GDPR, UK GDPR, or Swiss law is a restricted transfer, the parties agree to the following, in order of precedence: (a) where Dench is certified, the relevant Data Privacy Framework; then (b) the Standard Contractual Clauses, which are incorporated by reference and completed as follows. For the EU SCCs, Module Two applies where Customer is a controller and Module Three where Customer is a processor; the docking clause applies; the supervisory authority and governing law follow the data exporter where required; and the annexes are populated using Annex I and Annex II below. The UK Addendum and Swiss SCCs apply with the corresponding adjustments for transfers protected by UK and Swiss law. By entering into this DPA, the parties are deemed to have signed the applicable Standard Contractual Clauses.
11. Audits and Compliance
Dench will make available information reasonably necessary to demonstrate compliance with this DPA, including third-party certifications and audit reports where available. Where that information is not sufficient to satisfy an audit obligation under Applicable Data Protection Laws, Customer may request an audit on reasonable prior written notice, no more than once per year (except following a Security Incident or where required by a regulator), during business hours, subject to confidentiality and to not unreasonably disrupting Dench's operations, and at Customer's expense.
12. Return and Deletion of Personal Data
Upon termination of the Services, and on Customer's request, Dench will delete or return Customer Personal Data in accordance with the data lifecycle described in the Terms of Service and Privacy Policy, except to the extent retention is required by law, after which Dench will delete the data. Customer is responsible for exporting any data it wishes to retain before termination.
13. CCPA / CPRA Service Provider Terms
To the extent the CCPA applies, Dench acts as a service provider with respect to Customer Personal Data and receives it only to provide the Services (a business purpose). Dench will not sell or share that data, will not retain, use, or disclose it for any purpose other than providing the Services or as otherwise permitted by the CCPA, and will not combine it with personal information from other sources except as permitted by the CCPA. Dench certifies that it understands and will comply with these restrictions.
14. Liability and Order of Precedence
Each party's liability under this DPA is subject to the limitations and exclusions in the Agreement, including the Limitation of Liability section of the Terms of Service. In the event of a conflict between this DPA and the rest of the Agreement regarding the processing of personal data, this DPA controls. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control to the extent of the conflict.
15. Exhibit A: Details of Processing
Annex I: Parties and processing
- Data exporter: Customer, the entity that uses the Services and submits Customer Personal Data.
- Data importer: Merse Originals, Inc. (doing business as Dench), which provides the Services.
- Data subjects: Customer's Authorized Users, and the individuals whose information Customer includes in its workspace, such as contacts, leads, customers, and other business relationships.
- Categories of personal data: identifiers and contact details, professional and organizational information, communications and message content, CRM records and notes, files, and any other personal data Customer chooses to submit.
- Frequency and nature of processing: continuous, as needed to provide the CRM and agent workspace Services, including storage, hosting, AI inference, and automation directed by Customer.
- Purpose: to provide, secure, and support the Services under the Agreement.
- Duration: for the term of the Agreement and the retention periods described in the Privacy Policy and Terms.
Annex II: Technical and organizational measures
- Encryption of data in transit and at rest.
- Access controls and authentication for systems that process Customer Personal Data.
- Cloud secret management and encrypted storage of sensitive configuration.
- Network controls, logging, and monitoring of the production environment.
- Confidentiality obligations for personnel and vetting of subprocessors.
- Backup, recovery, and an incident response process for Security Incidents.
Annex III: Subprocessors
The list of authorized subprocessors is maintained on our Subprocessors page.