Pulz.io Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated into the Terms and Conditions (the “Main Agreement”) between Madness AI Inc. dba Pulz.io (“Pulz.io” or “Processor”) and the customer (“Customer” or “Controller”) who has agreed to the Main Agreement. This DPA sets out the terms under which Pulz.io processes personal data on behalf of the Customer.

1. Definitions

1.1 “CCPA” refers to the California Consumer Privacy Act of 2018, as amended.

1.2 “Customer Content” means any data, information, or content submitted by the Customer or its end users to the Service, including but not limited to personal data.

1.3 “Data Protection Laws” means all data protection and privacy laws applicable to the processing of personal data under the Main Agreement, including the CCPA.

1.4 “Data Subject” means an identifiable individual whose personal data is processed by Pulz.io under this DPA.

1.5 “Personal Data” means any information relating to an identified or identifiable natural person, processed by Pulz.io on behalf of the Customer.

1.6 “Processing” means any operation or set of operations performed on personal data, whether or not by automated means.

1.7 “Subprocessor” means any third party appointed by Pulz.io to process personal data on behalf of the Customer.

2. Purpose and Scope

2.1 Role of the Parties: Customer acts as the Data Controller and Pulz.io acts as the Data Processor. Pulz.io processes Personal Data on behalf of the Customer as necessary to provide the Service described in the Main Agreement.

2.2 Scope of Processing: Pulz.io will process Customer Content as directed by the Customer for purposes related to the provision of Pulz.io’s services, such as generating AI-driven outputs, managing end-user interactions, and enhancing the Service.

2.3 Nature of Processing: Processing includes collection, storage, use, modification, transmission, and deletion of Personal Data as required to provide the Service.

3. Obligations of Pulz.io

3.1 Compliance: Pulz.io will comply with all applicable Data Protection Laws in its processing of Personal Data.

3.2 Instructions: Pulz.io will process Personal Data only in accordance with documented instructions from the Customer unless required to do otherwise by applicable law. Pulz.io will inform the Customer if, in its opinion, an instruction infringes applicable law.

3.3 Confidentiality: Pulz.io ensures that all personnel authorized to process Personal Data are committed to confidentiality.

3.4 Security Measures: Pulz.io implements appropriate technical and organizational measures to ensure the security of Personal Data. For detailed information, please refer to our Data Security Policy and Privacy Policy. Key measures include:

• Encryption of data in transit and at rest.
• Access controls based on the principle of least privilege.
• Secure development practices and isolated environments for testing and production.
• Incident response protocols and regular security assessments.

4. Subprocessors

4.1 Use of Subprocessors: Pulz.io may engage Subprocessors to process Personal Data on behalf of the Customer. A current list of Subprocessors is available on our Subprocessors List page and will be updated regularly.

4.2 Subprocessor Obligations: Pulz.io will ensure that Subprocessors are bound by data protection obligations consistent with those in this DPA. Pulz.io remains liable for any acts or omissions of its Subprocessors.

4.3 Notification of Changes: Pulz.io will inform the Customer of any intended changes to Subprocessors, giving the Customer an opportunity to object to such changes.

5. Data Subject Rights

5.1 Assistance: Pulz.io will provide reasonable assistance to the Customer in responding to Data Subject requests, such as access, correction, or deletion requests, to the extent legally required.

5.2 Requests Handling: If Pulz.io receives a Data Subject request directly, it will notify the Customer and await further instructions, unless prohibited by law.

6. Data Transfers

6.1 Processing Locations: Personal Data may be processed outside of the United States, including by authorized personnel or Subprocessors. All such transfers will be conducted in compliance with applicable Data Protection Laws.

7. Security Breach Notification

7.1 Breach Notification: Pulz.io will notify the Customer without undue delay upon becoming aware of a Personal Data breach affecting the Customer’s Personal Data. Pulz.io will provide details of the breach and take appropriate steps to mitigate any adverse effects.

8. Data Retention and Deletion

8.1 Retention: Pulz.io retains Personal Data only as long as necessary to fulfill the purposes outlined in the Main Agreement or as required by applicable law.

8.2 Deletion or Return of Data: Upon termination of the Main Agreement or upon Customer’s request, Pulz.io will delete or return all Personal Data unless otherwise required by law.

9. Liability and Indemnification

9.1 Limitation of Liability: The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Main Agreement.

9.2 Indemnification: The Customer will indemnify Pulz.io against any claims arising from the Customer’s failure to comply with its data protection obligations under this DPA.

10. General Provisions

10.1 Governing Law: This DPA shall be governed by and construed in accordance with the laws applicable to the Main Agreement.

10.2 Amendments: Pulz.io reserves the right to update this DPA in line with changes to applicable Data Protection Laws or operational practices, provided that no such update shall materially reduce the level of protection for Personal Data.

10.3 Order of Precedence: In the event of a conflict between this DPA and any other agreements between the parties, this DPA shall prevail with respect to data protection matters.