Data Processing Addendum (DPA)

Last Updated: April 14th, 2025


This Data Processing Addendum ("DPA") forms part of the agreement between ScriptEngine, Inc. (dba Squid, Inc.) ("Squid," "Processor") and the customer identified in the applicable Order Form or service agreement ("Customer," "Controller") (collectively, the "Parties" and each a "Party").


This DPA supplements and is incorporated into Squid's Terms of Service and any applicable Order Form. In the event of a conflict between this DPA and other agreements, this DPA shall control with respect to data processing matters.

1. DEFINITIONS


1.1 General Terms

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Squid on behalf of Customer in connection with the Services.

  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, analysis, use, disclosure, or deletion.

  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

  • "Services" means Squid's website analytics platform and related services as described in the applicable Order Form.

  • "Sub-processor" means any third party engaged by Squid to process Personal Data on behalf of Customer.


1.2 Regulatory Terms

  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.

  • "CCPA" means the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, California Civil Code §§ 1798.100 et seq.).

  • "Business" has the meaning ascribed to it in CCPA and refers to a legal entity that determines the purposes and means of processing Personal Data.

  • "Service Provider" has the meaning ascribed to it in CCPA and refers to a legal entity that processes Personal Data on behalf of a Business.

  • "Sell" and "Share" have the meanings ascribed to these terms in CCPA.

  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including GDPR, CCPA, and any other applicable international, federal, state, or local privacy laws.

2. SCOPE AND ROLES


2.1 Relationship of the Parties

Customer is the Controller (or "Business" under CCPA) of Personal Data processed through the Services. Squid is the Processor (or "Service Provider" under CCPA) and processes Personal Data only on behalf of and in accordance with Customer's documented instructions.


For purposes of CCPA, the Parties acknowledge and agree that Squid is a "Service Provider" as defined in CCPA and not a "Third Party," and that Squid receives Personal Data from Customer for a business purpose as defined in CCPA.


2.2 Customer Instructions

Squid will process Personal Data only in accordance with Customer's documented instructions, which include:


  • Instructions set forth in the applicable Order Form and Terms of Service;

  • Customer's configuration and use of the Services;

  • Any additional written instructions provided by Customer that Squid agrees to in writing.


Squid will notify Customer if, in Squid's opinion, an instruction violates Applicable Data Protection Law.


2.3 Prohibited Processing

Squid will not:


  • Sell or share Personal Data as those terms are defined under CCPA;

  • Retain, use, or disclose Personal Data except as necessary to provide the Services or as otherwise permitted by Applicable Data Protection Law;

  • Process Personal Data for any purpose other than the specific purpose of providing the Services;

  • Combine Personal Data received from Customer with Personal Data from other sources, except as necessary to provide the Services.


2.4 CCPA-Specific Commitments

With respect to Personal Data subject to the California Consumer Privacy Act (CCPA), Squid certifies that it:


(a) Will not "sell" or "share" Personal Data as those terms are defined in CCPA, regardless of whether CCPA applies to Squid's operations;

(b) Will not combine Personal Data received from or on behalf of Customer with Personal Data that Squid receives from or on behalf of another person or persons, or that Squid collects from its own interaction with consumers, except as necessary to provide the Services to Customer;

(c) Provides the same level of privacy protection for Personal Data as is required by CCPA;

(d) Will notify Customer within five (5) business days if Squid determines that it can no longer meet its obligations under CCPA with respect to Personal Data processed on behalf of Customer;

(e) Grants Customer the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Squid.

3. DATA SECURITY


3.1 Security Measures

Squid will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures include:

  • Encryption of Personal Data in transit and at rest where technically feasible;

  • Logical access controls and authentication mechanisms;

  • Regular security assessments and vulnerability testing;

  • Incident response and security monitoring procedures;

  • Employee confidentiality obligations and security training;

  • Physical security controls for data center facilities.


3.2 Security Documentation

Upon reasonable request and subject to confidentiality obligations, Squid will provide Customer with information reasonably necessary to demonstrate compliance with Squid's security obligations under this DPA.


3.3 Updates to Security Measures

Squid may update or modify its security measures from time to time, provided that such updates do not result in a material reduction in the level of security provided.

4. DATA BREACH NOTIFICATION


4.1 Notification Obligation

Squid will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Squid on behalf of Customer ("Data Breach").


4.2 Notification Content

Squid's notification will include, to the extent available:

  • A description of the nature of the Data Breach;

  • The categories and approximate number of Data Subjects affected;

  • The categories and approximate number of Personal Data records affected;

  • The likely consequences of the Data Breach;

  • Measures taken or proposed to address the Data Breach and mitigate its potential adverse effects.


4.3 Investigation and Remediation

Squid will reasonably cooperate with Customer in investigating and remediating any Data Breach, including providing information and assistance as reasonably requested by Customer.


4.4 No Third-Party Notification

Squid will not notify any third party (including Data Subjects, regulators, or other authorities) of a Data Breach without Customer's prior written consent, except as required by Applicable Data Protection Law.

5. SUB-PROCESSORS


5.1 Authorization

Customer authorizes Squid to engage Sub-processors to process Personal Data in connection with the Services. A current list of Sub-processors is available at https://asksquid.ai/subprocessors.


5.2 Sub-processor Requirements

Squid will:

  • Enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to those in this DPA;

  • Remain fully liable to Customer for any Sub-processor's failure to fulfill its data protection obligations.


5.3 Notice of Changes

Squid will provide Customer with reasonable advance notice (at least thirty (30) days) of the addition or replacement of any Sub-processor by updating the Sub-processor list at https://asksquid.ai/subprocessors and, where Customer has provided an email address, by email notification.


5.4 Objection Rights

Customer may object to a new Sub-processor on reasonable grounds relating to data protection by notifying Squid in writing within ten (10) business days of receiving notice. If Customer objects, the Parties will work together in good faith to find a commercially reasonable resolution. If no resolution can be found, Customer may terminate the affected Services without penalty.

6. DATA SUBJECT RIGHTS


6.1 Assistance Obligation

Squid will, to the extent legally permitted and taking into account the nature of the processing, reasonably assist Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights to:

  • Access, rectify, or delete Personal Data;

  • Restrict or object to processing;

  • Data portability;

  • Withdraw consent;

  • Opt out of sale or sharing (under CCPA).


6.2 Direct Requests

If Squid receives a direct request from a Data Subject, Squid will promptly inform Customer and will not respond to such request without Customer's prior written authorization, except as required by law.

For requests received through Squid's online privacy policy or public-facing channels, Squid will notify Customer within three (3) business days of receipt. For CCPA-related opt-out or deletion requests, Squid will forward such requests to Customer within five (5) business days and will comply with Customer's instructions regarding such requests.


6.3 Reasonable Charges

Squid may charge reasonable fees for assistance provided under this Section 6 that requires substantial effort beyond Squid's ordinary obligations under the Agreement.

7. DATA DELETION AND RETURN


7.1 Deletion Upon Termination

Upon termination or expiration of the Agreement, or upon Customer's written request, Squid will:

  • Delete or return all Personal Data in Squid's possession or control; and

  • Certify in writing that such deletion or return has been completed.


7.2 Exceptions

Squid may retain Personal Data to the extent required by Applicable Data Protection Law, provided that Squid will:

  • Maintain the confidentiality of such Personal Data;

  • Process such Personal Data only as required by law;

  • Limit retention to the minimum period required.


7.3 Retention During Subscription

During an active subscription, Squid will retain Personal Data in accordance with Customer's configuration of the Services and Squid's standard retention policies, which are designed to support the Services and comply with Applicable Data Protection Law.

8. DATA TRANSFERS


8.1 Data Storage and Processing

Personal Data may be stored and processed in the United States or any other country where Squid or its Sub-processors maintain facilities.


8.2 International Transfers

For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to countries not recognized as providing adequate data protection:

  • Squid will implement appropriate safeguards as required by Applicable Data Protection Law;

  • Upon request, Squid will enter into EU Standard Contractual Clauses or other approved transfer mechanisms.


8.3 UK and Swiss Transfers

Where applicable, this DPA and any Standard Contractual Clauses executed under this DPA shall be deemed amended to comply with UK and Swiss data protection laws, including the UK GDPR and Swiss Federal Act on Data Protection.

9. AUDITS AND COMPLIANCE


9.1 Audit Rights

Subject to reasonable advance written notice and appropriate confidentiality obligations, Customer may, no more than once per twelve (12) month period (or more frequently if required by Applicable Data Protection Law):

  • Inspect Squid's relevant records and documentation to verify compliance with this DPA; or

  • Request that Squid complete a security questionnaire or provide audit reports (such as SOC 2 Type II reports, if available).


9.2 Third-Party Audits

If Customer requires a physical audit of Squid's facilities or systems, Customer may appoint a qualified, independent third-party auditor (subject to Squid's approval, not to be unreasonably withheld). Such audits will be conducted at Customer's expense during normal business hours, with minimal disruption to Squid's operations.


9.3 Remediation

If an audit reveals non-compliance with this DPA, Squid will implement reasonable measures to remediate such non-compliance within a reasonable timeframe.

10. LIABILITY AND INDEMNIFICATION


10.1 Limitation of Liability

Each Party's liability under this DPA will be subject to the limitations of liability set forth in the Agreement, except where such limitations are prohibited by Applicable Data Protection Law.


10.2 Indemnification for Data Breaches

Squid does not provide indemnification for third-party privacy claims, regulatory actions, fines, or penalties as part of this standard DPA.


Customers requiring indemnification may negotiate separate terms in a signed Order Form or Statement of Work. Any such separately negotiated indemnification terms will take precedence over this Section.


Each Party's liability under this DPA remains subject to the limitation of liability provisions in the Terms of Service.

11. TERM AND TERMINATION


11.1 Term

This DPA will remain in effect for the duration of the Agreement or until all Personal Data has been deleted or returned in accordance with Section 7, whichever is later.


11.2 Survival

Sections 7 (Data Deletion and Return), 10 (Liability and Indemnification), and any other provisions that by their nature should survive, will survive termination or expiration of this DPA.

12. GENERAL PROVISIONS


12.1 Order of Precedence

In the event of a conflict between this DPA and other terms of the Agreement, this DPA shall control with respect to data processing matters.


12.2 Amendments

Squid may update this DPA from time to time to reflect changes in business practices, Applicable Data Protection Law, or industry standards. Material changes will be communicated to Customer with reasonable advance notice. Customer's continued use of the Services after such notice constitutes acceptance of the updated DPA.


12.3 Governing Law

This DPA shall be governed by the same laws as the Agreement, except where Applicable Data Protection Law requires otherwise.


12.4 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

CONTACT INFORMATION


For questions regarding this DPA or Squid's data processing practices:


Email: info@asksquid.ai

©2025 ScriptEngine, Inc. (dba Squid, Inc.) · All rights reserved.
