This Data Processing Agreement ("DPA") forms an integral part of the Propsle Technologies Inc | ProAgent Terms of Service ("Terms") between the party named as "Customer" in the Terms ("Customer" or "Controller") and Propsle Technologies Inc | ProAgent, Inc. ("Company" or "Processor") and sets out the parties' respective obligations when Customer personal data is processed by Company in relation to the Services performed by Company on Customer's behalf pursuant to the Terms. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose personal data is processed. This DPA will be effective from the date on which the authorized signatories of the parties sign the Order Form.
This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between the Customer and Propsle Technologies Inc | ProAgent (together as the "Parties").
(A) The Company acts as a Data Controller and wishes to engage Service Provider for AI-powered desktop assistant services, white glove onboarding, knowledge base creation, and Propsle Technologies Inc | ProAgent customization services.
(B) The Company wishes to subcontract certain Services, which may involve the processing of personal data and confidential business information, to the Service Provider.
(C) The Parties seek to implement comprehensive data protection, confidentiality, and intellectual property provisions that comply with applicable laws including GDPR, U.S. state privacy laws, and other relevant data protection regulations.
(D) The Parties wish to establish clear ownership rights regarding deliverables created during paid pilot programs and ongoing services.
IT IS AGREED AS FOLLOWS:
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 "Agreement" means this Data Processing and Services Agreement and all Schedules;
1.1.2 "Company Personal Data" means any Personal Data Processed by Service Provider on behalf of Company pursuant to or in connection with the Principal Agreement;
1.1.3 "Company Confidential Information" means all non-public, proprietary, or confidential information disclosed by Company to Service Provider, including but not limited to business processes, customer data, financial information, technical specifications, and strategic plans;
1.1.4 "Data Protection Laws" means EU Data Protection Laws, U.S. Privacy Laws, and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 "U.S. Privacy Laws" means applicable U.S. federal and state privacy laws including but not limited to the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and any other applicable state privacy laws;
1.1.6 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.8 "Data Transfer" means:
1.1.9 "Services" means the AI-powered desktop assistant services, white glove onboarding, knowledge base creation, Propsle Technologies Inc | ProAgent customization, sales coaching, and meeting assistance that Propsle Technologies Inc | ProAgent provides;
1.1.10 "Deliverables" means all work products, documents, designs, configurations, customizations, prompt designs, knowledge bases, and other materials created by Service Provider specifically for Company during the performance of Services, particularly during paid pilot programs;
1.1.11 "Subprocessor" means any person appointed by or on behalf of Service Provider to process Personal Data on behalf of the Company in connection with the Agreement;
The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2.1.1 Service Provider acknowledges that it may receive Company Confidential Information and Company Personal Data in connection with the Services.
2.1.2 Service Provider shall:
2.1.3 The confidentiality obligations shall survive termination of this Agreement for a period of five (5) years.
Service Provider shall:
2.2.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
2.2.2 not Process Company Personal Data other than on the Company's documented instructions;
2.2.3 ensure all employees handling Personal Data or Confidential Information are bound by legally enforceable confidentiality agreements;
2.2.4 provide adequate training to all employees handling Personal Data on data protection requirements and procedures;
2.2.5 be held liable for any processing activities conducted outside the scope of documented instructions.
Service Provider shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual's duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
The Company instructs Service Provider to process Company Personal Data for the following purposes:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Service Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
In assessing the appropriate level of security, Service Provider shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
Service Provider shall assist Company in fulfilling consumer rights requests under applicable U.S. Privacy Laws, including:
5.2.1 Service Provider warrants that it will not:
5.2.2 Service Provider shall provide the same level of privacy protection as required by applicable U.S. Privacy Laws.
For transfers of personal data from the U.S. to other jurisdictions, Service Provider shall implement appropriate safeguards including standard contractual clauses or other legally recognized transfer mechanisms.
6.1.1 For paid pilot programs, all Deliverables created specifically for Company, including but not limited to:
shall be owned by Company upon full payment of applicable fees.
6.1.2 Service Provider hereby assigns to Company all right, title, and interest in and to such Deliverables, including all intellectual property rights therein.
6.2.1 Service Provider retains ownership of:
6.2.2 Service Provider may use general knowledge, skills, and experience gained from providing Services, provided such use does not violate confidentiality obligations or disclose Company Confidential Information.
6.3.1 Company grants Service Provider a limited, non-exclusive license to use Company Confidential Information solely for the purpose of providing the Services during the term of this Agreement.
6.3.2 Service Provider grants Company a perpetual, irrevocable, royalty-free license to use Deliverables for Company's business purposes, including the right to modify and create derivative works.
Service Provider is authorized to engage the following Subprocessors:
Service Provider shall ensure that all Subprocessors:
Service Provider shall inform Company of any intended changes to Subprocessors with at least 30 days' prior written notice. Company may object to such changes within 14 days if the changes do not meet required data protection standards.
Service Provider shall assist Company in fulfilling its obligations to respond to requests to exercise Data Subject rights under applicable Data Protection Laws, including both GDPR and U.S. Privacy Laws.
Service Provider shall:
8.2.1 promptly notify Company within 5 days if it receives a request from a Data Subject;
8.2.2 not respond to that request except on the documented instructions of Company or as required by applicable laws.
Service Provider shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by Service Provider, taking into account the nature of the Processing and information available to Service Provider.
Service Provider shall notify Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data or Confidential Information, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Service Provider shall cooperate with Company and take reasonable commercial steps as directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Service Provider shall delete Company Personal Data and Confidential Information within 30 days of the cessation of Services, except for:
Service Provider shall provide written certification to Company that it has fully complied with this section within 30 days of the Cessation Date.
Subject to this section, Service Provider shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of Company Personal Data.
Company may conduct at least one audit per year of Service Provider's data processing activities upon reasonable notice.
Information and audit rights of the Company only arise to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
Service Provider shall maintain and provide documentation demonstrating compliance with this Agreement and applicable Data Protection Laws.
Personal data processed under this Agreement may be transferred from Company's jurisdiction to the United States and other jurisdictions where Service Provider or its Subprocessors operate.
For transfers from the EU/EEA, the Parties shall rely on EU approved standard contractual clauses as set forth in Schedule A.
Service Provider shall immediately notify Company of any legally binding request for disclosure of Personal Data by a government authority, unless prohibited by law.
Service Provider shall not use Company Personal Data or Confidential Information for the purpose of training or developing its artificial intelligence models, machine learning algorithms, or similar technologies, except where explicitly authorized by Company in writing.
Service Provider warrants that its AI systems are designed and operated in accordance with responsible AI principles, including fairness, transparency, and accountability.
Service Provider shall be liable for damages caused by:
Service Provider shall indemnify Company for damages resulting from unauthorized disclosure of Company Confidential Information.
All other liability matters, including commercial liability, limitation of damages, and general indemnification, shall be governed by the Principal Agreement between the parties.
This Agreement shall remain in effect for the duration of the Principal Agreement.
The following provisions shall survive termination:
This Agreement shall be governed by the laws of [CUSTOMER JURISDICTION]. Where Company is located in the United States, this Agreement shall be governed by the laws of the state where Company is headquartered.
Any disputes shall be resolved in accordance with the dispute resolution mechanism set forth in the Principal Agreement.
This Agreement, together with the Principal Agreement, constitutes the entire agreement between the parties regarding data processing and confidentiality.
This Agreement may only be amended in writing signed by both parties.
All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties.
If any provision is found unenforceable, the remainder of the Agreement shall remain in full force and effect.
The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
The Parties:
have agreed to these standard contractual clauses (hereinafter: "Clauses").
These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Note: Due to the comprehensive nature of this document, the full Standard Contractual Clauses continue with detailed provisions for data transfers, processor obligations, data subject rights, supervision, local laws compliance, and audit rights as required by GDPR Article 28(7) and EU Commission Decision 2021/914.
The controller has authorized the use of the following sub-processors:
| Name | Purpose | Location | Website |
|---|---|---|---|
| AWS | Cloud infrastructure and hosting services | United States | aws.amazon.com |
| OpenAI | AI language model services | United States | openai.com |
| Stripe | Payment processing and billing | United States | stripe.com |
| Pinecone | Vector database and search | United States | pinecone.io |
| AssemblyAI | Speech recognition and audio intelligence | United States | assemblyai.com |