Schedule D - DPA

Version: 1 April 2024


DPA WILL APPLY ACCORDING TO THE RULES STATED HEREIN AND MAY BEAR SOME CHANGES DEPENDING ON THE SERVICE.

ANNEX 1 TO BE COMPLETED WITH CUSTOMER ASSISTANCE

Schedule D - SAAS PRODUCTS DATA PROCESSING ADDENDUM

This Data Processing Addendum (the “Addendum”) forms part of the Artificial Solutions (“AS”) SaaS Agreement (the “Agreement”) by and between Customer and the applicable AS Entity from which Customer is acquiring a SaaS Enterprise or SaaS Pro license. This Addendum will be effective as of the date (“Effective Date”) both Artificial Solutions and the Customer have signed the signature block below.

This Addendum will apply to the Processing of Dialogue Data in SaaS Products that contains End User Personal Data and is therefore considered Dialogue Data with Personal Identifiable Information (“DDPII”). The categories of Data Subjects of DDPII shall be defined by the Customer in Annex 1 of this Addendum.

For the avoidance of doubt, for the purposes of this Addendum, the term Personal Data refers only to DDPII.

I. EFFECTIVENESS

A. Any change to this Addendum should be approved by both parties in writing.
B. This Addendum will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this Addendum.

II. DATA PROCESSING TERMS

The parties agree:

1. Definitions

1.1 The terms below shall have the following meanings:

“Artificial Solutions”, “AS”, “we”, “us”, “our”, “Teneo.ai” means the applicable AS Entity with whom the Customer has a valid Order Form for SaaS Products.

“SaaS Enterprise” means the Teneo.ai Software as a Service product offered by Artificial Solutions under the “Enterprise” license.

“SaaS Pro” means the Teneo.ai Software as a Service product offered by Artificial Solutions under the “Pro” license.

“SaaS Products” means, for the purpose of this Addendum, the Teneo.ai Software as a Service, under any of the SaaS Enterprise or SaaS Pro licenses.

“AS Entities”, “AS Entity” means the Entity with whom the Customer has a valid offer and any of the Artificial Solutions entities listed in Annex 3 (as may be updated from time to time).

“Controller” means the entity which determines the purposes and means of the Processing of Dialogue Data with Personal Identifiable Information (DDPII).

“Customer”, “you”, “your” means, in the case of an individual accepting this Agreement on behalf of a company or other legal entity, the company or other legal entity for which such individual is accepting the Agreement.

“Dialogue Data” means session logs generated from a published Customer Solution in AS SaaS. Dialogue Data might contain End User Personal Data and thus be considered Dialogue Data with Personal Identifiable Information (DDPII).

“Customer Solution” means instructions, programming code, scripts, flows, integrations, listeners, program or code libraries, decision rules and similar programmatic parts that the Customer executes in some form in the AS SaaS through its development environment, runtime or embedded services. The Customer Solution consists of a) the code, flows and instruction parts of the solution (“Customer Code”) and b) the language rules and training data (“Customer Training Data”).

“Data Subject”, “Personal Data”, “Processing” and “Appropriate Technical and Organizational Measures” as used in this Addendum shall have the meanings given in the GDPR irrespective of whether GDPR applies.

“End Users” means an individual (“the Customer’s customer”) interacting with a published Customer Solution in AS SaaS, for example by chatting or speaking with a bot that the Customer has built, deployed and made available to the End User using AS SaaS.

“Europe” means, for the purposes of this Addendum, the member states of the European Economic Area, Switzerland and the United Kingdom.

“European Data Protection Law” (or “Data Protection Law”) means any data protection and privacy laws of Europe applicable to the Processing of the Dialogue Data in question by AS under this Addendum, including where applicable (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the Processing of personal data and the protection of privacy in the electronic communications sector; (iii) any applicable national implementations of (i) and/or (ii); and (iv) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts into domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; in each case as may be amended, superseded or replaced from time to time.

“Instructions” means the instructions issued by a Controller to a Processor directing the latter to perform a specific or general action regarding DDPII (including, but not limited to, depersonalizing, blocking, deletion, making available).

“DDPII Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, DDPII transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services. “DDPII Breach” will not include unsuccessful attempts or activities that do not compromise the security of DDPII, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Processor” means the entity which processes Dialogue Data with Personal Identifiable Information (DDPII) on behalf of the Controller.

“Processing” means any operation which is performed on DDPII, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of DDPII. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Sub-Processor” means any Processor engaged by AS or our Affiliates to assist in fulfilling our obligations with respect to the provision of the SaaS Products under the Agreement.

2. Scope of the Data Protection Law

2.1 The parties acknowledge that European Data Protection Law will only apply to DDPII that is covered by the territorial scope of European Data Protection Law.

3. Customer Responsibilities Towards Processing of DDPII

3.1 The Customer shall be the Controller and Artificial Solutions shall be the Processor in respect of DDPII processed by Artificial Solutions on the Customer’s behalf in performing its obligations under this Agreement.

3.2 The Customer shall be solely responsible for determining the purposes (and means) for which and the manner in which DDPII is, or is to be, processed, and shall be responsible for complying with all requirements that apply to you under applicable Data Protection Laws with respect to your Processing of DDPII and the Instructions you issue to us.

4. Artificial Solutions Obligations towards Processing of DDPII

4.1 Where Artificial Solutions processes DDPII on behalf of the Customer, Artificial Solutions shall, in respect of such DDPII:

  • 4.1.1 Act only on Instructions from the Customer and shall comply promptly with all such Instructions received from the Customer from time to time regarding the Processing of DDPII. If applicable law requires Artificial Solutions to process the DDPII for any other purpose, Artificial Solutions will inform the Customer of this requirement first, unless such law(s) prohibit this on important grounds of public interest. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us. If you need us to comply with them in order to be able to use SaaS Products, please contact our DPO.
  • 4.1.2 Immediately notify the Customer if, in Artificial Solutions’ opinion, any instruction or direction from the Customer infringes Data Protection Law. Artificial Solutions shall not be required to comply with such an instruction or direction in relation to the Processing of DDPII, except to the extent the Customer withdraws or amends such direction or instruction.
  • 4.1.3 Not process DDPII for any purpose other than for the provision of AS SaaS to the Customer and only to the extent reasonably necessary for the performance of the Agreement, including this Addendum.
  • 4.1.4 Ensure that persons authorized to process the DDPII have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
  • 4.1.5 Implement Appropriate Technical and Organizational Measures (i) to protect the security and confidentiality of DDPII processed by it in providing the Services and (ii) to protect DDPII against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, access, or Processing, in each case as required under Data Protection Laws to ensure a level of security appropriate to the risk. At the same time, the Customer acknowledges that it has understood the technical limitations of the services and has itself determined that the procured services are adequate for Processing DDPII. The Customer acknowledges that the security measures set out in Annex 2 of this Addendum are sufficient and appropriate for the protection of the DDPII.

4.2 Artificial Solutions shall notify the Customer promptly and without undue delay after becoming aware of any accidental, unlawful or unauthorized destruction, loss, alteration, access to, disclosure of or Processing of DDPII (“DDPII Breach”). Such notice shall include reasonable details of the Incident which are known to Artificial Solutions at the time, including without limitation, where possible: (i) a description of the Incident; (ii) likely consequences of the Incident; (iii) the number of data subjects affected, number of records affected and the types of records affected; and (iv) the measures taken or proposed to be taken to address the Incident, including measures to mitigate possible adverse effects of the Incident.

4.3 To the extent required under Data Protection Laws and in relation to Artificial Solutions’ Processing of DDPII under this Addendum, Artificial Solutions will promptly inform the Customer and shall provide the Customer with reasonable assistance to facilitate the Customer’s compliance with the Customer’s obligations under Articles 35 and 36 of GDPR in relation to the preparation of data protection impact assessments and consulting with any supervisory authority if such a data protection impact assessment indicates that such Processing would result in high risk in the absence of measures taken by the Customer to mitigate the risk.

4.4 To the extent required under Data Protection Laws and in relation to Artificial Solutions’ Processing of DDPII under this Addendum, Artificial Solutions shall provide the Customer with reasonable assistance to facilitate the Customer’s compliance with the Customer’s obligations to respond to data subject rights requests under Data Protection Laws by providing the Customer with documentation, product functionality, or processes to assist the Customer in retrieving, correcting, deleting or restricting DDPII.

4.5 Artificial Solutions shall, on the condition that the Customer has entered into an appropriate non-disclosure agreement with Artificial Solutions:

  • Allow the Customer and the Customer’s authorized representatives to access and review available up-to-date attestations, certifications, reports or extracts thereof from independent bodies (e.g., external auditors, internal audit, data protection auditors) or other suitable certifications to verify compliance with the terms of this Addendum; or
  • Where required by Data Protection Law, allow the Customer and authorized representatives to conduct audits (including inspections), at the Customer’s sole expense, if any, during the term of the Agreement to verify compliance with the terms of this Addendum. Notwithstanding the foregoing, any audit must be conducted during Artificial Solutions’ regular business hours, with reasonable advance notice to Artificial Solutions and subject to reasonable confidentiality procedures. The scope of any audit shall not require us to disclose to the Customer or the Customer’s authorized representatives, or to allow the Customer or the Customer’s authorized representatives to access:
    1. any data or information of any other Artificial Solutions’ customer,
    2. any Artificial Solutions internal accounting or financial information,
    3. any Artificial Solutions trade secret,
    4. any information that, in Artificial Solutions’ reasonable opinion could: 1) compromise the security of Artificial Solutions systems or premises or 2) cause us to breach Artificial Solutions’ obligations under Data Protection Laws or Artificial Solutions security, confidentiality and / or privacy obligations to any other Artificial Solutions customer or any third party,
    5. any information that the Customer or the Customer’s authorized representatives seek to access for any reason other than the good faith verification by the Customer of our compliance with the terms of this Addendum.
    In addition, any such audits shall be limited to once per year, unless 1) Artificial Solutions have experienced an Incident within the prior twelve (12) months which has impacted the Customer’s DDPII or 2) an audit reveals a material noncompliance with the obligations set out in this Addendum. If Artificial Solutions decline or are unable to follow the Customer’s instructions regarding audits permitted under this Section 3.7, the Customer is entitled to terminate this Addendum and the Agreement for convenience on written notice.

4.6 Artificial Solutions shall not engage any sub-processor to process any DDPII under this Addendum without the Customer’s prior written consent. The Customer provides general consent to Artificial Solutions’ appointment of the Artificial Solutions affiliates and applicable third-party sub-processors listed under Annex 3. Artificial Solutions may update the list of approved sub-processors, at which point the Customer will have the opportunity to object within forty-five (45) days of any such update to the list of sub-processors by terminating the Agreement for convenience on written notice. When engaging sub-processors in the Processing of DDPII, Artificial Solutions are responsible for the performance of each sub-processor. Artificial Solutions will include in the agreement with any such third-party sub-processor terms for the protection of DDPII as required by applicable Data Protection Law.

4.7 No DDPII processed by Artificial Solutions pursuant to this Agreement shall be exported outside the United Kingdom or European Economic Area without the prior explicit instruction from the Customer.

4.8 On termination or expiry of this Agreement, at the Customer’s request, Artificial Solutions shall delete or return to the Customer all DDPII processed on behalf of the Customer, and Artificial Solutions shall delete existing copies of such DDPII except where retaining such DDPII is strictly necessary for the purposes of compliance with applicable law.

5. Miscellaneous

5.1 Artificial Solutions shall not retain, use, sell or otherwise disclose DDPII other than as required by law or as needed to provide and support SaaS Products, as set forth in the Agreement.

5.2 Each party acknowledges that the other party may disclose this Addendum and any relevant privacy provisions in the Agreement to any relevant regulator or judicial body.

6. Conflict

6.1 If there is a conflict between this Addendum and any supplementary terms agreed between the parties, this Addendum will govern.

7. Survival

7.1 This Addendum shall survive the termination or expiry of any supplementary terms to the extent that Artificial Solutions continues to process DDPII on behalf of the Customer.

8. Notices

8.1 All notices must be in (electronic) writing and addressed to the attention of the other party’s primary contact. Notice will be deemed given upon receipt if verifiable by trusted logs or receipts (electronic or otherwise) to the last provided contact information. Each party is responsible for keeping the other informed of changes to its contact information.

9. Waiver

9.1 Failure to enforce any provision of this Addendum will not constitute a waiver.

10. Severability

10.1 If any provision of this Addendum is found unenforceable, the balance of this Addendum will remain in full force and effect.

11. Entire Agreement

11.1 This Addendum (including any document incorporated herein by reference) is the entire agreement between the parties on the topic of Processing of DDPII and supersedes all prior agreements between the parties on this subject matter.

12. Governing Law

12.1 The construction, validity and performance of this Agreement and all non-contractual obligations arising from or connected with this Agreement shall be governed by Swedish law and the parties hereby submit irrevocably to the exclusive jurisdiction of the Swedish courts to resolve any dispute between them.

Annex 1 – Data Protection Schedule

Nature and Purpose of Processing

We will process DDPII as necessary to provide the SaaS Products pursuant to: (i) the Agreement, as further specified in the applicable Order Form, and (ii) your instructions, depending on your use of the Services.

Duration of Processing

SaaS Enterprise has a default retention time of 12 weeks, with a maximum eligible retention time of 52 weeks.

SaaS Pro has a fixed retention time of 2 weeks.

Categories of data subjects

The DDPII concerns End Users of AS SaaS, in addition to individuals whose DDPII is supplied by End Users of AS SaaS.

Categories of DDPII

The DDPII processed may include the following categories of data:

  • Direct identifying information (e.g., name, email address, telephone).
  • Indirect identifying information (e.g., job title, gender, date of birth).
  • Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).
  • Any DDPII supplied by End Users of AS SaaS or supplied by the Customer by implementation and execution of the Customer Solution.

Subject matter, nature and purposes of processing

The DDPII is processed for the purposes of providing SaaS Products in accordance with the Agreement.

Annex 2 - Security Measures for protecting Artificial Solutions’ Information

2.a. Security Measures included for SaaS Enterprise
Area
Sub-area and Security Measures
Physical Access Control
System Access Control
  • Dedicated Customer Clusters
  • Two-factor for all Operational Access
  • Least Privilege principle to Identity & Policy Control
  • Unique Personal identifiers
  • Secure Passwords
  • Separate user ID for privileged access
  • Automatic Access Lock & Deactivation
  • Network Segmentation
  • Firewalls
  • Secure Management of Certificates & Tokens
  • Security Training for Operational Resources
  • Enhanced Security on devices with access to Operational environments
  • Workplace restrictions for Operational Access
Data Access Control
  • Customer Solution and Dialogue Data only in Dedicated Customer Cluster or Encrypted Backup.
  • Operational Resources L1/L2 never access Dialogue Data (organizational measure)
  • Operational Resources L3+ only access Dialogue Data after Client Approval (organizational measure)
  • Privileged Rights required for Operational Access
  • Data Residency always Cloud Region EU/EEA
  • Operational Access only from EU/EEA/UK
  • GDPR training for all internal users.
  • Customer can apply pseudonymization/sanitization algorithms to Dialogue Data before logging/storing in cloud
  • Data Encryption at rest
  • Data Retention times for Dialogue Data based on Change Request. There is a default retention time of 12 weeks with a maximum time eligible of 52 weeks.
  • Confidential Compute endpoints for encryption in use (availability per cloud region). Only in SaaS Enterprise.
Transmission Control
  • Artificial Solutions offer transfer of data via HTTPS endpoints
  • All traffic in transfer between Artificial Solutions endpoints and Customer is encrypted in accordance with Artificial Solutions Cryptography manual
  • Artificial Solutions endpoints require authentication for data access
  • TLS Data Encryption in transit over public/shared networks
  • VPN/Encrypted Bastion host connection for Operational Access
Process Control
  • ISO-based Information Security Management System (ISMS) with three mandatory levels: Policy, Instruction and Guideline
  • Strict Programmatic Procedures for Commission/De-commission of Customer Environments
  • Strict Operating Manuals
  • Strict Runbooks for Operational duties L1/L2
  • Risk Management Process
  • Change Management Process for Customer Environments
  • Separation of Development & Production Tenants
  • Compliance roadmap
  • L1/L2 team in ISO 270001 Certified Organization
  • Task segregation
Availability Control
  • 24/7 Monitoring & Management
  • Daily Backups across two cloud regions, in each of the regions’ three availability zones.
  • Business Continuity Management Plan
  • Restore Procedures
  • Auto-scaling Prod Endpoints
Security & Vulnerability Controls
  • Binding Guidelines for Secure Software Development
  • Common Vulnerabilities and Exposure (CVE) Process
  • Static Application Security Testing
  • Dynamic Application Security Testing
  • Vulnerability & Malicious Code Scanning
  • Peer Security & Risk Assessment Analysis before release to Production
  • Release Restrictions of only verified Components in Production Environments – “Don’t break the seal” approach
  • Environment Hardening – based on CIS where applicable
  • Penetration Testing
  • POD images scanned for vulnerabilities / malicious code
  • SIEM
  • Development Suite Access Logs
  • Environment Access Logs
  • Cloud Component Upgrades & Security Patching according to Vendor Specifications
  • Monthly Operational Reviews
  • Security Incident Management Process
Audit Logging
  • Logged events include but are not limited to: unsuccessful authentication and access attempts against systems, networks and network devices, authorized and unauthorized user access to the systems, networks and network devices, administration events and use of privileged administration accounts, changes in configuration parameters of systems, networks and network devices, running errors in systems and networks, authorized and unauthorized access to communications networks, traffic which has been disallowed or rejected by firewalls and network devices, changes in access privileges: user registration, deregistration and modification, changes in roles, etc., changes in security systems, such as activation/deactivation or changes in antimalware scanner configuration, access to the source code of the developed systems, activation/deactivation or changes in the configuration of the mechanisms generating audit logs, modification or deletion of audit log data.
  • Access to audit logs and the control mechanisms which generate the logs is only granted to authorized individuals.
  • Audit logs are stored using tamper proof methods in order to guarantee log integrity and prevent unauthorized manipulation or deletion of audit log data.

2.b. Security Measures included for SaaS Pro
Area
Sub-area and Security Measures
Physical Access Control
System Access Control
  • Dedicated Customer Clusters - Only for SaaS Enterprise
  • Two-factor for all Operational Access
  • Least Privilege principle to Identity & Policy Control
  • Unique Personal identifiers
  • Secure Passwords
  • Separate user ID for privileged access
  • Automatic Access Lock & Deactivation
  • Network Segmentation
  • Firewalls
  • Secure Management of Certificates & Tokens
  • Security Training for Operational Resources
  • Enhanced Security on devices with access to Operational environments
  • Workplace restrictions for Operational Access
Data Access Control
  • Customer Solution and Dialogue data in shared Customer Cluster or Encrypted backup.
  • Operational Resources L1/L2 never access Dialogue Data (organizational measure)
  • Operational Resources L3+ only access Dialogue Data after Client Approval (organizational measure)
  • Privileged Rights required for Operational Access
  • Data Residency always Cloud Region EU/EEA
  • Operational Access only from EU/EEA/UK
  • GDPR training for all internal users.
  • Customer can apply pseudonymization/sanitization algorithms to Dialogue Data before logging/storing in cloud
  • Data Encryption at rest
  • Data Retention times for Dialogue Data are fixed to two weeks.
Transmission Control
  • Artificial Solutions offer transfer of data via HTTPS endpoints
  • All traffic in transfer between Artificial Solutions endpoints and Customer is encrypted in accordance with Artificial Solutions Cryptography manual
  • Artificial Solutions endpoints require authentication for data access
  • TLS Data Encryption in transit over public/shared networks
  • VPN/Encrypted Bastion host connection for Operational Access
Process Control
  • ISO-based Information Security Management System (ISMS) with three mandatory levels: Policy, Instruction and Guideline
  • Strict Programmatic Procedures for Commission/De-commission of Customer Environments
  • Strict Operating Manuals
  • Strict Runbooks for Operational duties L1/L2
  • Risk Management Process
  • Change Management Process for Customer Environments
  • Separation of Development & Production Tenants
  • Compliance roadmap
  • L1/L2 team in ISO 270001 Certified Organization
  • Task segregation
Availability Control
  • 24/7 Monitoring & Management
  • Daily Backups across two cloud regions in each of the regions. Three availability zones for SaaS Enterprise.
  • Business Continuity Management Plan
  • Restore Procedures
  • Auto-scaling Prod Endpoints
Security & Vulnerability Controls
  • Binding Guidelines for Secure Software Development
  • Common Vulnerabilities and Exposure (CVE) Process
  • Static Application Security Testing
  • Dynamic Application Security Testing
  • Vulnerability & Malicious Code Scanning
  • Peer Security & Risk Assessment Analysis before release to Production
  • Release Restrictions of only verified Components in Production Environments – “Don’t break the seal” approach
  • Environment Hardening – based on CIS where applicable
  • Penetration Testing
  • POD images scanned for vulnerabilities / malicious code
  • SIEM
  • Development Suite Access Logs
  • Environment Access Logs
  • Cloud Component Upgrades & Security Patching according to Vendor Specifications
  • Monthly Operational Reviews
  • Security Incident Management Process
Audit Logging
  • Logged events include but are not limited to: unsuccessful authentication and access attempts against systems, networks and network devices, authorized and unauthorized user access to the systems, networks and network devices, administration events and use of privileged administration accounts, changes in configuration parameters of systems, networks and network devices, running errors in systems and networks, authorized and unauthorized access to communications networks, traffic which has been disallowed or rejected by firewalls and network devices, changes in access privileges: user registration, deregistration and modification, changes in roles, etc., changes in security systems, such as activation/deactivation or changes in antimalware scanner configuration, access to the source code of the developed systems, activation/deactivation or changes in the configuration of the mechanisms generating audit logs, modification or deletion of audit log data.
  • Access to audit logs and the control mechanisms which generate the logs is only granted to authorized individuals.
  • Audit logs are stored using tamper proof methods in order to guarantee log integrity and prevent unauthorized manipulation or deletion of audit log data.

Annex 3 – Artificial Solutions’ Sub-processors

Annex 3.a. - SaaS Enterprise Sub-processors’ information

Artificial Solutions’ Entities acting as joint processors.

| NAME | ACTUAL LOCATION OF THE PROCESSING | PURPOSE OF PROCESSING |
| --- | --- | --- |
| Artificial Solutions International AB (HQ) | Sweden | Delivery of SaaS Products |
| Artificial Solutions Scandinavia AB | Sweden | Delivery of SaaS Products |
| Artificial Solutions Iberia, S. L. | Spain | Delivery of SaaS Products |
| Artificial Solutions B.V. | Netherlands | Delivery of SaaS Products |

Sub-Processors

| NAME | ACTUAL LOCATION OF THE PROCESSING | PURPOSE OF PROCESSING |
| --- | --- | --- |
| Orange Business Services AS (former Basefarm AS) | Norway | Azure Cloud management services |
| Orange Business Services AB (former Basefarm AB) | Sweden | Azure Cloud management services |
| Orange Business Services B.V. (Basefarm – Part of Log*In Consultants Nederland B.V) | Netherlands | Azure Cloud management services |
| Microsoft Corporation | Europe North | Azure Services Database storage in Azure Cloud |

Annex 3.b. - SaaS Pro Sub-processors’ information

Artificial Solutions’ Entities acting as joint processors.

| NAME | ACTUAL LOCATION OF THE PROCESSING | PURPOSE OF PROCESSING |
| --- | --- | --- |
| Artificial Solutions International AB (HQ) | Sweden | Delivery of SaaS Products |
| Artificial Solutions Scandinavia AB | Sweden | Delivery of SaaS Products |
| Artificial Solutions Iberia, S. L. | Spain | Delivery of SaaS Products |
| Artificial Solutions B.V. | Netherlands | Delivery of SaaS Products |

Sub-Processors

| NAME | ACTUAL LOCATION OF THE PROCESSING | PURPOSE OF PROCESSING |
| --- | --- | --- |
| Orange Business Services AS (former Basefarm AS) | Norway | Azure Cloud management services |
| Orange Business Services AB (former Basefarm AB) | Sweden | Azure Cloud management services |
| Orange Business Services B.V. (Basefarm – Part of Log*In Consultants Nederland B.V) | Netherlands | Azure Cloud management services |
| Microsoft Corporation | Europe North | Azure Services Database storage in Azure Cloud |