Data Processing Addendum
This Data Processing Addendum (DPA) is incorporated into the Master Subscription Agreement between NeuBird AI, Inc. and Customer, applying to the extent NeuBird AI's Processing of Customer Personal Data is subject to the Data Protection Laws.
1. Definitions
1.1 Key Terms
- Customer Personal Data: Personal Data described in Schedule 1
- Data Protection Laws: All laws relating to data protection and privacy applicable to NeuBird AI's Processing of Customer Personal Data
- Data Subjects: Individuals identified in Schedule 1
- European Data Protection Law: Encompasses EU GDPR, UK GDPR, EEA laws, and implementing legislation
- Personal Data: Any information that reasonably relates, directly or indirectly, to an identified or identifiable Data Subject
- Processing: Any operation or set of operations which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure
- Security Incident: Breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Customer Personal Data
- Standard Contractual Clauses: Module 2 EU SCCs per EC Decision 2021/914; UK Addendum per ICO guidance
- UK Addendum: International Data Transfer Addendum issued by UK ICO (effective March 21, 2022)
1.2 Other Terms
Undefined capitalized terms have meanings from the Agreement.
2. Processing of Customer Personal Data
2.1 Processor Role
NeuBird AI will Process Customer Personal Data on behalf of Customer and in accordance with Customer's prior written instructions.
2.2 Notification Obligation
NeuBird AI must promptly inform Customer if instructions potentially violate Data Protection Laws, unless legally prohibited.
2.3 Processing Details
Details are specified in Schedule 1.
2.4 Legal Compliance
Both parties comply with their respective Data Protection Laws obligations.
2.5 Data Restrictions
NeuBird AI will not: (a) "sell" Customer Personal Data; (b) share for targeted advertising; (c) retain/use for unauthorized purposes; (d) disclose outside the direct Customer relationship per the Agreement.
3. Restricted Data Transfers
3.1 SCCs Incorporation
Standard Contractual Clauses are incorporated with Customer as data exporter, NeuBird AI as data importer.
3.2 EU SCCs Terms
Clause 7: Optional docking clause does not apply
Clause 9: Option 2 applies; Subprocessor notice period per Section 5.1
Clause 11: Optional language does not apply
Clause 17: Governed by Irish law
Clause 18(b): Irish courts have jurisdiction
Annex I, Section A:
- Contact details per Agreement or party communications
- Customer is controller; NeuBird AI is processor
- Activities relate to Service provision
- DPA entry constitutes Annex I signature
Annex I, Section B:
- Schedule 1 describes Processing
- Transfer frequency: continuous
- Retention per Clause 8.5 and DPA
- Subprocessors used for Service provision
Annex I, Section C:
- Competent supervisory authority per Customer communication to NeuBird AI
- Default: Irish Data Protection Commission if not communicated
Annex II: Data importer maintains technical/organizational measures per Schedule 2.
3.3 UK Addendum Terms
Part 1, tables 1, 2 and 3 of the UK SCCs will be deemed to be completed like the equivalent provisions in the EU SCCs. For Part 1 Table 4, importer may end the Addendum per Section 19.
4. Confidentiality and Security
4.1 Personnel Confidentiality
NeuBird AI will require NeuBird AI's personnel who access Customer Personal Data to agree to take appropriate measures designed to protect the confidentiality of that data.
4.2 Technical and Organizational Measures
NeuBird AI implements commercially reasonable technical and organisational measures protecting against destruction, loss, alteration, unauthorized disclosure or access (Schedule 2 details).
4.3 Customer Assistance
NeuBird AI provides reasonable assistance for Customer's Data Protection Laws security obligations.
5. Subprocessing
5.1 Authorized Subprocessors
Customer agrees NeuBird AI may use third-party suppliers listed in Schedule 3 to process Personal Data for Service provision.
5.2 Change Notification and Objection
NeuBird AI informs Customer of Subprocessor changes; Customer may object on reasonable grounds within seven days. Unresolved objections permit either party to terminate the Agreement.
5.3 Subprocessor Obligations
NeuBird AI will impose on its Subprocessors similar obligations as those that apply to NeuBird AI under this DPA. NeuBird AI will be liable to Customer for any breaches of this DPA caused by its Subprocessors' acts and omissions.
6. Data Subject Rights
Customer is responsible for responding to Data Subject requests. NeuBird AI advises requesters to contact Customer directly and provides self-service functionality or reasonable assistance for Customer responses.
7. Security Incidents
7.1 Response Requirements
Upon Security Incident awareness, NeuBird AI: (i) promptly remediates; (ii) notifies Customer without undue delay.
7.2 Notification Assistance
Customer bears sole Security Incident notification responsibility. NeuBird AI provides reasonable assistance for authority/Data Subject notifications if legally required.
7.3 Liability Disclaimer
NeuBird AI's notice of or response to a Security Incident under this Section 7 will not be an acknowledgement or admission by NeuBird AI of any fault or liability.
8. Data Protection Impact Assessment; Prior Consultation
NeuBird AI reasonably assists Customer with data protection impact assessments and supervisory authority consultation when legally required and necessary for NeuBird AI's Processing evaluation.
9. Deletion of Customer Personal Data
9.1 Deletion Timeline
Customer instructs NeuBird AI to delete Personal Data within 90 days post-termination; existing copies deleted unless law requires otherwise.
9.2 Certification
Deletion certification per EU SCCs Clause 8.5 and UK SCCs Clause 12 provided only upon written Customer request.
9.3 Legal Retention Exception
NeuBird AI may retain data as legally required, maintaining confidentiality and processing only as necessary per applicable law.
10. Audits
10.1 Audit Frequency and Triggers
Customer may audit annually. Additional audits permitted: (1) following Security Incident; (2) for documented compliance concerns; (3) when Data Protection Laws mandate, including regulatory directives.
10.2 Audit Request Process
Customer submits detailed audit plan to security@neubird.ai one month pre-audit. Plan describes scope, duration, start date, third-party auditor identity. NeuBird reviews, raising concerns/objections. Parties negotiate final audit plan two weeks pre-audit. Nothing in this Section 10 shall require NeuBird to breach any duties of confidentiality.
10.3 Third-Party Auditor Objection
NeuBird AI may object to third party auditors that are, in NeuBird AI's reasonable opinion, not suitably qualified or independent, a competitor of NeuBird AI, or otherwise manifestly unsuitable. Customer appoints alternative auditor or self-conducts if unresolved.
10.4 Audit Report Alternative
If SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar qualified third-party audit report addresses requested scope within twelve months and no material control changes, Customer accepts the Audit Report in lieu of separate audit.
10.5 Audit Logistics
Audits occur at mutually agreed times during business hours, per final audit plan and NeuBird AI policies, without unreasonably disrupting operations.
10.6 Audit Costs and Disclosure
Any audits are at Customer's expense and Customer will promptly disclose to NeuBird AI any perceived non-compliance or security concerns.
10.7 SCCs Audit Alignment
Audits per EU SCCs Clause 8.9 and UK SCCs Clause 5(f) conducted per Section 10.
11. Analytics Data
Customer acknowledges and agrees that NeuBird AI may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject ("Analytics Data"), and use, publicise or share with third parties such Analytics Data to improve the Service and for NeuBird AI's other legitimate business purposes.
12. Liability
12.1 Liability Limitation
Each party's liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
12.2 Customer Instruction Reliance
Customer acknowledges that NeuBird AI is reliant on Customer for direction as to the extent to which NeuBird AI is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. NeuBird AI bears no liability for Data Subject claims from: (a) NeuBird AI's compliance with Customer instructions; (b) Customer's failure to comply with Data Protection Laws.
13. General Provisions
DPA provisions prevail over Agreement inconsistencies; Standard Contractual Clauses prevail over DPA inconsistencies.
Schedule 1: Details of Processing
1. Categories of Data Subjects
This DPA applies to NeuBird AI's Processing of Customer Personal Data relating to Customer's authorized Users of the Service ("Data Subjects").
2. Types of Personal Data
User Names, email addresses, IP addresses, hostnames, and other personal data sent through available telemetry sources.
3. Subject-Matter and Nature of the Processing
Customer Personal Data will be subject to the Processing activities that NeuBird AI needs to perform in order to provide the Service pursuant to the Agreement.
4. Purpose of the Processing
NeuBird AI will Process Customer Personal Data for purposes of providing the Service as set out in the Agreement.
5. Duration of the Processing
Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.
Schedule 2: Security Measures
All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
1. Access Control
1.1 Need-to-Know Restriction
Access to Customer Personal Data is restricted to employees with a defined need-to-know or a role requiring such access.
1.2 User Account Management
User access controls are maintained that address timely provisioning and de-provisioning of user accounts.
2. Business Continuity
2.1 BC/DR Plans Maintenance
NeuBird AI maintains business continuity, backup, and disaster recovery plans ("BC/DR Plans") in order to minimize the loss of service and comply with Applicable Laws.
2.2 Plan Scope
The BC/DR Plans address threats to the Services and any dependencies, and have an established procedure for resuming access to, and use of, the Services.
2.3 Plan Testing
The BC/DR Plans are tested at regular intervals.
3. Change Control
3.1 Change Management Policies
NeuBird AI maintains policies and procedures for applying changes to the Services, including underlying infrastructure and system components, to ensure quality standards are being met.
3.2 Annual Penetration Testing
NeuBird AI undergoes a penetration test of its network and Services on an annual basis. Any vulnerabilities found during this testing will be remediated in accordance with NeuBird AI's Vulnerability Management Policies and Procedures, and will be assessed on the basis of NeuBird AI's Risk Management Framework.
3.3 Regular Vulnerability Scans
NeuBird AI regularly performs vulnerability scans of its network, and any vulnerabilities found will be addressed in accordance with NeuBird AI's Vulnerability Management Policies and Procedures, and will be assessed on the basis of NeuBird AI's Risk Management Framework.
3.4 Security Patch Application
Security patches are applied in accordance with NeuBird AI's patching schedule.
3.5 Development Environment Separation
NeuBird AI maintains an environment for testing and development that is separate from the production environment.
4. Data Security
4.1 Technical Safeguards
NeuBird AI maintains technical safeguards and other security measures to ensure the security and confidentiality of Customer Personal Data.
5. Encryption and Key Management
5.1 Encryption Policies
NeuBird AI maintains policies and procedures for the management of encryption mechanisms and cryptographic keys in NeuBird AI's cryptosystem.
5.2 Encryption Standards
NeuBird AI uses encryption at rest and in transit, as applicable, according to industry-standard practice.
6. Governance and Risk Management
6.1 Program Maintenance
NeuBird AI maintains an information security and risk management program that is reviewed at least annually.
7. Administrative Controls
7.1 Background Verification
NeuBird AI uses a third party to conduct employee background verifications for NeuBird AI personnel with access to sensitive Customer Personal Data.
7.2 Security Training
NeuBird AI employees are required to complete initial (at-hire) and annual security awareness training.
Schedule 3: Subprocessors
The list of authorized Subprocessors is available upon request. Please contact security@neubird.ai for the current Subprocessor list.