Overview

This Data Processing Agreement ("DPA") governs the processing of personal data by AIMatric (the "Processor") on behalf of the Customer (the "Controller") in connection with AIMatric's AI automation services.

GDPR Compliance

This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws. It applies whenever AIMatric processes personal data on behalf of customers using our cloud services.

This DPA is incorporated into and forms part of the Master Services Agreement, Terms of Service, or other written agreement between AIMatric and Customer governing Customer's use of the Services.

1. Definitions

For the purposes of this DPA, the following definitions apply:

"Personal Data"
Any information relating to an identified or identifiable natural person ('data subject') that is processed by AIMatric on behalf of the Customer in connection with the Services.
"Processing"
Any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Controller"
The Customer, who determines the purposes and means of the processing of Personal Data.
"Processor"
AIMatric, which processes Personal Data on behalf of the Controller.
"Sub-Processor"
Any third party engaged by AIMatric to process Personal Data on behalf of the Customer.
"Data Subject"
An identified or identifiable natural person whose Personal Data is processed.
"Data Breach"
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Standard Contractual Clauses"
The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.

2. Scope and Roles

2.1 Parties' Roles

The parties acknowledge and agree that with regard to the processing of Personal Data in connection with the Services:

DATA CONTROLLER

Customer

Determines the purposes and means of processing Personal Data. Responsible for ensuring lawful grounds for processing and providing required notices to data subjects.

DATA PROCESSOR

AIMatric

Processes Personal Data only on documented instructions from the Customer and in accordance with this DPA and applicable data protection laws.

2.2 Subject Matter of Processing

AIMatric will process Personal Data as necessary to provide the Services, which may include:

  • AI agent deployment and management
  • Customer support automation (SALLY)
  • Marketing automation (MARK)
  • Virtual assistance and lead intelligence (VALI)
  • Financial reconciliation automation (REKON)
  • Data analytics and reporting

2.3 Categories of Data Subjects

Personal Data processed may relate to the following categories of data subjects:

  • Customer's employees and contractors
  • Customer's end-users and customers
  • Customer's business contacts and prospects
  • Any other individuals whose data is processed through the Services

2.4 Types of Personal Data

The types of Personal Data processed may include:

  • Contact information (name, email, phone, address)
  • Account credentials and authentication data
  • Communication content (messages, support tickets)
  • Usage data and interaction logs
  • Financial and transaction data (where applicable)
  • Any other data submitted by Customer to the Services

Special Categories of Data: Customer should not submit special categories of personal data (e.g., health data, biometric data, religious beliefs) unless explicitly agreed in writing with AIMatric and appropriate safeguards are in place.

3. Processor Obligations

AIMatric, as the Processor, agrees to the following obligations:

Documented Instructions

Process Personal Data only on documented instructions from the Customer, including transfers to third countries, unless required by law.

Confidentiality

Ensure that all personnel authorized to process Personal Data have committed to confidentiality or are under appropriate statutory obligation of confidentiality.

πŸ›‘οΈ Security Measures

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.

πŸ“ Sub-Processor Terms

Engage Sub-Processors only with prior authorization and ensure they are bound by data protection obligations equivalent to those in this DPA.

Assistance

Assist the Customer in responding to data subject requests and ensuring compliance with GDPR obligations (security, breach notification, DPIAs).

πŸ—‘οΈ Data Deletion

At Customer's choice, delete or return all Personal Data after the end of services and delete existing copies unless storage is required by law.

Audit Support

Make available all information necessary to demonstrate compliance and allow for audits conducted by the Customer or an authorized auditor.

Breach Notification

Notify the Customer without undue delay after becoming aware of a Personal Data breach affecting Customer's data.

4. Security Measures

AIMatric implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

Encryption

Data encrypted in transit (TLS 1.3) and at rest (AES-256)

Access Controls

Role-based access, MFA, and principle of least privilege

Monitoring

24/7 security monitoring and intrusion detection

Backups

Regular encrypted backups with tested recovery procedures

Personnel Security

Background checks, security training, and NDAs

Vulnerability Management

Regular penetration testing and vulnerability assessments

Incident Response

Documented incident response and disaster recovery plans

A detailed description of our security measures is available in our Security Overview documentation.

5. Sub-Processors

5.1 Authorization

Customer provides general authorization for AIMatric to engage Sub-Processors to assist in providing the Services. AIMatric maintains a list of current Sub-Processors and will notify Customer of any intended changes.

5.2 Sub-Processor Obligations

AIMatric ensures that each Sub-Processor is bound by data protection obligations substantially similar to those in this DPA through a written agreement.

5.3 Current Sub-Processors

Sub-Processor             | Purpose                                  | Location
--------------------------|------------------------------------------|-------------
Amazon Web Services (AWS) | Cloud infrastructure and hosting         | US, EU, APAC
Google Cloud Platform     | AI/ML processing and analytics           | US, EU
Stripe                    | Payment processing                       | US
Twilio                    | Communication services (SMS, Voice)      | US
SendGrid                  | Email delivery services                  | US
Datadog                   | Infrastructure monitoring                | US

5.4 Objection to Sub-Processors

Customer may object to AIMatric's use of a new Sub-Processor by notifying AIMatric in writing within 30 days of receiving notice. If Customer objects on reasonable grounds relating to data protection, AIMatric will work with Customer to find a mutually acceptable resolution.

6. International Data Transfers

AIMatric may transfer Personal Data to countries outside the European Economic Area (EEA), United Kingdom, or Switzerland. When such transfers occur, AIMatric ensures appropriate safeguards are in place:

Standard Contractual Clauses

EU Commission-approved SCCs are incorporated into agreements with Sub-Processors located outside the EEA.

Adequacy Decisions

Transfers to countries with EU adequacy decisions (e.g., UK, Canada, Japan, Switzerland).

πŸ›‘οΈ Additional Safeguards

Supplementary measures including encryption, access controls, and transfer impact assessments.

EU-US Data Privacy Framework

Where applicable, AIMatric relies on the EU-US Data Privacy Framework for transfers to certified US organizations. Customers can request information about the specific transfer mechanisms used for their data.

7. Data Subject Rights

AIMatric will assist the Customer in fulfilling its obligations to respond to data subject requests exercising their rights under applicable data protection laws:

πŸ‘οΈ

Right of Access

Obtain confirmation of processing and access to their personal data

Right to Rectification

Request correction of inaccurate or incomplete personal data

Right to Erasure

Request deletion of personal data under certain circumstances

Right to Restriction

Request limitation of processing in specific situations

Right to Portability

Receive data in a structured, commonly used format

Right to Object

Object to processing based on legitimate interests or direct marketing

Request Handling: AIMatric will promptly notify Customer of any data subject request received directly and will not respond to such requests without Customer's prior authorization, unless legally required to do so.

8. Data Breach Notification

In the event of a Personal Data breach, AIMatric will notify Customer without undue delay and provide the following information:

Within 24 Hours

Initial Notification

AIMatric will notify Customer of the breach, providing initial details including the nature of the breach and approximate number of data subjects affected.

Within 72 Hours

Detailed Report

AIMatric will provide a comprehensive report including categories of data affected, likely consequences, and measures taken or proposed to address the breach.

Ongoing

Continued Updates

AIMatric will provide ongoing updates as new information becomes available and assist Customer with any regulatory notifications or data subject communications.

9. Audit Rights

AIMatric will make available to Customer information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable data protection laws.

Audit Procedures

  • Customer may submit written audit requests with at least 30 days' advance notice
  • Audits will be conducted during normal business hours and will not unreasonably disrupt operations
  • Customer may engage a qualified third-party auditor, subject to confidentiality obligations
  • Customer is responsible for costs associated with audits unless the audit reveals material non-compliance
  • AIMatric will cooperate with regulatory audits and inspections as required by law

10. Term and Termination

10.1 Duration

This DPA shall remain in effect for as long as AIMatric processes Personal Data on behalf of the Customer under the Agreement.

10.2 Data Return and Deletion

Upon termination of the Services or upon Customer's written request, AIMatric shall, at Customer's election:

Return Data

Return all Personal Data to Customer in a commonly used, machine-readable format within 30 days of the request.

πŸ—‘οΈ Delete Data

Securely delete all Personal Data and certify such deletion in writing within 90 days, unless retention is required by law.

10.3 Survival

The provisions of this DPA that by their nature should survive termination shall remain in effect, including confidentiality obligations and limitations of liability.

11. Liability

11.1 Liability Cap

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA limits either party's liability for breaches that cannot be limited under applicable law.

11.2 Indemnification

Each party shall indemnify the other for any damages, fines, or penalties arising from its own breach of this DPA or applicable data protection laws, to the extent permitted by the Agreement.

Regulatory Fines: In the event of regulatory action, each party shall bear its own fines and penalties to the extent such fines result from that party's breach of its obligations under this DPA or applicable law.

12. Contact Information

For questions about this Data Processing Agreement or to exercise any rights under this DPA, please contact us:

Data Protection Officer

dpo@aimatric.com

Legal Department

legal@aimatric.com