iSales AI - Data Processing Addendum

Last Updated: 1st June, 2025

This Data Processing Addendum (“DPA”) forms an integral part of the iSales AI Terms of Service, and any other applicable master services agreement between you (“Customer,” “you,” or “your”) and iSales AI (“iSales AI,” “we,” “us,” or “our”) (collectively, the “Agreement”).

This DPA applies to the Processing of Personal Data by iSales AI in the course of providing the iSales AI Services (as defined in the Agreement), including AI-powered chatbot functionalities managed primarily through a native Telegram bot interface. It sets forth the terms and conditions under which iSales AI Processes Personal Data on behalf of the Customer as a Processor, and how iSales AI Processes certain Personal Data as a Controller.

By entering into the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its authorized Affiliates.

Table of Contents

1. Definitions

Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

Applicable Data Protection Laws means all privacy, data security, and data protection laws, regulations, and governmental requirements applicable to the respective party in its role under the Agreement, including but not limited to the GDPR, UK GDPR, FADP, CCPA/CPRA, LGPD, Russian Federal Law No. 152-FZ "On Personal Data," and other applicable national or state laws. Each party is responsible for determining and complying with its own Applicable Data Protection Laws.

Controller means the entity that determines the purposes and means of the Processing of Personal Data. In the context of Russian Federal Law No. 152-FZ, this corresponds to the "Operator."

Customer Account Data means Personal Data relating to the Customer, its representatives, and authorized End Users that iSales AI Processes as an independent Controller, as more particularly described in Annex 1, Part B of this DPA.

Customer Content means Personal Data relating to End Users and Customer's Conversation Participants that iSales AI Processes on behalf of the Customer as a Processor in the course of providing the Services, including data inputted into or generated by AI Features, as more particularly described in Annex 1, Part A of this DPA.

Customer's Conversation Participants (or “Conversation Participants”) means Data Subjects with whom Customer communicates using the Services (e.g., end-users of Customer's chatbots on Telegram, WhatsApp, Facebook, Instagram) and/or whose Personal Data is uploaded to, or processed by, the Services by or on behalf of the Customer.

Data Breach means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by iSales AI. Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

Data Privacy Frameworks or “DPF” means, collectively, the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF (UK Extension), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as administered by the U.S. Department of Commerce.

Data Subject means an identified or identifiable natural person to whom Personal Data relates.

End Users means the Customer and other Data Subjects who have lawful access to the Services under the Customer's account or authorization.

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

LGPD means the Brazilian General Data Protection Law (Law No. 13,709/2018).

Personal Data means “personal data,” “personal information,” “personally identifiable information,” or similar terms as defined under Applicable Data Protection Laws. Under this DPA, Personal Data encompasses both Customer Content and Customer Account Data.

Processing (and its cognates like “Process”) means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Processor means an entity that Processes Personal Data on behalf of a Controller. In the context of Russian Federal Law No. 152-FZ, this corresponds to a person "processing personal data on behalf of the operator."

Services means the AI chatbot services, associated software, tools, and platform (including the native Telegram bot interface) provided by iSales AI to Customer pursuant to the Agreement.

Standard Contractual Clauses or “SCCs” means, as applicable: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR, including the UK International Data Transfer Addendum to the EU SCCs (“UK Addendum”); (iii) where the Swiss Federal Act on Data Protection (“FADP”) applies, the applicable standard data protection clauses issued, approved, or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCCs”); and (iv) where the LGPD applies, the applicable standard data protection clauses (“Brazilian SCCs”) issued, approved, or recognized by the Brazilian National Data Protection Authority (“ANPD”), in each case as completed or supplemented as described in Annex 3 (International Provisions and Jurisdiction-Specific Terms) of this DPA.

Sub-processor means any Processor engaged by iSales AI or an Affiliate of iSales AI to Process Customer Content.

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

2. Relationship of the Parties and Roles

2.1. iSales AI as a Processor:

The parties acknowledge and agree that with regard to the Processing of Customer Content, iSales AI is a Processor acting on behalf of the Customer. The Customer may be acting as a Controller (or "Operator" under Russian law) or as a Processor for another Controller with respect to Customer Content. iSales AI shall Process Customer Content only for the purposes described in this DPA and strictly in accordance with the Customer's documented lawful instructions as set forth in Section 3 of this DPA.

2.2. iSales AI as a Controller:

The parties acknowledge that, with regard to the Processing of Customer Account Data, iSales AI is an independent Controller (or "Operator" under Russian law), not a joint Controller with the Customer. iSales AI will Process Customer Account Data as a Controller to carry out necessary functions such as entering into the Agreement, account management, compliance with law, accounting, tax, billing, audit, sales, and marketing communications with the Customer, and for service improvement as detailed in its Privacy Policy. iSales AI will Process such Customer Account Data in accordance with its Privacy Policy (https://isales.ai/privacy-policy) and applicable provisions of this DPA.

2.3. Details of Data Processing:

Annex 1 (Details of Processing) to this DPA further specifies the subject matter, duration, nature and purpose of the Processing, the types of Personal Data Processed, and the categories of Data Subjects.

3. Customer's Obligations and Instructions

3.1. Customer's Instructions:

iSales AI will Process Customer Content only in accordance with Customer's documented lawful instructions. By entering into the Agreement and this DPA, Customer instructs iSales AI to Process Customer Content to: (a) provide, operate, and maintain the Services as described in the Agreement; (b) comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement; and (c) as further specified in this DPA. Customer further authorizes iSales AI to anonymize and/or aggregate Customer Content for purposes such as product improvement, analytics, and developing new features, provided such anonymized/aggregated data does not identify any individual or Customer.

3.2. Customer as a Processor:

If the Customer is a Processor on behalf of another Controller with respect to Customer Content, Customer warrants on an ongoing basis that the relevant Controller has authorized: (i) the instructions provided to iSales AI as described in this DPA and the Agreement; (ii) the appointment of iSales AI as a Sub-processor; and (iii) iSales AI's engagement of further Sub-processors as described in Section 4. Customer will immediately forward to the relevant Controller any notice provided by iSales AI under this DPA (e.g., regarding new Sub-processors, Data Breaches, Data Subject requests).

3.3. Compliance with Laws:

Each party will comply with its respective obligations under Applicable Data Protection Laws with respect to its Processing of Personal Data.

3.4. Customer's Responsibilities:

Customer represents and warrants that it has provided, and will continue to provide, all necessary notices and has obtained, and will continue to obtain, all necessary consents, permissions, and rights (or has established other valid legal bases) under Applicable Data Protection Laws for iSales AI to lawfully Process Customer Content on Customer's behalf for the purposes contemplated by the Agreement and this DPA. This includes, without limitation, any consents required for the use of AI Features and the transfer of Customer Content to iSales AI and its Sub-processors. Customer shall be responsible for the lawfulness, accuracy, quality, and legality of the Customer Content and the means by which Customer acquired it. Customer shall inform its Conversation Participants about the use of iSales AI as a Processor and provide them with all information required by Applicable Data Protection Laws.

3.5. Specific Jurisdictional Requirements:

Customer must inform iSales AI in writing of any specific requirements for Processing Customer Content by iSales AI that are imposed by Customer's Applicable Data Protection Laws and are not already covered by this DPA or the Agreement. Customer shall indemnify and hold harmless iSales AI from any claims, liabilities, damages, or costs arising from Customer's failure to comply with its obligations under this Section 3.

4. Sub-processing

4.1. Authorized Sub-processors:

Customer acknowledges and agrees that iSales AI may engage Sub-processors to Process Customer Content in connection with the provision of the Services. A list of iSales AI's current Sub-processors is available at AI Subprocessor List (https://isales.ai/service-providers) (or as otherwise made available by iSales AI) ("Sub-processor List"). Customer specifically authorizes the engagement of these Sub-processors.

4.2. Sub-processor Obligations:

With respect to all Sub-processors, iSales AI shall:

  • Conduct appropriate due diligence on such Sub-processors.
  • Enter into a legally binding written agreement with each Sub-processor imposing data protection obligations that are substantially similar to, and at least as protective as, those set out in this DPA.
  • Remain fully liable to the Customer for the performance of the Sub-processor's data protection obligations and for any acts or omissions of the Sub-processor that cause iSales AI to breach any of its obligations under this DPA.

4.3. Engagement of New Sub-processors:

iSales AI may engage new Sub-processors. iSales AI will notify Customer of any intended new Sub-processor engagement by updating the Sub-processor List and providing a mechanism for Customer to subscribe to notifications of such updates (e.g., via email or an RSS feed). Such notice will be provided at least 30 days before the new Sub-processor Processes any Customer Content, except where iSales AI reasonably believes that engaging a new Sub-processor on an expedited basis is necessary to protect the confidentiality, integrity, or availability of Customer Content or to avoid material disruption to the Services, in which case notice will be given as soon as reasonably practicable.

4.4. Objection Rights:

Customer may object to iSales AI's appointment of a new Sub-processor by notifying iSales AI in writing within 15 days after receipt of notice from iSales AI, provided such objection is based on reasonable, documented data protection concerns. If Customer objects, iSales AI will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Customer Content by the objected-to new Sub-processor without unreasonably burdening the Customer. If iSales AI is unable to make available such a change within a reasonable period, which shall not exceed 30 days, Customer may, as its sole and exclusive remedy, terminate the applicable Agreement or affected Service for convenience by providing written notice to iSales AI, with no refunds for pre-paid fees. Customer will remain liable for any fees committed under an applicable order form. If Customer does not object within the specified period, iSales AI is deemed to have been authorized by Customer to engage the new Sub-processor.

5. Security Measures

5.1. Implementation of Security Measures:

iSales AI will implement and maintain throughout the term of this DPA appropriate technical and organizational security measures designed to protect Customer Content from Data Breaches and to preserve the security, confidentiality, and integrity of Customer Content. These measures shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Such measures are further described in Annex 2 (Security Measures) to this DPA.

5.2. Confidentiality of Processing:

iSales AI shall ensure that any person authorized by iSales AI to Process Customer Content (including its staff, agents, and Sub-processors) is under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

5.3. Customer Responsibilities for Security:

Customer acknowledges and agrees that:

  • It has reviewed and assessed the Security Measures described in Annex 2 and deems them appropriate for the protection of Customer Content under Customer's Applicable Data Protection Laws, including providing appropriate safeguards for cross-border transfers of Personal Data, if applicable.
  • Except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials (e.g., for the native Telegram bot interface), protecting the security of Customer Content when in transit to and from the Services, and securing Customer's own systems and devices used to access the Services.

5.4. Updates to Security Measures:

Customer acknowledges that the Security Measures are subject to technical progress and development. iSales AI may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in a material degradation of the overall security of the Services purchased by the Customer. Customer is responsible for reviewing information made available by iSales AI relating to updated data security and making an independent determination as to whether the Services meet Customer's requirements and legal obligations under Customer's Applicable Data Protection Laws.

6. Security Reviews and Audits

6.1. Security Reports and Certifications:

iSales AI may use external auditors to verify the adequacy of its security measures and may obtain relevant security certifications or attestations (e.g., ISO 27001, SOC 2). Upon Customer's written request, and subject to appropriate confidentiality obligations, iSales AI will make available to Customer a summary copy of its most recent relevant audit report or certification, to the extent generally available to customers.

6.2. Security Due Diligence:

In addition to any available reports or certifications, iSales AI will respond to reasonable written requests for information from Customer to confirm iSales AI's compliance with this DPA, including responses to Customer's reasonable information security and due diligence questionnaires. Customer shall not exercise this right more than once per calendar year, unless a confirmed Data Breach involving Customer Content has occurred.

6.3. Audits:

To the extent required by Applicable Data Protection Laws, Customer (or its independent third-party auditor, who is not a competitor of iSales AI and is bound by appropriate confidentiality obligations) may conduct an audit of iSales AI's compliance with its obligations under this DPA. Such audits shall be: (a) limited to once per calendar year, unless a confirmed Data Breach involving Customer Content necessitates an additional audit; (b) conducted upon at least 30 days prior written notice to iSales AI; (c) mutually agreed upon in scope, timing, and duration with iSales AI; (d) conducted during iSales AI's normal business hours; (e) at Customer's sole expense; and (f) conducted in a manner that does not unreasonably interfere with iSales AI's business operations or compromise the security or confidentiality of other customers' data. iSales AI may satisfy such audit requests by providing relevant third-party audit reports or certifications as described in Section 6.1.

7. Data Breach Notification

7.1. Notification Timeframe:

Upon becoming aware of a confirmed Data Breach affecting Customer Content, iSales AI will notify Customer without undue delay, and where feasible, within 72 hours after discovery, unless prohibited by applicable law or law enforcement instruction. A delay in giving such notice requested by law enforcement and/or in light of iSales AI's legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay.

7.2. Content of Notification:

Such notices will describe, to the extent reasonably possible and known at the time: (a) the nature of the Data Breach; (b) the categories and approximate number of Data Subjects and Personal Data records concerned; (c) the likely consequences of the Data Breach; and (d) the measures taken or proposed to be taken by iSales AI to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.3. Cooperation by iSales AI:

iSales AI shall cooperate reasonably with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Data Breach. iSales AI's notification of or response to a Data Breach under this Section will not be construed as an acknowledgment by iSales AI of any fault or liability with respect to the Data Breach.

7.4. Customer's Responsibility for Notifications:

Customer is solely responsible for complying with its own obligations under Applicable Data Protection Laws to notify relevant supervisory authorities and/or affected Data Subjects about any Data Breach.

8. Data Subject Rights and Cooperation

8.1. Responding to Data Subject Requests:

Taking into account the nature of the Processing, iSales AI will provide Customer with reasonable assistance, including by appropriate technical and organizational measures, insofar as this is possible, to enable Customer to respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Laws (e.g., rights of access, rectification, erasure, restriction, portability, and objection) with respect to Customer Content. If Customer cannot reasonably fulfill such requests independently using the self-service functionality of the Services, Customer may request iSales AI's assistance.

8.2. Direct Requests to iSales AI:

If iSales AI receives a request directly from a Data Subject concerning Customer Content, iSales AI will, to the extent legally permitted, promptly notify Customer of the request and will advise the Data Subject to submit their request to the Customer. Customer will be responsible for responding to any such request. Notwithstanding the foregoing, if a Data Subject requests (i) unsubscription from messages sent by Customer through the Services, or (ii) deletion of their Customer Content within the Services, Customer authorizes and instructs iSales AI to take reasonable steps to fulfill such requests directly where feasible through the Services' functionalities.

8.3. Assistance with DPIAs and Prior Consultations:

Taking into account the nature of Processing and the information available to iSales AI, iSales AI will provide reasonable assistance to Customer, upon Customer's written request, with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where such are required of Customer under Applicable Data Protection Laws in relation to the Processing of Customer Content by iSales AI. If such assistance requires iSales AI to assign significant resources, it may be provided at Customer's expense, as mutually agreed.

9. Return or Deletion of Data

9.1. Return or Deletion:

Upon termination or expiration of the Agreement, or upon Customer's written request at any time, iSales AI shall, at Customer's election, either delete or return to Customer all Customer Content (including existing copies) from iSales AI's systems in its possession or control, in accordance with the procedures and timeframes specified in the Agreement or as otherwise agreed. If Customer fails to elect return or deletion within 60 days of termination/expiration, iSales AI may delete the Customer Content.

9.2. Retention for Legal Purposes:

Notwithstanding the foregoing, Customer understands that iSales AI may retain certain Customer Content if required by applicable law or for legitimate and documented archival, backup, or disaster recovery purposes, in which case such data will remain subject to the confidentiality and security obligations of this DPA for as long as it is retained.

10. Miscellaneous

10.1. Processing Locations:

Customer acknowledges that the provision of the Services and iSales AI's activities as a Controller may require Processing of Personal Data by iSales AI, its Affiliates, and Sub-processors in countries outside the Customer's jurisdiction, including in the United States, as further detailed in Annex 1 and the Sub-processor List. International transfers will be subject to the safeguards described in Annex 3.

10.2. Notices:

Any notices, requests, or other communications to iSales AI related to this DPA must be sent to [email protected] or as otherwise specified in the Agreement. iSales AI shall send notifications to Customer via the email address provided by Customer during sign-up or through the user interface of the Services.

10.3. Claims and Liability:

Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to the exclusions and limitations of liability, set forth in the Agreement. Customer agrees that any regulatory penalties incurred by iSales AI in relation to Customer Content that arise as a result of, or in connection with, Customer's failure to comply with its obligations under this DPA or Customer's Applicable Data Protection Laws shall count toward and reduce iSales AI's liability cap under the Agreement as if it were a liability to the Customer. Conversely, iSales AI is liable for regulatory penalties incurred by Customer or iSales AI that arise as a result of iSales AI's failure to comply with its obligations under this DPA or iSales AI's Applicable Data Protection Laws, subject to the limitations in the Agreement. Notwithstanding anything to the contrary, neither party will be responsible for fines issued or levied against the other party by a regulatory authority due to the other party's independent violation of its Applicable Data Protection Laws.

10.4. No Third-Party Beneficiary Rights:

This DPA does not confer any third-party beneficiary rights, except where explicitly stated (e.g., for Data Subjects under certain SCCs). It is intended for the benefit of the parties hereto and their respective permitted successors and assigns only.

10.5. Governing Law and Jurisdiction:

This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by mandatory provisions of Customer's Applicable Data Protection Laws or as set forth in Annex 3.

10.6. Termination:

This DPA will automatically terminate upon the expiration or termination of the Agreement. Termination of this DPA is only possible subject to the termination of the Agreement.

10.7. Relationship with the Agreement:

This DPA forms an integral part of the Agreement. Except as expressly set forth in this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA will prevail. This DPA replaces any existing data processing addendum the parties may have previously entered into in connection with the Services.

Annexes

ANNEX 1: Details of Processing

Part A: iSales AI as a Processor

Subject Matter:

The Processing of Customer Content by iSales AI to provide the Services to Customer as described in the Agreement and this DPA.

Duration:

For the term of the Agreement and until deletion or return of Customer Content in accordance with Section 9 of this DPA.

Nature and Purpose of Processing:

  • Provision of AI-powered chatbot services on various messaging platforms (e.g., Telegram, WhatsApp, Facebook, Instagram) as configured by the Customer.
  • Processing of Inputs (prompts, configurations, training data, knowledge bases provided by Customer) by AI Features to generate Outputs (chatbot responses, analyses, etc.).
  • Storage, transmission, and management of conversation data between Customer's chatbots and Conversation Participants.
  • Enabling Customer to manage chatbot settings and performance, primarily via a native Telegram bot interface.
  • Providing support, maintenance, and troubleshooting for the Services.
  • Logging activities for security, auditing, and error tracking.
  • Ensuring the accessibility, security, and usability of the Services.
  • Anonymizing and/or aggregating Customer Content for service improvement, analytics, and development of new features (as instructed by Customer per Section 3.1).

Categories of Data Subjects:

  • End Users authorized by the Customer to use or manage the Services.
  • Customer's Conversation Participants (i.e., individuals interacting with Customer's chatbots deployed via the Services).

Categories of Personal Data (Customer Content):

The extent of Personal Data is determined and controlled by the Customer in its sole discretion through its configuration and use of the Services. This may include:

For End Users (managing the Service):

Identification information (e.g., name, email, user ID associated with the native Telegram bot interface), account credentials, configuration data, IP addresses, usage data, device information.

For Conversation Participants:

  • Identification information obtained from messaging platforms (e.g., platform-specific user ID, name/username, profile picture, phone number if provided by the platform/user).
  • Contact details if provided by the Conversation Participant (e.g., email address, phone number).
  • Content of communications with chatbots, including text, images, voice data (if supported and used), and any other Personal Data shared by the Conversation Participant within the chat.
  • Chat metadata (e.g., timestamps, message IDs, platform identifiers).
  • Technical data (e.g., IP address, device type, browser information, location data if shared by the platform/user and processed by the chatbot).
  • Any other Personal Data contained in Inputs provided by Customer (e.g., in training data or knowledge bases for the AI).

Sensitive Data Processed (if any):

Customer agrees not to provide, or configure the Services to solicit or collect, sensitive Personal Data (as defined by Applicable Data Protection Laws, e.g., health information, biometric data, racial or ethnic origin, political opinions, religious beliefs, etc.) from Conversation Participants, unless Customer has obtained explicit consent or has another valid legal basis under Applicable Data Protection Laws for such Processing and has informed iSales AI. iSales AI does not intentionally Process sensitive Personal Data except as incidentally contained within Customer Content Processed according to Customer's instructions.

Frequency of Transfer:

On a continuous basis as Customer uses the Services.

Data Source:

Customer (or End Users acting on Customer's behalf) through their use and configuration of the Services, including data inputted into the native Telegram bot interface, data from integrated messaging platforms, and data provided by Conversation Participants during interactions with Customer's chatbots.

Onward Transfers (Sub-processors):

As listed in the Sub-processor List available at AI Subprocessor List (https://isales.ai/service-providers). The duration of sub-processing is limited to the retention period of Processing by iSales AI.

Part B: iSales AI as a Controller

Subject Matter:

Processing of Customer Account Data by iSales AI.

Duration:

For the term of the Agreement and thereafter as required by applicable law or for iSales AI's legitimate business purposes (e.g., record-keeping, resolving disputes), in accordance with iSales AI's Privacy Policy and data retention policies.

Nature and Purpose of Processing:

  • Entering into and managing the contractual relationship with the Customer.
  • Account creation, administration, and management (including management of Credits).
  • Providing customer support and communicating with Customer regarding the Services (e.g., updates, security alerts, billing notices).
  • Billing, invoicing, and payment processing.
  • Compliance with legal and regulatory obligations (e.g., tax, accounting, sanctions screening).
  • Auditing and security monitoring.
  • Sales and marketing communications with the Customer (subject to Customer's preferences and applicable law).
  • Improving iSales AI's services, business operations, and developing new offerings (typically using aggregated or anonymized data where feasible).

Categories of Data Subjects:

  • Customer (if an individual).
  • Representatives and End Users of the Customer (e.g., employees, contractors authorized to manage or use the Customer's iSales AI account).

Categories of Personal Data (Customer Account Data):

Contact and Identification Information:

Name, email address, phone number, company name, job title, business address, username/ID (including Telegram account details linked for settings).

Billing and Financial Information:

Billing address, payment card details (e.g., last four digits, expiry date, processed by a PCI-DSS compliant payment processor), bank account information (if applicable), transaction history, Credit purchase records.

Account and Usage Information:

Service plan details, account settings and preferences, IP addresses, device information, browser type, operating system, logs of access and use of iSales AI's platform (excluding Customer Content), support communication records.

Sensitive Data Processed:

iSales AI does not intentionally collect sensitive Personal Data for Customer Account Data purposes.

Frequency of Transfer:

On a continuous basis as Customer interacts with iSales AI and the Services.

Data Source:

Directly from the Customer or its representatives/End Users during the sign-up process, account configuration (including linking a Telegram account for settings), use of the Services, payment transactions, and communications with iSales AI.

Onward Transfers (Service Providers):

To iSales AI's service providers (acting as Processors for iSales AI as Controller) for purposes such as payment processing, CRM, email delivery, analytics, cloud hosting. See iSales AI's Privacy Policy for more details on sharing with such providers. Personal Data may also be disclosed to public authorities if legally required.

ANNEX 2: Security Measures

iSales AI implements and maintains technical and organizational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are intended to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The Security Measures include, but are not limited to, the following categories (iSales AI will provide further details upon reasonable request, subject to confidentiality obligations):

Information Security Program and Policies:

  • Maintaining a formal, documented information security program and framework.
  • Regular review and updates of security policies and procedures.
  • Assignment of responsibility for information security.

Access Control:

  • Measures to prevent unauthorized access to systems Processing Personal Data, including user identification and authentication procedures (e.g., unique IDs, strong passwords, multi-factor authentication where appropriate).
  • Role-based access controls based on the principle of least privilege ("need-to-know").
  • Procedures for managing access rights (granting, modifying, revoking).
  • Logging of access to critical systems.

Data Encryption:

  • Encryption of Personal Data in transit (e.g., using TLS/SSL).
  • Encryption of Personal Data at rest where appropriate and feasible (e.g., for databases storing Customer Content).

Personnel Security:

  • Confidentiality obligations for personnel authorized to Process Personal Data.
  • Security awareness and training programs for personnel.
  • Background checks for personnel in sensitive roles, where permitted by law.

Physical and Environmental Security:

  • Controls to prevent unauthorized physical access to premises and facilities where Personal Data is Processed (e.g., for data centers used by iSales AI or its cloud providers).
  • Measures to protect against environmental threats.

Operational Security:

  • Vulnerability management program, including regular scanning and penetration testing (where appropriate).
  • Patch management procedures.
  • Secure software development lifecycle practices.
  • Change management procedures.
  • Network security controls (e.g., firewalls, intrusion detection/prevention systems).
  • Logging and monitoring of systems for security events.

Third-Party Vendor Management:

  • Due diligence process for selecting and managing Sub-processors and other third-party vendors with access to Personal Data.
  • Contractual requirements for third-party vendors to maintain appropriate security measures.

Business Continuity and Disaster Recovery:

  • Procedures for data backup and recovery.
  • Business continuity and disaster recovery plans to ensure availability of Personal Data and Services.

Incident Management:

  • Procedures for detecting, responding to, and managing security incidents, including Data Breaches, as outlined in Section 7 of this DPA.

Customer acknowledges that security requirements are constantly changing and that iSales AI may update or modify these Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services.

ANNEX 3: International Provisions and Jurisdiction-Specific Terms

This Annex applies to the Processing of Personal Data subject to the laws of specific jurisdictions.

1. European Economic Area (EEA), United Kingdom (UK), and Switzerland

Scope:

Scope: This Section 1 applies to the Processing of Personal Data subject to the GDPR, UK GDPR, or the Swiss FADP.

Roles:

Roles: For Customer Content, Customer is the Controller (or a Processor acting on behalf of another Controller), and iSales AI is the Processor. For Customer Account Data, iSales AI is an independent Controller.

International Data Transfers:

Data Privacy Frameworks (DPF):

To the extent iSales AI transfers Personal Data from the EEA, UK, or Switzerland to the United States, and iSales AI is certified under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF (as applicable), iSales AI will ensure such transfers are made in compliance with its DPF certification. iSales AI will notify Customer if its DPF certification is withdrawn, terminated, or otherwise invalidated.

Standard Contractual Clauses (SCCs):

In the event that the DPF is not applicable or relied upon for a specific transfer, or for transfers to other third countries not deemed adequate, such transfers of Personal Data from the EEA, UK, or Switzerland to iSales AI (or its Sub-processors) in a third country will be governed by the applicable Standard Contractual Clauses, which are hereby incorporated by reference and completed as follows:

EU SCCs (Commission Implementing Decision (EU) 2021/914):

  • Module One (Controller to Controller) will apply to transfers of Customer Account Data where Customer is a Controller and iSales AI is a Controller.
  • Module Two (Controller to Processor) will apply to transfers of Customer Content where Customer is a Controller and iSales AI is a Processor.
  • Module Three (Processor to Processor) will apply to transfers of Customer Content where Customer is a Processor (acting on behalf of another Controller) and iSales AI is a Sub-processor.
  • Clause 7 (Docking Clause): Will not apply.
  • Clause 9 (Use of Sub-processors): Option 2 (General written authorisation) will apply. The time period for prior notice of Sub-processor changes will be as set forth in Section 4.3 of this DPA.
  • Clause 11 (Redress - Optional): The optional language will not apply.
  • Clause 13 (Supervision): The supervisory authority shall be determined in accordance with the GDPR. For Customers established in the EU, this will be the supervisory authority of the Member State in which the Customer is established, or if not established in the EU, the authority identified by the Customer or as determined by the GDPR.
  • Clause 17 (Governing Law): Option 1 will apply. The SCCs shall be governed by the law of Ireland.
  • Clause 18(b) (Choice of Forum and Jurisdiction): Disputes shall be resolved before the courts of the jurisdiction specified in Clause 17.
  • Annex I.A (List of Parties):\nData Exporter: Customer, as defined in the Agreement. Contact details as provided by Customer. Role: As specified per the applicable Module above.\nData Importer: iSales AI. Contact: `[email protected]`. Role: As specified per the applicable Module above.
  • Annex I.B (Description of Transfer): As described in Annex 1 of this DPA.
  • Annex I.C (Competent Supervisory Authority): As determined by Clause 13.
  • Annex II (Technical and Organisational Measures): As described in Annex 2 of this DPA.

UK Addendum (International Data Transfer Addendum to the EU SCCs, Version B1.0):

For transfers subject to the UK GDPR, the UK Addendum will apply, with the EU SCCs (as specified above) forming the "Approved EU SCCs". Table 1, 2, 3, and 4 of the UK Addendum will be completed with the relevant information from this DPA and the EU SCCs sections. The "Exporter" and "Importer" will be as defined in Annex I.A above.

Swiss Transfers:

For transfers subject to the Swiss FADP, the EU SCCs (as specified above) will apply with necessary modifications to accommodate Swiss law (e.g., references to GDPR interpreted as references to FADP; competent supervisory authority being the Swiss FDPIC).

2. California

Scope:

Scope: This Section 2 applies to the Processing of "Personal Information" as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").

Roles:

Roles: For Customer Content that constitutes Personal Information, iSales AI acts as a "Service Provider" to the Customer, which is a "Business." For Customer Account Data, iSales AI may act as a Business.

iSales AI as Service Provider:

When Processing Customer Content, iSales AI will:

  • Not "sell" or "share" (as those terms are defined in the CCPA/CPRA) Customer Content.
  • Not retain, use, or disclose Customer Content for any purpose other than for the specific purpose of performing the Services as specified in the Agreement and this DPA, or as otherwise permitted by the CCPA/CPRA for Service Providers.
  • Not retain, use, or disclose Customer Content outside of the direct business relationship between Customer and iSales AI, except as permitted by the CCPA/CPRA.
  • Comply with applicable obligations under the CCPA/CPRA and provide reasonable assistance to Customer to enable Customer to comply with its CCPA/CPRA obligations with respect to Customer Content.

Aggregated/De-identified Data: Notwithstanding the foregoing, iSales AI may de-identify or aggregate Customer Content as part of performing the Services and use such de-identified or aggregated data for its own business purposes, including service improvement and analytics, provided such data does not identify, and cannot reasonably be used to identify, any individual or the Customer.

3. Brazil

Scope:

Scope: This Section 3 applies to the Processing of Personal Data subject to the LGPD.

Roles:

Roles: For Customer Content, Customer is the Controller (Controlador) (or a Processor acting on behalf of another Controller), and iSales AI is the Processor (Operador). For Customer Account Data, iSales AI is an independent Controller.

International Data Transfers:

International Data Transfers: To the extent Customer Content subject to LGPD is transferred to a jurisdiction outside of Brazil not recognized by the ANPD as providing an adequate level of protection, such transfers will be made in accordance with a valid transfer mechanism under the LGPD, which may include Brazilian SCCs (when available and applicable) or other mechanisms permitted by the ANPD. iSales AI commits to ensuring that Personal Data is transferred only to countries that provide a degree of data protection compatible with the LGPD or to entities that contractually undertake to adopt a similar degree of protection.

4. Russia

Scope:

Scope: This Section 4 applies to the Processing of Personal Data of Russian citizens subject to Russian Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006 (as amended) ("Russian Data Protection Law").

Roles:

Roles: For Customer Content involving Personal Data of Russian citizens, Customer is the "Operator" (Оператор) and iSales AI is the "Person processing personal data on behalf of the operator" (Лицо, осуществляющее обработку персональных данных по поручению оператора) under the Russian Data Protection Law. For Customer Account Data involving Personal Data of Russian citizens, iSales AI acts as an independent Operator.

Data Localization:

Customer acknowledges and agrees that it is solely responsible for complying with the data localization requirements under Article 18.5 of the Russian Data Protection Law. This requires that the initial collection, recording, systematization, accumulation, storage, clarification (updating, changing), and retrieval of Personal Data of Russian citizens must be conducted using databases located within the territory of the Russian Federation.

To the extent Customer uses the Services to Process Personal Data of Russian citizens, Customer warrants that it has fulfilled this primary localization requirement before transferring any such Personal Data to iSales AI for further Processing, or for Processing by iSales AI outside the Russian Federation.

iSales AI is not responsible for ensuring Customer's compliance with the primary data localization requirement. If iSales AI offers options for Processing Customer Content within data centers located in the Russian Federation, the terms for such an option will be specified separately.

Consent and Instructions: Customer represents and warrants that it has obtained all necessary valid consents from Russian Data Subjects in accordance with the Russian Data Protection Law for the Processing of their Personal Data by Customer, by iSales AI (acting on Customer's behalf), and by any Sub-processors, including for any cross-border transfers of Personal Data outside the Russian Federation. Such consents must meet the specific form and content requirements under Russian Data Protection Law. All instructions from Customer to iSales AI regarding the Processing of Personal Data of Russian citizens shall be lawful under the Russian Data Protection Law.

Cross-Border Transfers: If Customer Content containing Personal Data of Russian citizens is to be Processed by iSales AI or its Sub-processors outside the Russian Federation (after initial localization by the Customer within Russia), Customer is responsible for ensuring that such cross-border transfer complies with Article 12 of the Russian Data Protection Law. This includes ensuring that the recipient country provides an adequate level of protection for the rights of data subjects, or that specific conditions for transfer to non-adequate countries are met (e.g., specific written consent of the data subject, performance of a contract with the data subject). iSales AI will provide reasonable cooperation to Customer in assessing the adequacy of protection in recipient countries where iSales AI or its Sub-processors Process such data, upon Customer's reasonable request and at Customer's expense.

Customer's Responsibility: Customer remains solely responsible for all its obligations as an Operator under the Russian Data Protection Law, including but not limited to, providing notices to Data Subjects, handling Data Subject requests, ensuring the accuracy of Personal Data, and implementing necessary security measures for data processed within its own systems.

Contact Information

For questions or concerns about this DPA or data processing practices, please contact us at [email protected].

This DPA is entered into and becomes effective on the date the Customer enters into the Agreement.