Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement ("DPA") is entered into between SendItFast AI ("Data Processor") and the entity accessing or using the SendItFast services ("Data Controller" or "Customer"). This DPA governs the processing of Personal Data by the Data Processor on behalf of the Data Controller in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

This DPA forms part of the agreement between the parties governing the use of the SendItFast services (the "Services").

─────────────────────────────────────────────────

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined in the GDPR, including but not limited to names, email addresses, phone numbers, and other contact or professional information.

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

"Data Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

"Sub-Processor" means any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.

─────────────────────────────────────────────────

3. Scope and Subject Matter

3.1 Subject Matter

The Data Processor shall process Personal Data on behalf of the Data Controller solely for the purpose of providing the Services to the Data Controller.

3.2 Nature and Purpose of Processing

The nature and purpose of the processing include:

• Providing personalized content generation and outreach capabilities
• Processing and analyzing prospect and contact data provided by the Data Controller
• Conducting online research using publicly available information from various sources
• Managing user accounts and authentication
• Providing customer support and technical assistance
• Analytics and service improvement

3.3 Categories of Personal Data

Categories of Personal Data processed may include:

• Contact information (names, email addresses, phone numbers)
• Professional information (job titles, company names, LinkedIn profiles)
• Business information (company details, industry, company size)
• Account information (user names, authentication data, usage data)

3.4 Categories of Data Subjects

Categories of Data Subjects include:

• Prospects and business contacts identified by the Data Controller
• Employees or representatives of companies identified by the Data Controller
• Users of the Services
• Authorized users accessing the Services on behalf of the Data Controller

─────────────────────────────────────────────────

4. Obligations of the Data Processor

4.1 Processing on Behalf of Controller

The Data Processor shall:

• Process Personal Data only on documented instructions from the Data Controller
• Ensure that persons authorized to process Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality
• Take all measures required to ensure the security of the processing
• Not engage another processor without prior specific or general written authorization from the Data Controller

4.2 Security of Processing

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate a level of security appropriate to the risk, including as appropriate:

• The pseudonymization and encryption of Personal Data
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
• The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

These measures include encryption at rest (AES-256), encryption in transit (TLS 1.2 or higher), access controls, regular security assessments, and employee training.

4.3 Confidentiality

The Data Processor shall ensure that any person who is authorized to process Personal Data is under a duty of confidentiality or is bound by appropriate statutory obligations of confidentiality.

4.4 User Risk Acknowledgment

The Data Controller acknowledges and agrees that:

• The Data Controller is solely and exclusively responsible for all decisions, actions, and outcomes resulting from use of the Data Processor's services
• The Data Processor has no liability whatsoever for any losses, damages, or consequences arising from the Data Controller's use of services
• The Data Controller uses the Data Processor's services entirely at its own risk
• Even in the event of errors, inaccuracies, or omissions in any service, the Data Processor shall have no liability of any kind
• The Data Controller releases the Data Processor from all claims, demands, causes of action, losses, damages, costs, or liabilities of any kind

The Data Controller waives all rights to bring any claim, lawsuit, or legal action against the Data Processor in connection with or arising from the use of services.

─────────────────────────────────────────────────

5. Sub-Processing

5.1 Authorization

The Data Processor may engage other Data Processors ("Sub-Processors") to process Personal Data on behalf of the Data Controller, provided that such Sub-Processors:

• Are contractually bound to provide a level of protection for Personal Data equivalent to that required under this DPA
• Are subject to appropriate data protection and security obligations
• Comply with applicable data protection laws and regulations

5.2 Current Sub-Processors

The Data Processor currently uses the following categories of Sub-Processors:

• Cloud Infrastructure: Hosting, storage, and computing services (EU and USA)
• Database Services: Data storage and management (EU and USA)
• Payment Processing: Secure payment handling (PCI-DSS compliant)
• Email Services: Transactional email delivery (EU and USA)
• Authentication: User identity and access management (EU and USA)
• Analytics: Service monitoring and improvement (EU and USA)
• Data Enrichment: Contact intelligence and business data services (EU and USA)

5.3 Online Research Services

The Data Processor may conduct online research using publicly available information from various sources. All online research is conducted using lawful means that respect:

• Platform terms of service
• Rate limits and robots.txt directives
• Applicable data protection laws
• No circumvention of technical protection measures or authentication barriers

Online research sources may include professional networks, social media platforms, business intelligence sources, news media, regulatory filings, and other publicly available data. Not all sources may be used for every research query.

5.4 Notice of Changes

The Data Processor shall provide the Data Controller with reasonable notice of any intended addition or replacement of a Sub-Processor, giving the Data Controller the opportunity to object to such changes on reasonable grounds relating to data protection.

─────────────────────────────────────────────────

6. Data Subject Rights

6.1 Assistance

Taking into account the nature of processing, the Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests for exercising the Data Subject's rights.

6.2 Right to Access, Rectification, Erasure, and Portability

The Data Processor shall assist the Data Controller in responding to Data Subject requests regarding:

• Right of access to Personal Data
• Right to rectification of inaccurate or incomplete Personal Data
• Right to erasure of Personal Data ("right to be forgotten")
• Right to data portability

6.3 Right to Restriction and Objection

The Data Processor shall assist the Data Controller in responding to Data Subject requests regarding:

• Right to restriction of processing
• Right to object to processing

─────────────────────────────────────────────────

7. Data Breach Notification

7.1 Notification to Controller

The Data Processor shall notify the Data Controller without undue delay upon becoming aware of a personal data breach. The notification shall describe:

• The nature of the personal data breach including, where possible, the categories and approximate number of Data Subjects concerned
• The likely consequences of the personal data breach
• The measures taken or proposed to be taken by the Data Processor to address the personal data breach

7.2 Information Required by Controller

The Data Processor shall provide the Data Controller with information reasonably required by the Data Controller to meet its own obligations under data protection laws, including notification to supervisory authorities and affected Data Subjects.

─────────────────────────────────────────────────

8. Data Protection Impact Assessment and Prior Consultation

The Data Processor shall, where reasonably possible, provide the Data Controller with reasonable assistance in relation to any data protection impact assessment and any prior consultation with a supervisory authority, insofar as this is possible.

─────────────────────────────────────────────────

9. Return and Deletion of Personal Data

9.1 Return or Deletion

Upon termination or expiration of the agreement, the Data Processor shall, at the choice of the Data Controller, return all Personal Data processed on behalf of the Data Controller and delete existing copies or verify that such Personal Data has been deleted.

9.2 Retention

Notwithstanding the foregoing, the Data Processor may retain Personal Data for:

• The duration required by applicable law or regulation
• A reasonable period for backup and disaster recovery purposes
• Aggregated or anonymized data that does not identify Data Subjects

9.3 Backup and Security Logs

Security logs and system backups may be retained for longer periods for security, compliance, and business continuity purposes. Such retained data shall be securely stored and not accessed except as necessary for security or compliance purposes.

─────────────────────────────────────────────────

10. Audit Rights

Subject to reasonable notice and at reasonable intervals, the Data Processor shall make available to the Data Controller information to demonstrate compliance with the obligations set out in this DPA. The Data Processor shall allow for and contribute to audits and inspections by the Data Controller or a third-party auditor mandated by the Data Controller.

─────────────────────────────────────────────────

11. International Data Transfers

11.1 Safeguards

Personal Data may be transferred to, stored, and processed in countries other than the country in which the Data Controller is located. When such transfers occur, the Data Processor ensures that appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Appropriate supplementary measures

11.2 EU Data Transfers

For transfers of Personal Data from the European Economic Area (EEA), the Data Processor shall ensure that the transfer is in accordance with GDPR requirements, including the use of Standard Contractual Clauses and appropriate technical and organizational measures.

─────────────────────────────────────────────────

12. Compliance with Applicable Laws

Both parties agree to comply with all applicable data protection laws, regulations, and guidance, including but not limited to:

• GDPR and national implementations in EEA member states
• UK Data Protection Act 2018
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Other applicable state and federal privacy laws

─────────────────────────────────────────────────

13. Term and Termination

13.1 Duration

This DPA shall remain in effect for so long as the Data Controller accesses or uses the Services and shall survive termination or expiration of the agreement until all Personal Data has been deleted or returned in accordance with this DPA.

13.2 Termination

Either party may terminate this DPA in accordance with the termination provisions of the agreement governing the Services. Upon termination, both parties shall return or delete Personal Data as specified in Section 9.

─────────────────────────────────────────────────

14. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the jurisdiction specified in the agreement governing the Services.

─────────────────────────────────────────────────

15. Contact Information

For any questions regarding this DPA, or to request an executed DPA, please contact:

SendItFast AI
Email: legal@senditfast.ai
Data Protection Officer: dpo@senditfast.ai

─────────────────────────────────────────────────