Data Processing Addendum

Parties

This DPA is between you (“Customer”) and Notika AI (d/b/a Dreamlit AI) (“Dreamlit”). When Dreamlit processes Customer personal data on your behalf, you act as the controller (or processor) and Dreamlit acts as a processor.

Purpose and scope

This DPA defines the terms, conditions, and obligations of each party regarding the processing of Customer personal data under applicable data protection laws (including GDPR, where applicable).

Definitions

• Customer personal data: personal data that Dreamlit processes on behalf of Customer in connection with the services.
• Data protection laws: GDPR and other applicable privacy/data protection laws as they apply to the processing of Customer personal data.
• SCCs: the Standard Contractual Clauses for international transfers (when required), as described below.

Nature, purpose, and duration of processing

• Nature: processing personal data electronically to provide the service.
• Purpose: operating email workflow automation, troubleshooting, and customer support.
• Duration: for the term of the services (unless otherwise agreed in writing).
• Typical personal data: names, email addresses, identifiers, and other data the Customer supplies for configuring or sending emails.
• Data subjects: end users, customers, employees, and other individuals whose data the Customer uploads or references.

Instructions

Dreamlit will process personal data only to provide the services and in accordance with Customer’s documented instructions, unless otherwise required by law.

Security measures

Dreamlit maintains technical and organizational measures designed to protect Customer personal data, including (as appropriate): encryption in transit and at rest, access controls and least-privilege practices, monitoring and logging, and incident response procedures.

Subprocessors

Dreamlit may engage subprocessors to help provide the services. We maintain a list at /subprocessors. Subprocessors are required to be bound by data protection obligations consistent with this DPA.

We will provide at least fourteen (14) days’ notice before adding or replacing a subprocessor that processes Customer personal data by updating the list and (where possible) notifying the primary account owner. If you reasonably object, you may contact [email protected] and we’ll work with you on a commercially reasonable alternative. If no alternative is available, you may stop using the affected feature or terminate the services.

Assistance with data subject rights

Dreamlit will provide reasonable assistance to help the Customer respond to data subject requests (e.g., access, rectification, deletion, restriction, portability) relating to Dreamlit’s processing activities. If Dreamlit receives a request directly, Dreamlit will (where appropriate) direct the requestor to Customer.

Personal data breach notification

Dreamlit will notify Customer without undue delay after becoming aware of a personal data breach involving personal data processed under this DPA.

Audits and questionnaires

Upon request, Dreamlit will make available information reasonably necessary to demonstrate compliance with this DPA, including responding to security or GDPR questionnaires. Where required by law, Customer may audit Dreamlit’s compliance on reasonable notice and no more than once per year, subject to reasonable confidentiality and scope limits.

International transfers (SCCs)

Dreamlit and its subprocessors may process Customer personal data outside the EEA/UK. Where required for international transfers, Dreamlit will enter into Standard Contractual Clauses with Customer (including the EU SCCs (Commission Decision 2021/914) and the UK Addendum, as applicable). If you need an executed copy of SCCs for your compliance review, email [email protected].

Return or deletion of data

Following termination of the services, Dreamlit will, at the Customer’s choice, return or securely delete personal data within a reasonable period, unless applicable law requires continued retention.

Dreamlit retains Customer personal data for up to one (1) year (for example, workflow execution history and delivery events) unless Customer requests deletion sooner or longer retention is required by law. Customer may request deletion at any time by contacting [email protected].

Order of precedence

If this DPA (or any SCCs) conflicts with the Terms of Service, the following order will apply: (1) SCCs (if applicable), (2) this DPA, then (3) the Terms of Service.

Contact

Questions about this DPA? Email [email protected].