Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between Babou AI, Inc. ("Babou," "Provider") and the customer agreeing to the Agreement ("Customer"). This DPA applies automatically where Babou processes Personal Data on behalf of Customer in the course of providing the Service.

Enterprise customers may negotiate a custom DPA by contacting us. Where a custom DPA exists, it will control to the extent of any conflict with this standard DPA.

1. Processor and Subprocessor Relationships

1.1 Provider as Processor

In situations where Customer is a Controller of the Customer Personal Data, Babou will be deemed a Processor that is Processing Personal Data on behalf of Customer.

1.2 Provider as Subprocessor

In situations where Customer is a Processor of the Customer Personal Data, Babou will be deemed a Subprocessor of the Customer Personal Data.

2. Processing

2.1 Processing Details

Subject matter

Processing of Personal Data that Customer submits to, or that is collected through, the Service.

Duration

The term of the Agreement plus the period until all Personal Data is deleted or returned.

Nature and purpose

To provide and maintain the Service as described in the Agreement, including content processing, rendering, and AI features.

Categories of Personal Data

Any Personal Data contained in Customer Content or Input, which may include names, contact information, images, likenesses, voice recordings, brand assets, prompts, and other data submitted by Customer or its end users.

Categories of data subjects

Customer's end users, employees, contractors, and any individuals whose Personal Data is contained in Customer Content or Input.

2.2 Processing Instructions

Customer instructs Babou to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through Customer's use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Babou. Babou will abide by these instructions unless prohibited by applicable law. Babou will immediately inform Customer if it is unable to follow Processing instructions.

2.3 Processing by Provider

Babou will only Process Customer Personal Data in accordance with this DPA. If Babou updates the Service to include new products, features, or functionality, Babou may update the processing details in Section 2.1 as needed to reflect the updates by notifying Customer.

2.4 Consent to Processing

Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Babou and the Service, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards required under Applicable Data Protection Laws.

2.5 Subprocessors

Customer provides general written authorization for Babou to engage Subprocessors to Process Customer Personal Data. A current list of Subprocessors is maintained in Section 6 of the Privacy Policy.

Babou will inform Customer at least 30 days in advance of any intended changes to the Subprocessor list, whether by addition or replacement, by updating the Privacy Policy. Customer has 30 days after notice of a change to object. If Customer does not object within 30 days, Customer will be deemed to accept the change. If Customer objects, Babou and Customer will cooperate in good faith to resolve the objection. If no resolution is reached, either party may terminate the affected portion of the Service.

When engaging a Subprocessor, Babou will have a written agreement ensuring the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform its obligations and consistent with the terms of the Agreement. Babou remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors.

3. International Transfers

3.1 Authorization

Customer agrees that Babou may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant territory as necessary to provide the Service. If Babou transfers Customer Personal Data to a territory for which the relevant authority has not issued an adequacy decision, Babou will implement appropriate safeguards consistent with Applicable Data Protection Laws.

3.2 EEA Transfers

Where the GDPR applies and Customer Personal Data is transferred from within the EEA to Babou outside the EEA, and the transfer is not governed by an adequacy decision, the parties are deemed to have signed the Standard Contractual Clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 ("EEA SCCs"), which are incorporated by reference.

• Module Two (Controller to Processor) applies when Customer is a Controller and Babou is a Processor.
• Module Three (Processor to Sub-Processor) applies when Customer is a Processor and Babou is a Subprocessor.
• In Clause 9, Option 2 (general written authorization) applies, with a minimum notice period of 30 days for Subprocessor changes.
• In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of Ireland.
• In Clause 18(b), disputes will be resolved in the courts of Ireland.

3.3 UK Transfers

Where UK GDPR applies and Customer Personal Data is transferred from the United Kingdom to Babou outside the United Kingdom, and the transfer is not governed by an adequacy decision, the parties are deemed to have signed the International Data Transfer Addendum to the EEA SCCs issued by the UK Information Commissioner ("UK Addendum"), which is incorporated by reference. Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent the ICO issues a revised Approved Addendum, the parties will work in good faith to revise this DPA accordingly.

3.4 Swiss Transfers

For transfers where Swiss law applies, references to the GDPR in the EEA SCCs are amended to refer to the Swiss Federal Data Protection Act or its successor, and the supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.

4. Security Incident Response

Upon becoming aware of any Security Incident, Babou will: (a) notify Customer without undue delay, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident. Babou's notification of or response to a Security Incident will not be construed as an acknowledgment of fault or liability.

5. Audit and Information Rights

5.1 Audit Rights

Babou will give Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits to assess compliance. However, Babou may restrict access to data or information if access would negatively impact Babou's intellectual property rights, confidentiality obligations, or other obligations under applicable law. Babou will maintain records of its compliance with this DPA for 3 years after the DPA ends.

5.2 Security Due Diligence

Babou will respond to reasonable requests for information to confirm compliance with this DPA, including responses to information security, due diligence, and audit questionnaires. All requests must be in writing and may only be made once per year.

6. Coordination and Cooperation

6.1 Data Subject Requests

If Babou receives any inquiry or request from a data subject or anyone else about the Processing of Customer Personal Data, Babou will notify Customer and will not respond without Customer's prior consent unless required by applicable law. Babou will follow Customer's reasonable instructions about these requests and will assist Customer in fulfilling valid data subject requests under Applicable Data Protection Laws.

6.2 Impact Assessments

If required by Applicable Data Protection Laws, Babou will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities.

7. Deletion of Customer Personal Data

7.1 Deletion by Customer

Babou will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Service. Babou will comply with deletion instructions as soon as reasonably practicable except where further storage is required by applicable law.

7.2 Deletion at Termination

After the Agreement expires or is terminated, Babou will return or delete Customer Personal Data at Customer's instruction within 60 days, unless further storage is required or authorized by applicable law. If return or destruction is impracticable or prohibited, Babou will make reasonable efforts to prevent additional Processing and will continue to protect the remaining Customer Personal Data.

8. Limitation of Liability

To the maximum extent permitted under Applicable Data Protection Laws, each party's total cumulative liability arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.

Any claims against Babou or its affiliates arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement.

This DPA does not limit any liability to an individual about the individual's data protection rights under Applicable Data Protection Laws. This DPA also does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.

9. Conflicts Between Documents

This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA and the Agreement, the following order of precedence applies: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.

10. Term

This DPA takes effect when Customer agrees to the Agreement and continues until the Agreement expires or is terminated. However, both parties remain subject to the obligations in this DPA and Applicable Data Protection Laws until Babou stops Processing Customer Personal Data.

11. Definitions

"Applicable Data Protection Laws"

The applicable laws that govern how the Service may process or use an individual's personal information, personal data, or other similar term, including GDPR and UK GDPR.

"Controller"

The company that determines the purpose and means of Processing Personal Data, as defined in Applicable Data Protection Laws.

"Customer Personal Data"

Personal Data that Customer uploads or provides to Babou as part of the Service and that is governed by this DPA.

"EEA SCCs"

The standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914.

"GDPR"

European Union Regulation 2016/679.

"Personal Data"

Has the meaning(s) given in Applicable Data Protection Laws for personal information, personal data, or similar term.

"Processing" or "Process"

Has the meaning(s) given in Applicable Data Protection Laws for any use of, or performance of a computer operation on, Personal Data.

"Processor"

The company that Processes Personal Data on behalf of the Controller, as defined in Applicable Data Protection Laws.

"Security Incident"

A Personal Data breach as defined in Article 4 of the GDPR.

"Subprocessor"

A company that, with the approval of the Controller, assists the Processor in Processing Personal Data on behalf of the Controller.

"UK Addendum"

The international data transfer addendum to the EEA SCCs issued by the UK Information Commissioner.

"UK GDPR"

European Union Regulation 2016/679 as retained in UK law by the European Union (Withdrawal) Act 2018.