Terms of Use


Effective Date: April 27, 2026

This Web site located at app.chatteragent.ai and related Web pages (collectively, the “Site”) is provided by Content Workshop LLC and its affiliates (referred to as “We,” “Us,” or “Company”). These Terms of Use are an agreement between the Company and each person who accesses or uses the Website (a “User,” or “you”). YOU SHOULD READ CAREFULLY THE FOLLOWING TERMS AND CONDITIONS BEFORE CHECKING THE [I ACCEPT] BUTTON IN THE REGISTRATION SECTION OF THE CUSTOMER PORTAL AND PROCEEDING TO USE THE FEATURES AND FUNCTIONALITY OF THE SERVICES MADE AVAILABLE VIA THE SITE. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, THEN DO NOT ACCESS OR USE THE SERVICES MADE AVAILABLE VIA THE SITE. You may print and keep a copy of these Terms of Use and your Registration. You may request a copy of these Terms of Use and your Registration by contacting the Company at [email protected], provided you pay for the costs of copying and delivering the documents to you.

These Terms of Use are subject to change by Company at any time. When the Terms of Use are changed, Company will notify you by e-mail or online postings. The changes also will appear in this document, which you can access at any time by selecting the “Terms of Use” link on the login page. If you do not agree to be bound by the changes, you should not enter or use the Site again. If you use the site after Company has notified its customers of a change in the Terms of Use, you are agreeing now to be bound by all of the changes. We encourage you to review these Terms of Use periodically prior to your use of the Site.

Certain information made available via the Site may be provided by registered users, as further described below in the section entitled User Provided Content. Company does not have any obligation to verify the background or credentials of any registered user or the accuracy of information, reference materials, advice or other User Content provided by any user. Company undertakes to provide accurate and up-to-date information on the Site for the portions of the content provided by the Company. However, you understand and agree that information contained on this Site is subject to change and the Site is provided “AS IS.” Accordingly:

  • YOUR USE OF THE INFORMATION AND USER CONTENT MADE AVAILABLE VIA THE SITE IS AT YOUR OWN RISK.
  • The information on this Site may not be relied upon as financial or professional advice. Company shall not be responsible or liable for the accuracy, usefulness or availability of any information transmitted or made available via the Site, and you are solely responsible for any decisions made based on such information.
  • The passage of time can render information contained in, or linked to, this Site stale. Company is not responsible for any misimpressions which may result from the use of dated material. You should consider the dates of issuance of all items and information contained in, or linked to, this Site. Company does not undertake any duty to update, supplement, correct, comment upon or modify any information contained in the Site or any Web site to which it is linked.

Description of Services

We make various services available on this site including, but not limited to: (1) AI-powered content discovery, summarization, and generation, including the use of large language models and semantic embeddings to match third-party content to your brand and to rewrite that content in your brand voice; (2) a usage-based token system that meters and gates certain AI features; (3) automated content aggregation from external sources, including RSS feeds, public APIs, and web scraping of publicly available pages; (4) a tiered subscription pricing model with per-seat billing, processed through a third-party payment processor (Stripe); (5) team collaboration features (workspaces, invitations, role-based access); and (6) product analytics and error monitoring used to operate and improve the Services. Fees for the various services are set out in the membership and service fees described elsewhere in this site. You are solely responsible for providing, at your own expense, all equipment necessary to use the services, including a computer or mobile device; your own Internet access (including payment of any service fees associated with such access); and all equipment and internet access necessary to use the services, including a compatible web browser.

We reserve the sole right to either modify or discontinue the site, including any features therein, at any time with or without notice to you. We shall not be liable to you or any third party should We exercise such right. Modifications may include, but are not limited to, changes in the pricing structure, the addition of fee-based services, or changes to limitations on allowable file sizes. Any new features that augment or enhance the then-current services on this site shall also be subject to these Terms of Use.

You understand and agree that temporary interruptions of the services available through this site may occur as normal events. You further understand and agree that We have no control over third party networks you may access in the course of the use of this site, and therefore, delays and disruption of other network transmissions are completely beyond our control.

You understand and agree that the services available on this site are provided “AS IS” and that We assume no responsibility for the timeliness, deletion, mis-delivery or failure to store any user communications or personalization settings.

Payment of Fees

If you subscribe to a service on this site that requires payment of a fee, you agree to pay all fees associated with such service. For all charges for services on this site, We will bill your credit card through a third-party billing service. Recurring charges are billed in advance of service. You agree to provide Us with accurate and complete billing information, including valid credit card information, your name, address and telephone number, and to provide Us with any changes in such information at least 3 (three) days prior to the scheduled billing date.

If, for any reason, your credit card company refuses to pay the amount billed for the service, you agree that We may, at our option, suspend or terminate your subscription to the service and require you to pay the overdue amount by other means acceptable to us. We may charge a fee for reinstatement of suspended or terminated accounts.

You agree that until your subscription to the service is terminated, you will continue to accrue charges for which you remain responsible, even if you do not use the service.

In the event legal action is necessary to collect on balances due, you agree to reimburse Us for all expenses incurred to recover sums due, including attorney’s fees, costs, and other legal expenses.

Registration Data; Login and Passwords; Electronic Passwords

In order to view and submit content to the Site you will be required to register as a user of the Site by completing the online registration application. Portions of this Site are only available to registered users who are customers of the Company. You will not be able to access all functionality of the Site unless you are a registered user of a customer. In consideration of your use of the Site, you agree to: (a) provide true, accurate, current and complete information about yourself as prompted by the Site’s registration form (such information being the “Registration Data”); and (b) maintain and promptly update the Registration Data to keep it true, accurate, current and complete by contacting Us at [email protected]. If you provide any information that is untrue, inaccurate, not current or incomplete, or if Company has reasonable grounds to suspect that such information is untrue, inaccurate, not current or incomplete, Company has the right to suspend or terminate your account and refuse any and all current or future use of the Site (or any portion thereof). Each individual may maintain only one registered user account. Company reserves the right to verify any information you submit as Registration Data.

As a registered user, you will have login information, including user names and passwords to access certain functionality of the Site. You are responsible for maintaining the confidentiality of the password and account, and you are fully responsible for all activities that occur under your password or account. You will not allow others to use the login information. You agree to immediately notify Company by e-mail to [email protected] of any potential breaches of secrecy of the login information or of the discovery of any fraudulent use of your login information. Company reserves the right to suspend, deactivate, or replace user names and passwords at any time for any reason.

You acknowledge and agree that Company may access, preserve and disclose your account information and User Content if required to do so by law or in a good faith belief that such access, preservation or disclosure is reasonably necessary to: (i) comply with legal process; (ii) enforce these terms of use; (iii) respond to claims that any Content violates the rights of third parties; (iv) respond to your requests for customer service; or (v) protect the rights, property or personal safety of Sponsor, its users and the public.

By checking the [I Accept] box below, you agree to transact business with the Company electronically. Your agreement to transact business with the Company electronically applies to all transactions conducted through the Site. You may refuse to transact business with Us at any time in the future by notifying Us in writing and sending such notice to [email protected] and Content Workshop, 600 Cleveland Street, STE 218, Clearwater, Florida 33755. You will need to maintain equipment, software and Internet access necessary to access and use the features made available via the Site, as well as to request and access any copies of these Terms of Use or Privacy Policy.

User Provided Content

As a registered user of the Site, you may submit content, including images, text, multimedia documents, links and other content enabled by the Site from time to time (“User Content”), and you and other users may access and use your and their User Content, subject to the restrictions stated in these Terms of Use.

Any User Content submitted to the Site may be made available to other users of the Site. Do not submit User Content if you do not want other users to have access to it. DO NOT SUBMIT ANY PERSONALLY IDENTIFIABLE INFORMATION IN VIOLATION OF ANY APPLICABLE LAW.

To the extent you have and retain ownership rights in and to the User Content, by submitting User Content to the Site, you grant Company the non-exclusive, royalty-free, perpetual, irrevocable, transferable, and fully sublicensable right and license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, sell, perform, and display such User Content (in whole or part, including modified or adapted versions thereof) worldwide and/or to incorporate it in other works in any form, media, or technology now known or later developed, without any obligation to acknowledge authorship or ownership. You warrant you have all rights necessary or appropriate to disclose such User Content and post it to the Site, and that submitting the User Content will not violate the rights of any third party, including without limitation any proprietary or privacy rights.

You agree you will not submit material that is copyrighted, protected by trade secret or otherwise subject to third-party proprietary rights, including privacy and publicity rights, without permission of the owner of such rights.

Company, to the extent it can do so based on the license granted by other users, acknowledges you have permission to display, copy, distribute and download the User Content from this Site (other than software, which is addressed solely in the section entitled “Software Downloads”), on the conditions that:

  1. Both the copyright notice identified below and this permission notice appear in the User Content;
  2. The use of such User Content is solely for your personal or internal business purposes and will not be copied or posted on any networked computer, broadcast in any media, or used for commercial gain; and
  3. The User Materials are not modified in any way.

This permission terminates automatically without notice if you breach any of these terms or conditions. Upon termination, you will immediately destroy any downloaded or printed User Content.

Company reserves the right to refuse or delete any User Content in its sole discretion.

Software Downloads

Any software that is made available (whether as User Content or otherwise) to download from this Site may be protected by copyright of the owner or licensor. Your use of the software shall be subject to the terms of the end user license agreement, if any, which accompanies, or is included with, the software. You may not install or use any software that is accompanied by or includes a license agreement unless you first agree to the terms of the license agreement. Any reproduction or redistribution of the software not permitted by the terms of the license agreement is prohibited by law, and may result in severe civil and criminal penalties.

For any software not accompanied by a license agreement, the Company, to the extent it can do so based on the license granted by other users, acknowledges you have permission to display, copy, distribute, download and use the software, on the conditions that:

  1. Both the copyright notice identified below and this permission notice appear in the software;
  2. The use of such software is solely for your personal or internal business purposes and will not be copied or posted on any networked computer, broadcast in any media, or used for commercial gain; and
  3. The software is not modified in any way.

Company Products and Services

This Site may provide information regarding Company products and services, including without limitation product demonstrations, and may facilitate information sharing between users of the Company products and services.

Information displayed by the Company regarding products or services offered by Company represents only a solicitation of interest and not an offer. Company explicitly reserves (i) the right to stipulate terms for sale, license or use of such products or services at the time they are ordered or purchased; and (ii) the right to withdraw or modify the products or services, to limit available quantities, or to decline an order or purchase.

Third-Party Links

From time to time, the Site may contain links or other references to third-party materials, including without limitation other Websites (“Linked Sites”), not controlled by the Company or its suppliers or licensors. Use of any such Linked Site or Linked Content is at the User’s own risk. The Company provides such information and links as a convenience to you and should not be considered endorsements of such sites or any content, products, or information offered on such sites. You acknowledge and agree that the Company is not responsible for any aspect of the information or content contained in any third-party materials or on any third-party sites accessible or linked to the Site.

To use some of the functionality of the Site you may be required to establish an account with a username and password with Linked Sites. As these are unaffiliated sites, we are not responsible for any username, password, or other information these sites may collect. If you are unable to establish accounts on these Linked Sites for any reason, you may not be able to fully utilize the functionality provided by the Site.

In addition to these Terms of Use, if Linked Content is displayed on the Site, the use thereof may be subject to separate terms of use provided by the Linked Site.

Although Company is under no obligation to do so, Company reserves the right to disable Web site links to or from Linked Sites. This right to disable links includes links to or from advertisers, sponsors, and partners.

Restrictions

Your use of the site is subject to all applicable laws and regulations, and you are solely responsible for the contents of your communications through the site. By posting information in or otherwise using any communications service, chat room, message board, newsgroup, software library, or other interactive service that may be available to you on or through this Site, you agree that you will not upload, share, post, or otherwise distribute or facilitate distribution of any content — including text, communications, software, images, sounds, data, or other information — that:

  1. Is unlawful, threatening, abusive, harassing, defamatory, libelous, deceptive, fraudulent, invasive of another’s privacy, tortious, contains explicit or graphic descriptions or accounts of sexual acts (including but not limited to sexual language of a violent or threatening nature directed at another individual or group of individuals), or otherwise violates our rules or policies;
  2. Victimizes, harasses, degrades, or intimidates an individual or group of individuals on the basis of religion, gender, sexual orientation, race, ethnicity, age, or disability;
  3. Infringes on any patent, trademark, trade secret, copyright, right of publicity, or other proprietary right of any party;
  4. Constitutes unauthorized or unsolicited advertising, junk or bulk e-mail (also known as “spamming”), chain letters, any other form of unauthorized solicitation, or any form of lottery or gambling;
  5. Contains software viruses or any other computer code, files, or programs that are designed or intended to disrupt, damage, or limit the functioning of any software, hardware, or telecommunications equipment or to damage or obtain unauthorized access to any data or other information of any third party; or
  6. Impersonates any person or entity, including any of our employees or representatives.

We neither endorse nor assume any liability for the contents of any material uploaded or submitted by third-party users of or third-party links contained within the Site.

We generally do not pre-screen, monitor, or edit the content posted by users of communications services, chat rooms, message boards, newsgroups, software libraries, or other interactive services that may be available on or through this site. However, We and our agents have the right at their sole discretion to remove any content that, in our judgment, does not comply with these Terms of Use and any other rules of user conduct for our site, or is otherwise harmful, objectionable, or inaccurate. We are not responsible for any failure or delay in removing such content. You hereby consent to such removal and waive any claim against Us arising out of such removal of content. See “Procedure for Making Copyright Infringement Claims” below for a description of the procedures to be followed in the event that any party believes that content posted on this site infringes on any patent, trademark, trade secret, copyright, right of publicity, or other proprietary right of any party.

In addition, you may not use your account to breach security of another account or attempt to gain unauthorized access to another network or server. Not all areas of the site may be available to you or other authorized users of the site. You shall not interfere with anyone else’s use and enjoyment of the site or other similar services. Users who violate systems or network security may incur criminal or civil liability.

You agree that We may at any time, and at our sole discretion, terminate your membership without prior notice to you for violating any of the above provisions. In addition, you acknowledge that We will cooperate fully with investigations of violations of systems or network security at other sites, including cooperating with law enforcement authorities in investigating suspected criminal violations.

You agree not to use the Site for any unlawful purpose or in any way that might harm, damage, or disparage any other party.

Without limiting the preceding sentence and by way of example, you agree that you will not:

  • Post personally identifiable information (as images or text) to publicly viewable areas or otherwise violate local and federal privacy protection regulations;
  • Collect or store personal data about other users, including e-mail addresses;
  • Threaten, harass, “stalk,” abuse, slander, defame, or otherwise violate the legal rights (such as rights of privacy and publicity) of others;
  • Publish, distribute or disseminate any inappropriate, profane, vulgar, defamatory, infringing, obscene, tortious, indecent, unlawful, immoral, or otherwise objectionable material or information;
  • Create a false identity or impersonate another for the purpose of misleading others as to the identity of the sender or the origin of a message, including, but not limited to, providing misleading information to any feedback system employed through the Site;
  • Transmit or upload any material that contains viruses, Trojan horses, worms, time bombs, cancelbots, or any other harmful or deleterious software programs;
  • Interfere with or disrupt the Site, networks or servers connected to the Site, such as by attempting to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures, attempting to interfere with service to any user, host or network, such as by overloading, “flooding,” “spamming,” “mailbombing,” or “crashing,” sending unsolicited e-mail, including promotions and/or advertising of products or services, or forging any TCP/IP packet header or any part of the header information in any e-mail or newsgroup posting, or otherwise violating the regulations, policies or procedures of such networks or servers;
  • Attempt to gain unauthorized access to the Site, logins, and passwords of others, or computer systems and networks connected to the Site;
  • Upload or otherwise transmit any information or content that infringes any patent, trademark, trade secret, copyright, or other proprietary rights of any party;
  • Upload, post or otherwise transmit any unsolicited or unauthorized advertising, promotional materials, “junk mail,” “spam,” “chain letters,” “pyramid schemes,” or any other form of solicitation (commercial or otherwise);
  • Employ any type of bots that can disrupt the normal flow of dialogue, cause a screen to “scroll” faster than other users of the Service are able to type, show multiple screens, or otherwise act in a manner that negatively affects other users’ ability to engage in real time exchanges;
  • Use or attempt to use any engine, software, tool, agent or other device or mechanism (including browsers, spiders, robots, avatars, or intelligent agents) to navigate or search the Site other than the search engine and search agents which Company makes available on the Site and generally available third-party Web browsers;
  • Intentionally or unintentionally violate any applicable local, state, national, or international law, including, but not limited to, regulations promulgated by the U.S. Securities and Exchange Commission, any rules of any national or other securities exchange, including, without limitation, the New York Stock Exchange, the American Stock Exchange or the NASDAQ, and any regulations having the force of law;
  • Link, “frame” or “mirror” any content or information contained on or accessible from the Site through use of your login information without the prior written approval of the Company or its licensors, as may be appropriate. Violations of system or network security may result in civil or criminal liability. Company will investigate occurrences that may involve such violations and may involve, and cooperate with, law enforcement authorities in prosecuting users who are involved in such violations.

You agree to:

  • Comply with all notices, instructions and rules posted on the Site;
  • Implement all Internet access and all security procedures required to use the Site at your sole expense; and
  • Take any and all applicable administrative, physical, and technical safeguards to protect the security of the electronic information you exchange through the Site, including any login credentials and account data.

From time to time, Company may establish general practices and limits concerning use of the Site without notice to you. These general practices and limits may include, without limitation, the maximum number of days that User Content will be retained by the Site, and the maximum number of times (and the maximum duration for which) you may access the Service in a given period of time. Company has no responsibility or liability for the deletion or failure to store any messages and other communications or other Content maintained or transmitted by the Site or any change in these policies.

Intellectual Property Rights Notice

Except for the User Content you submit, all of the content you see and hear on the Site, including all data, images, logos, illustrations, graphics, sound, audio clips, software, and text, represents valuable proprietary and intellectual property of other users, the Company, its licensors, or third-parties. Such content and information are protected by international, federal, and state laws, rules, orders, and regulations relating to intellectual property.

Except for the permission you have to display, copy, distribute, and download the User Content from this Site, as described in the section entitled “User Provided Content,” you agree not to reproduce, distribute, display, revise, create derivative works of, copy, publish, sell, license, or edit any such content and information. You may not “mirror” any content or information contained on this Site without Company’s advance written consent. You may not create links to this Site from other sites without Company’s advance written consent and compliance with all applicable laws.

Company logos and service marks and product and service names are Company trademarks or registered trademarks in the United States and other countries. These Terms of Use do not grant you any license in Company trademarks.

Use of the Internet

Internet software or electronic transmissions may produce inaccurate or incomplete copies of the Site’s content when downloaded and displayed on any computer. Company does not assume any liability or responsibility whatsoever for such matters or the inaccurate or incomplete information or data arising from software problems, transmission errors, the display of content in browser frames displaying information from other websites, or any misinterpretation of the content for such reasons. Company is not responsible for computer viruses or other destructive programs which are introduced by visitors or other providers of software or content. You are advised to employ security and virus protection software on all computer systems used to access the Internet or to share files with other computer systems. Any unprotected e-mail communication over the Internet is, as with communication via any other medium, subject to possible interception or loss.

Indemnity

You agree to indemnify and hold harmless the Company and its licensors and suppliers, and their respective directors, officers, employees, agents, and contractors, from all damages, injuries, liabilities, costs, fees, fines, penalties, and expenses (including, but not limited to, legal and accounting fees) arising from or in any way related to your violation of these Terms of Use or misuse of the Site by you or any of your employees, contractors or agents.

You further agree to indemnify and hold harmless the Company for any issues concerning billing, which is conducted by a third-party contractor, unless solely due to the gross negligence or intentional acts of the Company. These issues include, but are not limited to, issues regarding overbilling or mishandling of, protection of, storage of, or unauthorized release of billing or financial information.

Disclaimers

The information provided by Company is provided for informational purposes only and does not act as a warranty or guaranty. THIS SITE IS PROVIDED ON AN “AS IS,” “AS AVAILABLE” BASIS WITHOUT REPRESENTATIONS OR WARRANTIES OF ANY KIND. THE COMPANY AND ITS LICENSORS AND SUPPLIERS HEREBY DISCLAIM ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES OF ANY KIND, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

The Site is comprised of information and materials submitted by various individuals who use the Site. Company does not endorse, recommend or guaranty any User Content or any opinion, recommendation or advice expressed therein and Company expressly disclaims any and all liability in connection with any content made available via the Site, including without limitation User Content. The Company assumes no responsibility for the accuracy, timeliness, deletion, misdelivery of information or failure to store any user communications or personalization settings.

Limitations

IN NO EVENT WILL THE COMPANY OR ITS LICENSORS OR SUPPLIERS BE LIABLE TO YOU OR ANY OTHER PERSON OR ENTITY FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THE USE OF OR INABILITY TO USE THIS SITE OR ANY CONTENT OR INFORMATION ASSOCIATED THEREWITH, OR ANY OTHER LINKED WEB SITE, INCLUDING, WITHOUT LIMITATION, ANY LOST PROFITS, BUSINESS INTERRUPTION, OR OTHERWISE, WHETHER BASED IN TORT, CONTRACT OR OTHER LEGAL THEORY, EVEN IF THE COMPANY OR ITS LICENSORS OR SUPPLIERS IS EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL THE COMPANY OR ITS LICENSORS OR SUPPLIERS BE LIABLE IN THE AGGREGATE FOR ANY DAMAGES INCURRED BY YOU IN EXCESS OF THE FEES YOU PAID US FOR THE SERVICES IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE LIABILITY.

Special Admonitions for International Use

Recognizing the global nature of the Internet, you agree to comply with all local rules regarding online conduct, personal health information and the content made available via the Site or the Services. You agree to comply with all applicable laws regarding the transmission of technical data exported from the United States or the country in which you reside.

Additional Features

Additional terms and conditions may apply for your use of certain features of the Site, such as the purchase of products or services. Some of the features or functionality of the Site may require you to have third-party software installed on the equipment you use to access the Site. You are solely responsible to obtain and maintain all rights and licenses to third-party software and equipment necessary to utilize such features and functionality.

Suspension and Termination of a Registered User Account

Company spends valuable resources to provide the Site, and your access and use of the Site is a privilege and not a right. Company, in its sole discretion, may suspend or terminate access of any registered user, for any reason, including, without limitation, for lack of use, termination of your customer relationship with Company, or if Company believes that you have violated or acted inconsistently with the letter or spirit of the Terms of Service, including without limitation allowing third parties to use or access the Site using your login information. Although Company has no obligation to monitor the User Content, Company reserves the right to log off accounts that are inactive for an extended period of time. Company reserves the right to determine whether User Content is appropriate.

In its sole discretion, Company may remove and discard any User Content or other content, in whole or in part, within the Site for violation of these Terms of Service, including removal of any information that Company finds to be personally identifiable information, with or without notice. Company reserves the right to discontinue providing the Site with or without notice.

Company may immediately deactivate or delete your account and all related information and files related to any registered user account and/or bar any further access to such files or the Site. You agree that Company shall not be liable to you or any third party for any termination of your access to the Site.

Choice of Law

This Site (excluding any linked sites) is controlled by the Company, which is a limited liability company created under the laws of the State of Delaware, United States of America. It can be accessed from all 50 states, as well as from other countries around the world. As each of these places has laws that may differ from those of Delaware, by accessing this site both you and the Company agree that the statutes and laws of the State of Delaware, without regard to the conflicts of laws principles thereof and the United Nations Convention on the International Sales of Goods, will apply to all matters relating to the use of this site and the purchase of products and services available through this Site.

Dispute Resolution

The Company and User Each Agree to First Contact Each Other with Any Disputes

The Company and User (together, “the Parties”) each agree to first contact each other with any Disputes (defined below) and provide a written description of the problem, relevant documents and supporting information, and the proposed resolution. The User agrees to contact the Company via certified mail at the address: Content Workshop, 600 Cleveland Street, STE 218, Clearwater, Florida 33755. The Company agrees to contact the User via either the email address or physical address provided in the Registration Data.

Instead of Suing in Court, The Parties Each Agree to Arbitrate Disputes

The Parties each agree to arbitrate all Disputes between the Parties, on an individual basis, not on a class-wide or consolidated basis. This agreement to arbitrate is intended to be broadly interpreted. In arbitration, there’s no judge or jury. However, just as a court would, the arbitrator must honor the terms and limitations in the Agreement and can award damages and relief, including any Attorney’s fees authorized by law. The arbitrator’s decision and award is final and binding, with some exceptions under the Federal Arbitration Act (“FAA”), and judgment on the award may be entered in any court with jurisdiction.

The Parties each also agree as follows:

  1. “Disputes” are any claims or controversies against each other related in any way to or arising out of in any way our Services or the Agreement, including, but not limited to, coverage, Devices, billing services and practices, policies, contract practices (including enforceability), service claims, privacy, or advertising, even if it arises after Services have terminated. Disputes include claims that you bring against our employees, agents, affiliates, or other representatives or that we bring against you. It also includes but is not limited to claims related in any way to or arising out of in any way any aspect of the relationship between the Parties, whether based in contract, tort, statute, fraud, misrepresentation, or any other legal theory.
  2. If either of the Parties wants to initiate a claim to arbitrate a Dispute, the Parties each agree to send written notice to the other providing a description of the dispute, a description of previous efforts to resolve the dispute, all relevant documents and supporting information, and the proposed resolution. Notice to you will be sent either via electronic mail or physical address as provided in the Registration Data, while notice to the Company will be sent via certified mail to us at: Content Workshop, 600 Cleveland Street, STE 218, Clearwater, Florida 33755. The Parties each agree to make attempts to resolve the dispute prior to filing a claim for arbitration. If the Parties cannot resolve the dispute within forty-five (45) days of receipt of the notice to arbitrate, then the Parties each may submit the dispute to formal arbitration.
  3. The FAA applies to this Agreement and arbitration provision. The Parties each agree that the FAA’s provisions—not state law—govern all questions of whether a dispute is subject to arbitration.
  4. Unless the Parties each agree otherwise, the Arbitration will be conducted by a single, neutral arbitrator and will take place in Hillsborough County, State of Florida, United States of America, or if there is none in said Hillsborough County, then with an available arbitrator in a surrounding or nearby County in Florida, in accordance with the other terms of this Agreement.
  5. The arbitration will be governed and conducted by JAMS. The JAMS rules, including rules about the selection of an arbitrator, filing, administration, discovery, and arbitrator fees, will be conducted under JAMS Comprehensive Arbitration Rules & Procedures. The JAMS rules are available on its Web site at www.jamsadr.com. To the extent that this “Dispute Resolution” section conflicts with JAMS’s minimum standards for procedural fairness, the JAMS’s rules or minimum standards for arbitration procedures in that regard will apply. However, nothing in this paragraph will require or allow us or you to arbitrate on a class-wide or consolidated basis.
  6. THE PARTIES EACH AGREE THAT WE WILL ONLY PURSUE ARBITRATION ON AN INDIVIDUAL BASIS AND WILL NOT PURSUE ARBITRATION ON A CLASS-WIDE OR CONSOLIDATED BASIS. The Parties each agree that any arbitration will be solely between you and our company (not brought on behalf of or together with another individual’s claim). If for any reason any court or arbitrator holds that this restriction is unconscionable or unenforceable, then our agreement to arbitrate doesn’t apply and the dispute must be brought in court.
  7. The Parties each are responsible for our respective costs relating to counsel, experts, and witnesses, as well as any other costs relating to arbitration. However, the Company will pay for the arbitration administrative or filing fees, including the arbitrator fees. Otherwise, the JAMS Comprehensive Arbitration Rules & Procedures and the JAMS Policy on Consumer Arbitrations Pursuant to Pre-Dispute Clauses, Minimum Standards of Procedural Fairness regarding costs and payment apply.

Exceptions to The Parties’ Agreement to Arbitrate Disputes

Either of the Parties may bring qualifying claims in small claims court. In addition, this arbitration provision does not prevent you from bringing your dispute to the attention of any federal, state, or local government agency that can, if the law allows, seek relief against us on your behalf.

No Class Actions

TO THE EXTENT ALLOWED BY LAW, THE PARTIES EACH WAIVE ANY RIGHT TO PURSUE DISPUTES ON A CLASSWIDE BASIS; THAT IS, TO EITHER JOIN A CLAIM WITH THE CLAIM OF ANY OTHER PERSON OR ENTITY OR ASSERT A CLAIM IN A REPRESENTATIVE CAPACITY ON BEHALF OF ANYONE ELSE IN ANY LAWSUIT, ARBITRATION, OR OTHER PROCEEDING.

No Trial by Jury

TO THE EXTENT ALLOWED BY LAW, THE PARTIES EACH WAIVE ANY RIGHT TO TRIAL BY JURY IN ANY LAWSUIT, ARBITRATION, OR OTHER PROCEEDING.

Miscellaneous

In the event any of the provisions of the Terms of Use are held unenforceable or invalid by a court of competent jurisdiction, such provisions shall be deemed severed from the applicable agreement, and the remaining provisions thereof shall remain in full force and effect. Failure of any party to enforce, in any one or more instances, any of the provisions herein shall not be construed as a waiver of the future performance of any such terms or conditions. No consent to a breach of any express or implied term of the Terms of Use or any other notice, directive, or rule otherwise posted on the Site shall constitute a consent to any prior or subsequent breach. These Terms of Use will be governed by the laws of the State of Delaware, United States of America. These Terms of Use and any order or purchase between the parties will not be governed by the United Nations Convention on Contracts for the International Sale of Goods.

Authority to Accept Terms of Service

By checking “I Accept,” you represent and warrant that you have the authority to accept these Terms of Service on behalf of yourself and any organization or institution you represent, that you are more than 18 years of age, and will abide by and comply with these Terms of Service. If you do not agree with these Terms of Service, do not click “I Agree” and do not access the Site.

Procedure for Making Copyright Infringement Claims

Company and its affiliates respect the intellectual property of others. If you believe that your work has been copied in a way that constitutes copyright infringement, please provide Us the written information specified below. Please note that this procedure is exclusively for notifying Us and our affiliates that your copyrighted material has been infringed. If you believe that your copyrighted work has been copied in a way that constitutes copyright infringement and is accessible via the Site, you may notify our copyright agent, as set forth in the Digital Millennium Copyright Act of 1998 (DMCA).

For your complaint to be valid under the DMCA, you must provide the following information when providing notice of the claimed copyright infringement: (1) a physical or electronic signature of a person authorized to act on behalf of the copyright owner; (2) identification of the copyrighted work or other intellectual property that you claim to have been infringed; (3) identification of the material that you claim is infringing as well as information reasonably sufficient to permit Us to locate the material on the Web site; (4) your address, telephone number, and e-mail address; (5) a statement by you that you as the complaining party have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law; and (6) a statement, made under penalty of perjury, that the information in the notification is accurate, and that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed. The foregoing information must be submitted as a written notification to the following Designated Agent:

Chatter Agent (https://app.chatteragent.ai)
DMCA Designated Agent, Content Workshop LLC
600 Cleveland Street, STE 218, Clearwater, Florida 33755, United States
[email protected]

WE CAUTION YOU THAT UNDER FEDERAL LAW, IF YOU KNOWINGLY MISREPRESENT THAT ONLINE MATERIAL IS INFRINGING, YOU MAY BE SUBJECT TO CIVIL PENALTIES. THESE INCLUDE MONETARY DAMAGES, COURT COSTS, AND ATTORNEYS’ FEES INCURRED BY US, BY ANY COPYRIGHT OWNER, OR BY ANY COPYRIGHT OWNER’S LICENSEE THAT IS INJURED AS A RESULT OF OUR RELYING UPON YOUR MISREPRESENTATION. YOU MAY ALSO BE SUBJECT TO CRIMINAL PROSECUTION FOR PERJURY.

This information should not be construed as legal advice. For further details on the information required for valid DMCA notifications, see 17 U.S.C.A. 512(c)(3).


Data Processing Addendum

This Data Processing Addendum (“Addendum”) supplements the Terms of Use entered into by and between (“User” or “You”) and Content Workshop, LLC (“Company”). By agreeing to the Terms of Use, you agree to this Addendum to the extent required under applicable Data Protection Laws (defined below). This Addendum incorporates the terms of the Terms of Use, and any terms not defined in this Addendum shall have the meaning set forth in the Terms of Use.

1. Definitions

1.1. “Affiliate” means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.

1.2. “Authorized Sub-Processor” means, in respect of the Company’s activities as a data processor, a third-party who has a need to know or otherwise access User’s Personal Data to enable Company to perform its obligations under this Addendum or the Terms of Use, and who is either (1) listed in Exhibit B, D and F or (2) subsequently authorized under Section 4.2 of this Addendum.

1.3. “User Account Data” means personal data that relates to User’s relationship with Company, including the names or contact information of individuals authorized by User to access User’s account and billing information of individuals that User has associated with its account. User Account Data also includes any data Company may need to collect for the purpose of managing its relationship with User, identity verification, or as otherwise required by applicable laws and regulations.

1.4. “User Usage Data” means Service usage data collected and processed by Company in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.

1.5. “Data Exporter” means User.

1.6. “Data Importer” means Company.

“Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) the California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 and their implementing regulations (collectively, the “CCPA”), the Colorado Privacy Act of 2021 (the “CPA”), the Virginia Consumer Data Protection Act of 2021 (the “VCDPA”), the Utah Consumer Privacy Act of 2022 (the “UCPA”), the Texas Data Privacy and Security Act (“TDPSA”), and the Connecticut Data Privacy Act of 2022 (“CDPA”) and any similar state data privacy laws that are effective as of the effective date of this Agreement, (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (iii) the Swiss Federal Act on Data Protection, (iv) Section 3(10) (as supplemented by Section 205(4)) of the Data Protection Act 2018 (the “UK GDPR”); (v) the UK Data Protection Act 2018; and (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time. The terms “Data Subject”, “Personal Data”, “Personal Data Breach”, “processing”, “processor,” “controller,” “service provider” and “supervisory authority” shall have the meanings set forth in the GDPR and/or the CCPA and other federal and state data privacy and breach notification laws.

1.7. “EU SCCs” means as applicable (i) “EU SCCs (Module One: Controller-to-Controller)”, (ii) “EU SCCs (Module Two: Controller-to-Processor)” and (iii) “EU SCCs (Module Three: Processor-to-Processor)”.

1.8. “EU SCCs (Module One: Controller-to-Controller)” means “Module One: Transfer controller to controller” of the European Commission’s Standard Contractual Clauses for the transfer of personal data from a controller to a controller set out in the Annex to Commission Implementing Decision (EU) 2021/914 with Annex I and Annex II to such clauses being set out in Exhibit B.

1.9. “EU SCCs (Module Two: Controller-to-Processor)” means “Module Two: Transfer controller to processor” of the European Commission’s Standard Contractual Clauses for the transfer of personal data from a controller to a processor set out in the Annex to Commission Implementing Decision (EU) 2021/914 with Annex I, Annex II and Annex III to such clauses being set out in Exhibit D.

1.10. “EU SCCs (Module Three: Processor-to-Processor)” means “Module Three: Transfer processor to processor” of the European Commission’s Standard Contractual Clauses for the transfer of personal data from a processor to another processor set out in the Annex to Commission Implementing Decision (EU) 2021/914, with Annex I, Annex II and Annex III to such clauses being set out in Exhibit F.

1.11. “ex-EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.

1.12. “ex-UK Transfer” means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.

1.13. “Services” shall have the meaning set forth in the Terms of Use.

1.14. “Standard Contractual Clauses” or “SCCs” means the EU SCCs and the UK SCCs.

1.15. “Supplementary Measures” means the provisions of Clause 6.7, which set out the supplementary measures to the SCCs used to ensure an essentially equivalent level of protection as provided under Data Protection Laws.

1.16. “UK SCCs” means, as applicable (i) “UK SCCs (Module One: Controller-to-Controller)”; (ii) “UK SCCs (Module Two: Controller-to-Processor)” and (iii) “UK SCCs (Module Three: Processor-to-Processor)”.

1.17. “UK SCCs (Module One: Controller-to-Controller)” means the EU SCCs (Module One: Controller-to-Controller) amended by the International Data Transfer Addendum issued by the UK Information Commissioner’s Office under Section 119A(1) of the UK Data Protection Act 2018, Version B1.0, with part 1 of such addendum being set out in Exhibit C.

1.18. “UK SCCs (Module Two: Controller-to-Processor)” means the EU SCCs (Module Two: Controller-to-Processor) amended by the International Data Transfer Addendum issued by the UK Information Commissioner’s Office under Section 119A(1) of the UK Data Protection Act 2018, Version B1.0, with part 1 of such addendum being set out in Exhibit E.

1.19. “UK SCCs (Module Three: Processor-to-Processor)” means the EU SCCs (Module Three: Processor-to-Processor) amended by the International Data Transfer Addendum issued by the UK Information Commissioner’s Office under Section 119A(1) of the UK Data Protection Act 2018, Version B1.0, with part 1 of such addendum being set out in Exhibit G.

2. Relationship of the Parties; Processing of Data

2.1. The parties acknowledge and agree that with regard to the processing of Personal Data, User may act either as a controller or processor and, except as expressly set forth in this Addendum or the Terms of Use, Company is a processor. User shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws. User shall ensure that the processing of Personal Data in accordance with User’s instructions will not cause Company to be in breach of the Data Protection Laws. User is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of User, (ii) the means by which User acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data. User shall not provide or make available to Company any Personal Data in violation of the Terms of Use or otherwise inappropriate for the nature of the Services, and shall indemnify Company from all claims and losses in connection therewith.

2.2. Company shall not process Personal Data (i) for purposes other than those set forth in the Terms of Use and/or Exhibit A, (ii) in a manner inconsistent with the terms and conditions set forth in the Terms of Use and/or Addendum or, in respect of any personal data processed by the Company as a data processor / service provider, any other documented instructions provided by User, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Supervisory Authority to which the Company is subject; in such a case, the Company shall inform the User of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, or (iii) in violation of Data Protection Laws. User hereby instructs Company to process Personal Data in accordance with the foregoing and as part of any processing initiated by User in its use of the Services.

2.3. The subject matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this Addendum.

2.4. Following completion of the Services, Company shall delete User’s Personal Data that it processes as a data processor / service provider on behalf of the User, unless further storage of such Personal Data is required or authorized by applicable law. If destruction is impracticable or prohibited by law, rule or regulation, Company shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect such Personal Data remaining in its possession, custody, or control. If User and Company have entered into Standard Contractual Clauses as described in Section 6.2.2, 6.2.3, 6.5.2 and 6.5.3 (Transfers of Personal Data), the parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 of the SCCs (as applicable) shall be provided by Company to User only upon User’s request.

2.5. CCPA. Except with respect to User Account Data and User Usage Data, the parties acknowledge and agree that Company is a service provider for the purposes of the CCPA (to the extent it applies) and is receiving personal information from User in order to provide the Services pursuant to the Terms of Use, which constitutes a business purpose. Company shall not sell any such personal information. Company shall not retain, use or disclose any personal information provided by User pursuant to the Terms of Use except as necessary for the specific purpose of performing the Services for User pursuant to the Terms of Use, or otherwise as set forth in the Terms of Use or as permitted by the CCPA. The terms “personal information,” “service provider,” “sale,” and “sell” are as defined in Section 1798.140 of the CCPA. Company certifies that it understands the restrictions of this Section 2.5.

3. Confidentiality

Company shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Company’s confidentiality obligations in the Terms of Use. User agrees that Company may disclose Personal Data to its advisers, auditors or other third parties as reasonably required in connection with the provisions of this Addendum, the Terms of Use, and/or the provision of Services to User.

4. Authorized Sub-Processors

4.1. User acknowledges and agrees that Company may (1) engage its affiliates and the Authorized Sub-Processors on the List (defined below) to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services and/or the processing of Personal Data. By way of this Addendum, User provides general written authorization to Company, where it acts as a data processor, to engage sub-processors as necessary to perform the Services.

4.2. A list of Company’s current Authorized Sub-Processors (the “List”) is attached to this Addendum. Such List may be updated by Company from time to time and User will be notified of any addition. Company will provide a mechanism to subscribe to notifications (which may include but are not limited to email) of new Authorized Sub-Processors and User, if it wishes, will subscribe to such notifications where available. User may subscribe to such notifications by sending an email to [email protected] with addresses to be notified. If User does not subscribe to such notifications, User will have waived any right it may have to prior notice of changes to Authorized Sub-Processors. At least ten (10) days before enabling any third party other than existing Authorized Sub-Processors to access or participate in the processing of Personal Data, Company will add such third party to the List and notify User via the aforementioned notifications. User may object to such an engagement by informing Company in writing within ten (10) days of receipt of the aforementioned notice by User, provided such objection is in writing and based on reasonable grounds relating to data protection. User acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Company from offering the Services to User.

4.3. If User reasonably objects to an engagement in accordance with Section 4.2, and Company cannot provide a commercially reasonable alternative within a reasonable period of time, User may discontinue the use of the affected Service by providing written notice to Company. Discontinuation shall not relieve User of any fees owed to Company under the Terms of Use.

4.4. If User does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by Company, that third party will be deemed an Authorized Sub-Processor for the purposes of this Addendum.

4.5. Company will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on Company under this Addendum with respect to the protection of Personal Data. In case an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with Company, Company will remain liable to User for the performance of the Authorized Sub-Processor’s obligations under such agreement.

4.6. If User and Company have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), (i) the above authorizations will constitute User’s prior written consent to the subcontracting by Company of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by Company to User pursuant to Clause 9(c) of the SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by the Company beforehand, and that such copies will be provided by the Company only upon request by User.

5. Security of Personal Data

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. Exhibits B, D and F set forth additional information about Company’s technical and organizational security measures.

6. Transfers of Personal Data

6.1. The parties agree that Company may transfer Personal Data processed under this Addendum outside the EEA, the UK, or Switzerland as necessary to provide the Services. User acknowledges that Company’s primary processing operations take place in the United States, and that the transfer of User’s Personal Data to the United States is necessary for the provision of the Services to User. If Company transfers Personal Data protected under this Addendum to a jurisdiction for which the European Commission has not issued an adequacy decision, Company will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.

6.2. Ex-EEA Transfers. The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:

6.2.1. EU SCCs (Module One: Controller-to-Controller) apply when Company is processing Personal Data as a controller pursuant to Section 9 of this Addendum.

6.2.2. EU SCCs (Module Two: Controller-to-Processor) apply when User is a controller and Company is processing Personal Data for User as a processor pursuant to Section 2 of this Addendum.

6.2.3. EU SCCs (Module Three: Processor-to-Processor) apply when User is a processor and Company is processing Personal Data on behalf of User as a sub-processor.

6.2.4. Exhibit B to this Addendum contains the information required in Annex I and Annex II of the EU SCCs (Module One: Controller-to-Controller).

6.2.5. Exhibit D to this Addendum contains the information required in Annex I, II and III of the EU SCCs (Module Two: Controller-to-Processor).

6.2.6. Exhibit F to this Addendum contains the information required in Annex I, II and III of the EU SCCs (Module Three: Processor-to-Processor).

6.3. For each module, where applicable the following applies:

6.3.1. The optional docking clause in Clause 7 does not apply.

6.3.2. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 4.2 of this Addendum;

6.3.3. In Clause 11, the optional language does not apply;

6.3.4. All square brackets in Clause 13 are hereby removed;

6.3.5. In Clause 17 (Option 1), the EU SCCs will be governed by Irish law; and

6.3.6. In Clause 18(b), disputes will be resolved before the courts of Ireland.

6.4. By entering into this Addendum, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.

6.5. Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this Addendum by reference, and completed as follows:

6.5.1. References to the GDPR will be deemed to be references to the UK GDPR and the UK Data Protection Act 2018.

6.5.2. UK SCCs (Module One: Controller-to-Controller) apply when the Company processes User’s Personal Data as a controller pursuant to Section 9 of this Addendum.

6.5.3. UK SCCs (Module Two: Controller-to-Processor) apply when the Company processes User’s Personal Data as a processor.

6.5.4. UK SCCs (Module Three: Processor-to-Processor) apply when User is a processor and Company is processing Personal Data on behalf of User as a sub-processor.

6.5.5. Exhibit C to this Addendum contains the information required in Part 1 of the UK SCCs (Module One: Controller-to-Controller).

6.5.6. Exhibit E to this Addendum contains the information required in Part 1 of the UK SCCs (Module Two: Controller-to-Processor).

6.5.7. Exhibit G to this Addendum contains the information required in Part 1 of the UK SCCs (Module Three: Processor-to-Processor).

6.6. Transfers from Switzerland. The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:

6.6.1. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to Data transfers subject to the FADP.

6.6.2. The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.

6.6.3. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Section 13 shall be observed.

6.6.4. The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.

6.7. Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following Supplementary Measures shall apply:

6.7.1. As of the date of this Addendum, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) User’s Personal Data (“Government Agency Requests”);

6.7.2. If, after the date of this Addendum, the Data Importer receives any Government Agency Requests, Company shall attempt to redirect the law enforcement or government agency to request that data directly from User. As part of this effort, Company may provide User’s basic contact information to the government agency. If compelled to disclose User’s Personal Data to a law enforcement or government agency, Company shall give User reasonable notice of the demand and cooperate to allow User to seek a protective order or other appropriate remedy unless Company is legally prohibited from doing so. Company shall not voluntarily disclose Personal Data to any law enforcement or government agency. Data Exporter and Data Importer shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this Addendum should be suspended in the light of such Government Agency Requests;

6.7.3. The parties shall ensure that any transfer involving Personal Data to the other party under the Agreement has been encrypted to the standard Transparent Data Encryption (TDE) (or higher);

6.7.4. The Data Importer shall implement (to the extent not already in place) the following organisational measures:

  1. The adoption of internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of covert or official requests from public authorities to access the data;
  2. Specific training procedures for personnel in charge of managing requests for access to personal data from public authorities. Such training will take into account the legislation and regulations to which the data importer is subject;
  3. The adoption of strict and granular data access and confidentiality policies and best practices, based on a strict need-to-know principle, monitored with regular audits and enforced through disciplinary measures;
  4. The adoption of best practices to appropriately and timely involve and provide access to information to the legal and internal auditing teams on matters related to international transfers of personal data, who shall be consulted on the necessity of the transfer and the additional safeguards, if any;
  5. The adoption of strict data security and data privacy policies, based on international standards and industry best practices; and
  6. The regular review of internal policies to assess the suitability of the implemented supplementary measures and identify and implement additional or alternative solutions when necessary, to ensure that an equivalent level of protection to that guaranteed within the UK and EEA of the personal data transferred is maintained;

6.7.5. The Data Exporter and Data Importer will meet as needed to consider whether:

  1. The protection afforded by the laws of the country of the Data Importer to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
  2. Additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and
  3. It is still appropriate for Personal Data to be transferred to the relevant Data Importer, taking into account all relevant information available to the parties, together with guidance provided by the supervisory authorities.

6.7.6. If Data Protection Laws require the Data Exporter to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data to a Data Importer as a separate agreement, the Data Importer shall, on request of the Data Exporter, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by the Data Exporter to reflect the applicable appendices and annexes, the details of the transfer and the requirements of the relevant Data Protection Laws.

6.7.7. If either (i) any of the means of legitimizing transfers of Personal Data outside of the EEA or UK set forth in this Addendum cease to be valid or (ii) any supervisory authority requires transfers of Personal Data pursuant to those means to be suspended, then Data Importer may by notice to the Data Exporter, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Laws.

7. Rights of Data Subjects

7.1. Company shall, to the extent permitted by law, notify User upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Company receives a Data Subject Request in relation to User’s data, Company will advise the Data Subject to submit their request to User and User will be responsible for responding to such request. User is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Company, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject. However, to the extent the Company is a controller in respect of any such Personal Data, Company shall comply with the relevant Data Subject Requests.

7.2. Company shall, when acting as a data processor / services provider and at the request of the User, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist User in complying with User’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) User is itself unable to respond without Company’s assistance and (ii) Company is able to do so in accordance with all applicable laws, rules, and regulations. User shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Company.

8. Actions and Access Requests; Audits

8.1. Company shall, when acting as a data processor / services provider and taking into account the nature of the processing and the information available to Company, provide User with reasonable cooperation and assistance where necessary for User to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that User does not otherwise have access to the relevant information. User shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Company.

8.2. Company shall, taking into account the nature of the processing and the information available to Company, provide User with reasonable cooperation and assistance with respect to User’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. User shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Company.

8.3. Company shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. User shall, with reasonable notice to Company, have the right to review, audit and copy such records at Company’s offices during regular business hours.

8.4. Upon User’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Company shall, either (i) make available for User’s review copies of certifications or reports demonstrating Company’s compliance with prevailing data security standards applicable to the processing of User’s Personal Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow User’s independent third party representative to conduct an audit or inspection of Company’s data security infrastructure and procedures that is sufficient to demonstrate Company’s compliance with its obligations under Data Protection Laws, provided that (a) User provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Company’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to User. User shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Company for any time expended for on-site audits. If User and Company have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in Clause 8.9 of the SCCs shall be carried out in accordance with this Section 8.4.

8.5. Company shall immediately notify User if an instruction, in the Company’s opinion, infringes the Data Protection Laws or Supervisory Authority.

8.6. In the event of a Personal Data Breach in connection with the Services under this Agreement, Company shall, without undue delay, inform User of the Personal Data Breach and take such steps as Company in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Company’s reasonable control).

8.7. In the event of a Personal Data Breach in connection with the Services under these Terms of Use, Company shall, taking into account the nature of the processing and the information available to Company, provide User with reasonable cooperation and assistance necessary for User to comply with its obligations under the GDPR or other Data Protection Laws with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.

8.8. The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of User. Company’s obligation to report or respond to a Personal Data Breach under Sections 8.5 and 8.6 will not be construed as an acknowledgement by Company of any fault or liability with respect to the Personal Data Breach.

9. Company’s Role as a Controller

The parties acknowledge and agree that with respect to User Account Data and User Usage Data, Company is an independent controller, not a joint controller with User nor a data processor on behalf of the User (and accordingly the processor / service provider obligations do not apply). Company will process User Account Data and User Usage Data as a controller (i) to manage the relationship with User; (ii) to carry out Company’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to User; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Company is subject; and (vi) as otherwise permitted under Data Protection Laws and in accordance with this Addendum and the Terms of Use. Company may also process User Usage Data as a controller to provide, optimize, and maintain the Services, to the extent permitted by Data Protection Laws. Any processing by the Company as a controller shall be in accordance with the Company’s privacy policy set forth at https://chatteragent.ai/privacy-policy/.

10. Conflict

In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this Addendum; (3) the Terms of Use; and (4) the Company’s privacy policy. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Terms of Use.


Exhibit A — Details of Processing

Nature and Purpose of Processing: Company will process User’s Personal Data as necessary to provide the Services under the Terms of Use, for the purposes specified in the Terms of Use and this Addendum, and in accordance with User’s instructions as set forth in this Addendum and which may include anonymising the User’s Personal Data.

Duration of Processing: Company will process User’s Personal Data as long as required (i) to provide the Services to User under the Terms of Use; (ii) for Company’s legitimate business needs; or (iii) by applicable law or regulation. User Account Data and User Usage Data will be processed and stored as set forth in Company’s privacy policy.

Categories of Data Subjects: User’s employees, consultants, contractors, agents and/or customers.

Categories of Personal Data: Company processes Personal Data contained in User Account Data, User Usage Data, and any Personal Data provided by User or collected by Company in order to provide the Services or as otherwise set forth in the Terms of Use or this Addendum. User may submit Personal Data to the Services, the extent of which is determined and controlled by User in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • ID data
  • Professional life data
  • Personal life data
  • Connection data
  • Transaction data
  • Order details
  • Localisation data

Sensitive Data or Special Categories of Data: Users are prohibited from providing special categories of data to Company, including any data which discloses the criminal history of any persons.


Exhibit B

The following includes the information required by Annex I and Annex II of the EU SCCs Module 1, Controller-to-Controller.

Annex I

A. The Parties

Data Exporter(s): [Identification of contact details of data exporter(s)] (and, where applicable, of its/their data protection officer and/or representative in the European Union).

Name: [Name of User]
Address: [Address of User]
Contact person’s name, position and contact details: [Details of contact person]
Activities relevant to the data transferred under these Clauses: As described in Part B of the Addendum.
Signature and date: mm/dd/yyyy
Role (controller/processor): Controller

Data Importer(s):

Name: Company
Address: [Address of company]
E-mail: [Contact details of company]
Activities relevant to the data transferred under these Clauses: As described in Part B of the Addendum.
Signature and date: mm/dd/yyyy
Role (controller/processor): Controller

B. Description of the Transfer

Data Subjects: The data exporter may submit personal data to the data importer through its software, services, systems, products, and/or technologies, the extent of which is determined and controlled by the data exporter and/or the data importer in compliance with applicable data protection laws and regulations, and which may include but is not limited to personal data relating to the following categories of data subjects: data exporter’s employees, consultants, contractors, agents, customers, individuals authorized by User to access User’s account and/or individuals that User has associated with its account.
Categories of Personal Data: The personal data transferred concern the following categories of data: Any personal data comprised in all data and information submitted by data exporter to data importer’s software, services, systems, products, and/or technologies, relating to the following categories of Personal Data:

  • User Account Data
  • User Usage Data

Special Category Personal Data (if applicable): Data exporters are prohibited from providing special categories of data to Company, including any data which discloses the criminal history of any persons.
Nature of the Processing: Data is processed in order for User to manage its information security and data privacy programs and evidence said programs for third-party audit and for Company to manage its relationship with User and the provision of the Services.
Purposes of Processing: To fulfill each party’s obligations under the Terms of Use.
Duration of Processing and Retention: During the term of the Terms of Use.
Frequency of the Transfer: During the term of the Terms of Use on a periodic basis throughout the day and/or at the discretion of the User.
Recipients of Personal Data Transferred to the Data Importer: Company will maintain a list of Subprocessors that is attached hereto and may be updated from time to time.

C. Competent Supervisory Authority

The supervisory authority shall be the supervisory authority of the Data Exporter.

Annex II

Description of the Technical and Organisational Security Measures Implemented by the Data Importer

The following includes the information required by Annex II of the EU SCCs.

Technical and Organizational Security Measure: Details
Measures of pseudonymisation and encryption of personal data: Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest. Company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and User Data is securely encrypted with strong ciphers and configurations when at rest.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Company’s customer agreements contain strict confidentiality obligations. Additionally, Company requires every downstream Subprocessor to sign confidentiality provisions that are substantially similar to those contained in customer agreements. Company maintains internal security controls aligned with industry frameworks. Formal third-party attestations (such as SOC 2 Type II) are part of Company’s roadmap; current attestation status is available to Users on request.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Daily backups of production datastores are taken. Backups are periodically tested in accordance with information security and data management policies.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Company maintains internal security controls aligned with industry frameworks. Formal third-party attestations (such as SOC 2 Type II) are part of Company’s roadmap; current attestation status is available to Users on request.
Measures for user identification and authorization: Company uses secure access protocols and processes and follows industry best-practices for authentication. End-user authentication is delegated to a third-party identity provider (Auth0), through which Multi-Factor Authentication (MFA) and Single Sign-On (SSO) are available and may be enabled by User account administrators. Two-factor authentication is required for all administrative access by Company personnel to production systems. Network infrastructure is securely configured to vendor and industry best practices to block unnecessary ports, services, and unauthorized network traffic.
Measures for the protection of data during transmission: Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Company uses recommended secure cipher suites and protocols to encrypt all traffic in transit (TLS 1.2 or higher).
Measures for the protection of data during storage: Encryption-at-rest is automated using the encryption-at-rest provided by our cloud hosting provider (AWS, via Render), which uses industry-standard AES-256 encryption to secure all volume (disk) data. Keys are managed by AWS Key Management Service.
Measures for ensuring physical security of locations at which personal data are processed: All Company processing occurs in physical data centers operated by our cloud hosting provider, Render (https://render.com/security), which runs on Amazon Web Services (AWS) infrastructure in the United States. AWS data center physical security: https://aws.amazon.com/compliance/data-center/controls/.
Measures for ensuring events logging: Company monitors access to applications, tools, and resources that process or store User Data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.
Measures for ensuring system configuration, including default configuration: Company adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. All production changes are automated through CI/CD tools to ensure consistent configurations.
Measures for internal IT and IT security governance and management: Company maintains a risk-based information security governance program. The framework for Company’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of User Data.
Measures for certification/assurance of processes and products: Card payment processing is performed by Stripe, a PCI DSS Level 1 certified service provider; Company does not store or process payment card data directly. Company is pursuing SOC 2 Type II attestation.
Measures for ensuring data minimization: Company’s Users solely determine what User PII Data they route through the Services. As such, Company operates on a shared responsibility model. Company gives Users control over exactly what PII data enters the platform.
Measures for ensuring data quality: Company has a multi-tiered approach for ensuring data quality. These measures include: (i) unit testing to ensure quality of logic used to process API calls, (ii) database schema validation rules which execute against data before it is saved to our database, (iii) a schema-first API design and strong typing to enforce a strict contract between official clients and API resolvers. Company applies these measures across the board, both to ensure the quality of any Usage Data that Company collects and to ensure that the Company Platform is operating within expected parameters. Company ensures that data quality is maintained from the time a User sends User Data into the Services and until that User Data is presented or exported.
Measures for ensuring limited data retention: Company Users solely determine what User Data they route through the Services. User Data is deleted from the Services following service termination, generally within ninety (90) days, except where retention is required by applicable law, ongoing dispute resolution, or as anonymized data used for service improvement.
Measures for ensuring accountability: Company has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Security Incidents involving Personal Data, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, the Company conducts regular third-party audits to ensure compliance with our privacy and security standards.
Measures for allowing data portability and ensuring erasure: All PII in the Services may be deleted by the User or at the User’s request. Most use cases for porting PII from Company are not applicable. However, Company will respond to all requests for data porting in order to address User needs.
Technical and organizational measures of sub-processors: The Company enters into Data Processing Agreements with its Authorized Subprocessors with data protection obligations substantially similar to those contained in this Addendum.

Exhibit C

The following includes the information required by Part 1 of the UK SCCs, Module 1, Controller-to-Controller.

Table 1: Parties

Start date: The date of this agreement.
The Parties: Exporters (who send the Restricted Transfer); Importer (who receives the Restricted Transfer)
Parties’ details: Exporters: See Exhibit B. Importer: See Exhibit B.
Key Contact: Exporters: See Exhibit B. Importer: See Exhibit B.
Signature (if required for the purposes of Section 2):

Table 2: Selected SCCs, Modules and Selected Clauses

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See Exhibit B.
Annex 1B: Description of Transfer: See Exhibit B.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit B.
Annex III: List of Sub processors (Modules 2 and 3 only): N/A.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 19: Importer.

Exhibit D

The following includes the information required by Annex I, Annex II and Annex III of the EU SCCs Module 2, Controller-to-Processor.

Annex I

A. The Parties

Data Exporter(s): [Identification of contact details of data exporter(s)] (and where applicable, of its/their data protection officer and/or representative in the European Union).

Name: [Name of User]
Address: [Address of User]
Contact person’s name, position and contact details: [Details of contact person]
Activities relevant to the data transferred under these Clauses: As described in Part B of the Addendum.
Signature and date: mm/dd/yyyy
Role (controller/processor): Controller

Data Importer(s):

Name: Company
Address: [Address of company]
E-mail: [Contact details of company]
Activities relevant to the data transferred under these Clauses: As described in Part B of the Addendum.
Signature and date: mm/dd/yyyy
Role (controller/processor): Processor

B. Description of the Transfer

Data Subjects: The data exporter may submit personal data to the data importer through its software, services, systems, products, and/or technologies, the extent of which is determined and controlled by the data exporter in compliance with applicable data protection laws and regulations, and which may include but is not limited to personal data relating to the following categories of data subjects: data exporter’s employees, consultants, contractors, agents and/or customers.
Categories of Personal Data: The personal data transferred concern the following categories of data: Any personal data comprised in all data and information submitted by data exporter to data importer’s software, services, systems, products, and/or technologies, which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • ID data
  • Professional life data
  • Personal life data
  • Connection data
  • Transaction data
  • Order details
  • Localisation data

Special Category Personal Data (if applicable): Data exporters are prohibited from providing special categories of data to Company, including any data which discloses the criminal history of any persons.
Nature of the Processing: Data is processed in order for User to manage its information security and data privacy programs and evidence said programs for third-party audit.
Purposes of Processing: To fulfill each party’s obligations under the Agreement.
Duration of Processing and Retention: During the term of the Agreement.
Frequency of the Transfer: During the term of the Agreement on a periodic basis throughout the day and/or at the discretion of the User.
Recipients of Personal Data Transferred to the Data Importer: Company will maintain a list of Subprocessors that is attached hereto and may be updated from time to time.

C. Competent Supervisory Authority

The supervisory authority shall be the supervisory authority of the Data Exporter.

Annex II

Description of the Technical and Organisational Security Measures Implemented by the Data Importer

The following includes the information required by Annex II of the EU SCCs.

Technical and Organizational Security Measure: Details
Measures of pseudonymisation and encryption of personal data: Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest. Company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and User Data is securely encrypted with strong ciphers and configurations when at rest.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Company’s customer agreements contain strict confidentiality obligations. Additionally, Company requires every downstream Subprocessor to sign confidentiality provisions that are substantially similar to those contained in customer agreements. Company maintains internal security controls aligned with industry frameworks. Formal third-party attestations (such as SOC 2 Type II) are part of Company’s roadmap; current attestation status is available to Users on request.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Daily backups of production datastores are taken. Backups are periodically tested in accordance with information security and data management policies.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Company maintains internal security controls aligned with industry frameworks. Formal third-party attestations (such as SOC 2 Type II) are part of Company’s roadmap; current attestation status is available to Users on request.
Measures for user identification and authorization: Company uses secure access protocols and processes and follows industry best-practices for authentication. End-user authentication is delegated to a third-party identity provider (Auth0), through which Multi-Factor Authentication (MFA) and Single Sign-On (SSO) are available and may be enabled by User account administrators. Two-factor authentication is required for all administrative access by Company personnel to production systems. Network infrastructure is securely configured to vendor and industry best practices to block unnecessary ports, services, and unauthorized network traffic.
Measures for the protection of data during transmission: Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Company uses recommended secure cipher suites and protocols to encrypt all traffic in transit (TLS 1.2 or higher).
Measures for the protection of data during storage: Encryption-at-rest is automated using the encryption-at-rest provided by our cloud hosting provider (AWS, via Render), which uses industry-standard AES-256 encryption to secure all volume (disk) data. Keys are managed by AWS Key Management Service.
Measures for ensuring physical security of locations at which personal data are processed: All Company processing occurs in physical data centers operated by our cloud hosting provider, Render (https://render.com/security), which runs on Amazon Web Services (AWS) infrastructure in the United States. AWS data center physical security: https://aws.amazon.com/compliance/data-center/controls/.
Measures for ensuring events logging: Company monitors access to applications, tools, and resources that process or store User Data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.
Measures for ensuring system configuration, including default configuration: Company adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. All production changes are automated through CI/CD tools to ensure consistent configurations.
Measures for internal IT and IT security governance and management: Company maintains a risk-based information security governance program. The framework for Company’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of User Data.
Measures for certification/assurance of processes and products Card payment processing is performed by Stripe, a PCI DSS Level 1 certified service provider; Company does not store or process payment card data directly. Company is pursuing SOC 2 Type II attestation.
Measures for ensuring data minimization Company’s Users solely determine what User PII Data they route through the Services. As such, Company operates on a shared responsibility model. Company gives Users control over exactly what PII data enters the platform.
Measures for ensuring data quality Company has a multi-tiered approach for ensuring data quality. These measures include: (i) unit testing to ensure quality of logic used to process API calls, (ii) database schema validation rules which execute against data before it is saved to our database, (iii) a schema-first API design and strong typing to enforce a strict contract between official clients and API resolvers. Company applies these measures across the board, both to ensure the quality of any Usage Data that Company collects and to ensure that the Company Platform is operating within expected parameters. Company ensures that data quality is maintained from the time a User sends User Data into the Services and until that User Data is presented or exported.
Measures for ensuring limited data retention Company Users solely determine what User Data they route through the Services. User Data is deleted from the Services following service termination, generally within ninety (90) days, except where retention is required by applicable law, ongoing dispute resolution, or as anonymized data used for service improvement.
Measures for ensuring accountability Company has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Security Incidents involving Personal Data, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, the Company conducts regular third-party audits to ensure compliance with our privacy and security standards.
Measures for allowing data portability and ensuring erasure All PII in the Services may be deleted by the User or at the User’s request. Most use cases for porting PII from Company are not applicable. However, Company will respond to all requests for data porting in order to address User needs.
Technical and organizational measures of sub-processors The Company enters into Data Processing Agreements with its Authorized Subprocessors with data protection obligations substantially similar to those contained in this Addendum.

Annex III

Please see list of Authorized Subprocessors as referenced in Exhibit D, as updated from time to time.


Exhibit E

The following includes the information required by Part 1 of the UK SCCs, Module 2, Controller-to-Processor.

Table 1: Parties

Start date: The date of this agreement.
The Parties: Exporters (who send the Restricted Transfer); Importer (who receives the Restricted Transfer)
Parties’ details: Exporters: See Exhibit D. Importer: See Exhibit D.
Key Contact: Exporters: See Exhibit D. Importer: See Exhibit D.
Signature (if required for the purposes of Section 2)

Table 2: Selected SCCs, Modules and Selected Clauses

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See Exhibit D.
Annex 1B: Description of Transfer: See Exhibit D.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit D.
Annex III: List of Sub processors (Modules 2 and 3 only): See Exhibit D.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 19: Importer.

Exhibit F

The following includes the information required by Annex I, Annex II and Annex III of the EU SCCs Module 3, Processor-to-Processor.

Annex I

D. The Parties

Data Exporter(s): [Identification of contact details of data exporter(s)] (and where applicable, of its/their data protection officer and/or representative in the European Union).

Name: [Name of User]
Address: [Address of User]
Contact person’s name, position and contact details: [Details of contact person]
Activities relevant to the data transferred under these Clauses: As described in Part B of the Addendum.
Signature and date: mm/dd/yyyy
Role (controller/processor): Controller

Data Importer(s):

Name: Company
Address: [Address of company]
E-mail: [Contact details of company]
Activities relevant to the data transferred under these Clauses: As described in Part B of the Addendum.
Signature and date: mm/dd/yyyy
Role (controller/processor): Processor

E. Description of the Transfer

Data Subjects: The data exporter may submit personal data to the data importer through its software, services, systems, products, and/or technologies, the extent of which is determined and controlled by the data exporter in compliance with applicable data protection laws and regulations, and which may include but is not limited to personal data relating to the following categories of data subjects: data exporter’s employees, consultants, contractors, agents and/or customers.
Categories of Personal Data: The personal data transferred concern the following categories of data: Any personal data comprised in all data and information submitted by data exporter to data importer’s software, services, systems, products, and/or technologies, which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • ID data
  • Professional life data
  • Personal life data
  • Connection data
  • Transaction data
  • Order details
  • Localisation data
Special Category Personal Data (if applicable): Data exporters are prohibited from providing special categories of data to Company, including any data which discloses the criminal history of any persons.
Nature of the Processing: Data is processed in order for User to manage its information security and data privacy programs and evidence said programs for third-party audit.
Purposes of Processing: To fulfill each party’s obligations under the Agreement.
Duration of Processing and Retention: During the term of the Agreement.
Frequency of the Transfer: During the term of the Agreement on a periodic basis throughout the day and/or at the discretion of the User.
Recipients of Personal Data Transferred to the Data Importer: Company will maintain a list of Subprocessors that is attached hereto and may be updated from time to time.

F. Competent Supervisory Authority

The supervisory authority shall be the supervisory authority of the Data Exporter.

Annex II

Description of the Technical and Organisational Security Measures Implemented by the Data Importer

The following includes the information required by Annex II of the EU SCCs.

Technical and Organizational Security Measure: Details
Measures of pseudonymisation and encryption of personal data: Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest. Company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and User Data is securely encrypted with strong ciphers and configurations when at rest.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Company’s customer agreements contain strict confidentiality obligations. Additionally, Company requires every downstream Subprocessor to sign confidentiality provisions that are substantially similar to those contained in customer agreements. Company maintains internal security controls aligned with industry frameworks. Formal third-party attestations (such as SOC 2 Type II) are part of Company’s roadmap; current attestation status is available to Users on request.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Daily backups of production datastores are taken. Backups are periodically tested in accordance with information security and data management policies.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Company maintains internal security controls aligned with industry frameworks. Formal third-party attestations (such as SOC 2 Type II) are part of Company’s roadmap; current attestation status is available to Users on request.
Measures for user identification and authorization: Company uses secure access protocols and processes and follows industry best practices for authentication. End-user authentication is delegated to a third-party identity provider (Auth0), through which Multi-Factor Authentication (MFA) and Single Sign-On (SSO) are available and may be enabled by User account administrators. Two-factor authentication is required for all administrative access by Company personnel to production systems. Network infrastructure is securely configured to vendor and industry best practices to block unnecessary ports, services, and unauthorized network traffic.
Measures for the protection of data during transmission: Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Company uses recommended secure cipher suites and protocols to encrypt all traffic in transit (TLS 1.2 or higher).
Measures for the protection of data during storage: Encryption-at-rest is automated using the encryption-at-rest provided by our cloud hosting provider (AWS, via Render), which uses industry-standard AES-256 encryption to secure all volume (disk) data. Keys are managed by AWS Key Management Service.
Measures for ensuring physical security of locations at which personal data are processed: All Company processing occurs in physical data centers that are managed by Microsoft Azure. https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security
Measures for ensuring events logging: Company monitors access to applications, tools, and resources that process or store User Data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.
Measures for ensuring system configuration, including default configuration: Company adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. All production changes are automated through CI/CD tools to ensure consistent configurations.
Measures for internal IT and IT security governance and management: Company maintains a risk-based information security governance program. The framework for Company’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of User Data.
Measures for certification/assurance of processes and products: Card payment processing is performed by Stripe, a PCI DSS Level 1 certified service provider; Company does not store or process payment card data directly. Company is pursuing SOC 2 Type II attestation.
Measures for ensuring data minimization: Company’s Users solely determine what User PII Data they route through the Services. As such, Company operates on a shared responsibility model. Company gives Users control over exactly what PII data enters the platform.
Measures for ensuring data quality: Company has a multi-tiered approach for ensuring data quality. These measures include: (i) unit testing to ensure quality of logic used to process API calls, (ii) database schema validation rules which execute against data before it is saved to our database, (iii) a schema-first API design and strong typing to enforce a strict contract between official clients and API resolvers. Company applies these measures across the board, both to ensure the quality of any Usage Data that Company collects and to ensure that the Company Platform is operating within expected parameters. Company ensures that data quality is maintained from the time a User sends User Data into the Services and until that User Data is presented or exported.
Measures for ensuring limited data retention: Company Users solely determine what User Data they route through the Services. User Data is deleted from the Services following service termination, generally within ninety (90) days, except where retention is required by applicable law, ongoing dispute resolution, or as anonymized data used for service improvement.
Measures for ensuring accountability: Company has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Security Incidents involving Personal Data, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, the Company conducts regular third-party audits to ensure compliance with our privacy and security standards.
Measures for allowing data portability and ensuring erasure: All PII in the Services may be deleted by the User or at the User’s request. Most use cases for porting PII from Company are not applicable. However, Company will respond to all requests for data porting in order to address User needs.
Technical and organizational measures of sub-processors: The Company enters into Data Processing Agreements with its Authorized Subprocessors with data protection obligations substantially similar to those contained in this Addendum.

Annex III

Please see list of Authorized Subprocessors as referenced in Exhibit F, as updated from time to time.


Exhibit G

The following includes the information required by Part 1 of the UK SCCs, Module 3, Processor-to-Processor.

Table 1: Parties

Start date: The date of this agreement.
The Parties: Exporters (who send the Restricted Transfer); Importer (who receives the Restricted Transfer)
Parties’ details: Exporters: See Exhibit F. Importer: See Exhibit F.
Key Contact: Exporters: See Exhibit F. Importer: See Exhibit F.
Signature (if required for the purposes of Section 2)

Table 2: Selected SCCs, Modules and Selected Clauses

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See Exhibit F.
Annex 1B: Description of Transfer: See Exhibit F.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit F.
Annex III: List of Sub processors (Modules 2 and 3 only): See Exhibit F.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 19: Importer.

Last Updated / Effective Date: April 27, 2026