Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of and supplements the Agreement entered into by Spekmi and Customer.

4.1 Definitions

• “Agreement” means the service agreement between the Parties governing provision of Spekmi Products.
• “Applicable Data Protection Law” means any applicable privacy, data security, or data protection law, including GDPR and CCPA.
• “Description of Processing” means the Description attached to this DPA.
• “International Data Transfer” means any transfer of Personal Data to a Restricted Country.
• “Spekmi Products” means products and services provided by Spekmi to Customer.
• “Personal Data” means Customer Data consisting of “personal data” as defined under Applicable Data Protection Law which Spekmi Processes as a Processor.
• “Process” or “Processing” means processing of Personal Data as described in Description of Processing.
• “Restricted Country” means any country outside the EEA without an adequacy decision.
• “SCC” means Standard Contractual Clauses pursuant to GDPR.
• “Subprocessor” means any Processor appointed by Spekmi for Processing.
• “Trust Center” means Spekmi Trust Center at https://spekmi.com.

4.2 Role of the Parties and Description of Processing

Role. Customer is the Controller of Personal Data. Spekmi Processes Personal Data as a Processor on Customer's behalf.

Description. Processing description is available in the Description of Processing. Spekmi may update it to reflect new products, features, or Subprocessors.

Spekmi as Controller. Spekmi is authorized to process Personal Data as Controller for:

• Training AI models per Privacy Policy (unless Customer opted out)
• Using Feedback to train models and improve products
• Automated moderation and abuse monitoring
• Making anonymized and aggregated statistics

4.3 General Obligations of the Parties

Obligations of Spekmi:

• Process Personal Data only per documented lawful instructions
• Inform Customer if instructions infringe Applicable Data Protection Law
• Ensure persons authorized to Process Personal Data are under confidentiality duties
• Comply with Processor obligations under Applicable Data Protection Law
• Notify Customer if unable to meet obligations
• Provide reasonable and timely assistance for investigations, impact assessments, and audits

Obligations of Customer:

• Comply with Controller obligations under Applicable Data Protection Law
• Provide notice and obtain required consents for Spekmi to Process Personal Data

4.4 Data Subjects

Customer Responsibility. Customer shall provide required information to Data Subjects and respond to all Data Subject rights requests.

Assistance. Upon Customer request, Spekmi shall provide commercially reasonable assistance to respond to Data Subject requests.

Requests to Spekmi. Spekmi will transfer Data Subject requests to Customer rather than responding directly, unless legally required.

4.5 Security

Spekmi shall implement and maintain technical and organizational measures to protect Personal Data from breaches, meeting or exceeding Applicable Data Protection Law requirements. Security measures are listed in our Trust Center and may be updated provided overall security is not materially decreased.

4.6 Personal Data Breach

Notification. Spekmi shall notify Customer of any Personal Data Breach without undue delay, including:

• Contact details for more information
• Nature of the breach (categories, numbers affected)
• Measures Customer could take to mitigate effects
• Likely consequences of the breach
• Measures proposed or taken by Spekmi

Assistance. Upon request, Spekmi shall provide commercially reasonable assistance for compliance with breach notification obligations and mitigation.

4.7 Subprocessing

General Authorization. Customer authorizes Spekmi to appoint Subprocessors subject to:

• Maintaining an up-to-date Subprocessor list
• Notifying Customer of Subprocessor changes
• Written agreements with Subprocessors imposing equivalent data protection terms
• Remaining liable for Subprocessor failures

Notification. Spekmi provides reasonable notice of Subprocessor changes. Customer may object in writing within ten (10) days on reasonable data protection grounds.

4.8 International Transfers

Customer authorizes Spekmi to transfer Personal Data to countries with adequate protection or pursuant to SCCs with adequate safeguards.

4.9 Audit

Document Audit. Upon request, Spekmi will provide documents reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality.

Onsite Audit. If document audit is insufficient, Customer may conduct up to one (1) onsite audit per year with:

• 90 days advance written notice
• Independent auditor selected jointly
• Conducted during business hours
• Findings restricted to relevant information
• Costs borne by Customer

4.10 Return or Destruction of Personal Data

After end of Spekmi Products provision, Spekmi will delete or return all Personal Data per deletion policies. Personal Data will no longer be accessible thirty (30) days following termination.

4.11 General

Term. This DPA commences on effective date of Agreement or first Processing date and continues for Agreement duration.

Incorporation. This DPA is incorporated into the Agreement. In case of conflict, DPA terms prevail.

Liability. Subject to exclusions and limitations in the Agreement.

4.12 Specific Privacy Laws

CCPA. Spekmi shall not: (i) Process Personal Data for purposes other than providing Products; (ii) “sell” or “share” Personal Data; (iii) Process outside direct business relationship; or (iv) combine Personal Data with other data except as permitted for Processors.

Appendix: Description of Processing

List of Parties
Controller: Customer
Processor: Spekmi, SASU, 978 043 586 R.C.S. Paris, 90 rue de Rivoli, 75004 Paris, France
Contact: privacy@spekmi.com

Categories of Data Subjects:

• Customer's authorized users
• Any natural person whose personal data is processed by Customer using Spekmi Products

Categories of Personal Data:

• Account data
• Any personal data processed by Customer using Spekmi Products

Special Categories (if applicable): None

Duration and Frequency: On a continuous basis for Agreement duration

Nature of Processing:

• Providing Spekmi Products
• Debugging
• Assessing, testing, and verifying performance

Retention Period: Duration of the Agreement