How we process your data

Agreement

This Data Processing Addendum ("DPA") forms part of Taizen's Terms and Conditions available at https://usetaizen.com/terms and applies where Taizen processes Customer Personal Data on behalf of Customer in connection with the Services.

By accessing or using Taizen, creating an account, starting a trial or pilot, connecting a third-party system, accepting an Order Form, or otherwise using the Services, Customer agrees to this DPA without requiring a separate signature, unless the parties expressly agree otherwise in writing.

If Customer requires a countersigned copy of this DPA for procurement, legal, or compliance records, Customer may contact legal@usetaizen.com.

This DPA is between:

• the company or legal entity accessing or using the Services ("Customer," "Controller," or "you"); and
• Novadata Technologies, S.L., doing business as Taizen, with its registered office at Calle Maria Aguilo 121, 08005 Barcelona, Spain ("Taizen," "Processor," "we," "us," or "our").

Customer and Taizen are each a "Party" and together the "Parties."

1. Definitions

1.1 Capitalized terms not defined in this DPA have the meaning given to them in the Terms.

1.2 "Applicable Data Protection Laws" means all privacy and data protection laws applicable to the processing of Customer Personal Data under the Agreement, including, where applicable:

• the EU General Data Protection Regulation 2016/679 ("GDPR");
• the UK GDPR and the UK Data Protection Act 2018;
• the Swiss Federal Act on Data Protection;
• applicable US state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act and its implementing regulations; and
• any other data protection or privacy laws applicable to the processing under the Agreement.

1.3 "Customer Personal Data" means Personal Data processed by Taizen on behalf of Customer under the Agreement.

1.4 "Data Hosting Region" means the region in which Taizen will host and primarily process Customer Personal Data for the Services. Unless otherwise agreed in an Order Form or Statement of Work signed by both Parties, the Data Hosting Region is the European Economic Area ("EEA").

1.5 "EU SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission on 4 June 2021 under Commission Implementing Decision (EU) 2021/914, as may be updated or replaced from time to time.

1.6 "Personal Data," "Controller," "Processor," "Processing," "Data Subject," "Personal Data Breach," and "Supervisory Authority" have the meanings given to them under Applicable Data Protection Laws.

1.7 "Subprocessor" means any third party engaged by Taizen to process Customer Personal Data on behalf of Customer.

2. Scope and Roles

2.1 The Parties acknowledge that, for purposes of Applicable Data Protection Laws, Customer acts as the Controller and Taizen acts as the Processor in respect of Customer Personal Data.

2.2 Where Customer is itself a processor, Taizen acts as Customer's subprocessor.

2.3 The details of processing, including subject matter, duration, nature and purpose, types of Personal Data, categories of Data Subjects, and processing locations, are described in Annex 1.

2.4 Default Data Hosting Region. Taizen will host and primarily process Customer Personal Data within the EEA unless otherwise agreed in writing.

2.5 Optional Regional Deployment. If Customer requests a Data Hosting Region outside the EEA, including United States-only processing, such deployment will apply only if expressly set out in the applicable Order Form or Statement of Work and accepted by Taizen in writing. Optional regional deployments may be subject to additional fees, technical constraints, or availability limitations.

2.6 Change of Region. Taizen will not change the Data Hosting Region without Customer's documented instructions or an updated Order Form or Statement of Work.

2.7 Remote Access for Support and Security. Customer acknowledges that authorized Taizen personnel may access Customer Personal Data remotely from locations outside the Data Hosting Region solely as necessary to provide support, operate and maintain the Services, prevent or address security incidents, and comply with applicable law, subject to Taizen's technical and organizational measures, including least privilege, multi-factor authentication, logging, and confidentiality obligations. Where such access constitutes a restricted transfer under Applicable Data Protection Laws, the Parties will rely on the transfer safeguards set out in this DPA.

3. Customer Instructions

3.1 Taizen will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country, unless Taizen is required to do so by applicable law.

3.2 Customer's documented instructions include the Agreement, the applicable Order Form or trial confirmation, Customer's configuration of the Services, Customer's use of the Services, and any written instructions agreed by the Parties.

3.3 If Taizen believes an instruction infringes Applicable Data Protection Laws, Taizen will promptly inform Customer and cooperate in good faith to agree on compliant instructions.

4. Confidentiality and Personnel

4.1 Taizen will ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Taizen will limit access to Customer Personal Data to personnel with a need to know for performance of the Services.

4.3 Taizen will revoke access promptly when access is no longer required.

5. Security Measures

5.1 Taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, Taizen will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, as required by Applicable Data Protection Laws.

5.2 A description of Taizen's technical and organizational measures is set out in Annex 2.

5.3 Taizen maintains an information security program aligned to recognized security standards and maintains an independent SOC 2 Type II report. Copies of relevant certificates, reports, or summaries may be made available to Customer on request, subject to confidentiality obligations.

5.4 Taizen will not materially decrease the overall level of security provided by the technical and organizational measures during the term of the Agreement, except where reasonably necessary to respond to evolving threats or changes in technology, provided that the resulting measures continue to meet the requirements of Applicable Data Protection Laws.

6. Subprocessing

6.1 Customer grants Taizen general authorization to engage Subprocessors to process Customer Personal Data, provided that Taizen:

• maintains an up-to-date list of Subprocessors in Annex 3 or on a public subprocessor page;
• enters into a written agreement with each Subprocessor imposing data protection obligations no less protective in substance than those in this DPA; and
• remains responsible to Customer for Subprocessors' performance of their data protection obligations.

6.2 Taizen will provide notice of any intended addition or replacement of a Subprocessor at least 30 days in advance, or as soon as reasonably practicable where required to avoid service disruption or address security, legal, or operational risk.

6.3 Customer may object to a new Subprocessor on reasonable data protection grounds by providing written notice within 14 days of the notice.

6.4 The Parties will work in good faith to resolve the objection. If they cannot resolve the objection, Customer may terminate the affected Services without penalty for the unused portion of prepaid fees, if any, as Customer's sole and exclusive remedy.

6.5 Taizen will not disclose Customer Personal Data to any Subprocessor except as authorized under this DPA.

7. Data Subject Requests and Assistance

7.1 Taking into account the nature of the processing, Taizen will assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer's obligation to respond to requests to exercise Data Subject rights under Applicable Data Protection Laws.

7.2 If Taizen receives a request from a Data Subject relating to Customer Personal Data, Taizen will, without undue delay, notify Customer and will not respond to the request except on Customer's documented instructions or as required by applicable law.

7.3 Taizen will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required by Applicable Data Protection Laws, taking into account the nature of processing and information available to Taizen.

7.4 Taizen may charge reasonable fees for assistance that goes beyond standard product functionality or routine support.

8. Personal Data Breach

8.1 Taizen will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data.

8.2 Where feasible, Taizen will provide initial notice within 48 hours of becoming aware of the Personal Data Breach.

8.3 Taizen will provide additional information in phases as it becomes available.

8.4 Taizen will cooperate with Customer and take reasonable steps to investigate, mitigate, and remediate the Personal Data Breach, and to support Customer's notifications to Supervisory Authorities and Data Subjects as required.

8.5 Taizen's notification or response to a Personal Data Breach is not an admission of fault or liability.

9. Audits and Compliance Information

9.1 Taizen will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

9.2 As a primary means of demonstrating compliance, Taizen may provide, upon request and subject to confidentiality:

• a copy or executive summary of its SOC 2 Type II report;
• relevant security certificates or summaries;
• reasonable responses to security and privacy questionnaires; and
• other appropriate compliance documentation.

9.3 If Customer reasonably requires an on-site or live audit because the information provided under Section 9.2 is insufficient to address a material compliance concern, Customer may request one audit per 12-month period.

9.4 Any audit must be conducted:

• upon at least 30 days' prior written notice;
• during normal business hours;
• in a manner that does not unreasonably interfere with Taizen's operations;
• subject to confidentiality obligations; and
• without access to source code, trade secrets, unrelated customer data, or systems not relevant to the processing of Customer Personal Data.

9.5 Each Party will bear its own costs unless the audit reveals material non-compliance by Taizen, in which case Taizen will bear Customer's reasonable documented audit costs.

9.6 Customer will ensure that auditors are subject to confidentiality obligations and will promptly provide Taizen with a copy of any audit report to the extent it relates to Taizen.

10. International Transfers

10.1 Taizen may process Customer Personal Data in the Data Hosting Region and in other locations described in Annex 1 and Annex 3, or as otherwise instructed by Customer in writing.

10.2 Where Customer Personal Data is transferred to a third country without an adequacy decision, the Parties will ensure appropriate safeguards under Applicable Data Protection Laws are in place, including by entering into the EU SCCs and, where applicable, the UK International Data Transfer Addendum and/or Swiss addendum.

10.3 The EU SCCs are incorporated by reference and deemed executed as of the effective date of the Agreement.

10.4 For purposes of the EU SCCs:

• Module Two applies where Customer is a Controller and Taizen is a Processor.
• Module Three applies where Customer is a Processor and Taizen is a Subprocessor.
• The optional docking clause applies.
• The details of processing are described in Annex 1.
• The technical and organizational measures are described in Annex 2.
• The authorized Subprocessors are described in Annex 3 or on Taizen's public subprocessor page.

10.5 Taizen will implement supplementary measures as appropriate and will provide reasonable assistance for transfer impact assessments upon Customer's request.

11. Return and Deletion

11.1 Upon termination or expiry of the Services, Taizen will, at Customer's choice, delete or return Customer Personal Data, and delete existing copies, unless applicable law requires storage of the Personal Data.

11.2 Unless otherwise agreed in writing, Taizen will delete Customer Personal Data from active systems within 30 days of termination and from backups within 90 days, subject to ordinary backup retention cycles.

11.3 Taizen will provide written certification of deletion upon request.

11.4 Where Taizen is required by law to retain Customer Personal Data, Taizen will inform Customer unless prohibited by law, limit further processing to storage, and maintain confidentiality and security for the retention period.

12. AI and Model Use

12.1 Taizen may use machine learning, large language model, retrieval, classification, and other AI technologies to provide the Services.

12.2 Unless Customer expressly instructs otherwise in writing, Taizen will not use Customer Personal Data to train or fine-tune generalized models that are made available to other customers or the public.

12.3 Taizen will apply technical and organizational controls designed to minimize Personal Data in model prompts and inputs where feasible and consistent with the Services, including redaction or pseudonymization workflows where configured by Customer or available in the product.

12.4 Where LLM or AI functionality is provided by a Subprocessor, such use is subject to Section 6 and Section 10 of this DPA.

13. US State Privacy Laws

13.1 Where applicable US state privacy laws apply, Taizen will process Customer Personal Data as a service provider or processor on behalf of Customer.

13.2 Taizen will not:

• sell Customer Personal Data;
• share Customer Personal Data for cross-context behavioral advertising;
• retain, use, or disclose Customer Personal Data outside the business purposes of providing the Services;
• retain, use, or disclose Customer Personal Data for a commercial purpose other than the business purposes specified in the Agreement, unless expressly permitted by Applicable Data Protection Laws;
• retain, use, or disclose Customer Personal Data outside the direct business relationship between Taizen and Customer, unless expressly permitted by Applicable Data Protection Laws; or
• combine Customer Personal Data with personal data obtained from other sources except as permitted by Applicable Data Protection Laws.

13.3 Taizen will provide the same level of privacy protection required of service providers or processors under Applicable Data Protection Laws.

13.4 Taizen certifies that it understands and will comply with the restrictions in this Section 13.

14. Liability and Order of Precedence

14.1 The Parties' liability arising out of or in connection with this DPA is subject to the liability limitations and exclusions in the Agreement, unless Applicable Data Protection Laws require otherwise.

14.2 In the event of conflict between this DPA and the Terms, this DPA prevails with respect to the Parties' data protection obligations.

14.3 In the event of conflict between this DPA and the EU SCCs, the EU SCCs will prevail to the extent of the conflict.

15. Term and Governing Law

15.1 This DPA remains in effect for so long as Taizen processes Customer Personal Data under the Agreement.

15.2 This DPA is governed by the governing law and jurisdiction clauses in the Terms, unless otherwise required by Applicable Data Protection Laws or the EU SCCs.

Annex 1 — Processing Details

A. Subject Matter and Duration of Processing

Taizen processes Customer Personal Data in connection with the provision of the Services under the Agreement for the term of the Agreement, plus any agreed retention or deletion period.

B. Nature and Purpose of Processing

The nature and purpose of processing includes hosting, storage, ingestion, organization, indexing, analysis, enrichment, classification, summarization, retrieval, reporting, generation of outputs, generation of insights, delivery of assets, workflow automation, notifications, dashboards, exports, integrations, security monitoring, troubleshooting, and support.

C. Categories of Data Subjects

Categories of Data Subjects may include:

• Customer's authorized users;
• Customer's employees and representatives;
• Customer's contractors and agents;
• Customer's customers;
• Customer's prospects and leads;
• business contacts;
• call or meeting participants;
• account and opportunity stakeholders; and
• individuals whose communications or information are included in Customer-authorized data sources.

D. Types of Personal Data

Types of Personal Data may include:

• identification and contact data, such as name, business email address, company name, and job title;
• CRM records and account information;
• opportunity, pipeline, and deal information;
• communication content included in Customer-authorized data sources;
• call transcripts, call summaries, call metadata, and meeting notes;
• Slack, email, document, or file content where connected by Customer;
• customer proof points, testimonials, quotes, objections, and related business context;
• user account, authentication, and usage data;
• technical logs and audit data;
• configuration and integration metadata; and
• other business data submitted, connected, or configured by Customer.

E. Special Categories of Data

The Services are not designed to intentionally process special categories of Personal Data, protected health information, payment card data, children's data, biometric data, government identifiers, or other highly sensitive data.

Customer must not provide such data unless expressly agreed in writing and appropriate safeguards are implemented.

F. Processing Locations and Data Hosting Region

The default Data Hosting Region is the EEA.

If the applicable Order Form or Statement of Work specifies United States-only processing and Taizen accepts in writing, the Data Hosting Region is the United States.

Additional locations and Subprocessor processing locations are listed in Annex 3 or on Taizen's public subprocessor page.

Remote access for support and security may occur globally as described in Section 2.7 of this DPA, subject to the technical and organizational measures in Annex 2 and applicable transfer safeguards.

G. Retention

Customer Personal Data will be retained as described in Section 11 of this DPA, unless otherwise agreed in the Agreement, an Order Form, or a Statement of Work.

Annex 2 — Technical and Organizational Measures

Taizen implements and maintains an information security program designed to protect Customer Personal Data. The measures below summarize key controls. More detailed documentation may be provided under confidentiality upon request.

1. Information Security Governance

Taizen maintains documented security policies, risk assessment processes, and management oversight of security controls.

2. Asset and Configuration Management

Taizen maintains an inventory of relevant systems and applies configuration management, hardened baselines, change management, and review processes where appropriate.

3. Access Control

Taizen uses access controls designed to restrict access to Customer Personal Data, including role-based access control, least privilege, multi-factor authentication for privileged access, periodic access reviews, and timely deprovisioning.

4. Encryption

Taizen uses TLS or equivalent encryption for data in transit and encryption at rest using industry-standard mechanisms provided by cloud providers and/or application-level encryption where appropriate.

5. Logging and Monitoring

Taizen maintains centralized logging, audit trails for administrative access, and alerting for suspicious activity where appropriate.

6. Vulnerability Management

Taizen performs vulnerability management activities, including dependency scanning, patching, and remediation of identified vulnerabilities.

7. Secure Development Lifecycle

Taizen applies secure development practices, including code review, CI/CD controls, testing prior to deployment, and separation of duties where feasible.

8. Incident Response

Taizen maintains a documented incident response process, tracks security incidents, and performs post-incident reviews where appropriate.

9. Business Continuity and Disaster Recovery

Taizen maintains backup, resilience, and recovery measures appropriate to the Services.

10. Subprocessor Management

Taizen performs due diligence and applies contractual controls for Subprocessors, including security and data protection obligations.

11. AI-Specific Controls

Taizen maintains internal controls designed to prevent Customer Personal Data from being used to train generalized models for other customers or the public, except as instructed by Customer.

Taizen applies prompt and input handling controls as applicable to AI features, including minimization, redaction, pseudonymization, or other safeguards where configured by Customer or available in the product.

Annex 3 — Subprocessors

Taizen maintains a list of authorized Subprocessors. This list may be updated in accordance with Section 6 of this DPA.

Taizen may publish the current list at: https://usetaizen.com/subprocessors

If no separate subprocessor page is available, the table below lists Taizen's authorized Subprocessors as of the "Last updated" date of this DPA.