Data Processing Addendum

Enterprise Bot GmbH & Customer — incorporated into the Master Service Agreement

Version	v1.5
Effective date	18 May 2026
Processor	Enterprise Bot GmbH
Primary regulatory scope	GDPR · UK GDPR · Swiss FADP · DORA · EU AI Act
Default data residency election	EU/EEA only
Switzerland access	Disabled by default; only if Customer expressly elects Switzerland in the Order Form or other written instruction
United States / Middle East / other non-EU processing	Not permitted in the standard configuration; only if Customer is US-based and requests US processing, Middle East-based and requests Middle East processing, or expressly instructs another location in writing

This version consolidates Enterprise Bot’s data-residency position, DORA obligations and EU AI Act allocation in a single document: EU/EEA processing by default; Switzerland only upon express customer election; and no US processing unless the customer is US-based or specifically requests US processing in writing.

Contracting Parties

Processor: Enterprise Bot GmbH, Dufourstrasse 22, CH-8008 Zürich, Switzerland.

Processor contacts. Legal and contract notices: legal@enterprisebot.org. Data protection and DPO enquiries: privacy@enterprisebot.org. Security and incident notifications: security@enterprisebot.org. Enterprise Bot GmbH acts as its own data protection contact point; where an Article 27 GDPR representative is required for a particular engagement, details will be provided on request.

Controller: Customer, as identified in the Master Service Agreement, Order Form or other ordering document.

Incorporation and precedence. This Data Processing Addendum ("DPA") forms part of and is incorporated into the Master Service Agreement or Order Form (the "Agreement"). In the event of conflict, this DPA prevails with respect to data protection, digital operational resilience and AI governance matters addressed herein, unless the parties expressly agree otherwise in writing.

1. Definitions

Term	Meaning
Agreement	The Master Service Agreement, Order Form or other written ordering document into which this DPA is incorporated.
Customer Data	Any Personal Data and other data submitted to, stored in, processed by or generated through the Services on behalf of Customer.
Data Protection Laws	The GDPR, UK GDPR, Swiss FADP and any other applicable data protection or privacy law binding on the parties in connection with the Services.
EU AI Act	Regulation (EU) 2024/1689, as amended or supplemented from time to time.
DORA	Regulation (EU) 2022/2554, including applicable regulatory technical standards and implementing measures.
GPAI Model	A general-purpose AI model within the meaning of the EU AI Act.
Services	Enterprise Bot's software and related services for AI-powered customer engagement, workflow automation, orchestration, analytics and communication channels, as described in the Agreement.
Sub-processor	Any third party engaged by Processor to process Personal Data on behalf of Customer in connection with the Services.

2. Scope and processing instructions

Processor shall process Personal Data solely on behalf of Customer and only for the following purposes: (a) to provide, secure, support and improve the Services as instructed by Customer; (b) as initiated by Customer's authorised users through their use of the Services; and (c) as otherwise required by applicable law.

Processor shall promptly notify Customer if, in Processor's opinion, a documented instruction infringes applicable law. Unless prohibited by law, Processor shall also notify Customer before complying with any legally compelled disclosure request relating to Customer Data.

3. Confidentiality and personnel controls

Processor shall ensure that all personnel authorised to process Personal Data are subject to confidentiality obligations and receive appropriate data protection, security and role-based training. Access to Customer Data shall be restricted on a need-to-know and least-privilege basis.

Production access shall be subject to approval controls, logging, and multi-factor authentication on privileged accounts. Background screening shall be performed for personnel granted production access, to the extent permitted by applicable law and consistent with Schedule 2.

4. Data subject rights and regulatory cooperation

Processor shall notify Customer without undue delay of any request from a data subject to exercise rights under applicable Data Protection Laws and shall not respond directly except on Customer's documented instruction or where legally required.

Taking into account the nature of the processing and the information available to Processor, Processor shall provide reasonable assistance to Customer with data subject requests, data protection impact assessments, prior consultations and other reasonably necessary compliance activities.

5. Sub-processors

Customer grants Processor a general authorisation to engage the Sub-processors identified on Processor's sub-processor list and in the applicable annexes to this DPA.

Processor shall impose written data protection and security obligations on each Sub-processor that are no less protective than the relevant obligations set out in this DPA, to the extent applicable to the nature of the services performed.

Processor shall notify Customer of any intended addition or replacement of a Sub-processor that processes Customer Data at least 30 calendar days in advance, except where an urgent replacement is required for security, resilience or business continuity reasons, in which case notice shall be given as soon as reasonably practicable.

Customer may object on reasonable data protection, security or resilience grounds during the notice period. If the parties cannot resolve the objection in good faith, Customer may terminate the affected Service upon written notice without penalty for the terminated portion.

6. Security measures and personal data breach notification

Processor shall implement and maintain appropriate technical and organisational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as further described in Schedule 2.

Processor shall notify Customer without undue delay, and in any event within 48 hours after becoming aware of a confirmed Personal Data Breach affecting Customer Data. The notification shall include all information reasonably available to Processor at the time, and Processor shall provide supplemental information as further facts become available.

Nothing in this Section limits Customer's own assessment and notification obligations under applicable law.

7. Data residency and international transfers

7.1 EU/EEA by default. Processor shall configure and operate the standard Service so that Customer Data is processed and stored within the EU/EEA by default, using EU/EEA-hosted infrastructure and EU/EEA-supported processing locations for third-party model and cloud services where such locations are available for the relevant feature.

7.2 Switzerland only upon express election. Processor personnel located in Switzerland shall not access or process Customer Data for an EU/EEA-designated tenant unless Customer expressly elects Switzerland access in the applicable Order Form or otherwise instructs such access in writing. Where Customer makes that election, the parties acknowledge that Switzerland is recognised by the European Commission as providing an adequate level of protection under Article 45 GDPR, without prejudice to any additional contractual restrictions agreed by the parties.

7.3 No United States processing in the standard configuration. Processor shall not route, store, transmit or otherwise process Customer Data in the United States, or use global or US processing endpoints, in the standard configuration of the Services. United States processing may occur only where: (a) Customer is established in the United States and requests a US-hosted configuration; or (b) Customer expressly instructs such processing in writing for a specified tenant, workload or feature.

7.3a Middle East processing only upon express election. Processor shall not route, store, transmit or otherwise process Customer Data in the Middle East in the standard configuration of the Services. Middle East processing (using the AWS Middle East region, e.g. Bahrain or UAE) may occur only where: (a) Customer is established in the Middle East and requests a Middle East-hosted configuration; or (b) Customer expressly instructs such processing in writing for a specified tenant, workload or feature. Where Middle East processing constitutes a restricted transfer under applicable Data Protection Laws, the parties shall implement an appropriate transfer mechanism in accordance with Section 7.5.

7.4 Unsupported feature rule. If a requested feature is not available in an EU/EEA-supported processing location, Processor shall either refrain from enabling that feature for Customer or obtain Customer's prior written instruction approving an alternative location before enabling it.

7.5 Transfer mechanisms. Where any restricted transfer of Personal Data occurs, the parties shall implement an appropriate transfer mechanism under applicable Data Protection Laws, which may include the EU Standard Contractual Clauses, the UK Addendum or other lawful mechanism as applicable.

7.6 Change control. Processor shall provide prior notice before changing processing locations for Customer Data, except where immediate action is required to address a security, availability or legal issue. In such case, Processor shall notify Customer as soon as reasonably practicable and document the rationale for the change.

8. Audit and information rights

Processor shall make available information reasonably necessary to demonstrate compliance with this DPA, including current independent audit reports, certifications or equivalent evidence, subject to confidentiality protections.

Customer may conduct or commission a direct audit of Processor's compliance with this DPA upon at least 30 days' written notice, not more than once annually unless a Personal Data Breach, material non-compliance or regulatory investigation reasonably justifies additional review. Audits shall be conducted during normal business hours, in a manner designed to minimise operational disruption and protect the confidentiality of other customers and Processor's security measures.

9. Deletion and return of data

Upon termination or expiry of the Agreement, or upon Customer's written request following termination, Processor shall delete or return Customer Data, at Customer's election, within 60 calendar days, unless applicable law requires longer retention.

Where Customer requests return, Processor shall provide Customer Data in a commonly used, documented and machine-readable format reasonably suitable for migration.

10. Term and order of precedence

This DPA remains in force for as long as Processor processes Personal Data on Customer's behalf under the Agreement. The provisions relating to confidentiality, deletion, return, transfers, audits, DORA cooperation and AI governance survive for so long as applicable by their nature.

Schedule 1 — Details of processing

Processor	Enterprise Bot GmbH, Dufourstrasse 22, CH-8008 Zürich, Switzerland.
Nature and purpose	Provision of AI-powered customer engagement, workflow automation, orchestration, analytics, chat, voice, email triage and related support services.
Duration	For the term of the Agreement and for the limited post-termination period required to delete or return Customer Data under Section 9.
Data subjects	End users, prospects, Customer employees and agents, business partners, vendors and other individuals whose data is submitted to the Services by or on behalf of Customer.
Categories of data	Identity data, contact details, professional data, interaction and conversation content, voice transcripts, voice recordings (where call recording is enabled by Customer), email content, technical and usage metadata, audit logs, localisation data and other data submitted by Customer. Voice processing: where Customer enables voice channels, Personal Data may be captured via SIPREC or equivalent media-recording protocols at the SIP gateway, transmitted over encrypted SIP/RTP, and processed for transcription, analytics and Customer-configured workflows. Call recordings and associated transcripts are retained for the period configured by Customer in the applicable Order Form or tenant settings (default: 30 days), after which they are deleted in accordance with Section 9. The SIP signalling and media gateway is operated by Processor or its designated Sub-processor; carrier-side telephony transport remains the responsibility of Customer's chosen carrier and is outside the scope of this DPA.
Special category / sensitive data	Only where deliberately submitted by Customer or by end users through Customer's configured workflows. Customer is responsible for determining a valid legal basis and for enabling any required notices or controls.

Schedule 2 — Technical and organisational security measures

Area	Measures
Encryption	TLS 1.2 or higher in transit; AES-256 or equivalent encryption at rest; encrypted backups; key management under documented internal controls.
Access controls	Role-based access control, least privilege, MFA on privileged accounts, joiner/mover/leaver controls and access logging for administrative actions.
Monitoring and detection	Centralised logging, alerting, vulnerability scanning, security monitoring and documented incident triage procedures.
Testing	Regular vulnerability assessments, periodic penetration testing, change testing and documented remediation tracking.
Resilience	Backups, disaster recovery planning, restoration testing, capacity monitoring and business continuity procedures appropriate to the Services.
Change management	Documented change approval, emergency change handling, rollback capability and security review for material service changes.
Personnel	Confidentiality commitments, onboarding and recurring security training, and production-access screening where legally permissible.
Certifications and attestations	ISO/IEC 27001 certified information security management system; SOC 2 Type II attestation; GDPR and Swiss FADP alignment. HIPAA and PCI-DSS aligned controls available for in-scope deployments on request. Current reports and certificates available to Customer under NDA.

Annex I — International transfer framework and residency election

The following transfer and residency rules apply unless a more restrictive Customer election is stated in the Order Form.

Scenario	Default position	Permitted only when	Mechanism / note
EU/EEA processing	Enabled	—	Processor uses EU/EEA locations by default.
Switzerland access	Disabled	Customer expressly elects Switzerland in writing	Switzerland adequacy may be relied upon where applicable.
US processing	Disabled	Customer is US-based and requests US processing, or expressly instructs it in writing	No global or US endpoints in the standard configuration.
Middle East processing	Disabled	Customer is established in the Middle East and requests Middle East processing, or expressly instructs it in writing	AWS Middle East region (e.g. Bahrain/UAE); appropriate lawful transfer mechanism required for any restricted transfer.
Other non-EU/EEA	Disabled	Customer expressly instructs the location in writing	Appropriate lawful transfer mechanism required.

Annex II — Approved sub-processors and principal data locations

The current sub-processor list shall be maintained by Processor and made available to Customer. The table below reflects the principal model and cloud services contemplated by the standard configuration described in this DPA.

Provider / service	Legal entity (sub-processor)	Service role	Default data location	Residency note
Enterprise Bot	Enterprise Bot GmbH (Switzerland) — sub-processor under Art. 28 GDPR; Switzerland benefits from EU adequacy decision.	Platform orchestration, support and administration	EU/EEA by default	Swiss-based controller of the Services; Switzerland support access only if expressly elected by Customer.
Microsoft Azure OpenAI Service	Microsoft Ireland Operations Limited (Ireland) — sub-processor under Art. 28 GDPR.	Hosted OpenAI model inference via Microsoft	EU data zone or EU regional processing	No global or US deployment for EU/EEA-designated tenants.
Google Cloud Vertex AI / Gemini	Google Cloud EMEA Limited (Ireland) — sub-processor under Art. 28 GDPR.	Gemini model inference and related model services; cloud storage and supporting infrastructure for Customer Data (encrypted)	EU region or EU multi-region	No global or US endpoint for EU/EEA-designated tenants.
AudioCodes	AudioCodes Ltd. (Israel) — sub-processor under Art. 28 GDPR; Israel benefits from EU adequacy decision (Commission Decision 2011/61/EU).	SBC / SIP signalling gateway for voice channels	EU region	Operated by Processor in the EU region; carrier-side telephony transport remains Customer's responsibility.
Twilio	Twilio Ireland Limited (Ireland) — sub-processor under Art. 28 GDPR for SIP signalling; carrier-side PSTN telephony transport is outside the scope of Art. 28.	SIP trunking to PSTN for voice channels	EU region (Ireland)	Carrier-side telephony transport; transit only, no persistent storage of Customer Data by sub-processor.
Soniox	Soniox, Inc. (United States) — sub-processor under Art. 28 GDPR; cross-border transfer covered by EU SCCs (Module 3 or Module 2 as applicable).	Speech-to-text transcription for voice channels	EU region (contractually enforced for EU Customers)	For EU Customers, Customer Data processing and storage is contractually restricted to the EU region; used only where Customer enables voice transcription; processing limited to transcription output returned to the Services.
ElevenLabs	ElevenLabs, Inc. (United States) — sub-processor under Art. 28 GDPR; cross-border transfer covered by EU SCCs (Module 3 or Module 2 as applicable).	Text-to-speech and speech-to-text for voice channels	EU region (contractually enforced for EU Customers)	For EU Customers, Customer Data processing and storage is contractually restricted to the EU region; used only where Customer enables ElevenLabs voice features; processing limited to synthesis/transcription output returned to the Services.
Amazon Web Services (AWS)	Amazon Web Services EMEA SARL (Luxembourg) — sub-processor under Art. 28 GDPR.	Cloud hosting and supporting infrastructure	EU region by default for EU Customers; AWS Middle East region (e.g. Bahrain/UAE) for Customers established in or expressly electing Middle East processing	For EU Customers, hosting is contractually restricted to the EU region. Middle East hosting available only where Customer is based in the Middle East or expressly elects Middle East processing in writing; no global or US endpoints in the standard configuration.

Annex III — DORA addendum

Applicability. This Annex applies only to the extent that Customer is a financial entity subject to DORA and Customer has determined that the Services support a critical or important function, or otherwise requires these provisions to apply. This Annex supplements the Agreement and DPA and is intended to address the contractual elements described in Article 30 DORA.

1. Service description and subcontracting

Processor shall maintain a clear description of the in-scope ICT services, supported functions, service dependencies, principal processing locations and relevant Sub-processors. Where subcontracting of a service supporting a critical or important function, or a material part thereof, is permitted, the relevant conditions, oversight measures and notification obligations shall apply as set out in this DPA and the Agreement.

2. Locations and change notification

Processor shall identify the regions or countries where the contracted or subcontracted ICT services are provided and where Customer Data is processed or stored. Processor shall give Customer prior notice of any material change to those locations, except where immediate action is required for resilience, security or legal compliance reasons.

3. Availability, integrity, confidentiality and service levels

The Agreement, support terms and applicable service schedules shall include service level descriptions sufficient to enable Customer to monitor the Services effectively. Processor shall maintain appropriate controls to support the availability, authenticity, integrity and confidentiality of Customer Data and shall notify Customer of developments that may materially affect the provision of the Services.

Where the Services support a Customer critical or important function, Processor shall use commercially reasonable efforts to meet the following recovery objectives unless otherwise agreed in writing in the Order Form: Recovery Time Objective (RTO) of four (4) hours and Recovery Point Objective (RPO) of one (1) hour for critical components; RTO of twenty-four (24) hours and RPO of twenty-four (24) hours for non-critical components. Processor shall report availability and recovery performance on request and shall notify Customer of any material deviation.

4. Incident assistance and authority cooperation

In relation to ICT incidents affecting the Services provided to Customer, Processor shall provide reasonable assistance to Customer at no additional charge for standard incident handling, or at charges agreed ex ante for non-standard assistance requiring substantial additional work. Processor shall cooperate with Customer’s competent authorities, resolution authorities and any persons appointed by them to the extent required by applicable law.

Processor shall notify Customer of ICT-related incidents affecting the Services on the following timelines, measured from Processor’s confirmation of the incident: (a) Critical (significant operational impact, confirmed data breach or significant security compromise) — within four (4) hours; (b) Major (material degradation of Services but no confirmed data breach) — within twenty-four (24) hours; (c) Minor — within the next business day. Initial notifications shall contain the information then reasonably available, and Processor shall provide updates as further information becomes known, including a post-incident root-cause summary within a reasonable period after closure.

Processor shall retain records of ICT incidents affecting the Services for a minimum of five (5) years and shall make such records available to Customer on request to the extent required for Customer’s DORA incident classification, reporting and supervisory obligations.

5. Access, recovery, return and exit

Processor shall ensure that Customer can access, recover and obtain return of Customer Data in an easily accessible and documented format upon termination, insolvency, resolution, discontinuation of business operations or other service exit event. Processor shall provide transition assistance as set out in the Agreement, Order Form or exit plan agreed between the parties.

Where the Services support a Customer critical or important function, Processor shall provide transition assistance for a period of up to three (3) months following the effective date of termination or expiry, at no additional charge for standard assistance (including data export in a documented format, configuration export, read-only access to Customer Data and reasonable handover support to a successor provider). Non-standard assistance requiring substantial additional work may be charged at rates agreed ex ante. Processor shall not withhold access to Customer Data during the transition period for reasons other than non-payment of undisputed amounts already due.

Customer may terminate the affected Services for material breach, material deterioration of the Services, non-remediated security or resilience concerns, unresolved objection to a material Sub-processor change, regulatory instruction, or other termination trigger expressly set out in the Agreement. Any applicable notice periods shall be those stated in the Agreement or Order Form.

6. Security, business continuity and testing

Processor shall maintain business continuity and disaster recovery measures proportionate to the Services and shall test such measures at least annually. Processor shall maintain appropriate ICT security measures, tools and policies for the secure provision of the Services and shall, where relevant and proportionate, cooperate with agreed resilience testing relating to Customer’s DORA obligations.

Where Customer is required to conduct Threat-Led Penetration Testing (TLPT) under Article 26 DORA and the Services fall within the scope of such testing, Processor shall cooperate in good faith with Customer and any testers appointed by Customer, subject to reasonable scope, notice, safety, confidentiality and pooled-testing arrangements, and subject to protection of Processor’s other customers and infrastructure.

Processor shall grant Customer, its competent authorities and resolution authorities (and any persons appointed by them) the rights of access, inspection and audit to Processor’s relevant premises, systems and records required by Article 30(3)(e) and Article 31 DORA, including unrestricted rights of inspection in respect of ICT services supporting a critical or important function, subject to reasonable notice, confidentiality and information-security safeguards.

7. Awareness and training

Upon reasonable request and to the extent relevant to the Services, Processor shall participate in Customer's ICT security awareness, incident coordination or operational resilience meetings or training activities for key service contacts, subject to reasonable notice and scope.

Annex IV — EU AI Act addendum

Applicability. This Annex addresses the parties' allocation of responsibilities under the EU AI Act for the standard configuration of the Services as of the Effective Date. It is drafted on the basis that Enterprise Bot does not develop or place on the market its own general-purpose AI models and instead integrates third-party GPAI-enabled services provided by Microsoft and Google into the Enterprise Bot platform. The allocation of responsibilities may change for a particular deployment depending on the intended purpose, product design and actual role assumed by each party under the AI Act.

1. Allocation of roles

In the standard configuration, the underlying GPAI model provider obligations for Microsoft-hosted OpenAI models and Google Gemini models remain with the relevant model provider, not with Processor, except to the extent Processor materially modifies a model such that it becomes a provider of a new GPAI model under the EU AI Act.

Processor may act as the provider of the Enterprise Bot platform or of a downstream AI system placed on the market or put into service under the Enterprise Bot name or trademark, while Customer typically acts as deployer of the configured system in its own business context.

2. Permitted and restricted use cases

The standard, supported use cases for the Services are customer service, workflow automation, information retrieval, triage, summarisation, analytics and agent-assist scenarios that do not fall into a prohibited practice and are not treated by the parties as high-risk deployments unless expressly agreed in writing.

Customer shall notify Processor before using the Services for any potentially high-risk use case, including where the system may be used in employment, education, essential private or public services, law-enforcement or other regulated decision-making contexts, so that the parties can assess whether additional contractual, technical and documentation measures are required before the use case is enabled.

3. Transparency and AI literacy

Processor shall provide functionality or configuration support enabling Customer to disclose to end users, where required, that they are interacting with an AI system. Customer remains responsible for ensuring that legally required notices, instructions, human review steps and user-facing disclosures are actually implemented in the deployed workflow.

Customer is responsible for ensuring that its personnel using the Services have an adequate level of AI literacy appropriate to their role. Processor shall make available reasonable product documentation, training materials or usage guidance to support this obligation.

4. High-risk deployment rule

Processor does not commit in this DPA to support every possible high-risk AI use case. Where the parties expressly agree in writing to a supported high-risk deployment for which Processor acts as provider of the relevant AI system, the parties shall agree a separate compliance workstream covering, as applicable, technical documentation, instructions for use, logging, human oversight, risk management, data governance, accuracy and robustness controls, conformity assessment and any required registration before the system is put into service.

Until such separate written agreement is in place, Customer shall not place the Services into service for a use case that would require Processor to satisfy provider-side high-risk AI obligations.

Where Customer is a public authority, provides a public service, or deploys the Services for a use case listed in Article 27(1) EU AI Act (including credit-worthiness assessment, insurance risk assessment and pricing for natural persons, or access to essential services), Customer acts as deployer and is responsible for conducting a Fundamental Rights Impact Assessment (FRIA) before first deployment. Processor shall provide reasonable information about the system’s intended purpose, input data categories, logging capabilities and known limitations to support Customer’s FRIA.

5. Prohibited and sensitive practices

Processor shall not knowingly configure the standard Service to enable a prohibited AI practice under Article 5 EU AI Act. Features involving biometric identification, biometric categorisation or emotion recognition are disabled by default and may be enabled only if expressly agreed in writing, supported by the product and lawful in the relevant jurisdiction and use case.

6. Logging, human oversight and serious incident cooperation

Processor shall maintain reasonable logs and controls appropriate to the supported use case and product design. Customer remains responsible for configuring and operating any human review, escalation or override steps required for its deployment context.

Where Processor becomes aware of a serious incident or material malfunction relating to the supported AI functionality that may create a significant risk to health, safety or fundamental rights in a deployment for which Processor bears provider-side obligations, Processor shall notify Customer without undue delay and in any event within forty-eight (48) hours of becoming aware, and shall cooperate with Customer in good faith regarding assessment, containment and any required regulatory communication to the AI Office, national market surveillance authorities or other competent bodies in accordance with Article 73 EU AI Act.

7. Application dates

Under current European Commission guidance, the AI Act entered into force on 1 August 2024; prohibited practices and AI literacy obligations apply from 2 February 2025; obligations for providers of GPAI models apply from 2 August 2025; and the Act is otherwise generally applicable from 2 August 2026, subject to any later legislative amendment.

Execution

By signing below, or by executing the Agreement that incorporates this DPA, the parties agree to be bound by these terms.

Enterprise Bot GmbH (Processor)	Customer (Controller)
Authorised signature: _____________________________ Printed name: _____________________________________ Title: ____________________________________________ Date: _____________________________________________	Authorised signature: _____________________________ Printed name: _____________________________________ Title: ____________________________________________ Date: _____________________________________________

Trusted by Leading Enterprises Worldwide

Heading 1

with a request body that specifies how to map the columns of your import file to the associated CRM properties in HubSpot.... In the request JSON, define the import file details, including mapping the spreadsheet's columns to HubSpot data. Your request JSON should include the following fields:... entry for each column.