Data Processing Addendum

1. Definitions

• Affiliate means an entity that controls, is controlled by, or is under common control with a party, where control means ownership of fifty percent (50%) or more of voting securities or equivalent.
• Authorized Sub-processor means a third party sub-processor engaged by Botify as described in Section 5.
• Account Data means personal data relating to Customer's relationship with Botify, such as names and business contact details of users who access Customer's workspace, authentication identifiers, and billing contacts.
• Customer Content means content, prompts, training materials, configurations, and similar data that Customer (or its end users) submits to the Services, including conversational data processed on Customer's behalf.
• Data Protection Laws means applicable laws relating to privacy and the processing of personal data, including, where applicable, the EU and UK General Data Protection Regulation, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended (including CPRA), and their implementing regulations, each as updated from time to time.
• The terms Controller, Processor, Data Subject, Personal Data, processing, and Personal Data Breach have the meanings given under applicable Data Protection Laws (and, for EU/UK purposes, the GDPR).

2. Relationship of the parties

2.1 With respect to processing of Personal Data that Customer provides or makes available through the Services solely to enable Botify to provide the Services, the parties acknowledge that Customer is the Controller (or Processor acting on behalf of its own controller, as applicable) and Botify is the Processor, unless both parties agree in writing that Botify acts as an independent Controller for specific processing (e.g. certain Account Data or usage telemetry used for security and product integrity as described in our Privacy Policy).

2.2 Customer will process Personal Data lawfully and will ensure that its instructions to Botify comply with Data Protection Laws. Customer is solely responsible for the lawfulness of Customer Content, including end-user data collected via widgets, chats, or integrations. Customer will not instruct Botify to process Personal Data in violation of the Agreement.

2.3 Botify will process Personal Data only on documented instructions from Customer (including this DPA, the Agreement, and Customer's configuration and use of the product), unless required by applicable law—in which case Botify will, to the extent permitted, inform Customer before processing unless the law forbids such notice.

3. Details of processing (Exhibit A)

Subject matter: Provision of the Botify platform (AI agents, web widgets, messaging connectors, analytics, and related features).

Duration: For the term of the Agreement, plus a reasonable post-termination period to allow deletion, export, or legal retention described in the Agreement or Privacy Policy.

Nature and purposes: Hosting, storage, retrieval, transformation (including to power AI functionality), security monitoring, support, billing, backups, logging, and compliance with law.

Categories of Data Subjects: Customer's employees and other authorized users; Customer's prospects, customers, or visitors who interact with Customer's bots or widgets, as determined by Customer's use.

Categories of Personal Data: Identification and contact data; account and authentication data; communications content and metadata; technical and usage data; and other categories Customer or its end users submit. Customer will not submit special categories of data (e.g. health data) unless the parties expressly agree in writing and appropriate safeguards apply.

4. Confidentiality and personnel

Botify ensures that persons authorized to process Personal Data are bound by appropriate confidentiality obligations. Botify may disclose Personal Data to professional advisers and subprocessors strictly as needed to operate the Services or comply with law.

5. Authorized Sub-processors

5.1 Customer generally authorizes Botify to engage Sub-processors to support the Services. Botify will impose data protection terms on Sub-processors that are materially no less protective than this DPA.

5.2 Botify's Sub-processors may include, without limitation, infrastructure and hosting providers (e.g. Vercel), database and authentication providers (e.g. Supabase), payment processors (e.g. Polar), AI inference providers (e.g. Google Gemini / Google Cloud), email and notification delivery providers, and monitoring tools. The categories may change; Botify may publish or update a subprocessors list and can provide notice of material additions (for example by email to administrators or an in-product notice) at least ten (10) days before engagement where reasonably practicable. Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection within a reasonable time, Customer may discontinue the affected Service or terminate the Agreement as its exclusive remedy.

5.3 Botify remains liable under Data Protection Laws for the performance of Sub-processors it appoints, subject to limitations in the Agreement.

6. Security of processing

Botify implements appropriate technical and organizational measures appropriate to the risk, including industry-standard encryption for data in transit (e.g. TLS), access controls and authentication, logical separation of customer environments, logging and monitoring, vulnerability management, and business continuity practices. Further detail may be provided in security documentation or responses to reasonable questionnaires.

7. International transfers

Personal Data may be processed in the United States and other countries where Botify or its Sub-processors operate. Where Data Protection Laws require safeguards for transfers from the EEA, UK, or Switzerland, Botify will ensure appropriate mechanisms apply, which may include Standard Contractual Clauses and the UK International Data Transfer Addendum (or successor mechanisms). Upon request, Botify can provide executed or deemed-incorporated transfer terms consistent with regulatory templates then in force.

8. Data Subject requests; assistance

Where Botify receives a Data Subject request relating to Customer's use of the Services, Botify will advise the requester to contact Customer, unless applicable law requires otherwise. Taking into account the nature of processing, Botify will assist Customer—at Customer's expense where permitted by law—in responding to requests, Data Protection Impact Assessments, and supervisory consultations, as reasonable and proportionate.

9. Personal Data Breach; audits

Botify will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data in Botify's control, and will provide information reasonably necessary for Customer to meet its obligations, subject to legitimate restrictions (e.g. law enforcement). Notifications are not an admission of fault.

Customer may exercise audit rights by requesting relevant certifications, summaries, or questionnaires once per year, or as otherwise required by Data Protection Laws. On-site audits are permitted only with reasonable advance notice, during business hours, where required by law or SCCs, and in a manner that minimizes disruption; Customer bears reasonable costs unless the breach is attributable to Botify's material non-compliance.

10. Return and deletion

Following termination or expiry of the Agreement, Botify will delete or return Customer Personal Data in accordance with the Agreement and Privacy Policy, except where retention is required by applicable law or permitted backups that are securely overwritten in the ordinary course.

11. California (CCPA/CPRA)

To the extent the CCPA/CPRA applies, Botify is a "service provider" or "processor" (as applicable) with respect to personal information processed to provide the Services. Botify will not sell or share such personal information; will not retain, use, or disclose it outside the business relationship except as permitted by applicable law and the Agreement; and certifies that it understands and will comply with these restrictions.

12. Order of precedence

If mandatory transfer terms (such as approved Standard Contractual Clauses) apply, those terms prevail over conflicting provisions of this DPA to the minimum extent required. Otherwise, if there is a conflict among the Agreement, this DPA, and the Privacy Policy regarding processing of Personal Data, the order of precedence is: (1) mandatory transfer instruments; (2) this DPA; (3) the Agreement; (4) the Privacy Policy—unless the documents expressly state otherwise.