This Data Protection Addendum (“DPA”) is incorporated into the Terms and Conditions between Capital Acquisition (“Processor”) and the User (“Controller”) and applies where Processor Processes Personal Data on behalf of Controller under the Terms.
1. Definitions
a. “Data Protection Laws” means all applicable laws concerning data protection and privacy, including GDPR (EU 2016/679) and UK GDPR.
b. “Personal Data” means any information relating to an identified or identifiable natural person Processed by Processor on behalf of Controller.
c. “Processing” means any operation performed on Personal Data (e.g., collection, storage, analysis).
d. “Controller” means the entity that determines the purposes and means of Processing Personal Data (the User).
e. “Processor” means the entity that Processes Personal Data on behalf of the Controller (Capital Acquisition).
2. Processing Details
a. Subject Matter: The provision of the AI chatbot Service.
b. Duration: The term of the Terms and Conditions.
c. Nature and Purpose: Processing inputs to generate AI outputs, improving AI models, and providing support.
d. Types of Personal Data: Personal data contained in User prompts and conversations (e.g., names, contact details, any other personal data users input).
e. Data Subjects: Controller’s users, employees, customers, or any other individuals whose personal data is submitted to the Service by Controller.
3. Processor Obligations
a. Process as Instructed: Processor shall only Process Personal Data on Controller’s documented instructions (as outlined in the Terms and this DPA). Processor will inform Controller if it believes an instruction infringes Data Protection Laws.
b. Confidentiality: Processor shall ensure that persons authorized to Process Personal Data are bound by confidentiality obligations.
c. Security Measures: Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Measures include encryption of data in transit and at rest, strict access controls, and regular security assessments.
d. Sub-processing: Controller generally authorizes the use of sub-processors (e.g., cloud hosting providers like AWS, Google Cloud, Azure). Processor will:
i. Maintain an up-to-date list of sub-processors on its website.
ii. Provide Controller with notice of any intended changes to this list, giving Controller the opportunity to object.
iii. Impose data protection obligations on all sub-processors that are substantially similar to those in this DPA.
4. Data Subject Rights
Processor shall, to the extent legally permitted, promptly notify Controller of any request received from a data subject. Processor will assist Controller, using appropriate technical and organizational measures, in fulfilling its obligations to respond to data subject requests.
5. Security Incidents
Processor shall notify Controller without undue delay after becoming aware of a confirmed Personal Data breach. Processor will provide timely information and cooperation to assist Controller in meeting its breach notification obligations under Data Protection Laws.
6. Deletion or Return of Data
Upon termination of the Service, at Controller’s choice, Processor will delete or return all Personal Data to Controller, and delete existing copies, unless required by law to store the data.
7. Audits
Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller. Such audits will be conducted with reasonable notice and shall not unreasonably interfere with Processor’s business operations.
8. International Transfers
If Personal Data is transferred outside the UK or European Economic Area (EEA) to a country not deemed to have adequate data protection laws, such transfers shall be governed by and rely on the European Commission’s Standard Contractual Clauses (“SCCs”), which are incorporated by reference into this DPA.