Data Processing Agreement

Standard Data Processing Agreement for ClosedLoop AI Services

Effective Date: November 19th, 2025
Last Updated: November 19th, 2025

1. Definitions

This Data Processing Agreement ("DPA") forms part of the agreement between ClosedLoop Labs LLC, doing business as "ClosedLoop AI" ("Processor," "we," "us," or "our") and the customer ("Controller," "you," or "your") that has executed our Terms of Service or other agreement governing the use of ClosedLoop AI services (the "Agreement").

Capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. For purposes of this DPA:

  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by ClosedLoop AI on behalf of Controller in connection with the Services.
  • "Service Data" means all data, including Personal Data, that Controller or its end users submit to the Services.
  • "Services" means the ClosedLoop AI platform and related services as described in the Agreement.
  • "Subprocessor" means any third party engaged by ClosedLoop AI to process Personal Data on behalf of Controller.

2. Scope and Purpose

This DPA applies to all processing of Personal Data by ClosedLoop AI on behalf of Controller in connection with the Services. The purpose of this DPA is to ensure that ClosedLoop AI processes Personal Data in compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection legislation.

ClosedLoop AI acts as a Processor (or Subprocessor) with respect to Personal Data processed in connection with the Services. Controller is the Controller (or Processor) of such Personal Data.

3. Details of Processing

The parties acknowledge and agree that:

  • Subject Matter: The processing of Personal Data in connection with the Services, including customer feedback, conversations, product information, and related data submitted by Controller or its end users.
  • Duration: The term of the Agreement and for as long as ClosedLoop AI processes Personal Data on behalf of Controller.
  • Nature and Purpose: Processing of Personal Data for the purpose of providing the Services, including AI-powered analysis, insight generation, pattern recognition, and related functionality.
  • Categories of Data Subjects: Controller's customers, employees, and other individuals whose Personal Data is included in the data submitted to the Services.
  • Types of Personal Data: May include names, email addresses, customer feedback, conversation transcripts, product information, and other data submitted by Controller or its end users. For enterprise customers with specific data processing requirements, a detailed data processing annex may be attached to this DPA specifying the exact categories of Personal Data, data subjects, and processing activities.

Data Processing Annex: For enterprise customers, ClosedLoop AI can provide a detailed data processing annex that specifies the exact categories of Personal Data processed, data subjects, processing activities, retention periods, and other processing details. This annex may be customized based on the Controller's specific use case and data processing requirements.

4. Processor Obligations

ClosedLoop AI shall:

  • Process Personal Data only on documented instructions from Controller, unless required to do so by applicable law. In such cases, ClosedLoop AI shall inform Controller of that legal requirement before processing, unless the law prohibits such information.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, and regular security assessments.
  • Assist Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws, including the right of access, rectification, erasure, restriction of processing, data portability, and objection.
  • Assist Controller in ensuring compliance with its obligations under applicable data protection laws, including data protection impact assessments and prior consultation with supervisory authorities.
  • At Controller's choice, delete or return all Personal Data to Controller after the end of the provision of services relating to processing, and delete existing copies unless storage of Personal Data is required by applicable law.
  • Make available to Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and allow for and contribute to audits conducted by Controller or its authorized representative.

5. Controller Obligations

Controller shall:

  • Provide ClosedLoop AI with clear instructions regarding the processing of Personal Data and ensure that all instructions comply with applicable data protection laws.
  • Ensure that it has all necessary rights and consents to provide Personal Data to ClosedLoop AI for processing in connection with the Services.
  • Comply with all applicable data protection laws in its use of the Services and in its processing of Personal Data.
  • Notify ClosedLoop AI immediately if it becomes aware of any breach of applicable data protection laws or any unauthorized access to Personal Data.

6. Subprocessors

Controller acknowledges and agrees that ClosedLoop AI may engage Subprocessors to process Personal Data on behalf of Controller. ClosedLoop AI maintains a current list of Subprocessors, which may be updated from time to time.

ClosedLoop AI shall:

  • Ensure that all Subprocessors are bound by data protection obligations that are substantially similar to those set forth in this DPA.
  • Notify Controller of any intended changes concerning the addition or replacement of Subprocessors at least thirty (30) days in advance, giving Controller the opportunity to object to such changes. Notification will be provided via email to the Controller's designated contact or through the ClosedLoop AI platform.
  • Remain fully liable for the performance of Subprocessors' obligations under this DPA.

Controller may object to ClosedLoop AI's use of a new Subprocessor by notifying ClosedLoop AI in writing within thirty (30) days after the Subprocessor list is updated. If Controller objects, ClosedLoop AI will work with Controller to address the objection, which may include ceasing to use the Subprocessor for Controller's data or providing alternative service arrangements.

7. Data Security

ClosedLoop AI shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption of data in transit using TLS 1.3 or higher protocols
  • Encryption of data at rest using industry-standard encryption mechanisms, including Azure PostgreSQL's default encryption at rest
  • Access controls and authentication mechanisms, including role-based access control and multi-factor authentication
  • Regular security assessments, vulnerability scanning, and penetration testing
  • Comprehensive audit logging of all data access and modifications
  • Secure secret management using Azure Key Vault
  • Network security controls including firewalls, intrusion detection, and DDoS protection

8. Data Breach Notification

In the event of a Personal Data breach, ClosedLoop AI shall notify Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of the breach, unless notification is delayed due to law enforcement requirements or ongoing investigation. The notification shall include:

  • A description of the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned
  • The name and contact details of the data protection officer or other contact point where more information can be obtained
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to be taken by ClosedLoop AI to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

ClosedLoop AI shall provide Controller with reasonable assistance as requested by Controller to enable Controller to comply with its obligations under applicable data protection laws regarding data breach notifications to supervisory authorities and data subjects.

9. Data Subject Rights

ClosedLoop AI shall assist Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws, including:

  • The right of access to Personal Data
  • The right to rectification of inaccurate Personal Data
  • The right to erasure of Personal Data
  • The right to restriction of processing
  • The right to data portability
  • The right to object to processing

Controller may request deletion of Personal Data at any time through account settings or by contacting [email protected]. ClosedLoop AI will process such requests promptly in accordance with applicable data protection laws.

10. Data Retention and Deletion

ClosedLoop AI shall retain Personal Data only for as long as necessary to provide the Services or as required by applicable law. ClosedLoop AI's data retention policies, which are set forth on our Subprocessors page, include:

  • Raw Customer Data: Retained for up to twelve (12) months, then automatically deleted unless a longer retention period is required by law or necessary for ongoing service delivery
  • Processed Insights: Retained for the duration of the subscription term and may be retained longer for ongoing service delivery, subject to customer deletion requests
  • Pattern Recognition Data: Raw signals retained for two (2) years, pattern history retained for five (5) years, strategic insights retained for three (3) years
  • Audit Logs: Retained for two (2) years for security and compliance purposes
  • Account Data: Retained for the duration of the subscription term and deleted within thirty (30) days of account termination, unless a longer retention period is required by law

Upon termination of the Agreement or upon Controller's request, ClosedLoop AI shall, at Controller's choice, delete or return all Personal Data to Controller and delete existing copies unless storage of Personal Data is required by applicable law. ClosedLoop AI will provide a certificate of deletion upon request confirming that Personal Data has been deleted in accordance with this DPA.

Data Export and Exit Assistance: Upon termination of the Agreement or upon Controller's request, ClosedLoop AI will provide Controller with the ability to export all Personal Data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV) within thirty (30) days of the request. ClosedLoop AI will provide reasonable assistance to Controller in extracting and exporting Personal Data, including providing technical support and documentation as needed.

11. Audit Rights

ClosedLoop AI shall make available to Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA. Upon reasonable notice and during normal business hours, ClosedLoop AI shall allow Controller or its authorized representative to conduct audits of ClosedLoop AI's processing of Personal Data, subject to:

  • Controller providing at least thirty (30) days' advance written notice
  • Audits being conducted no more than once per calendar year, unless required by applicable law or a supervisory authority
  • Controller bearing the costs of such audits
  • Audits being conducted in a manner that does not unreasonably interfere with ClosedLoop AI's business operations
  • Controller and its representatives entering into appropriate confidentiality agreements

In lieu of an audit, ClosedLoop AI may provide Controller with certifications, audit reports, or other documentation that demonstrates compliance with this DPA. ClosedLoop AI commits to maintaining and providing upon request:

  • Summary documentation of technical and organizational measures implemented
  • Third-party security assessment reports, subject to confidentiality restrictions
  • Compliance summaries demonstrating adherence to applicable data protection laws
  • Security certifications and compliance reports when available

12. International Data Transfers

All Personal Data processed by ClosedLoop AI is stored and processed in the United States by default. ClosedLoop AI does not transfer Personal Data outside of the United States unless required to do so by applicable law or with Controller's explicit consent.

EU Data Residency: For enterprise customers subject to GDPR or other data protection laws requiring data residency in the European Union or other regions, ClosedLoop AI can arrange EU-based data processing. For questions about data residency requirements or to discuss EU region processing, please contact [email protected].

Transfer Safeguards: If ClosedLoop AI transfers Personal Data outside of the United States or the European Economic Area, ClosedLoop AI shall ensure that appropriate safeguards are in place to protect Personal Data in accordance with applicable data protection laws, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (UK IDTA) for transfers from the UK
  • Other approved transfer mechanisms under applicable data protection laws

ClosedLoop AI will provide Controller with documentation of the transfer safeguards in place upon request.

13. Sensitive Data Processing

If Controller intends to process special categories of Personal Data (also known as "sensitive data") as defined under applicable data protection laws (e.g., health data, biometric data, financial data, or other regulated categories), Controller must notify ClosedLoop AI in writing and obtain ClosedLoop AI's prior written consent before submitting such data to the Services.

ClosedLoop AI may require additional safeguards, controls, or contractual provisions for processing sensitive data, including but not limited to:

  • Enhanced encryption and access controls
  • Additional audit and monitoring requirements
  • Specific data retention and deletion schedules
  • Compliance with industry-specific regulations (e.g., HIPAA, PCI-DSS)

If ClosedLoop AI agrees to process sensitive data, such processing will be subject to the terms of this DPA and any additional safeguards agreed upon in writing between the parties.

14. Limitation of Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions set forth in the Agreement, except as set forth below.

Liability Carve-Outs: The limitation of liability set forth in the Agreement does not apply to, and ClosedLoop AI's liability shall not be limited for:

  • Data Breach: Claims arising from a breach of ClosedLoop AI's security obligations resulting in unauthorized access to or disclosure of Personal Data, up to two (2) times the amount Controller paid to ClosedLoop AI in the twelve (12) months preceding the claim
  • Data Protection Non-Compliance: Claims arising from ClosedLoop AI's failure to comply with applicable data protection laws (including GDPR, CCPA), up to two (2) times the amount Controller paid to ClosedLoop AI in the twelve (12) months preceding the claim
  • Confidentiality Breach: Claims arising from a breach of ClosedLoop AI's confidentiality obligations, up to two (2) times the amount Controller paid to ClosedLoop AI in the twelve (12) months preceding the claim
  • Gross Negligence or Willful Misconduct: Claims arising from ClosedLoop AI's gross negligence or willful misconduct

Nothing in this DPA shall be construed to modify or limit either party's liability under the Agreement, except as expressly set forth in this section.

15. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws specified in the Agreement. If the Agreement does not specify governing law, this DPA shall be governed by the laws of the State of Delaware, United States, without regard to its conflict of law provisions.

Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts specified in the Agreement. If the Agreement does not specify jurisdiction, disputes shall be subject to the exclusive jurisdiction of the courts of Delaware, United States.

For enterprise customers with specific jurisdictional requirements (e.g., EU-based customers requiring EU jurisdiction), ClosedLoop AI can negotiate alternative governing law and jurisdiction provisions as part of the Agreement.

16. General Provisions

This DPA shall remain in effect for as long as ClosedLoop AI processes Personal Data on behalf of Controller in connection with the Services. The terms of this DPA shall survive termination of the Agreement to the extent necessary to give effect to the parties' obligations under this DPA.

This DPA may be updated from time to time to reflect changes in applicable law or ClosedLoop AI's data processing practices. Material changes to this DPA will be communicated to Controller in accordance with the Agreement.

If any provision of this DPA is found to be unenforceable or invalid, such provision shall be limited or eliminated to the minimum extent necessary so that this DPA shall otherwise remain in full force and effect.

17. Contact Information

For questions about this DPA or ClosedLoop AI's data processing practices, please contact us at:

Email: [email protected]