Data Processing Agreement


Last Updated: November 1, 2024

If you need a signed copy of this Data Processing Agreement, please contact [email protected].

This Data Processing Agreement, including its Annexes (“DPA”), is entered into by and between Profit Shark, Inc., doing business as AI Business Automation and aibusinessautomation.ai (“aibusinessautomation.ai,” “Processor,” “we,” “us,” or “our”), and the customer entity executing, accepting, or otherwise being bound by the Agreement (“Customer,” “Controller,” or “you,” as applicable).

This DPA forms part of and supplements the applicable Terms of Service, Order Documents, or other written agreement between the parties governing the services (“Agreement”). This DPA reflects the parties’ agreement regarding the Processing of Customer Personal Data by aibusinessautomation.ai on behalf of Customer in connection with the Services.

If there is any conflict between this DPA and the Agreement with respect to the Processing of Customer Personal Data, this DPA shall prevail to the extent of that conflict.

1. DEFINITIONS

For purposes of this DPA, the following definitions apply:

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

“Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, Swiss data protection law, the CCPA/CPRA, and other relevant privacy and data protection laws.

“CCPA/CPRA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any implementing regulations.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data, or any equivalent term under Applicable Data Protection Law.

“Customer Personal Data” means Personal Data processed by Processor on behalf of Customer in connection with the Services under the Agreement.

“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates, or any equivalent term under Applicable Data Protection Law.

“EEA” means the European Economic Area.

“Europe” means, as applicable, the EEA, the United Kingdom, and Switzerland.

“GDPR” means Regulation (EU) 2016/679 and, where applicable, the UK GDPR.

“Personal Data” means any information relating to an identified or identifiable natural person, or any equivalent term such as “personal information” under Applicable Data Protection Law.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise Processed.

“Process” / “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, restriction, deletion, or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller, or any equivalent term under Applicable Data Protection Law.

“Restricted Transfer” means a transfer of Customer Personal Data subject to Chapter V of the GDPR or comparable international transfer restrictions under Applicable Data Protection Law.

“SCCs” means the European Commission’s standard contractual clauses for international data transfers adopted under Commission Implementing Decision (EU) 2021/914, as amended, replaced, or superseded.

“Subprocessor” means any third party engaged by Processor to Process Customer Personal Data on behalf of Customer in connection with the Services.

“UK Addendum” means the UK International Data Transfer Addendum to the EU SCCs approved by the UK Information Commissioner, as amended, replaced, or superseded.

2. SCOPE AND ROLE OF THE PARTIES

2.1 This DPA applies where aibusinessautomation.ai Processes Customer Personal Data on behalf of Customer in connection with the Services.

2.2 The parties acknowledge that, with respect to Customer Personal Data covered by this DPA:

Customer acts as a Controller or as another Processor acting on behalf of its own controller; and

aibusinessautomation.ai acts as a Processor or subprocessor, as applicable.

2.3 This DPA does not apply to the extent aibusinessautomation.ai Processes Personal Data as an independent Controller for its own legitimate business purposes, such as billing, account administration, service security, fraud prevention, business operations, or compliance with legal obligations, as further described in the Privacy Policy.

3. COMPLIANCE WITH APPLICABLE DATA PROTECTION LAW

3.1 Each party shall comply with Applicable Data Protection Law in connection with its performance under this DPA.

3.2 This DPA supplements, and does not replace, the parties’ independent obligations under Applicable Data Protection Law.

4. CUSTOMER INSTRUCTIONS

4.1 Processor shall Process Customer Personal Data only:

on documented instructions from Customer;

as necessary to provide the Services under the Agreement;

as otherwise authorized by this DPA; or

as required by applicable law.

4.2 The Agreement, this DPA, applicable Order Documents, and Customer’s use and configuration of the Services constitute Customer’s complete and documented instructions to Processor regarding the Processing of Customer Personal Data, unless the parties agree to additional written instructions.

4.3 If Processor believes that an instruction infringes Applicable Data Protection Law, Processor shall notify Customer, unless prohibited from doing so by law. ICO guidance identifies documented instructions as a mandatory controller-processor contract term.

4.4 Processor is not obliged to follow an instruction that would require Processor to violate Applicable Data Protection Law or exceed the scope of the Services unless otherwise agreed in writing.

5. CUSTOMER RESPONSIBILITIES

5.1 Customer represents and warrants that:

it has all necessary rights, consents, permissions, authorizations, and lawful bases to provide Customer Personal Data to Processor and to instruct Processor to Process it;

it has provided all required privacy notices;

it has complied, and will comply, with Applicable Data Protection Law in relation to its collection and use of Customer Personal Data; and

its instructions to Processor are lawful.

5.2 Customer remains solely responsible for:

the accuracy, quality, and legality of Customer Personal Data;

the means by which Customer acquired Customer Personal Data;

the lawfulness of Customer’s marketing, messaging, outreach, analytics, or business activities; and

the lawful configuration and use of the Services.

6. NATURE, PURPOSE, AND DETAILS OF PROCESSING

6.1 The subject matter, nature, purpose, duration of Processing, categories of Data Subjects, and categories of Customer Personal Data are described in Annex A.

7. CONFIDENTIALITY

7.1 Processor shall ensure that persons authorized to Process Customer Personal Data:

are informed of the confidential nature of the data;

are subject to appropriate confidentiality obligations; and

access Customer Personal Data only where necessary for the performance of the Services.

Confidentiality is one of the minimum required processor-contract terms under ICO guidance.

8. SECURITY OF PROCESSING

8.1 Processor shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk to Data Subjects.

8.2 The technical and organizational measures currently used by Processor are described in Annex B.

8.3 Processor may update or modify the measures in Annex B from time to time, provided that such changes do not materially reduce the overall level of protection for Customer Personal Data.

Appropriate security measures are another mandatory Article 28 contract element.

9. SUBPROCESSORS

9.1 Customer authorizes Processor to engage Subprocessors in connection with the Services.

9.2 Processor shall maintain a list of authorized Subprocessors in Annex C or by equivalent written notice mechanism.

9.3 Processor shall impose data protection obligations on Subprocessors that are no less protective than those imposed on Processor under this DPA, to the extent applicable to the nature of the services provided by the Subprocessor.

9.4 Processor remains responsible for the performance of its Subprocessors to the extent required by Applicable Data Protection Law and the Agreement.

9.5 Where required by Applicable Data Protection Law, Processor shall provide notice of new or replacement Subprocessors through an updated Annex C, website posting, or other reasonable written mechanism.

Subprocessor terms are explicitly required in controller-processor contracts.

10. ASSISTANCE WITH DATA SUBJECT RIGHTS

10.1 Taking into account the nature of the Processing, Processor shall provide reasonable assistance to Customer, through appropriate technical and organizational measures where feasible, to enable Customer to respond to requests by Data Subjects exercising their rights under Applicable Data Protection Law.

10.2 Unless otherwise expressly stated in the Agreement, Customer remains responsible for responding to Data Subject requests.

10.3 To the extent legally permitted, Processor may refer any Data Subject request received directly to Customer.

10.4 Unless otherwise agreed, Customer shall bear Processor’s reasonable costs for assistance beyond the standard features of the Services.

Assistance with data subject rights is another required Article 28 term.

11. ASSISTANCE WITH SECURITY, DPIAS, AND REGULATORY COOPERATION

11.1 Taking into account the nature of the Processing and the information available to Processor, Processor shall provide reasonable assistance to Customer with:

security of Processing obligations;

Personal Data Breach obligations;

data protection impact assessments, where required; and

prior consultation with supervisory authorities,

to the extent required by Applicable Data Protection Law and to the extent such assistance is reasonable and proportionate in light of the Services provided.

11.2 Unless otherwise agreed, Customer shall bear Processor’s reasonable costs for assistance beyond what is required through the standard Services.

Assistance with broader compliance duties is also one of the required Article 28 themes.

12. PERSONAL DATA BREACH NOTIFICATION

12.1 Processor shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

12.2 Such notification shall include, to the extent known and reasonably available:

a description of the nature of the Personal Data Breach;

the categories of Customer Personal Data affected;

the categories of Data Subjects affected;

the likely consequences of the breach;

measures taken or proposed to address the breach; and

any information reasonably required for Customer to assess notification obligations.

12.3 Processor may provide information in phases as it becomes available.

12.4 Processor’s notification of or response to a Personal Data Breach does not constitute an admission of fault or liability.

13. AUDITS AND INFORMATION RIGHTS

13.1 Processor shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, to the extent required by Applicable Data Protection Law.

13.2 Where Customer cannot reasonably satisfy its audit requirement through information already provided by Processor, Customer may request an audit or inspection, subject to the following conditions:

Customer must provide reasonable prior written notice;

the audit must be limited in scope to matters relevant to this DPA;

the audit must occur no more than once per twelve-month period unless required by law or following a confirmed Personal Data Breach;

the audit must be conducted during normal business hours and in a manner that minimizes disruption;

Customer and its auditor must protect confidential information; and

Customer shall bear its own costs and reimburse Processor’s reasonable internal and external costs unless the audit reveals a material breach by Processor.

Audit/inspection support is also part of the minimum Article 28 package.

14. INTERNATIONAL DATA TRANSFERS

14.1 Where Processor Processes Customer Personal Data subject to the GDPR or other European transfer restrictions and such Processing involves a Restricted Transfer, the parties shall implement an appropriate transfer mechanism recognized under Applicable Data Protection Law.

14.2 For transfers subject to the EU GDPR, the parties may rely on the SCCs, where applicable. The European Commission’s 2021 SCCs remain the relevant official transfer clauses.

14.3 For transfers subject to the UK GDPR, the parties may rely on the UK Addendum to the EU SCCs, or the UK IDTA, where applicable. The ICO states that the Addendum lets organizations rely on the EU SCCs for UK restricted transfers, while the EU SCCs on their own are not valid for UK restricted transfers.

14.4 If additional transfer documentation is reasonably required, the parties shall cooperate in good faith to execute such documentation.

14.5 To the extent required by Applicable Data Protection Law, the parties shall implement supplementary measures and transfer risk assessments where appropriate.

15. RETURN AND DELETION OF CUSTOMER PERSONAL DATA

15.1 Upon termination or expiration of the Agreement, Processor shall, at Customer’s choice and subject to applicable law, delete or return Customer Personal Data, unless retention is required by law.

15.2 If Customer does not provide written instructions within thirty (30) days after termination or expiration, Processor may delete Customer Personal Data in accordance with its standard deletion practices, subject to applicable law and technical limitations.

15.3 This obligation does not require Processor to delete:

archived copies retained for disaster recovery or business continuity purposes until overwritten in the ordinary course;

data retained to comply with legal obligations; or

data retained as necessary to establish, exercise, or defend legal claims.

End-of-contract deletion/return provisions are a required contract element.

16. CCPA / CPRA SERVICE PROVIDER TERMS

16.1 To the extent the CCPA/CPRA applies and Processor Processes Customer Personal Data subject to that law on behalf of Customer, Processor shall act as a “service provider” or “contractor,” as applicable, and shall not:

sell or share such personal information;

retain, use, or disclose such personal information for any purpose other than for the business purposes specified in the Agreement and this DPA, or as otherwise permitted by the CCPA/CPRA;

retain, use, or disclose such personal information outside the direct business relationship between the parties, except as permitted by law; or

combine such personal information with personal information received from another source except as permitted by law.

16.2 Customer is responsible for determining whether the CCPA/CPRA applies to its activities and for providing any required notices and handling any consumer requests.

17. LIABILITY

17.1 The liability of each party arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement, except to the extent such limitations are prohibited by Applicable Data Protection Law.

17.2 Nothing in this DPA excludes or limits either party’s liability to the extent such exclusion or limitation is not permitted by law.

18. TERM AND TERMINATION

18.1 This DPA shall remain in effect for as long as Processor Processes Customer Personal Data on behalf of Customer under the Agreement.

18.2 Termination or expiration of this DPA shall not relieve either party of obligations that by their nature are intended to survive, including confidentiality, liability, and deletion/return obligations.

19. GOVERNING LAW AND JURISDICTION

19.1 This DPA shall be governed by the governing law and dispute resolution provisions set out in the Agreement, unless Applicable Data Protection Law requires otherwise.

19.2 Where SCCs or other mandatory transfer clauses apply, the governing law and forum provisions required by those clauses shall apply to the extent mandated for the relevant transfer arrangement.

20. ORDER OF PRECEDENCE

If there is any conflict between:

the SCCs, UK Addendum, or other mandatory transfer mechanism;

this DPA; and

the Agreement,

then the order of precedence shall be:

first, the SCCs / UK Addendum / mandatory transfer mechanism;

second, this DPA; and

third, the Agreement,

but only to the extent of the relevant conflict.

21. CHANGES TO THIS DPA

21.1 We may update this DPA where necessary to reflect changes in Applicable Data Protection Law, Subprocessors, Services, or operational practices.

21.2 Material changes will become effective upon notice or posting, unless a different effective date is stated.

21.3 Where Applicable Data Protection Law requires bilateral execution of an updated DPA or transfer mechanism, the parties shall cooperate in good faith to execute the required documentation.

22. CONTACT

For any questions regarding this DPA, requests for a signed copy, or privacy-related issues, please contact:

Profit Shark, Inc. d/b/a AI Business Automation / aibusinessautomation.ai

P.O. Box 222447

Hollywood, FL 33022

Email: [email protected]

ANNEX A – DETAILS OF PROCESSING

A. Parties

Data Exporter / Controller:

Customer, as identified in the applicable Agreement, Order Documents, or Platform account.

Data Importer / Processor:

Profit Shark, Inc. d/b/a AI Business Automation / aibusinessautomation.ai

P.O. Box 222447

Hollywood, FL 33022

Email: [email protected]

B. Subject Matter of the Processing

Provision of the Services described in the Agreement, including onboarding, setup, configuration, support, CRM-related services, automation services, AI assistant configuration, integrations, communications tooling support, and related service delivery.

C. Duration of the Processing

For the duration of the Agreement and for any additional period during which Processor retains Customer Personal Data in accordance with the Agreement, this DPA, applicable law, and standard deletion/backup practices.

D. Nature and Purpose of the Processing

Processing may include:

collection;

recording;

organization;

structuring;

storage;

consultation;

use;

transmission;

configuration;

synchronization;

support;

deletion; and

other operations necessary to provide the Services.

The purpose of the Processing is to enable Processor to provide the Services to Customer.

E. Categories of Data Subjects

Depending on Customer’s use of the Services, Data Subjects may include:

Customer’s leads and prospects;

Customer’s customers and clients;

Customer’s employees, contractors, agents, or representatives;

Customer’s business contacts;

website visitors or communication recipients whose data Customer instructs Processor to handle; and

other individuals whose personal data Customer uploads, connects, imports, or otherwise makes available through the Services.

F. Categories of Personal Data

Depending on Customer’s use of the Services, Customer Personal Data may include:

name;

email address;

telephone number;

company name;

job title;

address;

communication history;

CRM and pipeline data;

lead source data;

appointment or booking information;

marketing interaction data;

account identifiers;

notes, tags, custom fields, and workflow-related data;

online identifiers;

IP address where applicable; and

any other Personal Data Customer chooses to upload, connect, or instruct Processor to process.

Sensitive or special category data should not be provided unless expressly agreed and lawfully supported.

G. Frequency of Transfer

Continuous, occasional, or recurring, depending on Customer’s use of the Services.

ANNEX B – TECHNICAL AND ORGANIZATIONAL MEASURES

Processor maintains technical and organizational measures designed to protect Customer Personal Data, including as appropriate:

Access Controls

Role-based or need-based access limitations, credential controls, and internal access management procedures.

Confidentiality Measures

Personnel confidentiality obligations and internal restrictions on access to Customer Personal Data.

Network and Transmission Security

Encryption in transit where supported by the relevant systems and services, including use of HTTPS/TLS where applicable.

System Security Measures

Use of reputable infrastructure and service providers, endpoint protection practices, and reasonable security configuration practices.

Operational Controls

Procedures for onboarding/offboarding access, issue handling, and internal review of permissions where appropriate.

Availability and Resilience

Backup, recovery, and continuity measures where supported by the relevant service architecture and providers.

Vendor Management

Use of Subprocessors and service providers subject to contractual or policy-based privacy and security obligations as appropriate.

Incident Response

Processes for identifying, escalating, investigating, and responding to suspected security incidents affecting Customer Personal Data.

Data Minimization and Storage Practices

Processing limited to what is reasonably necessary for service delivery, support, security, compliance, and business operations.

Testing and Review

Periodic review and updating of technical and organizational measures as appropriate to the Services and risk profile.

For clarity, Annex B describes general categories of measures and does not constitute a guarantee that any specific certification, algorithm, control, or architecture will be maintained unless expressly stated in writing.

ANNEX C – AUTHORIZED SUBPROCESSORS

Important: keep only vendors you actually use now. If a listed vendor is no longer active, remove it before publishing or signing.

Processor may use the following categories of Subprocessors, as applicable to the Services:

Cloud / infrastructure providers

Example purposes: hosting, storage, backups, infrastructure.

Communications providers

Example purposes: SMS, voice, telephony, messaging, email delivery.

Payment processors

Example purposes: billing, payment collection, fraud prevention.

Analytics / diagnostics providers

Example purposes: usage analytics, website diagnostics, service optimization.

Support, scheduling, and collaboration providers

Example purposes: customer support, meetings, ticketing, project coordination.

AI and automation-related providers

Example purposes: model processing, automation support, content generation, AI assistant functions.

Advertising / attribution providers

Example purposes: campaign attribution, conversion tracking, advertising analytics.