Preamble
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between you (“Customer”) and Kade Software Limited (“Proxima”), and applies to the processing of Customer Personal Data by Proxima in the course of providing the Service.
To the extent of any conflict between this DPA and the Agreement, this DPA prevails for matters relating to the processing of Personal Data.
This DPA is a legally binding part of the Agreement and applies automatically to any Customer subject to GDPR, UK GDPR, the Swiss FADP, or comparable data-protection legislation. No signature is required; if your local law requires a counter-signed copy, email privacy.proxima@dterminal.net and we will provide one.
Definitions
Capitalized terms used but not defined here have the meanings given in the Agreement, the GDPR, or the EU Standard Contractual Clauses (the “SCCs”), as applicable.
- Applicable Data Protection Law means all data-protection and privacy laws applicable to the processing of Personal Data under this DPA, including the GDPR, the UK GDPR, the Swiss FADP, and the CCPA.
- Customer Personal Data means Personal Data processed by Proxima on behalf of Customer in the course of providing the Service.
- Controller, Processor, Sub-processor, Data Subject, Personal Data, Personal Data Breach, Processing have the meanings given in the GDPR.
- SCCs means the Standard Contractual Clauses for the transfer of personal data to third countries set out in Commission Implementing Decision (EU) 2021/914, as amended.
- UK IDTA means the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office.
Scope, roles & purpose of processing
Roles
- With respect to Customer Personal Data, Customer is the Controller (or, where applicable, the Processor acting on behalf of a third-party Controller) and Proxima is the Processor.
- With respect to data Proxima collects directly about Customer (account billing data, support correspondence, etc.), Proxima is an independent Controller, and that processing is governed by the Privacy Policy.
Subject matter, nature, purpose, duration
The subject matter of the processing is the provision of the Service. The nature of the processing is automated processing of Customer Personal Data to read messages, schedule events, and surface drafts for Customer’s approval. The duration of the processing is the term of the Agreement plus any post-termination retention period required by Applicable Data Protection Law and described in this DPA.
The categories of Data Subjects, the categories of Personal Data, and the special categories of data (if any) are set out in Annex 1.
Customer instructions
Customer’s use of the Service constitutes Customer’s documented instructions to Proxima for the processing. Proxima will process Customer Personal Data only for the purposes described in this DPA and the Agreement, in accordance with Customer’s documented instructions, and not for any other purpose unless required by law (in which case, Proxima will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
Processor obligations
Proxima will:
- process Customer Personal Data only on documented instructions from Customer;
- ensure that persons authorized to process Customer Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex 2 and on the Security page;
- engage Sub-processors only in compliance with the section below;
- assist Customer in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Law (see Data-subject rights below);
- assist Customer in ensuring compliance with the obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to Proxima;
- at Customer’s choice, delete or return all Customer Personal Data to Customer at the end of the provision of the Service, and delete existing copies (subject to retention required by applicable law);
- make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer (see Audit below);
- immediately inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
Sub-processors
General authorization
Customer provides general authorization for Proxima to engage Sub-processors to process Customer Personal Data, subject to the conditions in this section.
Current list
Proxima’s current Sub-processors are listed in Annex 3 and on the Security page.
Notice of changes
Proxima will give Customer at least 30 days’ prior notice of any new Sub-processor before that Sub-processor begins processing Customer Personal Data, by updating the published list and emailing Customers who have subscribed to the sub-processor change list (see Security).
Right to object
Within 30 days of notice, Customer may object to the appointment of a new Sub-processor on reasonable, documented grounds related to data protection. Proxima will use commercially reasonable efforts to provide an alternative; if it cannot, Customer may terminate the Agreement with respect to the Service that requires the Sub-processor and receive a pro-rata refund of any prepaid fees.
Sub-processor contracts
Proxima will impose on each Sub-processor data-protection obligations no less protective than those in this DPA, by way of a written contract or other binding instrument. Proxima remains liable to Customer for the acts and omissions of its Sub-processors relating to the processing of Customer Personal Data.
Security measures
Proxima implements and maintains the technical and organizational measures described in Annex 2 and on the Security page. These measures include encryption of Customer Personal Data in transit and at rest, access controls, network isolation, monitoring, and an incident-response process. Proxima may update these measures over time provided the level of protection is not materially diminished.
Data-subject rights
Taking into account the nature of the processing, Proxima will assist Customer in fulfilling its obligation to respond to requests by Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.
The Service provides Customer with the ability to access, rectify, export, and delete Customer Personal Data through the dashboard (Settings → Data export, Settings → Danger zone). Where Customer is unable to address a request through these tools, Proxima will provide reasonable assistance to do so, at no additional charge for requests that fall within Proxima’s ordinary obligations under Applicable Data Protection Law.
If Proxima receives a request from a Data Subject directly, it will promptly notify Customer and will not respond to the request other than to direct the Data Subject to Customer, unless Proxima is legally required to respond.
Personal data breaches
Proxima will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
The notification will, to the extent reasonably available, include:
- a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
- the name and contact details of the contact point at Proxima where more information can be obtained;
- a description of the likely consequences of the breach;
- a description of the measures taken or proposed to address the breach and mitigate its possible adverse effects.
Where it is not possible to provide all the information at the same time, the information may be provided in phases without further undue delay.
Customer is responsible for any further notification to Data Subjects and supervisory authorities required by Applicable Data Protection Law. Proxima will provide reasonable cooperation to support Customer in making any such notifications.
International transfers
Customer acknowledges that Proxima processes Customer Personal Data in the United States and may transfer it to other countries where its Sub-processors operate.
EU SCCs incorporated by reference
For transfers of Customer Personal Data from the EEA, Switzerland, or any other jurisdiction whose laws require the use of Standard Contractual Clauses, the parties agree that the SCCs are hereby incorporated by reference into this DPA, with Module Two (Controller-to-Processor) applying where Customer is a Controller, and Module Three (Processor-to-Sub-processor) applying where Customer is itself a Processor on behalf of a third-party Controller.
The SCCs are completed as follows:
- Clause 7 (Docking Clause): not used.
- Clause 9 (Use of Sub-processors): Option 2 (general written authorization), with the notice period set to 30 days.
- Clause 11 (Redress): the optional independent dispute-resolution body language is not selected.
- Clause 17 (Governing Law): the law of Ireland.
- Clause 18 (Forum and Jurisdiction): the courts of Ireland.
- Annex I.A (List of Parties): Customer is the data exporter; Proxima is the data importer. Contact details are those provided in the Agreement.
- Annex I.B (Description of Transfer): set out in Annex 1 below.
- Annex I.C (Competent Supervisory Authority): the Irish Data Protection Commission, or, where the data exporter is established in another EU Member State, the supervisory authority of that Member State.
- Annex II (Technical and Organizational Measures): set out in Annex 2 below.
- Annex III (List of Sub-processors): set out in Annex 3 below.
UK IDTA
For transfers of Customer Personal Data subject to the UK GDPR, the parties agree that the UK International Data Transfer Addendum to the EU SCCs is hereby incorporated by reference into this DPA, completing the SCCs as set out above.
Swiss FADP
For transfers of Customer Personal Data subject to the Swiss FADP, the SCCs apply mutatis mutandis, with references to GDPR replaced by references to the FADP and the supervisory authority being the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Audit
On reasonable prior written request, and no more than once per year (except after a Personal Data Breach or where required by a supervisory authority), Proxima will make available to Customer all information necessary to demonstrate compliance with this DPA and Article 28 GDPR.
Such information may take the form of:
- written responses to a reasonable security questionnaire (we maintain a CAIQ-Lite-style response that we’ll share on request);
- an executive summary of any current SOC 2 / ISO 27001 / similar audit reports we hold;
- attestations from our principal Sub-processors.
To the extent that the foregoing does not satisfy Customer’s audit obligations under Applicable Data Protection Law, Customer may conduct, at its own expense and on at least 30 days’ written notice, an on-site audit during regular business hours, in a manner that does not unreasonably interfere with Proxima’s operations and subject to reasonable confidentiality obligations. The auditor must not be a competitor of Proxima.
Return & deletion
On termination of the Agreement, Proxima will delete Customer Personal Data within 30 days, except where retention is required by applicable law (e.g. tax, accounting). Backups containing Customer Personal Data are encrypted and overwritten on a 30-day rolling basis.
On request from Customer made before deletion, Proxima will provide a final export of Customer Personal Data in a structured, commonly-used, machine-readable format.
Liability
Each party’s liability under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. The parties acknowledge that, where the SCCs apply, Clause 12 of the SCCs governs liability between Customer (as data exporter) and Proxima (as data importer) toward Data Subjects, and nothing in the Agreement’s liability cap limits the liability owed to a Data Subject under the SCCs.
Term
This DPA takes effect on the date of acceptance of the Agreement and remains in force for the duration of the Agreement. Sections that by their nature should survive termination — including provisions on security, confidentiality, audit, return and deletion, and liability — survive.
General
Order of precedence
In the event of a conflict between this DPA, the SCCs, and the Agreement, the SCCs prevail, then this DPA, then the Agreement.
Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in effect.
Signatures
This DPA is automatically applied as part of the Agreement. A signed counterpart will be issued on request to privacy.proxima@dterminal.net.
Annex 1 — Description of processing
A. List of parties
Data exporter: Customer (as identified in the Agreement). Role: Controller (or Processor on behalf of a third-party Controller).
Data importer: Kade Software Limited, hello.proxima@dterminal.net. Role: Processor (or Sub-processor).
B. Description of transfer
- Categories of Data Subjects: Customer’s employees, contractors, agents, and end users; the senders and recipients of email and calendar invites that Customer chooses to connect to the Service; participants in lead-research feeds Customer configures.
- Categories of Personal Data: name; email address; telephone number (where present in connected sources); calendar availability; message content (email, Discord, Notion); social-media handles and posts (where the Service is configured to monitor X / Twitter); IP address (in service logs).
- Special categories of data (Article 9): none intentionally collected. The Service is not designed for the processing of special-category data; Customer should not connect sources that will routinely surface it.
- Frequency of transfer: continuous, on-demand, for the duration of the Agreement.
- Nature of processing: automated reading of connected-tool data; LLM-based generation of drafts; storage of approval records; transmission of approved actions back to the connected tools.
- Purpose of processing: provision of the Service as described in the Agreement.
- Retention period: as described in the Privacy Policy.
- Sub-processors: as listed in Annex 3; transfers to Sub-processors are for the duration of their service to Proxima, with retention governed by Sub-processor contracts.
C. Competent supervisory authority
Where the data exporter is established in the EU/EEA, the competent supervisory authority is the supervisory authority of the Member State of establishment. Where the data exporter is not established in the EU/EEA but Article 3(2) GDPR applies, the competent supervisory authority is the Irish Data Protection Commission.
Annex 2 — Technical and organizational measures
Proxima implements and maintains the security measures set out below. These measures are reviewed at least annually and updated to reflect industry standards and the evolving threat landscape. The full description, with implementation detail, is on the Security page.
Confidentiality, integrity, availability
- Encryption — TLS 1.2+ in transit; AES-256 at rest; envelope encryption with KMS-managed keys for OAuth credentials.
- Access control — role-based, least-privilege, MFA on all employee accounts, audit logging of production access.
- Network isolation — production and non-production environments are physically separated.
- Monitoring — application metrics, error traces, access logs, and authentication anomalies streamed to a SIEM.
- Backups — encrypted, point-in-time recovery, 30-day retention, periodic restore tests.
Pseudonymization & data minimization
- Customer-content fields are redacted in application logs at the source.
- Drafts that are never approved are deleted within 30 days.
Resilience & business continuity
- Multi-region database replication; documented runbook for failover.
- Quarterly disaster-recovery drill.
Personnel
- All employees sign a confidentiality agreement and complete security and privacy training within 30 days of joining and annually thereafter.
Vendor management
- Pre-onboarding security review of every Sub-processor; contractual data-protection terms equivalent to this DPA.
Incident response
- Documented runbook; on-call coverage; 72-hour notification commitment; public post-mortem for severe incidents.
Annex 3 — Sub-processors
A current list of Sub-processors is also published on the Security page. Any changes are notified at least 30 days in advance via that page and (for subscribed Customers) by email.
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | LLM inference for the agents. | USA |
| Google LLC (Google Cloud Platform) | Compute, managed Postgres, object storage, KMS. | USA (with global edge) |
| Cloudflare, Inc. | CDN, DDoS protection, WAF. | Global edge (US-anchored) |
| Discord, Inc. | Inbound and outbound bot messages. | USA |
| Postmark / SendGrid | Transactional email (account notifications). | USA |
| Sentry / Datadog | Error tracking and APM. | USA / EU |