Data Processing Addendum

1. Definitions

"Agreement" means the written or online agreement governing Customer's use of the Data Parrot Services.

"Customer" means the entity that has entered into the Agreement with Data Parrot.

"Customer Personal Data" means personal data that Data Parrot processes on behalf of Customer in providing the Services.

"Data Protection Laws" means applicable privacy and data protection laws, including the GDPR, UK GDPR, Swiss data protection law, the CCPA as amended by the CPRA, and other similar privacy laws to the extent applicable to the processing of Customer Personal Data.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Data Parrot's possession or control.

"Services" means Data Parrot's hosted software, applications, integrations, support, and related services provided under the Agreement.

"Subprocessor" means a third party engaged by Data Parrot to process Customer Personal Data on behalf of Customer in connection with the Services.

2. Scope and Roles

This Data Processing Addendum (DPA) forms part of the Agreement between Customer and Data Parrot and applies only to Data Parrot's processing of Customer Personal Data under the Agreement.

For Customer Personal Data subject to Data Protection Laws, Customer is the controller or business, and Data Parrot is the processor or service provider acting on Customer's behalf. If Customer is a processor acting on behalf of a third-party controller, Data Parrot acts as Customer's subprocessor.

Customer remains responsible for determining the purposes and means of processing Customer Personal Data, providing required notices, obtaining required consents, and ensuring that Customer's instructions comply with applicable law.

3. Processing Instructions

Customer instructs Data Parrot to process Customer Personal Data as necessary to provide, secure, support, maintain, and improve the Services for Customer; to comply with applicable law; and as otherwise documented in the Agreement, this DPA, Customer's configuration and use of the Services, or Customer's written instructions.

Data Parrot may use aggregated or de-identified usage and performance information to understand and improve the Services, provided that such information does not identify Customer, users, or individuals.

Data Parrot will not sell Customer Personal Data, share Customer Personal Data for cross-context behavioral advertising, or process Customer Personal Data outside the direct business relationship with Customer except as permitted by Data Protection Laws.

Data Parrot does not use Customer Personal Data, connected customer data, or personal data collected through the Services to train generalized artificial intelligence or machine learning models.

4. Description of Processing

Subject matter: Data Parrot's provision of sales intelligence, workflow, integration, analytics, reporting, AI-assisted, and related software services to Customer.

Duration: For the term of the Agreement and as required to provide the Services, comply with law, resolve disputes, enforce agreements, complete active-system deletion, or allow backups and permitted records to expire in accordance with Data Parrot's retention practices.

Nature and purpose: Collection, retrieval, synchronization, hosting, storage, organization, analysis, transformation, enrichment, transmission, display, deletion, support, security monitoring, and related processing needed to provide the Services.

Frequency: Continuous or as initiated by Customer, its authorized users, or enabled integrations.

Categories of data subjects: Customer personnel, authorized users, prospects, customers, customer personnel, business contacts, meeting participants, and other individuals whose information is included in Customer Personal Data.

Categories of personal data: Names, business contact details, company information, CRM records, deal and activity data, communications metadata, meeting or transcript information where enabled, user account information, usage data, and other business information submitted or authorized by Customer.

Sensitive data: The Services are not intended for regulated sensitive data such as protected health information, payment card data other than information handled by payment processors, government identification numbers, children's data, or special categories of personal data unless Data Parrot has expressly agreed in writing to support that data type.

5. Confidentiality and Personnel

Data Parrot will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations or appropriate statutory obligations of confidentiality.

Data Parrot will limit personnel access to Customer Personal Data to those who need access to provide, secure, support, or maintain the Services or to comply with applicable law.

6. Security Measures

Data Parrot will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

These measures may include access controls, authentication controls, encryption or equivalent protections where appropriate, logging and monitoring, backup and recovery controls, vulnerability management practices, and vendor security review processes appropriate to the nature of the Services.

Customer is responsible for configuring and using the Services in a manner appropriate for the sensitivity of Customer Personal Data and for managing its users, credentials, connected accounts, and integration permissions.

7. Subprocessors

Customer authorizes Data Parrot to engage Subprocessors to provide the Services. Data Parrot remains responsible for its Subprocessors' performance of data-processing obligations relating to Customer Personal Data.

Data Parrot will enter into written agreements with Subprocessors that impose data protection obligations materially consistent with this DPA, taking into account the nature of the services provided by the Subprocessor.

Data Parrot maintains a customer-shareable Subprocessor list and will provide it upon request as part of a security or privacy review.

If Data Parrot adds or replaces a Subprocessor that materially processes Customer Personal Data, Data Parrot will provide notice through a reasonable channel. Customer may object on reasonable data protection grounds, and the parties will work in good faith to address the objection.

8. International Transfers

Customer acknowledges that Data Parrot and its Subprocessors may process Customer Personal Data in the United States and other countries where Data Parrot or its Subprocessors operate.

Where Data Protection Laws require transfer safeguards for Customer Personal Data, Data Parrot will use appropriate safeguards such as standard contractual clauses, adequacy decisions, data privacy frameworks, or other lawful transfer mechanisms.

If the European Commission Standard Contractual Clauses or UK transfer addendum are required for a restricted transfer, they are incorporated into this DPA by reference to the extent required by applicable law.

9. Assistance and Data Subject Requests

Taking into account the nature of processing and information available to Data Parrot, Data Parrot will reasonably assist Customer with requests relating to data subject rights, security of processing, data protection impact assessments, regulatory consultations, and deletion or return of Customer Personal Data.

If Data Parrot receives a request from a data subject relating to Customer Personal Data, Data Parrot will direct the requester to Customer where reasonably practicable and will not respond on Customer's behalf unless required by law or authorized by Customer.

Customer will reimburse Data Parrot for reasonable costs of assistance where permitted by the Agreement and applicable law.

10. Personal Data Breach

Data Parrot will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

Data Parrot will provide information reasonably available to Data Parrot to help Customer meet its own breach-notification obligations, including the nature of the incident, affected data where known, remediation steps taken or planned, and contact information for follow-up.

Data Parrot's notification of or response to a Personal Data Breach is not an admission of fault or liability.

11. Return and Deletion

Upon termination or expiration of the Agreement, or upon Customer's verified written request, Data Parrot will delete or return Customer Personal Data in accordance with the Agreement and Customer's reasonable written instructions.

Unless retention is required by applicable law or for security, fraud-prevention, dispute-resolution, tax, accounting, or compliance purposes, Data Parrot deletes Customer Personal Data from active production systems within 30 days. Production database backups expire on a rolling basis according to Data Parrot's managed database backup schedule, currently within 7 days.

Logs, records, backups, and archives retained for permitted purposes remain protected and are not further processed except for those permitted purposes.

12. Audit and Compliance Information

Upon reasonable written request, Data Parrot will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and operational restrictions.

Any customer-requested audit must be conducted no more than once annually unless required by Data Protection Laws or following a confirmed Personal Data Breach, during normal business hours, on reasonable notice, and in a manner that does not unreasonably interfere with Data Parrot's operations.

Data Parrot may satisfy audit requests by providing security documentation, third-party reports, written responses, policies, or other evidence reasonably appropriate to the request.

13. CCPA Service Provider Terms

To the extent the CCPA applies, Data Parrot acts as a service provider or contractor for Customer Personal Data processed on behalf of Customer.

Data Parrot will not retain, use, disclose, sell, or share Customer Personal Data except as necessary to provide the Services, as permitted by the Agreement, this DPA, and applicable law, or as otherwise instructed by Customer.

Data Parrot will not combine Customer Personal Data with personal data received from or on behalf of another person except as permitted for service providers or contractors under the CCPA and its implementing regulations.

Data Parrot certifies that it understands and will comply with the restrictions in this section.

14. Order of Precedence and Modifications

If there is a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA controls to the extent of the conflict.

Data Parrot may update this DPA from time to time to reflect changes in law, the Services, or Data Parrot's privacy and security practices. Material changes will be posted on this page or communicated through a reasonable channel.