NeuBird Collaborates with Microsoft to bring first Agentic SRE to the Azure Marketplace.

Data Processing Addendum

This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to the terms and conditions of, the Master Subscription Agreement or other written or electronic agreement (“Agreement”) between NeuBird, Inc. (“NeuBird”) and the entity identified as “Customer” in the Agreement (“Customer”). This DPA applies to the extent NeuBird’s Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.

  1. Definitions
    1. For the purposes of this DPA:
      1. Customer Personal Data” means the Personal Data described under Schedule 1 to this DPA;
      1. Data Protection Laws” means all laws relating to data protection and privacy applicable to NeuBird’s Processing of Customer Personal Data in any jurisdiction where such Customer Personal Data is subject to regulation, including without limitation, as applicable, the European Data Protection Law and the laws and regulations of the United States and its states, including, without limitation, the California Consumer Privacy Act, in each case as amended from time to time, to the extent applicable to the relevant party;
      1. Data Subjects” means the individuals identified in Schedule 1;
      1. European Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”), the United Kingdom General Data Protection Regulation, which is the EU GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), and all other privacy and data protection laws of the European Economic Area (“EEA”), and the United Kingdom, and all laws implementing, supplementing, or amending the foregoing;
      1. Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable Data Subject;
      1. Processing” (including its cognate “Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
      1. Security Incident” means a breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Customer Personal Data; and
      1. “Standard Contractual Clauses” means (i) Module 2 of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”).
      1. UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner’s Office, in force as of 21 March 2022, available at international-data-transfer-addendum.pdf. (ico.org.uk).
    1. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
  1. Processing of Customer Personal Data
    1. NeuBird will Process Customer Personal Data on behalf of Customer and in accordance with Customer’s prior written instructions, including any instructions provided through Customer’s use of the Service. NeuBird is hereby instructed to Process Customer Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA.
    1. NeuBird will promptly inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws, unless it is prohibited from doing so by law on important grounds of public interest. If applicable laws preclude NeuBird from complying with Customer’s instructions, NeuBird will inform Customer of its inability to comply with the instructions, to the extent permitted by law.
    1. The details of NeuBird’s Processing of Customer Personal Data are described in Schedule 1.
    1. Each of Customer and NeuBird will comply with their respective obligations under the Data Protection Laws.
    1. NeuBird will not (a) “sell” (as defined in Data Protection Law) Customer Personal Data; (b) share or otherwise disclose Customer Personal Data for targeted advertising purposes; (c) retain, use, or disclose Customer Personal Data for any purpose other than as permitted under this DPA and in accordance with the Agreement; or (d) retain, use, or disclose Customer Personal Data other than in the context of the direct relationship with Customer in accordance with the Agreement.
  1. Restricted Data Transfers
    1. In the event that Customer is subject to European Data Protection Law and the transfer of Customer Personal Data to NeuBird would be restricted in the absence of the Standard Contractual Clauses, the parties agree that the Standard Contractual Clauses shall be incorporated into this DPA with Customer as the “data exporter” and NeuBird as the “data importer.”
    1. For purposes of the EU SCCs the parties agree that:
      1. In Clause 7, the optional docking clause will not apply;
      1. In Clause 9, Option 2 will apply and the time period for prior notice of Subprocessor changes will be as set forth in Section 5.1 of this DPA;
      1. In Clause 11, the optional language will not apply;
      1. For the purpose of Clause 17, the EU SCCs shall be governed by the laws of Ireland;
      1. For the purpose of Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;
      1. For Annex I, Section A (List of Parties), (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a controller, and NeuBird is a processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;
      1. For Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes NeuBird’s Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Services); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) NeuBird uses Subprocessors to support the provision of the Services.
      1. For Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to NeuBird. Unless and until Customer communicates a competent supervisory authority to NeuBird, the competent supervisory authority shall be the Irish Data Protection Commission.
      1. For the purposes of Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described in Schedule 2.
    1. For the purposes of the UK Addendum parties agree that Part 1, tables 1, 2 and 3 of the UK SCCs will be deemed to be completed like the equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is the importer.
  1. Confidentiality and Security
    1. NeuBird will require NeuBird’s personnel who access Customer Personal Data to agree to take appropriate measures designed protect the confidentiality of Customer Personal Data.
    1. NeuBird will implement commercially reasonable technical and organisational measures, as further described in Schedule 2, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
    1. To the extent required by Data Protection Laws, NeuBird will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligations under Data Protection Laws to maintain the security of Customer Personal Data.
  1. Subprocessing
    1. Customer agrees that NeuBird may use the third-party suppliers listed in Schedule 3 to Process Customer Personal Data on its behalf for the provision of the Services under the Agreement (each a “Subprocessor”). NeuBird will inform Customer of any intended changes concerning the addition or replacement of Subprocessors and Customer will have an opportunity to object to such changes on reasonable grounds within seven days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.
    1. NeuBird will impose on its Subprocessors similar obligations as those that apply to NeuBird under this DPA. NeuBird will be liable to Customer for any breaches of this DPA caused by its Subprocessors’ acts and omissions as it would be for its own.
  1. Data Subject Rights

Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data (“Requests”). If NeuBird receives any Requests during the term, NeuBird will advise the Data Subject to submit the request directly to Customer. NeuBird will provide Customer with self-service functionality or other reasonable assistance to permit Customer to respond to Requests.

  1. Security Incidents

Upon becoming aware of a Security Incident affecting Customer Personal Data, NeuBird will (i) promptly take measures designed to remediate the Security Incident and (ii) notify Customer without undue delay. Customer is solely responsible for complying with Security Incident notification requirements applicable to Customer. At Customer’s request, NeuBird will reasonably assist Customer’s efforts to notify Security Incidents to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. NeuBird’s notice of or response to a Security Incident under this Section 7 will not be an acknowledgement or admission by NeuBird of any fault or liability with respect to the Security Incident.

  1. Data Protection Impact Assessment; Prior Consultation

Taking into account the nature of the Processing and the information available to NeuBird, NeuBird will reasonably assist Customer in conducting data protection impact assessments and consultation with data protection authorities if Customer is required to engage in such activities under applicable Data Protection Laws and such assistance is necessary and relates to the Processing by NeuBird of Customer Personal Data.

  1. Deletion of Customer Personal Data

Customer instructs NeuBird to delete Customer Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in Clause 8.5 of the EU SCCs and Clause 12 of the UK SCCs, if applicable, shall be provided only upon Customer’s written request. Notwithstanding the foregoing, NeuBird may retain Customer Personal Data to the extent and for the period required by applicable laws provided that NeuBird maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.

  1. Audits
    1. Customer may audit NeuBird’s compliance with its obligations under this DPA up to once per year. In addition, Customer may perform more frequent audits (including inspections) in the event: (1) NeuBird suffers a Security Incident affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding NeuBird’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. NeuBird will contribute to such audits by providing Customer or Customer’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.
    1. To request an audit, Customer must submit a detailed proposed audit plan to security@neubird.ai at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third-party Customer intends to appoint to perform the audit. NeuBird will review the proposed audit plan and provide Customer with any concerns or questions (for example, NeuBird may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise NeuBird confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date.  Nothing in this Section 10 shall require NeuBird to breach any duties of confidentiality.
    1. NeuBird may object to third party auditors that are, in NeuBird’s reasonable opinion, not suitably qualified or independent, a competitor of NeuBird, or otherwise manifestly unsuitable.  Customer will appoint another auditor or conduct the audit itself if the parties cannot resolve the objection after negotiating in good faith.
    1. If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor on NeuBird’s systems that Process Customer Personal Data (“Audit Reports”) within twelve (12) months of Customer’s audit request and NeuBird confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.
    1. The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and NeuBird’s health and safety or other relevant policies and may not unreasonably interfere with NeuBird business activities.
    1. Any audits are at Customer’s expense and Customer will promptly disclose to NeuBird any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.
    1. The parties agree that the audits described in Clause 8.9 of the EU SCCs and Clause 5(f) of the UK SCCs, if applicable, shall be performed in accordance with this Section 10.
  1. Analytics Data

Customer acknowledges and agrees that NeuBird may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject (“Analytics Data”), and use, publicise or share with third parties such Analytics Data to improve the Service and for NeuBird’s other legitimate business purposes in accordance with Data Protection Laws.

  1. Liability
    1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
    1. Customer acknowledges that NeuBird is reliant on Customer for direction as to the extent to which NeuBird is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service.  Consequently, NeuBird will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by NeuBird in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.
  1. General Provisions

With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

SCHEDULE 1

Details of Processing

  1. Categories of Data Subjects. This DPA applies to NeuBird’s Processing of Customer Personal Data relating to Customer’s authorized Users of the Service (“Data Subjects”).
  1. Types of Personal Data. User Names, email addresses, ip addresses, hostnames, and other personal data sent through available telemetry sources.
  1. Subject-Matter and Nature of the Processing. Customer Personal Data will be subject to the Processing activities that NeuBird needs to perform in order to provide the Service pursuant to the Agreement.
  1. Purpose of the Processing. NeuBird will Process Customer Personal Data for purposes of providing the Service as set out in the Agreement.
  1. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.

SCHEDULE 2

Security Measures

We currently observe the Security Measures described in this Schedule. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.

  1. Access Control
    1. Access to Customer Personal Data is restricted to employees with a defined need-to-know or a role requiring such access.
    2. User access controls are maintained that address timely provisioning and de-provisioning of user accounts.
  2. Business Continuity
    1. NeuBird maintains business continuity, backup, and disaster recovery plans (“BC/DR Plans”) in order to minimize the loss of service and comply with Applicable Laws.
    2. The BC/DR Plans address threats to the Services and any dependencies, and have an established procedure for resuming access to, and use of, the Services.
    3. The BC/DR Plans are tested at regular intervals.
  3. Change Control
    1. NeuBird maintains policies and procedures for applying changes to the Services, including underlying infrastructure and system components, to ensure quality standards are being met.
    2. NeuBird undergoes a penetration test of its network and Services on an annual basis. Any vulnerabilities found during this testing will be remediated in accordance with NeuBird’s Vulnerability Management Policies and Procedures, and will be assessed on the basis of NeuBird’s Risk Management Framework.
    3. NeuBird regularly performs vulnerability scans of its network, and any vulnerabilities found will be addressed in accordance with NeuBird’s Vulnerability Management Policies and Procedures, and will be assessed on the basis of NeuBird’s Risk Management Framework.
    4. Security patches are applied in accordance with NeuBird’s patching schedule.
    5. NeuBird maintains an environment for testing and development that is separate from the production environment.
  4. Data Security
    1. NeuBird maintains technical safeguards and other security measures to ensure the security and confidentiality of Customer Personal Data.
  5. Encryption and Key Management
    1. NeuBird maintains policies and procedures for the management of encryption mechanisms and cryptographic keys in NeuBird’s cryptosystem.
    2. NeuBird uses encryption at rest and in transit, as applicable, according to industry-standard practice.
  6. Governance and Risk Management
    1. NeuBird maintains an information security and risk management  program that is reviewed at least annually.
  7. Administrative Controls
    1. NeuBird uses a third-party to conduct employee background verifications for NeuBird personnel with access to sensitive Customer Personal Data.
    2. NeuBird employees are required to complete initial (at-hire) and annual security awareness training.
# # # # # #