Version 2025-10-01 (supersedes all prior versions)

This Data Processing Addendum (“DPA”) forms part of and is incorporated by reference into the applicable agreement between SimplyAsk.ai Inc. (“Processor”, “SimplyAsk.ai”, “we”, “us”, “our”) and the customer or partner identified in that agreement (“Controller”, “Customer”, “you”, “your”) that governs your use of the Services (the “Agreement”). Capitalized terms not defined in this DPA have the meanings set out in the Agreement.

By executing the Agreement (including acceptance of the Terms of Service), or by executing a Side Letter or Order referencing this DPA, the Parties agree to the terms of this DPA. This DPA prevails over any conflicting data‑protection terms in the Agreement to the extent of the conflict.

1. Definitions

• “Applicable Data Protection Laws” means all laws and regulations relating to data protection, privacy and the Processing of Personal Data, including as applicable: the EU GDPR, UK GDPR, Swiss FADP, BC PIPA, Canada’s PIPEDA, Mexico’s LFPDPPP and its Regulations, and the California Consumer Privacy Act as amended by the CPRA, each as updated or replaced.
• “BC PIPA” means the British Columbia Personal Information Protection Act (SBC 2003, c. 63).
• “CPRA” means the California Privacy Rights Act (amending the CCPA).
• “EU GDPR” means Regulation (EU) 2016/679.
• “LFPDPPP” means the Mexican Ley Federal de Protección de Datos Personales en Posesión de los Particulares and its Regulations.
• “Personal Data” means any information relating to an identified or identifiable natural person that Processor Processes on behalf of Controller under the Agreement, including Customer Data and End‑Customer data within the Services.
• “Processing” (and “Process”) means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure or destruction.
• “Sub‑processor” means any Processor Affiliate or third party engaged by Processor to Process Personal Data on Controller’s behalf.
• “UK GDPR” means the EU GDPR as incorporated into UK law by the UK European Union (Withdrawal) Act 2018.

2. Roles; scope; instructions

2.1 Roles. Controller is the “controller” (or equivalent, such as “business” under the CPRA). Processor is the “processor” (or equivalent, such as “service provider”/“contractor” under the CPRA and “encargado” under the LFPDPPP) with respect to Personal Data Processed under the Agreement.

2.2 Instructions. Processor will Process Personal Data only on documented instructions from Controller, including the Agreement, this DPA, configurations made by Controller within the Services, and Controller’s written instructions reasonably provided from time to time. Processor will promptly inform Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws (without providing legal advice).

2.3 Purpose limitation. Processor will not retain, use, disclose or otherwise Process Personal Data for purposes other than performing the Services and its obligations under the Agreement, or as required by law.

3. Processor obligations

3.1 Confidentiality. Processor will ensure that persons authorized to Process Personal Data are subject to appropriate confidentiality obligations and receive appropriate data‑protection training.

3.2 Security. Processor will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such measures include, at a minimum:

• encryption in transit and at rest, where applicable;
• access controls, authentication and least‑privilege principles;
• network security, logging and monitoring;
• vulnerability management and security testing;
• incident‑response procedures;
• business continuity and disaster recovery; and
• personnel security and training. A current description of Processor’s measures is set out in Annex 2 (Technical and Organizational Measures).

3.3 Sub‑processing. Controller authorizes Processor to engage Sub‑processors to Process Personal Data. Processor will:

• maintain an up‑to‑date list of Sub‑processors and processing locations at https://www.simplyask.ai/legal/subprocessors (or successor URL); and
• notify Controller at least thirty (30) days before appointing a new Sub‑processor, by posting an update at the URL above (and, where feasible, by email or in‑product notice).

3.4 Data subject requests. Taking into account the nature of Processing, Processor will assist Controller by appropriate technical and organizational measures, insofar as possible, to fulfill Controller’s obligation to respond to requests to exercise data‑subject rights (e.g., access, rectification, deletion, restriction, objection). If Processor receives a request directly, it will promptly notify Controller and not respond except on Controller’s documented instructions, unless required by law. To the extent legally permitted, Processor may charge reasonable costs for support that is material or outside the normal operation of the Services.

3.5 DPIAs; consultations. Processor will provide reasonable assistance to Controller with data‑protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of Processing and the information available to Processor. Reasonable costs may apply where the effort is material or outside the normal operation of the Services.

3.6 Security incidents. Processor will notify Controller without undue delay, and in any event no later than seventy‑two (72) hours after confirming a Personal Data Breach affecting Controller’s Personal Data. Such notice will describe, to the extent known: the nature of the incident, affected data categories and approximate number of data subjects/records, likely consequences, and measures taken or proposed to address it. Processor will reasonably cooperate with Controller’s investigation, mitigation and notifications. Processor’s notification is not an admission of fault.

3.7 Records; audits. Processor will maintain records of Processing activities required by law and make them available to supervisory authorities upon request. No more than once per twelve (12) months, and on at least thirty (30) days’ prior written notice, Controller (or its independent auditor, not a competitor, bound by confidentiality) may audit Processor’s compliance with this DPA. Audits will:

• be conducted during normal business hours, in a manner that minimizes disruption;
• be limited to information reasonably necessary to verify compliance with this DPA;
• first rely on documentation, security questionnaires, and/or independent third‑party reports/certifications (e.g., SOC 2, if available); and
• proceed to a targeted on‑site review only if the foregoing are insufficient to demonstrate compliance. Controller bears audit costs unless a material breach is found, in which case Processor will reimburse reasonable, documented audit costs.

3.8 Return or deletion. Upon termination or expiry of the Agreement, Controller may retrieve Personal Data for thirty (30) days. Thereafter, Processor will delete or anonymize Personal Data within commercially reasonable timelines, unless retention is required by law or for the establishment, exercise or defense of legal claims. On Controller’s written request, Processor will certify deletion/anonymization. Deletion from backups occurs on the next scheduled rotation.

4. Cross‑border data transfers

4.1 General. Processor may Process and transfer Personal Data in Canada, the United States, and other regions used for resilience as disclosed at the Sub‑processor URL.

4.2 EU/EEA/Swiss transfers. To the extent Personal Data subject to EU GDPR or Swiss FADP is transferred by Controller (as data exporter) to Processor (as data importer) in a country not deemed to provide an adequate level of protection, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) (“EU SCCs”) are incorporated by reference as set forth in Annex 4A, with the modules, options and annexes completed as described therein. The parties also agree to implement supplementary measures as needed and cooperate in good faith on transfer impact assessments.

4.3 UK transfers. To the extent UK GDPR applies, the UK International Data Transfer Addendum (the “UK Addendum”) issued by the UK ICO is incorporated by reference as set out in Annex 4B and applies to transfers from the UK.

4.4 Swiss addendum. For transfers subject to Swiss FADP, the adaptations set out in Annex 4C apply to the EU SCCs.

4.5 Mexico. Controller acknowledges and consents that Personal Data may be transferred to and stored in Canada and the United States for the purposes of the Agreement. Transfers will comply with LFPDPPP requirements.

4.6 Other transfers. For other restricted transfers, the parties will implement appropriate safeguards such as SCCs or other lawful transfer mechanisms.

5. Controller obligations

5.1 Lawful instructions. Controller warrants that it has provided all notices and obtained all authorizations/consents (if required) and has a valid legal basis for the Processing of Personal Data and for any instructions it issues to Processor.

5.2 Data minimization and quality. Controller will provide only the Personal Data reasonably necessary for the Services, and will ensure Personal Data are accurate and up‑to‑date where feasible.

6. CPRA service‑provider/contractor terms (California) Where Processor Processes Personal Information (as defined under the CPRA) on behalf of Controller:

6.1 Purpose limitation. Processor will Process the Personal Information only to provide the Services and perform the Agreement, for limited internal use to build or improve the Services (provided the Personal Information is not used to build or improve separate products), to detect data security incidents and protect against malicious or illegal activity, to comply with law, or for other purposes permitted by the CPRA and its regulations.

6.2 No sale/share; restrictions. Processor will not: (a) sell or share (for cross‑context behavioral advertising) Personal Information; (b) retain, use or disclose Personal Information for any purpose other than the business purposes specified in the Agreement; (c) retain, use or disclose Personal Information outside the direct business relationship with Controller; or (d) combine Personal Information received from Controller with personal information received from third parties, except as permitted by the CPRA (e.g., to detect data security incidents or to comply with law).

6.3 Subcontractors. Processor will flow down the same CPRA restrictions to subcontractors and will remain liable for their performance.

6.4 Assistance; deletion/correction. Processor will assist Controller with consumer requests (access, deletion, correction, opt‑out) to the extent required. Upon Controller’s direction, Processor will delete or return Personal Information, unless retention is required by law. Processor certifies it understands and will comply with these obligations.

6.5 Monitoring. Controller may monitor Processor’s compliance with this Section 6 through the audit rights in Section 3.7.

7. LFPDPPP (Mexico) encargado terms

7.1 Encargado obligations. As an “encargado”, Processor will: (a) Process Personal Data only on Controller’s instructions and for the authorized purposes; (b) implement appropriate security measures; (c) keep confidentiality; (d) not transfer Personal Data to third parties except Sub‑processors authorized under this DPA or as required by law; (e) assist Controller with ARCO rights and other obligations under applicable law; and (f) delete or return Personal Data upon termination of the Services, subject to legal retention requirements.

7.2 International transfers. International transfers will be performed under this DPA and Applicable Data Protection Laws. Controller authorizes transfers to the Sub‑processors listed at the Sub‑processor URL.

8. Government and legal requests

8.1 Requests. If Processor receives a legally binding request from a public authority for access to Personal Data, Processor will (to the extent legally permitted) promptly notify Controller and limit disclosure to the minimum required by law.

8.2 Challenging requests. Where feasible and lawful, Processor will reasonably challenge unlawful or overbroad requests.

9. Term; termination; survival

9.1 Term. This DPA is effective on the earlier of the Agreement effective date or the date Controller first uses the Services and remains in force until Processor deletes/anonymizes all Personal Data as described in Section 3.8.

9.2 Survival. Sections 3.1–3.8, 4, 6–8, 10–12, and Annexes survive termination to the extent necessary to give effect to their terms.

10. Liability; indemnity; limitation

10.1 Liability. Each Party’s aggregate liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

10.2 Indemnity. Each Party will defend and indemnify the other against third‑party claims to the extent arising from its breach of this DPA or Applicable Data Protection Laws in connection with Personal Data it Processes, subject to the Agreement’s indemnity procedures and limitations.

11. Order of precedence; conflicts

In case of conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data. In case of conflict between this DPA and the EU SCCs, UK Addendum or Swiss addendum, those transfer instruments prevail for the transfers they govern.

12. Miscellaneous

12.1 Governing law; venue. This DPA is governed by the governing law and dispute‑resolution provisions in the Agreement, except that the EU SCCs/UK Addendum/Swiss addendum adopt their own governing law and forum as specified therein.

12.2 Changes. Processor may update the Sub‑processor URL and Annex 2 (TOMs) from time to time to reflect evolving practices, provided that such updates do not materially diminish the protection of Personal Data. Material changes to this DPA will be communicated in accordance with the Agreement.

12.3 Counterparts; electronic acceptance. This DPA may be executed electronically or deemed accepted upon Controller’s acceptance of the Agreement that incorporates this DPA by reference.

Annex 1: Description of Processing

• Subject matter: Processing of Personal Data in connection with Controller’s use of the Services under the Agreement.
• Duration: For the term of the Agreement and the data‑return window described in Section 3.8.
• Nature and purpose: Provision of the Services (AI‑automation platform Symphona), including hosting, storage, retrieval, transmission, display, analysis, workflow execution, AI model inference, communications sending (email/SMS/voice), support, security, billing and operations.
• Categories of data subjects: Controller’s end users; Controller’s customers and prospects (as entered by Controller); employees/contractors of Controller; individuals whose data are contained in content uploaded or ingested by Controller.
• Types of Personal Data: Identifiers (name, email, phone), login information (username, hashed password), business contact details, usage and telemetry data (IP address, device/browser data, in‑app events), content and files uploaded or created by Controller (which may incidentally include personal data), communications metadata, billing identifiers and transaction data.
• Special categories (if any): Not intended. Controller will not intentionally input sensitive data (e.g., health, biometric, financial account numbers, government IDs) unless expressly agreed in writing.
• Processing activities: Collection, storage, use, transmission, analysis, display, deletion, and other operations necessary to provide, secure and support the Services.

Annex 2: Technical and Organizational Measures (TOMs) Processor maintains the following measures, subject to reasonable updates over time:

• Information security program with policies covering access control, asset management, cryptography, physical security, operations security, communications security, system acquisition/development/maintenance, supplier relationships, incident management, and business continuity.
• Governance and training: security awareness and privacy training for personnel; background checks as permitted by law; confidentiality agreements for employees and contractors with access to Personal Data.
• Access controls: unique user IDs; strong authentication; role‑based access; least‑privilege; regular access reviews; MFA for privileged access.
• Encryption: TLS for data in transit; encryption at rest for applicable storage systems.
• Network and infrastructure security: segmentation; firewalls/WAFs; DDoS protections; logging and monitoring; vulnerability scanning; regular patching and hardening; change management.
• Application security: secure SDLC practices; code reviews; dependency scanning; security testing for critical releases; secrets management.
• Data management: data classification; minimization; logical tenant separation; backup and recovery with periodic testing; secure deletion procedures; data retention schedules.
• Incident response: documented and tested IR plan; 24/7 monitoring; forensic logging; breach notification procedures aligned to Section 3.6.
• Third‑party risk management: security due diligence for Sub‑processors; contractual obligations equivalent to this DPA; periodic reviews.
• Physical security: data centers operated by reputable cloud providers (e.g., GCP/AWS) with industry‑standard security controls (badges, CCTV, mantraps, visitor logs).

Annex 3: Authorized Sub‑processors

• Current list and processing locations: https://www.simplyask.ai/legal/subprocessors (or successor URL).
• Notice of changes: Processor will provide at least 30 days’ advance notice of material additions/replacements by updating the URL (and, where feasible, by email or in‑product notice).

Annex 4A: EU Standard Contractual Clauses (SCCs)

• The EU SCCs (Controller‑to‑Processor, Module 2) are incorporated by reference and apply to transfers of Personal Data from the EEA to countries lacking an adequacy decision.
• Clause selections:
  
  • Clause 7 (Docking): applies.
  • Clause 9 (Sub‑processors): Option 2 (general written authorization); 30 days’ prior notice.
  • Clause 11 (Redress): does not apply.
  • Clause 17 (Governing law): the law of Ireland.
  • Clause 18 (Forum): the courts of Ireland.
• Annex I details:
  
  • A. List of Parties:
    
    • Data exporter: Controller (as identified in the Agreement).
    • Data importer: SimplyAsk.ai Inc., Suite 900, 2025 Willingdon Ave, Burnaby, BC V5C 0J3, Canada; privacy@simplyask.ai.
  • B. Description of transfer: as set out in Annex 1.
  • C. Competent supervisory authority: Irish Data Protection Commission unless otherwise required by law.
• Annex II: Technical and organizational measures: as set out in Annex 2.
• Annex III: Sub‑processors: as set out in Annex 3.

Annex 4B: UK Addendum to the EU SCCs

• The UK International Data Transfer Addendum (Version B1.0, issued by the UK ICO) is incorporated by reference. The parties agree:
  
  • Table 1 (Parties): as per Annex 4A (Exporter: Controller; Importer: SimplyAsk.ai Inc.).
  • Table 2 (Selected SCCs): EU SCCs Module 2 as above.
  • Table 3 (Appendices): as per Annexes 1–3 of this DPA.
  • Table 4 (Ending the Addendum): either party may end the Addendum as set out in the UK Addendum.
• Governing law and forum for the UK Addendum: England and Wales.

Annex 4C: Swiss Addendum (FADP Adaptations)

• References to “Member State” and “EU GDPR” are deemed to include Switzerland and the Swiss FADP; references to supervisory authority include the Swiss FDPIC; Clause 18 disputes are subject to the courts of Zurich, Switzerland, and Swiss law governs where required.