Key Terms

The key legal terms of the DPA are as follows:


Agreement

This Data Processing Agreement (“DPA”) forms part of the Imentiv AI Terms of Service and sets out the terms under which Imentiv AI processes personal information on behalf of its users.


Approved Controller & Processors

1. Name: Imentiv Inc.
Country of location: USA
Anticipated processing task: Manage cloud service

Approved Sub Processor

2. Name: Asterbyte Software Systems Pvt Ltd
Country of location: India
Anticipated processing task: Manage cloud service



Privacy & Security

As defined in the Terms of Service Agreement


Changes to the Agreement


Service Provider Relationship

To the extent California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq (“CCPA”) applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA.


Restricted Transfers


Governing Member State

EEA Transfers: Netherlands
UK Transfers: England and Wales


Annex I(A) List of Parties


Data Controller & Processor

Name: the Customer signing this DPA
Activities relevant to transfer: See Annex 1(B)
Role: Controller & Processor


Data Controller, Processor, Sub-Processor

Name: the Provider signing this DPA
Contact person: Inderjeet Singh, CEO
Address: 22555 Salem Ave, Cupertino, California 95014, USA
Activities relevant to transfer: See Annex 1(B)
Role: Sub-Processor


Annex I(B) Description of Transfer and Processing Activities


Service

The Service is:
Imentiv AI is a cloud-based advanced Emotion AI platform comprising tools and APIs capable of analyzing human emotions through facial expressions, voice tones, and textual inputs.


Categories of Data Subjects

Customer's end users or customers
Customer's employees


Categories of Personal Data

Video, audio or written text


Special Category Data

Is special category data (as defined in Article 9 of the GDPR) Processed?

Yes


Special Category Data Restrictions or Safeguards


Frequency of Transfer

Regular Transfer as per requirement of the Customer.


Nature and Purpose of Processing

Receiving data, including collection, accessing, retrieval, recording, and data entry
Holding data, including storage, organization, and structuring
Using data, including analysis, consultation, testing, automated decision making, and profiling
Updating data, including correcting, adaption, alteration, alignment, and combination
Protecting data, including restricting, encrypting, and security testing
Sharing data, including disclosure, dissemination, allowing access, or otherwise making available
Returning data to the data controller
Erasing data, including destruction and deletion


Duration of Sub-Processing

Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws.


Annex I(C)


Competent Supervisory Authority

The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.


Annex II


Technical and Organizational Security Measures

See Security Policy

Protecting Customer Personal Data during transmission (in transit):

Use of encryption to protect data during transit

Ensuring limited data retention:

The data is deleted upon user request


This Data Processing Agreement (“DPA”) forms an integral part of and is incorporated by reference into the Terms of Service (“Terms”) of the imentiv.ai website and platform. Capitalized terms not defined herein shall have the meaning assigned to them in the Terms.

This DPA applies to the extent imentiv.ai processes Personal Data in connection with the Services.

1. DEFINITIONS

For the purposes of this DPA:

  • “Applicable Data Protection Laws” means all data protection and privacy laws applicable to the Parties, including but not limited to:
    • Regulation (EU) 2016/679 (GDPR),
    • UK GDPR and Data Protection Act 2018,
    • Digital Personal Data Protection Act, 2023 (India),
    • California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA),
    • other applicable U.S. state privacy laws.
  • “Applicable Laws” means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern a party.
  • “Controller” will have the meaning(s) given in the Applicable Data Protection Laws for the company that determines the purpose and extent of Processing Personal Data.
  • “Cover Page” means a document that is signed or electronically accepted by the parties that incorporates these DPA Standard Terms and identifies Provider, Customer, and the subject matter and details of the data processing.
  • “Customer Personal Data” means Personal Data that Customer uploads or provides to Provider as part of the Service and that is governed by this DPA.
  • “DPA” means these DPA Standard Terms, the Cover Page between Provider and Customer, and the policies and documents referenced in or attached to the Cover Page or Terms of Service.
  • “EEA SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council.
  • “European Economic Area” or “EEA” means the member states of the European Union, Norway, Iceland, and Liechtenstein.
  • “GDPR” means European Union Regulation 2016/679 as implemented by local law in the relevant EEA member nations.
  • “Personal Data” will have the meaning(s) given in the Applicable Data Protection Laws for personal information, personal data, or other similar term.
  • “Processing” or “Process” will have the meaning(s) given in the Applicable Data Protection Laws for any use of, or performance of a computer operation on, Personal Data, including by automatic methods.
  • “Processor” will have the meaning(s) given in the Applicable Data Protection Laws for the company that Processes Personal Data on behalf of the Controller.
  • “Report” means audit reports prepared by another company according to the standards defined in the Security Policy on behalf of Provider.
  • “Restricted Transfer” means (a) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (b) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
  • “Security Incident” means a Personal Data Breach as defined in Article 4 of the GDPR.
  • “Service” means the product and/or services described in the Terms of Service Agreement for the Selected Plan.
  • “Special Category Data” will have the meaning given in Article 9 of the GDPR.
  • “Subprocessor” will have the meaning(s) given in the Applicable Data Protection Laws for a company that, with the approval and acceptance of Controller, assists the Processor in Processing Personal Data on behalf of the Controller.
  • “UK GDPR” means European Union Regulation 2016/679 as implemented by section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018 in the United Kingdom.
  • “UK Addendum” means the international data transfer addendum to the EEA SCCs issued by the Information Commissioner for Parties making Restricted Transfers under S119A(1) Data Protection Act 2018.

2. ROLE OF THE PARTIES

Depending on the nature of the Services and the data involved, imentiv.ai (“Provider”) may act as:

2.1 Data Controller

Provider acts as a Data Controller where it independently determines the purposes and means of Processing, including but not limited to:

  • account management, cloud management and authentication,
  • platform security and fraud prevention,
  • compliance with legal obligations,
  • service analytics and improvement (where permitted by law).

In all such cases, imentiv.ai shall manage and process the Personal Data in accordance with its Privacy Policy, this Data Protection Agreement and Applicable Data Protection Laws.

2.2 Data Processor

Provider acts as a Data Processor where it Processes Personal Data strictly on the approved plan and its instructions chosen by the Customer, including where:

  • Customer uploads or transmits data for analysis,
  • Customer determines the purpose of Processing,
  • imentiv.ai provides Services on behalf of the Customer.

In such cases, Customer shall be the Data Controller.

2.3 Sub-Processor

Provider or its affiliates/subsidiaries/vendors act as a Sub-Processor where the Processor’s affiliates/subsidiaries/vendors Process Personal Data on behalf of the Customer.

In such cases, Provider shall:

  • comply with the obligations imposed by the upstream Controller or Processor, and
  • process Personal Data solely for the purposes defined in the relevant Terms of Service or any supplementary agreements executed between the parties.

3. CUSTOMER OBLIGATIONS (WHERE CUSTOMER IS CONTROLLER)

The Customer represents and warrants that:

  • it has a valid lawful basis for Processing Personal Data;
  • it has provided all required notices and obtained necessary consents;
  • Personal Data provided to Provider is lawfully collected;
  • its instructions comply with Applicable Data Protection Laws;
  • it will comply with the Provider’s requirements stated in the Terms of Service and related policies for Controlling or Processing any personal data.

Consent to Processing. Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Provider and/or the Service, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards required under Applicable Data Protection Laws.

4. PROCESSING INSTRUCTIONS

Where Provider acts as a Processor or Sub-Processor:

  • Processing shall be carried out only on documented instructions as per the chosen plan by the Customer;
  • Provider shall notify the Customer if an instruction violates Applicable Data Protection Laws.

5. CONFIDENTIALITY

imentiv.ai shall ensure that persons authorized to Process Personal Data:

  • are bound by confidentiality obligations; and
  • process data only as necessary to perform the Services.

6. SECURITY MEASURES

imentiv.ai shall implement appropriate technical and organizational measures to protect Personal Data, including:

  • encryption in transit and at rest,
  • access controls and authentication,
  • logging and monitoring,
  • incident response procedures.

7. SUB-PROCESSING

7.1 Customer grants general authorization for imentiv.ai to engage Sub-Processors.

7.2 Provider shall:

  • impose equivalent data protection obligations on Sub-Processors;
  • remain responsible for Sub-Processor compliance; and
  • make available an updated list of Sub-Processors upon request.

7.3. Provider will inform Customer at least 10 business days in advance and in writing of any intended changes to the Approved Subprocessors whether by addition or replacement of a Subprocessor, which allows Customer to have enough time to object to the changes before the Provider begins using the new Subprocessor(s). Provider will give Customer the information necessary to allow Customer to exercise its right to object to the change to Approved Subprocessors. Customer has 30 days after notice of a change to the Approved Subprocessors to object, otherwise Customer will be deemed to accept the changes. If Customer objects to the change within 30 days of notice, Customer and Provider will cooperate in good faith to resolve Customer’s objection or concern.

  • When engaging a Subprocessor, Provider will have a written agreement with the Subprocessor that ensures the Subprocessor only accesses and uses Customer Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of Agreement.
  • If the GDPR applies to the Processing of Customer Personal Data, (i) the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR, if applicable) are also imposed on the Subprocessor, and (ii) Provider’s agreement with the Subprocessor will incorporate these obligations, including details about how Provider and its Subprocessor will coordinate to respond to inquiries or requests about the Processing of Customer Personal Data. In addition, Provider will share, at Customer’s request, a copy of its agreements (including any amendments) with its Subprocessors. To the extent necessary to protect business secrets or other confidential information, including personal data, Provider may redact the text of its agreement with its Subprocessor prior to sharing a copy.
  • Provider remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors in Processing Customer Personal Data. Provider will notify Customer of any failure by its Subprocessors to fulfill a material obligation about Customer Personal Data under the agreement between Provider and the Subprocessor.

8. INTERNATIONAL DATA TRANSFERS

Where Personal Data is transferred outside the jurisdiction of origin, imentiv.ai shall ensure appropriate safeguards, including:

  • EU Standard Contractual Clauses,
  • UK International Data Transfer Addendum, or
  • other lawful transfer mechanisms.
    Restricted Transfers
    • Authorization. Customer agrees that Provider may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If Provider transfers Customer Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Provider will implement appropriate safeguards for the transfer of Customer Personal Data to that territory consistent with Applicable Data Protection Laws.
    • Ex-EEA Transfers. Customer and Provider agree that if the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the EEA to Provider outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, Customer and Provider are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:
      • Module Two (Controller to Processor) of the EEA SCCs apply when Customer is a Controller and Provider is Processing Customer Personal Data for Customer as a Processor.
      • Module Three (Processor to Sub-Processor) of the EEA SCCs apply when Customer is a Processor and Provider is Processing Customer Personal Data on behalf of Customer as a Subprocessor.
      • For each module, the following applies (when applicable):
        • The optional docking clause in Clause 7 does not apply;
        • In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Subprocessor changes is 10 business days;
        • In Clause 11, the optional language does not apply;
        • All square brackets in Clause 13 are removed;
        • In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of Governing Member State;
        • In Clause 18(b), disputes will be resolved in the courts of the Governing Member State; and
        • The Cover Page to this DPA contains the information required in Annex I, Annex II, and Annex III of the EEA SCCs.
    • Ex-UK Transfers. Customer and Provider agree that if the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the United Kingdom to Provider outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, Customer and Provider are deemed to have signed the UK Addendum and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the UK Addendum, which is completed as follows:
      • Section 3.2 of this DPA contains the information required in Table 2 of the UK Addendum.
      • Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent ICO issues a revised Approved Addendum under Section 18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.
      • The Cover Page contains the information required by Annex 1A, Annex 1B, Annex II, and Annex III of the UK Addendum.
    • Other International Transfers. For Personal Data transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.

9. DATA SUBJECT RIGHTS

Where imentiv.ai acts as a Processor or Sub-Processor, it shall reasonably assist the Customer in responding to Data Subject requests, including requests for access, deletion, or restriction.
imentiv.ai shall not respond directly to Data Subjects unless legally required or instructed.

10. SECURITY INCIDENT RESPONSE

Upon becoming aware of any Security Incident, Provider will: (a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident. Provider’s notification of or response to a Security Incident as required by this DPA will not be construed as an acknowledgment by Provider of any fault or liability for the Security Incident.

11. DATA RETENTION AND DELETION

The Provider shall retain and process Personal Data only for such period as is reasonably necessary to perform its obligations under the Terms of Service and this Data Processing Agreement, unless the retention period is required or permitted under applicable law, regulation, contractual obligation, or lawful order of a governmental or regulatory authority.

Upon receipt of a written request from the Customer, the Provider shall, subject to this clause, use commercially reasonable efforts to delete the Personal Data processed on behalf of the Customer. The Customer acknowledges and agrees that the Provider may retain Personal Data to the extent required for compliance with applicable laws, statutory retention requirements, accounting, tax, audit, dispute resolution, enforcement of contractual rights, or legitimate internal business purposes.

The Provider shall, upon reasonable written request, provide confirmation of deletion of Personal Data; however, such confirmation shall be limited to a statement of compliance with this clause and shall not require the Provider to disclose its internal systems, processes, or security measures.

12. CCPA / CPRA COMPLIANCE

Where applicable, imentiv.ai acts as a Service Provider and:

  • does not sell or share Personal Data,
  • does not retain, use, or disclose Personal Data outside the Services,
  • processes Personal Data solely for permitted business purposes.

13. AUDIT AND COMPLIANCE

Provider shall make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and security obligations.

Audit Rights. Provider will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and Provider will allow for and contribute to audits, including inspections by Customer, to assess Provider’s compliance with this DPA. However, Provider may restrict access to data or information if Customer’s access to the information would negatively impact Provider’s intellectual property rights, confidentiality obligations, or other obligations under Applicable Laws. Customer acknowledges and agrees that it will only exercise its audit rights under this DPA and any audit rights granted by Applicable Data Protection Laws by instructing Provider to comply with the reporting and due diligence requirements below. Provider will maintain records of its compliance with this DPA for 3 years after the DPA ends.

Security Reports. Customer acknowledges that Provider is regularly audited against the standards defined in the Security Policy by independent third-party auditors. Upon written request, Provider will give Customer, on a confidential basis, a summary copy of its then-current Report so that Customer can verify Provider’s compliance with the standards defined in the Security Policy.

Security Due Diligence. In addition to the Report, Provider will respond to reasonable requests for information made by Customer to confirm Provider’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, or by giving additional information about its information security program. All such requests must be in writing and made to the Provider Security Contact and may only be made once a year.

14. COORDINATION & COOPERATION

Response to Inquiries. If Provider receives any inquiry or request from anyone else about the Processing of Customer Personal Data, Provider will notify Customer about the request and Provider will not respond to the request without Customer’s prior consent. Examples of these kinds of inquiries and requests include a judicial or administrative or regulatory agency order about Customer Personal Data where notifying Customer is not prohibited by Applicable Law, or a request from a data subject. If allowed by Applicable Law, Provider will follow Customer’s reasonable instructions about these requests, including providing status updates and other information reasonably requested by Customer. If a data subject makes a valid request under Applicable Data Protection Laws to delete or opt out of Customer’s giving of Customer Personal Data to Provider, Provider will assist Customer in fulfilling the request according to the Applicable Data Protection Law. Provider will cooperate with and provide reasonable assistance to Customer, at Customer’s expense, in any legal response or other procedural action taken by Customer in response to a third-party request about Provider’s Processing of Customer Personal Data under this DPA.

DPIAs and DTIAs. If required by Applicable Data Protection Laws, Provider will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities, taking into consideration the nature of the Processing and Customer Personal Data.

15. LIABILITY

Liability arising under this DPA shall be subject to the limitations of liability set forth in the Terms of Service, except where prohibited by Applicable Data Protection Laws.

16. GOVERNING LAW AND PRECEDENCE

This DPA shall be governed by the law specified in the Terms of Service.
In the event of conflict, this DPA shall prevail with respect to data protection matters.

17. CONFLICTS BETWEEN DOCUMENTS

This DPA forms part of the Terms of Service. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum or any applicable Data Protection Laws, (2) this DPA, and then (3) the Terms of Service.

This DPA is effective upon acceptance of the Terms of Service.