Data Processing Addendum

Last Updated October 10, 2025

This Data Processing Addendum and its Annexes (“DPA”) is incorporated into and forms part of the Intempt Customer Terms of Service, Order Form, or other agreement governing Customer’s use of the Services (the “Agreement”) between Customer and Intempt Technologies LLC (“Intempt,” “we,” “us,” “our”).

This DPA reflects the parties’ agreement regarding:

  1. Controller-to-Processor Processing: Intempt’s Processing of Customer Personal Data as a Processor / Service Provider on behalf of Customer in connection with the Services; and

  2. Controller-to-Controller Processing (Limited): where applicable, the parties’ Processing as independent Controllers in connection with partner-sourced enrichment described in Section 10.

If there is any conflict between this DPA and the Agreement, this DPA controls for privacy and data protection matters.

The term of this DPA follows the term of the Agreement unless stated otherwise.

1. Definitions

Capitalized terms not defined here have the meaning in the Agreement.

“Customer Data” has the meaning in the Agreement and includes Customer Personal Data.

“Customer Personal Data” means Personal Data contained in Customer Data that Intempt Processes as a Processor on behalf of Customer.

“Controller”, “Processor”, “Personal Data”, and “Processing” have the meanings set out in applicable Data Protection Laws.

“Data Protection Laws” means all applicable privacy and data protection laws and regulations relating to the Processing of Personal Data under the Agreement, including (where applicable) the GDPR, UK GDPR, Swiss FADP, and U.S. state privacy laws such as the CCPA/CPRA.

“CCPA” means the California Consumer Privacy Act as amended by the CPRA.

“Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Intempt and/or its Subprocessors.

“Subprocessor” means a Processor engaged by Intempt to Process Customer Personal Data on behalf of Customer.

“Standard Contractual Clauses” or “SCCs” means the European Commission’s standard contractual clauses (Decision (EU) 2021/914), as may be updated or replaced.

“UK Addendum” means the International Data Transfer Addendum issued by the UK ICO, as may be updated or replaced.

2. Customer Responsibilities

2.1 Compliance with Laws. Customer is responsible for compliance with Data Protection Laws applicable to Customer’s Processing, including providing notices, obtaining consents where required, honoring opt-outs, and ensuring a valid lawful basis for collection and use of Personal Data.

2.2 Implementation Choices. Customer controls what Customer Personal Data is collected and sent to Intempt via APIs, SDKs, pixels, mobile SDKs, session replay, call recording, and integrations, and is responsible for configuration choices (including enabling optional features).

2.3 Instructions. The Agreement (including this DPA), Customer’s configuration and use of the Services, and any documented written instructions consistent with the Agreement constitute Customer’s instructions to Intempt.

2.4 Sensitive Data. Customer will not provide Sensitive Data unless expressly permitted in writing and supported by appropriate controls.

3. Intempt Obligations as Processor

3.1 Processing on Instructions. Intempt will Process Customer Personal Data only:
(a) to provide and secure the Services;
(b) in accordance with the Agreement and Customer’s documented instructions; or
(c) as required by applicable law (in which case Intempt will notify Customer unless prohibited).

3.2 Confidentiality. Intempt will ensure personnel authorized to Process Customer Personal Data are subject to confidentiality obligations.

3.3 Security. Intempt will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data. See Annex 2 (Security Measures).

3.4 Security Incidents. Intempt will notify Customer without undue delay after confirming a Security Incident involving Customer Personal Data and will provide information reasonably necessary for Customer to meet its obligations. Where feasible, Intempt typically notifies within 72 hours.

3.5 Assistance. Taking into account the nature of Processing and the information available, Intempt will provide reasonable assistance for:
(a) Data Subject Requests (Section 4); and
(b) DPIAs and consultations with supervisory authorities where required (GDPR Articles 35–36).
Intempt may charge reasonable fees for assistance that is beyond self-serve tooling or standard support.

3.6 Subprocessors. Intempt may engage Subprocessors in accordance with Section 5.

4. Data Subject Requests

4.1 Self-Serve Controls. Intempt provides in-product tools and/or APIs to help Customer access, correct, export, delete, or restrict Customer Personal Data.

4.2 Requests Received by Intempt. If Intempt receives a request directly from a Data Subject relating to Customer Personal Data, Intempt will (to the extent legally permitted):
(a) inform Customer; and
(b) direct the Data Subject to Customer (unless Customer authorizes Intempt to respond).

5. Subprocessors

5.1 Authorization. Customer grants Intempt general authorization to engage Subprocessors to Process Customer Personal Data.

5.2 List. Intempt maintains a current list of Subprocessors at: https://intempt.com/subprocessors (the “Subprocessors Page”), incorporated into this DPA.

5.3 Notice and Objection. Intempt will provide advance notice of new or replacement Subprocessors as described in the DPA (typically at least 30 days where required, except for urgent security/operational needs). Customer may object on reasonable grounds related to data protection. If the parties cannot resolve the objection in a commercially reasonable manner, Customer may terminate the affected Services as its sole remedy.

5.4 Flow-down Terms. Intempt will impose data protection terms on Subprocessors that provide at least the same level of protection for Customer Personal Data as this DPA, as applicable.

5.5 Responsibility. Intempt remains responsible for its Subprocessors’ performance of their obligations in relation to Customer Personal Data.

6. International Data Transfers

6.1 Scope. Customer authorizes Intempt to transfer Customer Personal Data internationally as necessary to provide the Services.

6.2 Transfer Mechanisms (Europe/UK/Switzerland). Where European Data Protection Laws require safeguards for transfers to countries without an adequacy decision, the parties agree that the SCCs apply and are incorporated by reference, completed using the information in Annex 1 and Annex 2, with the following:

  • Module Two (Controller-to-Processor) applies where Customer is a Controller and Intempt is a Processor.

  • For the UK, the UK Addendum is incorporated by reference and modifies the SCCs accordingly.

  • For Switzerland, SCC references are interpreted to align with Swiss requirements, and the competent authority is the FDPIC as applicable.

6.3 Order of Precedence. If SCCs/UK Addendum conflict with this DPA, the SCCs/UK Addendum control for the Restricted Transfer.

7. Demonstration of Compliance / Audits

7.1 Information. Intempt will make available information reasonably necessary to demonstrate compliance with this DPA.

7.2 Audits. Customer may request (no more than once per year absent reasonable grounds of non-compliance) either:
(a) third-party audit reports or certifications (if available); or
(b) responses to reasonable security/privacy questionnaires.
On-site audits of Intempt systems or data centers are not supported by default; any expanded audit rights require a separate written agreement.

8. Additional Terms for European Data

8.1 Roles. For Customer Personal Data subject to GDPR/UK GDPR, Customer is Controller and Intempt is Processor (unless Customer acts as Processor on behalf of another Controller, in which case Intempt is a subprocessor).

8.2 Conflicting Instructions. If Intempt believes Customer instructions violate European Data Protection Laws, Intempt will inform Customer without undue delay.

9. Additional Terms for California Personal Information (CCPA/CPRA)

9.1 Roles. For California Personal Information that Intempt Processes on Customer’s behalf, Customer is a Business and Intempt is a Service Provider (and “Contractor” where applicable).

9.2 Restrictions. Intempt will not:
(a) Sell or Share California Personal Information;
(b) retain, use, or disclose it outside the direct business relationship except as permitted by the CCPA; or
(c) combine it with personal information obtained from other sources except as permitted by the CCPA (including to perform Services).

9.3 Compliance Signals. Customer is responsible for honoring consumer opt-outs and preference signals in its collection layer and configurations; Intempt will support deletion/opt-out handling through available product controls.

10. Controller-to-Controller Terms (Enrichment Data from Partners) — Limited

10.1 When this applies. This section applies only to the extent Intempt provides optional enrichment outputs sourced from third-party partners and Intempt and Customer each determine independent purposes for their Processing of that partner-sourced enrichment data (if applicable).

10.2 Independent Compliance. Each party will comply with applicable Data Protection Laws for its own Processing as Controller, including providing appropriate notices and maintaining a lawful basis.

10.3 Opt-Out / Deletion. Where enrichment data originates from partners and an individual’s deletion/opt-out must be executed through the partner, Intempt will support Customer by facilitating the request path consistent with partner capabilities and the Agreement.

11. Deletion, Return, and Retention

11.1 Customer-Controlled Deletion During Term. Customer may delete Customer Data via self-serve controls/APIs. Intempt will delete Customer Data from active systems within 30 days of a valid Customer deletion request, except where retention is required by applicable law or for security/fraud prevention as permitted by law.

11.2 After Termination/Expiration (Default Retention). Unless otherwise agreed in an Order Form, Intempt retains Customer Data for up to three (3) years following termination/expiration unless Customer requests deletion earlier.

11.3 Backups. Customer Data deleted from active systems may remain in backups that are securely isolated and expire on a rolling basis, with a maximum backup retention of up to three (3) years, after which it is overwritten or deleted as part of normal backup lifecycle management.

11.4 Return/Export. Customer may export Customer Data during the Subscription Term via product tools/APIs, subject to plan features and the Agreement.

12. Product-Specific Processing Disclosures (Accuracy Locks)

12.1 Tracking Technologies. Intempt provides web SDKs/pixels and mobile SDKs (iOS/Android) that may collect events, device data, and interactions from Customer properties as configured by Customer.

12.2 Session Replay / Keystroke Capture. If enabled (default ON), session replay may capture interaction events including certain keystroke events as implemented in the SDK. Intempt provides:

  • default masking for password and payment-card fields; and

  • an opt-out selector: .intempt-no-capture to prevent capture for designated elements/areas.

12.3 Call Recording + Meeting Notes. Intempt may support call recording and meeting note-taking as a core feature when enabled by Customer. This may involve Subprocessors including Twilio (telephony/recording) and Recall.ai (bot note-taker/storage), as configured.

12.4 AI Features (OpenAI / Anthropic). If Customer uses AI features, prompts may include Customer-provided content and/or retrieved snippets (RAG) from Customer Data to generate outputs. Intempt uses the OpenAI and Anthropic APIs and OpenAI embeddings for applicable features. Intempt does not use Customer Data to train generalized AI models by default.

13. General Provisions

13.1 Limitation of Liability. This DPA is subject to the limitations of liability in the Agreement.

13.2 Order of Precedence. If SCCs/UK Addendum apply, they take precedence over this DPA for Restricted Transfers.

13.3 Updates. Intempt may update this DPA by posting a revised version. Material changes will be notified consistent with the Agreement.

13.4 Contact. Questions about this DPA: hey@intempt.com.

Annex 1 — Details of Processing (SCC Annex I equivalents)

A. List of Parties

  • Data Exporter: Customer (as identified in the Agreement/Order Form)

  • Data Importer: Intempt Technologies LLC, 1101 W 34th St, #595, Austin, TX 78705, USA

B. Categories of Data Subjects

  • Customer’s end users/visitors

  • Customer’s employees, contractors, and authorized users

  • Customer’s prospects/customers and other contacts, as uploaded or collected

C. Categories of Personal Data (determined by Customer configuration/use), which may include:

  • Identifiers: name, email, phone, external user_id, cookie/device IDs, hashed identifiers

  • Online identifiers: IP address, user agent, browser/device metadata

  • Events and behavioral data: page views, clicks, form interactions, session replay events

  • Communications metadata/content: messages sent/stored as configured (email/SMS/push/WhatsApp), call/meeting artifacts where enabled

  • Files uploaded by Customer

  • Inferences/segments created in the product based on Customer configuration

  • Billing/admin contact information (e.g., name, email, company, billing metadata)

D. Special Categories of Data

  • Not intended; Customer should not provide unless expressly agreed.

E. Processing Activities / Purposes

  • Provide, secure, and maintain the Services

  • Identity resolution and profile management

  • Segmentation, journeys/automation, personalization, experimentation, analytics

  • Messaging delivery via Subprocessors

  • Customer support and troubleshooting

  • Security monitoring and abuse prevention

  • Billing and account administration

F. Frequency of Transfer

  • Continuous

G. Duration of Processing

  • For the term of the Agreement, plus retention described in Section 11.

Annex 2 — Security Measures (Summary)

Intempt maintains commercially reasonable safeguards, including (as applicable):

  • Access controls and least privilege; RBAC in-product

  • Encryption in transit (TLS)

  • Logging/monitoring for security and availability

  • Separation of environments and controlled production access

  • Incident response processes and notification commitments (Section 3.4)

  • Secure development and change management practices

Annex 3 — Subprocessors

The Subprocessors Page at https://intempt.com/subprocessors is incorporated into this DPA.

  • Amazon Web Services, Inc. (hosting/infrastructure)

  • Intercom, Inc. (customer support/chat)

  • Stripe, Inc. (payment processing / billing contact info)

  • SendGrid, Inc. (email delivery)

  • Twilio Inc. (SMS/telephony/recording, if enabled)

  • Google LLC (FCM push)

  • Apple Inc. (APNs push)

  • OpenAI, L.L.C. (AI features / embeddings)

  • Anthropic, PBC (AI features)