This Data Processing Addendum ("Addendum") forms part of the Master Services Agreement, or other similar agreement (collectively, the "Agreement") between Detech.ai, Inc. ("Processor"), and the applicable Controller customer which is also a party to such Agreement (“Company”).  Processor and Company are each referred to as a “Party” and collectively as the “Parties”.

Except as modified below, the terms of the Agreement shall remain in full force and effect.   Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

1. Definitions.

The terms used in this Addendum shall have the meanings set forth in this Addendum or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement. The following terms have the meanings set forth below:

1.1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Company or Processor, respectively.

1.2. “Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which Company is subject, including, but not limited to, (a) the California Consumer Privacy Act of 2018 (“CCPA”), (b) the EU General Data Protection Regulation 2016/679 (“EU GDPR”) including the applicable implementing legislation of each Member State, (c) the UK Data Protection Act 2018, and the UK General Data Protection Regulation (“UK GDPR” and together with the EU GDPR, the “GDPR”), (d) the Swiss Federal Act on Data Protection of 19 June 1992, (e) any other applicable law with respect to any Personal Data in respect of which the Company is subject to, and (f) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.

1.3. “Data Subject” shall mean an identified or identifiable natural person.

1.4. “Personal Data” shall mean (i) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy law or (ii) if not defined by Applicable Privacy Law, any information that relates to a Data Subject; in each case, to the extent Processed by Processor, on behalf of Company, in connection with Processor’s performance of the Services.

1.5. “Privacy Authority” shall mean any competent supervisory authority, attorney general, or other regulator with responsibility for privacy or data protection matters in the jurisdiction of Company.

1.6. “Process”, “Processing” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.

1.7. “Security Breach” shall mean an actual or reasonably suspected accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data.

1.8. “Services” shall mean the services as described in the Agreement or any related order form or statement of work.

1.9. “Standard Contractual Clauses” means (a) with respect to restricted transfers (as such term is defined under Applicable Privacy Law) which are subject to the EU GDPR and other Applicable Privacy Laws pursuant to which the same have been adopted, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), and (b) with respect to restricted transfers subject to the UK GDPR and other Applicable Privacy Laws pursuant to which the EU Clauses have not been adopted, such other transfer clauses as may be adopted from time to time under the UK GDPR and other Applicable Privacy Laws.

1.10. “Subprocessor” shall mean any subcontractor (including any third party and/or Company Affiliate) engaged by Processor to Process Personal Data on behalf of Processor.

2. Processing Requirements.

2.1. Processor shall comply with Applicable Privacy Law in the Processing of Personal Data and only Process Personal Data for the purposes of providing the Services and in accordance with Processor’s instructions, and as may subsequently be agreed between the Parties in writing.  Processor shall promptly inform Company if (a) in Processor’s opinion, an instruction from Company violates Applicable Privacy Law; or (b) Processor is required by applicable law to otherwise Process Personal Data, unless Processor is prohibited by that law from notifying Company under applicable law.

2.2. Processor shall implement and maintain reasonable and appropriate technical measures that will ensure that Company’s reasonable and lawful instructions can be complied with, including the following:

1. updating, amending, correcting, or providing access to the Personal Data of any Data Subject upon written request of Company from time to time;
2. cancelling, deleting, or blocking access to any Personal Data upon receipt of written instructions from Company;
3. otherwise facilitating Company’s responses to Data Subject requests as required under Applicable Privacy Law; and
4. Processor shall promptly re-direct any request from a Data Subject to exercise any of its Data Subject rights to Company and shall not respond directly to the Data Subject unless instructed so by Company in writing.

2.3. Processor acknowledges that (a) Company discloses Personal Data to Processor solely for the business purpose of Company, and (b) Processor has not and will not receive any monetary or other valuable consideration in exchange for their receipt of the Personal Data, and that any consideration paid by Company to Processor under the Agreement relates only to Processor’s provision of the Services.  Processor shall not collect, retain, use, disclose, or otherwise Process the Personal Data (i) for any purpose other than for the specific purpose of providing the Services to Company, or (ii) outside of the direct business relationship between Company and Processor.  In addition, Business shall not ‘sell,’ as defined under Applicable Privacy Law (including, without limitation, CCPA), or otherwise disclose any Personal Data except to authorized Subprocessors needed to render the Services.

2.4. Processor shall provide to Company such co-operation, assistance and information as Company may reasonably request to enable it to comply with its obligations under Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, in each case (a) solely to the extent applicable to Processor’s provision of the Services, and (b) within such reasonable time as would enable Company to meet any time limit imposed by the Privacy Authority.

3. Security of Personal Data.

3.1. Processor shall maintain, during the term of the Agreement, appropriate technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access.

3.2. Processor shall ensure the reliability of any employees who Process Personal Data.

4. Subprocessors.

4.1. Processor shall not, without Company’s prior written consent, sub-contract or outsource any Processing of Personal Data to any Subprocessor; provided that Company shall not unreasonably withhold or delay consent to Processor’s appointment of any Subprocessor. Without limiting the foregoing, Company authorizes Processor to engage the following subprocessors: vendors, subcontractors.

4.2. Processor shall remain liable for any Processing of Personal Data by each such Subprocessor as if it had undertaken such Processing itself.

4.3. Processor will contractually impose data protection obligations on its Subprocessors that are no less onerous than those imposed on Company under this Addendum.

5. Breach Notification.

5.1. Notification to Company. Unless otherwise prohibited by applicable law, Processor shall notify Company without undue delay, and in any event within 72 hours after Processor becomes aware of a Security Breach. Such notification shall include, to the extent such information is available (a) a detailed description of the Security Breach, (b) the type of data that was the subject of the Security Breach and (c) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned). In addition, Processor shall communicate to Company (i) the name and contact details of Processor’s data protection officer or other point of contact where more information can be obtained, (ii) a description of the likely consequences of the Security Breach, (iii) a description of the measures taken or proposed to be taken by Processor to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.

5.2. Investigation. Processor shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.

6. Privacy Impact Assessment. Processor shall, promptly upon receipt of written request by Company (a) make available to Company such information as is reasonably necessary to demonstrate Processor’s compliance with Applicable Privacy Law to the extent applicable to the Services, and (b) reasonably assist Company in carrying out any privacy impact assessment and any required prior consultations with Privacy Authorities, taking into account the nature of the Processing and the information available to Processor. Processor shall reasonably cooperate with Company to implement such mitigation actions as are reasonably required to address privacy risks identified in any such privacy impact assessment. Unless such request follows a Security Breach or is otherwise required by Applicable Privacy Law, Company shall not make any such request more than once in any 12-month period.

7. ‍Audit Rights.  Processor shall permit Company and/or its authorized agents, at Company’s cost, to audit its written records to the extent reasonably required in order to confirm that Processor is complying with its obligations under this Addendum, provided always that any such audit does not involve the review of any third party data and that the records and information accessed in connection with such audit are treated as Processor’s confidential and proprietary information.

8. ‍Deletion of Personal Data. Processor shall, promptly and in any event within 90 days of expiration or termination of the Agreement, or following receipt of written notice from the Company, (a) return a complete copy of all Personal Data to Company by secure file transfer in such format as is reasonably notified by Company to Processor; and (b) delete and procure the deletion of all other copies of Personal Data Processed by Processor.

9. ‍Third Party Disclosure Requests.

9.1. Unless prohibited by applicable law, Processor shall promptly notify Company of any inquiry, communication, request or complaint, to the extent relating to Processor’s Processing of Personal Data on behalf of Company, from:

1. any governmental, regulatory or supervisory authority, including Privacy Authorities or the U.S. Federal Trade Commission; and/or
2. any Data Subject,

and shall, taking into account the nature of the Processing, provide reasonable assistance to enable Company to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines. Processor shall not disclose Personal Data to any of the persons or entities in (a) or (b) above unless it is legally required to do so and has otherwise complied with the obligations in this Section 9.1 and Section 9.2.

9.2. In the event that Processor is required by law, court order, warrant, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Company, including any national security authority or other government body, Processor shall attempt to redirect the government request to Company. If Processor is unable to redirect the request, Processor shall, unless prohibited by applicable law, notify Company promptly and shall provide all reasonable assistance to Company to enable Company to respond or object to, or challenge, any such Legal Requests and to meet applicable statutory or regulatory deadlines. If Processor is prohibited by applicable law from providing notice to Company of a Legal Request, Processor shall use commercially reasonable efforts to object to, or challenge, any such Legal Request to avoid or minimize the disclosure of Personal Data. Processor shall not disclose Personal Data pursuant to a Legal Request unless it is required to do so by applicable law and has otherwise complied with the obligations in this Section 9.2.

10. ‍Restricted Transfers of Personal Data Outside of the European Economic Area, the United Kingdom, and Switzerland. The Parties acknowledge and agree that, to the extent a transfer of Personal Data under this Addendum is considered a “restricted transfer” (as defined under Applicable Privacy Law) with respect to which the Standard Contractual Clauses constitute a valid transfer mechanism, the Parties shall undertake such transfer pursuant to the applicable Standard Contractual Clauses, the terms of which are hereby incorporated into this Addendum by reference. To the extent the Parties mutually determine that the Standard Contractual Clauses are applicable, the Parties shall complete the appropriate appendices and annexes to the Standard Contractual Clauses.

11. ‍Claims. Any claims brought under, or in connection with, this Addendum, shall be subject to the exclusions and limitations of liability set forth in the Agreement.