Data Processing Addendum

"Customer Personal Data" means the Personal Data processed by Intempt on behalf of Customer in connection with the provision of the Services.

"Data Protection Laws" means all applicable laws, rules, and regulations relating to the privacy, confidentiality, or security of Personal Data, including without limitation the GDPR, the UK GDPR, and the CCPA, as amended from time to time.

"Security Incident" means any unauthorized access to, acquisition of, or disclosure of Customer Personal Data.

"Subprocessor" means any third party engaged by Intempt to process Customer Personal Data on Intempt's behalf.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission for the transfer of Personal Data to countries outside the EEA.

"UK Addendum" means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner.

2.1 You are responsible for complying with all applicable Data Protection Laws in connection with your use of the Services, including providing all required notices to data subjects, obtaining all necessary consents, and maintaining appropriate lawful bases for processing.

2.2 You determine what Customer Personal Data is collected through the Services and how it is processed. Intempt processes Customer Personal Data solely in accordance with your documented instructions.

2.3 This Agreement, together with your configuration of the Services, constitutes your complete and documented instructions to Intempt for the processing of Customer Personal Data. You acknowledge that per-customer AI model training within your isolated tenant environment is a core, disclosed, and necessary component of the Services and constitutes a documented instruction for processing Customer Personal Data for the purpose of providing the Services.

2.4 You may not submit to the Services: (a) protected health information subject to HIPAA; (b) payment card data subject to PCI-DSS; (c) government-issued identification numbers; (d) special categories of personal data under GDPR Article 9; or (e) personal data of children under thirteen (13) — unless you have entered into a separate written agreement with Intempt specifically authorizing such use. Intempt will have no liability whatsoever for Sensitive Data submitted in violation of this Section, whether in connection with a Security Incident, Regulatory Action, or otherwise.

3.1 Intempt will process Customer Personal Data only as necessary to: (a) provide, secure, and maintain the Services; (b) comply with your documented instructions; and (c) comply with applicable law.

3.2 All Intempt personnel who process Customer Personal Data are bound by written confidentiality obligations.

3.3 Intempt will implement and maintain appropriate technical and organizational security measures as described in Annex 2 of this DPA.

3.4 In the event of a Security Incident involving Customer Personal Data, Intempt will notify you within seventy-two (72) hours of confirming the incident, where feasible.

3.5 Intempt will provide reasonable assistance with data subject requests and data protection impact assessments, at your cost where such assistance requires significant effort.

4.1 Intempt provides self-service tools and APIs that enable you to respond to data subject requests for access, correction, export, and deletion.

4.2 If Intempt receives a data subject request directly, we will redirect the request to you unless we are legally required to respond.

5.1 You grant Intempt a general written authorization to engage Subprocessors for the processing of Customer Personal Data.

5.2 The current list of Subprocessors is maintained at https://intempt.com/subprocessors.

5.3 Intempt will provide at least thirty (30) days' advance written notice before engaging any new Subprocessor. If you object to a new Subprocessor on reasonable data protection grounds, Intempt will work with you to resolve the objection. If we are unable to resolve the objection, you may terminate the affected portion of the Services.

5.4 Intempt will impose data protection obligations on each Subprocessor that are at least as protective as those set forth in this DPA.

5.5 Intempt remains fully responsible for the acts and omissions of its Subprocessors.

6.1 You authorize the transfer of Customer Personal Data to the United States and to any other country where our Subprocessors operate, as necessary for the provision of the Services.

6.2 For transfers of Customer Personal Data from the EEA, we rely on the Standard Contractual Clauses (Module 2: Controller to Processor). For transfers from the United Kingdom, we rely on the UK Addendum. For transfers from Switzerland, we align with the applicable framework.

6.3 The SCCs and UK Addendum are incorporated into this DPA by reference and shall control in the event of any conflict with this DPA for restricted transfers.

7.1 Intempt will make available to you all information reasonably necessary to demonstrate compliance with this DPA.

7.2 You may exercise your audit rights up to once per year through: (a) a review of third-party audit reports, certifications, or questionnaires provided by Intempt; or (b) an on-site audit, subject to a separate written agreement regarding scope, timing, and confidentiality.

8.1 For the purposes of the GDPR, you act as the Controller and Intempt acts as the Processor of Customer Personal Data.

8.2 If Intempt becomes aware that your instructions may violate applicable European data protection law, we will promptly inform you.

9.1 For the purposes of the CCPA, you act as the Business and Intempt acts as the Service Provider.

9.2 Intempt will not sell or share Customer Personal Data within the meaning of the CCPA. Intempt will not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Intempt and you. Intempt will not combine Customer Personal Data with personal data from other Intempt customers, or with data from sources unrelated to the direct business relationship, except: (a) data sources connected and authorized by Customer within the Services (such as CRM, e-commerce, email, and analytics integrations); and (b) as otherwise permitted by the CCPA.

9.3 You are responsible for honoring consumer opt-out requests. Intempt will support you through product-level controls.

10.1 You may request deletion of Customer Personal Data at any time, and Intempt will complete the deletion within thirty (30) days.

10.2 Following termination of the Agreement, Customer Personal Data will be retained in active systems for ninety (90) days and then deleted.

10.3 Backup copies may be retained for up to one (1) year and will be overwritten in the ordinary course.

10.4 Customer Personal Data may be exported at any time in CSV or JSON format using our self-service tools and APIs.

11.1 Intempt trains AI models using Customer Personal Data as a core, disclosed, and necessary part of providing the Services. This processing occurs exclusively within Customer's isolated tenant environment. Customer Personal Data is never used to train models that serve any other customer, and is never combined with any other customer's data at any stage of processing, storage, or training. Certain features also use third-party AI APIs (currently OpenAI and Anthropic) for processing. These providers are prohibited under their commercial API agreements with Intempt from using Customer Personal Data to train their own models.

12.1 This DPA is subject to the limitation of liability provisions set forth in the Agreement. In no event shall either party's liability be limited with respect to any individual's data protection rights under this DPA or applicable Data Protection Law.

12.2 The Standard Contractual Clauses and UK Addendum shall take precedence over this DPA to the extent required for restricted data transfers.

12.3 Intempt may update this DPA from time to time, subject to the notice requirements set forth in the Agreement for material changes.

Data Exporter: Customer (as identified in the Order Form).

Data Importer: Intempt Technologies LLC, 1101 W 34th St #595, Austin, TX 78705, United States.

Data Subjects: End users, website visitors, employees, contractors, prospects, and contacts of the Customer.

Categories of Personal Data: Identifiers (names, email addresses, phone numbers), online identifiers (IP addresses, device identifiers, cookie data), behavioral data (page views, clicks, interactions), communications content (email bodies, meeting recordings and transcripts), uploaded files, inferences and scoring data, and billing information. Voice recordings processed through meeting recording features may constitute biometric personal data under applicable law (including Illinois BIPA and GDPR Article 9) and are subject to the additional requirements in DPA §2.4.

Purpose of Processing: Provision of CRM and AI-powered services, including unified customer profiling, segmentation, journey automation, predictive scoring, and per-customer AI model training. Legal basis (GDPR): Article 6(1)(b) for core service delivery and AI training; Article 6(1)(f) for analytics and product improvement.

Duration of Processing: For the duration of the Agreement, plus the retention period specified in Section 10.