Data Processing Agreement

'Customer' means the entity that has entered into the SalesVu Terms of Service or a master subscription agreement. 'Processor' means SalesVu, Inc.

'Personal Data', 'Data Subject', 'Controller', 'Processor', and 'Processing' have the meanings given in applicable Data Protection Laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).

'Sub-processor' means any third party engaged by SalesVu to Process Personal Data on behalf of Customer.

This Data Processing Agreement ('DPA') applies to SalesVu's Processing of Personal Data on behalf of Customer in connection with the Services.

Customer is the Controller (or Processor on behalf of its own controllers) of Personal Data submitted to the Services. SalesVu acts as Processor (or Sub-processor) and Processes Personal Data only on Customer's documented instructions.

SalesVu will Process Personal Data only to provide and improve the Services as described in the Terms of Service, the SalesVu documentation, and the Customer's configuration of the Services (including AI agents Customer enables).

If SalesVu believes an instruction violates applicable Data Protection Laws, it will notify Customer without undue delay.

Customer represents that it has obtained all necessary consents and provided all required notices to enable lawful Processing of Personal Data through the Services, including for any AI agent that interacts with end customers (such as Customer Service or Recommendations).

SalesVu will (a) Process Personal Data only on documented instructions from Customer; (b) ensure persons authorized to Process Personal Data are bound by confidentiality; (c) implement the technical and organizational measures described in Annex II; and (d) assist Customer in responding to Data Subject requests and security incidents.

Customer authorizes SalesVu to engage Sub-processors to Process Personal Data, subject to written agreements imposing data protection obligations no less protective than this DPA.

An up-to-date list of Sub-processors is maintained on the Trust Center at /trust. SalesVu will notify Customer of changes and provide a reasonable opportunity to object on legitimate data protection grounds.

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country not deemed adequate, the parties incorporate the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor; Module 3: Processor-to-Processor) and the UK International Data Transfer Addendum, as applicable.

Customer agrees that the SCCs apply to the Processing described in Annex I of this DPA.

SalesVu maintains a written information security program designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Specific safeguards are described in Annex II.

SalesVu will notify Customer without undue delay (and in any event within 72 hours where feasible) after becoming aware of a Personal Data breach affecting Customer's Personal Data, and will provide information reasonably necessary to enable Customer to meet its own notification obligations.

SalesVu will make available to Customer information necessary to demonstrate compliance with this DPA, including by providing third-party audit reports such as SOC 2 (when available) or independent assessments.

Where required by Data Protection Laws, Customer may conduct, at its own cost and on reasonable advance notice, an audit of SalesVu's relevant Processing facilities, subject to confidentiality and security restrictions.

Taking into account the nature of the Processing, SalesVu will provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws.

Within thirty (30) days following termination of the Services, SalesVu will, at Customer's option, return or delete Personal Data Processed under this DPA, unless retention is required by law.

This DPA is effective for the duration of the Services and survives until SalesVu has returned or deleted all Personal Data in accordance with Section 12.

Categories of Data Subjects: Customer's end customers, employees, vendors, and other individuals whose Personal Data is submitted to the Services.

Categories of Personal Data: identifiers, contact details, transaction history, loyalty activity, reservations, communications, device and usage data, and any additional Personal Data Customer chooses to submit.

Nature and purpose of Processing: providing and improving the SalesVu commerce platform and AI agents (including Customer Service, Recommendations, Smart Upselling, Email Automation, Personal Rewards, Churn Prediction, and the Analyst Agent suite).

Duration: for the term of the Services and as required by Section 12.

Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).

Network segmentation, principle-of-least-privilege access controls, and multi-factor authentication for administrative access.

Continuous monitoring, logging, and alerting on production systems.

Secure software development lifecycle including code review, dependency scanning, and pre-release security testing.

Personnel security: background checks (where lawful), confidentiality obligations, and annual security and privacy training.

Business continuity and disaster recovery procedures, including regular backups and recovery testing.

The current list of authorized Sub-processors — including the entity, the Processing they perform, and their location — is maintained on the SalesVu Trust Center at /trust.