Data Processing Agreement

Version: 1.0
Effective Date: January 1, 2025

This Data Processing Agreement ("DPA") represents the Parties’ agreement regarding the processing of Customer Personal Data (defined below) by Enablism on behalf of Customer in order to carry out the Services, and it is incorporated into and forms part of Enablism’s Master Services Agreement or Terms of Service (the “Agreement”), as updated from time to time. Defined terms used in the DPA but not defined in this DPA shall have the same meaning in this DPA as are given to them in the Agreement.

1. Definitions

  • "Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity. "Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" will be construed accordingly.
  • "Customer Personal Data" means any Customer’s Proprietary Information that is personal data and that is processed by Enablism on behalf of Customer in the course of providing the Services under the Agreement, as more particularly described in Schedule A of this DPA.
  • "Customer’s Proprietary Information" or "Customer Data" means the proprietary content provided by Customer to Enablism or other Information belonging to Customer, that is provided to and processed by Enablism on behalf of Customer in the course of providing the Services under the Agreement, including personal data, that is not public knowledge and that is viewed as the property of the holder. Notwithstanding the foregoing, "Customer’s Proprietary Information" or "Customer Data" shall not be construed to mean or include metadata created from Customer's use of the Services, to the extent that such data is wholly anonymized and cannot be recompiled into Customer Personal Data, Customer’s Proprietary Information, or Customer Data.
  • "Data Protection Laws" means all data protection and privacy laws and regulations applicable to the Customer Personal Data in question, including, where applicable, EU/UK Data Protection Laws.
  • "Data Systems" means information systems including, but not limited to, cloud-based systems, net-services, networks, computers, computer systems, communication systems and other information systems which may or may not be part of the Enablism software.
  • "EU/UK Data Protection Law" means: (i) the GDPR; (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.
  • "Enablism Affiliate" means the Affiliates of Enablism that may assist in the performance of the Services in accordance with this DPA.
  • "EEA" means the European Economic Area.
  • "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (European Union General Data Protection Regulation).
  • "Enablism Platform" or the "Platform" is the software or Services provided by Enablism as part of the Services.
  • "Permitted Affiliate" means any Affiliate of Customer which: (i) is the controller of Customer Personal Data; and (ii) is permitted to use the Service pursuant to the Agreement, but has not signed its own service agreement or Order Form with Enablism and is not a "Customer" as defined under the Agreement.
  • "Process", "Processing" or "Processed" means any operation or set of operations which is performed upon Customer Proprietary Information including Personal Data, whether or not by automated means, according to the definitions given to such terms in the GDPR.
  • "Restricted Transfer" means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
  • "Standard Contractual Clauses" means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs").
  • "Security Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data transmitted, stored or otherwise processed by Enablism and/or its Sub-processors in connection with the provision of the Service. "Security Breach" shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
  • "Services" means all services provided by Enablism in accordance with, and as defined in, the Agreement.
  • "Sub-processor" means any third party engaged by Enablism or Enablism Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.

The terms "controller", "data subject", "processor", "processing", "personal data" and "supervisory authority" shall have the meanings given to them in Data Protection Laws or if not defined therein, the GDPR.

2. Roles and Scope of Processing

2.1 This DPA applies where and only to the extent that Enablism processes Customer Personal Data as a processor or sub-processor on behalf of the Customer in the course of providing Services pursuant to the Agreement.

2.2 Customer is the controller of the Customer Personal Data and is solely responsible for providing all required notices and obtaining all the necessary authorizations and approvals to enter, use, provide, store and process Customer Personal Data to enable Enablism to lawfully provide the Services. Customer shall, in its use of the Service and provision of instructions to Enablism, process Customer Personal Data in accordance with all laws and regulations. Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to Enablism for processing [except where and to the extent expressly disclosed in Schedule A of this DPA].

2.3 Customer, as the controller, hereby appoints Enablism as the processor in respect of all processing operations required to be carried out by Enablism on Customer Personal Data in order to provide the Services in accordance with the terms of the Agreement.

2.4 Enablism shall collect, retain, use, disclose, and otherwise process the Customer Personal Data only in accordance with documented instructions given by Customer for the following purposes: (i) processing in accordance with the Agreement; (ii) processing initiated by software users in their use of the Services; and (iii) processing to comply with other documented reasonable and lawful instructions provided by Customer (unless required by law to act without such instructions, in which case Enablism shall, except where prohibited by law from doing so, inform the Customer of that legal requirement before Processing). For these purposes, Customer instructs Enablism to process Customer Personal Data for the purposes described in Schedule A. The DPA and Main Agreement are Customer's complete and final instructions.

3. Sub-Processing

3.1 Customer acknowledges and agrees that Enablism and Enablism Affiliates may engage third-party Sub-Processors to process Customer Personal Data on behalf of Enablism in connection with the provision of the Services.

3.2 A list of Enablism's current Sub-processors is published at: Enablism Subprocessors.

3.3 Customer may opt into notifications regarding any additions to the Sub-processor List by notifying Enablism at hello@enablism.com. If Customer has elected to receive these notifications, Enablism shall notify Customer of any proposed amendments to the Sub-processor List (including the addition or any replacement to the list) which would impact the Services purchased by Customer, at least fifteen days prior to any such change.

3.4 Enablism will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of all Sub-processors it engages to provide the Services, that cause Enablism to breach any of Enablism’s obligations under this DPA.

4. Compliance with Laws

4.1 Each Party will comply with all applicable laws, including the Data Protection Laws applicable to it and binding on it in the performance of the Service, including all statutory requirements relating to data protection.

4.2 Customer acknowledges that Enablism is not responsible for determining the requirements of laws applicable to Customer’s business, clientele, or choice of markets, or that Enablism’s provision of the Services meets the requirements of such laws.

5. Security Responsibilities of Enablism

5.1 Enablism shall implement and maintain appropriate technical and organizational measures for ensuring the security of, and protecting the confidentiality and integrity of, Customer Personal Data and to ensure that Enablism’s processing of Customer Personal Data is in accordance with the requirements of the Data Protection Laws and protects the rights of Data Subjects. These measures ensure a level of security appropriate to the risks presented by the nature of the processing activities having regard to the state of the art and the cost of their implementation.

5.2 Information relevant to how Enablism security measures are implemented and maintained is provided in the “Technical and Organizational Security Measures” document, attached hereto as Schedule B. Enablism reserves the right to make changes to the document to reflect technological developments, provided that such changes do not result in any degradation to the security of Customer Personal Data or the manner in which the Services are provided.

5.3 In addition to those Measures identified in Schedule B, the technical and organizational measures implemented by Enablism include the following:

  • Enablism has implemented and will maintain appropriate procedures to ensure that unauthorized persons will not have access to Customer Personal Data and to the Data Systems used to process Customer Personal Data, and that any persons authorized to have access to Customer Personal Data will protect and maintain its confidentiality and security.
  • Enablism has implemented and will maintain appropriate measures to ensure that all employees and contractors involved in the processing of Customer Personal Data are authorized personnel with a need to access the data, are bound by appropriate confidentiality obligations and have undergone appropriate training in the protection and handling of Personal Data.

5.4 Customer declares and confirms to have evaluated the security measures implemented by Enablism as providing an appropriate level of protection for the Customer Proprietary Information, taking into account the risk associated with the processing of such information.

6. Security Breach

6.1 If Enablism becomes aware of a Security Breach affecting Customer Personal Data, Enablism shall, without undue delay: (I) notify Customer of the Security Breach; and (II) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach.

6.2 In the event of a Security Breach, Enablism shall provide Customer with reasonable assistance in dealing with the Security Breach, in particular in relation to making any notification to a supervisory authority or any communication to data subjects, as required under Data Protection Laws. In order to provide such assistance and taking into account the nature of the Services and the information available to Enablism, Enablism shall provide all such timely information as it becomes known or as is reasonably requested by Customer.

6.3 Customer agrees that Enablism’s obligation to report or respond to a Security Breach under this Section is not and will not be construed as an acknowledgement by Enablism of any fault or liability of Enablism with respect to the Security Breach.

7. Subject Access Requests & Other Communications

Taking into account the nature of the Services, Enablism shall provide reasonable assistance to Customer, to allow the Customer to respond to (i) any request from a data subject to exercise any of its rights under applicable Data Protection Laws; and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Customer Personal Data. To the extent permitted by law, Enablism shall forward to Customer any such request, correspondence, enquiry or complaint it receives. Any cost arising from the provision of assistance by Enablism under this Section 7 shall be borne by Customer. Enablism shall provide an estimate of any such costs, which shall be agreed in writing by the Parties.

8. Data, Retrieval & Destruction

8.1 Subject to Section 8.2, on termination of this DPA, Customer will uninstall, remove, or otherwise fully cease all interactions with all instances of the Services contemplated by this Agreement. Within up to One Hundred and Twenty (120) days following the termination of this DPA, Enablism shall destroy all Customer Personal Data, Customer’s Proprietary Information, or Customer Data (including all data contained within the Services). Neither party shall be obligated to erase or destroy Customer Personal Data that such party is required to retain under any applicable law, regulation or order, or that is contained in an archived computer system backup, provided that such archived copy (i) will eventually be erased or destroyed in the ordinary course of such party’s data processing procedures, and (ii) shall remain fully subject to the obligations of confidentiality stated herein until the earlier of the erasure or destruction of such copy.

8.2 Customer acknowledges that the Services rely on cloud infrastructure providers (e.g., AWS, Azure), and that Enablism can only logically delete terminated Customer Personal Data stored in the Platform. Enablism will carry out the logical deletion within One Hundred and Twenty (120) days from the termination of the Agreement and will refrain from using Customer Personal Data for any other purpose during that period.

9. Information Security Assessment

9.1 Customer acknowledges that Enablism, as an organization, maintains robust security practices. Upon Customer's request and on a confidential basis, Enablism will provide, no more than once per calendar year to Customer and its designees, all reasonably requested information necessary to demonstrate Enablism’s compliance with Data Protection Laws.

9.2 Customer is responsible for reviewing the information made available by Enablism relating to data security and making an independent determination as to whether the provisions of the DPA in relation to the provision of the Services meet Customer’s requirements and legal obligations, as well as the obligations under this DPA.

10. Processing Locations

Customer acknowledges and agrees that Enablism may transfer and process Customer Personal Data to and in the United States, Canada, and other locations in which Enablism, Enablism Affiliates or Enablism's Sub-Processors maintain data processing operations. Enablism shall at all times ensure such transfers are made in compliance with the requirements of this DPA.

11. Europe

11.1 The terms in this Section 11 apply only if and to the extent Customer Personal Data is subject to EU/UK Data Protection Law.

11.2 Enablism shall notify Customer in writing, unless prohibited from doing so under EU/UK Data Protection Law, if it becomes aware or believes that any data processing instruction from Customer violates applicable EU/UK Data Protection Law.

11.3 Enablism will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than this DPA and to the extent applicable to the nature of the services provided by such Sub-processor.

11.4 To the extent the transfer of Customer Personal Data from Customer to Enablism is a Restricted Transfer, it shall be subject to the appropriate Standard Contractual Clauses as follows:

11.4.1 In relation to Customer Personal Data that is protected by the GDPR, the EU SCCs will apply as follows:

  • Enablism will be the "data importer" and Customer will be the "data exporter";
  • Module Two (Controller to Processor Clauses) will apply;
  • in Clause 7, the optional docking clause will apply;
  • in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
  • in Clause 18(b), disputes shall be resolved before the courts of Ireland;
  • Annex I shall be deemed completed with the information set out in Schedule A of this DPA; and
  • Annex II shall be deemed completed with the information set out in Schedule B of this DPA.

11.4.2 In relation to Customer Personal Data that is protected by the UK GDPR or Swiss DPA, the EU SCCs will apply with standard modifications for UK/Switzerland.

Where required, Enablism will execute the UK Addendum or Swiss Addendum upon Customer’s request.

12. Nondisclosure

Customer agrees that the details of this DPA are not publicly known and constitute Enablism’s Confidential Information under the confidentiality provisions of the Agreement. If the Agreement does not include a confidentiality provision protecting Enablism Confidential Information and Customer and Enablism or its Affiliates do not have a non-disclosure agreement in place covering this DPA, then Customer will not disclose the contents of this DPA to any third party except as required by law.

13. Permitted Affiliates

When a Permitted Affiliate becomes a party to the DPA, then such Permitted Affiliate shall be entitled to exercise its rights and remedies available under this DPA to the extent required under Data Protection Laws. The Customer that is the contracting entity is responsible for coordinating all communication with Enablism under the DPA and is entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates.

14. Liability

Enablism's and all of Enablism Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including the Standard Contractual Clauses) and all data processing agreements between Customer, Permitted Affiliates and Enablism, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability under the Agreement.

15. California Consumer Privacy Act

15.1 The terms in this Section 15 apply only if and to the extent Customer Personal Data is subject to the California Consumer Privacy Act, California Civil Code § 1798.100 et seq. (as may be amended, modified, or supplemented from time to time, and together with any implementing regulations, “CCPA”).

15.2 Enablism acknowledges and agrees that it is required to assist Customer through appropriate technical and organizational measures in complying with certain requirements under the CCPA.

15.3 Enablism will reasonably assist Customer with any data subject access, erasure or opt-out requests and objections.

16. Generative AI Technology

16.1 Definitions: As used herein, "AI Technology" refers to natural language processing tools, products, or services, machine learning capabilities, automated decision-making technology, models, and all artificial intelligence software, systems, processes, or technology.

16.2 Use of AI Technology: Enablism will not use, disclose, or process any Customer Data (including any derivative, subset, or compilation of such Customer Data) through AI Technology except as explicitly authorized herein. Enablism will only use AI Technology as necessary to provide Services to the Customer and strictly in accordance with the terms of this Agreement. Where Customer elects to use AI-powered features, Enablism will process such data through Azure OpenAI by default, or through a Customer-provided model/key if the Customer configures one.

16.3 Additional Restrictions: Enablism, and any party acting on its behalf, shall not:

  • Process Customer Data (or any derivative, subset, or compilation of such Customer Data) using AI Technology in a manner that co-mingles the Customer's data with the data of any other Enablism customer.
  • Process Customer Data (or any derivative, subset, or compilation of such Customer Data) to train any AI Technology, including associated models, for any purpose other than as required to provide Services to the Customer in accordance with this Agreement or as expressly permitted (e.g. on anonymized/aggregated data).

Enablism represents, warrants, and covenants that no Customer Data processed through AI Technology will be accessible to, accessed by, transmitted to, or received by any third party unless explicitly permitted by this Agreement. No Customer Data will be used for model training by Enablism or any third-party model provider. Customer-provided AI model keys or credentials are treated as Customer Confidential Information and are not transmitted to any third party except the Customer’s configured AI endpoint.

17. Miscellaneous

17.1 Notwithstanding the foregoing and anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Enablism shall have a right to process Customer Personal Data or data related to Customer's use of the Service for the purposes of creating anonymized, aggregate and/or de-identified information for its own legitimate business purposes, including but not limited to improving and developing the Service.

17.2 This DPA supersedes and replaces all prior representations, understandings, communications and agreements between the Parties in relation to the matter of this DPA.

17.3 As between Customer and Enablism, this DPA is incorporated into and subject to the terms of the Agreement and shall be effective and remain in force for the term of the Agreement or the duration of the Service. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect.

17.4 In no event shall this DPA benefit or create any right or cause of action on behalf of a third party, but without prejudice to the rights or remedies available to data subjects under Data Protection Laws or this DPA.


Schedule A to the DPA - Description of Processing

Data Exporter (Customer)

The party identified as the "Customer" in the Agreement.

Data Importer (Enablism)

Enablism Inc.

Vancouver, British Columbia, Canada

Contact: hello@enablism.com

Categories of Data Subjects: Clients, customers, prospects of Customer, business partners, and end-users.

Categories of Personal Data: Identification and contact data (name, email, job title, company); business data input into calculators; call transcripts (if applicable); optional conversational data entered into AI-powered features; optional customer-provided AI model keys or configuration metadata (if applicable).

Duration of Processing: Term of the Agreement plus retention period.

Schedule B - Technical and Organizational Security Measures

Additional details are outlined in Enablism’s Security Overview (Technical and Organizational Measures), incorporated by reference.

  • Encryption: Data is encrypted in transit with TLS 1.2+. Data is encrypted at rest using industry-standard encryption.
  • Access Control: Logical access controls based on least privilege; role-based access control (RBAC). Support for SSO (SAML) and MFA/2FA is available and may be enforced via Customer identity provider.
  • Vulnerability Management: Regular vulnerability assessments and patch management.
  • Resilience: Platform architecture designed for high availability and redundancy.
  • Physical Security: Reliance on enterprise-grade cloud providers (e.g., Azure, AWS) for physical data center security.
  • Incident Response: Procedures in place to detect, respond to, and report security incidents. Logging and monitoring controls are in place to detect anomalous activity and support incident response.