Data Processing Addendum (DPA)

This Data processing Addendum (“DPA”) is incorporated into and is subject to the terms and conditions of the agreement (the “Agreement”) between Customer and Outmarket AI, Inc. (“Outmarket AI”) (collectively, “the parties”) applicable to the Customer’s use of the Services. This DPA shall be effective for the term of the Agreement.

1. Definitions

1.1 In this DPA:

1. “Customer Personal Data” means Personal Data provided to Outmarket AI in connection with the Services by Customer or Customer’s authorized users

2. “Data Protection Law” means all laws that apply to the processing of Customer Personal Data under the Agreement, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder and other laws and regulations of the United States and its states, as amended from time to time.

3. “Data Subject” means the individual to whom Customer Personal Data relates.

4. “Personal Data” has the meaning given to it in the Data Protection Law, and includes “Personal Data,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Law. 

“Security Incident” means a material breach of Outmarket AI’s security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Customer Personal Data in Outmarket AI’s possession, custody or control. “Security Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

1.2 Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

2. Customer’s Instructions

2.1 Outmarket AI will process Customer Personal Data only in accordance with Customer’s instructions.  By entering into this DPA, Customer instructs Outmarket AI to process Customer Personal Data to provide the Services and to perform its other obligations and exercise its rights under the Agreement, including without limitation to (a) carry out Services or the business of which the Services are a part, (b) carry out any benefits, rights, and obligations relating to the Services, (c) maintain records relating to the Services, and (d) comply with any legal or self-regulatory obligations relating to the Services.  

3. Processing of Customer Personal Data

3.1 Outmarket AI serves as a “service provider” or “processor”, meaning that Outmarket AI processes Customer Personal Data at the direction of and on behalf of Customer.

3.2 The extent of Customer Personal Data processed by Outmarket AI is determined and controlled by Customer in its sole discretion and may include names, age, financial information, health information, email addresses, and other Personal Data that Customer may elect to upload to the Service

3.3 Each party will comply with the obligations applicable to it under the Data Protection Law with respect to the processing of Customer Personal Data. Customer represents and warrants that it has the necessary rights, consents and permissions to use Customer Personal Data and to enable Outmarket AI to process Customer Personal Data as intended by the parties under the Agreement.

3.4 When Outmarket AI processes Customer Personal Data, it will:

1. Except as permitted by applicable law, the Agreement or this DPA, not (a) “sell” or “share” (each as defined in the Data Protection Law) Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of providing the Services, (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Outmarket AI, and (d) combine Customer Personal Data with any Personal Data other than Customer Personal Data;

2. Provide reasonable assistance necessary for Customer to comply with its obligations under the Data Protection Law;

3. Promptly notify the Customer of any request made by a Data Subject in relation to Customer Personal Data. Outmarket AI will, at the Customer’s written request, provide the Customer with reasonable assistance necessary for the fulfilment of the Customer’s obligation to respond to requests for the exercise of Data Subjects’ rights under the Data Protection Law. Outmarket AI shall not respond to such requests other than confirming with the Data Subject that the request relates to the Customer and Customer Personal Data. Customer shall be solely responsible for responding to such requests;

4. Unless prohibited by law, inform Customer if Outmarket AI receives a request, complaint or other inquiry regarding the processing of Customer Personal Data;

5. Inform Customer if it can no longer comply with its obligations under this DPA. Upon notice to Outmarket AI, Customer may take reasonable and appropriate steps to remediate Outmarket AI’s use of Customer Personal Data in violation of this DPA; and

6. Upon termination of the Agreement, as instructed by Customer, delete or return Customer Personal Data, except where continued retention of Customer Personal Data is in accordance with applicable law or the Outmarket AI’s policies, in which case Outmarket AI shall retain such Customer Personal Data in accordance with this DPA.

4. Subprocessing

4.1 Customer agrees that Outmarket AI may use third-party suppliers to process Customer Personal Data on its behalf for the provision of the Services (each a “Subprocessor”).  in accordance with the terms of this DPA by posting to website https://outmarket.ai/docs/subp which shall have a mechanism allowing Customer to subscribe to notifications of new Subprocessors (the “Notification Mechanism”), and sending email notification to Customers who have subscribed to the Notification Mechanism. If Customer does not subscribe to such notifications, Customer shall be deemed to have received notice of a new Subprocessor when such changes are posted to the Subprocessors list website. In response to Customer’s reasonable objection, the parties will engage in good faith to determine an appropriate resolution.

4.2 When engaging any Subprocessor, Outmarket AI will enter into a written contract with such Subprocessor containing data protection obligations consistent with those in this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the services provided by such Subprocessor.

5. Data Security

5.1 Outmarket AI will implement and maintain technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data, as further described in Schedule 1. Outmarket AI may update the security measures from time to time, provided the updated measures do not decrease the overall protection of Customer Personal Data.

5.2 Customer agrees that, without limitation of Outmarket AI’s obligations under Section 5.1 of this DPA, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Outmarket AI uses to provide the Services; and (d) backing up Customer Personal Data. Customer agrees that the Services and Outmarket AI’s security commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Law, and provide a level of security appropriate to the risk in respect of Customer Personal Data.

6. Security Incidents

6.1 If Outmarket AI becomes aware of a Security Incident, Outmarket AI will: (a) notify Customer of the Security Incident without undue delay and in any event within 48 hours after becoming aware of it; and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm and prevent a recurrence.

6.2 Customer is solely responsible for complying with incident notification requirements applicable to Customer. Outmarket AI’s notification of or response to a Security Incident under this Section will not be construed as an acknowledgement by Outmarket AI of any fault or liability with respect to the Security Incident.

7. Audit

7.1 Outmarket AI will make available to Customer, at Customer’s request, reasonable information as necessary to demonstrate compliance with this DPA. 

7.2 To the extent Outmarket AI makes available to Customer confidential summary reports ("Audit Report") prepared by third-party security professionals, upon request from Customer, Outmarket AI may provide such Audit Report in satisfaction of any audit rights accorded to Customer pursuant to the Data Protection Law. The Audit Report shall be considered Outmarket AI’s confidential information. 

7.3 If Customer can demonstrate that it requires additional information, beyond the Audit Report, then Customer may request, at Customer's cost, Outmarket AI to provide for an audit subject to reasonable confidentiality procedures. Such audit shall: (i) not include access to any information that could compromise confidential information relating to other Outmarket AI’s customers or suppliers, Outmarket AI's technical and organizational measures, or any trade secrets; and (ii) be performed upon not less than thirty (30) days’ notice, during regular business hours, and in such a manner as not to unreasonably interfere with Outmarket AI’s normal business activities.

8. General

8.1 If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the processing of Customer Personal Data.

8.2 If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

8.3 Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement. Customer acknowledges that Outmarket AI is reliant on Customer for direction as to the extent to which Outmarket AI is entitled to process Customer Personal Data on behalf of Customer in the provision of the Services. Consequently, Outmarket AI will not be liable under the Agreement for any claim brought by individuals to whom Customer Personal Data relates arising from (a) any action or omission by Outmarket AI in compliance with Customer’s instructions, or (b) from Customer’s failure to comply with its obligations under the Data Protection Law.

8.4 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

Schedule 1 – Technical and Security Measures

Outmarket AI shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

• The pseudonymization and encryption of Customer Personal Data;

• Ensuring that personnel authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate obligation of confidentiality;

• The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

• The ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident;

• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Additionally, Outmarket AI shall maintain data confidentiality and security in a multi-tenant secure system, including but not limited to:

• Data Isolation: Ensuring logical data isolation between tenants to prevent unauthorized access to other tenants' Customer Personal Data.

• Access Control: Implementing strict access control measures, including role-based access control and multi-factor authentication, to limit access to Customer Personal Data to only those individuals who need it to perform their job duties.

• Encryption: Encrypting Customer Personal Data both in transit and at rest using industry-standard encryption algorithms and protocols.

• Monitoring and Logging: Continuously monitoring and logging access to Customer Personal Data and system activities to detect and respond to security incidents promptly.

• Audits: Conducting regular security audits and vulnerability assessments to identify and mitigate potential security risks.

• Data Minimization: Ensuring that only the necessary amount of Customer Personal Data is processed for the specified purposes.