Data Processing Agreement

Governing all Beta Access Agreements of the same version.

This DPA incorporates the requirements of the UK General Data Protection Regulation and the Data Protection Act 2018.

1. Definitions

In this DPA, the following terms have the meanings set out below. Terms defined in the UK GDPR have the meanings given there.

“Anonymised Platform Data” means conversation data, interaction patterns, and aggregated usage statistics derived from the Controller's use of the Platform that have been irreversibly anonymised such that they cannot reasonably be used to identify the Controller, its personnel, or any Data Subject.

“Data Protection Law” means all applicable UK data protection and privacy legislation, including the UK General Data Protection Regulation (“UK GDPR”) as defined in section 3(10) of the Data Protection Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any binding guidance or decisions of the Information Commissioner's Office (“ICO”), each as amended from time to time.

“Data Subject” means an identified or identifiable natural person whose Personal Data is processed by the Processor under this DPA, including the Controller's employees and website visitors or prospects who interact with the sAIlsbot agent.

“IDTA” means the International Data Transfer Agreement issued by the ICO under section 119A of the Data Protection Act 2018, as updated from time to time.

“Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Principal Agreement.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by the Processor.

“Restricted Transfer” means a transfer of Personal Data from the United Kingdom to a country or territory not subject to a UK adequacy decision under Data Protection Law.

“Sub-processor” means any third-party processor engaged by the Processor to carry out processing of Personal Data on behalf of the Controller.

“Technical and Organisational Measures” (or “TOMs”) means the security measures implemented by the Processor to protect Personal Data, as described in Annex C.

“UK Addendum” means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the ICO pursuant to s.119A of the Data Protection Act 2018 (version B.1.0), as updated from time to time.

2. Scope and Relationship of the Parties

2.1 Processor role

The Processor processes Personal Data only on behalf of, and in accordance with the documented instructions of, the Controller, as a data processor within the meaning of Article 4(8) UK GDPR. The Controller determines the purposes and means of processing. The Processor processes Personal Data solely to provide the services described in the Principal Agreement.

2.2 Processing details

The subject matter, nature, purpose, and duration of processing, together with the types of Personal Data and categories of Data Subjects, are set out in Annex A.

2.3 Controller obligations

The Controller warrants that:

it has a valid legal basis under Data Protection Law for each category of Personal Data provided to the Processor;

Personal Data has been collected and shared in compliance with Data Protection Law;

it will provide Data Subjects with all required privacy information regarding the processing carried out under this DPA; and

documents and files uploaded to the Platform for knowledge base ingestion shall not contain Personal Data, and the Controller is solely responsible for reviewing and ensuring compliance with this obligation before uploading any content.

2.4 Instructions

The Processor shall process Personal Data only in accordance with the Controller's documented instructions, as set out in this DPA and the Principal Agreement. If the Processor is required by applicable law to process Personal Data otherwise, it shall notify the Controller before doing so, to the extent permitted by law.

2.5 Unlawful instructions

If the Processor considers that any instruction of the Controller infringes Data Protection Law, it shall promptly inform the Controller and shall not be obliged to follow any instruction it reasonably considers unlawful.

3. Processor Obligations

3.1 Confidentiality

The Processor shall ensure that personnel with access to Personal Data are subject to binding confidentiality obligations, and that such access is limited to those who need it to perform their duties.

3.2 Technical and organisational measures

The Processor shall implement and maintain the TOMs described in Annex C. The Processor may update these measures from time to time, provided that such updates do not materially reduce the overall level of protection afforded to Personal Data.

3.3 Assistance with data subject rights

The Processor shall, taking into account the nature of the processing and information available to it, provide the Controller with reasonable assistance to enable the Controller to fulfil its obligations in respect of:

Data Subject rights under Chapter III UK GDPR (including access, rectification, erasure, restriction, portability, and objection);

data protection impact assessments and prior consultations; and

security, breach notification, and confidentiality obligations.

3.4 Response times

The Processor shall respond to reasonable requests for assistance within a timeframe that enables the Controller to meet its own legal deadlines. Where the Controller receives a Data Subject request relating to Personal Data processed by the Processor, the Processor shall respond with the relevant information within five (5) business days.

3.5 Deletion or return of data

On termination or expiry of the Principal Agreement, the Processor shall, at the Controller's written election:

securely delete or destroy all Personal Data processed on the Controller's behalf within thirty (30) days;

return a copy of such Personal Data in a commonly used, machine-readable format within ten (10) business days of a written request; or

migrate all Personal Data to the Controller's General Availability account, where the Controller continues on a paid subscription.

For the avoidance of doubt, Anonymised Platform Data is not Personal Data and is not subject to deletion or return obligations under this clause.

3.6 Records of processing

The Processor shall maintain records of all categories of processing activities carried out on behalf of the Controller as required by Article 30(2) UK GDPR, and shall make such records available to the ICO on request.

3.7 No sale of personal data

The Processor shall not sell, rent, or otherwise make Personal Data available to any third party for that third party's own marketing, commercial, or other independent purposes.

4. Sub-Processing

4.1 General authorisation

By accepting the Principal Agreement, the Controller grants the Processor general authorisation to engage the Sub-processors listed in Annex B. The Controller's acceptance of the Principal Agreement constitutes its prior written consent to those Sub-processors, subject to the conditions in this clause.

4.2 Conditions for sub-processing

When engaging any Sub-processor, the Processor shall:

carry out appropriate due diligence on the Sub-processor's data protection practices before engagement;

ensure a written agreement is in place imposing data protection obligations at least equivalent to those in this DPA; and

remain fully liable to the Controller for the acts and omissions of each Sub-processor as if they were its own.

4.3 New sub-processors

5. Personal Data Breaches

5.1 Notification timing

In the event of a Personal Data Breach affecting Personal Data processed on behalf of the Controller, the Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, to enable the Controller to meet its own notification obligations to the ICO and affected Data Subjects where required.

5.2 Notification content

The Processor's breach notification shall, to the extent known at the time, include:

a description of the breach, including categories and approximate number of Data Subjects and records affected;

the name and contact details of the Processor's data protection contact;

likely consequences;

measures taken or proposed to address the breach; and

such other information as the Controller reasonably requires.

Information not available at the time of initial notification will be provided as soon as it becomes available.

5.3 Breach response

Following notification, the Processor shall promptly investigate, contain, and remediate the breach, and shall co-operate fully with the Controller in its own investigation and any regulatory inquiry.

5.4 No admission

A breach notification under this clause does not constitute an admission of liability or fault by the Processor.

6. International Data Transfers

6.1 General restriction

The Processor shall not carry out or permit any Restricted Transfer of Personal Data except as authorised under this clause and in compliance with Data Protection Law.

6.2 Authorised transfers

Several Sub-processors listed in Annex B are established in the United States, which is not the subject of a comprehensive UK adequacy decision. The Processor shall ensure that any Restricted Transfer to a US-based Sub-processor is governed by one of the following safeguards:

IDTA: the transfer is governed by the International Data Transfer Agreement issued by the ICO; or

UK Addendum: the transfer is governed by the EU Standard Contractual Clauses (Controller-to-Processor or Processor-to-Processor modules as applicable) together with the UK Addendum (version B.1.0).

6.3 Transfer impact assessments

The Processor shall carry out, and make available to the Controller on request, a transfer impact assessment in respect of each Restricted Transfer, assessing whether the law and practice of the destination country impairs the applicable transfer mechanism. Where a material risk is identified, the Processor shall apply appropriate supplementary measures.

6.4 EEA transfers

Transfers to countries subject to a UK adequacy decision (including EEA member states) are not Restricted Transfers and do not require the safeguards in clause 6.2.

7. Audit Rights

7.1 Information requests

The Processor shall make available to the Controller, on reasonable written request, information reasonably necessary to demonstrate compliance with its obligations under this DPA. The Processor shall respond within fifteen (15) business days.

7.2 Audit procedure

Where information provided under clause 7.1 is insufficient, the Controller may request a formal audit using the following stepped procedure:

Step 1 — Questionnaire: the Controller submits a written data protection compliance questionnaire; the Processor responds fully within fifteen (15) business days.

Step 2 — Third-party audit report: if concerns remain, the Processor shall share a summary of a relevant independent audit report (for example, ISO 27001 certification or SOC 2 report) where one exists.

Step 3 — Physical audit: if concerns are unresolved after Steps 1 and 2, the Controller (or an approved independent auditor) may carry out a physical audit on no less than thirty (30) business days' prior written notice, during normal business hours, in a manner that does not unreasonably disrupt the Processor's operations.

7.3 Conditions

Physical audits:

shall occur no more than once per year (unless a Personal Data Breach has occurred);

are at the Controller's cost;

are subject to the Processor's third-party confidentiality obligations; and

shall not extend to information relating to other clients or commercially sensitive information not relevant to the Controller's processing.

7.4 Regulatory access

Nothing in this clause limits any right of the ICO or other supervisory authority to access the Processor's premises, records, or personnel in the exercise of its regulatory functions.

8. Anonymised Platform Data and AI Training

8.1 Not personal data

Anonymised Platform Data does not constitute Personal Data for the purposes of UK GDPR or this DPA. Accordingly, the obligations and restrictions applicable to Personal Data under this DPA do not apply to Anonymised Platform Data.

8.2 Permitted uses

The Controller has consented (in the Principal Agreement) to the Processor's use of Anonymised Platform Data for:

training, fine-tuning, and improving the Processor's AI models, algorithms, and the Platform's sales intelligence capabilities;

developing new products and features;

generating aggregated statistical analysis and benchmarks; and

internal research and product development.

8.3 Anonymisation standard

The Processor warrants that its anonymisation process is designed to meet the standard set out in the ICO's Anonymisation Code of Practice, such that the risk of re-identification is sufficiently remote that the data cannot reasonably be used to identify any individual. The Processor shall maintain and document its anonymisation methodology.

8.4 Separation

The Processor shall maintain clear technical and procedural separation between processes that handle Personal Data (subject to this DPA) and processes that handle Anonymised Platform Data. The Processor shall not anonymise data in a manner that circumvents the Controller's rights under this DPA.

9. Duration

9.1 Term

This DPA applies for so long as the Processor processes Personal Data on behalf of the Controller under the Principal Agreement, and terminates automatically on termination or expiry of the Principal Agreement.

9.2 Survival

Clauses 1, 3.5, 5 (in respect of breaches occurring during the term), 8, and 10 survive termination of this DPA.

10. General

10.1 Governing law

This DPA is governed by and construed in accordance with the law of Scotland. The parties submit to the exclusive jurisdiction of the Scottish courts.

10.2 Priority

In the event of any conflict between this DPA and the Principal Agreement on matters of data protection, this DPA shall prevail. In all other respects, the Principal Agreement prevails.

10.3 Updates

10.4 Version control

10.5 Liability

The liability of the parties under this DPA is subject to the limitations and exclusions in the Principal Agreement, save to the extent prohibited by applicable Data Protection Law.

Annex A — Details of Processing

This Annex describes the processing carried out by Breezee AI Limited as Processor on behalf of each Controller under the Beta Access Agreement.

Subject matter

The provision of the sAIlsbot AI sales agent platform, including knowledge base ingestion, AI-driven sales conversations across digital channels (including web and, as the platform develops, messaging platforms such as WhatsApp), lead qualification, prospect management, analytics, and related services.

Duration

For the duration of the Beta Period and, where the Controller continues to a General Availability subscription, the term of that subscription.

Nature of processing

Collection, storage, retrieval, analysis, use, disclosure, transmission, and deletion of Personal Data. Automated processing using large language models and machine learning to generate AI-driven sales agent conversations and lead qualification outcomes.

Purpose of processing

operating the sAIlsbot AI agent on and across the Controller's digital channels to conduct AI-driven sales conversations with visitors and prospects;

capturing prospect contact information and qualifying leads;

maintaining prospect records, conversation histories, and session analytics;

generating reports and insights for the Controller; and

enabling the Controller to configure and manage its AI sales agent via the dashboard.

Categories of personal data

Prospect and visitor data: name, email address, company name, job title, telephone number, and any other personal information voluntarily shared during an agent conversation.

Conversation content: chat transcripts and session records.

Behavioural data: session metadata, engagement signals, and lead scoring data.

Controller personnel data: names and email addresses of authorised dashboard users.

Special categories of personal data

None anticipated. The sAIlsbot is designed for B2B sales conversations. Controllers must not configure the Platform to solicit or process special category personal data (Article 9 UK GDPR) without prior written agreement with Breezee AI.

Categories of data subjects

prospects and visitors who interact with the sAIlsbot agent; and

the Controller's authorised dashboard users.

Controller's legal basis

To be identified and documented by each Controller. Likely bases include: Legitimate Interests (Article 6(1)(f) UK GDPR) for prospect profiling and lead scoring; Contract (Article 6(1)(b)) for processing relating to existing customers; Consent (Article 6(1)(a)) where collected via the agent. Each Controller is solely responsible for identifying and maintaining the appropriate legal basis.

Annex B — Approved Sub-Processors

OpenAI, L.L.C.

Location: United States of America

Processing purpose: large language model processing (GPT); generation of AI agent responses and vector embeddings for the knowledge base. AI training uses only Anonymised Platform Data.

Transfer safeguard: IDTA or UK Addendum to EU SCCs (Processor-to-Processor).

Supabase, Inc.

Location: United States of America

Processing purpose: database hosting (PostgreSQL + pgvector), authentication, file storage, and serverless edge function execution.

Transfer safeguard: IDTA or UK Addendum to EU SCCs (Processor-to-Processor).

Vercel, Inc.

Location: United States of America

Processing purpose: frontend application hosting, serverless function execution, and content delivery network.

Transfer safeguard: IDTA or UK Addendum to EU SCCs (Processor-to-Processor).

Langfuse GmbH

Location: Germany (EEA)

Processing purpose: AI observability and tracing: logging of agent conversation metadata and tool call spans for quality monitoring. PII masking applied before export.

Transfer safeguard: No Restricted Transfer — EEA (UK adequacy decision applies).

HubSpot, Inc.

Location: United States of America

Processing purpose: CRM and contact management: storage and synchronisation of prospect and lead data captured via the sAIlsbot agent; sales pipeline management.

Transfer safeguard: IDTA or UK Addendum to EU SCCs (Processor-to-Processor).

Resend, Inc.

Location: United States of America

Processing purpose: transactional email delivery: sending confirmation emails and platform notifications to authorised dashboard users.

Transfer safeguard: IDTA or UK Addendum to EU SCCs (Processor-to-Processor).

Atlassian, Inc.

Location: United States of America

Processing purpose: bug tracking and support ticket management; tickets may contain personal data relating to the Controller's end users.

Transfer safeguard: IDTA or UK Addendum to EU SCCs (Processor-to-Processor).

Note on transfer mechanisms. Breezee AI ensures that appropriate transfer safeguards (IDTA or UK Addendum to EU SCCs) are in place with each US-based Sub-processor prior to any transfer of Personal Data, and conducts transfer impact assessments as required under clause 6.3. Documentation is available on request.

Note on knowledge base ingestion tools. Tools used solely to retrieve publicly available website content or to parse documents uploaded by the Controller for knowledge base ingestion do not process Personal Data and are therefore not Sub-processors within the meaning of this DPA. The Controller is responsible for ensuring that documents and files uploaded for knowledge base ingestion do not contain Personal Data (see clause 2.3).

Annex C — Technical and Organisational Measures

This Annex describes the Technical and Organisational Measures implemented by Breezee AI Limited to protect Personal Data processed in connection with the sAIlsbot Beta Programme. These measures will be reviewed and strengthened as the Platform develops toward General Availability.

Access control and authentication

Access to Personal Data is restricted on the principle of least privilege. The Platform enforces data isolation at the database level using Row-Level Security (RLS) via Supabase, ensuring each organisation's data is segregated from other tenants. Dashboard access requires authenticated login. API routes implement independent authentication checks. Credentials are not stored in plaintext.

Encryption

Data in transit is encrypted using TLS 1.2 or higher across all connections. Data at rest is encrypted by Supabase's underlying infrastructure. OAuth integration tokens are stored using AES-256-GCM encryption. Widget authentication uses short-lived HMAC tokens (5-minute TTL) to reduce session hijacking risk.

Data minimisation and pseudonymisation

The Platform is designed to collect only the Personal Data necessary for delivery of the sAIlsbot services. Website visitors are assigned a pseudonymous prospect identifier generated client-side before any contact information is captured. AI observability traces have PII masking (email address and telephone number patterns) applied before export to Langfuse.

Infrastructure and availability

The Platform is hosted on Vercel (application layer) and Supabase (database, authentication, edge functions, and file storage), both operating enterprise-grade infrastructure with built-in redundancy. Content processing uses asynchronous message queues and scheduled functions, reducing data loss risk from processing failures.

Organisational measures

Access to production systems and Personal Data is restricted to Breezee AI personnel who require it for their duties. All such personnel are subject to binding confidentiality obligations. Breezee AI maintains internal policies governing the use of production data, AI training data, and Sub-processor engagement. Credentials are managed via environment variables and are not stored in source code.

Anonymisation for AI training

Before any conversation data is used for AI model training or platform improvement, it undergoes an anonymisation process designed to remove all direct and indirect personal identifiers. Anonymised Platform Data is processed entirely separately from Personal Data and is not subject to the access controls or deletion obligations applicable to Personal Data.

Incident response

Breezee AI maintains an internal incident response process for identifying, classifying, and responding to Personal Data Breaches. Suspected breaches are escalated immediately to the founding team. Post-incident reviews are conducted to identify and address root causes. The Processor commits to the 72-hour notification timeline in clause 5.1 of this DPA.

Updates

These TOMs will be reviewed and strengthened as the Platform moves toward General Availability. Breezee AI will notify Beta customers of any material reduction in the level of protection in advance of implementing such a change.

Breezee AI Limited — Company No. SC857320 — Registered office: 10/1 Woodcroft Road, Edinburgh EH10 4FD