Data Processing Addendum

"Customer Personal Data" means the Personal Data processed by Intempt on behalf of Customer in connection with the provision of the Services.

"Data Protection Laws" means all applicable laws, rules, and regulations relating to the privacy, confidentiality, or security of Personal Data, including without limitation the GDPR, the UK GDPR, and the CCPA, as amended from time to time.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise processed by Intempt or its Sub-Processors in connection with the provision of the Services.

"Subprocessor" means any third party engaged by Intempt to process Customer Personal Data on Intempt's behalf.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission for the transfer of Personal Data to countries outside the EEA.

"UK Addendum" means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner.

2.1 You are responsible for complying with all applicable Data Protection Laws in connection with your use of the Services, including providing all required notices to data subjects, obtaining all necessary consents, and maintaining appropriate lawful bases for processing.

2.2 You determine what Customer Personal Data is collected through the Services and how it is processed. Intempt processes Customer Personal Data solely in accordance with your documented instructions.

2.3 This Agreement, together with your configuration of the Services, constitutes your complete and documented instructions to Intempt for the processing of Customer Personal Data. You acknowledge that AI model training within your logically isolated environment is a core, disclosed, and necessary component of the Services and constitutes a documented instruction for processing Customer Personal Data for the purpose of providing the Services. Intempt does not provide per-customer model management, versioning dashboards, or performance metrics.

2.4 You may not submit to the Services: (a) protected health information subject to HIPAA; (b) payment card data subject to PCI-DSS; (c) government-issued identification numbers; (d) special categories of personal data under GDPR Article 9; or (e) personal data of minors where you have not obtained all consents and authorisations required by applicable law — unless you have entered into a separate written agreement with Intempt specifically authorizing such use. Intempt will have no liability whatsoever for Sensitive Data submitted in violation of this Section, whether in connection with a Security Incident, Regulatory Action, or otherwise.

3.1 Intempt will process Customer Personal Data only as necessary to: (a) provide, secure, and maintain the Services; (b) comply with your documented instructions; and (c) comply with applicable law.

3.2 All Intempt personnel who process Customer Personal Data are bound by written confidentiality obligations.

3.3 Intempt will implement and maintain appropriate technical and organizational security measures as described in Annex 2 of this DPA.

3.4 In the event of a Security Incident involving Customer Personal Data, Intempt will notify you within seventy-two (72) hours of confirming the incident, where feasible. Where Intempt is legally required to delay notification of a Security Incident — including where directed by law enforcement or a competent authority — notification will be provided as soon as legally permitted.

3.5 Intempt will provide reasonable assistance with data subject requests and data protection impact assessments, at your cost where such assistance requires significant effort.

4.1 Intempt provides tools and controls within the Services that enable you to respond to data subject requests for access, correction, and deletion. Intempt will provide reasonable assistance to you in responding to data portability requests from your end users in accordance with its obligations as a data processor under applicable Data Protection Laws.

4.2 If Intempt receives a data subject request directly, we will redirect the request to you unless we are legally required to respond.

5.1 You grant Intempt a general written authorization to engage Subprocessors for the processing of Customer Personal Data.

5.2 The current list of Subprocessors is maintained at https://intempt.com/subprocessors.

5.3 Intempt will provide at least thirty (30) days' advance written notice before engaging any new Subprocessor. If you object to a new Subprocessor on reasonable data protection grounds, Intempt will work with you to resolve the objection. If we are unable to resolve the objection, you may terminate the affected portion of the Services.

5.4 Intempt will impose data protection obligations on each Subprocessor that are at least as protective as those set forth in this DPA.

5.5 Intempt remains fully responsible for the acts and omissions of its Subprocessors.

6.1 You authorize the transfer of Customer Personal Data to the United States and to any other country where our Subprocessors operate, as necessary for the provision of the Services.

6.2 For transfers of Customer Personal Data from the EEA, we rely on the Standard Contractual Clauses (Module 2: Controller to Processor). For transfers from the United Kingdom, we rely on the UK Addendum. For transfers from Switzerland, we align with the applicable framework.

6.3 The SCCs and UK Addendum are incorporated into this DPA by reference and shall control in the event of any conflict with this DPA for restricted transfers.

6.4 India. For transfers of Customer Personal Data originating from India, Intempt processes such data in accordance with India's Digital Personal Data Protection Act 2023 (DPDPA) to the extent applicable. Customers who process personal data of Indian data principals are solely responsible for ensuring they have an appropriate lawful basis for such processing and for compliance with all applicable obligations under the DPDPA.

7.1 Intempt will make available to you all information reasonably necessary to demonstrate compliance with this DPA.

7.2 You may exercise your audit rights up to once per calendar year through: (a) a review of Intempt's available third-party audit reports, certifications, security questionnaires, and compliance documentation; or (b) an on-site audit conducted by you or your designated auditor, subject to: (i) at least thirty (30) days' prior written notice; (ii) documented reasonable grounds for the audit request; (iii) mutual agreement on scope, dates, and auditor identity before commencement; (iv) execution of a confidentiality agreement treating all findings as Intempt Confidential Information; and (v) limitation of scope strictly to Intempt's data processing activities and procedures — audits shall not extend to underlying Customer Data, third-party systems, or information subject to existing confidentiality obligations. Audit costs are borne by Customer unless the audit confirms material non-compliance by Intempt, in which case Intempt shall bear reasonable audit costs.

8.1 For the purposes of the GDPR, you act as the Controller and Intempt acts as the Processor of Customer Personal Data.

8.2 If Intempt becomes aware that your instructions may violate applicable European data protection law, we will promptly inform you.

8.3 EU Representative. Intempt has appointed an EU Representative under GDPR Article 27. EU data subjects and supervisory authorities may direct inquiries to Intempt's EU Representative at privacy@intempt.com. Intempt will respond to such inquiries without undue delay and in any event within the timeframes required by applicable EU data protection law.

9.1 For the purposes of the CCPA, you act as the Business and Intempt acts as the Service Provider.

9.2 Intempt will not sell or share Customer Personal Data within the meaning of the CCPA. Intempt will not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Intempt and you. Intempt will not combine Customer Personal Data with personal data from other Intempt customers, or with data from sources unrelated to the direct business relationship, except: (a) data sources connected and authorized by Customer within the Services (such as CRM, e-commerce, email, and analytics integrations); and (b) as otherwise permitted by the CCPA.

9.3 You are responsible for honoring consumer opt-out requests. Intempt will support you through product-level controls.

10.1 You may request deletion of Customer Personal Data at any time, and Intempt will complete the deletion within thirty (30) days.

10.2 Following termination of the Agreement, Customer Personal Data will be retained in active systems for thirty (30) days following termination and then deleted. Deletion will cover all active data stores maintained by Intempt for the Customer account. Written confirmation of deletion is available on request.

10.3 Intempt maintains data redundancy and infrastructure resilience controls appropriate to the Services. Where infrastructure-level copies of data exist, they are encrypted, isolated from active processing, and subject to Intempt's standard data lifecycle procedures.

11.1 Intempt uses AI and machine learning models to deliver its Services. This processing occurs within a logically isolated, per-customer environment. Customer Personal Data is never used to train models that serve any other customer, and is never combined with any other customer's data at any stage of processing, storage, or training. Intempt does not provide per-customer model management, versioning dashboards, or performance metrics. Certain features use third-party AI APIs (currently OpenAI and Anthropic) for processing. These providers process data on Intempt's behalf only and, consistent with their commercial API terms, restrict the use of Customer Personal Data for model training purposes.

11.2 AI Decision Records. Intempt maintains internal records of AI-generated outputs sufficient to respond to data subject requests for explanation of automated decisions under applicable law including GDPR Article 22. Customers may submit written requests for explanation of specific AI decisions affecting their end users to privacy@intempt.com. Intempt will respond within thirty (30) days.

11.3 AI Training Settings. AI model training on Customer Personal Data is a core and disclosed component of the Services. For customers on non-Enterprise pricing plans, AI model training on Customer Personal Data is enabled by default; these customers may opt out at any time by contacting hey@intempt.com. For customers on the Enterprise plan, AI model training is not enabled by default and requires explicit opt-in configuration. Data subjects have the right to object to processing based on legitimate interests under GDPR Article 21.

12.1 This DPA is subject to the limitation of liability provisions set forth in the Agreement. In no event shall either party's liability be limited with respect to any individual's data protection rights under this DPA or applicable Data Protection Law.

12.2 The Standard Contractual Clauses and UK Addendum shall take precedence over this DPA to the extent required for restricted data transfers.

12.3 Intempt may update this DPA from time to time, subject to the notice requirements set forth in the Agreement for material changes.

Data Exporter: Customer (as identified in the Order Form).

Data Importer: Intempt Technologies LLC, 1101 W 34th St #595, Austin, TX 78705, United States.

Data Subjects: End users, website visitors, employees, contractors, prospects, and contacts of the Customer.

Categories of Personal Data: Identifiers (names, email addresses, phone numbers), online identifiers (IP addresses, device identifiers, cookie data), behavioral data (page views, clicks, interactions), communications content (email bodies, meeting recordings and transcripts), uploaded files, inferences and scoring data, and billing information. Voice recordings processed through meeting recording features may constitute biometric personal data under applicable law (including Illinois BIPA and GDPR Article 9) and are subject to the additional requirements in DPA §2.4.

Purpose of Processing: Provision of CRM and AI-powered services, including unified customer profiling, segmentation, journey automation, predictive scoring, and AI-assisted recommendations delivered through Intempt's models. Legal basis (GDPR): Article 6(1)(b) for core service delivery; Article 6(1)(f) for analytics, product improvement, and AI model optimization. Data subjects have the right to object to processing based on Article 6(1)(f) under GDPR Article 21.

Duration of Processing: For the duration of the Agreement, plus the retention period specified in Section 10.