Data-Processing Agreement

Effective Date: May 1, 2025
Last updated January 01, 2026

This Data Processing Agreement ("DPA") forms part of the Agreement between you ("Customer," "you," or "your") and Inquio LLC, a Delaware limited liability company with its principal office at 8 The Green, Suite A, Dover, Delaware 19901 ("Inquio," "we," "us," or "our"), as established by the Terms of Use or an individually negotiated Order Form (the "Agreement").

This DPA sets out the terms under which Inquio processes personal data on your behalf in connection with the Inquio Platform ("Platform"). By accepting the Terms of Use or executing an Order Form, you acknowledge and agree to this DPA. If you have negotiated separate data processing terms with us in writing, those terms will prevail over this DPA to the extent of any conflict.

Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms of Use or the applicable Order Form.

1. Purpose and Scope

1.1 Our Relationship

We have entered into an Agreement under which we provide you with access to the Platform. In connection with the Platform, we may process personal data belonging to your employees, representatives, contractors, and other authorized personnel (collectively, "Personnel"), as well as personal data belonging to your customers or other third parties whose data is uploaded to the Platform ("End Users").

1.2 What This DPA Covers

This DPA serves as the data processing agreement required under Article 28 of the EU General Data Protection Regulation ("GDPR"), and as a service provider agreement under applicable U.S. state privacy laws, including without limitation the California Consumer Privacy Act as amended by the CPRA ("CCPA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), and other comparable state laws (collectively with the GDPR, "Data Protection Laws").

1.3 Roles

You are the data controller (or "business" under applicable U.S. state privacy law) and we are the data processor (or "service provider"). If you are yourself a processor acting on behalf of another controller, we act as a sub-processor. In either case, we process personal data only on your behalf and in accordance with your documented instructions, this DPA, and the Agreement.

1.4 When We Act as a Controller

With respect to certain personal data relating to you or your Personnel (e.g., account registration data, billing information), we may act as an independent data controller. Our processing of such data is described in our Privacy Policy, available on the Website.

1.5 Your Instructions

By entering into this DPA, you instruct us to process personal data as described herein. Your primary instructions consist of this DPA, the Terms of Use, the Agreement, and the actions you and your Personnel take within the Platform. If you wish to provide additional processing instructions, you must do so in writing to info@inquio.ai. If we determine that an instruction violates applicable Data Protection Laws, we will promptly notify you. If you do not withdraw or correct the instruction, we may terminate the Agreement.

2. Personal Data We Process

2.1 Personnel Data

In the course of providing the Platform, we process personal data of your Personnel. You may provide this data to us in the following ways:

(a) Through your Personnel's use of the Platform, including account creation and login

(b) By storing information about Personnel within the Platform

2.2 Categories of Personnel Data

We process only the personal data you provide to us. This typically includes:

(a) Identification data (e.g., name)

(b) Contact data (e.g., email address, phone number)

(c) Login credentials (e.g., username, password)

(d) Employment and role information (e.g., job title, role assignment, relationship to your organization)

(e) Any additional data you or your Personnel provide through the Platform or in communications with us

2.3 Purpose of Processing Personnel Data

We process Personnel data to enable you to provide your Personnel with access to and use of the Platform in accordance with the Agreement.

2.4 End User Data

In addition to Personnel data, we process personal data of your End Users that you upload to the Platform. The specific data depends on what you choose to upload. It may typically include:

(a) Identification data (e.g., name, alias, company name, identification number)

(b) Contact data (e.g., email address, phone number)

(c) Address data

(d) Business-relevant data (e.g., services provided, order status, reference numbers)

(e) Billing and financial data (e.g., bank details, payment records)

(f) Communication records (e.g., chatbot conversation transcripts)

2.5 Purpose of Processing End User Data

We process End User data to provide you with the services described in the Agreement, including chatbot quality analysis and insights.

2.6 Sensitive Data

We do not intentionally process sensitive personal data (as defined under GDPR Article 9 or equivalent categories under U.S. state privacy laws). You are responsible for ensuring that data uploaded to the Platform does not contain sensitive personal data unless you have obtained appropriate consent or have another lawful basis for processing, and you have notified us in advance.

3. How We Process Personal Data

3.1 Nature of Processing

The processing activities we perform on your behalf may include collecting, recording, storing, organizing, structuring, retrieving, using, transmitting, and erasing personal data, whether by automated or manual means, as necessary to fulfill the Agreement.

3.2 Your Responsibilities

You are responsible for ensuring that the personal data you provide to us has been collected and is being processed in compliance with applicable Data Protection Laws, including obtaining any necessary consents or establishing any required legal basis. Do not provide us with personal data that does not meet these requirements. You determine what personal data we process, for how long, and for what purpose, primarily through your use of the Platform.

3.3 Our Responsibilities

We are responsible for processing personal data in accordance with this DPA, your documented instructions, and applicable Data Protection Laws.

3.4 U.S. State Privacy Law Commitments

To the extent we process personal data subject to U.S. state privacy laws as a service provider, we will:

(a) Not sell or share (as those terms are defined under the CCPA) the personal data we process on your behalf

(b) Not process the personal data for any purpose other than performing the services specified in the Agreement, unless otherwise permitted by applicable law

(c) Not combine the personal data we receive from or on behalf of you with personal data we receive from other sources, except as permitted by applicable Data Protection Laws

(d) Comply with all applicable obligations under U.S. state privacy laws and provide the same level of privacy protection as required by those laws

(e) Notify you if we determine that we can no longer meet our obligations under applicable U.S. state privacy laws

(f) Allow you, upon reasonable notice, to take reasonable and appropriate steps to ensure that we use your personal data in a manner consistent with your obligations under applicable Data Protection Laws

4. Data Retention, Security, and Sub-Processors

4.1 Retention Period

We process personal data of your Personnel and End Users for the duration of the Agreement, unless you delete the data from the Platform earlier, in which case we will cease processing without undue delay.

4.2 Post-Termination

You may download your data in a machine-readable format within 15 days after the Agreement ends. We will delete all personal data from the Platform and all storage systems within 90 days following the end of the processing period, unless applicable law requires or permits us to retain certain data (e.g., for legal compliance or legitimate interest purposes).

4.3 Data Storage Location

All personal data is stored on servers located in the United States and/or the European Union. If data is transferred from the EU/EEA to the United States, we rely on applicable transfer mechanisms, including the EU-U.S. Data Privacy Framework (where applicable) or Standard Contractual Clauses.

4.4 Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized or accidental access, alteration, destruction, loss, unauthorized transfer, or other misuse. These measures include, at a minimum:

(a) Secure storage systems with access restricted to authorized personnel on a need-to-know basis

(b) Secured access to administrative interfaces and databases

(c) Use of software and services that meet industry-standard data security requirements

(d) No copying of personal data databases without your prior consent, except for necessary technical backups

(e) Appropriate encryption and other safeguards tailored to the nature and sensitivity of the data

(f) No third-party access to personal data without your written consent or as otherwise permitted under the Agreement

(g) Processing personal data only in the form in which it was provided to us

(h) Processing personal data only for the purposes specified in this DPA and only to the extent necessary to fulfill those purposes

4.5 Sub-Processors

We may engage third-party sub-processors ("Sub-Processors") to assist in providing the Platform. Sub-Processors include our independent contractors who participate in service delivery, as well as infrastructure, cloud, and software vendors who may have access to personal data. You grant us general authorization to engage Sub-Processors, subject to the following conditions:

(a) We will inform you of any changes to our Sub-Processors, including the addition or replacement of a Sub-Processor

(b) You may object to a new Sub-Processor within 14 days of being notified. Objections must not be unreasonable

(c) We will impose on each Sub-Processor data protection obligations no less protective than those set forth in this DPA

As of the effective date of this DPA, our Sub-Processors are:

(a) OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland (Company No. 737350)

(b) Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, United States

(c) Amazon Web Services, Inc., 410 Terry Ave. N., Seattle, WA 98109, United States

4.6 Sub-Processor Obligations

We will contractually require each Sub-Processor to comply with data protection obligations at least equivalent to those in this DPA, including compliance with applicable Data Protection Laws and implementation of adequate security measures.

5. Our Obligations to You

5.1 Assistance with Compliance

We will assist you in fulfilling your obligations under Articles 32 through 36 of the GDPR (and equivalent obligations under U.S. state privacy laws), including obligations related to data security, data protection impact assessments, and regulatory consultations, taking into account the information available to us.

5.2 Data Subject and Consumer Requests

If we receive a request from one of your Personnel or End Users exercising rights under applicable Data Protection Laws (e.g., access, deletion, correction, portability, or opt-out requests), we will promptly forward the request to you for resolution.

5.3 Confidentiality

We will maintain the confidentiality of all personal data and will not use or disclose it beyond what is necessary to perform the Agreement and comply with this DPA. Our employees and contractors who handle personal data are trained in data protection practices and are bound by confidentiality obligations consistent with Article 32 of the GDPR.

5.4 Audits

Upon your written request, we will provide information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and this DPA. We will permit you (or a qualified third-party auditor designated by you) to conduct an audit of our data processing practices, subject to the following conditions:

(a) Audits may be conducted no more than once every two years

(b) You must provide at least 30 days' prior written notice

(c) We may propose an alternative date no more than 30 days after your initially proposed date

(d) Audit costs are borne by you

(e) You (and any third-party auditor) must maintain confidentiality regarding all information obtained during the audit, including our security policies and standards

5.5 Security Incident Notification

If we become aware of a security incident involving personal data processed on your behalf, we will notify you without undue delay. The notification will include, to the extent available, a description of the nature of the incident, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed to address the incident.

6. General Provisions

6.1 Changes to This DPA

We may update this DPA from time to time. We will notify you of any material changes in advance. If you believe a change violates applicable Data Protection Laws, you may notify us and we will make the necessary corrections. You may reject any change that would reduce the level of data protection below what is required by applicable law.

6.2 Governing Law

This DPA is governed by the same law that governs the Agreement (the laws of the State of Delaware), except to the extent that mandatory provisions of the GDPR or applicable U.S. state privacy laws require otherwise.

6.3 Conflict

In the event of any conflict between this DPA and the Terms of Use or an Order Form regarding the processing of personal data, this DPA will prevail.

6.4 Effective Date

This DPA takes effect upon your acceptance of the Terms of Use or execution of an Order Form. If we are providing services to you prior to that date, we will comply with this DPA from the start of those services.