SpotDraft VerifAI

This Data Processing Agreement ("DPA") constitutes a legal agreement between You (“User” or “You” or “Your” or “Customer”) and DraftSpotting Technologies Private Limited/ DraftSpotting Inc. (and its affiliates) (“SpotDraft” or “Company” or "Data Processor" or “us”) and reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Customer Personal Data in connection with your use of VerifAI and any associated application provided by SpotDraft. This DPA shall be effective from the date on which you accept this or access VerifAI in any manner (“Effective Date”). 

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

1.1.1 "DPA" means this Data Processing Agreement and all Schedules;

1.1.2 "Customer Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with Customer’s use of VerifAI;

1.1.3 "Contracted Processor" means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data on behalf of Customer subject to this DPA;

1.1.4 "Applicable Data Protection Laws" means the relevant data protection and data privacy laws, rules and regulations to which the Customer Personal Data are subject. "Applicable Data Protection Law(s)" shall include, but not be limited to, the EU General Data Protection Regulation 2016/679 ("GDPR") and its principles and requirements, the United Kingdom Data Protection Act 2018 ("UK DPA"), the UK General Data Protection Regulation as defined by the UK DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, the Privacy and Electronic Communications Regulations 2003, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) ("CCPA") and its implementing regulations, and any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of personal data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time. For the avoidance of doubt, if SpotDraft's Processing activities involving Customer Personal Data are not within the scope of an Applicable Data Protection Law, such law is not applicable for purposes of this DPA;

1.1.5 "EEA" means the European Economic Area;

1.1.6 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.7 "Data Transfer" means:

1.1.7.1 a transfer of Customer Personal Data from the Customer to a Contracted Processor; or

1.1.7.2 an onward transfer of Customer Personal Data from a Contracted Processor to a Sub-Processor, or between two establishments of a Contracted Processor,

in each case, where such transfer would be prohibited by Applicable Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Applicable Data Protection Laws);

1.1.8 "Security Incident(s)" means a breach of security, directly attributable to SpotDraft, leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, Customer Personal Data Processed by SpotDraft;

1.1.9 "Services" means VerifAI product related services that SpotDraft provides.

1.1.10 "Sub-Processor" means any person appointed by or on behalf of Processor to process Customer Personal Data in connection with the DPA.

1.1.11 “2021 Standard Contractual Clauses/ SCCs" means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj.

1.1.12 "VerifAI" means a Microsoft Word Add-In offered by SpotDraft which uses generative artificial intelligence to review contracts against user-specified guidelines written in plain English, streamlines the contract review process, and answers open-ended, contextual and logical questions about contracts.

1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Customer Personal Data

2.1 Processor shall:

2.1.1 comply with all Applicable Data Protection Laws in the Processing of Customer Personal Data; 

2.1.2 not Process Customer Personal Data for any purpose other than the specific purposes set forth in this DPA, or outside the direct business relationship between Customer and SpotDraft, unless obligated to do otherwise by applicable law. In such case, SpotDraft will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. SpotDraft shall comply with any applicable restrictions under Applicable Data Protection Law(s) on combining Customer Personal Data with personal data that SpotDraft receives from, or on behalf of, another person or persons, or that SpotDraft collects from any interaction between it and any individual. Notwithstanding the foregoing, SpotDraft may Process Customer Personal Data for any purposes permitted by Applicable Data Protection Law(s) for "service providers" (as defined in the CCPA) or Processors to undertake. Further details regarding SpotDraft's Processing operations, including the purposes for Processing Customer Personal Data, are set forth in Schedule A;

2.1.3 ensure that it and its Sub-Processors Process Customer Personal Data only in accordance with the documented instructions of Customer. The VerifAI Terms of Use, including this DPA, constitute Customer's complete and final instructions to SpotDraft regarding the Processing of Customer Personal Data, including for purposes of the Standard Contractual Clauses. SpotDraft will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer's instructions and applicable law, or if it otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer's instructions.

2.2 Personal Data Inquiries and Requests. Upon written request from the Customer, SpotDraft shall provide reasonable assistance and comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Applicable Data Protection Laws (e.g., access, rectification, erasure, data portability, etc.). If a request is sent directly to SpotDraft, SpotDraft shall promptly notify Customer and shall not respond to the request unless Customer has authorized SpotDraft to do so. Where necessary, Customer shall inform SpotDraft of any other individual rights requests that SpotDraft must comply with and provide the information necessary for SpotDraft to comply with the request.

2.3 Government Access Requests. Unless prohibited by Applicable Data Protection Laws or by a legally binding request of law enforcement, SpotDraft shall promptly notify Customer of any request by a government agency or law enforcement authority for access to or seizure of Customer Personal Data, and shall render reasonable assistance to Customer if Customer wishes to contest the access or seizure.

3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data, as strictly necessary for the purposes of the Services and to comply with applicable laws in the context of that individual's duties to the Contracted Processor, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Sub-Processing

5.1 SpotDraft may engage Sub-Processors in accordance with this section 5.

5.2 SpotDraft will be fully responsible for any failure by a Sub-Processor to perform the Processing for which it was engaged.

5.3 SpotDraft shall impose on Sub-Processors data protection obligations that are at least as stringent as those in this DPA, including an obligation to implement GDPR-compliant technical and organizational measures.

5.4 The list of Sub-Processors currently engaged by SpotDraft is available at https://www.spotdraft.com/security#data-security. SpotDraft reserves the right to amend the list of Sub-Processors as necessary.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws.

6.2 Processor shall:

6.2.1 promptly notify Customer if it receives a request from a Data Subject under any Applicable Data Protection Law in respect of Customer Personal Data; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Data Protection Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Data Protection Laws, inform Customer of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach

7.1 Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws.

7.2 Processor shall co-operate with the Customer and take such commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. Data Storage and Hosting

SpotDraft will not store or retain any Customer Personal Data except as necessary to perform the Services under the DPA. The Customer Personal Data shall be hosted in the EU.

10. Deletion or return of Customer Personal Data

10.1 Subject to this section 10, SpotDraft shall, upon request from the Customer on cessation of Services involving the Processing of Customer Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Customer Personal Data.

10.2 Upon Customer’s request, SpotDraft will promptly return to Customer a copy of all Customer Personal Data within thirty (30) calendar days.

10.3 All deletion of Customer Personal Data will be conducted in accordance with standard industry practices for deletion of sensitive data.

10.4 Upon Customer’s request, and within 30 calendar days, SpotDraft will provide a certificate of deletion as evidence of deletion of all Customer Personal Data. 

11. Audit rights

11.1 Subject to this section 11, Data Processor shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Contracted Processors.

11.2 Information and audit rights of the Customer only arise under section 11.1 to the extent that this DPA does not otherwise give it information and audit rights meeting the relevant requirements of Applicable Data Protection Laws.

12. Data Transfer

12.1 The Customer acknowledges that Customer Personal Data may be Processed outside the EEA, provided that both of the following conditions are met:

i. SpotDraft shall ensure that adequacy measures, whether binding corporate rules or the SCCs, are in place with each of its Sub-Processors that may Process Customer Personal Data outside the EEA, and upon Customer's request will provide proof of such adequacy measures without undue delay; and

ii. all such Processing will be performed in accordance with the SCCs.

12.2 The SCCs between SpotDraft and Customer shall take effect on the earlier of:

a. the final date of signature of the SCCs; or

b. retroactively, the date of first transfer of Customer Personal Data outside the EEA.

13. Security Incidents. SpotDraft will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents, including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate the harmful effects of Security Incidents, and document Security Incidents and their outcomes, and (ii) restore the availability of or access to Customer Personal Data in a timely manner.

SpotDraft shall provide prompt written notice, without undue delay and within the time frame required under Applicable Data Protection Law(s), to Customer's designated point of contact upon becoming aware of the occurrence of a Security Incident. Such notice will include all available details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or to individuals affected by the Security Incident.

14. Termination. This DPA shall be coterminous with the VerifAI Terms of Use and shall terminate automatically upon their termination.

15. Enforcement and Indemnity.

15.1 Without prejudice to any other rights or remedies that the Data Controller may have, Data Processor hereby acknowledges and agrees that a person with rights under this DPA may be irreparably harmed by any breach of its terms and that damages alone may not be an adequate remedy. Accordingly, a person bringing a claim under this DPA shall be entitled to the remedies of injunction, specific performance or other equitable relief for any breach of the terms of this DPA.

15.2 Data Processor agrees that it will (in addition to, and without affecting, any other rights or remedies that Data Controller may have whether under statute, common law or otherwise) indemnify and hold harmless Data Controller, on demand from and against all claims, liabilities, costs, expenses, loss or damage incurred by Data Controller arising directly from a breach of this DPA by Data Processor or enforcement of any rights under it.

16. General Terms.

16.1 Confidentiality. Each Party must keep this DPA and the information it receives about the other Party and its business in connection with this DPA ("Confidential Information") confidential, and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

(a) disclosure is required by law; or

(b) the relevant information is already in the public domain.

16.2 Notices. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this DPA, or to such other address as notified from time to time by the Party changing its address.

16.2.1 SpotDraft’s point of contact for urgent privacy and security issues (a “Designated POC”) shall be Romit Raj, legal@spotdraft.com 

17. Governing Law and Jurisdiction

17.1 Governing Law and Jurisdiction shall be in accordance with the VerifAI Terms of Use.

SCHEDULE A

PROCESSING ACTIVITIES

1. SpotDraft processes the Customer Personal Data as described below on behalf of the Customer:

· First and last name

· Title

· Position

· Employer

· Contact information (company, email, phone, physical business address)

· Identification Data (email addresses and phone numbers)

· Electronic identification data (IP addresses)

2. Nature of processing of Customer Personal Data

Processing of the data uploaded by Customer to VerifAI.

3. Purpose of the processing of Personal Data

The purpose of Processing of Customer Personal Data by SpotDraft is the performance of the Services.

4. Categories of Data Subjects

· Prospects, customers, business partners and vendors of Customer (who are natural persons).

· Employees or contact persons of Customer’s prospects, customers, business partners and vendors.

· Employees, agents, advisors and freelancers of Customer (who are natural persons).

5. Duration of the processing

The Processing will continue until the expiration or termination of this DPA.

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The Company maintains security measures and policies intended to protect its Users' data, including policies and procedures covering patch management, access control, asset management, business continuity and disaster recovery, confidentiality, network security and other areas. Additionally, the Company is ISO 27001:2013 certified, has completed SOC 2 Type 1 and Type 2 examinations, and maintains the controls those frameworks require.