U.S. Privacy Law Addendum
This United States Privacy Law Addendum (the “Addendum”) supplements the Latent Agent End User License Agreement (the “Agreement”) entered into by and between Customer and Latent AI, Inc. (“Company”) (and, together, the “Parties”). This Addendum includes the terms of the Agreement. Any capitalized terms that are used but not defined herein shall have the definitions set forth in the Agreement. Where there is a conflict between the Agreement and this Addendum, this Addendum will control.
Definitions.
- “Authorized Subprocessor” means a third-party entity engaged by Company to process Personal Data in order to provide the Services and that has been approved by Customer in accordance with Section 6.
- “Company Account Data” means personal data that relates to Company’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account.
- “Company Usage Data” means Service usage data collected and processed by Company in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and similar data.
- “Consumer” means a natural person whose Personal Data is protected by Privacy Laws.
- “Consumer Request” means a request from a Consumer to exercise their rights over Personal Data afforded pursuant to Privacy Laws.
- “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing Personal Data. “Controller” includes the term “Business” or equivalent term under Privacy Laws.
- “Personal Data” means any information provided to Company by or on behalf of Customer in connection with the Services that relates to an identified or identifiable Consumer and constitutes “personal data,” “personal information,” or equivalent term under Privacy Laws.
- “Privacy Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the processing of Personal Data. Privacy Laws include but are not limited to U.S. state comprehensive privacy laws, such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the “CCPA”), in each case as updated, amended or replaced from time to time. The terms “affiliates,” “business purpose,” “Controller,” “Personal Data Breach,” “Processor,” “process” or “processing,” “sell,” or “share,” shall have the meaning set forth for that or any equivalent term under Privacy Laws. For the avoidance of doubt, the terms “Controller” and “Processor” include “Business” and “Service Provider,” respectively, as defined in the CCPA.
Description of Processing.
- Nature and Purpose of Processing: Except with respect to Company Account Data and Company Usage Data, Company shall process Personal Data provided by Customer under the Agreement as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this Addendum, and in accordance with Customer’s instructions as set forth in this Addendum. Such purposes shall include provision of the Services set forth under the Agreement, including processing in connection with providing the LEIP Tools and Latent AI Platform. Such processing includes use of Personal Data to fine-tune AI models on the Latent AI Platform.
- Duration of Processing: Company shall process Personal Data provided by Customer as long as required (i) to provide the Services to Customer under the Agreement, or (ii) by applicable law or regulation.
- Categories of Consumers: Company may process Personal Data relating to the following categories of Consumers: Customer end-users/customers and Customer employees.
- Categories of Personal Data: Company may process any Personal Data made available by the Customer.
Customer’s Obligations.
Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Privacy Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Company to be in breach of the Privacy Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data. Customer shall not provide or make available to Company any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Company from all claims and losses in connection therewith.
Use of Personal Data.
Company shall not: (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data outside of Company’s direct business relationship with Customer or for any purpose other than to perform the Services and other obligations under the Agreement, which constitutes a business purpose under the Privacy Laws, except as otherwise permitted in the Agreement or by Privacy Laws; and (iii) combine Personal Data received from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another party or person, except as necessary to provide the Services or as otherwise instructed by Customer.
Audit.
To the extent required by applicable Privacy Laws, and upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Company shall either (i) make available for Customer’s review copies of certifications or reports demonstrating Company’s compliance with prevailing data security standards applicable to the processing of Personal Data provided by Customer under the Agreement, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under the applicable Privacy Laws, allow Customer or Customer’s independent third-party representative to conduct an audit or assessment of Company’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Company’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Company for any time expended for on-site audits. To the extent permitted under Privacy Laws, if Customer determines that Company is processing Personal Data in an unauthorized manner, Customer may, taking into account the nature of Company’s processing and the nature of the Personal Data processed by Company on behalf of Customer, and upon providing prior written notice, take commercially reasonable and appropriate steps to stop and remediate such unauthorized processing.
Authorized Subprocessors.
- A list of Company’s current Authorized Subprocessors (the “List”) will be made available to Customer, either attached hereto, at a link provided to Customer, via email or through another means made available to Customer. Such List may be updated by Company from time to time. Company may provide a mechanism to subscribe to notifications of new subprocessors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Authorized Subprocessors to access or participate in the processing of Personal Data, Company will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Company within ten (10) days of receipt of the aforementioned notice to Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. If Customer does not object during this period, that third party will be deemed an Authorized Subprocessor. Customer acknowledges that certain subprocessors are essential to providing the Services and that objecting to the use of a subprocessor may prevent Company from offering the Services to Customer.
- If Customer reasonably objects to an engagement in accordance with Section 6.1, and Company cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Company. Discontinuation shall not relieve Customer of any fees owed to Company under the Agreement.
- Company will enter into a written agreement with the Authorized Subprocessor imposing on the Authorized Subprocessor data protection obligations comparable to those imposed on Company under this Addendum with respect to the protection of Personal Data. In case an Authorized Subprocessor fails to fulfill its data protection obligations under such written agreement with Company, Company will remain liable to Customer for the performance of the Authorized Subprocessor’s obligations under such agreement.
Confidentiality and Security of Personal Data.
- Company shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Company’s confidentiality obligations in the Agreement. Customer agrees that Company may disclose Personal Data to its advisers, auditors or other third parties as reasonably required in connection with the performance of its obligations under this Addendum, the Agreement, or the provision of Services to Customer.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data.
Personal Data Breach.
- In the event of a Personal Data Breach, Company shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as Company in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach, to the extent that remediation is within Company’s reasonable control.
- In the event of a Personal Data Breach, Company shall, taking into account the nature of the processing and the information available to Company, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Privacy Laws with respect to notifying (i) the relevant regulatory agency and (ii) Consumers affected by such Personal Data Breach without undue delay.
- The obligations described in Sections 8.1 and 8.2 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. Company’s obligation to report or respond to a Personal Data Breach under Sections 8.1 and 8.2 will not be construed as an acknowledgement by Company of any fault or liability with respect to the Personal Data Breach.
Data Protection Assessments.
Taking into account the nature of Company’s processing and the information available to Company, Company shall reasonably cooperate with Customer to conduct any data protection or privacy impact assessments as required by Privacy Laws, including by providing Customer with information and documents necessary for such assessments that Customer cannot otherwise obtain without Company’s assistance. Notwithstanding the foregoing, Customer and Company each remain responsible only for the measures respectively allocated to them under Privacy Laws pertaining to any such assessment.
Consumer Request.
Company shall, to the extent permitted by Privacy Laws, notify Customer upon receipt of a Consumer Request. If Company receives a Consumer Request in relation to Personal Data, Company will advise the Consumer to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Consumer Requests communicated to Company, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Consumer.
Return or Destruction of Personal Data.
Upon the termination or expiration of the Agreement, at Customer’s choice, Company shall return or delete Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Company shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
Company’s Role as a Controller.
The parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Company is an independent controller, not a joint controller with Customer. Company will process Company Account Data and Company Usage Data as a controller (i) to manage the relationship with Customer; (ii) to carry out Company’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Company is subject; and (vi) as otherwise permitted under Privacy Laws and in accordance with this DPA and the Agreement. Company may also process Company Usage Data as a controller to provide, optimize, and maintain the Services, to the extent permitted by Privacy Laws. Any processing by Company as a controller shall be in accordance with Company’s privacy policy.