This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between Probat AI Inc. ("Probat AI," "Processor," "Service Provider") and the customer agreeing to the Agreement ("Customer," "Controller," "Business"). Capitalized terms not defined here have the meaning given in the Agreement.
Processor / Service Provider: Probat AI Inc., 1908 Thomes Avenue, STE 12612, Cheyenne, Wyoming 82001
Contact: privacy@probat.ai
Customer: The entity identified in the applicable Order Form or account registration.
2.1 This DPA applies where Probat AI processes Personal Data on behalf of Customer in connection with the Services.
2.2 If there is a conflict between this DPA and the Agreement, this DPA controls for data processing terms only. All other terms remain governed by the Agreement.
3.1 "Personal Data" has the meaning in applicable data protection law (including GDPR).
3.2 "Processing" has the meaning in applicable data protection law.
3.3 "Customer Personal Data" means Personal Data contained in Customer Data that Probat AI processes on behalf of Customer as a processor/service provider.
3.4 "Subprocessor" means a third party engaged by Probat AI to process Customer Personal Data.
3.5 "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Probat AI's systems.
4.1 Customer as Controller/Business. Customer is the controller (or business) of Customer Personal Data and determines the purposes and means of processing.
4.2 Probat AI as Processor/Service Provider. Probat AI processes Customer Personal Data on behalf of Customer as a processor (or service provider) to provide the Services, as described in the Agreement and this DPA.
4.3 Customer Instructions. Customer instructs Probat AI to process Customer Personal Data only as necessary to provide and secure the Services, comply with Customer's lawful instructions, and as otherwise permitted under the Agreement.
5.1 Subject Matter. Provision of the Services, including analytics/experimentation workflows, dashboards, integrations, support, and security.
5.2 Duration. For the term of the Agreement, plus any retention period described in the Agreement, unless earlier deleted in accordance with Customer settings and the Agreement.
5.3 Nature and Purpose. Hosting, storage, transmission, analysis, and display of Customer Personal Data to provide the Services; security and abuse prevention; support; troubleshooting; and service performance.
5.4 Categories of Data Subjects. End users of Customer's websites or products; Customer employees, contractors, or users.
5.5 Types of Personal Data. Depending on Customer implementation: event/interaction data, online identifiers, user IDs, device/browser data, IP address, session data, experimentation exposure and results, and other Customer-configured properties.
5.6 Special Categories. Customer will not submit special categories of data (or regulated sensitive data) unless expressly agreed in writing.
Customer represents and warrants that:
6.1 It has provided all required notices and obtained all necessary consents and lawful bases to collect and provide Customer Personal Data to Probat AI for processing.
6.2 Its instructions to Probat AI comply with applicable law.
6.3 It will not provide regulated sensitive data unless expressly agreed in writing.
7.1 Confidentiality. Probat AI ensures personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
7.2 Processing on Instructions. Probat AI will process Customer Personal Data only on documented instructions from Customer as set out in the Agreement and this DPA, unless required by law.
7.3 Security Measures. Probat AI will maintain reasonable technical and organizational measures designed to protect Customer Personal Data (see Annex 2).
7.4 Assistance. Probat AI will provide reasonable assistance to Customer for:
in each case to the extent Customer cannot access the relevant information through the Services and subject to reasonable fees for excessive requests.
8.1 Authorization. Customer grants Probat AI general authorization to engage Subprocessors.
8.2 Obligations. Probat AI will impose contractual obligations on Subprocessors that are no less protective than this DPA for the relevant processing.
8.3 List and Updates. Probat AI will maintain a list of Subprocessors upon request. Probat AI may update Subprocessors as needed to provide the Services.
8.4 Objection (Narrow). Customer may object to a new Subprocessor on reasonable data protection grounds by providing written notice within 10 days of receiving notice. If Customer objects and the parties cannot resolve, Probat AI may terminate the affected Services without penalty beyond refunding prepaid unused fees for that portion, if applicable.
9.1 Notice. Probat AI will notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Customer Personal Data.
9.2 Information. Probat AI will provide information reasonably necessary to help Customer meet incident reporting obligations.
9.3 No Admission. Notification is not an admission of fault or liability.
10.1 If Probat AI receives a request from a data subject relating to Customer Personal Data, Probat AI will direct the data subject to Customer where feasible.
10.2 Probat AI will reasonably assist Customer as described in Section 7.4.
11.1 During Term. Customer may delete Customer Personal Data through the Services where functionality exists.
11.2 Upon Termination. Upon termination, Probat AI will delete or return Customer Personal Data in accordance with the Agreement, except to the extent retention is required for legal compliance, security, backups, dispute resolution, or enforcing the Agreement.
11.3 Backups. Deleted data may persist in backups for a limited period in accordance with Probat AI's backup retention practices.
12.1 Audit Rights (Limited). Customer may audit Probat AI's compliance with this DPA no more than once per year upon 30 days' written notice, subject to:
12.2 Alternative Evidence. Probat AI may satisfy audit requests by providing reasonable security and compliance documentation (for example, policies, summaries, third-party reports) in lieu of an on-site audit.
12.3 Costs. Customer pays costs of audits unless the audit reveals material noncompliance.
13.1 Customer acknowledges Customer Personal Data may be processed in the United States and other jurisdictions where Probat AI or its Subprocessors operate.
13.2 Where GDPR applies and a transfer mechanism is required, the parties agree to use the SCCs in Annex 1.
To the extent the CCPA/CPRA applies and Customer is a "Business":
14.1 Probat AI acts as a "Service Provider" (or "Processor") and will not "sell" or "share" Customer Personal Data as those terms are defined by the CCPA/CPRA.
14.2 Probat AI will process Customer Personal Data only for the purposes of providing the Services and as permitted by the Agreement.
14.3 Customer instructs Probat AI to process Customer Personal Data for the limited and specified business purposes described in the Agreement.
15.1 Service Improvement. Customer acknowledges and agrees that Probat AI may use Customer Data (including experimentation data, performance metrics, and outputs) to operate, maintain, improve, and develop the Services, including training and improving models and automation systems, as described in the Agreement.
15.2 Aggregated and De-Identified Data. Probat AI may create and use aggregated and de-identified data for analytics, benchmarking, product improvement, research, and model training. Aggregated and de-identified data is not Customer Personal Data.
15.3 Customer Controls. If the Services provide settings that allow Customer to limit certain data uses, Customer may configure those settings, and Probat AI will honor them for the scope described in the Services.
All liability arising out of or relating to this DPA is subject to the limitations of liability in the Agreement.
This DPA remains in effect for as long as Probat AI processes Customer Personal Data on behalf of Customer under the Agreement.
If GDPR applies and SCCs are required for international transfers, the parties agree that:
Probat AI maintains reasonable safeguards designed to protect Customer Personal Data, which may include:
Customer is responsible for securing its own environments, credentials, access controls, and deployment pipelines.
Probat AI may use Subprocessors for hosting, observability, support tooling, and payments. Customer may request the current Subprocessor list by emailing privacy@probat.ai.