This Data Processing Addendum (“DPA”) forms part of the Master Software as a Service Agreement (“Agreement”) between Function AI LLC (“Processor,” “Function AI,” “we,” “us,” or “our”) and the entity identified in the applicable order form or Agreement (“Controller” or “Customer”). This DPA applies to the extent Function AI processes Personal Data on behalf of Customer in connection with the Services.
1. DEFINITIONS. For purposes of this DPA:
(a) “Applicable Data Protection Law” means all laws applicable to the Processing of Personal Data under the Agreement, including the General Data Protection Regulation (“GDPR”), UK GDPR, and applicable U.S. state privacy laws, including the California Consumer Privacy Act (“CCPA/CPRA”).
(b) “Personal Data” means any information relating to an identified or identifiable natural person.
(c) “Processing” means any operation performed on Personal Data.
(d) “Subprocessor” means any third party engaged by Processor to process Personal Data.
(e) “Data Subject” means the individual to whom Personal Data relates.
(f) “Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Capitalized terms not defined herein shall have the meaning set forth in the Agreement.
2. Roles of the Parties.
2.1 Controller determines the purposes and means of Processing Personal Data.
2.2 Processor shall process Personal Data only on behalf of Controller and in accordance with this DPA, the Agreement, and Controller’s documented instructions.
2.3 The parties acknowledge that Controller is responsible for ensuring that it has all necessary rights and consents to provide Personal Data to Processor.
3. Scope and Purpose of Processing.
3.1 Processor shall process Personal Data solely for the purpose of providing the Services, performing obligations under the Agreement, and complying with applicable law.
3.2 Processor shall not sell, retain, use, or disclose Personal Data for any purpose other than providing the Services.
3.3 Processor shall not combine Personal Data with data obtained from other sources except as permitted by law.
4. Processor Obligations. Processor shall:
4.1 Process Personal Data only on documented instructions from Controller;
4.2 Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations and receive appropriate training;
4.3 Implement appropriate technical and organizational measures to protect Personal Data;
4.4 Assist Controller, taking into account the nature of processing, in responding to Data Subject requests, including access, correction, deletion, and restriction;
4.5 Notify Controller without undue delay after becoming aware of a Security Incident; and
4.6 Maintain records of processing activities as required by applicable law.
5. Security Measures.
5.1 Processor shall implement commercially reasonable administrative, technical, and physical safeguards, including (i) encryption of data in transit using industry-standard protocols, (ii) access controls limiting access to authorized personnel, (iii) authentication mechanisms (including multi-factor authentication where appropriate), and (iv) monitoring and logging of system activity.
5.2 Processor may update or modify security measures from time to time, provided that such modifications do not materially reduce the level of protection.
6. Subprocessors.
6.1 Controller authorizes Processor to engage Subprocessors.
6.2 Processor shall (i) maintain a list of Subprocessors; (ii) impose data protection obligations on Subprocessors that are no less protective than those set forth in this DPA; and (iii) remain liable for Subprocessor performance.
6.3 Processor shall provide notice of new Subprocessors, and Controller may object on reasonable data protection grounds within a reasonable period.
7. International Data Transfers.
7.1 Processor may transfer Personal Data to countries outside the jurisdiction of Controller.
7.2 Where required, Processor shall implement appropriate safeguards, including Standard Contractual Clauses approved by the European Commission and equivalent transfer mechanisms under applicable law.
8. Data Subject Rights.
8.1 Processor shall, to the extent legally required and technically feasible, assist Controller in responding to Data Subject requests.
8.2 If Processor receives a request directly from a Data Subject, Processor may redirect the request to Controller and respond directly where authorized by Controller or required by law.
9. Data Retention and Deletion.
9.1 Processor shall retain Personal Data only as long as necessary to provide the Service and comply with legal obligations.
9.2 Upon termination of the Agreement, Processor shall, at Controller’s election, delete Personal Data or return Personal Data to Controller.
9.3 Processor may retain Personal Data where required by law, subject to confidentiality obligations.
10. Audits and Compliance.
10.1 Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.
10.2 Audits shall be conducted at Controller’s expense and no more than once per year and during normal business hours, subject to reasonable notice.
10.3 Processor may satisfy audit obligations through third-party certifications and independent audit reports (e.g., SOC 2), where available.
11. Security Incident Notification.
11.1 In the event of a Security Incident, Processor shall notify Controller without undue delay and provide information reasonably necessary to assess the impact.
11.2 Notification shall not constitute an admission of fault.
12. CCPA/CPRA Provisions. To the extent applicable:
12.1 Processor acts as a “service provider” or “contractor”.
12.2 Processor shall not sell or share Personal Data or use Personal Data for purposes other than those specified in the Agreement.
12.3 Processor shall comply with applicable obligations under the California Consumer Privacy Act.
13. Limitation of Liability. This DPA is subject to the limitations of liability set forth in the Agreement.
14. Order of Precedence. In the event of a conflict, this DPA governs with respect to data protection obligations. The Agreement governs all other matters.
15. Term and Termination. This DPA shall remain in effect for the duration of Processing under the Agreement.
16. Governing Law. This DPA shall be governed by the laws specified in the Agreement.