Schedule D - DPA
Version: 8 August 2024
DPA WILL APPLY ACCORDING TO THE RULES STATED HEREIN AND MAY BEAR SOME CHANGES DEPENDING ON THE SERVICE.
ANNEX 1 TO BE COMPLETED WITH CUSTOMER ASSISTANCE
Schedule D - SAAS PRODUCTS DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “Addendum”) forms part of the Teneo AI (“AS”) SaaS Agreement (the “Agreement”) by and between Customer and the applicable AS Entity from which Customer is acquiring a SaaS Enterprise or SaaS Pro license. This Addendum will be effective as of the date (“Effective Date”) both Teneo AI and the Customer have signed the signature block below.
This Addendum will apply to the scope of Processing of Dialogue Data in SaaS Products that contains End User Personal Data, thus being considered Dialogue Data with Personal Identifiable Information (“DDPII”). The categories of Data Subjects of DDPII shall be defined by the Customer in Annex 1 of this Addendum.
For the avoidance of doubt, for this Addendum, the term Personal Data only refers to DDPII.
I. EFFECTIVENESS
A. Any change to this Addendum should be approved by both parties in writing.
B. This Addendum will terminate automatically upon termination of the Agreement or
as earlier terminated pursuant to the terms of this Addendum.
II. DATA PROCESSING TERMS
The parties agree:
1. Definitions
1.1 The terms below shall have the following meanings:
“Teneo AI”, “TENEO”, “we”, “us”, “our”, “Teneo.ai” means the applicable AS Entity with whom the Customer has a valid Order Form for SaaS Products.
“SaaS Enterprise” means the Teneo.ai Software as a Service product offered by Teneo AI under the “Enterprise” license. It is the Teneo Software as a Service product offered by Teneo AI.
“SaaS Pro” means the Teneo.ai Software as a Service product offered by Teneo AI under the “Pro” license.
“SaaS Products” means, for the purpose of this Addendum, the Teneo.ai Software as a Service, under any of the SaaS Enterprise or SaaS Pro licenses.
“AS Entities”, “AS Entity” means the Entity with whom the Customer has a valid offer and any of the Teneo AI entities listed in Annex 3 (as may be updated from time to time).
“Controller” means the entity which determines the purposes and means of the Processing of Dialogue Data with Personal Identifiable Information (DDPII).
“Customer”, “you”, “your” means in the case of an individual accepting this Agreement on behalf of a company or other legal entity, the company or other legal entity for which such individual is accepting the Agreement.
“Dialogue Data” means session logs generated from a published Customer Solution in AS SaaS. Dialogue Data might contain End User Personal Data, thus be considered Dialogue Data with Personal Identifiable Information (DDPII).
“Customer Solution” means instructions, programming code, scripts, flows, integrations, listeners, program or code libraries, decision rules and similar programmatic parts that the Customer executes in some form in the AS SaaS through its development environment, runtime or embedded services. The Customer Solution consists of a) the code, flows and instruction parts of the solution (“Customer Code”) and b) the language rules and training data (“Customer Training Data”).
“Data Subject”, “Personal Data”, “Processing” and “Appropriate Technical and Organizational Measures” as used in this Addendum shall have the meanings given in the GDPR irrespective of whether GDPR applies.
“End Users” means an individual (“the Customer’s customer”) interacting with a published Customer Solution in AS SaaS, for example by chatting or speaking with a bot that the Customer has built, deployed and made available to the End User using AS SaaS.
“Europe” means, for the purposes of this Addendum, the member states of the European Economic Area, Switzerland and the United Kingdom.
“European Data Protection Law” (or “Data Protection Law”) means any data protection and privacy laws of Europe applicable to the Processing of the Dialogue Data in question by AS under this Addendum, including where applicable (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the Processing of personal data and the protection of privacy in the electronic communications sector; (iii) any applicable national implementations of (i) and/or (ii); and (iv) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts into domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; in each case as may be amended, superseded or replaced from time to time.
“Instructions” means the instructions issued by a Controller to a Processor and commanding the latter to perform a specific or general action regarding DDPII (including, but not limited to, depersonalizing, blocking, deletion, making available).
“DDPII Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, DDPII transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services. “DDPII Breach” will not include unsuccessful attempts or activities that do not compromise the security of DDPII, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Processor” means the entity which processes Dialogue Data with Personal Identifiable Information (DDPII) on behalf of the Controller.
“Processing” means any operation which is performed on DDPII, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of DDPII. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Sub-Processor” means any Processor engaged by AS or our Affiliates to assist in fulfilling our obligations with respect to the provision of the SaaS Products under the Agreement.
2. Scope of the Data Protection Law
2.1 The parties acknowledge that European Data Protection Law will only apply to DDPII that is covered by the territorial scope of European Data Protection Law.
3. Customer Responsibilities Towards Processing of DDPII
3.1 The Customer shall be the Controller and Teneo AI shall be the Processor in respect of DDPII processed by Teneo AI on the Customer’s behalf in performing its obligations under this Agreement.
3.2 The Customer shall be solely responsible for determining the purposes (and means) for which and the manner in which DDPII is, or is to be, processed and be responsible for complying with all requirements that apply to you under applicable Data Protection Laws with respect to its Processing of DDPII and the Instructions you issue to us.
4. Teneo AI Obligations towards Processing of DDPII
4.1 Where Teneo AI processes DDPII on behalf of the Customer, Teneo AI shall, in respect of such DDPII:
- 4.1.1 Act only on Instructions from the Customer and shall comply promptly with all such Instructions received from the Customer from time to time regarding the Processing of DDPII. If applicable law requires Teneo AI to process the DDPII for any other purpose, Teneo AI will inform the Customer of this requirement first, unless such law(s) prohibit this on important grounds of public interest. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us. If you need us to comply with them in order to be able to use SaaS Products, please contact our DPO.
- 4.1.2 Immediately notify the Customer if, in Teneo AI’s opinion, any instruction or direction from the Customer infringes Data Protection Law. Teneo AI shall not be required to comply with such an instruction or direction in relation to the Processing of DDPII, except to the extent the Customer withdraws or amends such direction or instruction.
- 4.1.3 Not process DDPII for any purpose other than for the provision of AS SaaS to the Customer and only to the extent reasonably necessary for the performance of the Agreement, including this Addendum.
- 4.1.4 Ensure that persons authorized to process the DDPII have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
- 4.1.5 Implement Appropriate Technical and Organizational Measures (i) to protect the security and confidentiality of DDPII processed by it in providing the Services and (ii) to protect DDPII against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, access, or Processing, in each case as required under Data Protection Laws to ensure a level of security appropriate to the risk. At the same time, Customer acknowledges that they have understood the technical limitations of the services and themselves determined that the procured services are adequate for Processing DDPII. Customer acknowledges that the security measures set out in Annex 2 of this Addendum are sufficient and appropriate for the protection of the DDPII.
4.2 Teneo AI shall notify the Customer promptly and without undue delay after becoming aware of any accidental, unlawful or unauthorized destruction, loss, alteration, access to, disclosure of or Processing of DDPII (“DDPII Breach”). Such notice shall include reasonable details of the Incident which are known to Teneo AI at the time, including without limitation, where possible: (i) a description of the Incident; (ii) likely consequences of the Incident; (iii) the number of data subjects affected, number of records affected and the types of records affected; and (iv) the measures taken or proposed to be taken to address the Incident, including measures to mitigate possible adverse effects of the Incident.
4.3 To the extent required under Data Protection Laws and in relation to Teneo AI Processing of DDPII under this Addendum, Teneo AI will promptly inform the Customer and shall provide Customer with reasonable assistance to facilitate the Customer’s compliance with the Customer’s obligations under Articles 35 and 36 of GDPR in relation to the preparation of data protection impact assessments and consulting with any supervisory authority if such a data protection impact assessment indicates that such Processing would result in high risk in the absence of measures taken by the Customer to mitigate the risk.
4.4 To the extent required under Data Protection Laws and in relation to Teneo AI Processing of DDPII under this Addendum, Teneo AI shall provide Customer with reasonable assistance to facilitate the Customer’s compliance with the Customer’s obligations to respond to data subject rights requests under Data Protection Laws by providing the Customer documentation, product functionality, or processes to assist the Customer in retrieving, correcting, deleting or restricting DDPII.
4.5 Teneo AI shall, on the condition that the Customer has entered into an appropriate non-disclosure agreement with Teneo AI:
- Allow the Customer and the Customer’s authorized representatives to access and review available up-to-date attestations, certifications, reports or extracts thereof from independent bodies (e.g., external auditors, internal audit, data protection auditors) or other suitable certifications to verify compliance with the terms of this Addendum; or
- Where required by Data Protection Law, allow the Customer and authorized representatives to conduct audits, at the Customer’s sole expense, if any, (including inspections) during the term of the Agreement to verify compliance with the terms of this Addendum. Notwithstanding the foregoing, any audit must be conducted during Teneo AI’s regular business hours, with reasonable advance notice to Teneo AI and subject to reasonable confidentiality procedures. The scope of any audit shall not require us to disclose to the Customer or Customer’s authorized representatives, or to allow the Customer or the Customer’s authorized representatives to access:
  - any data or information of any other Teneo AI customer,
  - any Teneo AI internal accounting or financial information,
  - any Teneo AI trade secret,
  - any information that, in Teneo AI’s reasonable opinion could: 1) compromise the security of Teneo AI systems or premises or 2) cause us to breach Teneo AI’s obligations under Data Protection Laws or Teneo AI security, confidentiality and / or privacy obligations to any other Teneo AI customer or any third party,
  - any information that the Customer or the Customer’s authorized representatives seek to access for any reason other than the good faith verification by the Customer of our compliance with the terms of this Addendum.
- In addition, any such audits shall be limited to once per year, unless 1) Teneo AI have experienced an Incident within the prior twelve (12) months which has impacted the Customer’s DDPII or 2) an audit reveals a material noncompliance with the obligations set out in this Addendum. If Teneo AI decline or are unable to follow the Customer’s instructions regarding audits permitted under this Section 3.7, the Customer is entitled to terminate this Addendum and the Agreement for convenience on written notice.
4.6 Teneo AI shall not engage any sub-processor to process any DDPII under this Addendum without the Customer’s prior written consent. The Customer provides general consent to Teneo AI’s appointment of the Teneo AI affiliates and applicable third-party sub-processors listed under Annex 3. Teneo AI may update the list of approved sub-processors, at which point the Customer will have the opportunity to object within forty-five (45) days of any such update to the list of sub-processors by terminating the Agreement for convenience on written notice. When engaging sub-processors in the Processing of DDPII, Teneo AI are responsible for the performance of each sub-processor. Teneo AI will include in the agreement with any such third-party sub-processor terms for the protection of DDPII as required by applicable Data Protection Law.
4.7 No DDPII processed by Teneo AI pursuant to this Agreement shall be exported outside the United Kingdom or European Economic Area without the prior explicit instruction from the Customer.
4.8 On termination or expiry of this Agreement, at the Customer’s request, Teneo AI shall delete or return to the Customer all DDPII processed on behalf of the Customer, and Teneo AI shall delete existing copies of such DDPII except where necessary to retain such DDPII strictly necessary for the purposes of compliance with applicable law.
5. Miscellaneous
5.1 Teneo AI shall not retain, use, sell or otherwise disclose DDPII other than as required by law or as needed to provide and support SaaS Products, as set forth in the Agreement.
5.2 Each party acknowledges that the other party may disclose this Addendum and any relevant privacy provisions in the Agreement to any relevant regulator or judicial body.
6. Conflict
6.1 If there is a conflict between this Addendum and any supplementary terms agreed between the parties, this Addendum will govern.
7. Survival
7.1 This Addendum shall survive the termination or expiry of any supplementary terms to the extent that Teneo AI continues to process DDPII on behalf of the Customer.
8. Notices
8.1 All notices must be in (electronic) writing and addressed to the attention of the other party’s primary contact. Notice will be deemed given upon receipt if verifiable by trusted logs or receipts (electronic or otherwise) to the last provided contact information. Each party is responsible for keeping the other informed of changes to its contact information.
9. Waiver
9.1 Failure to enforce any provision of this Addendum will not constitute a waiver.
10. Severability
10.1 If any provision of this Addendum is found unenforceable, the balance of this Addendum will remain in full force and effect.
11. Entire Agreement
11.1 This Addendum (including any document incorporated herein by reference) is the entire agreement between the parties on the topic of Processing of DDPII and supersedes all prior agreements between the parties on this subject matter.
12. Governing Law
12.1 The construction, validity and performance of this Agreement and all non-contractual obligations arising from or connected with this Agreement shall be governed by Swedish law and the parties hereby submit irrevocably to the exclusive jurisdiction of the Swedish courts to resolve any dispute between them.
Annex 1 – Data Protection Schedule
Nature and Purpose of Processing
We will process DDPII as necessary to provide the SaaS Products pursuant: (i) to the Agreement, as further specified in the applicable Order Form, and (ii) as instructed by you depending on your use of the Services.
Duration of Processing
SaaS Enterprise has a default retention time of 12 weeks, with a maximum eligible retention time of 52 weeks.
SaaS Pro has a fixed retention time of 2 weeks.
Categories of data subjects
The DDPII concerns End Users of AS SaaS, in addition to individuals whose DDPII is supplied by End Users of AS SaaS.
Categories of DDPII
The DDPII processed may include the following categories of data:
- Direct identifying information (e.g., name, email address, telephone).
- Indirect identifying information (e.g., job title, gender, date of birth).
- Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).
- Any DDPII supplied by End Users of AS SaaS or supplied by the Customer by implementation and execution of the Customer Solution.
Subject matter, nature and purposes of processing
The DDPII is processed for the purposes of providing SaaS Products in accordance with the Agreement.
Annex 2 - Security Measures for protecting Teneo AI’s Information
2.a. Security Measures included for SaaS Enterprise
Area | Sub-area and Security Measures |
---|---|
Physical Access Control | |
System Access Control | |
Data Access Control | |
Transmission Control | |
Process Control | |
Availability Control | |
Security & Vulnerability Controls | |
Audit Logging | |
2.a. Security Measures included for SaaS Pro
Area | Sub-area and Security Measures |
---|---|
Physical Access Control | |
System Access Control | |
Data Access Control | |
Transmission Control | |
Process Control | |
Availability Control | |
Security & Vulnerability Controls | |
Audit Logging | |
Annex 3 – Teneo AI’s Sub-processors
Annex 3.a. - SaaS Enterprise Sub-processors’ information
Teneo AI’s Entities acting as joint processors.
NAME | ACTUAL LOCATION OF THE PROCESSING | PURPOSE OF PROCESSING |
---|---|---|
Teneo AI AB (HQ) | Sweden | Delivery of SaaS Products |
Teneo AI EMEA AB | Sweden | Delivery of SaaS Products |
Artificial Solutions Iberia, S. L. | Spain | Delivery of SaaS Products |
Artificial Solutions B.V. | Netherlands | Delivery of SaaS Products |
Sub-Processors
NAME | ACTUAL LOCATION OF THE PROCESSING | PURPOSE OF PROCESSING |
---|---|---|
Orange Business Services AS (former Basefarm AS) | Norway | Azure Cloud management services |
Orange Business Services AB (former Basefarm AB) | Sweden | Azure Cloud management services |
Orange Business Services B.V. (Basefarm – Part of Log*In Consultants Nederland B.V) | Netherlands | Azure Cloud management services |
Microsoft Corporation | Europe North | Azure Services; Database storage in Azure Cloud |
Annex 3.b. - SaaS Pro Sub-processors’ information
Teneo AI’s Entities acting as joint processors.
NAME | ACTUAL LOCATION OF THE PROCESSING | PURPOSE OF PROCESSING |
---|---|---|
Teneo AI AB (HQ) | Sweden | Delivery of SaaS Products |
Teneo AI EMEA AB | Sweden | Delivery of SaaS Products |
Artificial Solutions Iberia, S. L. | Spain | Delivery of SaaS Products |
Artificial Solutions B.V. | Netherlands | Delivery of SaaS Products |
Sub-Processors
NAME | ACTUAL LOCATION OF THE PROCESSING | PURPOSE OF PROCESSING |
---|---|---|
Orange Business Services AS (former Basefarm AS) | Norway | Azure Cloud management services |
Orange Business Services AB (former Basefarm AB) | Sweden | Azure Cloud management services |
Orange Business Services B.V. (Basefarm – Part of Log*In Consultants Nederland B.V) | Netherlands | Azure Cloud management services |
Microsoft Corporation | Europe North | Azure Services; Database storage in Azure Cloud |