Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between FunctionalAI (“Processor”) and the customer (“Controller”) using the FunctionalAI service (“Service”). It applies whenever we process Personal Data on your behalf in connection with the Service.

1. Definitions

Terms such as Personal Data, Processing, Controller, Processor, Sub-processor, Data Subject, Personal Data Breach, and Supervisory Authority have the meanings given in Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the Swiss FADP, and, where applicable, the California Consumer Privacy Act / CPRA, Brazilian LGPD, and analogous laws.

2. Roles and Scope

• You are the Controller (or, where applicable, Processor on behalf of an upstream controller) of Personal Data you submit to the Service.
• FunctionalAI is your Processor and processes Personal Data only on your documented instructions, which are the Service configuration you choose plus the Terms of Service.
• We will not sell, rent, or share Personal Data for advertising or train foundation models on your Personal Data. LLM provider calls (e.g., OpenAI, Anthropic) are made under enterprise “no-training” terms in effect at time of use.

3. Subject Matter, Duration, Nature and Purpose

• Subject matter: Providing AI-powered customer support, chatbot, RAG knowledge base, and connected-channel automation.
• Duration: From your acceptance until the end of your subscription plus any retention period required to complete deletion/return of data.
• Nature and purpose: Storage, retrieval, embedding, LLM inference, transmission to connected channels (e.g., Shopify, Meta, website widget), analytics for service operation.
• Categories of Data Subjects: Controller’s customers, end-users / shoppers, employees or agents of the Controller, and any other individuals whose data the Controller submits to the Service.
• Categories of Personal Data: Contact details, messaging content and metadata, social platform identifiers, order and product data submitted by Controller, and any data included in knowledge-base files the Controller uploads. No special-category data (Art. 9 GDPR) should be uploaded without a prior written agreement with us.

4. Processor Obligations

• Process Personal Data only on the Controller’s documented instructions, including with regard to international transfers (Art. 28(3)(a) GDPR).
• Ensure persons authorized to process Personal Data are bound by confidentiality.
• Implement the technical and organizational measures set out in Annex II.
• Assist the Controller, taking into account the nature of processing, in fulfilling its obligations under Arts. 32–36 GDPR and data-subject requests under Arts. 12–23.
• At the Controller’s choice, delete or return Personal Data at the end of the Service term, and delete existing copies unless retention is required by law.
• Make available all information necessary to demonstrate compliance and allow for audits, subject to confidentiality and reasonable notice (see §9).

5. Sub-processors

The Controller provides general authorization for FunctionalAI to engage the Sub-processors listed in Annex III. FunctionalAI will notify the Controller of any intended changes to that list at least thirty (30) days in advance by email and/or a conspicuous update to this page. The Controller may reasonably object within that period; if the parties cannot resolve the objection in good faith, either party may terminate the affected Service on written notice.

FunctionalAI imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA and remains liable for any breach by a Sub-processor of those obligations.

6. International Transfers

Where Personal Data of EU/UK/EEA or Swiss data subjects is transferred outside the EEA/UK/Switzerland to a country that has not received an adequacy decision, the parties rely on the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, “SCCs”), which are hereby incorporated by reference, including:

• Module Two (Controller-to-Processor) when the Controller is the controller of the transferred data;
• Module Three (Processor-to-Processor) when the Controller acts as a processor for an upstream controller;
• For UK transfers: the UK International Data Transfer Addendum (issued by the ICO) to the EU SCCs;
• For Swiss transfers: the SCCs as amended by the FDPIC for use under the Swiss FADP.

The following SCC options apply: Clause 7 (docking) — enabled; Clause 9(a) Option 2 (general sub-processor authorization, 30-day notice); Clause 11 (independent dispute resolution) — not selected; Clause 17 Option 1, governing law of Poland (an EU Member State whose law allows for third-party beneficiary rights); Clause 18, forum of Warsaw, Poland.

7. Security Measures

FunctionalAI implements the technical and organizational measures described in Annex II to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

8. Personal Data Breach Notification

FunctionalAI will notify the Controller without undue delay and in any event within 48 hours after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed to address the breach.

9. Audit Rights

Upon reasonable written request (and no more than once per twelve-month period, absent material concerns), FunctionalAI will make available information necessary to demonstrate compliance with this DPA. For on-site or third-party audits, the parties will agree in advance on scope, timing, cost-sharing, and confidentiality safeguards. FunctionalAI may satisfy audit requests by providing current third-party audit reports (e.g., SOC 2, ISO 27001 where applicable).

10. Assistance with Data-Subject Requests

Taking into account the nature of the Processing, FunctionalAI will, by appropriate technical and organizational measures, assist the Controller in responding to requests to exercise data-subject rights under Arts. 15–22 GDPR (access, rectification, erasure, restriction, portability, objection). Requests received directly by FunctionalAI from a data subject concerning Controller data will be promptly forwarded to the Controller without response.

11. Deletion and Return of Data

Upon termination of the Service, FunctionalAI will, at the Controller’s choice, delete or return all Personal Data and delete existing copies within thirty (30) days, unless EU / Member State / other applicable law requires storage. Backups will be overwritten in the ordinary course but access will be disabled immediately.

12. Liability and Order of Precedence

Liability under this DPA is subject to the limitations in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service with respect to Personal Data, this DPA controls; in the event of a conflict between this DPA and the SCCs, the SCCs control.

13. Contact

Questions about this DPA or requests for a signed counterpart can be sent to:

privacy@functional-ai.com

Annex I — Description of Processing

As specified in §3 of this DPA. The Controller determines the specific Personal Data submitted by configuring the Service (knowledge-base uploads, connected channels, assistant configuration).

Annex II — Technical and Organizational Measures

• Encryption in transit: TLS 1.2+ for all external connections.
• Encryption at rest: AES-256 for databases and object storage holding customer data; Fernet encryption for application-level secrets (OAuth tokens, API keys).
• Access control: Role-based access for internal personnel; principle of least privilege; MFA required on administrative systems.
• Authentication: JWT with short lifetimes for end-user sessions; signed webhook verification for Shopify and Meta integrations.
• Network security: Private networking between application and datastores; rate limiting and WAF at the edge.
• Isolation: Per-tenant logical isolation of data; tenant identifier required on every query path.
• Backups & resilience: Managed database backups with point-in-time recovery; regular restore testing.
• Logging & monitoring: Centralized audit logs for access to sensitive data; alerting on anomalous patterns.
• Vulnerability management: Dependency scanning on CI; patching cadence aligned with severity.
• Personnel: Confidentiality obligations, background where permitted by law, security-awareness training.
• Incident response: Documented IR plan with breach-notification SLAs per §8.
• No-training policy: Customer data is not used to train FunctionalAI or any foundation model; LLM providers are engaged under terms that prohibit training on API inputs/outputs by default.

Annex III — Authorized Sub-processors

The following Sub-processors are authorized as of the “Last Updated” date above. This list may change with 30 days’ prior notice (§5).

Sub-processors listed as “only when Controller connects” process data only for customers who enable the relevant integration.