Data Processing Agreement

Last modified: May 16th, 2024

1. Introduction

This agreement (the “Agreement”) was concluded by and between Incentivai Inc., with its registered office at 251 Little Falls Drive, Wilmington, New Castle, DE 19808, United States of America (the “Processor”) and the customer signing this Agreement (the “Controller”). The Controller and the Processor shall jointly be referred to as the “Parties” and individually as a “Party”. The Controller is the controller (within the meaning of the GDPR, as defined in Clause 2.1 below) of the personal data set out in Schedule 1 (Personal Data) to this Agreement (the “Personal Data”). The Controller intends to transfer the Personal Data to the Processor, and the Processor intends to accept the Personal Data transferred to it, for processing on behalf of the Controller, in accordance with this Agreement and regulations pertaining to personal data processing, binding both the Processor and the Controller.

2. Purpose

2.1 The Controller shall entrust the Processor with processing the Personal Data on behalf of the Controller, on terms set out in this Agreement and applicable regulations pertaining to the processing of personal data – in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”).

2.2 The type of Personal Data and categories of the Personal Data subjects, as well as the subject-matter, duration, nature and purpose of the processing are set out in Schedule 1 (Personal Data) to this Agreement.

2.3 The Parties undertake to perform the obligations set out in this Agreement with the due diligence in order to legally, organisationally and technically secure the Parties’ interests, as well as the interests of the Personal Data subjects, with respect to the processing of the Personal Data.

3. Representations of the Processor

The Processor represents that it:

(a) implemented technical and organisational measures ensuring the processing of the Personal Data in accordance with applicable regulations, in a manner ensuring the protection of the rights of the Personal Data subjects; and

(b) possesses proper means, experience, expertise and properly trained staff, enabling it to process the Personal Data in the scope and for the purpose set out in this Agreement.

4. Processing Personal Data

General rules of processing

4.1 Subject to Clause 4.2 below, the Processor shall process the Personal Data in accordance with the terms of this Agreement or pursuant to separate written instructions from the Controller (including by way of electronic mail).

4.2 The Processor may process the Personal Data if it is required to do so by law of the European Union or a member state law to which the Processor is subject. In such a case, the Processor must inform the Controller of such legal requirement in advance of commencing such processing (unless prohibited by law for reasons of protecting the public interest).

4.3 Processing the Personal Data by the Processor is limited to the purpose and scope set out in Schedule 1 (Personal Data) to this Agreement.

4.4 The Processor must maintain a record of its processing activities, comprising information required by applicable regulations, unless applicable regulations exempt it from maintaining such a record.

4.5 The Processor must maintain a record of all categories of processing activities carried out on behalf of the Controller, in accordance with Article 30 section 2 of the GDPR, unless applicable regulations exempt it from maintaining such a record.

4.6 Taking into account the nature of the processing of the Personal Data, the Processor shall assist the Controller in fulfilling the Controller’s obligation to respond to requests for exercising the Personal Data subject’s rights in accordance with applicable regulations, by implementing appropriate technical and organisational measures.

Authorisation to Process

4.7 The Processor shall ensure that persons involved in Personal Data processing operations in its organisation:

(a) receive written authorisations to process the Personal Data;

(b) are familiar with applicable regulations pertaining to personal data processing (including any amendments) and liability for infringement;

(c) process the Personal Data exclusively upon the Controller’s instructions (save as permitted under Clause 4.2 above); and

(d) undertake to keep the Personal Data and any security measures implemented by the Processor confidential in perpetuity, unless they are under an appropriate statutory obligation of confidentiality.

4.8 The Processor shall maintain a record of issued authorisations to process the Personal Data, referred to in Clause 4.7 (a) above.

Engaging Sub-Processors

4.9 The Processor may sub-contract the processing of the Personal Data to a sub-processor provided that, it concludes an agreement with the sub-processor for processing Personal Data on terms not worse than the terms of this Agreement.

4.10 In case the sub-contractor fails to fulfil his obligations of Personal Data protection, the Processor shall be fully liable towards the Controller for fulfilment of the sub-processor’s obligations.

5. Personal Data Security

Security Measures

5.1 The Processor shall use technical and organisational measures which are appropriate to the threats and nature, scope, context and purposes of processing of the Personal Data, assuring security of the Personal Data, in particular from their accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

5.2 The Processor shall constantly monitor the state of the implemented measures of security of the Personal Data, as well as existing security threats, and (if required) update the used technical and organisational measures, in order to assure the highest possible level of Personal Data protection.

Cooperation Regarding Security

5.3 The Processor shall, taking into account the nature of processing of the Personal Data and the information available to the Processor, assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR.

5.4 The Processor shall, prior to taking any actions, notify the Controller of any case of:

(a) any authority demanding that the Personal Data be made available to it, unless it is prohibited to disclose that information by applicable regulations;

(b) any Personal Data subject issuing a demand pertaining to the processing of the Personal Data or its contents.

5.5 The Processor shall promptly, in any case not later than within 48 (forty eight) hours of detection, notify the Controller of any detected Personal Data breaches, providing the Controller with any information pertaining to the breach which is available to the Processor.

5.6 The Processor shall cooperate with the Controller, in order to identify details of the Personal Data breach notified to the Controller, in particular its causes and results of its occurrence, as well as implement measures advised by the Controller, aiming to mitigate possible adverse effects of the Personal Data breach, and remedial actions.

5.7 The Processor shall promptly inform the Controller if, in its opinion, any instructions received from the Controller infringes applicable regulations.

6. Right of Control

6.1 The Controller has the right to control the manner in which the Processor performs its obligations set out in this Agreement or in accordance with applicable regulations. In particular, the Controller has the right to demand that the Processor makes available certain information and/or documents, as well as to conduct – directly or via an auditor engaged by the Controller – audits, including inspections in the place of the processing of the Personal Data by the Processor. The audit can be conducted once a year with prior written, at least 14-days, notice to the Processor.

6.2 The Processor is obliged to cooperate with the Controller or the auditor engaged by the Controller during the ongoing control proceedings, in a manner enabling the Controller to confirm that the Processor has properly carried out its obligations.

7. Termination

7.1 This Agreement enters into force on the date of its signing and remains in force until the termination and/or expiry of the last agreement binding the Parties, which give basis for the necessity of processing of the Personal Data by the Processor.

7.2 Not later than on the date of termination of this Agreement the Processor shall:

(a) delete all Personal Data; or

(b) return to the Controller all carriers containing the Personal Data and delete all existing copies of the Personal Data, unless applicable regulations require further storage of a part of or all the Personal Data by the Processor,

depending on the Processor’s choice.

8. Notices

8.1 Any correspondence between the Parties in relation to this Agreement will be prepared in writing or in an electronic form, in English, and will be deemed delivered:

(a) with the moment of delivery – in case of personal delivery or with the moment of receipt – in case of postage (registered mail with a confirmation of receipt) or delivery via a reputable courier service; or

(b) with the moment of occurrence of the possibility to read its contents – in case of correspondence via email.

8.2 The Parties appoint their representatives authorised to receive deliveries referred to in Clause 8.1 above Any correspondence will be sent to the relevant address indicated below or to another address communicated by the other Party in accordance with this Agreement:

(a) to the Processor:

Email: contact@quickchat.ai

(b) to the Controller:

Email address used by the Controller to log in to https://app.quickchat.ai platform.

8.3 The Parties shall inform their representatives indicated in Clause 8.2 above of transferring their personal data to the other Party, providing them with any information required by applicable regulations, in particular information about their rights and about the fact that the transfer of their personal data was effected pursuant to this Agreement, for the purpose of performing its provisions.

9. Final Provisions

Entire Agreement

9.1 Agreement constitutes the whole agreement between the Parties and replaces in full any previous or simultaneous arrangements made by the Parties (in writing or orally) in the scope regulated by this Agreement.

Schedules

9.2 Schedules to this Agreement constitute an integral part of this Agreement and shall be construed jointly with the main text of this Agreement.

Governing Law

9.3 Agreement shall be governed by, and construed in accordance with, the laws of Poland.

Dispute Resolution

9.4 Any disputes between the Parties shall be resolved in amicable negotiations. In case the Parties do not reach an agreement within 30 (thirty) days of the date of notifying the dispute to the other Party, the dispute will be directed for resolution to a common court relevant for the registered office of the Processor.

Assignment

9.5 No Party shall be entitled to assign any of its rights and/or obligations under this Agreement without the prior written consent of the other Party.

Amendments

9.6 Any amendment to this Agreement, apart from changing information regarding authorised representatives, indicated in Clause 8.2 above, must be in writing and signed by or on behalf of each Party, otherwise being null and void.

Counterparts

9.7 This Agreement was drawn up in 2 (two) counterparts, one for each Party.

SCHEDULE 1 - Personal Data

1. Type of Personal Data: Name, surname, address, personal identification number, telephone number, email, location data, IP address.

2. Categories of the Personal Data subjects: Business partners, clients, users, distributors

3. Scope of Personal Data Processing: Collecting, recording, organizing, structuring, adapting, storing, altering, retrieving using, disclosing, combining, erasing.

4. Nature of the Processing: Systematic

5. Purpose of Processing: Provision of services in accordance with Terms of Service available here: https://www.quickchat.ai/terms

6. Duration of Processing: Duration of provision of services in accordance with Terms of Service available here: https://www.quickchat.ai/terms