
Data Processing Addendum

Last updated: April 27, 2026

On this page
  1. Definitions
  2. Scope and Order of Precedence
  3. Roles of the Parties
  4. Customer Instructions
  5. Customer Responsibilities
  6. Selaware Processing Obligations
  7. Confidentiality
  8. Subprocessors
  9. Security Measures
  10. Security Incident Notification
  11. Assistance with Customer Obligations
  12. Audits and Compliance Information
  13. Return and Deletion of Customer Personal Data
  14. International Data Transfers
  15. U.S. State Privacy Law Terms
  16. AI Services, Model Providers, and Customer Configuration
  17. Sensitive Data and Regulated Data
  18. De-Identified and Aggregated Data
  19. Legal Requests
  20. Limitation of Liability
  21. Term and Termination
  Schedule 1: Details of Processing
    1. Subject Matter
    2. Duration
    3. Nature and Purpose of Processing
    4. Categories of Data Subjects
    5. Categories of Personal Data
    6. Sensitive Data
    7. Processing Operations
  Schedule 2: Technical and Organizational Measures
    1. Governance and Security Program
    2. Access Controls
    3. Encryption and Network Security
    4. Application Security
    5. Logging, Monitoring, and Alerting
    6. Data Separation and Tenant Controls
    7. Collector and Scanner Security
    8. Backup, Recovery, and Availability
    9. Vendor and Subprocessor Management
    10. Incident Response
    11. Customer Responsibilities
  Schedule 3: Authorized Subprocessors
  Schedule 4: U.S. State Privacy Law Service Provider Terms
    1. Business Purpose
    2. Restrictions
    3. Assistance
    4. Subcontractors
    5. Compliance Certification
  Schedule 5: International Transfer Terms
    1. EU/EEA Transfers
    2. UK Transfers
    3. Swiss Transfers
    4. Transfer Impact and Government Access
  Contact

This Data Processing Addendum, including its schedules and annexes (this “DPA”), forms part of the agreement between Selaware LLC (“Selaware,” “we,” “us,” or “our”) and the customer that has agreed to Selaware’s Terms of Service, an Order Form, subscription agreement, or other written agreement governing use of the Services (“Customer,” “you,” or “your”).

This DPA applies when Selaware processes Customer Personal Data on behalf of Customer in connection with Selaware’s software-as-a-service products and related services, including Oculis, dashboards, APIs, collectors, scanners, integrations, support, documentation, and related services (collectively, the “Services”).

This DPA is intended to satisfy applicable data protection requirements for controller-to-processor, business-to-service provider, and similar processing relationships, including requirements under the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and other applicable privacy laws, to the extent those laws apply.

This DPA should be reviewed by legal counsel before use. It is a business template and does not replace legal advice.


1. Definitions

For purposes of this DPA:

“Agreement” means Selaware’s Terms of Service, any applicable Order Form, subscription agreement, statement of work, or other written agreement between Selaware and Customer governing the Services.

“Applicable Data Protection Laws” means all privacy, data protection, and data security laws and regulations applicable to the processing of Customer Personal Data under the Agreement, which may include the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and applicable U.S. state privacy laws.

“Authorized Subprocessor” means a third party engaged by Selaware to process Customer Personal Data on behalf of Selaware in connection with the Services.

“CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations.

“Customer Data” means data, information, content, files, logs, telemetry, configuration data, metadata, prompts, responses, usage data, or other materials submitted to, collected by, transmitted to, or processed through the Services by or on behalf of Customer.

“Customer Personal Data” means Personal Data contained in Customer Data that Selaware processes on behalf of Customer as a processor, service provider, contractor, or similar role under Applicable Data Protection Laws.

“Data Subject” means an identified or identifiable individual to whom Customer Personal Data relates. Under some laws, similar terms may include “consumer.”

“GDPR” means Regulation (EU) 2016/679, the General Data Protection Regulation.

“Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual, including “personal information,” “personal data,” or similar terms under Applicable Data Protection Laws.

“Process” or “Processing” means any operation or set of operations performed on Customer Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, deletion, or destruction.

“Security Incident” means a confirmed breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data processed by Selaware under this DPA. Security Incident does not include unsuccessful attempts or activities that do not compromise Customer Personal Data, such as unsuccessful login attempts, pings, port scans, denial-of-service attempts, or other network attacks on firewalls or networked systems.

“Services” has the meaning given above and includes Oculis and related Selaware products and services.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for international transfers of Personal Data, as amended, replaced, or supplemented from time to time.

Terms such as “controller,” “processor,” “business,” “service provider,” “contractor,” “sell,” “share,” “commercial purpose,” and “business purpose” have the meanings given to them under Applicable Data Protection Laws.


2. Scope and Order of Precedence

This DPA applies only to the extent Selaware processes Customer Personal Data on behalf of Customer in connection with the Services.

If there is a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA controls with respect to that conflict. If there is a conflict between this DPA and any Standard Contractual Clauses applicable to a transfer of Customer Personal Data, the Standard Contractual Clauses control with respect to that transfer.

The details of Processing are described in Schedule 1. Technical and organizational measures are described in Schedule 2. Subprocessor terms are described in Schedule 3. U.S. state privacy law service provider terms are described in Schedule 4. International transfer terms are described in Schedule 5.


3. Roles of the Parties

For Customer Personal Data processed under this DPA:

  • Customer is the controller, business, or equivalent role under Applicable Data Protection Laws.
  • Selaware is the processor, service provider, contractor, or equivalent role under Applicable Data Protection Laws.

Customer determines the purposes and means of Processing Customer Personal Data, including what Customer Data is submitted to or collected by the Services, how collectors or scanners are configured, which integrations are enabled, which users are authorized, and which systems are connected.

Selaware processes Customer Personal Data only on behalf of Customer and in accordance with Customer’s documented instructions, unless otherwise required by applicable law.


4. Customer Instructions

Customer instructs Selaware to Process Customer Personal Data as necessary to:

  1. provide, operate, maintain, secure, monitor, and support the Services;
  2. discover, monitor, analyze, and report AI agent activity, AI usage, LLM calls, provider usage, model usage, token usage, estimated costs, cache savings, latency, errors, reliability, and related operational signals;
  3. operate Oculis collectors, scanners, dashboards, APIs, alerts, notifications, integrations, reports, and administrative tools;
  4. troubleshoot, prevent, detect, investigate, and remediate security, fraud, abuse, service reliability, billing, or technical issues;
  5. comply with the Agreement, this DPA, Customer configuration, support requests, and documented instructions;
  6. comply with applicable law, legal process, or governmental requests; and
  7. perform any other Processing expressly authorized by Customer in writing.

Customer’s documented instructions include the Agreement, this DPA, applicable Order Forms, product documentation, Customer’s configuration of the Services, Customer’s use of APIs or integrations, support requests, and other written instructions submitted by authorized Customer users.

Selaware will notify Customer if, in Selaware’s reasonable opinion, an instruction infringes Applicable Data Protection Laws, unless Selaware is prohibited from doing so by law.


5. Customer Responsibilities

Customer is responsible for:

  1. complying with Applicable Data Protection Laws in connection with Customer’s use of the Services;
  2. having all rights, notices, consents, permissions, lawful bases, and authorizations necessary for Selaware to Process Customer Personal Data under the Agreement and this DPA;
  3. determining whether the Services are appropriate for Customer’s intended use, industry, data types, and compliance requirements;
  4. configuring the Services, collectors, scanners, integrations, user permissions, alerts, API keys, and retention settings appropriately;
  5. ensuring that Customer does not submit prohibited or unsupported sensitive data unless Selaware has expressly agreed in writing and appropriate safeguards are in place;
  6. responding to Data Subject requests and regulatory inquiries, except where Selaware is legally required to respond directly;
  7. maintaining independent backups of Customer Data where appropriate;
  8. securing Customer systems, networks, endpoints, cloud accounts, Kubernetes clusters, identity providers, and environments where Selaware collectors or scanners are installed; and
  9. ensuring that Customer’s users and administrators comply with the Agreement and this DPA.

Customer should not intentionally submit secrets, passwords, private keys, access tokens, regulated payment card data, protected health information, children’s data, special category data, or other highly sensitive data to the Services unless expressly supported by Selaware in writing.


6. Selaware Processing Obligations

Selaware will:

  1. Process Customer Personal Data only in accordance with Customer’s documented instructions, the Agreement, this DPA, and Applicable Data Protection Laws;
  2. ensure that personnel authorized to Process Customer Personal Data are subject to confidentiality obligations;
  3. implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, as described in Schedule 2;
  4. assist Customer, taking into account the nature of the Processing and information available to Selaware, with Customer’s obligations under Applicable Data Protection Laws as described in this DPA;
  5. notify Customer of confirmed Security Incidents as described in Section 10;
  6. use Authorized Subprocessors only as described in Section 8 and Schedule 3;
  7. make available information reasonably necessary to demonstrate compliance with this DPA, subject to Section 12; and
  8. return or delete Customer Personal Data as described in Section 13.

Selaware may Process de-identified, aggregated, or anonymized data derived from Customer Data for analytics, benchmarking, product improvement, security, performance, reliability, and business purposes, provided such data does not identify Customer, Customer users, or Data Subjects and is not reasonably capable of being associated with them.

Selaware will not use Customer Personal Data to train third-party AI models unless Customer expressly authorizes such use in writing.


7. Confidentiality

Selaware will ensure that personnel who Process Customer Personal Data are informed of the confidential nature of such data and are subject to appropriate confidentiality obligations. Selaware will limit personnel access to Customer Personal Data to those who need access to provide, support, secure, or improve the Services, or as otherwise permitted under the Agreement and this DPA.


8. Subprocessors

Customer authorizes Selaware to engage Authorized Subprocessors to Process Customer Personal Data in connection with the Services.

Selaware will impose written data protection obligations on Authorized Subprocessors that are substantially similar to those imposed on Selaware under this DPA, to the extent applicable to the nature of services provided by the Authorized Subprocessor.

Selaware remains responsible for the performance of its Authorized Subprocessors’ obligations to the extent required by Applicable Data Protection Laws.

Selaware may update its Authorized Subprocessors from time to time. Where required by Applicable Data Protection Laws or the Agreement, Selaware will provide notice of material changes to Authorized Subprocessors and give Customer an opportunity to object on reasonable data protection grounds. If Customer reasonably objects to a new Authorized Subprocessor and Selaware cannot provide a commercially reasonable alternative, either party may terminate the affected Services in accordance with the Agreement.

Additional Subprocessor terms are set forth in Schedule 3.


9. Security Measures

Selaware will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

Such measures may include, as appropriate:

  • encryption in transit using TLS or comparable secure transport protocols;
  • encryption at rest where supported by the underlying infrastructure;
  • access controls and least-privilege practices;
  • authentication and authorization controls;
  • logging and monitoring of security-relevant events;
  • vulnerability management and patching based on risk;
  • secure software development practices;
  • backup and recovery processes for hosted systems where applicable;
  • personnel confidentiality obligations;
  • vendor review processes; and
  • incident response procedures.

The current technical and organizational measures are further described in Schedule 2 and Selaware’s Security Policy. Customer acknowledges that security measures may evolve over time, provided Selaware does not materially decrease the overall level of protection for Customer Personal Data during the applicable Subscription Term.


10. Security Incident Notification

Selaware will notify Customer without undue delay after confirming a Security Incident affecting Customer Personal Data.

Selaware’s notice will include information reasonably available to Selaware, which may include:

  1. the nature of the Security Incident;
  2. the categories of Customer Personal Data affected, if known;
  3. the approximate number of affected Data Subjects or records, if known;
  4. the likely consequences of the Security Incident, if known;
  5. measures taken or proposed to address the Security Incident; and
  6. contact information for follow-up.

Selaware may provide this information in phases as details become available. Customer is responsible for determining whether the Security Incident requires notification to Data Subjects, regulators, customers, or other third parties, except where Selaware has a direct legal obligation.

Selaware’s notification of or response to a Security Incident is not an admission of fault or liability.


11. Assistance with Customer Obligations

Taking into account the nature of the Processing and information available to Selaware, Selaware will provide reasonable assistance to Customer as required by Applicable Data Protection Laws, including assistance with:

  1. responding to Data Subject requests;
  2. data protection impact assessments, where legally required;
  3. prior consultation with supervisory authorities, where legally required;
  4. Security Incident investigations and notifications;
  5. reasonable inquiries from regulators relating to Customer Personal Data; and
  6. Customer’s obligations regarding security of Processing.

Selaware may charge reasonable fees for assistance that requires significant effort, unless such assistance is required because of Selaware’s breach of this DPA.

If Selaware receives a request from a Data Subject relating to Customer Personal Data, Selaware may refer the request to Customer and will not respond directly unless instructed by Customer or required by law.


12. Audits and Compliance Information

Upon Customer’s reasonable written request, Selaware will make available information reasonably necessary to demonstrate Selaware’s compliance with this DPA, which may include security documentation, policies, summaries of controls, certifications, reports, or written responses to security questionnaires, to the extent available and subject to confidentiality obligations.

If Applicable Data Protection Laws require an audit, Customer may request an audit no more than once per year, unless a Security Incident or legal requirement justifies additional review. Any audit must:

  1. be conducted during normal business hours;
  2. be subject to reasonable advance notice;
  3. be limited to systems, records, and personnel relevant to Selaware’s Processing of Customer Personal Data;
  4. avoid disruption to Selaware’s operations and other customers;
  5. be conducted by Customer or an independent auditor subject to confidentiality obligations; and
  6. comply with Selaware’s reasonable security, confidentiality, and access requirements.

Customer is responsible for audit costs unless the audit identifies a material breach of this DPA by Selaware.


13. Return and Deletion of Customer Personal Data

Upon termination or expiration of the Agreement, Selaware will return or delete Customer Personal Data in accordance with the Agreement, this DPA, product functionality, and Selaware’s retention practices.

Customer may request export of Customer Data within the timeframe specified in the Agreement or product documentation. After that period, Selaware may delete Customer Data in accordance with its retention practices.

Selaware may retain Customer Personal Data to the extent required or permitted by law, or to the extent necessary for legal claims, security, fraud prevention, audit, backup, compliance, accounting, or other legitimate business purposes, provided that retained Customer Personal Data remains protected under this DPA until deleted.

Backups and archived copies may not be immediately deleted but will be protected from active Processing and deleted in accordance with Selaware’s normal retention lifecycle.


14. International Data Transfers

Customer acknowledges that Selaware and its Authorized Subprocessors may Process Customer Personal Data in the United States and other jurisdictions where Selaware or its Authorized Subprocessors operate.

Where Customer Personal Data is transferred from the European Economic Area, United Kingdom, Switzerland, or another jurisdiction that restricts international transfers, Selaware will use a valid transfer mechanism where required by Applicable Data Protection Laws. Such mechanisms may include the Standard Contractual Clauses, UK International Data Transfer Addendum, UK International Data Transfer Agreement, Swiss law adaptations, adequacy decisions, or another lawful transfer mechanism.

Where the Standard Contractual Clauses apply, they are incorporated by reference as described in Schedule 5.


15. U.S. State Privacy Law Terms

To the extent Selaware Processes Customer Personal Data subject to the CCPA or other U.S. state privacy laws with service provider, processor, or contractor requirements, Selaware will Process such Customer Personal Data as a service provider, contractor, processor, or equivalent role.

Selaware will not:

  1. sell or share Customer Personal Data;
  2. retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement, this DPA, or as otherwise permitted by Applicable Data Protection Laws;
  3. retain, use, or disclose Customer Personal Data for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by Applicable Data Protection Laws;
  4. retain, use, or disclose Customer Personal Data outside the direct business relationship between Selaware and Customer except as permitted by Applicable Data Protection Laws; or
  5. combine Customer Personal Data with Personal Data received from other sources except as permitted by Applicable Data Protection Laws.

Selaware will provide the same level of privacy protection required of service providers, contractors, or processors under Applicable Data Protection Laws and will notify Customer if Selaware determines that it can no longer meet its obligations under those laws.

Additional U.S. state privacy terms are set forth in Schedule 4.


16. AI Services, Model Providers, and Customer Configuration

The Services may help Customer monitor, analyze, or route activity involving third-party AI services, model providers, API providers, or LLM providers. Customer is responsible for selecting, configuring, authorizing, and reviewing the third-party AI services and integrations it chooses to use.

Selaware will not intentionally transmit Customer Personal Data to third-party AI providers unless required to provide the Services, enabled by Customer, configured by Customer, requested by Customer, or otherwise authorized under the Agreement.

Customer acknowledges that third-party AI services may have their own data processing terms, retention practices, security controls, pricing, and model behavior. Customer is responsible for determining whether such third-party services are appropriate for Customer’s intended use and compliance requirements.


17. Sensitive Data and Regulated Data

Unless expressly agreed by Selaware in writing, Customer will not submit to the Services:

  • protected health information subject to HIPAA;
  • regulated payment card data subject to PCI DSS;
  • children’s Personal Data requiring parental consent;
  • government identification numbers, financial account numbers, or full payment credentials;
  • biometric data, genetic data, precise geolocation data, or special category data under GDPR;
  • criminal offense data; or
  • secrets, passwords, private keys, access tokens, or credentials not required for supported integrations.

If Customer believes its use case requires processing sensitive or regulated data, Customer must contact Selaware before submitting such data so the parties can determine whether additional agreements, security measures, or product configurations are required.


18. De-Identified and Aggregated Data

Selaware may create and use aggregated, anonymized, or de-identified data derived from Customer Data for purposes such as product improvement, security, analytics, benchmarking, capacity planning, cost modeling, performance monitoring, and business reporting.

Selaware will not attempt to re-identify such data except as permitted by Applicable Data Protection Laws, including for security, compliance, or testing purposes designed to validate that the data is not reasonably capable of identifying a Data Subject.


19. Legal Requests

If Selaware receives a subpoena, court order, regulatory inquiry, law enforcement request, or other legal process seeking Customer Personal Data, Selaware will, where legally permitted, notify Customer and allow Customer to seek protective treatment.

Selaware may disclose Customer Personal Data where required by law, legal process, or governmental authority, or where Selaware reasonably believes disclosure is necessary to protect rights, safety, security, or property.


20. Limitation of Liability

Each party’s liability arising out of or related to this DPA is subject to the limitations, exclusions, and liability caps in the Agreement, unless prohibited by Applicable Data Protection Laws.


21. Term and Termination

This DPA remains in effect for as long as Selaware Processes Customer Personal Data on behalf of Customer.

Upon termination or expiration of the Agreement, this DPA will continue to apply to any Customer Personal Data retained by Selaware until such data is deleted or returned in accordance with this DPA and the Agreement.


Schedule 1: Details of Processing

1. Subject Matter

Selaware’s Processing of Customer Personal Data in connection with providing the Services, including Oculis, dashboards, APIs, collectors, scanners, integrations, alerts, reporting, support, billing, administration, security, and related services.

2. Duration

For the duration of the Agreement and any additional period during which Selaware Processes Customer Personal Data in accordance with the Agreement, this DPA, applicable retention periods, or legal requirements.

3. Nature and Purpose of Processing

Selaware may Process Customer Personal Data to:

  • provide, operate, maintain, secure, troubleshoot, and improve the Services;
  • discover, inventory, monitor, and analyze AI agents and AI-related activity;
  • collect and process telemetry, logs, metadata, usage data, token counts, cost data, cache savings, performance data, error data, latency data, and reliability metrics;
  • operate collectors, scanners, APIs, dashboards, alerts, notifications, reports, and integrations;
  • authenticate users, manage organizations, manage access permissions, and maintain audit logs;
  • provide customer support, onboarding, training, and professional services;
  • process subscription, billing, payment, and account administration data;
  • detect, prevent, investigate, and respond to security events, abuse, fraud, policy violations, or service misuse;
  • comply with legal obligations and enforce the Agreement; and
  • perform other Processing authorized by Customer.

4. Categories of Data Subjects

Depending on Customer configuration, Customer Personal Data may relate to:

  • Customer employees, contractors, administrators, developers, IT users, security users, finance users, engineering users, and authorized platform users;
  • Customer end users, if Customer configures the Services to process end-user activity;
  • users or owners of AI agents, applications, services, APIs, or systems monitored by Oculis;
  • business contacts, support contacts, billing contacts, and administrative contacts;
  • prospective users invited by Customer; and
  • other individuals whose Personal Data is included in Customer Data.

5. Categories of Personal Data

Depending on Customer configuration, Customer Personal Data may include:

  • name, business email address, phone number, company name, job title, department, and account identifiers;
  • user IDs, organization IDs, role and permission data, authentication metadata, and audit logs;
  • usernames, display names, identity provider metadata, SSO metadata, and access timestamps;
  • IP addresses, hostnames, device identifiers, system identifiers, container metadata, Kubernetes metadata, cloud account metadata, API metadata, and technical logs;
  • AI agent names, agent IDs, application names, route names, model names, provider names, endpoint metadata, and configuration metadata;
  • token counts, request counts, estimated cost, cache savings, latency, errors, response status, performance metrics, and usage data;
  • support messages, support tickets, troubleshooting details, and Customer communications;
  • prompt and response content only if Customer configures the Services to capture, transmit, or store such content;
  • billing and subscription information, excluding full payment card data handled by payment processors; and
  • other Personal Data submitted by Customer or processed through Customer’s use of the Services.

6. Sensitive Data

The Services are not intended to process sensitive or regulated data unless expressly agreed by Selaware in writing. Customer should not submit protected health information, regulated payment card data, children’s data, special category data, biometric data, genetic data, precise geolocation data, criminal offense data, government identifiers, passwords, private keys, or secrets unless expressly supported by Selaware and authorized in writing.

7. Processing Operations

Processing operations may include collection, transmission, receipt, access, storage, hosting, organization, structuring, retrieval, consultation, analysis, monitoring, display, reporting, alerting, support, troubleshooting, modification, deletion, export, and other operations necessary to provide the Services.


Schedule 2: Technical and Organizational Measures

Selaware maintains technical and organizational measures designed to protect Customer Personal Data. The measures below describe Selaware’s general security approach and may evolve over time.

1. Governance and Security Program

  • Security responsibilities assigned internally based on role and function.
  • Security expectations communicated to personnel with access to relevant systems.
  • Confidentiality obligations for personnel with access to Customer Personal Data.
  • Review of material security risks based on business and product needs.

2. Access Controls

  • Unique accounts for personnel where practical.
  • Role-based access controls where supported.
  • Least-privilege access practices.
  • Removal or adjustment of access when no longer required.
  • Administrative access limited to authorized personnel.
  • Authentication controls for dashboards, APIs, and administrative systems.

3. Encryption and Network Security

  • Encryption in transit using TLS or comparable secure transport protocols.
  • Encryption at rest where supported by the underlying hosting or storage providers.
  • Network access restrictions, firewalls, or cloud security groups where appropriate.
  • Secure API authentication methods.
  • Segmentation or logical separation of production systems where appropriate.

4. Application Security

  • Secure software development practices.
  • Code review for material product changes where commercially reasonable.
  • Dependency and package review where commercially reasonable.
  • Vulnerability scanning or security testing of relevant systems.
  • Risk-based patching of vulnerabilities.
  • Protections against common web application risks.

5. Logging, Monitoring, and Alerting

  • Logging of selected authentication, API, administrative, security, and operational events.
  • Monitoring of platform health, performance, availability, and errors.
  • Alerts for selected reliability or security conditions.
  • Investigation and response processes for suspected incidents.

6. Data Separation and Tenant Controls

  • Logical separation of customer organizations and tenant data within the Services.
  • Access controls designed to limit customer access to authorized organization data.
  • Administrative tooling and internal access restrictions designed to reduce unauthorized access risk.

7. Collector and Scanner Security

  • Collectors and scanners designed to be deployed under Customer control.
  • Support for outbound connectivity patterns where practical.
  • Recommended least-privilege deployment practices.
  • Customer-controlled configuration of monitored systems, namespaces, logs, APIs, and integrations.
  • Versioning and health telemetry for operational visibility where supported.

8. Backup, Recovery, and Availability

  • Backups or replication for hosted systems where supported by infrastructure providers.
  • Recovery procedures designed for commercially reasonable restoration of critical hosted services.
  • Monitoring for service health and availability.

9. Vendor and Subprocessor Management

  • Review of vendors based on the nature of services and data involved.
  • Written agreements with Authorized Subprocessors that impose data protection obligations.
  • Replacement or update of subprocessors as needed to support the Services.

10. Incident Response

  • Procedures for investigating suspected Security Incidents.
  • Escalation paths for security events.
  • Customer notification process for confirmed Security Incidents involving Customer Personal Data.
  • Post-incident review where appropriate.

11. Customer Responsibilities

Customer is responsible for securing Customer-managed environments, including networks, firewalls, endpoints, Kubernetes clusters, cloud accounts, identity providers, API keys, integrations, collector deployment configurations, and user permissions.


Schedule 3: Authorized Subprocessors

Customer authorizes Selaware to use Authorized Subprocessors to provide, support, secure, and improve the Services.

Selaware’s Authorized Subprocessors may include providers in the following categories:

  • cloud infrastructure and hosting providers;
  • database, storage, and backup providers;
  • identity, authentication, and SSO providers;
  • payment processing and billing providers;
  • customer support, ticketing, and communication providers;
  • email delivery and notification providers;
  • analytics, logging, observability, and monitoring providers;
  • security, fraud prevention, and abuse detection providers;
  • AI, API, and model providers used to deliver customer-configured functionality;
  • professional services providers and contractors supporting the Services; and
  • other vendors reasonably necessary to provide the Services.

Selaware may maintain a public or customer-available list of Authorized Subprocessors. If Selaware does not maintain a public list, Customer may request current subprocessor information by contacting privacy@selaware.ai or security@selaware.ai.

Selaware will provide notice of material changes to Authorized Subprocessors where required by Applicable Data Protection Laws or the Agreement. Customer may object to a new Authorized Subprocessor on reasonable data protection grounds by providing written notice within the timeframe stated in Selaware’s notice or, if no timeframe is stated, within thirty (30) days after notice.


Schedule 4: U.S. State Privacy Law Service Provider Terms

This Schedule applies to Customer Personal Data subject to U.S. state privacy laws, including the CCPA, to the extent Selaware acts as a service provider, contractor, processor, or similar role.

1. Business Purpose

Selaware Processes Customer Personal Data for the business purposes described in the Agreement, this DPA, and Schedule 1, including providing, operating, maintaining, securing, supporting, and improving the Services.

2. Restrictions

Selaware will not sell or share Customer Personal Data.

Selaware will not retain, use, or disclose Customer Personal Data for purposes other than:

  • the business purposes specified in the Agreement and this DPA;
  • as instructed by Customer;
  • as necessary to provide, secure, support, or improve the Services;
  • as permitted for service providers, contractors, or processors under Applicable Data Protection Laws; or
  • as required by law.

Selaware will not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer except as permitted by Applicable Data Protection Laws.

Selaware will not combine Customer Personal Data with Personal Data received from other sources except as permitted by Applicable Data Protection Laws.

3. Assistance

Selaware will reasonably assist Customer in responding to consumer requests and complying with applicable obligations, taking into account the nature of the Processing and information available to Selaware.

4. Subcontractors

Selaware will require Authorized Subprocessors that Process Customer Personal Data subject to this Schedule to comply with written obligations consistent with this DPA and Applicable Data Protection Laws.

5. Compliance Certification

Selaware certifies that it understands and will comply with the restrictions in this Schedule.

If Selaware determines it can no longer meet its obligations under this Schedule or Applicable Data Protection Laws, Selaware will notify Customer. Customer may take reasonable and appropriate steps to stop and remediate unauthorized Processing of Customer Personal Data.


Schedule 5: International Transfer Terms

This Schedule applies when Customer Personal Data is transferred from a jurisdiction that requires a lawful international data transfer mechanism.

1. EU/EEA Transfers

Where Customer Personal Data subject to the GDPR is transferred from the European Economic Area to a country that has not been recognized as providing adequate protection, the parties agree that the Standard Contractual Clauses apply as follows:

  • Module Two: Controller to Processor applies where Customer is a controller and Selaware is a processor.
  • Module Three: Processor to Processor applies where Customer is a processor and Selaware is a subprocessor.
  • Customer is the data exporter.
  • Selaware is the data importer.
  • The details of Processing are described in Schedule 1.
  • The technical and organizational measures are described in Schedule 2.
  • Authorized Subprocessors are addressed in Schedule 3.
  • The optional docking clause applies where appropriate.
  • The governing law and supervisory authority will be determined as required by the Standard Contractual Clauses and applicable law.

2. UK Transfers

Where Customer Personal Data subject to the UK GDPR is transferred from the United Kingdom to a country that has not been recognized as providing adequate protection, the parties agree that the applicable UK International Data Transfer Addendum or other approved UK transfer mechanism applies, as amended or replaced from time to time.

3. Swiss Transfers

Where Customer Personal Data subject to the Swiss FADP is transferred from Switzerland to a country that has not been recognized as providing adequate protection, the parties agree that the Standard Contractual Clauses apply with Swiss-law adaptations as required by the Swiss Federal Data Protection and Information Commissioner or applicable Swiss law.

4. Transfer Impact and Government Access

Selaware will use commercially reasonable measures to protect Customer Personal Data in connection with international transfers. Where required by Applicable Data Protection Laws, the parties will cooperate in good faith to evaluate transfer risks and implement supplementary measures that are appropriate to the nature of the data and Processing.

If Selaware receives a legally binding request from a public authority for Customer Personal Data, Selaware will, where legally permitted, notify Customer and provide reasonable assistance so Customer may seek protective treatment.


Contact

Questions about this DPA may be directed to:

Selaware LLC
Email: privacy@selaware.ai
Security contact: security@selaware.ai
Support contact: support@selaware.ai