DATA PROCESSING ADDENDUM

This Data Processing Addendum (this “DPA”), including its annexes, establishes the terms under which CT Tornado spółka z o.o., a company duly incorporated and existing under the laws of the Republic of Poland, with its principal place of business in Wroclaw (address: ul. Wyspa Słodowa 7, 50-266 Wroclaw, Poland; registration: District Court for Wroclaw-Fabryczna in Wroclaw, KRS/company no.: 873910; EU VAT no.: PL8982262377; share capital: PLN 5,000.00; “CTT”), as the Processor, will handle Personal Data on behalf of the Client, who acts as the Controller. This arrangement is part of the Open Agents Builder services (the “Services”) available through CTT’s platform (the “Platform”).
This DPA supplements the agreement for the Services entered into by and between CTT and the Client (the “Agreement”) under the Terms of Service, which can be found at https://app.openagentsbuilder.com/content/terms, and becomes effective on the same date as the Agreement. It will remain in effect for the duration of the Agreement. Any terms not defined in this DPA will carry the same meanings as specified in the Agreement.
Should any inconsistency arise between this DPA and the Agreement, the terms of this DPA will override the Agreement to the extent of the conflict. CTT regularly updates these terms. The Client can access previous versions of this DPA in CTT’s archives at https://openagentsbuilder.com.

1. DEFINITIONS

  1. “California Personal Information”: Personal Data that falls under the protection of the California Consumer Privacy Act (CCPA).
  2. “CCPA”: The California Civil Code Sections 1798.100 et seq., including the amendments under the California Privacy Rights Act of 2020.
  3. “Consumer”, “Business”, “Sell”, “Service Provider”, “Share”: These terms have the meanings defined under the CCPA.
  4. “Controller”: Any natural or legal person, public authority, agency, or other body that determines the purposes and means of Processing Personal Data.
  5. “Data Privacy Framework”: Includes the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework, managed by the U.S. Department of Commerce. These frameworks may be updated or replaced over time.
  6. “Data Privacy Framework Principles”: The core and supplementary principles outlined in the Data Privacy Framework, subject to amendments or replacements.
  7. “Data Protection Laws”: All relevant global legislation related to data protection and privacy that applies to the parties involved in Processing Personal Data under the Agreement, including but not limited to European Data Protection Laws, the CCPA, other U.S. federal and state privacy laws, and the data protection laws of countries like Australia, Singapore, and Japan. These laws may be amended or replaced.
  8. “Data Subject”: An individual to whom Personal Data pertains.
  9. “Europe”: Encompasses the European Union, the European Economic Area, their member states, Switzerland, and the United Kingdom.
  10. “European Data”: Personal Data protected under European Data Protection Laws.
  11. “European Data Protection Laws”: Includes the General Data Protection Regulation (GDPR), Directive 2002/58/EC (the e-Privacy Directive), and their applicable national implementations or adaptations such as the UK GDPR and the Swiss Federal Data Protection Act.
  12. “Instructions”: Documented directives issued by the Controller to the Processor, specifying actions to be taken with regard to Personal Data, which may include processing, storing, deleting, or handling of the data.
  13. “Personal Data”: Any information that relates to an identified or identifiable individual, protected under applicable Data Protection Laws.
  14. “Personal Data Breach”: Any security breach that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data. This does not include unsuccessful attempts that do not compromise Personal Data security, such as failed login attempts or network attacks on firewalls.
  15. “Processing”: Any operation or set of operations performed on Personal Data, including but not limited to collection, storage, retrieval, modification, disclosure, and destruction. Related terms are “Process”, “Processes”, and “Processed”.
  16. “Processor”: A natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of the Controller.
  17. “Standard Contractual Clauses”: The clauses provided by the European Commission to ensure that data transfers outside the European Economic Area comply with European data protection law, found at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
  18. “Sub-Processor”: A third party engaged by the Processor to assist in fulfilling their obligations under the Agreement, excluding employees or consultants of the Processor.
  19. “UK Addendum”: The addendum issued by the UK Information Commissioner for international data transfers under UK law, available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

2. CONTROLLER RESPONSIBILITIES

  1. Compliance with Laws: The Client is responsible for ensuring compliance with all applicable Data Protection Laws in relation to its Processing of Personal Data and adherence to the Instructions it provides to CTT. Specifically, the Client will:
  • Ensure the accuracy, quality, and legality of the Personal Data.
  • Meet all transparency and lawfulness requirements for collecting and using Personal Data, including securing necessary consents and authorizations.
  • Confirm its rights to transfer or provide access to Personal Data to CTT for Processing as per the Agreement and this DPA.
  • Ensure all Instructions related to the Processing of Personal Data are lawful and compliant with Data Protection Laws.
  • Adhere to all applicable laws governing the content created, sent, or managed through the Services. The Client will notify CTT promptly if it is unable to meet these compliance obligations.
  2. Controller Instructions: This DPA and the use of the Services under the Agreement constitute the complete set of Instructions from the Client to CTT regarding the Processing of Personal Data. The Client may issue additional Instructions consistent with the terms of the Agreement and the lawful use of the Services during their term.
  3. Security Responsibilities: The Client must independently verify whether the data security measures in place for the Services meet the requirements of applicable Data Protection Laws. This responsibility includes ensuring the security of Personal Data during its transmission to and from the Services and implementing necessary precautions such as data backups and encryption.

3. PROCESSOR OBLIGATIONS

  1. Compliance with Instructions: CTT will Process Personal Data solely for the purposes set forth in this DPA or as explicitly agreed upon through lawful Instructions, except as required by applicable law. CTT is not responsible for adhering to any Data Protection Laws specifically applicable to the Client’s industry that do not generally apply to CTT.
  2. Conflict of Laws: Should legal requirements prevent CTT from complying with the Instructions, CTT will:
  • Promptly inform the Client about the legal requirement, to the extent permitted by law.
  • Cease all Processing activities, except for storing and securing the Personal Data, until the Client provides new lawful Instructions that CTT can comply with. During this period, CTT will not be liable for any service disruptions caused by adherence to legal requirements.
  3. Security Measures: CTT commits to implementing and maintaining robust technical and organizational measures to safeguard Personal Data against breaches, detailed in Annex 2 of this DPA. CTT may update these Security Measures, provided such updates do not degrade the level of protection.
  4. Confidentiality: CTT ensures that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
  5. Personal Data Breaches: Should a Personal Data Breach occur, CTT will notify the Client without undue delay and provide all necessary details promptly. CTT will assist the Client in notifying affected Data Subjects and relevant authorities if required by Data Protection Laws.
  6. Deletion or Return of Personal Data: Upon termination or expiry of the Services, CTT will either delete or return all Personal Data processed under this DPA, unless legal obligations necessitate retaining the Personal Data. Any retained Personal Data will be securely isolated and protected from further processing until deletion is possible, following CTT’s established deletion practices.

4. DATA SUBJECT REQUESTS

  1. Handling Requests Through the Services: The Services equip the Client with functionalities to retrieve, correct, delete, or restrict Personal Data, facilitating compliance with Data Protection Laws and Data Subject Requests.
  2. Additional Assistance: If the Client cannot fully address a Data Subject Request using the provided Service tools, CTT will offer reasonable assistance upon receiving a written request from the Client. This includes helping respond to Data Subject Requests or queries from data protection authorities concerning the Processing of Personal Data under the Agreement. The Client will cover any commercially reasonable costs incurred by CTT for providing this assistance.
  3. Direct Requests to CTT: In cases where Data Subjects approach CTT directly regarding their Personal Data under the Agreement, CTT will promptly direct these requests to the Client. CTT will inform the Client about the request and advise the Data Subject to contact the Client directly. The Client holds sole responsibility for substantively responding to such requests or communications related to Personal Data.

5. USE OF SUB-PROCESSORS

  1. Engagement of Sub-Processors: CTT may engage Sub-Processors to assist in providing various aspects of the Services, including hosting and infrastructure, product features and integrations, and customer support. CTT will inform the Client about the default Sub-Processors and those that require Client’s opt-in to engage.
  2. Notification of Changes: CTT maintains a current list of Sub-Processors in Annex 3 of this DPA. The Client may subscribe to email notifications for updates on Sub-Processors changes by filling out a form available at https://openagentsbuilder.com. CTT commits to notifying the Client at least 30 days in advance before adding or replacing any Sub-Processors.
  3. Client’s Right to Object: The Client has the right to object to the use of new Sub-Processors on reasonable grounds related to data protection within 30 days of such notification. If the Client raises concerns, CTT will engage in discussions to seek a resolution. If no resolution is achievable, CTT may either not engage the proposed Sub-Processor or allow the Client to suspend or terminate the relevant Services per the termination provisions of the Agreement, without any liability for the cessation but subject to any fees incurred before the suspension or termination.
  4. Sub-Processor Compliance: CTT will impose data protection terms on all Sub-Processors that ensure at least the same level of data protection as set forth in this DPA, appropriate to the nature of the services they provide. CTT remains liable for the compliance of each Sub-Processor with the obligations of this DPA and for any breaches caused by the Sub-Processors.

6. DATA TRANSFERS

  1. Scope of Data Transfers: The Client acknowledges that CTT, along with its Sub-Processors, may need to access and Process Personal Data on a global scale to deliver the Services effectively. This includes the transfer of Personal Data to and processing in the United States and other countries where CTT or its Sub-Processors operate.
  2. Compliance with Data Protection Laws: Both CTT and the Client will ensure that any transfer of Personal Data outside its country of origin adheres to the applicable requirements of Data Protection Laws. This commitment includes implementing adequate safeguards and ensuring all transfers are legally compliant, whether the data is moving to or from the European Union, the United States, or other international jurisdictions.
  3. Legal Mechanisms for Data Transfer: To facilitate these transfers while complying with Data Protection Laws, CTT will employ various legal mechanisms. These may include but are not limited to the use of Standard Contractual Clauses, adherence to the EU-U.S. Privacy Shield Framework, or ensuring that Sub-Processors in third countries meet equivalent data protection standards.
  4. Notification of Transfers: CTT will provide the Client with notice of any new countries to which Personal Data may be transferred, as part of its regular updates on data handling practices. This ensures transparency and allows the Client to assess the adequacy of the protection measures in place.

7. DEMONSTRATION OF COMPLIANCE

  1. Transparency and Information Sharing: CTT commits to maintaining transparency and will provide the Client with all necessary information to demonstrate compliance with this DPA. CTT will participate in and contribute to audits and inspections conducted by the Client or its designated auditor to assess compliance with this DPA, as required by applicable law.
  2. Audit Rights: The Client has the right to conduct audits to ensure CTT's compliance with this DPA. These audit rights will be exercised by instructing CTT to adhere to the audit procedures outlined in this section. CTT acknowledges that the Services are hosted by Sub-Processors who maintain independently validated security programs, including SOC 2 and ISO 27001 certifications. CTT’s systems are also regularly audited and tested by independent third-party firms.
  3. Access to Audit Reports: Upon request, CTT will provide the Client with access to relevant audit reports on a confidential basis. These reports help the Client verify CTT’s compliance with this DPA.
  4. Responding to Compliance Inquiries: At the Client’s written request, CTT will provide written responses to all reasonable requests for information necessary to confirm CTT’s compliance with this DPA. This right may be exercised no more than once per calendar year unless the Client has reasonable grounds to suspect non-compliance with this DPA.

8. ADDITIONAL PROVISIONS FOR EUROPEAN DATA

  1. Scope: This section exclusively addresses the handling and transfer of European Data, defined as data protected under European Data Protection Laws.
  2. Roles and Responsibilities: In processing European Data, the Client acts as the “Controller”, and CTT functions as the “Processor”, each adhering to their respective obligations under European Data Protection Laws.
  3. Compliance with Instructions: Should CTT determine that an Instruction may conflict with European Data Protection Laws, CTT will promptly notify the Client, and both parties will work to resolve the issue.
  4. Data Protection Impact Assessments: CTT will support the Client in conducting data protection impact assessments and consultations with supervisory authorities, particularly when CTT possesses essential information not readily available to the Client.
  5. Legal Mechanisms for Data Transfers:
  • General: CTT will only transfer European Data to countries or entities that provide adequate data protection, as recognized by European Data Protection Laws. This includes using established frameworks and legal mechanisms such as the Data Privacy Framework, Binding Corporate Rules, or the Standard Contractual Clauses.
  • Specific Mechanisms:
    • Data Privacy Framework: CTT and its Sub-Processors in the United States will receive European Data in compliance with the Data Privacy Framework, ensuring protection levels equivalent to European standards. CTT will notify the Client if compliance with this framework becomes untenable.
    • Standard Contractual Clauses: If required by European Data Protection Laws, CTT will utilize Standard Contractual Clauses. These clauses provide detailed roles and responsibilities:
      • For GDPR-related transfers, the Client is the data exporter, and CTT or its Sub-Processors are the data importers. The relevant clauses from the EU’s decisions will be applied according to the role of the Client (Controller or Processor).
      • Adjustments specific to UK GDPR and Swiss DPA will apply as necessary, ensuring compliance with local regulations by integrating the UK Addendum and modifying references to align with Swiss law.
      • The Client agrees that CTT fulfills its obligations under Section 9 of the Standard Contractual Clauses through its adherence to the Sub-Processor provisions in this DPA. Despite potential restrictions on sharing Sub-Processor agreements, CTT will make reasonable efforts to disclose these agreements to the Client, providing all accessible information confidentially. The Client may also exercise its audit rights as defined in Clause 8.9 of the Standard Contractual Clauses by following the audit procedures specified in the “Demonstration of Compliance” section of this DPA, ensuring robust oversight of CTT’s data protection practices.
  6. Alternative Transfer Mechanisms:
  • Adoption of New Mechanisms: If CTT is required to adopt an alternative transfer mechanism for European Data, this mechanism will automatically replace the existing arrangements to ensure compliance with European Data Protection Laws. This adjustment will only be made to the extent that the new mechanism complies with these laws.
  • Client’s Cooperation: The Client agrees to perform any necessary actions and execute any documents that are reasonably necessary to legally implement these alternative transfer mechanisms effectively.

9. ADDITIONAL PROVISIONS FOR CALIFORNIA PERSONAL INFORMATION

  1. Scope: This section solely addresses the processing of California Personal Information, subject to the CCPA.
  2. Roles of the Parties: Under the CCPA, the Client acts as the “Business” and CTT functions as the “Service Provider.” Each party will perform its responsibilities strictly in accordance with their roles defined by the CCPA.
  3. Responsibilities of the Service Provider: CTT, as the Service Provider, will:
  • Process California Personal Information solely to perform the Services outlined in the Agreement or as permitted by the CCPA.
  • Not sell or share California Personal Information.
  • Refrain from processing California Personal Information outside the direct business relationship between the parties unless required by law.
  • Ensure that California Personal Information is not unlawfully combined with data from external sources, except as necessary for fulfilling its role under the Agreement.
  4. Compliance Commitment: CTT commits to:
  • Fulfilling its responsibilities as a Service Provider under the CCPA.
  • Maintaining the privacy protection level required by the CCPA for California Personal Information.
  • Notifying the Client promptly if it can no longer meet these CCPA obligations.
  5. CCPA Audits: The Client reserves the right to audit CTT’s use of California Personal Information to ensure compliance with the CCPA. This includes taking appropriate actions, as agreed upon in the Agreement, to address and rectify any unauthorized use of California Personal Information.
  6. Declaration of Non-Sale: The parties acknowledge and agree that the sharing of California Personal Information under the Agreement does not constitute a sale and no monetary or other valuable consideration is exchanged for such information. CTT’s handling of California Personal Information will adhere strictly to the service provision requirements of the CCPA without any further commercial exploitation.

10. GENERAL PROVISIONS

  1. Amendments: CTT may update and make changes to this DPA as necessary, without affecting the commitments under the “Compliance with Instructions” or “Security” sections of this DPA, to ensure ongoing compliance with evolving legal requirements.
  2. Severability: Should any provision of this DPA be found invalid or unenforceable, such determination will not affect the validity and enforceability of the remaining provisions, ensuring the continued effectiveness of this DPA.
  3. Limitation of Liability: The liabilities of each party, related to or arising from this DPA, including under the Standard Contractual Clauses when applicable, are subject to the limitations and exclusions specified in the “Limitation of Liability and Disclaimer of Warranties” section of the main Agreement. References to a party’s liability in that section include the aggregate liability under this DPA.
  4. Governing Law: This DPA is governed by and construed in line with the laws specified in the “Governing Law and Jurisdiction” section of the main Agreement, except as explicitly altered by applicable Data Protection Laws.

ANNEX 1: DETAILS OF PROCESSING

1. List of Parties

  • Data Exporter (Client):
    • Name: As defined in (the context of) the Agreement.
    • Address: Specified in (the context of) the Agreement.
    • Contact Details: Specified in (the context of) the Agreement.
    • Activities: Processing Personal Data in accordance with the use of the Services under the Agreement.
    • Role: Controller.
  • Data Importer (CTT):
    • Name: As defined in the Agreement.
    • Address: Specified in the Agreement.
    • Contact Details: Specified in the Agreement.
    • Activities: Processing Personal Data to provide Services as specified in the Agreement.
    • Role: Processor.

2. Description of Transfer

  • Categories of Data Subjects: This includes the End Users—namely, pre-approved individuals or closed groups designated to access and interact with the Platform and Services.
  • Categories of Personal Data: This includes, but is not limited to, identification details (e.g., names, usernames), contact information (e.g., email addresses, phone numbers), demographic data, and user-generated content provided for accessing and utilizing the Services.
  • Sensitive Data: The processing or transfer of sensitive personal data (e.g., data related to health, racial or ethnic origin, political opinions, religious beliefs, or biometric data) is strongly discouraged.
  • Frequency of Transfer: Continuous, as needed for the provision of the Services.
  • Nature of the Processing: Personal Data will be stored, maintained, and processed to support the Services provided to the Client, including disclosures as necessary under the Agreement, or as required by law.
  • Purpose of Transfer and Further Processing: To facilitate the provision of the Services as described in the Agreement and pursuant to the Client’s Instructions.
  • Retention Period: Personal Data will be processed for the duration of the Agreement unless otherwise specified.

ANNEX 2: SECURITY MEASURES

1. Access Control:

  • Preventing Unauthorized Access:
    • Outsourced Processing: CTT uses outsourced cloud infrastructure providers, maintaining strict contractual relationships to ensure data protection in line with this DPA.
    • Physical and Environmental Security: Multi-tenant, outsourced infrastructure is used to host CTT’s product infrastructure, with stringent physical and environmental security controls.
    • Authentication and Authorization: CTT enforces a uniform password policy and controls access through user interface authentication and application programming interfaces (APIs). Access to customer data is restricted to authorized personnel only, based on roles and permissions.
  • Preventing Unauthorized Use:
    • Access Controls and Intrusion Detection: CTT employs industry-standard access controls and intrusion detection mechanisms to safeguard against unauthorized access to network and product infrastructure. This includes Virtual Private Cloud (VPC) setups and security group assignments.
    • Code Analysis and Penetration Testing: Regular static code analysis and annual penetration testing are conducted to identify and mitigate potential security vulnerabilities.

2. Transmission Control:

  • Data In-transit: All data transmitted to and from CTT’s systems is encrypted using HTTPS/TLS protocols to ensure secure data transmission.
  • Data At-rest: Personal Information stored at rest on CTT’s servers is encrypted, adhering to industry-standard practices for data security.

3. Input Control:

  • Logging and Monitoring: CTT’s infrastructure logs extensive information about system behavior, traffic, and authentication requests. These logs are monitored to detect and respond to potential security incidents.
  • Incident Response and Management: CTT maintains a comprehensive incident response plan that includes steps for handling security breaches, minimizing damage, and notifying customers in compliance with this DPA.

4. Availability Control:

  • Infrastructure Reliability: CTT’s infrastructure providers ensure at least 98% uptime and maintain redundancy to support power, network, and HVAC services.
  • Data Redundancy and Backup: Customer data is backed up and replicated across multiple data centers to ensure data availability and integrity. CTT’s disaster recovery plans are regularly tested to ensure they are effective in restoring services and data after operational disruptions.

5. Disaster Recovery and Data Integrity:

  • Disaster Recovery Plans: Regular testing of disaster recovery procedures to ensure prompt restoration of services with minimal data loss.
  • Data Integrity Measures: Continuous integrity checks and balances are performed to ensure the accuracy and reliability of the data processed.

ANNEX 3: SUB-PROCESSORS

  1. Overview: CTT engages various Sub-Processors to assist in delivering the Services. This annex provides a transparent listing of these Sub-Processors, detailing their roles and the purposes for which they are engaged. The use of Sub-Processors is in strict accordance with the terms outlined in this DPA, ensuring adherence to applicable data protection standards.
  2. List of Sub-Processors:
    1. Cloud Infrastructure Providers:
      • Purpose: To host and manage the infrastructure on which CTT’s services operate, ensuring high availability and security of the processing environment.
      • Provider: Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany, email: info@hetzner.com).
      • Location: EU/EEA.
    2. Payment Processors:
      • Purpose: To handle financial transactions related to the Services, ensuring secure and efficient processing of payments.
      • Provider: Stripe Technology Europe, Limited (an Irish limited company; Registered number: 0599050; Registered office: 25/28 North Wall Quay, Dublin 1, D01H104).
      • Location: EU/EEA.
    3. OpenAI Services:
      • Purpose: To enable AI-driven capabilities such as language processing, text generation, or content analysis, leveraging OpenAI’s technology to enhance user experience and service functionality.
      • Provider: (a) For residents in the European Economic Area (EEA) or Switzerland: OpenAI Ireland Limited, with its registered office at 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland. (b) For residents in the UK: OpenAI OpCo, LLC, with its registered office at 1960 Bryant Street, San Francisco, California 94110, United States. OpenAI is self-certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, ensuring compliance with applicable cross-border data protection requirements.
      • Location: EU/EEA, United States.
  3. Updating the Sub-Processor List: The list of Sub-Processors may be updated periodically to reflect changes in the services CTT provides or in response to operational needs. CTT commits to updating this Annex and notifying the Client of any new Sub-Processors or changes to existing Sub-Processors as required by this DPA. Clients can subscribe to receive updates via a link provided on the CTT Sub-Processors Page at https://openagentsbuilder.com.
  4. Objections and Removal of Sub-Processors: Clients have the right to object to the use of new Sub-Processors by providing written notice to CTT within thirty (30) days of such notification. CTT will consider such objections in good faith and will either resolve the objection or provide the Client with the option to terminate the affected Services in accordance with the termination provisions of the Agreement.