Data Processing Addendum (DPA)

for the Provision of Software (“Charles Service”)

 

version dated April 22, 2025

 

 

 

Preamble

This Data Processing Addendum (“DPA”) is part of the Agreement between Charles GmbH, Gartenstraße 86-87, 10115 Berlin (“Charles”) and its Client as specified in the Commercial Agreement ("Client").

 

1. Subject Matter and Defined Terms

 

1.1       Subject Matter. This DPA applies to any Personal Data processed by Charles on behalf of the Client (“Client Data”). For all Client Data processed in the context of the Charles Service, the Client remains the Controller and Charles remains the Processor.

 

1.2       Defined Terms. All capitalized terms have the meanings set forth in this DPA or the Agreement; any term not defined herein shall have its meaning under applicable law.

 

2. Scope of Data Processing

 

2.1     Responsibilities of Charles and Client. Charles shall process Client Data in accordance with the data protection laws and regulations applicable in the European Union (EU) and, where applicable, the United Kingdom (UK) (jointly the “Data Protection Laws”) and with the instructions of the Client in line with this DPA. The Client remains solely responsible for the lawfulness of the processing of Client Data to the extent that the Client determines the details of Client Data processing within the Charles Service. In particular, the Client shall ensure that it has a valid legal basis for all processing it initiates, including obtaining all necessary consents from Data Subjects where required under applicable Data Protection Laws.

 

2.2     Details of Processing. All Client Data is processed as described in Annex 1 for the duration of this DPA. Anonymized data from which individuals can no longer be identified is not considered Client Data.

2.3     No discretionary disclosure. Charles shall not sell, share, or otherwise disclose Client Data for commercial purposes to anyone other than authorized Subprocessors, unless required to perform the Charles Service or with Client’s consent.

 

3. Charles’ Role and Client’s Right to Issue Instructions

 

3.1     Documented instructions. Charles shall process Client Data only in accordance with Client’s documented lawful instructions as set forth in this DPA, as necessary to comply with Data Protection Laws, or as otherwise agreed in writing. If Charles is required to process Client Data under Data Protection Laws, it shall inform the Client of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

3.2     Unlawful instructions. Charles shall promptly notify Client if it believes Client’s instructions violate Data Protection Laws. Charles may suspend processing on such instruction until Client confirms or modifies such instruction. Charles and the Client agree that the sole responsibility for the processing of Client Data in accordance with the instructions lies with the Client and that Charles shall assume no liability in this regard under the Agreement.

3.3     Confidentiality. Charles ensures that persons authorized to process Client Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

 

4. Responsibilities of Client


4.1     Provision of Personal Data. Client shall supply accurate Client Data for proper use of the Services. Failure to provide necessary data may impair the functionality of the Charles Service. When checking Charles’ results, Client shall promptly inform Charles of any errors or of any discrepancies with Data Protection Laws or its instructions.

4.2     Supporting Data Access Requests. If Charles is required to provide information about Client Data to authorities, Client shall promptly assist in fulfilling such requests.

 

5. Security of Data Processing

 

5.1     Adequate Technical and Organizational Measures (TOMs). Charles shall implement TOMs that comply with Article 32 GDPR to protect Client Data, ensuring the confidentiality, integrity, availability, and resilience of its systems. These TOMs, detailed in Annex 3, take into account the state of the art, costs, and risks to Data Subjects. Client is aware of these TOMs, and Charles is responsible for maintaining a security level appropriate to the risk. Charles shall adhere to any approved codes of conduct pursuant to Article 40 GDPR, where applicable and once adopted by the relevant supervisory authority.

5.2     Adapting Security Measures. Charles may change the agreed TOMs, provided that their level of protection is not materially lower than agreed and, in any event, the level of protection required under the Data Protection Laws is maintained. Substantial changes will be documented accordingly.


6. Charles AI Services

 

6.1     Client’s use of the Charles AI Services. This section 6 applies, in addition to the other obligations set out in this DPA, only insofar as the Client uses Charles’ AI Services as specified in the Commercial Agreement (“Charles AI Services”).

6.2     Responsibilities of Charles and Client. In the context of the Charles AI Services, Charles shall ensure compliance with all regulations on the use of AI applicable in the European Union (EU) (in particular the EU AI Act) and, where applicable, the United Kingdom (UK) (jointly the “AI Laws”). The Client remains solely responsible for the lawfulness of the processing of Client Data to the extent that the Client determines the details of Client Data processing within the Charles AI Services.

6.3     Charles measures. Charles shall implement reasonable technical and organizational measures to support the Client in fulfilling its transparency obligations towards Data Subjects, including, where required, ensuring that Contacts are informed when interacting with the Charles AI Services. Charles shall ensure that the Charles AI Services are designed and deployed in a manner that enables appropriate human oversight. Upon request, Charles shall provide a summary of the AI decision-making logic used in the Charles AI Services.

6.4     Client Data and Charles AI Services. No Client Data will be used for AI training purposes unless authorized by the Client. Unless explicitly instructed by the Client, the Charles AI Services shall not engage in automated decision-making that produces legal effects or similarly significant impacts on Data Subjects.

6.5     Temporary Data Caching. Personal Data processed by the Charles AI Services may be temporarily cached for up to 24 hours to optimize performance. The Client may opt out of caching at any time.

6.6     Accuracy and Limitations of AI-Generated Outputs. Charles will take commercially reasonable steps to reduce the risk of the Charles AI Services’ outputs containing errors, biases, or hallucinations (“Inaccuracies”). The Client nonetheless acknowledges that the outputs of the Charles AI Services may contain Inaccuracies from time to time. The Client is responsible for monitoring all AI-generated outputs and for informing Charles about any potential Inaccuracies without undue delay. Charles is not liable for decisions made by the Client or its Contacts within the Charles AI Services, nor for Inaccuracies in AI-generated content.

 

7. Engagement of Subprocessors

 

7.1     Authorization to Use Subprocessors. Client authorizes Charles to use Subprocessors for processing Client Data in accordance with this DPA and Data Protection Laws; a current list is included in Annex 2.

7.2     Subprocessor Compliance. Charles shall bind each Subprocessor to terms consistent with this DPA and remains responsible for their performance. Integration Partners are not considered Subprocessors.

7.3     New Subprocessors. Charles shall notify Client of any changes regarding Subprocessors. Client may object within 14 days, provided the objection is based on reasonable data protection grounds. If such objection remains unresolved in good faith, Client may terminate the Subscription with two weeks’ notice. In emergencies, Charles may replace a Subprocessor and will notify Client promptly, who may then object to the replacement.

 

8. Data Subjects' Rights and Claims

 

8.1     Support by Charles. Charles will implement measures to assist Client in responding to Data Subject requests under Data Protection Laws. If Client cannot fulfill a request, Charles will, upon request, use commercially reasonable efforts to assist and provide any available information on the relevant Client Data.

8.2     Forwarding Requests. If a Data Subject’s rights request regarding Client Data is sent directly to Charles, it shall, using commercially reasonable efforts, notify Client within five (5) business days and shall not respond to the request.

8.3     Defense against Claims by Data Subjects. If a Data Subject asserts claims against Client under Data Protection Laws, Charles shall reasonably support Client in defending those claims; this also applies, mutatis mutandis, to claims against Charles.

 

9. Cross-Border Transfer of Client Data

 

9.1     Processing Locations. Client Data shall primarily be processed within the EU/the EEA, with data “at rest” stored on EU-based servers where feasible. Charles may process Client Data outside the EEA if specified in this DPA or notified to Client.

9.2     Restricted Data Transfers. Client authorizes Charles to conduct transfers of personal data outside the EEA under conditions that comply with this DPA – based on an EU adequacy decision, Standard Contractual Clauses (EU-SCC), or another safeguard under Data Protection Laws.

 

10. Notification Obligations of Charles



10.1   Notification of Security Breaches. Charles shall notify Client of any personal data breach affecting Client Data without undue delay and, as a rule, within 48 hours of confirmation, including all available details to help Client meet its reporting obligations under Data Protection Laws.

10.2   Data Protection Impact Assessment and Searches, Seizures and Confiscations. Where required by Data Protection Laws, Charles shall assist Client with data protection impact assessments and supervisory authority consultations as reasonably necessary. If Client Data under this DPA is subject to search, seizure, or confiscation, Charles shall promptly notify Client and inform all relevant parties that Client is the responsible Data Controller.

10.3   Government Data Access Requests. If government authorities request or inquire about Client Data, Charles shall notify Client without undue delay, unless prohibited by applicable law.

 

11. Deletion and Return of Client Data

 

Charles corrects or deletes Client Data if requested by the Client and if permissible within the scope of the permitted instructions, or provides technical means that enable the Client to correct or delete this data. After termination of this DPA and the Subscription, Charles will, at Client’s choice, delete or return Client Data, unless retention is required by applicable law, agreed otherwise, or needed for billing. Charles may retain processing documentation after termination. After the termination date, Client Data will be securely archived for 12 months (unless termination is for cause or Client requests earlier deletion), with access limited to a dedicated administrator.

 

12. Compliance Documentation and Audits

 

12.1   Provision of Documentation. Charles shall provide evidence of its compliance with this DPA upon Client’s request by providing e.g. internal assessments, compliance policies, certifications, or audit summaries.

12.2   Audits. Where the provision of documentation is not sufficient to provide such evidence, and where audits by Client or an auditor appointed by Client are necessary, Client may conduct audits during normal business hours in Germany (Mon–Fri, 10 a.m.–5 p.m. CET) without interfering with Charles’ operations, after giving Charles prior notice of at least 3 business days. Prior to any audit, Charles and the Client must agree on its scope, timing, and duration. Charles may require a confidentiality agreement and may reject auditors who are competitors. Audits are generally limited to one day per calendar year unless otherwise agreed. Each Party shall bear its own costs in connection with audits.

 

13. Term and Termination

 

13.1   Term and termination of DPA. This DPA becomes effective on the Agreement Effective Date. For the avoidance of doubt, an isolated termination of this DPA, independent of the expiry or termination of the Agreement, is excluded.

 

14. Liability and Indemnification

 

14.1   Liability under this DPA. Liability under this DPA is governed by Article 82 GDPR, except as otherwise provided in this DPA or the Agreement, to the extent permitted by Data Protection Laws.

14.2   Responsibility; Limitation of Liability. Client is solely responsible for ensuring that the processing of Client Data (including via the Charles Services, Selected Messaging Channels, and Third-Party Services) complies with applicable laws and protects Data Subject rights. Charles is not liable for Data Subject claims resulting from Client’s instructions or non-compliance, nor is it required to monitor Client’s use of the Services.

14.3   Indemnification. If any third party (including Data Subjects) asserts claims against Charles due to the processing of Client Data under this DPA, Client shall indemnify Charles upon first request. Client also indemnifies Charles for any fines imposed as a result of Client’s predominant or sole responsibility for the infringement.

 

15. Final provisions

 

15.1   Points of Contact. Charles and the Client shall agree on contact persons for notifications regarding this DPA and data protection before the Subscription begins.

15.2   Changes and precedence. Charles may update this DPA with 30 days’ prior written notice (including by email or via the Charles Service). If the Client objects within that period and no agreement is reached, either Party may terminate the Agreement with 30 days’ notice. Continued use of the services after the notice period constitutes acceptance of the changes. In the event of a conflict with the Agreement on matters of data protection, this DPA prevails.

15.3   Severability. If any provision is invalid or unenforceable, the remaining provisions remain in effect, and the invalid term shall be deemed replaced by a valid one that closely reflects the original intent and thereby satisfies the requirements of Article 28 GDPR. The same applies to gaps.

15.4   Governing Law and Venue. The applicable law and legal venue are governed by the Agreement.

 

Annexes:

 

Annex 1:               Details of the Processing of Client Data

Annex 2:               Sub-Processors

Annex 3:               Technical and Organizational Measures (TOMs)

 

Annex 1: Details of the processing of Client Data

 

Purpose of data processing

Enabling conversational commerce on scale for the Client through a Software as a Service (SaaS) and related Success and Support Services as outlined in the Agreement.

Categories of Personal Data

Personal Data of Contacts of the Client. The extent and categories of Contact Personal Data collected are determined and controlled by the Client in its sole discretion; this may include but is not limited to Personal Data relating to the following categories:


  • Messenger IDs (e.g. WhatsApp name, cell phone number, and opt-in);
  • Conversations (e.g. message content including trigger events, interactions with message elements, text, audio, video, calls, or any attachments);
  • Additional Personal Details (e.g. contact details such as name, email, addresses, messaging channels’ account information; custom properties such as date of birth, gender, language, profile pictures; advertising or other personal preferences and history; loyalty IDs; feedback results; shopping history such as ordered products and individual discounts; service requests and claims).

 

Personal Data of the Client’s Authorized Users (including internal or external employees or agents of the Client) when using the Charles Service, for login purposes and updates, including


  • User Credentials (i.e. username or email, and password)
  • Business contact Details and Professional Details (such as e-mail, job title)
  • Usage and Technical Data (including browser, city and country code, user actions such as login/logoff with timestamps, productivity and performance metrics required to provide related Services)
  • Communication Data (such as with Support and Success Services)

 

By default, no sensitive data or payment data are processed. Client may submit sensitive data such as special categories of data to Charles as a part of its Client Data, the extent of which is determined and controlled by Client in its sole discretion.

Categories of Data Subjects

Client’s (potential) Contacts, Authorized Users (including business owners, employees, advisors, partners, agencies and freelancers)

 

Annex 2: Engaged Subprocessors

 

For Authorized Users and Contacts as specified in Annex 1

(Columns: Company; Contact Details; Type of Service and Processing Purpose; Categories of Data Subjects; Categories of Data Processed; Location and Safeguards)

Aiven Oy
Contact Details: Antinkatu 1, 00100 Helsinki, Finland
Type of Service and Processing Purpose: TimescaleDB; storing and processing event data for analytics purposes
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: Dedicated servers in the EU (GCP)

Atlassian Pty Ltd (DBA Jira)
Contact Details: Level 6, 341 George St, Sydney NSW 2000, Australia
Type of Service and Processing Purpose: Ticketing system for product development and software maintenance; project management for tracking bugs
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: EU; US transfers safeguarded by the EU-US Data Privacy Framework and EU-SCC

Cloudflare Inc.
Contact Details: 101 Townsend St., San Francisco, California 94107, United States
Type of Service and Processing Purpose: Error tracking and general IT security purposes, including firewall
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: US; safeguarded by the EU-US Data Privacy Framework and EU-SCC

Functional Software, Inc. dba Sentry
Contact Details: 132 Hawthorne St, San Francisco, CA 94107, United States
Type of Service and Processing Purpose: Troubleshooting, error tracking and logging of Client’s use of the Charles Service for IT security purposes
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: Dedicated servers in Germany/EU

Google Ireland Limited
Contact Details: Gordon House, Barrow Street, Dublin 4, Ireland
Type of Service and Processing Purpose: Google Cloud hosting and related services for Client Data (infrastructure); data security related services; Charles Service use metrics
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: Dedicated servers in Germany/EU

Google LLC
Contact Details: 1600 Amphitheatre Parkway, Mountain View, California 94043, USA
Type of Service and Processing Purpose: Google Vertex AI; machine learning platform for training and deployment of AI applications and language models for use in AI-powered applications
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: Dedicated servers in the Netherlands/EU

Meta Platforms Ireland Limited
Contact Details: Merrion Road, Dublin, D04X2K5, Co Dublin, Ireland
Type of Service and Processing Purpose: Hosting provider for any WhatsApp, Instagram, or Facebook services and Client’s own Meta Business Account
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: EU; data transfers to the US safeguarded by the EU-US Data Privacy Framework and EU-SCC

Prismatic Inc.
Contact Details: 5013 S Louise Ave #122, Sioux Falls, SD 57108, United States
Type of Service and Processing Purpose: Embedded integration platform (iPaaS) which allows Client to integrate external systems
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: Dedicated servers in Ireland/EU

Talend Inc. (by Qlik) / Qlik Tech Inc.
Contact Details: 211 S Gulph Rd Ste 500, King of Prussia, PA 19406, United States
Type of Service and Processing Purpose: Supporting data migration, transformation, loading and export (into/from Google Cloud Service)
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: Dedicated servers in Germany/EU

Weaviate B.V.
Contact Details: Prinsengracht 769A, 1017 JZ Amsterdam, The Netherlands
Type of Service and Processing Purpose: Storing Client’s data for use by AI Agents and searching for relevant data based on Contacts’ queries
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: Dedicated servers in the EU (GCP)

WhatsApp Ireland Limited
Contact Details: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Type of Service and Processing Purpose: WhatsApp Business Account; communication with Client’s Contacts (as Client’s selected messaging service provider)
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: Dedicated servers in Germany/EU; with temporary data storage elsewhere (“Data-in-use TTL”); transfers to the US safeguarded by the EU-US Data Privacy Framework and EU-SCC

Wiz, Inc.
Contact Details: One Manhattan West, 52nd Floor, New York, NY 10001, United States
Type of Service and Processing Purpose: Cloud security solution to identify and manage risks, providing visibility and threat detection across cloud environments
Categories of Data Subjects: All from Annex 1
Categories of Data Processed: All from Annex 1
Location and Safeguards: Dedicated servers in Germany/EU

 

For Authorized Users only as specified in Annex 1

(Columns: Company; Contact Details; Type of Service and Processing Purpose; Categories of Data Subjects; Categories of Data Processed; Location and Safeguards)

Inversoft Inc., dba FusionAuth
Contact Details: 1630 Welton Street, Denver, CO 80202, United States
Type of Service and Processing Purpose: Authentication for Authorized Users accessing the platform
Categories of Data Subjects: Authorized Users as outlined in Annex 1
Categories of Data Processed: All mentioned in Annex 1
Location and Safeguards: Dedicated servers in Germany/EU

Hubspot Germany GmbH
Contact Details: Am Postbahnhof 17, 10243 Berlin, Germany
Type of Service and Processing Purpose: Supporting Success Service provision to Client; provision of product insights and newsletters; occasional surveys
Categories of Data Subjects: Authorized Users as outlined in Annex 1
Categories of Data Processed: All mentioned in Annex 1
Location and Safeguards: Germany/EU; US transfers safeguarded by the EU-US Data Privacy Framework and EU-SCC

Intercom R&D Unlimited Company
Contact Details: 124 St. Stephen’s Green, Dublin 2, D02 C628, Ireland
Type of Service and Processing Purpose: Provision of Customer Support Services to Client; ticketing system for spotting and reporting bugs
Categories of Data Subjects: Authorized Users as outlined in Annex 1
Categories of Data Processed: All mentioned in Annex 1
Location and Safeguards: Dedicated servers in Ireland/EU

Vitally Inc.
Contact Details: 185 Wythe Ave, F2, Brooklyn, NY 11249, United States
Type of Service and Processing Purpose: Provision of Success Services to Client; supporting productive use of the Charles Service (limited to specific Client use cases)
Categories of Data Subjects: Authorized Users as outlined in Annex 1
Categories of Data Processed: All mentioned in Annex 1
Location and Safeguards: Dedicated servers in Sweden/EU

 

In addition to the above service providers, Charles may rely on additional service providers for common communication services such as Office 365 (including, inter alia, Microsoft Outlook and Microsoft Teams) or Slack by Slack Inc. (Salesforce Group). All of these service providers transfer personal data outside the EEA only under conditions that comply with this DPA, i.e. based on an EU adequacy decision, Standard Contractual Clauses (EU-SCC), or another safeguard under Data Protection Laws.

 

Annex 3: Technical and Organizational Measures (TOMs)

 

The following section outlines Charles’ technical and organizational measures for protecting Client Data pursuant to Article 32 GDPR and based on the Accountability Framework recommendations for records management and security of the Information Commissioners Office (ICO). Charles may develop, enhance or otherwise change the measures anytime to ensure an appropriate state-of-the-art level of protection of Client Data in accordance with GDPR and other applicable regulations and Information Security certifications. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Client Data. 

 

1. Compliance and Certification

 

a) ISO 27001-certified Information Security Management System with procedures for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures (Article 32(1)(d) GDPR), including reviews by senior leadership, mandatory data protection and IT security training for all internal and external, temporary and permanent employees, as well as regular internal and external audits and penetration testing.


2. Data Security and Data Retention

 

a) A retention concept based on business need considering storage purposes and statutory requirements.
b) Regularly applying and reviewing pseudonymization and anonymization measures to assess and enhance Client Data minimization in retention and archiving.
c) Data Loss Prevention (DLP) procedures are utilized to monitor and control sensitive information stored or accessed on systems.
d) No Client Data on hardcopy documents/printouts, enforced by internal policy.
e) Disposal of hardcopies in secured areas and by way of professional service providers.

 

3. Hosting and Cloud Security

 

a) Charles Platform is hosted on Google Cloud Platform (GCP) in the EU.
b) Cloud infrastructure undergoes continuous and automated scanning for misconfigurations, vulnerabilities, and suspicious activities.
c) All services are delivered through a Content Delivery Network with a Web Application Firewall.
d) Intrusion detection systems on vital systems processing Client Data.
e) Infrastructure provisioning and management are handled through Infrastructure-as-Code (IaC).

 

4. Physical and Mobile Device Security

 

a) Charles employees are required to use company-issued devices equipped with the following security measures: (i) enforced anti-virus/malware protection, (ii) disk encryption, (iii) removable storage media limitations, (iv) automatic screen locking after a specified period, (v) web content filtering and (vi) secure wiping or destruction of Client Data on mobile devices. These controls are centrally managed through Mobile Device Management (MDM).
b) Logging of disposal of equipment and physical information assets.
c) Centrally monitored compliance with the acceptable use policy.

 

5. Physical Security

 

a) No infrastructure is hosted on-premises; the Charles Platform is exclusively cloud-based.
b) Protected Secure Areas by entry controls including locked doors, alarm system and monitored CCTV.
c) Visitor protocols including approval and signing-in procedures and escorted access.
d) Clean desk policy enforced across the organization where Client Data is processed.

 

6. Development Security

 

a) Enforcement of a strict separation of environments. Client Data is never stored or accessed in development environments.
b) Enforce branch protection rules and require peer reviews and approvals for code changes prior to production deployment.
c) Every code modification must adhere to established internal change management procedures.
d) Automated security scanning for each code commit.

 

7. Vulnerability and Patch Management

 

a) Vulnerability scans of vital systems processing Client Data.
b) Patch management procedures in place for systems processing Client Data.
c) Annually conducted penetration test for the Charles Platform.

 

8. Access Control

 

a) Restricted access to systems or applications processing Client Data.
b) Only authorized users are allowed, requiring practices such as Single-Sign-On (SSO), Multi-Factor Authentication (MFA), and secure credentials.
c) Protections against unauthorized access or disclosure of Client Data on approved devices (e.g., laptops) include VPN and SSO, and Remote Virtual Desktop environments.
d) Regular review of users’ access rights for critical applications and services.
e) Central enforcement of password policies for critical systems. Provision and obligatory use of a password manager is required.

 

9. Encryption and Key Management

 

a) Controls to safeguard the confidentiality and integrity of Client Data passing over public networks or over wireless networks and to protect the connected systems and applications.
b) Encryption of data in transit using TLS 1.2 or higher, and data at rest using AES-256.
c) Employing GCP's Cloud Key Management Service for secure encryption key management.

 

10. Logging and Monitoring

 

a) All physical devices and the cloud infrastructure generate logs, which are retained for a sufficient period of time.
b) Logging and monitoring user and system activity to detect unusual behaviour and events.
c) Logging of user access to relevant systems holding Client Data.
d) Detection and response are centralized across all log sources via a Security Information and Event Management (SIEM) system.

 

11. Backup, Business Continuity and Disaster Recovery Management

 

a) Regularly (at least annually) tested Backup, Business Continuity and Disaster Recovery Plans.

b) Leveraging GCP functionality to maintain continuous backups of Client Data.

 

12. Incident Management

 

a) Regularly (at least annually) tested Incident Management Procedure.

b) The Incident Management Procedure is automated and incorporated into security training and onboarding sessions for employees.

c) Market standard cyber security insurance for security incidents by a reputable international insurer.

 

13. Organizational Security

 

a) Regular risk assessments are conducted on all assets related to information security.

b) Regular security and compliance training for all employees.

c) All Charles employees and contractors undergo pre-employment reference and/or background checks in accordance with internal policies and applicable laws.

d) All Charles employees and contractors are required to sign a confidentiality agreement before starting their employment.

e) Documented and standardized onboarding and offboarding processes.

f) Vendor risk management is performed for all critical vendors.