Data Processing Agreement
Effective Date: 1 January 2025
Between Konvoq Ltd. ("Processor") and the Customer ("Controller")
1. Definitions
For the purposes of this Agreement:
- "Agreement" means this Data Processing Agreement including all schedules.
- "Controller" means the Customer who determines the purposes and means of processing personal data.
- "Processor" means Konvoq Ltd., who processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Protection Laws" means the EU General Data Protection Regulation (EU GDPR 2016/679) and all applicable national implementing laws.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Security Incident" means any confirmed breach of security leading to accidental or unlawful access to Personal Data.
2. Subject Matter and Duration
This Agreement applies to all Processing activities performed by the Processor on behalf of the Controller in connection with the Konvoq AI chatbot platform and related services ("Services"), as described in the main Services Agreement between the parties.
This Agreement commences on the Effective Date and remains in force for the duration of the Services Agreement, unless terminated earlier in accordance with Clause 12.
3. Nature and Purpose of Processing
The Processor shall process Personal Data only for the following purposes:
- Providing the Konvoq AI chatbot platform and associated features to the Controller and its end users;
- Training AI models on the Controller's website content and documentation as instructed by the Controller;
- Storing and routing conversation data between end users and the AI chatbot;
- Enabling human-agent handoff and hybrid inbox functionality;
- Generating analytics and conversation insights for the Controller;
- Processing contact form submissions and support requests on behalf of the Controller;
- Providing technical support, maintenance, and security monitoring of the Services.
The Processor shall not process Personal Data for any purpose other than those specified above or as otherwise instructed in writing by the Controller.
4. Categories of Personal Data and Data Subjects
The categories of Personal Data processed under this Agreement may include:
- End user identifiers (name, email address, IP address, device identifiers);
- Conversation content and chat transcripts;
- Contact form submission data (name, email, message content);
- Usage data and analytics (pages visited, session duration, click interactions);
- Lead qualification data as configured by the Controller (e.g. company name, role, budget range).
The Data Subjects to whom the Personal Data relates are:
- End users and website visitors of the Controller's website;
- Employees and authorised users of the Controller's Konvoq account.
5. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law;
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Schedule 1);
- Respect the conditions for engaging Sub-processors as set out in Clause 7;
- Assist the Controller in fulfilling Data Subject rights requests within the mandatory 30-day timeframe;
- Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations;
- Delete or return all Personal Data to the Controller upon termination of Services, at the Controller's choice, and delete existing copies unless storage is required by applicable law;
- Make available all information necessary to demonstrate compliance with this Agreement and allow for and contribute to audits.
6. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for processing Personal Data and for instructing the Processor to do so;
- Ensure that all Personal Data provided to the Processor has been collected in accordance with applicable Data Protection Laws;
- Provide clear and accurate instructions to the Processor regarding the Processing of Personal Data;
- Ensure that end users are informed about data processing activities in accordance with Articles 13 and 14 of the GDPR.
7. Sub-processors
The Controller grants general authorisation to the Processor to engage Sub-processors. The Processor shall maintain an up-to-date list of Sub-processors (Schedule 2) and shall notify the Controller of any intended changes at least 14 days in advance.
The Processor shall ensure that Sub-processors are bound by data protection obligations equivalent to those set out in this Agreement. The Processor remains fully liable to the Controller for the performance of any Sub-processor.
8. Security Measures
The Processor shall implement and maintain the technical and organisational security measures set out in Schedule 1. These measures are designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
The Processor shall regularly test, assess, and evaluate the effectiveness of these measures and update them as necessary.
9. Security Incidents and Breach Notification
In the event of a Security Incident affecting Personal Data processed under this Agreement, the Processor shall:
- Notify the Controller without undue delay and no later than 72 hours after becoming aware of the incident;
- Provide the Controller with sufficient information to meet its obligations under Article 33 of the GDPR, including: the nature of the incident, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed;
- Cooperate with the Controller and take all reasonable steps to mitigate the effects of the Security Incident.
10. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.
Where a Data Subject contacts the Processor directly, the Processor shall promptly forward the request to the Controller and shall not respond on behalf of the Controller without written authorisation.
Data Subjects may submit formal requests via konvoq.com/gdpr or by emailing support@konvoq.com.
11. International Data Transfers
The Processor shall not transfer Personal Data outside the European Economic Area (EEA) unless one of the following safeguards is in place:
- An adequacy decision by the European Commission;
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Any other appropriate safeguard permitted under Article 46 of the GDPR.
Details of any international transfers and applicable safeguards are set out in Schedule 2.
12. Term and Termination
This Agreement shall remain in effect for the duration of the Services Agreement. Either party may terminate this Agreement immediately upon written notice if the other party materially breaches any provision of this Agreement and fails to cure such breach within 14 days of receiving written notice.
Upon termination, the Processor shall, at the Controller's election, delete or return all Personal Data within 30 days, and certify such deletion in writing upon request.
13. Governing Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Entire Agreement
This Agreement, together with the Services Agreement and its schedules, constitutes the entire agreement between the parties with respect to the subject matter herein and supersedes all prior agreements, understandings, or representations relating to data processing.
Agreed and Accepted
Processor
Konvoq Ltd.
Remote-first / Global
support@konvoq.com
Authorised Signature
Name / Title / Date
Controller (Customer)
Company name, address, and contact to be completed by the Controller.
Authorised Signature
Name / Title / Date
Schedule 1 — Technical and Organisational Security Measures
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest using AES-256 or equivalent
- Role-based access controls limiting data access to authorised personnel only
- Multi-factor authentication (MFA) required for all internal system access
- Regular security vulnerability assessments and penetration testing
- Audit logging of all access to systems containing Personal Data
- Incident response plan with defined roles, escalation paths, and 72-hour notification procedure
- Employee security training and confidentiality agreements
- Data backup and disaster recovery procedures with defined RPO/RTO targets
- Vendor security assessments for all Sub-processors
Schedule 2 — List of Sub-processors
The following Sub-processors are currently authorised to process Personal Data on behalf of the Processor:
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Vercel Inc. | Hosting & CDN infrastructure | USA | SCCs / Adequacy |
| Microsoft (Clarity) | Session recording & analytics (consent-gated) | USA | SCCs |
| OpenAI | AI language model inference | USA | SCCs / DPA |
| Google (Cloud) | Infrastructure & storage services | EU/USA | SCCs / Adequacy |
| Stripe | Payment processing (where applicable) | USA | SCCs / Adequacy |
SCCs = EU Standard Contractual Clauses. This list is maintained and updated. Controllers will be notified of changes with at least 14 days' notice.
To request a countersigned copy or negotiate custom DPA terms, contact our legal team.
support@konvoq.com