This Data Processing Addendum (“DPA”) forms part of the agreement between Circleback AI, Inc. (“Circleback”, “Processor”, or “we”) and you (“Customer”, “Controller”, or “you”) (together, the “Parties”), the entity that has agreed to Circleback’s Terms of Service (the “Agreement”).

This DPA applies to the extent that Circleback processes Personal Data on your behalf in connection with the Services, and Applicable Data Protection Laws apply to such processing. By using the Services, you agree to this DPA. If you are accepting on behalf of an organization, you represent that you have authority to bind that organization.

1. Definitions
1.1 “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach”, and "Supervisory Authority"  have the meanings given in the General Data Protection Regulation (“GDPR”).

1.2 “Applicable Data Protection Laws” means all applicable data protection and privacy laws and regulations, including the GDPR (EU) 2016/679, UK GDPR, Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act, and any other data protection laws applicable to the processing of Personal Data under this DPA.

1.3 “Customer Personal Data” means Personal Data that Circleback processes on behalf of Customer in connection with the Services.

1.4 “Services” shall have the meaning set forth in the Agreement.

1.5 “DPF” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, as applicable.

1.6 “Subprocessor” means any third party engaged by Circleback to process Customer Personal Data.

1.7 "Data Subject Request(s)" means a request by a Data Subject to exercise the Data Subject's right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making.

2. Scope and Roles
Customer is the Controller with respect to Customer Personal Data. Circleback is the Processor. For the purposes of the CCPA (to the extent applicable), Customer is the Business and Circleback is the Service Provider.
The details of the processing (subject matter, duration, nature and purpose, types of Personal Data, and categories of Data Subjects) are described in Exhibit A.

3. Customer Obligations

Customer is responsible for ensuring that its use of the Services and its instructions to Circleback comply with Applicable Data Protection Laws. This includes ensuring that Customer has a valid lawful basis for the processing, and that any necessary consents or notices have been obtained or provided, including with respect to meeting participants who may not be Circleback users.

4. Circleback Obligations

Circleback will:

1. Process Customer Personal Data only in accordance with Customer’s documented instructions, including with respect to international transfers, unless required by applicable law. Circleback has no obligation to monitor the compliance of Customer’s use of the Services with applicable law and Circleback will have no liability for any harm or damages resulting from Circleback’s compliance with unlawful instructions received from Customer. However, Circleback will, unless legally prohibited from doing so, (i) inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law, and (ii) in either such event, cease all processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as Customer issues new instructions with which Circleback is able to comply. If this provision is invoked, Circleback will not be liable to Customer under the Agreement for failure to perform the Services until such time as the parties agree on new instructions;

2. Ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations;

3. Implement and maintain appropriate technical and organizational security measures as described in Exhibit B;

4. Comply with the subprocessor obligations set out in Section 7;

5. Assist Customer with Data Subject Requests in accordance with Section 9;

6. Where and to the extent required by Applicable Data Protection Laws, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Circleback.

7. At Customer’s election, provided that Customer is itself unable to accomplish the action without Circleback's assistance, delete or return all Customer Personal Data after the end of the provision of Services, and delete existing copies unless applicable law requires retention; and

8. Make available to Customer the information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and this DPA.
   
   

5. California Consumer Privacy Act
To the extent the CCPA applies to the processing of Customer Personal Data, Circleback certifies that it understands the restrictions set out in this Section and will comply with them. Circleback shall not: (a) “sell” or “share” Customer Personal Data (as such terms are defined in the CCPA); (b) process Customer Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms are defined in the CCPA); (c) retain, use, or disclose Customer Personal Data for any purpose other than for the business purposes set out in this DPA and the Agreement, or as otherwise permitted by the CCPA; or (d) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Circleback. Circleback shall not combine Customer Personal Data with personal information that Circleback receives from, or on behalf of, another person or persons, except as permitted by the CCPA.

6. Security

Circleback will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures are described at security.circleback.ai.

7. Subprocessors

Customer provides Circleback with general written authorization to engage Subprocessors. The current list of Subprocessors can be found at security.circleback.ai. Circleback may update this list from time to time, providing Customer with notice of such update at least 14 days in advance.

If Customer objects to a Subprocessor, Customer must notify Circleback in writing within 7 days of receipt of the updated Subprocessors list. If Customer reasonably objects to an engagement, and Circleback cannot provide a commercially reasonable alternative within a reasonable period of time, either Party may discontinue the affected Services with reasonable prior written notice. Discontinuation shall not relieve Customer of any fees owed to Circleback under the Agreement.

Circleback will (i) enter into a written agreement with each Subprocessor regarding such Subprocessor’s processing of Customer Personal Data that imposes data protection requirements consistent with this DPA; and (ii) remain responsible to Customer for Circleback’s Subprocessors’ failure to perform their obligations with respect to the processing of Customer Personal Data.

8. International Data Transfers

Customer acknowledges that Circleback’s primary processing operations take place in the United States, and that the transfer of Customer Personal Data to the United States is necessary for the provision of the Services.

Customer Personal Data may be transferred from the EEA (European Economic Area), Switzerland, or the United Kingdom to countries that offer an adequate level of data protection pursuant to adequacy decisions published by the relevant data protection authorities.

Customer Personal Data may be transferred from the EEA, Switzerland, or the United Kingdom to Circleback in the United States on the basis of Circleback’s certification to the DPF.

If Circleback transfers Customer Personal Data to a jurisdiction for which no adequacy decision has been issued and the DPF does not apply, Circleback will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Applicable Data Protection Laws.

9. Data Subject Rights

Circleback shall, to the extent permitted by law, notify Customer upon receipt of a Data Subject Request. If Circleback receives a Data Subject Request in relation to Customer’s data, Circleback will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Circleback, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.

​​Circleback shall, at the request of the Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer's obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Circleback's assistance and (ii) Circleback is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Circleback.

10. Personal Data Breach Notification

Circleback shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as Circleback in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach. Notification of a breach is not an acknowledgment of fault or liability.

Circleback shall, taking into account the nature of the processing and the information available to Circleback, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.

11. Audits

Circleback will maintain records of its compliance with this DPA for a period of three (3) years. Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, Circleback shall make available to Customer (or Customer’s independent, reputable, third-party auditor) information regarding Circleback’s compliance with the obligations set forth in this DPA by providing Customer with the most recent third-party audit reports. 

Where Applicable Data Protection Laws afford Customer an audit right, Customer (or Customer’s independent, reputable, third-party auditor) may request an audit of Circleback’s policies, procedures, and records relevant to the processing of Customer Personal Data necessary to confirm Circleback’s compliance with this DPA. Customer shall reimburse Circleback for its costs and expenses, including any time expended in connection with any such audit. Before the commencement of any such audit, Customer and Circleback shall mutually agree upon the scope, timing, and duration of the audit. Any audit must be: (a) conducted at Circleback’s offices during regular business hours; (b) with reasonable prior written notice to Circleback; (c) carried out in a manner that prevents unnecessary disruption to Circleback’s operations; (d) limited to no more than once per calendar year; and (e) subject to reasonable confidentiality obligations.

12. Data Retention and Deletion
Customer Personal Data is retained for the duration of the agreement. Customers may configure workspace-level retention periods for meeting data through the Service’s administrative settings. After the retention period expires, the applicable data is permanently deleted.

If no retention period is configured, Customer Personal Data persists while the account is active and until Customer deletes it through the Service.

Following completion of the Services, at Customer’s choice and to the extent Customer is unable to fulfill such obligations without Circleback's assistance, Circleback shall return or delete Customer Personal Data, unless further storage of such Customer Personal Data is required or authorized by applicable law.

13. Term and General Provisions

This DPA takes effect when Customer agrees to the Agreement and remains in effect until Circleback ceases all processing of Customer Personal Data. The provisions of this DPA that by their nature should survive termination will survive.

This DPA is governed by the laws of Ireland. The courts of Ireland shall have exclusive jurisdiction in relation to any dispute arising out of or in connection with this DPA.

This DPA supersedes and replaces any previously issued data processing agreement or addendum between Customer and Circleback relating to the processing of Customer Personal Data. In the event of a conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Customer Personal Data.

For questions about this DPA, contact support@circleback.ai.

Exhibit A: Description of Processing

Nature and Purpose of Processing

Circleback will process Customer’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA.

Duration of Processing

Circleback will process Customer’s Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Circleback’s legitimate business needs; or (iii) by applicable law or regulation. Customer Personal Data will be processed and stored as set forth in the Agreement and this DPA. 

Categories of Data Subjects

• Customer’s authorized users of the Services

• Meeting participants (including individuals who may not be Circleback users)

Categories of Personal Data

As described in Circleback’s Privacy Policy at circleback.ai/privacy.

Special Categories of Data

Not applicable.

Exhibit B: Technical and Organizational Security Measures

See Security Portal at security.circleback.ai.