European Union, United Kingdom & United StatesUpdated January 14, 2025

Data Processing Agreement

GDPR Art. 28 terms for customers who process personal data through UZZIWAI®

This Data Processing Agreement ("DPA") forms part of the Terms of Service and reflects the parties' agreement regarding the processing of personal data subject to the GDPR, UK GDPR, Swiss FADP and CCPA. Capitalized terms not defined here have the meaning given in the Terms or the Standard Contractual Clauses.

1. Scope and roles

Customer is the controller (or processor, where Customer is a processor acting on behalf of its controllers) of Customer Data. UZZIWAI® acts as a processor on Customer's behalf. This DPA applies to all processing of personal data carried out by UZZIWAI® to provide the Services.

2. Processing details (GDPR Art. 28(3))

ItemDetails
Subject matterProvision of the UZZIWAI® AI Workforce Services to Customer.
Nature of processingHosting, retrieval, automated processing and AI-mediated handling of Customer Data.
PurposeTo deliver the Services configured by Customer, including AI Employee interactions.
Duration of processingFor the term of the underlying agreement, plus the retention period in the Terms.
Types of personal dataContact, identification, account, communication and end-user interaction data.
Categories of data subjectsCustomer's end-users, contacts, employees and prospects, as configured by Customer.

3. Processor obligations

UZZIWAI® will:

  • Process Customer Data only on Customer's documented instructions, including with regard to transfers, unless required by law.
  • Ensure personnel authorized to process Customer Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures (Art. 32), summarized in Section 5.
  • Not engage sub-processors without Customer's authorization, provided under the terms of Section 4.
  • Assist Customer in responding to data subject requests, taking into account the nature of processing.
  • Assist Customer in meeting obligations under Arts. 32-36 (security, breach notification, DPIA and prior consultation).
  • Delete or return Customer Data at the end of the Services, subject to legal retention requirements.
  • Make available information necessary to demonstrate compliance and allow for audits (Art. 28(3)(h)).

4. Sub-processors

Customer authorizes UZZIWAI® to engage the sub-processors listed in our Sub-processors list. We will give at least 30 days' notice of new or replacement sub-processors and the right to object on reasonable data-protection grounds. We impose data protection terms on each sub-processors no less protective than those in this DPA.

5. Security measures (Art. 32)

We maintain measures appropriate to the risk, including:

  • Encryption of Customer Data in transit (TLS 1.3) and at rest (AES-256).
  • Role-based access control, least-privilege principles and multi-factor authentication.
  • Network and application security, including firewalls, WAF and intrusion detection.
  • Immutable audit logging of administrative and data-access actions.
  • Regular vulnerability scanning and annual third-party penetration testing.
  • Business continuity, disaster recovery and tested backup restoration.
  • Annual SOC 2 Type II audit and documented incident response procedures.
  • Personnel security, including background checks where lawful and security training.

6. International data transfers

For transfers of Customer Data from the EEA/UK/CH to countries lacking an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor, and Module 3 where Customer is a processor), the UK International Data Transfer Addendum, and supplementary measures including encryption. A copy of the executed SCCs is available on request under NDA.

7. Personal data breach

UZZIWAI® will notify Customer without undue delay (and in any case within 48 hours) of becoming aware of a personal data breach affecting Customer Data, including the nature of the breach, the categories and approximate number of data subjects and records, the likely consequences, and the measures taken or proposed. We will assist Customer in meeting breach notification obligations to regulators and data subjects under Art. 33-34.

8. Audit rights

Customer may audit UZZIWAI®'s compliance with this DPA, subject to reasonable notice and confidentiality obligations. In lieu of an on-site audit, UZZIWAI® may provide our SOC 2 Type II report, ISO certifications (where available) and other third-party audit reports, which Customer agrees constitute a reasonable audit. Where an on-site audit is necessary, it will be conducted once annually at Customer's expense, during business hours, and without undue disruption.

9. Deletion and return

Upon termination, UZZIWAI® will, at Customer's choice, return or delete Customer Data within 60 days, except where retention is required by law (in which case we will isolate and protect the data and delete it when the legal basis expires).

10. Term and termination

This DPA takes effect on the date the Services commence and remains in effect for as long as UZZIWAI® processes Customer Data. Obligations regarding confidentiality, security, deletion, audit and international transfers survive termination.