Bland.ai Data Processing Agreement

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) is entered into by and between Intelliga Corporation, d/b/a Bland.ai (“Bland”) and the Customer identified in the Enterprise Services Agreement (“Agreement”). This DPA amends and forms part of the Agreement. This DPA applies where Bland Processes Customer Personal Data as a Processor on behalf of Customer, the Controller (or as a subprocessor, where Customer is a Processor on behalf of a third-party Controller), in connection with providing the Services. This DPA will be effective as of the effective date of the Agreement. In the event of any inconsistency or conflict between this DPA and the Agreement, this DPA will govern. This DPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this DPA. 

1. DEFINITIONS

For purposes of this DPA, the following terms will have the meaning ascribed below. Any capitalized term not defined in this DPA shall have the meaning given to it in the Agreement. 

1. “CCPA” means the California Consumer Privacy Act of 2018, including (a) as amended by the California Privacy Rights Act of 2020 or otherwise and (b) any regulations promulgated thereunder.
2. “Controller” means “controller” and “business” (and analogous variations of such terms) under Data Protection Law.
3. “Customer Personal Data” means Personal Data that Bland Processes on behalf of Customer in connection with providing the Services as described in Attachment 1 (including, for the avoidance of doubt, any such Personal Data comprised within Customer Content). Customer Personal Data does not include (i) such information pertaining to Customer’s personnel or representatives who are business contacts of Customer, or (ii) Service Data.
4. “Data Protection Law” means the GDPR, the UK GDPR, the FADP, the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any other state, federal, or international data protection or privacy laws that apply to Bland’s Processing of Customer Personal Data.
5. “Data Subject” means an identified or identifiable natural person. 
6. “Deidentified Data” means information that cannot reasonably be linked to or associated with Customer or any Data Subject. 
7. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 
8. “Personal Data” means “personal data” and “personal information” (and analogous variations of such terms) under Data Protection Law.
9. “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, extending further to such operation or operations under Data Protection Law.
10. “Processor” means “processor” and “service provider” (and analogous variations of such terms) under Data Protection Law.
11. “SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be replaced or superseded by the European Commission. 
12. “Security Incident” means a breach of Bland’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Bland’s possession, custody, or control. For clarity, Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
13. “Service Data” means any data relating to the use, support, and/or operation of the Services, which is collected directly by Bland from and/or about users of the Services and/or Customer’s use of the Services for use for Bland’s own purposes.  
14. “Services” means the services provided by Bland pursuant to the Agreement.
15. “"UK GDPR” means the GDPR as incorporated into United Kingdom (“UK”) law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced). 
16. “UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.  

2. DATA PROCESSING AND PROTECTION
   
   1. Limitations on Use. Bland will Process Customer Personal Data only: (a) in a manner consistent with Customer’s documented instructions as specified under Section 2.2 (Instructions); and (b) as required by applicable laws. Without limiting the instructions under Section 2.2, Bland will not: (x) retain, use, or disclose the Customer Personal Data (i) outside of the direct business relationship between the Parties except as permitted by Data Protection Law or (ii) for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing the Customer Personal Data for a commercial purpose other than providing the Services, or as otherwise permitted by Data Protection Law; (y) “sell” or “share” (as defined by Data Protection Law) the Customer Personal Data; or (z) combine Customer Personal Data with Personal Data Bland receives from individuals or other Customers, except as permitted by Data Protection Law.
   2. Instructions. Customer instructs Bland to Process Customer Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA and the Agreement, including as specified in Attachment 1 (Scope of Processing). This DPA, the Agreement, and any instructions provided by Customer through configuration tools made available by Bland constitute Customer’s documented instructions regarding Bland’s Processing of Customer Personal Data. Additional instructions provided by Customer (if any) require prior written agreement by Customer and Bland, including agreement on any additional fees to carry out such instructions. Customer will not instruct Bland to perform any Processing of Customer Personal Data that violates any Data Protection Law. Bland may suspend Processing based upon any Customer instructions that Bland reasonably suspects violate Data Protection Law, provided Bland will promptly inform Customer if, in Bland’s opinion, an instruction infringes Data Protection Law. 
   3. Compliance. Each Party will comply with its obligations under Data Protection Law. Bland shall notify Customer if it determines that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from Customer that Bland has Processed Customer Personal Data without authorization, Customer may take reasonable and appropriate steps to stop and remediate such Processing.
   4. Confidentiality. Bland will ensure that persons authorized by Bland to Process any Customer Personal Data are subject to appropriate confidentiality obligations. 
   5. Security. Bland will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and provide the level of protection required by Data Protection Law as set forth at https://trust.delve.co/blandai (“Security Measures”). Notwithstanding, Bland may, from time to time, update its Security Measures, provided the new measures do not materially reduce the level of security. Customer agrees that the Services, the Security Measures, and Bland’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Data Protection Law, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
   6. Disposal. At Customer’s request, Bland will delete or return all Customer Personal Data upon the end of the provision of Services: (a) unless applicable law requires the storage of such Customer Personal Data by Bland; and (b) except for Customer Personal Data that is archived on back-up systems, which Bland will securely isolate and protect from any further Processing, except to the extent required or permitted by law. Customer may make its request within 14 days of the cessation date of the Services by emailing the request to [email protected]. Bland shall comply with such Customer instruction as soon as reasonably practicable.
   7. Deidentified Data. Bland may create and derive Deidentified Data to improve Bland’s products and services and for other business purposes. With respect to Deidentified Data, Bland will: (a) take reasonable technical and organizational measures designed to ensure that such data cannot be associated with a Data Subject or Customer; (b) Process such data only in a de-identified fashion and not attempt to re-identify such data except as permitted by Data Protection Laws; and (c) comply with data protection laws applicable to Bland’s Processing of such data.
   8. Service Data. Notwithstanding anything to the contrary in the Agreement and this DPA, Customer agrees that Bland shall have the right to generate, collect, store, use, disclose, and/or otherwise Process data resulting from the use or provision of the Services for its legitimate business purposes, such as: billing, account management, sales, and marketing; performing data analytics; monitoring, improving, and supporting the Services; designing, developing, and offering Bland products and services; and for any other lawful purposes. To the extent that any such data is considered Personal Data under Data Protection Law, Bland is the Controller of such data and shall Process such data in accordance with Bland’s Privacy Policy and Data Protection Law. 
3. DATA PROCESSING ASSISTANCE
   
   1. Data Subject Rights Assistance. Customer shall be responsible for responding to requests from Data Subjects to exercise rights under Data Protection Law relating to Customer Personal Data (each a “Data Subject Request”). Customer will inform Bland of any Data Subject Request to which Bland must comply as a Processor under Data Protection Law and provide the information necessary for Bland to comply with the request. To the extent Customer, in its use of the Services, does not have the ability to address the Data Subject Request, Bland will, on Customer’s request, provide commercially reasonable assistance to Customer in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under Data Protection Law. In the event any Data Subject Request is made directly to Bland, Bland will, to the extent permitted by Data Protection Law, notify Customer without undue delay. Bland will not respond to the request directly, other than to advise the Data Subject to submit the request to Customer, except on the written instructions of Customer or as required by Data Protection Law.
   2. Security Assistance. Taking into account the nature of Processing and the information available to Bland, Bland will provide commercially reasonable efforts to assist Customer in Customer’s efforts to comply with Customer’s obligations to secure Customer Personal Data by providing the information and assistance described in Section 5 (Audits). 
   3. Data Protection Impact Assessment (“DPIA”) and Prior Consultation Assistance. Taking into account the nature of Processing and the information available to Bland, Bland will provide commercially reasonable efforts to assist Customer in ensuring compliance with the obligations related to DPIAs and consulting with regulatory authorities to the extent required by Data Protection Law. 
4. SECURITY INCIDENT 
   
   1. Notice and Assistance. Bland will notify Customer without undue delay after becoming aware of a Security Incident. Bland will provide Customer with information (insofar as such information is within Bland’s possession and knowledge and does not otherwise compromise the security or confidentiality of any other data in Bland’s possession or control) designed to allow Customer to meet its obligations under Data Protection Law to report the Security Incident if and to the extent required by Data Protection Law. Bland will further take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident and will reasonably cooperate with Customer and take commercially reasonable steps as may be requested by Customer to assist in the investigation of any such Security Incident. Bland’s notification of or response to a Security Incident shall not be construed as Bland’s acknowledgement of any fault or liability with respect to the Security Incident.
   2. Notification to Bland. If Customer determines to notify any governmental entity, Data Subject(s), the public, or others of a Security Incident, to the extent such notice directly or indirectly refers to or identifies Bland, where permitted by applicable laws, Customer will notify Bland in writing in advance of such notice and will, in good faith, consult with Bland and consider any clarifications or corrections Bland may reasonably recommend or request to any such notification that relates to Bland’s involvement in or relevance to such Security Incident and is consistent with applicable laws.
5. AUDITS
   
   1. Bland shall make available to Customer all information as Bland (acting reasonably) considers appropriate to demonstrate its compliance with this DPA and with its obligations under Applicable Data Protection Law. 
   2. Bland may procure audits by third parties to assess Bland’s adherence to SOC 2 Type II and/or certifications or other documentation evidencing compliance with alternative standards that are substantially equivalent to the foregoing (collectively, “Audit Reports”). Subject to the confidentiality obligations set forth in the Agreement, Bland will provide Customer with summaries of Bland’s then-current Audit Reports on Customer’s reasonable request. If the Agreement does not include a provision protecting Bland’s confidential information, then the Audit Reports will be made available to Customer subject to a mutually agreed-upon non-disclosure agreement covering the Audit Reports. 
   3. Customer will exercise its audit rights by first requesting the Audit Reports as described in Section 5.2. To the extent that the information provided in such Audit Reports is insufficient to demonstrate Bland’s compliance with this DPA and/or Data Protection Law, Customer may, not more than once every twelve (12) months, conduct (or another auditor mandated by Customer that is reasonably acceptable to Bland may conduct) a documentary audit of Bland’s policies and procedures regarding the Processing of Customer Personal Data. 
   4. Any such audit must be tailored to what is reasonably necessary to verify Bland’s compliance with this DPA and must occur during Bland’s normal business hours. In connection with any such audit, the auditor will: (a) observe restrictions reasonably imposed by Bland; and (b) not unreasonably interfere with or cause destruction, damage, or injury to Bland’s personnel and business activities. Customer will provide written communication of any audit findings to Bland, and the results of the audit will be the confidential information of Bland. Unless otherwise required by a data protection authority (which such audits will be conducted with reasonable prior notice to meet regulatory mandates), Customer will provide no less than thirty (30) days’ advance notice of its request for any such audit and will cooperate in good faith with Bland to schedule any such audit on a mutually agreed-upon date and time (such agreement not to be unreasonably withheld by either Party). 
   5. Prior to conducting any audit, Customer must submit a detailed proposed audit plan. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Bland will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Bland security, privacy, employment, or other relevant policies). The Parties shall cooperate to agree on a final audit plan, including the confidentiality of any information or reports relating to the audit.
6. SUBPROCESSORS
   
   1. Appointment of Subprocessors. Customer authorizes Bland to use subcontractors to Process Customer Personal Data in connection with providing the Services (each, a “Subprocessor”). Customer specifically consents to Bland’s appointment of the Subprocessors identified at https://trust.delve.co/blandai (the “Subprocessor List”). 
   2. Objection Right for New Subprocessors. Bland will notify Customer of its intent to update the Subprocessor List at least 14 days prior to engaging a new Subprocessor by sending an email to Customer’s point of contact. Customer may object to Bland’s use of a new Subprocessor on reasonable grounds relating to data protection within 14 days of such notice by sending an email to [email protected] clearly indicating its desire to object to any such change. If Customer objects to the change in Subprocessors, Bland and Customer will cooperate in good faith to resolve Customer’s objection. If the Parties are unable to resolve Customer’s objection within a reasonable time frame, then Customer may, as its sole and exclusive remedy, cancel the Services that Bland indicates cannot be provided without the objected-to Subprocessor by providing written notice to Bland and receive a refund of any prepaid but unused fees under the Agreement related to the canceled Services. If Customer does not object to Bland’s appointment of a Subprocessor during the objection period, Customer shall be deemed to have approved the engagement and ongoing use of that Subprocessor. 
   3. Liability. Bland will impose data protection obligations upon any Subprocessor that are no less protective of Customer Personal Data than those included in this DPA. Bland will remain liable to Customer for any breach of such obligations by its Subprocessors as it would for its own acts and omissions.
7. DATA TRANSFERS
   
   1. Overview. The parties will conduct any transfers of Customer Personal Data relating to residents of the European Economic Area, the UK, and Switzerland to a country not subject to an adequacy decision (a “Data Transfer”) pursuant to the SCCs, which are incorporated into this DPA and deemed executed by this reference. The parties agree to comply with the general clauses and with Module 2 where Customer is a Controller or Module 3 where Customer is a Processor on behalf of a third-party Controller. Under the SCCs, Customer is the “data exporter” and Bland is the “data importer.” 
   2. Transfers Subject to the GDPR. To the extent Customer Personal Data subject to the GDPR is subject to a Data Transfer, the SCCs will be modified as follows: in Clause 7, the optional docking language is deleted; in Clause 8.9, the audits shall be conducted according to the audit provisions of this DPA; in Clause 9, Option 2 applies and changes to Subprocessors will be notified in accordance with the Subprocessors section of this DPA; in Clause 11, the optional language is deleted; in Clauses 17 and 18, Bland and Customer agree that the governing law and forum for disputes will be the laws and courts of Ireland (without reference to conflicts of law principles); the Annexes of the SCCs will be deemed completed with the information set forth in this DPA; and the supervisory authority that will act as competent supervisory authority will be determined in accordance with the GDPR.
   3. Transfers Subject to the UK GDPR. To the extent Customer Personal Data subject to the UK GDPR is subject to a Data Transfer, the parties will conduct such transfers pursuant to the SCCs in tandem with the UK IDTA, which is incorporated by this reference. The information needed to complete the Tables to the UK IDTA is provided in this DPA.
   4. Transfers Subject to Swiss Data Protection Law. To the extent Customer Personal Data subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”) is subject to a Data Transfer, the parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the Data Transfer is governed by the FADP; references to a “Member State” and “EU Member State” will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and references to “GDPR” in the SCCs will be understood as references to the FADP.
   5. Alternative Transfer Mechanism. In the event that Bland is required to adopt an alternative transfer mechanism under Data Protection Law, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with Data Protection Laws), and Customer agrees to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
8. LIABILITY

The total aggregate liability of either Party toward the other Party, howsoever arising, under or in connection with this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed to by the Parties in the Agreement.

9. MISCELLANEOUS

To the extent there is any conflict between the terms of this DPA, on the one hand, and the applicable SCCs or UK IDTA, on the other hand, the SCCs or UK IDTA, as appropriate, will control. Except as specifically amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect. Except as expressly stated in the SCCs and the UK IDTA, the governing law clause and forum selection clause of the Agreement will apply to any disputes arising out of this DPA. Bland may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Data Protection Law from time to time.

‍