© 2026 Sarudo. All rights reserved.

Data Processing Agreement

Last updated: January 2025

Contents

  1. Definitions
  2. Scope and Purpose
  3. Client Obligations
  4. Sarudo Obligations
  5. Sub-processors
  6. Data Security
  7. Data Subject Rights
  8. Data Transfer
  9. Audit Rights
  10. Term and Deletion
  11. Contact

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Client") and Sarudo ("we," "us," or the "Processor"). This DPA sets out the terms under which Sarudo processes personal data on behalf of the Client in connection with the provision of the AI Employee platform.

1. Definitions

For the purposes of this Data Processing Agreement:

  • Controller: The Client, who determines the purposes and means of processing personal data through the Sarudo AI Employee platform.
  • Processor: Sarudo, who processes personal data on behalf of and under the instructions of the Controller.
  • Data Subjects: Identifiable natural persons whose personal data is processed through the AI Employee platform. This may include the Client's customers, employees, partners, vendors, or other individuals who interact with the AI employee.
  • Personal Data: Any information relating to an identified or identifiable natural person that is processed through the Sarudo platform. This includes names, email addresses, phone numbers, conversation contents, and any other data that can directly or indirectly identify an individual.
  • Processing: Any operation performed on personal data, including collection, storage, retrieval, use, transmission, and deletion, whether by automated or manual means.
  • Sub-processor: A third party engaged by Sarudo to process personal data on behalf of the Client.

2. Scope and Purpose

Sarudo processes personal data solely for the purpose of providing the AI Employee platform and related services as described in the Terms of Service. The scope of processing includes:

  • Receiving, storing, and processing messages from Data Subjects via the AI employee's configured communication channels (email, messaging platforms, web chat, voice)
  • Storing and indexing knowledge base content uploaded by the Client, which may contain personal data
  • Generating AI-powered responses based on the Client's knowledge base and conversation context
  • Maintaining conversation history and context to enable coherent multi-turn interactions
  • Processing data through integrated third-party services as configured by the Client
  • Performing automated backups and system maintenance on the Client's dedicated infrastructure

The types of personal data processed and the categories of Data Subjects depend on the Client's use of the AI Employee platform and the content provided to it.

3. Client Obligations

As the Controller, the Client is responsible for:

  • Lawful Basis: Ensuring that there is a valid legal basis for the collection and processing of personal data through the AI Employee platform, whether through consent, legitimate interest, contractual necessity, or other applicable legal grounds.
  • Informing Data Subjects: Providing appropriate privacy notices to Data Subjects whose personal data will be processed through the AI employee, including information about the use of AI in processing their communications.
  • Data Accuracy: Ensuring that personal data provided to Sarudo is accurate, relevant, and not excessive for the purposes of processing.
  • Instructions: Providing clear, lawful instructions to Sarudo regarding the processing of personal data. If Sarudo believes an instruction infringes applicable data protection law, we will notify the Client.
  • Data Protection Impact Assessment: Conducting data protection impact assessments where required by applicable law, and consulting with relevant authorities as necessary.

4. Sarudo Obligations

As the Processor, Sarudo commits to:

  • Processing on Instructions: Processing personal data only in accordance with the Client's documented instructions, unless required to do so by applicable law. In such cases, Sarudo will inform the Client of the legal requirement before processing, unless prohibited by law.
  • Confidentiality: Ensuring that all personnel authorized to process personal data are subject to binding confidentiality obligations, whether contractual or statutory.
  • Security Measures: Implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 6 of this DPA.
  • Assistance: Assisting the Client in fulfilling its obligations under applicable data protection laws, including responding to Data Subject requests, conducting impact assessments, and notifying authorities of data breaches.
  • Data Breach Notification: Notifying the Client without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach that affects the Client's data. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.

5. Sub-processors

Sarudo engages third-party sub-processors to assist in providing the AI Employee platform. The Client authorizes the use of sub-processors subject to the following conditions:

  • Current Sub-processors: A list of current sub-processors is available upon request. As of the effective date, sub-processors include cloud infrastructure providers for hosting the Client's dedicated VPS.
  • Contractual Obligations: Sarudo ensures that all sub-processors are bound by data processing agreements that impose obligations no less protective than those set out in this DPA.
  • Notification of Changes: Sarudo will notify the Client at least 30 days before engaging a new sub-processor or replacing an existing one. The notification will include the identity and role of the proposed sub-processor.
  • Right to Object: The Client may object to the engagement of a new sub-processor within 14 days of receiving notification. If the Client objects and the parties cannot reach a mutually acceptable resolution, the Client may terminate the affected services.
  • Liability: Sarudo remains fully liable to the Client for the performance of its sub-processors' obligations under this DPA.

6. Data Security

Sarudo implements and maintains the following technical and organizational security measures to protect personal data:

  • Dedicated Infrastructure: Each Client receives a dedicated Linux VPS, ensuring physical and logical separation of data from other clients.
  • Encryption: All personal data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 or equivalent encryption.
  • Access Controls: Role-based access controls restrict access to personal data to authorized personnel only. All access is authenticated and logged.
  • Network Security: Firewalls, intrusion detection systems, and regular security updates protect the Client's infrastructure from unauthorized access.
  • Incident Notification: In the event of a security incident that compromises personal data, Sarudo will notify the Client within 72 hours, providing full details and remediation steps.
  • Regular Testing: Sarudo conducts regular security assessments and vulnerability testing to identify and address potential security weaknesses.

7. Data Subject Rights

Sarudo assists the Client in responding to requests from Data Subjects exercising their rights under applicable data protection laws:

  • Right of Access: Sarudo will provide the Client with the technical means to retrieve personal data relating to a specific Data Subject upon request.
  • Right to Rectification: Sarudo will correct or update personal data as instructed by the Client.
  • Right to Erasure: Sarudo will delete personal data relating to a specific Data Subject as instructed by the Client, except where retention is required by law.
  • Right to Data Portability: Sarudo will provide personal data in a structured, commonly used, and machine-readable format upon the Client's request.
  • Right to Restriction: Sarudo will restrict the processing of personal data as instructed by the Client.

Sarudo will respond to the Client's instructions regarding Data Subject requests within 10 business days unless a shorter timeframe is required by applicable law.

8. Data Transfer

Personal data is stored and processed on the Client's dedicated infrastructure in the region specified during the onboarding process:

  • Primary Location: The Client's dedicated VPS is provisioned in the geographic region selected during onboarding. Data remains in this region during normal operations.
  • Cross-Border Transfers: If personal data needs to be transferred to a jurisdiction that does not provide an adequate level of data protection, Sarudo will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or equivalent mechanisms.
  • Backups: Backup data may be stored in a different geographic location than the primary infrastructure for disaster recovery purposes. Backup locations are disclosed to the Client upon request.

9. Audit Rights

The Client has the right to verify Sarudo's compliance with this Data Processing Agreement:

  • Security Documentation: Upon request, Sarudo will provide the Client with relevant security documentation, including descriptions of technical and organizational measures, third-party audit reports or certifications, and data processing records.
  • Audit Requests: The Client may request an audit of Sarudo's data processing activities once per year, with at least 30 days' advance notice. Audits will be conducted during normal business hours and in a manner that minimizes disruption to Sarudo's operations.
  • Costs: The Client bears the costs of any audit, unless the audit reveals material non-compliance with this DPA, in which case Sarudo will bear the reasonable costs of the audit.

10. Term and Deletion

This Data Processing Agreement is effective for the duration of the Client's subscription to Sarudo's services:

  • During Subscription: Personal data is processed and retained as necessary to provide the AI Employee platform and related services throughout the active subscription period.
  • Upon Termination: Within 30 days of the termination of the Client's subscription, Sarudo will delete all personal data from the Client's dedicated infrastructure, including backups, unless retention is required by applicable law. The Client may request a data export before deletion.
  • Immediate Deletion: The Client may request immediate deletion of specific personal data at any time during the subscription period. Sarudo will process such requests within 14 business days.
  • Certification: Upon the Client's request, Sarudo will provide written certification confirming the deletion of all personal data.

11. Contact

For any questions or requests related to this Data Processing Agreement, please contact us at:

  • Email: hello@sarudo.com