Capacity DPA

This Data Processing Addendum (“DPA”) incorporates, forms part of, and is subject to the terms and conditions of the Capacity Services Agreement (the “Agreement”) between AI Software, LLC, d/b/a Capacity, a limited liability company organized under the laws of the State of Delaware, in the United States of America (“Capacity”), and the customer entity that is a party to the Agreement (“Client”).  This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement. 

  1. Definitions.  In this DPA:
    1. “Controller”, “Data Subject”, “Personal Data”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in Data Protection Law;
    2. “Data Protection Law” means: a) for individuals residing in the European Economic Area and Switzerland: Regulation (EU) 2016/679, Directive 2002/58/EC (as amended by Directive 2009/136/EC); and b) for individuals residing in the United Kingdom: the United Kingdom General Data Protection Regulation. Data Protection Law further includes all other applicable data protection laws of the relevant jurisdictions in which individuals reside, including but not limited to the California Privacy Rights Act (“CPRA”), the Colorado Privacy Act (“CPA”) (effective July 1, 2023), the Connecticut Data Privacy Act (“CTDPA”) (effective July 1, 2023), the Utah Consumer Privacy Act (“UCPA”) (effective December 31, 2023), the Virginia Consumer Data Privacy Act (“VCDPA”); and any legal instrument for International Data Transfers; each as applicable, and as may be amended or replaced from time to time;
    3. “Data Subject Rights” means all rights granted to Data Subjects by Data Protection Law, including the right to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making;
    4. “International Data Transfer” means any transfer of Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom, and includes any onward transfer of Personal Data from the international organization or the country outside of the EEA, Switzerland or the United Kingdom to another international organization or to another country outside of the EEA, Switzerland and the United Kingdom;
    5. “Personnel” means any natural person acting under the authority of Capacity;
    6. “Personal Data Breach” means any unauthorized disclosure, destruction, or loss or access of Personal Data Processed on behalf of Client;
    7. “Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data, or otherwise subject to additional restrictions under Data Protection Law or other laws to which the Controller is subject;
    8. “Subprocessor” means an affiliate, subsidiary, agent, subcontractor, or other third party engaged by Capacity to assist Capacity in providing the Processing Services; and
    9. “EU Standard Contractual Clauses” or “EU SCCs” means: for individuals residing in the European Economic Area or Switzerland: the clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council.
    10. “UK GDPR” means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018.
    11. “UK Addendum” means the UK Addendum to the EU Standard Contractual Clauses. 
  2. Roles

Client is a Controller and appoints Capacity as a Processor on behalf of Client.

  3. Scope
    1. This DPA applies to the Processing of Personal Data by Capacity in the context of the Agreement.
    2. The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Appendix 1, which is an integral part of this DPA, the Agreement, and any applicable statement of work.
  4. Instructions
    1. Client shall only disclose Personal Data to Capacity solely for a valid business purpose as set forth in the Agreement, and solely in connection with the Services.
    2. Capacity must only Process Personal Data on documented instructions of and on behalf of Client as necessary to carry out the purposes of the Agreement in accordance with Appendix 1 or as otherwise authorized by Client in writing (“Processing Purposes”) and is prohibited from Processing Personal Data for any other purpose. 
    3. For the avoidance of doubt, Capacity will not engage in the sale (i.e., “share” under applicable Data Protection Law) of Personal Data, nor will Capacity combine Personal Data of Client with any other Personal Data held by or accessible to Capacity in identifiable form to provide services to any other entity or customer of Capacity. 
    4. Client shall be solely responsible for, and represents and warrants that, any documented instructions it provides hereunder shall comply with Data Protection Law. Moreover, Client shall have sole responsibility for the accuracy, quality, and legality of Client Personal Data and the means by which Client acquired Client Personal Data.
    5. Where an applicable Data Protection Law requires Capacity to Process Personal Data under terms other than those of this DPA, or other written instructions of Client, Capacity shall notify Client of such legal requirement before Processing in accordance with the legal requirement, unless the applicable law prohibits disclosure. In addition, Capacity shall notify Client if, in Capacity’s assessment, any of Client’s instructions infringe applicable law, including but not limited to applicable Data Protection Law. In the event that Capacity determines that it can no longer meet its obligations under this DPA, Capacity shall notify Client promptly after making such a determination.
    6. Client has taken and further undertakes that throughout the Term it shall take all necessary steps (having regard to the nature of the circumstances in which Client Personal Data will be collected) to provide affected data subjects with an accurate, comprehensible, concise, conspicuous and easily accessible description of all processing of Client Personal Data carried out under and in connection with the DPA, which are sufficient to meet the standards and requirements of Article 13/14 of the GDPR.
    7. Client may issue additional instructions to Capacity as it deems necessary to comply with Data Protection Law.  Client shall be responsible for any additional fees, or costs arising from any such additional instructions, which fees or costs shall be mutually agreed upon by the Parties. 
  5. Subprocessing
    1. The parties agree that Capacity has general authorization to engage Subprocessors subject to the terms of this Section 5. The current Subprocessors of Capacity are set out in Appendix 3.
    2. Capacity will inform Client if there are any changes concerning the addition or replacement of such Subprocessors by making available an up-to-date list at https://capacity.com/capacity-sub-processors/, to which changes Client has the right to object within fifteen (15) days. The parties shall cooperate in good faith to address any such objection. 
    3. Capacity will take appropriate steps to confirm that all Subprocessors are capable of providing the level of protection for Personal Data as is required by Data Protection Law and this DPA.
    4. Capacity must enter into a binding written agreement with all Subprocessors which imposes materially the same obligations on the Subprocessors as this DPA imposes on Capacity. 
    5. If any Subprocessor fails to fulfill its obligations under Data Protection Law, this DPA, or the agreements between Capacity and Subprocessor, Capacity will be responsible to Client for the performance of such obligations. 
  6. International Data Transfers
    1. EU Standard Contractual Clauses. As applicable to the Agreement and to the extent required by Applicable Data Protection Laws, the parties agree that the clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) will apply to Personal Data that is transferred under the Agreement from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the EU SCCs, the EU SCCs, Module 2 (Controller to Processor), will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
      1. In Clause 7, the optional docking clause will not apply;
      2. In Clause 9, Option 2 will apply and the time period for notice of Subprocessor changes will be as set forth in Appendix 3 (Subprocessors) of this Addendum;
      3. In Clause 11, the optional redress language will not apply;
      4. In Clause 13(a), all three options may be retained and apply, depending on the circumstances, and as relevant where the transfer falls within the territorial scope of the Regulation (EU) 2016/679;
      5. In Clause 17, Option 1 will apply and the EU SCCs will be governed by Irish law;
      6. In Clause 18(b), disputes will be resolved before the courts of Ireland; and
      7. Appendix 1 (Description of Processing) of this Addendum serves as Annex I of the EU SCCs; Appendix 2 (Technical and Organizational Security Measures Implemented by the Service Provider) of this Addendum serves as Annex II of the EU SCCs and Appendix 3 (List of Subprocessors) serves as Annex III of the EU SCCs.
    2. UK Addendum. As applicable to the Agreement and in relation to Personal Data that is protected by the UK GDPR, the UK Addendum shall apply. To the extent that the UK Addendum applies, Annexes A, B, and C of this Addendum shall also apply. For data transfers from the United Kingdom that are subject to the UK Addendum, the UK Addendum will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
      1. For Table One, the details as set out in Appendix 1 of this Addendum shall apply.
      2. For Table Two, the check-box referring to the following shall apply:

“the Approved EU SCCs, including the Appendix Information and with only the modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of the UK Addendum.”

      3. For Table Three, the following shall apply to the referenced columns: Appendix 1 (Description of Processing) of this Addendum shall apply to the columns entitled Annex IA and Annex IB; Appendix 2 (Technical and Organizational Security Measures Implemented by the Service Provider) of this Addendum shall apply to the column entitled Annex II; and Appendix 3 (List of Subprocessors) shall apply to the column entitled Annex III.
      4. For Table Four, data exporter and data importer shall have the right to terminate this Addendum.
  7. Personnel
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Capacity must implement appropriate technical and organizational measures to ensure that Personnel do not Process Personal Data except on the instructions of the Controller.
    2. Capacity must ensure that all Personnel authorized to Process Personal Data are subject to a contractual or statutory obligation of confidentiality.
    3. Capacity must regularly train Personnel regarding the protection of Personal Data.
  8. Security and Personal Data Breaches
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Capacity must implement technical and organizational measures to ensure a level of security appropriate to the risks presented by the Processing consistent with applicable Data Protection Law and as further described in Appendix 2 to this DPA (“Security Measures”). Capacity may update or modify the Security Measures set out in Appendix 2 from time to time. 
    2. In assessing the appropriate level of security, Capacity shall take into account the risks that are presented by the Processing under this Agreement, in particular from accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure of, or access to Data Controller’s Personal Data transmitted or stored.
    3. Capacity must inform Client without undue delay after becoming aware of a Personal Data Breach. Capacity shall reasonably cooperate in the investigation and remediation of the Personal Data Breach and take reasonable measures to limit further unauthorized disclosure or Processing of Personal Data in connection with the Personal Data Breach. 
  9. Assistance
    1. Taking into account the nature of the Processing, Capacity may reasonably assist Client, by implementing appropriate technical and organizational measures, for fulfillment of Client’s own obligations under Data Protection Law if and to the extent Client cannot meet such obligations without Capacity’s assistance, including:
      1. Complying with Data Subjects’ requests to exercise Data Subject Rights; 
      2. Replying to inquiries or complaints from Data Subjects; 
      3. Replying to investigations and inquiries from Supervisory Authorities; 
      4. Conducting data protection impact assessments or similar activity;
      5. Conducting prior consultations with Supervisory Authorities; and
      6. Assisting with Personal Data Breaches as described in Section 8.3. 
    2. Unless prohibited by applicable law, Capacity must inform Client without undue delay if Capacity:
      1. Receives a request, complaint, claim or other inquiry regarding the Processing of Personal Data from a Data Subject or Supervisory Authority; 
      2. Receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body; 
      3. Receives a request, complaint, claim or other inquiry from Client’s employees or other third parties, other than those set forth in this DPA;
      4. Is subject to a legal obligation that requires Capacity to Process Personal Data in contravention of Client’s instructions; 
      5. Is otherwise unable to comply with Data Protection Law or this DPA. 
    3. Unless prohibited by applicable law, Capacity must obtain Client’s written authorization before responding to, or complying with any requests, orders, or legal obligations referred to in Section 9.2. 
  10. Accountability
    1. Capacity must maintain records of Processing of Personal Data Processed on behalf of Client, including at a minimum the categories of information required under Data Protection Law.
    2. If and to the extent required by applicable Data Protection Law, Client may request, upon thirty (30) days written notice to Capacity, an audit, through itself or through an independent third-party auditor. The audit may be carried out once in any calendar year and at Client’s sole expense. Audits shall be subject to all applicable confidentiality obligations agreed to by Client and Capacity, and any independent auditor shall be required to enter into a non-disclosure agreement with Capacity, containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Capacity’s confidential and proprietary information. Audits shall be conducted in a manner that minimizes any disruption of Capacity’s performance of services and other normal operations. For the avoidance of doubt, any information disclosed by Capacity in connection with this DPA will be subject to the confidentiality (including non-use) provisions in the Agreement.
  11. Liability
    1. Any liability imposed on or incurred by Capacity under this DPA shall be subject to any exclusions or limitations of liability under the Agreement.
    2. Client represents and warrants that on the effective date of this DPA and during the term of this DPA:
      1. Personal Data has been and will be collected and Processed by Client in accordance with the Data Protection Laws; 
      2. The Processing of Personal Data in accordance with this DPA by Capacity will not violate the Data Protection Laws; 
      3. Client shall provide Data Subjects with appropriate opt-outs where applicable under the Data Protection Laws, and shall inform Capacity of any exercise of such rights by a Data Subject; and
      4. Client will take all steps necessary to ensure it achieves the foregoing, including without limitation, by providing Data Subjects with appropriate privacy notices, obtaining any required consent, and ensuring that there is a lawful basis for Capacity to Process Personal Data. 
  12. Term and duration of the Processing
    1. Notwithstanding any other provision of the Agreement or this Addendum to the contrary, when Capacity ceases to perform Processing Services for Client upon termination of the Agreement or otherwise (e.g., per the request or explicit instruction of Client), Capacity shall, if requested by Client and within sixty (60) days of the request: (i) return Personal Data to Client; and/or (ii) securely purge, delete, and destroy Personal Data, to the extent practicable, excluding Personal Data that is stored in a back-up or archived format, which shall be deleted in accordance with its normal retention schedule so long as such Personal Data is otherwise retained in accordance with this DPA, and unless Capacity is obligated by applicable law to maintain all or part of the Personal Data of Client, in which case all such Personal Data shall be used only for the purposes for which it must be maintained and in accordance with the terms of this Addendum.
  13. Modification of this DPA

This DPA may only be modified by a written amendment signed by both Client and Capacity. To the extent required by Applicable Data Protection Laws, the parties agree to make all commercially reasonable efforts to make necessary amendments to this Addendum, including all Annexes. The parties will agree on the necessary changes in good faith, taking into account the obligation to carry out this contractual relationship in compliance with Applicable Data Protection Laws.

  14. Invalidity and severability

If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect. 

  15. Certification of Understanding

Both parties certify that they understand and will comply with all restrictions imposed upon their Processing of Personal Data under this Addendum. 

Appendix 1

Description of the Processing

  1. List of Parties

If the EU SCCs apply, the data exporter(s) and importer(s) are identified as follows:

Data Exporting Organisation
Name/Address/Contact details: As specified in Agreement
Activities relating to the transferred Personal Data: As specified in the Agreement
Signature and date: By entering into the Agreement, data exporter is deemed to have signed these EU Standard Contractual Clauses and UK Addendum incorporated herein as of the effective date of the Agreement.
Role: Controller

Data Importing Organisation
Name: AI Software, LLC, d/b/a Capacity
Address/Contact details: As specified in Agreement
Activities relating to the transferred Personal Data: SaaS Services – Capacity will host and process personal data in the course of providing its texting platform and related services to Client.
Signature and date: By entering into the Agreement, data importer is deemed to have signed these EU Standard Contractual Clauses and UK Addendum incorporated herein as of the effective date of the Agreement.
Role: Processor

  1. Description of Transfer
  2. Categories of Data Subjects whose Personal Data is Transferred:

The Personal Data Processed concern the following categories of Data Subjects (please specify):

| # | Category | Description |
|---|----------|-------------|
| 1 | Mobile Users | Mobile users of Client that Client is providing services to or otherwise communicating with |
| 2 | Business partners | Entities that partner with Client |

  1. Categories of Personal Data Transferred

The Personal Data Processed concern the following categories of data (please specify):

| # | Category | Description |
|---|----------|-------------|
| 1 | Name | First name, last name |
| 2 | Contact Information | Phone number, contact lists (synching of contacts) |
| 3 | Communications | Text messages, emails, recordings |
| 4 | Other Identifiers | Call center agent identification number, call center interaction identifiers |

  1. Special Categories of Data

The Personal Data Processed concern the following special categories of data (please specify): None.

  1. Frequency of the Transfer

Ongoing.

  1. Nature of the Processing

As specified in the Agreement.

  1. Purpose of the Data Transfer and Further Processing

As specified in the Agreement.

  1. Retention Period

As specified in the Agreement.

  1. Subject Matter, Nature and Duration of Transfers to Subprocessors 

As specified in the Agreement.

  1. Competent Supervisory Authority

Irish Data Protection Commission

Appendix 2

Technical and Organizational Security Measures Implemented by Capacity

Description of the technical and organizational security measures implemented by Capacity:

To the extent that Data Controller provides to Service Provider or Service Provider otherwise accesses Data Controller’s Personal Data in connection with this Addendum, Service Provider shall implement an Information Security Program that includes administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of Personal Data, protect against any reasonably anticipated threats or hazards to the confidentiality, integrity and availability of Personal Data, and protect against unauthorized access, use, disclosure, alteration or destruction of Personal Data. In particular, Service Provider’s Information Security Program shall include, without limitation, the following safeguards where appropriate or necessary to ensure the protection of Personal Data:

  1. the pseudonymisation of Personal Data where reasonable and appropriate;
  2. the encryption of personal data in transit and at rest;
  3. the measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of Capacity’s processing systems and services, and the Personal Data;
  4. the measures designed to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  5. a process for regularly testing, assessing and evaluating the effectiveness of Capacity’s Information Security Program designed to ensure the security of Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, undisclosed disclosure or access. 

Appendix 3

List of Subprocessors

Client authorizes Capacity to engage the following Subprocessors: