Data Processing Addendum

Pursuant to the written agreement between Customer and Concierge AI Technologies, Inc. (“Concierge AI”) (each a “Party” and collectively the “Parties”) titled Master Customer Agreement (“the Agreement”), the Parties hereby adopt this U.S. Privacy Law Data Processing Addendum (“U.S. DPA”). This U.S. DPA prevails over any conflicting terms of the Agreement.

  1. Definitions. For the purposes of this U.S. DPA:

1.1. “Consumer” means a natural person. Where applicable, Consumer shall be interpreted consistent with the same or similar term under the U.S. Privacy Laws.

1.2. “Controller” means a person or entity that collects individuals’ Personal Data and alone, or jointly with others, determines the purposes and means of the Processing of such Personal Data. Where applicable, Controller shall be interpreted consistent with the same or similar term under the U.S. Privacy Laws.

1.3. “Customer Personal Data” means Personal Data provided by Customer to, or which is collected on behalf of Customer by, Concierge AI to provide services to Customer pursuant to the Agreement.

1.4. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person. Where applicable, Personal Data shall be interpreted consistent with the same or similar term under U.S. Privacy Laws.

1.5. “Processing,” “Process,” and “Processed” means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means. Where applicable, Processing, Process, and Processed shall be interpreted consistent with the same or similar term under the U.S. Privacy Laws.

1.6. “Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in the U.S. Privacy Laws.

1.7. “Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws.

1.8. “Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA.

1.9. “U.S. Privacy Laws” means, collectively, all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals’ Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health information). U.S. Privacy Laws include, but are not limited to, the following:

1.9.1. California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”);

1.9.2. Colorado Privacy Act;

1.9.3. Connecticut Personal Data Privacy and Online Monitoring Act;

1.9.4. Delaware Personal Data Privacy Act;

1.9.5. Indiana Consumer Data Protection Act;

1.9.6. Iowa Consumer Data Protection Act;

1.9.7. Kentucky Consumer Data Protection Act;

1.9.8. Maryland Online Data Privacy Act;

1.9.9. Minnesota Consumer Data Privacy Act;

1.9.10. Montana Consumer Data Privacy Act;

1.9.11. Nebraska Data Privacy Act;

1.9.12. New Hampshire Act Relative to the Expectation of Privacy;

1.9.13. New Jersey Act Concerning Online Services, Consumers, and Personal Data;

1.9.14. Oregon Consumer Privacy Act;

1.9.15. Rhode Island Data Transparency and Privacy Protection Act;

1.9.16. Tennessee Information Privacy Act;

1.9.17. Texas Data Privacy and Security Act;

1.9.18. Utah Consumer Privacy Act; and

1.9.19. Virginia Consumer Data Protection Act.

1.10. In the event of a conflict in the meanings of defined terms in the U.S. Privacy Laws, the meaning from the

  2. Scope, Roles, and Termination.

2.1. Applicability - This U.S. DPA applies only to Concierge AI’s Processing of Customer Personal Data for the nature, purposes, and duration set forth in Appendix A.

2.2. Roles of the Parties - For the purposes of the Agreement and this U.S. DPA, Customer is the Party responsible for determining the purposes and means of Processing Customer Personal Data as the Controller and appoints Concierge AI as a Processor to Process Customer Personal Data on behalf of Customer for the limited and specific purposes set forth in Appendix A.

2.3. Obligations at Termination - Upon termination of the Agreement, except as set forth therein or herein, Concierge AI will discontinue Processing and destroy or, at Customer’s election and expense, return Customer Personal Data in its or its subcontractors’ and sub-processors’ possession without undue delay. Concierge AI may retain Customer Personal Data to the extent required by law but only to the extent and for such period as required by such law and always provided that Concierge AI shall ensure the confidentiality of all such Customer Personal Data.

  3. Compliance.

3.1. Privacy Notices - Customer shall provide any required privacy notices to Consumers and obtain Consumers’ consent where required for Concierge AI’s processing of Customer Personal Data as set forth in this U.S. DPA.

3.2. Compliance with Obligations - Concierge AI, its employees, agents, subcontractors, and sub-processors (a) shall comply with the obligations of the U.S. Privacy Laws, (b) shall provide the level of privacy protection required by the U.S. Privacy Laws, (c) shall provide Customer with all reasonably-requested assistance to enable Customer to fulfill its own obligations under the U.S. Privacy Laws, and (d) understand and shall comply with this U.S. DPA. Upon the reasonable request of Customer, Concierge AI shall make available to Customer information in Concierge AI’s possession necessary to demonstrate Concierge AI’s compliance with this subsection.

3.3. Compliance Assurance - Customer has the right to take reasonable and appropriate steps to ensure that Concierge AI uses Customer Personal Data consistent with Customer’s obligations under applicable U.S. Privacy Laws and this U.S. DPA.

3.4. Compliance Monitoring - Customer has the right to monitor Concierge AI’s compliance with this U.S. DPA through measures, including, but not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other annual technical and operational testing no more than once every 12 months. Concierge AI shall cooperate fully with any audit initiated by Customer, provided that such audit will not unreasonably interfere with the normal conduct of Concierge AI’s business. Unless the audit reveals a breach by Concierge AI of this U.S. DPA or applicable U.S. Privacy Laws, Customer shall bear the costs of the audit. Alternatively, with Customer’s consent, Concierge AI shall arrange for a qualified and independent assessor to conduct an assessment, at least annually and at Concierge AI’s expense, of Concierge AI’s policies and technical and organizational measures in support of the obligations under this U.S. DPA, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Concierge AI shall provide a report of such assessment to Customer upon request.

3.5. Compliance Remediation - Concierge AI shall promptly notify Customer if it determines that it can no longer meet its obligations under applicable U.S. Privacy Laws. Upon receiving notice from Concierge AI in accordance with this subsection, Customer may direct Concierge AI to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

  4. Restrictions on Processing.

4.1. Limitations on Processing - Concierge AI will Process Customer Personal Data solely as instructed in the Agreement and this U.S. DPA or as otherwise required by law. Except as expressly permitted by the U.S. Privacy Laws, Concierge AI is prohibited from (i) Selling or Sharing Customer Personal Data, (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose of performing the services specified in Appendix A, (iii) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties, and (iv) combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable U.S. Privacy Laws. For the avoidance of doubt, Concierge AI is permitted to retain, use, and disclose Customer Personal Data for product improvement purposes.

4.2. Confidentiality - Concierge AI shall ensure that its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to Customer Personal Data.

4.3. Subcontractors; Sub-processors - Concierge AI’s current subcontractors and sub-processors are set forth in Appendix C. Concierge AI shall notify Customer of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, Concierge AI shall ensure that Concierge AI’s subcontractors or sub-processors who Process Customer Personal Data on Concierge AI’s behalf agree in writing to the same or equivalent restrictions and requirements that apply to Concierge AI in this U.S. DPA and the Agreement with respect to Customer Personal Data, as well as to comply with the applicable U.S. Privacy Laws.

4.4. Right to Object - Customer may object in writing to Concierge AI’s appointment of a new subcontractor or sub-processor on reasonable grounds by notifying Concierge AI in writing within 10 calendar days of receipt of notice in accordance with Section 4.3. In the event Customer objects, the Parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution.

  5. Security.

5.1. The Parties shall implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, to protect Customer Personal Data from unauthorized access, destruction, use, modification, or disclosure. Without limiting the foregoing, the Parties shall comply with the security measures set forth at Appendix B when Processing Customer Personal Data.

  6. Consumer Rights.

6.1. Concierge AI shall provide commercially reasonable assistance to Customer for the fulfillment of Customer’s obligations to respond to Consumer rights requests regarding Customer Personal Data, including promptly deleting, correcting, or providing a copy of a Consumer’s Personal Data upon direction by Customer.

6.2. Where applicable, Customer shall inform Concierge AI of any Consumer request made pursuant to the U.S. Privacy Laws that they must comply with. Customer shall provide Concierge AI with the information necessary for Concierge AI to comply with the request.

6.3. Concierge AI shall not be required to delete any Customer Personal Data to comply with a Consumer’s request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws; provided, however, that in such case, Concierge AI will promptly inform Customer of the exceptions relied upon under applicable U.S. Privacy Laws and Concierge AI shall not use Customer Personal Data retained for any purpose other than provided for by that exception.

  7. Sale of Data.

7.1. The Parties acknowledge and agree that the disclosure or making available of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this U.S. DPA.

  8. Exemptions.

8.1. Notwithstanding any provision to the contrary in the Agreement or this U.S. DPA, the terms of this U.S. DPA shall not apply to Concierge AI’s Processing of Customer Personal Data that is exempt from applicable U.S. Privacy Laws.

  9. Changes to Applicable U.S. Privacy Laws.

9.1. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, the U.S. Privacy Laws.

Appendix A - Processing Details

Nature and Purpose(s) of the Processing

To perform services on behalf of the Customer pursuant to the Agreement and any related order form, including all Processing reasonably necessary to provide an AI chatbot embedded in Customer’s website for use by Customer’s end customers, buying prospects, and other external stakeholders.

Types of Customer Personal Data Subject to Processing

Contents of communications between the chatbot provided by Concierge AI and users of Customer’s website.

Duration of Processing

For the duration of the Agreement.

Appendix B – Security Measures

The Parties will apply at least the following types of security measures to Customer Personal Data:

  1. Physical access control
    Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include:

    • Establishing access authorizations for employees and third parties;

    • Access control system;

    • Key management, card-keys procedures;

    • Door locking (electric door openers);

    • Security staff; and

    • Securing decentralized data processing equipment and personal computers.

  2. Virtual access control
    Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

    • User identification and authentication procedures;

    • ID/password security procedures (special characters, minimum length, change of password);

    • Automatic blocking (e.g. password or timeout);

    • 2 factor authentication (for secure login); and

    • Encryption of data at rest.

  3. Data access control
    Technical and organizational measures to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:

    • Internal policies and procedures;

    • Control authorization schemes;

    • Default configuration;

    • Differentiated access rights (profiles, roles, transactions and objects);

    • Monitoring and logging of access;

    • Disciplinary action against employees who access Customer Personal Data without authorization;

    • Reports of access;

    • Access procedure;

    • Change procedure;

    • Deletion procedure; and

    • Encryption.

  4. Disclosure control
    Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:

    • Encryption;

    • Logging; and

    • Transport security.

  5. Control of instructions
    Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:

    • Unambiguous wording of the contract;

    • Formal commissioning (request form); and

    • Criteria for selecting the Processor.

  6. Availability control
    Technical and organizational measures to ensure the integrity, availability and resilience of the processing systems, and that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:

    • Backup procedures;

    • Remote storage; and

    • Antivirus.

  7. Separation control
    Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:

    • “Internal client” concept / limitation of use;

    • Segregation of functions (production/testing); and

    • Procedures for storage, amendment, deletion, transmission of data for different purposes.

  8. Testing controls
    Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:

    • Testing and evaluation of software updates before they are installed.

  9. IT governance
    Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:

    • Processes for data minimization;

    • Processes for data quality;

    • Processes for ensuring accountability; and

    • Data subject rights policies.

Appendix C – Sub-processor Details

To support delivery of Concierge AI’s services, Concierge AI may engage and use third parties as sub-processors to Process certain Customer Personal Data. This Appendix C provides information about the identity, location, and role of each sub-processor.

Entity Name | Purpose of Processing | Location of Processing

Anthropic PBC | AI model via API for core product | San Francisco, California, United States

Google LLC | Cloud services (GCP), database (GCP), AI model via API for core product (Gemini), customer communication (Gmail) | Mountain View, California, United States

OpenAI, Inc. | AI model via API for core product | San Francisco, California, United States

Perplexity AI, Inc. | AI model via API for core product | San Francisco, California, United States

X.AI Corp. | AI model via API for core product | San Francisco Bay Area, California, United States

PostHog, Inc. | Product analytics | San Francisco, California, United States

Retool, Inc. | Product analytics and visibility | San Francisco, California, United States

Sentry, Inc. | Error reporting | San Francisco, California, United States

Databricks Inc. | Database hosting (Neon) | San Francisco, California, United States

Clerk, Inc. | Authentication and user management | San Francisco, California, United States

Salesforce, Inc. | Customer communication (Slack) | San Francisco, California, United States

Vercel Inc. | Frontend Cloud platform for web app | Covina, California, United States

Stripe, Inc. | Payment processing | South San Francisco, California, United States

Data Processing Addendum

Pursuant to the written agreement between Customer and Concierge AI Technologies, Inc. (“Concierge AI”) (each a “Party” and collectively the “Parties”) titled Master Customer Agreement (“the Agreement”), the Parties hereby adopt this U.S. Privacy La Data Processing Addendum (“U.S. DPA”). This U.S. DPA prevails over any conflicting terms of the Agreement.

  1. Definitions. For the purposes of this U.S. DPA--

1.1 “Consumer” means a natural person. Where applicable, Consumer shall be interpreted consistent with the same or similar term under the U.S. Privacy Laws.

1.2. “Controller” means a person or entity that collects individuals’ Personal Data and alone, or jointly with others, determines the purposes and means of the Processing of such Personal Data. Where applicable, Controller shall be interpreted consistent with the same or similar term under the U.S. Privacy Laws.

1.3. “Customer Personal Data” means Personal Data provided by Customer to, or which is collected on behalf of Customer by, Concierge AI to provide services to Customer pursuant to the Agreement.

1.4. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person. Where applicable, Personal Data shall be interpreted consistent with the same or similar term under U.S. Privacy Laws.

1.5. “Processing,” “Process,” and “Processed” means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means. Where applicable, Processing, Process, and Processed shall be interpreted consistent with the same or similar term under the U.S. Privacy Laws.

1.6. “Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in the U.S. Privacy Laws.

1.7. “Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws.

1.8 “Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA.

1.9 “U.S. Privacy Laws” means, collectively, all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals' Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health information). U.S. Privacy Laws include, but are not limited to, the following:

1.9.1. California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”);

1.9.2. Colorado Privacy Act;

1.9.3. Connecticut Personal Data Privacy and Online Monitoring Act;

1.9.4. Delaware Personal Data Privacy Act;

1.9.5. Indiana Consumer Data Protection Act;

1.9.6. Iowa Consumer Data Protection Act;

1.9.7. Kentucky Consumer Data Protection Act;

1.9.8. Maryland Online Data Privacy Act;

1.9.9. Minnesota Consumer Data Privacy Act;

1.9.10. Montana Consumer Data Privacy Act;

1.9.11. Nebraska Data Privacy Act;

1.9.12. New Hampshire Act Relative to the Expectation of Privacy;

1.9.13. New Jersey Act Concerning Online Services, Consumers, and Personal Data;

1.9.14. Oregon Consumer Privacy Act;

1.9.15. Rhode Island Data Transparency and Privacy Protection Act;

1.9.16. Tennessee Information Privacy Act;

1.9.17. Texas Data Privacy and Security Act;

1.9.18. Utah Consumer Privacy Act; and

1.9.19. Virginia Consumer Data Protection Act.

1.10. In the event of a conflict in the meanings of defined terms in the U.S. Privacy Laws, the meaning from the

  1. Scope, Roles, and Termination.

2.1. Applicability - This U.S. DPA applies only to Concierge AI’s Processing of Customer Personal Data for the nature, purposes, and duration set forth in Appendix A.

2.2. Roles of the Parties - For the purposes of the Agreement and this U.S. DPA, Customer is the Party responsible for determining the purposes and means of Processing Customer Personal Data as the Controller and appoints Concierge AI as a Processor to Process Customer Personal Data on behalf of Customer for the limited and specific purposes set forth in Appendix A.

2.3 Obligations at Termination - Upon termination of the Agreement, except as set forth therein or herein, Concierge AI will discontinue Processing and destroy or, at Customer’s election and expense, return Customer Personal Data in its or its subcontractors’ and sub-processors’ possession without undue delay. Concierge AI may retain Customer Personal Data to the extent required by law but only to the extent and for such period as required by such law and always provided that Concierge AI shall ensure the confidentiality of all such Customer Personal Data.

  1. Compliance.

3.1 Privacy Notices. Customer shall provide any required privacy notices to Consumers and obtain Consumers’ consent where required for Concierge AI’s processing of Customer Personal Data as set forth in this U.S. DPA.

3.2. Compliance with Obligations - Concierge AI, its employees, agents, subcontractors, and sub-processors (a) shall comply with the obligations of the U.S. Privacy Laws, (b) shall provide the level of privacy protection required by the U.S. Privacy Laws, (c) shall provide Customer with all reasonably-requested assistance to enable Customer to fulfill its own obligations under the U.S. Privacy Laws, and (d) understand and shall comply with this U.S. DPA. Upon the reasonable request of Customer, Concierge AI shall make available to Customer information in Concierge AI’s possession necessary to demonstrate Concierge AI’s compliance with this subsection.

3.3. Compliance Assurance - Customer has the right to take reasonable and appropriate steps to ensure that Concierge AI uses Customer Personal Data consistent with Customer’s obligations under applicable U.S. Privacy Laws and this U.S. DPA.

3.4. Compliance Monitoring - Customer has the right to monitor Concierge AI’s compliance with this U.S. DPA through measures, including, but not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other annual technical and operational testing no more than once every 12 months. Concierge AI shall cooperate fully with any audit initiated by Customer, provided that such audit will not unreasonably interfere with the normal conduct of Concierge AI’s business. Unless the audit reveals a breach by Concierge AI of this U.S. DPA or applicable U.S. Privacy Laws, Customer shall bear the costs of the audit. Alternatively, with Customer’s consent, Concierge AI shall arrange for a qualified and independent assessor to conduct an assessment, at least annually and at the Concierge AI's expense, of Concierge AI's policies and technical and organizational measures in support of the obligations under this U.S. DPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Concierge AI shall provide a report of such assessment to Customer upon request.

3.5. Compliance Remediation – Concierge AI shall promptly notify Customer if it determines that it can no longer meet its obligations under applicable U.S. Privacy Laws. Upon receiving notice from Concierge AI in accordance with this subsection, Customer may direct Concierge AI to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

  1. Restrictions on Processing.

4.1. Limitations on Processing - Concierge AI will Process Customer Personal Data solely as instructed in the Agreement and this U.S. DPA or as otherwise required by law. Except as expressly permitted by the U.S. Privacy Laws, Concierge AI is prohibited from (i) Selling or Sharing Customer Personal Data, (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose of performing the services specified in Appendix A, (iii) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties, and (iv) combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable U.S. Privacy Laws. For the avoidance of doubt, Concierge AI is permitted to retain, use, and disclose Customer Personal Data for product improvement purposes.

4.2. Confidentiality - Concierge AI shall ensure that its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to Customer Personal Data.

4.3. Subcontractors; Sub-processors – Concierge AI’s current subcontractors and sub-processors are set forth in Appendix C. Concierge AI shall notify Customer of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, Concierge AI shall ensure that Concierge AI’s subcontractors or sub-processors who Process Customer Personal Data on Concierge AI’s behalf agree in writing to the same or equivalent restrictions and requirements that apply to Concierge AI in this U.S. DPA and the Agreement with respect to Customer Personal Data, as well as to comply with the applicable U.S. Privacy Laws.

4.4. Right to Object – Customer may object in writing to Concierge AI’s appointment of a new subcontractor orsub-processor on reasonable grounds by notifying Concierge AI in writing within 10 calendar days of receipt of notice in accordance with Section 4.3. In the event Customer objects, the Parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution.

  1. Security.

5.1. The Parties shall implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, to protect Customer Personal Data from unauthorized access, destruction, use, modification, or disclosure. Without limiting the foregoing, the Parties shall comply with the security measures set forth at Appendix B when Processing Customer Personal Data.

  1. Consumer Rights.

6.1. Concierge AI shall provide commercially reasonable assistance to Customer for the fulfillment of Customer’s obligations to respond to Consumer rights requests regarding Customer Personal Data, including promptly deleting, correcting, or providing a copy of a Consumer’s Personal Data upon direction by Customer.

6.2. Where applicable, Customer shall inform Concierge AI of any Consumer request made pursuant to the U.S. Privacy Laws that they must comply with. Customer shall provide Concierge AI with the information necessary for Concierge AI to comply with the request.

6.3. Concierge AI shall not be required to delete any Customer Personal Data to comply with a Consumer’s request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws; provided, however, that in such case, Concierge AI will promptly inform Customer of the exceptions relied upon under applicable U.S. Privacy Laws and Concierge AI shall not use Customer Personal Data retained for any purpose other than provided for by that exception.

  1. Sale of Data.

7.1. The Parties acknowledge and agree that the disclosure or making available of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this U.S. DPA.

  1. Exemptions

8.1. Notwithstanding any provision to the contrary in the Agreement or this U.S. DPA, the terms of this U.S. DPA shall not apply to Concierge AI’s Processing of Customer Personal Data that is exempt from applicable U.S. Privacy Laws.

  9. Changes to Applicable U.S. Privacy Laws.

9.1. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, the U.S. Privacy Laws.

Appendix A - Processing Details

Nature and Purpose(s) of the Processing

To perform services on behalf of the Customer pursuant to the Agreement and any related order form, including all Processing reasonably necessary to provide an AI chatbot embedded in Customer’s website for use by Customer’s end customers, buying prospects, and other external stakeholders.

Types of Customer Personal Data Subject to Processing

Contents of communications between the chatbot provided by Concierge AI and users of Customer’s website.

Duration of Processing

For the duration of the Agreement.

Appendix B – Security Measures

The Parties will apply at least the following types of security measures to Customer Personal Data:

  1. Physical access control
    Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include:

    • Establishing access authorizations for employees and third parties;

    • Access control system;

    • Key management, card-keys procedures;

    • Door locking (electric door openers);

    • Security staff; and

    • Securing decentralized data processing equipment and personal computers.

  2. Virtual access control
    Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

    • User identification and authentication procedures;

    • ID/password security procedures (special characters, minimum length, change of password);

    • Automatic blocking (e.g. password or timeout);

    • Two-factor authentication (for secure login); and

    • Encryption of data at rest.

  3. Data access control
    Technical and organizational measures to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:

    • Internal policies and procedures;

    • Control authorization schemes;

    • Default configuration;

    • Differentiated access rights (profiles, roles, transactions and objects);

    • Monitoring and logging of access;

    • Disciplinary action against employees who access Customer Personal Data without authorization;

    • Reports of access;

    • Access procedure;

    • Change procedure;

    • Deletion procedure; and

    • Encryption.

  4. Disclosure control
    Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:

    • Encryption;

    • Logging; and

    • Transport security.

  5. Control of instructions
    Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:

    • Unambiguous wording of the contract;

    • Formal commissioning (request form); and

    • Criteria for selecting the Processor.

  6. Availability control
    Technical and organizational measures to ensure the integrity, availability and resilience of the processing systems, and that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:

    • Backup procedures;

    • Remote storage; and

    • Antivirus.

  7. Separation control
    Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:

    • “Internal client” concept / limitation of use;

    • Segregation of functions (production/testing); and

    • Procedures for storage, amendment, deletion, transmission of data for different purposes.

  8. Testing controls
    Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:

    • Testing and evaluation of software updates before they are installed.

  9. IT governance
    Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:

    • Processes for data minimization;

    • Processes for data quality;

    • Processes for ensuring accountability; and

    • Data subject rights policies.

Appendix C – Sub-processor Details

To support delivery of Concierge AI’s services, Concierge AI may engage and use third parties as sub-processors to Process certain Customer Personal Data. This Appendix C provides information about the identity, location, and role of each sub-processor.

| Entity Name | Purpose of Processing | Location of Processing |
|---|---|---|
| Anthropic PBC | AI model via API for core product | San Francisco, California, United States |
| Google LLC | Cloud services (GCP), database (GCP), AI model via API for core product (Gemini), customer communication (Gmail) | Mountain View, California, United States |
| OpenAI, Inc. | AI model via API for core product | San Francisco, California, United States |
| Perplexity AI, Inc. | AI model via API for core product | San Francisco, California, United States |
| X.AI Corp. | AI model via API for core product | San Francisco Bay Area, California, United States |
| PostHog, Inc. | Product analytics | San Francisco, California, United States |
| Retool, Inc. | Product analytics and visibility | San Francisco, California, United States |
| Sentry, Inc. | Error reporting | San Francisco, California, United States |
| Databricks Inc. | Database hosting (Neon) | San Francisco, California, United States |
| Clerk, Inc. | Authentication and user management | San Francisco, California, United States |
| Salesforce, Inc. | Customer communication (Slack) | San Francisco, California, United States |
| Vercel Inc. | Frontend Cloud platform for web app | Covina, California, United States |
| Stripe, Inc. | Payment processing | South San Francisco, California, United States |

© Copyright 2025 Concierge AI Technologies, Inc.