Parties
Processor: Engaige Technologies B.V., having its registered office at Goeman Borgesiuslaan 77, 3515 ET Utrecht, the Netherlands, registered with the Dutch Chamber of Commerce under number 90976827 (“Engaige”).
Controller: the customer that has accepted the Engaige Master Subscription Agreement (or other equivalent written master agreement with Engaige) and is identified in the applicable Order Form or in the Customer’s Engaige account (“Customer”). Where this DPA is signed as a separate written instrument, the Customer is the entity identified at the foot of this DPA, whose details prevail over the foregoing for the purpose of identifying the data exporter under any incorporated Standard Contractual Clauses.
This Data Processing Agreement (this “DPA”) is version 2.0 of Engaige’s standard data processing terms. From the Effective Date applicable to the Customer (as determined in accordance with the Versioning clause in Section 20), this DPA supersedes any previously signed Engaige data processing terms between the Parties for the same Services (whether titled “Data Processing Addendum”, “Data Processing Agreement” or otherwise). This DPA is incorporated by reference into the Master Agreement and is binding on the Parties without countersignature; either Party may request a countersigned counterpart for record-keeping purposes by writing to privacy@letsengaige.com, in which case Engaige will provide a signable counterpart by qualified electronic signature.
1. Background and interpretation
This DPA sets out the additional terms, requirements and conditions on which Engaige will process personal data when providing the Services to the Customer under the master agreement between the Parties (the “Master Agreement”, which includes the Master Subscription Agreement and any Order Form under it). This DPA is incorporated into the Master Agreement and is referenced from each Order Form. In all matters relating to the processing of personal data, this DPA prevails. In all other respects the Master Agreement (including its limitations of liability) governs.
Order of precedence
In the event of any conflict between the documents that together comprise the Master Agreement in respect of the processing of personal data, the order of precedence is: (1) the SCCs, where they apply pursuant to Section 6 and to the extent the conflict concerns matters governed by the SCCs; (2) this DPA; (3) the Order Form; and (4) the Master Subscription Agreement. An Order Form may vary this DPA only where it expressly identifies the provision of this DPA being varied and the variation is signed by authorised representatives of both Parties; absent such express, signed variation, this DPA prevails over the Order Form on personal-data matters.
Capitalised terms used in this DPA have the meaning given in the GDPR unless otherwise defined here. References to “Articles” are to Articles of the GDPR. “GDPR” means Regulation (EU) 2016/679 and, where applicable, the UK GDPR as defined in section 3 of the UK Data Protection Act 2018. “SCCs” means the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914 of 4 June 2021. “Sub-processor” means any third party engaged by Engaige to process personal data on Engaige’s behalf in connection with the Services. “Customer Content” means the personal data and other content the Customer or its data subjects submit to, or generate through use of, the Services. “Effective Date” means the date set out at the top of this DPA, or, if later, the date on which this DPA is signed by both Parties.
2. Roles and processing details
For the purposes of this DPA, Engaige is a data processor and will only process personal data on behalf of the Customer. The Customer may be either the controller (the party that determines the purposes and means of the processing) or another processor acting on a third party’s behalf.
The subject matter, duration, nature and purpose of the processing, and the categories of personal data and data subjects that Engaige may process to fulfil its obligations under the Master Agreement, are further detailed in Section 11 of this DPA.
Engaige will only process the personal data to the extent, and in such a manner, as necessary for the provision of the Services under the Master Agreement and in accordance with the Customer’s written instructions. The Master Agreement, this DPA and the configuration the Customer makes within the Services together constitute the Customer’s documented instructions. Engaige will not process the personal data for any other purpose or in a way that does not comply with this DPA or applicable data protection legislation, in particular the GDPR. Engaige shall, without undue delay, notify the Customer if, in its opinion, an instruction of the Customer would not comply with applicable data protection legislation.
Engaige will not transfer personal data to a country or international organisation outside the European Economic Area (“EEA”) except as expressly permitted under this DPA (including the safeguards in Section 6) or as required by Union or Member State law applicable to Engaige, in which case Engaige will inform the Customer before such processing unless that law prohibits the notice on important grounds of public interest.
Engaige internal access
Within the scope of providing the Services under the Master Agreement and this DPA, Engaige personnel may access personal data only for the following purposes and only on a need-to-know basis subject to the access controls in Section 3: (a) to provide the Services to the Customer and to respond to Customer support requests; (b) to operate, secure, monitor, debug and maintain the Services; (c) to investigate suspected abuse, fraud, security events or breaches of the Acceptable Use Policy in the Master Agreement; (d) to evaluate model output quality, accuracy and safety in accordance with this DPA; and (e) to comply with applicable law or a binding order of a competent authority, subject to Section 6.
Aggregated and de-identified data
Engaige may process aggregated, de-identified or anonymised data derived from the Customer’s use of the Services for the purposes of (a) operating, securing, monitoring and improving the Services; (b) developing new features and products; (c) security research, abuse detection and threat intelligence; and (d) Engaige’s own legal, compliance, audit and statistical reporting. Data is treated as de-identified for the purposes of this Section when it is no longer reasonably attributable to an identified or identifiable natural person, taking into account the means reasonably likely to be used by Engaige or any other person, and Engaige does not attempt to re-identify it and does not combine it with other data in a manner that would render the natural person re-identifiable. Once data is de-identified in accordance with this paragraph, it falls outside the scope of personal data under the GDPR and is not subject to the SCCs. For the avoidance of doubt, this paragraph does not authorise the use of Customer Content to train or fine-tune third-party foundation models; that prohibition is governed by Section 6 and the equivalence criteria for Sub-processors in the LLM category.
3. Security measures
Engaige implements the security measures required pursuant to the applicable data protection legislation, Article 32 GDPR in particular. In this regard, Engaige will implement, and maintain throughout the term of the Master Agreement, adequate technical and organisational security measures to secure the processing operations involved against loss or any form of unlawful processing, including:
Data encryption in transit: TLS 1.2 or higher for all public service endpoints and for traffic between Engaige and its Sub-processors.
Data encryption at rest: Postgres database encrypted at rest with pgsodium and underlying disk-level encryption. Hashing of passwords in the authentication provider with bcrypt. Encryption of sensitive customer-supplied secrets (such as API keys for tool integrations) with a Fernet symmetric key in the application layer; the Fernet key is stored in a managed secrets service.
Tenant isolation: logical separation at application and database layer.
Access controls: single sign-on with mandatory multi-factor authentication for all Engaige personnel; least-privilege role-based access; periodic access reviews.
Backups: daily backups under a documented backup-rotation policy; backups are purged in line with the deletion timelines in Section 12.
Logging and monitoring: centralised application and infrastructure logging with restricted access; alerting and on-call response.
Vulnerability management: dependency monitoring, periodic third-party security testing, remediation tracked in an internal register.
Change management: code review and CI/CD controls for production deployments.
Incident response: documented personal-data-breach response playbook covering containment, evidence preservation, controller notification and supervisory-authority assistance; tabletop or live exercises at least annually.
Sub-processor monitoring: PII scrubbing enabled on the error-monitoring service; input masking and form blocking enabled on the product-analytics session-replay feature.
Personnel and devices: written confidentiality obligations for all personnel; mandatory privacy and security training on hire and at least annually thereafter; all work-related processing on Engaige-provided hardware (full-disk encryption, OS-vendor protections, Mobile Device Management with compliance policies).
Disaster recovery: documented business continuity playbook covering loss of database, region or Sub-processor, tested at least annually.
Pseudonymisation and minimisation
Where appropriate, Engaige applies pseudonymisation and data-minimisation techniques (including the optional server-side field allowlist described in Section 11) to reduce the volume and identifiability of personal data processed.
Updates to security measures
Engaige may update the measures set out in this Section from time to time provided that the updates do not, taken as a whole, materially reduce the level of security protection. The internal substitution of products, services or tools that maintain or improve the security posture (for example, replacing one managed secrets service with another of equivalent or higher assurance, or migrating between hardware-vendor protections) is not a material change for the purposes of this Section or of Section 20. Where an update would materially affect the level of security in a way that is adverse to the Customer, Engaige will notify the Customer in accordance with Section 19 not less than thirty (30) days before the change takes effect, and the Customer’s remedies are those set out in the Sub-processor objection procedure in Section 7, applied with the necessary changes.
The Customer is responsible for ensuring that the security measures as mentioned in this Section comply with its obligations pursuant to the applicable data protection legislation as regards the personal data processed.
4. Audit and inspection rights
The Customer shall be entitled to monitor compliance with the provisions on data protection and the contractual agreements with Engaige to a reasonable extent, either itself or through third parties. This may include obtaining information, inspecting stored data, reviewing data processing programs, and conducting on-site checks. Engaige shall grant access to the persons entrusted with the inspection to the extent necessary.
Engaige shall provide necessary information, demonstrate relevant processes, and supply evidence required to carry out such inspections. If a third party conducts the inspection on behalf of the Customer, such third party must be contractually bound to confidentiality and data protection obligations.
Inspections at Engaige’s premises shall be carried out in a way that avoids unnecessary disruption to Engaige’s business operations and to other Engaige customers. Unless otherwise indicated for urgent reasons documented by the Customer, inspections shall only occur during Engaige’s regular business hours, no more frequently than once every twelve (12) months, and following a minimum of thirty (30) calendar days’ prior written notice. The Customer bears its own audit costs and Engaige bears its own assistance costs, except where the audit reveals a material non-compliance, in which case Engaige bears the reasonable costs of the audit.
Where Engaige provides Engaige’s then-current independent audit reports, ISO/IEC 27001 certification, SOC 2 Type II attestation (or equivalent third-party assurance) together with a written response from Engaige Security to the Customer’s reasonable follow-up questions, the Customer’s audit right under this Section shall be deemed satisfied unless the Customer can identify, by reference to the reports and responses, a specific data-protection deficiency that is not adequately addressed and that gives rise to a reasonable concern requiring further inspection. An audit conducted by a third party engaged by the Customer counts against the audit cadence in this Section in the same way as an audit conducted by the Customer itself, regardless of whether the same third party also audits Engaige on behalf of other customers.
This Section is without prejudice to the Customer’s separate rights under the SCCs Module Two when those clauses apply pursuant to Section 13.
5. Confidentiality
All obligations for Engaige under this DPA shall apply equally to any persons processing the personal data under the supervision of Engaige, including but not limited to employees in the broadest sense of the term. Engaige ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and have received appropriate data-protection training.
All personal data received by Engaige from the Customer within the framework of the Master Agreement is subject to a duty of confidentiality vis-à-vis third parties. This duty of confidentiality will not apply in the event that the Customer (i) has expressly authorised the provision of such information to third parties, (ii) where the provision of the information to third parties is reasonably necessary taking into account the nature of the instructions and the provision of Services under the Master Agreement, or (iii) if there is a statutory obligation to provide the information to a third party.
Where Engaige engages a third party other than a Sub-processor listed in Section 11 (for example, an independent security tester or external auditor) and that third party is granted access to personal data processed under this DPA, Engaige first puts in place a written confidentiality and data-protection commitment that is no less protective than this DPA.
6. Location of the data and international transfers
Engaige processes personal data within the EEA. Product hosting, database, authentication, webhook processing infrastructure, transactional email delivery, product analytics, error monitoring and vector-database services are located in the EEA (see the Sub-processor list in Section 11 for details).
Large-language-model inference and embedding generation are performed via providers in the LLM providers category set out in Section 11. Engaige requires each provider in that category to (i) expose an EEA-resident endpoint that Engaige uses to serve traffic for the Customer; (ii) contractually commit not to use customer content submitted via its API to train or improve the provider’s models; (iii) operate under a data processing agreement that is materially equivalent to the protections in this DPA (in particular, the security and confidentiality obligations, the breach-notification obligations and the assistance obligations); and (iv) make available a Chapter V GDPR transfer mechanism (EU-U.S. Data Privacy Framework certification where the importer is a U.S. entity, otherwise SCCs) covering any incidental administrative or support access from outside the EEA. Engaige refers to these four requirements collectively as the “equivalence criteria” and verifies them before routing any production traffic to a provider in the category.
Transitional fallback for new models
The EEA-resident endpoint requirement in criterion (i) is the default and primary requirement. Where, in respect of a specific new model that Engaige reasonably considers materially superior on relevant performance, safety or capability dimensions, the relevant provider does not yet offer an EEA-resident endpoint, criterion (i) may be satisfied for a transitional period of up to twelve (12) months from first production routing by (a) the routing of traffic to a non-EEA endpoint under a Chapter V GDPR transfer mechanism with the provider (EU-U.S. Data Privacy Framework where the importer is certified, otherwise SCCs); (b) enhanced technical and organisational safeguards, including regional access restrictions, encryption of customer content in transit, and a contractual commitment from the provider that there is no abuse-monitoring retention beyond what is necessary for the provider to comply with applicable law; and (c) Engaige having completed and retained a Transfer Impact Assessment for the relevant importer demonstrating that the supplementary measures reduce the residual risk to a level consistent with the case law of the Court of Justice of the European Union (in particular Case C-311/18, Schrems II) and the European Data Protection Board’s Recommendations 01/2020 on supplementary measures, made available to the Customer on reasonable request. The transitional fallback does not apply to special categories of personal data within the meaning of Article 9 GDPR or to personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR, unless the Customer has expressly opted in to such routing in writing and the Transfer Impact Assessment addresses the elevated risk specific to such data. Engaige will publish the use of the transitional fallback for any given provider on the Sub-processor page in advance of routing production traffic and will notify subscribed privacy contacts under Section 19. 
At the end of the transitional period the provider must satisfy criterion (i) in full to remain in the category. The Customer’s right to object under Section 7 applies to the introduction of any provider relying on the transitional fallback in the same way as it applies to a new Sub-processor.
Engaige carries out one systematic transfer of personal data outside the EEA in connection with webhook processing performed by Hookdeck Inc. (Canada). Hookdeck retains event payloads for up to seven (7) days for delivery and debugging purposes. This transfer takes place on the basis of the SCCs (Module Three, processor to sub-processor) incorporated in Hookdeck’s data processing agreement.
Other Sub-processors host the Customer’s personal data in the EEA. Any incidental administrative or support access by their personnel from outside the EEA takes place under appropriate transfer safeguards in their respective sub-processor agreements (EU-U.S. Data Privacy Framework where the importer is certified, otherwise SCCs).
If a Sub-processor materially changes its data-protection practices in a way that reduces the level of protection of personal data processed under this DPA (for example, a change to retention, training-on-content or transfer-mechanism positions, or an LLM provider that ceases to satisfy the equivalence criteria above), Engaige will (i) assess the change against this DPA and applicable law, (ii) notify the Customer without undue delay, and (iii) at the Customer’s option, work with the Customer in good faith to identify an alternative Sub-processor or terminate the affected Services in accordance with Section 7.
Where the Customer is established outside the EEA, or is itself acting as processor for a controller established outside the EEA, and the transfer of personal data from the Customer to Engaige requires a transfer mechanism under Chapter V GDPR, the SCCs are hereby incorporated into this DPA by reference and apply between the Parties as data importer (Engaige) and data exporter (Customer): Module Two (controller to processor) where the Customer is itself the controller, or Module Three (processor to processor) where the Customer is itself acting as processor for a third-party controller, with the details set out in Section 13.
Government and law-enforcement access requests
Where Engaige receives a legally binding request from any public authority, court, tribunal or law-enforcement or intelligence agency for access to or disclosure of personal data processed under this DPA (a “Government Access Request”), Engaige will:
(a) review each request for legal validity, scope and proportionality, and only disclose the minimum amount of personal data strictly necessary to comply with the request;
(b) challenge any Government Access Request that, in Engaige’s reasonable assessment, is not legally binding on Engaige, exceeds what the requesting authority is authorised to demand, conflicts with the law of the European Union or of a Member State (including Article 48 GDPR), is overbroad on its face, or is otherwise contrary to applicable law, and exhaust reasonable means of legal challenge where available;
(c) notify the Customer of the request without undue delay, before responding to it where lawful and operationally feasible, and otherwise as soon as it is lawful to do so; where notification is prohibited by law, Engaige will use reasonable efforts to obtain a waiver of the prohibition, or at least the right to provide the Customer with general statistical information;
(d) document each Government Access Request that results in a disclosure, including the requesting authority, the legal basis, the categories of personal data disclosed and the Customer(s) affected, and provide that information to the Customer on request, subject to applicable legal prohibitions; and
(e) publish, on an aggregated and anonymised basis at the Sub-processor page or such other public location as Engaige may designate, a summary of any Government Access Requests that have resulted in disclosure to a public authority, promptly after each calendar year in which any such disclosure has occurred; where Engaige has received no such requests, Engaige is under no obligation to publish a report for that period but may do so at its option.
The Customer’s rights under Clause 14 of the SCCs (including Clause 14(e) and (f) on the suspension of transfers) are preserved in full where the SCCs apply pursuant to Section 6, and nothing in this Section limits those rights.
7. Engaging sub-processors
The Customer agrees that Engaige may engage any of its affiliates as a Sub-processor after prior written approval of the Customer. The Customer hereby grants Engaige and any of its affiliates permission to engage the third-party Sub-processors as listed in Section 11, within the framework of the Master Agreement.
For the commissioning of Sub-processors by Engaige, Engaige shall comply with the requirements set forth in Article 28(2) and Article 28(4) GDPR. In particular, at the request of the Customer, Engaige shall inform the Customer without undue delay about the Sub-processors. Engaige and any of its affiliates shall, in any event, ensure that such third parties will be obliged to agree in writing to obligations comparable to those agreed by the Customer and Engaige in this DPA. Where such Sub-processor fails to fulfil its obligations under such agreement, Engaige shall remain fully liable to the Customer for the performance of the Master Agreement.
Notice mechanism
Engaige maintains an up-to-date list of its current Sub-processors at letsengaige.com/legal/subprocessors (the “Sub-processor page”). The Sub-processor page is the primary channel by which Engaige gives notice of intended changes concerning the engagement of new Sub-processors. The Customer is responsible for monitoring the Sub-processor page, and may, on request to privacy@letsengaige.com, subscribe a designated privacy contact to email notifications of updates to that page. Where notice is given via the Sub-processor page, the notice period in this Section runs from the date the update is published on that page.
Engaige shall inform the Customer of any intended changes concerning the engagement of new Sub-processors via the Sub-processor page or, at Engaige’s option, by notice in writing or notice shown within the Service. Subject to the routing-within-an-approved-category provisions below, the Customer shall have thirty (30) calendar days from the date of notice to object in writing. The Customer’s objection must be on reasonable data-protection grounds and must (i) specify the specific data-protection deficiency the Customer relies on (for example, a concern about the proposed Sub-processor’s technical and organisational measures, its retention or training-on-content positions, or its transfer mechanism); (ii) identify the specific provision of this DPA, the SCCs or the applicable data-protection legislation that the Customer considers would be breached; and (iii) where reasonably possible, suggest an alternative that would be acceptable to the Customer. Objections based solely on commercial preference, pricing, the geographic location of the Sub-processor’s ownership (where the data-processing location and equivalence criteria are satisfied), or factors unrelated to data protection are not reasonable data-protection grounds for the purposes of this Section. If the Customer objects, the Parties agree to engage in good faith discussions to resolve the matter. If the Customer does not object within the period of thirty (30) days, the Customer is deemed to have agreed to the engagement of the new Sub-processor.
Remedies on an unresolved objection
If the Parties do not reach an agreement within the notice period, Engaige shall be entitled to engage the relevant Sub-processor, and the Customer’s remedies shall be limited to those set out in this paragraph, applied in order: (a) Mitigation. Engaige will use commercially reasonable efforts to source an alternative Sub-processor acceptable to the Customer for the affected feature, or to provide the affected feature using alternative means. (b) Feature removal. Where (a) is not commercially or technically feasible, Engaige will remove the affected feature from the Services provided to the Customer’s tenant, and the Master Agreement and the fees payable under it shall continue unchanged. (c) Termination. Where the affected feature is material to the Customer’s overall use of the Services — meaning that, with the affected feature removed, the Services as a whole no longer provide the substantial benefit the Customer reasonably expected at the time of contracting — the Customer may terminate the Master Agreement on written notice with effect from the date the new Sub-processor is engaged. In that case, Engaige will refund a pro-rata portion of fees pre-paid for the unused part of the then-current subscription term, calculated from the termination date; Engaige is not required to refund fees for services already rendered. For the avoidance of doubt, Engaige is not required to retain a Sub-processor that Engaige has decided to discontinue, and the foregoing remedies are the Customer’s sole and exclusive remedies in respect of an objection that the Parties cannot resolve in good-faith discussion. For the purposes of (c), Sub-processors that support secondary functions of the Services — including, without limitation, observability, error monitoring, product analytics, logging, telemetry and quality-assurance functions — are not, individually, material to the Customer’s overall use of the Services. An objection limited to such a Sub-processor is therefore expected to be resolved through Mitigation or Feature removal under this paragraph and does not, by itself, give rise to a Termination right.
Routing within an approved category
Where this DPA identifies a category of Sub-processors in Section 11 (in particular, the LLM providers category), the Customer’s general written authorisation in this Section extends to all providers in that category that satisfy the equivalence criteria for that category set out in Section 6. Engaige may add, remove or route traffic between providers within such a category without observing the thirty (30) day notice and objection procedure set out above, provided that (i) Engaige has verified before routing production traffic that the provider satisfies the equivalence criteria for that category, and (ii) Engaige updates the Sub-processor page without undue delay and, in any event, no later than the date on which production traffic begins to route to the new provider. Adding a Sub-processor that does not satisfy the equivalence criteria for its category, materially relaxing the equivalence criteria, or introducing a new category of Sub-processor that is not already identified in Section 11 remains subject to the thirty (30) day prior-notice and objection procedure in this Section. The material-change provisions of Section 6 continue to apply to every Sub-processor, including those in a pre-authorised category.
The Sub-processors approved as at the Effective Date of this DPA are set out in Section 11. Engaige maintains the up-to-date list at letsengaige.com/legal/subprocessors.
8. Special categories of personal data
The Services are not designed for, and the Customer instructs Engaige not to expect, the systematic processing of special categories of personal data within the meaning of Article 9 GDPR or of personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR.
Because data subjects in the AI-assisted customer-experience Services may volunteer such information in free text, the Customer is responsible for taking reasonable steps within its own deployment to discourage the inclusion of special-category data in end-user inputs and to monitor for its inadvertent inclusion. On the Customer’s request, Engaige will reasonably cooperate with measures that reduce the likelihood of such inclusion in its tenant, including the server-side field allowlist for tool responses described in Section 11. If Engaige becomes aware that special-category data is being persisted or transferred to a Sub-processor in a way that materially elevates the risk profile of the processing, Engaige will notify the Customer without undue delay together with a proposed remediation.
The Customer remains responsible for the lawful basis under Article 9(2) for any processing of special-category data.
9. Rights of data subjects
In the event a data subject makes a request to Engaige to exercise his or her legal rights under Articles 15 to 22 GDPR, Engaige shall pass on such request to the Customer without undue delay. Engaige may inform the data subject that the request has been passed on. Engaige will not respond to the data subject independently without the Customer’s prior written approval. The Customer will then further process the request.
If necessary and requested by the Customer, Engaige will assist the Customer with the fulfilment of a request as far as possible and reasonable. Engaige will enable the Customer to carry out data subjects’ requests for access and for restriction of processing, requests for rectification or erasure of personal data, and the exercise of any other right of a data subject under Chapter III of the GDPR and any other applicable legislation, regulations and codes of conduct.
The Customer agrees to send all data-subject-request instructions to privacy@letsengaige.com. Engaige will acknowledge receipt within one (1) business day and will action the instruction within the timelines required by the GDPR (typically one month from the Customer’s receipt of the underlying request). Without limiting the scope of this Section, Engaige’s standard assistance includes:
Article 15 (access): retrieval and export of the relevant personal data in a structured, machine-readable format.
Article 16 (rectification): application of corrected values supplied by the Customer to the relevant data fields, where the data is held by Engaige.
Article 17 (erasure): deletion of the relevant personal data from production systems on the timelines set out in Section 12, and notification of the deletion to authorised Sub-processors where applicable.
Article 18 (restriction): application of a flag or hold that prevents further processing of the personal data pending the Customer’s further instruction.
Article 21 (objection): application of a configuration that excludes the personal data from the processing objected to.
Engaige provides the assistance described above for up to ten (10) data-subject requests per Customer per calendar quarter at no additional charge. Beyond that volume, and in all cases for assistance that goes materially beyond the standard scope described above (for example, bespoke reporting, forensic-level reconstruction or assistance with disputed requests), Engaige may charge for the time spent at Engaige’s then-current standard hourly rates for professional services, subject to the aggregate assistance cap in Section 20.
10. Personal data breach
In the event of a personal data breach, or suspected breach of security, leading to (or likely to lead to) the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data within the meaning of Article 4(12) GDPR, Engaige will notify the Customer thereof without undue delay after becoming aware of such an event, and in any event in sufficient time to enable the Customer to comply with its own notification obligations under Article 33 GDPR. Engaige will use reasonable endeavours to ensure that the provided information is complete, correct and accurate.
For the purpose of this Section, Engaige is deemed to have become aware of a personal data breach when any member of Engaige’s incident-response team has, or with reasonable diligence ought to have, sufficient information to conclude on the balance of probabilities that a personal data breach has occurred. Engaige operates a documented incident-response runbook and uses reasonable measures to identify, triage and confirm reported security events, including monitoring its own infrastructure, attending to reports from data subjects, customers and Sub-processors, and triaging suspected events as soon as feasible after first notification.
If required by applicable data protection legislation, Engaige shall cooperate in notifying the relevant data controller, data subjects and supervisory authorities. The Customer shall determine whether or not to inform these parties and remains the party responsible for any statutory notification obligations in respect thereof.
In addition to notifying the Customer that a personal data breach has occurred, Engaige will, on the Customer’s first request, provide details, if available, regarding (a) the date on which the breach occurred (if the exact date is not known: the period of time within which the breach occurred), (b) the (suspected) cause of the breach, (c) the contact point where more information can be obtained, (d) the categories of personal data concerned, (e) the categories of data subjects concerned, (f) the approximate number of data subjects and number of personal data records concerned, (g) the (currently known and/or anticipated) consequences thereof, (h) the (proposed) solution, and (i) the measures that have already been taken by Engaige. Furthermore, Engaige will make sure that any evidence relating to the personal data breach is preserved and securely stored, and is shared with the Customer on the Customer’s request.
Engaige will provide reasonable assistance to the Customer with data-protection impact assessments and any prior consultation with a supervisory authority required under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to Engaige. This includes, where reasonably required, providing the Customer with the documented technical and organisational measures (Section 3), the Sub-processor list and transfer mechanisms (Sections 6 and 11) and the AI-system and Article 22 information set out in Section 14.
Cost of breach-related assistance
Where the underlying personal data breach is attributable to Engaige or to a Sub-processor of Engaige, Engaige provides the assistance described in this Section at no additional charge. Where the underlying personal data breach is attributable to the Customer, its end-systems, its integrations with the Services, or events outside Engaige’s reasonable control, Engaige may charge for the time spent on assistance beyond the standard scope of the Services at Engaige’s then-current standard hourly rates for professional services. Standard scope includes the initial notification under this Section, the first round of follow-up information in response to the Customer’s reasonable questions, and the documentation needed to satisfy the Customer’s notification obligations under Articles 33 and 34 GDPR. Costs charged under this Section are subject to the aggregate assistance cap in Section 20.
11. Processing details
Duration of processing: for as long as the Services are provided under the Master Agreement, plus the period required for return or deletion under Section 12.
Purposes of processing: the purposes of processing are limited to the provision of the Services that are provided by Engaige under the Master Agreement, including evaluation of model output quality, audit and traceability, and return or deletion on the Customer’s instruction. Where the Services include AI-assisted customer-experience ticket handling, the purpose extends to passing ticket content and tool-integration responses to a large language model for reasoning and reply drafting, generating embeddings for semantic search and retrieval, and writing the AI agent’s reply back to the Customer’s customer-experience platform.
Categories of data subjects
End Users of the Services (e.g., employees, contractors and temporary workers of the Customer);
the Customer’s external workforce attached to the Customer (e.g., BPO agents, outsourced operations staff, partner-company employees), where the Customer extends use of the engagement platform to that population;
the Customer’s end-consumers and any individuals whose personal data appears in customer-service interactions (where the Customer subscribes to the AI-assisted customer-experience Services);
any other persons to whom the personal data relates that is included in the data provided via established integrations between the Customer’s systems and Engaige.
Categories of personal data
For the employee-engagement Services: business name and business email address of the relevant data subjects, plus aggregated, non-attributable engagement metrics derived from survey responses. The product does not collect HR metadata, device identifiers, IP addresses or attributable free-text content.
For the AI-assisted customer-experience Services:
Identifying: name, username;
Contact: email address, phone number, postal address as provided;
Customer or order references: order ID, account ID where included;
Free-text complaint or request content as submitted by the data subject;
AI-generated content: drafted replies, classifications, summaries;
Embeddings: vector representations of ticket content and knowledge-base entries, stored in the vector database;
Source-system metadata: ticket ID, channel, timestamps;
Tool-integration response data passed to the LLM as context for inference (see below);
Authenticating: password, two-factor authentication details (for users of the Services);
Device information: IP address, browser fingerprint (for users of the Services);
Behavioural: usage behaviour (for users of the Services);
Open-field data: any types of personal data entered in an open input field within the Services;
Integration: any types of personal data included in the data transferred via Integrations to Engaige;
Incidentally, and outside the intended scope of the Services as described in Section 8, any indicators of special-category data that the data subject chooses to include in free text.
Source of the data
Personal data is received via API from the Customer’s customer-experience platform. The customer-experience platform is the Customer’s own system and is not a Sub-processor of Engaige.
Where the Customer configures action tools for the AI agent to call, the responses returned by those systems are passed to the LLM (i.e., to the LLM provider serving the Customer’s tenant at that time) as context for the next inference step. This may include personal data such as customer name, contact details, order identifiers, order line items, shipping or billing address, refund and return status, and any other field the Customer chooses to include in the tool response. The integrated tools are part of the Customer’s controller perimeter and are not Engaige Sub-processors. The Customer determines which fields are returned and is responsible for data minimisation in tool configurations. Engaige does not strip identifiers from tool responses prior to LLM context inclusion. On request, Engaige can configure a server-side field allowlist for the Customer’s tenant.
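The server-side field allowlist described above can be illustrated with a filter that runs over a tool response before it is added to the LLM context. This is an added example, not Engaige’s code or configuration format: it assumes tool responses are JSON objects and that the allowlist is a set of dotted field paths, and the field names and values in the sample response are constructed.

```python
"""Field allowlist applied to a tool response before LLM context inclusion.

Added illustration, not Engaige's implementation. Assumptions: tool responses
are JSON objects; the allowlist is a set of dotted paths such as
"order.items.sku" (list elements share the path of the list they sit in).
Behaviour is fail-closed: any field not listed, and not a parent of a listed
field, is dropped and recorded so the tenant can audit what was withheld.
"""
from __future__ import annotations

import json
from typing import Any


def filter_tool_response(value: Any, allowlist: set[str], path: str = "") -> tuple[Any, list[str]]:
    """Return (filtered_value, dropped_paths) for one tool-response subtree."""
    if isinstance(value, dict):
        kept: dict[str, Any] = {}
        dropped: list[str] = []
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else key
            if child_path in allowlist:
                # Listing a parent path allows its whole subtree; list leaves
                # individually (as in DEFAULT_ALLOWLIST) to keep minimisation tight.
                kept[key] = child
            elif isinstance(child, (dict, list)) and any(
                p.startswith(child_path + ".") for p in allowlist
            ):
                # A descendant is allowed: descend and filter the container.
                sub, sub_dropped = filter_tool_response(child, allowlist, child_path)
                kept[key] = sub
                dropped.extend(sub_dropped)
            else:
                dropped.append(child_path)
        return kept, dropped
    if isinstance(value, list):
        kept_list: list[Any] = []
        dropped = []
        for item in value:
            if isinstance(item, (dict, list)):
                sub, sub_dropped = filter_tool_response(item, allowlist, path)
                kept_list.append(sub)
                dropped.extend(sub_dropped)
            else:
                # Scalar list elements are only reachable here when the list
                # itself was not allowed, so they are withheld.
                dropped.append(path + "[]")
        return kept_list, dropped
    return value, []


def prepare_llm_context(raw_tool_response: str, allowlist: set[str]) -> dict[str, Any]:
    """Parse a raw tool response and return the minimised context plus an audit list."""
    data = json.loads(raw_tool_response)
    filtered, dropped = filter_tool_response(data, allowlist)
    return {"context": filtered, "dropped_fields": sorted(set(dropped))}


# Constructed sample: what an order-lookup tool might return to the agent.
SAMPLE_TOOL_RESPONSE = json.dumps({
    "order": {
        "id": "ORD-1001",
        "status": "shipped",
        "items": [
            {"sku": "A1", "qty": 2, "gift_note": "Happy birthday Anna"},
            {"sku": "B7", "qty": 1, "gift_note": ""},
        ],
        "shipping_address": {"street": "Example Street 1", "city": "Utrecht"},
    },
    "customer": {"name": "Anna Example", "email": "anna@example.com", "phone": "+31 6 00000000"},
    "internal_notes": "customer disputed charge; possible fraud flag",
})

# Constructed allowlist: only what a status reply actually needs.
DEFAULT_ALLOWLIST = {"order.id", "order.status", "order.items.sku", "order.items.qty", "customer.name"}


if __name__ == "__main__":
    print(json.dumps(prepare_llm_context(SAMPLE_TOOL_RESPONSE, DEFAULT_ALLOWLIST), indent=2))
```

The `dropped_fields` list is what makes the control verifiable: it can be logged per tenant to show which fields never reached the model, and an empty allowlist withholds the entire response.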
Logic of the AI processing
Inference and embedding generation are performed by general-purpose large language models supplied by one or more of the providers in the LLM providers category set out below. Engaige may route traffic for the Customer’s tenant to any provider in that category that satisfies the equivalence criteria set out in Section 6, and may add or change providers within the category in accordance with Section 7. Embeddings are stored in the vector database (Weaviate). The specific model set within a given provider evolves over time and Engaige reviews its disclosure on an annual cycle. The model is grounded on the incoming ticket content and on the Customer’s configured knowledge and policy sources, and produces a contextually relevant reply that is posted back to the source customer-experience platform. No profiling for pricing, advertising, fraud-scoring or comparable consumer treatment is performed.
Sub-processor categories
Engaige treats certain functional layers of the Services as categories of Sub-processor. Each provider within a category must, at all times that Engaige routes Customer traffic to it, satisfy the equivalence criteria for that category set out in Section 6. Engaige verifies the equivalence criteria before routing production traffic to a provider, monitors them on an ongoing basis, and treats any failure to satisfy them as a material change for the purposes of Section 6. Within an approved category, Engaige may add, remove or route traffic between providers in accordance with the routing-within-an-approved-category provisions of Section 7.
The category established as at the Effective Date of this DPA is: LLM providers (large-language-model inference and vector-embedding generation). The equivalence criteria for this category are the four criteria set out in Section 6. Engaige may introduce additional categories (for example, speech-to-text, text-to-speech, image or document understanding, telephony, or knowledge-source ingestion) by following the thirty (30) day prior-notice and objection procedure in Section 7; introduction of a new category, or material relaxation of the equivalence criteria for an existing category, is subject to that procedure and is not within the routing-within-an-approved-category authorisation.
LLM providers (category)
The LLM providers approved as at the Effective Date of this DPA are:
Microsoft Azure OpenAI Service (EU region): large-language-model inference. Contracted under the Microsoft Products and Services Data Protection Addendum. EEA-resident endpoint; Azure data-residency commitments apply. Microsoft does not use customer content submitted via the Azure OpenAI Service API to train or improve its models. Prompt and completion content may be retained by Microsoft for up to thirty (30) days for abuse monitoring; abuse-monitoring access is governed by the Microsoft Products and Services DPA. EU-U.S. Data Privacy Framework and SCCs in the Microsoft DPA cover any incidental US support access.
Anthropic (EEA region): large-language-model inference (Claude family models) via Anthropic’s EEA-resident API offering. Contracted under the Anthropic Commercial Terms and Anthropic Data Processing Addendum. Anthropic does not use customer content submitted via the API to train or improve its models. EU-U.S. Data Privacy Framework and SCCs in the Anthropic DPA cover any incidental US support access.
OpenAI (EU data residency): large-language-model inference via OpenAI’s EU-data-residency API offering, with inference served from an EEA-resident endpoint. Contracted under the OpenAI Business Terms and OpenAI Data Processing Addendum. OpenAI does not use customer content submitted via the API to train or improve its models. EU-U.S. Data Privacy Framework and SCCs in the OpenAI DPA cover any incidental US support access.
Google (EEA region): large-language-model inference and vector-embedding generation via Google Gemini models served from an EEA endpoint within Engaige’s EEA-based Google Cloud project. Contracted under the Google Cloud Data Processing Addendum. Google does not use customer content submitted via the Vertex AI / Gemini API to train or improve its foundation or embedding models. EU-U.S. Data Privacy Framework (Google LLC) and SCCs in the Google Cloud DPA cover any incidental US support access.
Core platform
Google Cloud Platform (EU region): compute, object storage and managed secrets infrastructure underlying the Services (separate from the LLM category above). EU-U.S. Data Privacy Framework (Google LLC) and SCCs in the Google Cloud DPA apply to incidental US support access.
Weaviate (EU region): vector database for semantic search and retrieval; stores a subset of customer data (vector representations and associated metadata). Retention aligns with the primary database (duration of the Master Agreement, with deletion on the timelines in Section 12). SCCs apply under the Weaviate data processing agreement.
Supabase (EU region): authentication and Postgres database. SCCs apply under the Supabase DPA.
Hookdeck Inc. (Canada): webhook processing and delivery. Event payloads retained for up to seven (7) days, after which they are automatically purged. SCCs (Module Three, processor to sub-processor) apply.
Resend, Inc. (EU region): transactional email delivery. Recipient addresses and email content are processed in the EEA. SCCs apply under the Resend data processing agreement.
Analytics and observability
Sentry (EU region): application error monitoring with server-side PII scrubbing. EU-U.S. Data Privacy Framework and SCCs apply to incidental US support access.
PostHog (EU region): product analytics and session replay with input masking and form blocking enabled. EU-U.S. Data Privacy Framework and SCCs apply to incidental US support access.
Langfuse (EU region): LLM call observability and tracing; stores prompts, completions and model metadata for debugging, evaluation and quality monitoring of the AI-assisted customer-experience Services. SCCs apply under the Langfuse data processing agreement.
Customer support
Pylon (Pylon Labs Inc., US): shared inbox and ticketing platform used to receive and triage Customer support requests submitted to Engaige. Engaige instructs the Customer’s authorised contacts not to include end-user personal data in support communications; any personal data included by the Customer (including any incidental end-user personal data in support requests, attachments or screenshots) is processed by Pylon as a Sub-processor of Engaige. Pylon is SOC 2 Type II and ISO 27001 certified. SCCs (Module Two) and the UK Addendum apply under the Pylon data processing agreement.
For the avoidance of doubt, the Customer’s own customer-experience platform and any action-tool systems the Customer integrates are not Sub-processors of Engaige. They are Customer-controlled systems with which Engaige integrates by API under the Customer’s instructions.
Retention
Operational ticket content and AI outputs are held in Engaige’s EU database for the duration of the Master Agreement. Embeddings and associated metadata are held in the vector database (Weaviate) for the same duration. At end of contract, the thirty (30) / ninety (90) day deletion rule in Section 12 applies, with backups purged within a further ninety (90) days. Each LLM provider commits, in its applicable data processing agreement, not to use prompt or completion content sent through the inference API to train or improve its models; provider-side abuse-monitoring retention windows (typically up to thirty (30) days) are described in the provider entries above. Hookdeck retains webhook event payloads for up to seven (7) days for delivery and debugging purposes; payloads are automatically purged after that period.
Frequency of transfer
Continuous, as initiated by data subjects’ interactions with the Customer and by the Customer’s use of the Services.
Supervisory authority
Engaige’s lead supervisory authority is the Autoriteit Persoonsgegevens (Netherlands), Bezuidenhoutseweg 30, 2594 AV The Hague.
12. Treatment of personal data upon termination
Upon termination of the Master Agreement, for whatever reason, Engaige must, without being entitled to any additional compensation or remuneration, on demand of the Customer:
(a) make available to the Customer all personal data processed in the context of this DPA and the Master Agreement in the manner and format reasonably requested by the Customer (including, by default, comma-separated values format);
(b) immediately cease the processing of personal data and ensure that Sub-processors do the same;
(c) provide the Customer with all documents and (digital) files in which personal data have been recorded or stored; and
(d) after the Customer has explicitly given the order thereto, permanently delete all personal data that have been stored electronically or, as far as permanent deletion of the data carrier is impossible, destroy the data carrier, and confirm to the Customer in writing, upon request, that all duties stipulated in this Section have been complied with.
Unless the Customer instructs otherwise in writing, the default position is deletion within thirty (30) days of termination or expiry of the Master Agreement. The Customer may request an extension of this period to ninety (90) days in writing, in which case Engaige will retain the personal data only for the purpose of return and final deletion. Engaige will purge the personal data from operational backup systems within ninety (90) days of the corresponding deletion from production systems, in accordance with Engaige’s documented backup-rotation policy.
During the term, personal data processed in the AI-assisted customer-experience Services is retained for the duration of the Master Agreement by default. On the Customer’s written instruction to privacy@letsengaige.com, Engaige will enable a tenant-level retention window — typically automatic deletion of resolved tickets after thirty (30) or ninety (90) days. This is configured by Engaige on the Customer’s instruction; it is not self-configurable by the Customer.
Engaige shall only be entitled to retain (parts of) the personal data after the termination of this DPA and the Master Agreement if specific provisions under the GDPR or the laws of an EU member state, applicable to Engaige, so dictate.
13. Standard Contractual Clauses (Modules Two and Three)
This Section completes the SCCs incorporated by reference in Section 6. It applies only where the Customer is established outside the EEA, or where the Customer is itself acting as processor for a controller established outside the EEA, and a transfer mechanism under Chapter V GDPR is required between the Parties. It does not apply where the Customer is established in the EEA and is itself the controller. The selections set out below apply equally to Module Two or Module Three, whichever applies under Section 6. References to “Annex I.A — List of parties” below are completed accordingly: where Module Three applies, the data exporter is the Customer in its capacity as processor and the underlying controller is identified by the Customer in the body of this DPA or in a side letter.
Clause 7 (Docking clause)
Does not apply.
Clause 9 (Use of sub-processors)
Option 2 (general written authorisation) applies. The minimum prior notice for Sub-processor changes is thirty (30) days, as set out in Section 7 of this DPA, except that, in respect of changes within a pre-authorised category of Sub-processors that satisfy the equivalence criteria for that category as described in Section 6 and Section 7, the Customer’s general written authorisation extends to such changes without a fresh thirty (30) day notice.
Clause 11 (Redress)
The Parties do not adopt the optional language in Clause 11(a) regarding an independent dispute-resolution body.
Clause 17 (Governing law)
The SCCs are governed by the law of the Netherlands.
Clause 18(b) (Choice of forum and jurisdiction)
Disputes arising from the SCCs are resolved before the courts of the Netherlands (Rechtbank Midden-Nederland).
Annex I.A — List of parties
Data exporter: the Customer, identified at the top of this DPA. Activities relevant to the data transferred to Engaige: as set out in Section 11. Role: controller (or, where applicable, processor).
Data importer: Engaige Technologies B.V., Goeman Borgesiuslaan 77, 3515 ET Utrecht, the Netherlands; contact for data-protection matters: privacy@letsengaige.com. Activities relevant to the data transferred from the Customer: provision of the Services as set out in Section 11. Role: processor.
Annex I.B — Description of transfer
Categories of data subjects, categories of personal data, special categories, frequency, nature, purpose, retention and Sub-processor recipients are as described in Section 11.
Annex I.C — Competent supervisory authority
In accordance with Clause 13, the competent supervisory authority is the Autoriteit Persoonsgegevens (Netherlands).
Annex II — Technical and organisational measures
As set out in Section 3.
Annex III — Sub-processors
As set out in Section 11 (Sub-processor categories, LLM providers, Core platform, Analytics and observability, and Customer support).
UK transfers
Where the transfer concerns personal data subject to the UK GDPR, the Parties incorporate the UK Addendum to the SCCs (issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018) by reference. Tables 1 to 3 of the UK Addendum are completed using the information in Section 11 and Section 3 of this DPA. Table 4 (ending the Addendum): either Party may end the Addendum as set out in Section 19 of the Mandatory Clauses of the UK Addendum.
14. Automated decision-making and profiling (Article 22)
This Section applies where the Customer configures the Services to perform AI-assisted customer-experience ticket handling end-to-end without a human reviewing each individual response before it is sent to the data subject. In that configuration, the Engaige AI agent reads each incoming ticket from the Customer’s customer-experience platform, generates a reply, classifies the ticket and posts the reply back to the customer-experience platform. The processing is therefore solely automated within the meaning of Article 22(1) GDPR.
Whether the processing produces a legal effect on the data subject, or significantly affects the data subject in a similar way, depends on the type of decision the agent takes:
Informational replies (such as order status, delivery questions, return-policy explanations, product questions and general support) do not, in Engaige’s reasonable view, produce a legal or similarly significant effect on the data subject and accordingly do not engage Article 22(1).
Decisions that change the data subject’s outcome (such as approving or refusing a return or refund, issuing a goodwill credit, resolving a complaint, granting an exception or denying access to a service) are closer to the line and may engage Article 22(1) where they are taken solely by the AI agent without human review.
The classification of any specific response depends on the actual business effect of the response in the Customer’s environment, not on its phrasing. For example, a response that confirms the approval of a refund and triggers automatic execution of that refund through a tool integration is an outcome-changing decision even if the response itself is phrased informally. The Customer is responsible for configuring the Services and the surrounding business processes so that the classification of responses is consistent with how the Services are actually used.
Where the configuration described above is in use, the Customer represents and warrants that, in its capacity as controller, it will:
(a) disclose in its consumer-facing privacy notice and/or terms of service that customer-service interactions may be handled by an AI agent on Engaige’s platform, including the categories of decisions the agent can take on the Customer’s behalf;
(b) provide a clear and easily discoverable route for the data subject to obtain human intervention, to express the data subject’s point of view and to contest a decision, in the same channel where the automated decision was communicated;
(c) document the lawful basis under Article 22(2) (typically Article 22(2)(a) “necessary for entering into, or performance of, a contract” or Article 22(2)(c) explicit consent) for any agent-taken decision that falls within Article 22(1);
(d) comply with Article 9(2) where any decision involves special-category data; and
(e) provide the information required by Articles 13(2)(f) and 14(2)(g) GDPR and be in a position to provide the information required by Article 15(1)(h) on request.
On the Customer’s request, Engaige will supply per-ticket logs containing the inputs, the model version and the generated output, sufficient to allow the Customer to support a data subject’s right to obtain human intervention or to contest a decision. Engaige will also reasonably assist the Customer in fulfilling its obligations under Articles 13(2)(f), 14(2)(g) and 22(3) GDPR.
15. AI output limitations and allocation of accuracy risk
This Section applies where the Services include AI-assisted customer-experience ticket handling or other features that generate outputs using large language models.
Nature of model outputs
The Customer acknowledges that the outputs of large language models, including the outputs generated by the AI agent in the Services, are probabilistic and may contain inaccuracies, omissions, fabricated content, outdated information or content that does not align with the Customer’s policies, knowledge sources or commercial intentions. Engaige does not warrant that any specific output is accurate, complete, fit for a particular purpose, or that any output will not contain such inaccuracies.
Customer configuration responsibilities
The Customer is responsible, in its capacity as controller and deployer, for:
(a) configuring the human-review threshold appropriate to the type of decision being taken, including in light of Section 14 (Article 22) and Section 16 (AI Act);
(b) curating, maintaining and verifying the knowledge sources, policy documents and configurations on which the AI agent is grounded;
(c) configuring the tool allowlist, action permissions and field controls that determine what the AI agent can access and what it can do on the Customer’s behalf;
(d) configuring server-side field allowlists for tool responses where data minimisation in tool integrations is required;
(e) providing appropriate consumer-facing disclosures and contestability routes as required by Section 14 and Section 16; and
(f) monitoring the operation of the AI agent in its environment and intervening as appropriate.
Engaige’s obligation
Engaige’s obligation is to provide the Services consistent with the documented Service description and the technical and organisational measures in Section 3, and to operate the AI agent and its surrounding system in accordance with this DPA. Where the Master Agreement contains a service-level commitment, that commitment prevails over this Section for the failure modes within its scope.
No third-party reliance
No data subject and no other third party may rely on any output of the AI agent as an authoritative statement by Engaige. The AI agent acts in the Customer’s name and on the Customer’s behalf as deployer; the Customer’s consumer-facing notices and terms govern the legal effect of any output as between the Customer and the data subject.
16. EU AI Act
This Section applies where the Services include AI-assisted customer-experience ticket handling or other features that involve the deployment of an AI system within the meaning of Regulation (EU) 2024/1689 (the “AI Act”). It allocates the Parties’ respective responsibilities under the AI Act and is without prejudice to the Parties’ separate responsibilities under the GDPR (in particular, Sections 2 and 14 of this DPA).
Roles
For the AI-assisted customer-experience Services, Engaige acts as a provider of an AI system within the meaning of Article 3(3) AI Act in respect of the AI agent and the surrounding system that Engaige supplies to the Customer. The Customer acts as the deployer within the meaning of Article 3(4) AI Act, in that the Customer determines the purpose for which the AI system is used in interactions with the Customer’s end-consumers and integrates the AI system into the Customer’s own business processes. Where Engaige integrates general-purpose AI models from third-party LLM providers (Section 11), those providers are providers of general-purpose AI models in their own right, and Engaige relies on their compliance with Articles 53 to 55 AI Act as applicable.
AI literacy (Article 4)
Each Party shall, within its respective sphere as provider or deployer, take measures to ensure to its best extent a sufficient level of AI literacy among its staff and any other persons dealing with the operation and use of the Services on its behalf, taking into account their technical knowledge, experience, education and training and the context the Services are used in, in accordance with Article 4 AI Act. Engaige maintains an internal AI literacy programme covering the design, operation, limitations and known failure modes of the Services and of the LLM providers used. The Customer is responsible for the AI literacy of its own personnel using or operating the Services as deployer (including human reviewers, customer-experience leads and any external workforce attached to the Customer).
Classification
Engaige reasonably classifies the AI-assisted customer-experience Services as a limited-risk AI system in their default configuration, principally because the system interacts directly with natural persons within the meaning of Article 50(1) AI Act. The Customer is responsible for assessing whether its specific configuration, use case or deployment context elevates the system into a higher risk category under Article 6 and Annex III AI Act, and for complying with the additional obligations that follow from such classification. By way of non-exhaustive example, Customer configurations that may elevate the Services into Annex III include: configuring the AI agent to make or materially influence decisions on creditworthiness or eligibility for buy-now-pay-later, instalment-payment or other consumer-credit products (Annex III §5(b)); pricing or eligibility for life or health insurance (Annex III §5(c)); decisions affecting access to essential public or private services or benefits (Annex III §5(a)); use of biometric categorisation or emotion-recognition functionality in interactions with end-consumers (Annex III §1); or use in employment-related decision-making, performance evaluation, allocation of tasks, or access to education and vocational training (Annex III §3 and §4). Where the Customer identifies that its configuration falls within Annex III, the Customer will inform Engaige in writing without undue delay so that the Parties can agree any supplementary measures required.
Article 26 deployer obligations
Without limiting the generality of the foregoing, the Customer acknowledges that, as deployer, it is responsible (and Engaige is not responsible) for the following obligations under Article 26 AI Act, to the extent they apply to the AI-assisted customer-experience Services: (a) using the AI system in accordance with the instructions for use supplied by Engaige (Article 26(1)); (b) assigning human oversight to natural persons with the necessary competence, training, authority and support (Article 26(2)); (c) ensuring that input data is relevant and sufficiently representative in view of the intended purpose, to the extent the Customer exercises control over the input data (Article 26(4)); (d) monitoring the operation of the AI system on the basis of the instructions for use, informing Engaige and, where relevant under Articles 26(5) and 72 AI Act, the provider and the competent market surveillance authority of any identified risk or serious incident, and complying with the deployer-side reporting obligations in Article 26(5) AI Act; (e) keeping the logs automatically generated by the AI system to the extent such logs are under the Customer’s control (Article 26(6)); (f) where the Customer is an employer and the AI system is used in the workplace, informing workers’ representatives and the affected workers in accordance with applicable Union or national law (Article 26(7)); (g) informing natural persons subject to the use of a high-risk AI system in accordance with Article 26(11); and (h) cooperating with competent authorities on any action taken in relation to the AI system. Engaige will supply the instructions for use, the system description and other documentation reasonably necessary to enable the Customer to comply with this paragraph.
Article 27 (Fundamental Rights Impact Assessment)
Where the Customer’s deployment of the AI-assisted customer-experience Services requires a fundamental rights impact assessment under Article 27 AI Act (in particular, where the Customer is a body governed by public law or a private entity providing public services, or where the Customer’s deployment falls within Annex III §5), the Customer is responsible for conducting that assessment in accordance with Article 27. Engaige will reasonably assist on the Customer’s request by supplying information about the AI system, its intended purpose, the categories of natural persons and groups likely to be affected, the period and frequency of intended use, and the technical and organisational measures set out in Section 3 of this DPA and in Engaige’s instructions for use. Assistance under this paragraph that goes materially beyond the standard documentation set is chargeable in accordance with Engaige’s assistance terms below and is subject to the aggregate assistance cap in Section 20.
Article 50 transparency
The Customer, as deployer, is responsible for informing end-consumers that they are interacting with an AI system as required by Article 50(1) AI Act, save where the AI nature of the interaction is obvious from the point of view of a reasonably well-informed, observant and cautious end-consumer taking into account the circumstances and context of use. Section 14 of this DPA sets out related transparency obligations under Article 22 GDPR; the Customer’s obligations under the AI Act apply in addition and not in substitution. The information and routing-to-human-review mechanisms required by Section 14 will normally satisfy the AI Act transparency obligation in the same channel, provided that the Customer’s consumer-facing notices are kept consistent with the disclosures Engaige supplies in the instructions for use.
Article 50(2) — AI-generated content
Article 50(2) AI Act applies to (i) text generated or manipulated by an AI system and published for the purpose of informing the public on matters of public interest and (ii) synthetic image, audio or video content (including deep fakes). In Engaige’s reasonable view, AI-generated replies produced by the AI-assisted customer-experience Services do not fall within the text-disclosure obligation in Article 50(2) because (a) such replies are addressed to an individual end-consumer in the context of that end-consumer’s support enquiry and are not published with the purpose of informing the public on matters of public interest, and (b) where the Customer configures the Services to subject AI-generated replies to human review, or where the Customer otherwise retains editorial responsibility for the published reply, the carve-out in the second sub-paragraph of Article 50(2) applies. Where the Services generate image, audio or video content as part of an AI-generated reply, Engaige will mark such outputs in a machine-readable format detectable as artificially generated or manipulated, in a manner that is effective, interoperable, robust and reliable as far as technically feasible, in accordance with the first sub-paragraph of Article 50(2). The Customer remains responsible for ensuring that any onward distribution or use of AI-generated outputs by the Customer’s own systems preserves the machine-readable marking applied by Engaige.
Prohibited practices
The Customer represents and warrants that it will not configure or use the Services in a manner that constitutes a prohibited practice under Article 5 AI Act (including manipulative or exploitative techniques, social-scoring uses, or real-time biometric identification in publicly accessible spaces) and will not instruct Engaige to do so. Engaige reserves the right to refuse, suspend or terminate configurations that, in Engaige’s reasonable view, would constitute a prohibited practice or otherwise breach the AI Act.
Serious incidents (Article 73)
Engaige operates an AI-Act-aligned serious-incident response process under Article 73 AI Act, separate from and complementary to the personal-data-breach process in Section 10. For the purposes of this Section, “serious incident” has the meaning given in Article 3(49) AI Act (including any malfunction or use of an AI system that directly or indirectly leads to death or serious harm to a person’s health, a serious and irreversible disruption of critical infrastructure, an infringement of obligations under Union law intended to protect fundamental rights, or serious harm to property or the environment). Engaige will notify the Customer without undue delay of any serious incident within the meaning of Article 3(49) AI Act that affects the AI-assisted customer-experience Services deployed by the Customer, and will reasonably assist the Customer in meeting any deployer-side reporting obligation it may have under Article 26(5) AI Act. The Customer will notify Engaige without undue delay (and in any event within the timelines required of deployers under Article 26(5) AI Act) of any serious incident it identifies in connection with its use of the Services. Where the underlying incident is attributable to Engaige or to a Sub-processor of Engaige, Engaige provides assistance under this Section at no additional charge; where attributable to the Customer, its configuration, integrations or end-systems, Section 10’s cost-of-assistance rules apply with the necessary changes.
Instructions for use (Article 13)
This Section 16, read together with Sections 11, 14, 15 and 19 of this DPA, constitutes the instructions for use supplied by Engaige to the Customer for the purposes of Article 13 AI Act. References elsewhere in this DPA to “the instructions for use supplied by Engaige” are to this Section 16 read together with those cross-referenced Sections. Specifically: Section 11 records the intended purpose, the categories of intended uses, the categories of data subjects, the categories of personal data, and the source-system perimeter of the AI-assisted customer-experience Services; Section 15 records the known limitations, the probabilistic nature of model outputs, and the Customer’s configuration responsibilities; the Article 26 deployer-obligations subsection above and Section 14 record the required human-oversight and log-access mechanisms; the Classification subsection above records the AI Act classification, the Annex III boundary, and the configurations that are not within the intended purpose; the Prohibited practices subsection above records the configurations the Customer must not deploy; and Section 19 records the contact channel for AI Act enquiries. Detailed product documentation — including feature descriptions, configuration guides, integration walkthroughs and tool-allowlist mechanics — is maintained at Engaige’s help center and is the authoritative source for product behaviour as it evolves between DPA versions. Material changes to the AI Act-relevant content of the instructions for use are treated as material changes to this DPA for the purposes of Section 20 (Versioning).
Engaige’s assistance
Engaige will provide the Customer with the information reasonably necessary to enable the Customer to comply with its obligations under the AI Act in respect of its use of the Services, including (a) a description of the AI system, its intended purpose and the categories of intended uses; (b) information about the data used to train, validate and test the AI system to the extent applicable and available to Engaige; (c) information about the LLM providers used and their data-protection and AI Act commitments (Section 11); and (d) on the Customer’s request, the per-ticket logs described in Section 14. Engaige may charge for assistance that goes materially beyond the standard scope of the Services at Engaige’s then-current standard hourly rates for professional services, subject to the aggregate assistance cap in Section 20.
17. Customer responsibilities, warranties and indemnity
Customer warranties
The Customer represents and warrants on a continuing basis that, in connection with its use of the Services and the processing of personal data under this DPA:
(a) the Customer has all rights, authorisations and lawful bases necessary to disclose the personal data to Engaige and to authorise Engaige to process the personal data as contemplated by the Master Agreement and this DPA, including an appropriate lawful basis under Article 6 GDPR and, where applicable, Article 9 and Article 22 GDPR;
(b) the Customer has provided all notices and obtained all consents required by Articles 13, 14 and (where applicable) 22 GDPR, and by Article 50 AI Act and any other applicable law, to enable Engaige to process the personal data lawfully;
(c) the Customer’s written instructions, configurations, integrations, knowledge sources, policy sources, allowlist settings and other inputs to the Services comply with applicable law, including data-protection law, consumer-protection law, the AI Act and any sector-specific law applicable to the Customer’s business;
(d) the Customer’s configuration of the Services accurately reflects the actual business effect of the AI agent’s responses and the human-review thresholds the Customer has determined are appropriate, in accordance with Sections 14, 15 and 16;
(e) the Customer’s customer-experience platform, action-tool integrations and other source systems are lawfully operated by the Customer (or by third parties acting on the Customer’s behalf) under appropriate legal arrangements, and are not Sub-processors of Engaige (Section 11);
(f) the Customer will not configure or use the Services in a manner that constitutes a prohibited practice under Article 5 AI Act and will not instruct Engaige to do so;
(g) the Customer’s end-consumer inputs do not, to the Customer’s knowledge and on the basis of measures reasonably available to the Customer, systematically include unlawful content (including child sexual abuse material, content infringing third-party rights, content that constitutes regulated professional advice that the Customer is not authorised to provide, or content that breaches the Acceptable Use Policy in the Master Agreement); and
(h) where the Customer’s end-consumers may include minors, the Customer is responsible for any age-appropriate measures, parental-consent requirements (Article 8 GDPR where applicable) and supplementary disclosures; Engaige does not separately verify age.
Affiliate use
The Customer’s Affiliates may use the Services subject to a separate or extended Order Form, in which case the Customer ensures that each Affiliate complies with the Master Agreement and this DPA. The Customer remains the primary point of contact for Engaige and is responsible for the acts and omissions of its Affiliates in connection with the Services.
Customer indemnity
The Customer will defend, indemnify and hold harmless Engaige and its affiliates, and their respective officers, directors and employees, from and against any third-party claim, demand, investigation or proceeding (including any claim or enforcement action by a data subject, supervisory authority or other competent authority), and any damages, fines, penalties, settlements, reasonable costs and reasonable legal fees finally awarded or agreed in settlement in respect thereof, to the extent arising out of or in connection with: (i) the Customer’s breach of the warranties in this Section; (ii) the Customer’s breach of Section 14 (Article 22), Section 15 (AI output limitations) or Section 16 (AI Act); (iii) the Customer’s instructions, configurations, integrations, knowledge sources, policy sources or other inputs causing the processing of personal data in a manner that infringes applicable law; (iv) any failure by the Customer to inform data subjects or to provide the contestability route, lawful basis or transparency information required by Section 14, Section 16 or applicable law; (v) any content uploaded, generated through, or transmitted by means of the Services in breach of the Acceptable Use Policy in the Master Agreement; or (vi) any claim by an Affiliate of the Customer to the extent such claim would have been covered by this indemnity had it been brought by the Customer.
Indemnity procedure
Engaige will (a) promptly notify the Customer in writing of any claim subject to this indemnity, except that any delay in notification will not relieve the Customer of its obligations except to the extent the Customer is materially prejudiced; (b) permit the Customer to control the defence and settlement of the claim, provided that any settlement that imposes a non-monetary obligation on Engaige or that contains an admission of liability requires Engaige’s prior written consent (not to be unreasonably withheld); and (c) provide reasonable cooperation at the Customer’s expense.
Cap interaction
The Customer’s indemnity obligation under this Section is not subject to any limitation of liability set out in the Master Agreement or this DPA, except that it is capped at the higher of (i) the aggregate liability cap set out in the Master Agreement applied as a separate cap dedicated to this indemnity, and (ii) any data-protection indemnity cap expressly set out in the Master Agreement or the Order Form. This Section does not limit the Customer’s liability for amounts payable under the SCCs (where they apply pursuant to Section 6) to the extent the SCCs require those amounts to be uncapped.
18. Liability and governing law
Each Party’s liability arising out of or in connection with this DPA, whether in contract, tort (including negligence) or otherwise, is subject to the limitations and exclusions of liability set out in the Master Agreement. The Parties acknowledge that the SCCs (where they apply pursuant to Section 6) contain mandatory liability provisions which apply notwithstanding any agreed limitation in the Master Agreement, but only as between the data exporter and the data importer of the SCCs and only in respect of Article 82 GDPR liability towards data subjects.
This DPA is governed by the law specified in the Master Agreement, except that, where the SCCs apply pursuant to Section 6, those clauses are governed by the law specified in Section 13. Disputes arising out of or in connection with this DPA are subject to the jurisdiction specified in the Master Agreement.
19. Notices
Notices and other communications under this DPA are given as follows:
Customer to Engaige
All Customer notices under this DPA — including data-subject-request instructions (Section 9), Sub-processor objections (Section 7), audit requests (Section 4), breach reports, Government Access Request enquiries (Section 6), AI Act enquiries (Section 16) and any other notice for which this DPA does not specify a different channel — are to be sent to privacy@letsengaige.com.
Engaige to Customer
All Engaige notices under this DPA are sent to the privacy contact subscribed by the Customer in accordance with Section 7 and, absent such subscribed contact, to the billing or administrative email of record for the Customer’s Engaige account. For material changes to this DPA (Section 20), Engaige will additionally publish notice on the public version page maintained under the Versioning clause; for changes to the Sub-processor list, Engaige will additionally publish on the Sub-processor page.
Effectiveness
Notices by email are effective on send (subject to any delivery-failure notification received by the sender). Notices by publication on a public page are effective on the date the change is shown on that page. Notices given by registered post are effective on delivery.
Keeping contacts current
Each Party is responsible for keeping its notice contact current. The Customer may update its privacy contact by email to privacy@letsengaige.com; Engaige will publish any update to its notice contact at the public version page maintained under the Versioning clause.
Data Protection Officer / EU Representative
Engaige has not designated a Data Protection Officer under Article 37(1) GDPR, having determined that its processing does not meet the Article 37(1) criteria. Engaige’s designated contact for privacy matters under this DPA is privacy@letsengaige.com. Engaige will update this designation, including any future designation of a DPO or EU representative, at the public version page maintained under the Versioning clause.
20. Term, material breach and miscellaneous
Term
This DPA takes effect on the Effective Date and continues in force for the duration of the Master Agreement. On termination or expiry of the Master Agreement for any reason, this DPA terminates concurrently, subject to Section 12 (Treatment of personal data upon termination) and to the Survival clause below.
Material breach
For the purposes of any termination-for-cause right in the Master Agreement that references this DPA, a breach of this DPA will be considered material only if it (a) constitutes a personal data breach within the meaning of Article 4(12) GDPR that materially impacts the Customer; (b) is a failure by Engaige to notify a personal data breach in accordance with Section 10 within the timelines required by that Section, persisting after Engaige has had a reasonable opportunity to cure following written notice from the Customer; (c) is a failure by Engaige, after a reasonable opportunity to cure following written notice from the Customer, to permit an audit that the Customer is entitled to conduct under Section 4; (d) is a failure to comply with the SCCs (where they apply pursuant to Section 6) that is not cured within thirty (30) days of written notice from the Customer; or (e) is a repeated failure to comply with the same provision of this DPA that Engaige has not cured within thirty (30) days of written notice. Any other non-compliance with this DPA is a non-material breach and is to be addressed under the cure mechanics in the Master Agreement (if any) or, failing that, on a commercially reasonable basis between the Parties; it is not a ground for termination-for-cause of the Master Agreement.
Versioning
Engaige maintains the current version of this DPA at letsengaige.com/legal/dpa (the “version page”). The version of this DPA in force as at the Effective Date of the applicable Order Form (or, where the Customer accepts the Master Agreement without a separate Order Form, on the date the Customer first accepts the Master Agreement) applies for the duration of the then-current subscription term. On each renewal of the Master Agreement, the then-current published version of this DPA applies for the renewed term. Engaige will publish notice of material changes to this DPA on the version page and, where the Customer has subscribed a designated privacy contact under Section 7, by email to that contact, not less than thirty (30) days before the change takes effect. The Customer may, on request to privacy@letsengaige.com, obtain a copy of the version of this DPA that applies to its subscription. Updates to the Sub-processor list (Section 11), the security measures (Section 3 — subject to the procedure in that Section) and routine non-substantive updates (typographical corrections, clarifications that do not change substantive meaning, contact updates and cross-reference renumbering) are made under the procedures in those Sections, or take effect at the version page without prior notice, and do not constitute material changes for the purposes of this clause.
Aggregate assistance cap
The total amount that Engaige may charge the Customer under this DPA for assistance that is expressly chargeable under Sections 9, 10, 14 and 16 (and any other expressly chargeable assistance) in any calendar year is capped at five per cent (5%) of the fees paid by the Customer to Engaige in respect of the Services in the same calendar year. The cap does not apply to costs awarded to Engaige under Section 4 where an audit reveals a material non-compliance attributable to the Customer, or to costs payable by the Customer under Section 17 (Customer indemnity).
Survival
The obligations in Sections 4 (Audit), 5 (Confidentiality), 6 (Government access requests — to the extent matters arose during the term), 8 (Special categories — for liability arising during the term), 9 (Rights of data subjects), 10 (Personal data breach), 12 (Treatment of personal data upon termination), 13 (SCCs, to the extent required by their own terms), 14 (Article 22 — for liability arising during the term), 15 (AI output limitations), 16 (AI Act — for liability arising during the term), 17 (Customer responsibilities, warranties and indemnity), 18 (Liability and governing law), 19 (Notices) and this Section 20 survive termination or expiry of the Master Agreement to the extent and for the period necessary to give effect to their purpose.
Counterparts; electronic signature
Where this DPA is countersigned in accordance with the preamble, it may be executed in any number of counterparts, each of which when executed constitutes an original, and which together constitute one and the same instrument. The Parties agree that signature by electronic means (including DocuSign, Adobe Sign and equivalent qualified electronic signature services) is valid and binding.
No waiver
A failure or delay by either Party in exercising any right under this DPA does not constitute a waiver of that right, and no single or partial exercise of any right precludes any other or further exercise of that or any other right.
No third-party beneficiaries
Other than the third-party beneficiary rights expressly granted to data subjects under the SCCs (where they apply pursuant to Section 6), this DPA does not confer any benefit or right on any person other than the Parties.
Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect, and the Parties will replace the invalid provision with a valid one that achieves, as closely as possible, the original intent.
Amendments
Except as expressly set out in the Versioning clause above, this DPA may only be amended by a written instrument signed by authorised representatives of both Parties. Engaige may update the security measures in Section 3 and the Sub-processor list in Section 11 in accordance with the procedure set out in Section 7 (including, where applicable, the routing-within-an-approved-category provisions of Section 7) without further signature.
Countersignature
This DPA is binding on the Parties without countersignature in accordance with the preamble above. If you would like a signed counterpart for your records, email privacy@letsengaige.com and we will send a tracked, signable copy via qualified electronic signature.