Data Processing Addendum
Last modified: July 6, 2026
This Data Processing Addendum (including all Schedules attached hereto, the "DPA") is incorporated into, and is subject to the terms and conditions of, the Terms of Service or other written or electronic agreement ("Agreement") between GrowthX AI, Inc. (the "Company") and the entity identified as "Customer" in the Agreement ("Customer"). This DPA applies to the extent the Company's Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.
1. Definitions
For the purposes of this DPA:
"Customer Personal Data" means the Personal Data described under Schedule 1 to this DPA;
"Data Protection Laws"means all laws relating to data protection and privacy applicable to the Company's Processing of Customer Personal Data in any jurisdiction where Customer and/or the Company operates, including without limitation, European Data Protection Law and the laws and regulations of the United States and its states, as amended from time to time, to the extent applicable to the relevant party;
"Data Subjects" means the individuals identified in Schedule 1;
"European Data Protection Law"means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all other privacy and data protection laws of the European Economic Area ("EEA"), and their respective Member States, Switzerland and the United Kingdom ("UK"), including without limitation the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (the "UK GDPR"), and all laws implementing or supplementing the foregoing.
"Personal Data" means any information that reasonably relates, directly or indirectly, to an identified or identifiable Data Subject;
"Processing"(including its cognates "Process" and "Processed") means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"Security Incident" means a material and confirmed breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Customer Personal Data; and
"Standard Contractual Clauses"means (i) Module 2 of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj (the "EU SCCs").
"UK Addendum"means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner's Office, in force as of 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Processing of Customer Personal Data
The Company will Process Customer Personal Data on behalf of Customer and in accordance with Customer's prior written instructions, including any instructions provided through Customer's use of the Service. The Company is hereby instructed to Process Customer Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA and in accordance with Data Protection Laws.
The Company will inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws, unless it is prohibited from doing so by law on important grounds of public interest.
The details of the Company's Processing of Customer Personal Data are described in Schedule 1.
If applicable laws preclude the Company from complying with Customer's instructions, the Company will inform Customer of its inability to comply with the instructions, to the extent permitted by law.
Each of Customer and the Company will comply with their respective obligations under the Data Protection Laws.
3. Restricted Data Transfers
In the event that Customer is subject to European Data Protection Law and the transfer of Customer Personal Data to the Company would be restricted in the absence of the Standard Contractual Clauses, the parties agree that the Standard Contractual Clauses shall be incorporated into this DPA with Customer as the "data exporter" and the Company as the "data importer."
For purposes of the EU SCCs the parties agree that:
- In Clause 7, the optional docking clause will not apply;
- In Clause 9, Option 2 will apply and the time period for prior notice of Subprocessor changes will be as set forth in Section 5.1 of this DPA;
- In Clause 11, the optional language will not apply;
- For the purpose of Clause 17, the EU SCCs shall be governed by the laws of Ireland;
- For the purpose of Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;
- For Annex I, Section A (List of Parties), (i) the data exporter's and the data importer's identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a controller, and the Company is a processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party's signature of Annex I, Section A, as of the effective date of this DPA;
- For Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes the Company's Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Services); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) the Company uses Subprocessors to support the provision of the Services.
- For Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to the Company. Unless and until Customer communicates a competent supervisory authority to the Company, the competent supervisory authority shall be the Irish Data Protection Commission.
- For the purposes of Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described in Schedule 2.
For the purposes of the UK Addendum, the parties agree that Part 1, tables 1, 2 and 3 of the UK SCCs will be deemed to be completed like the equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is the importer.
4. Confidentiality and Security
The Company will require the Company's personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data.
The Company will implement commercially reasonable technical and organisational measures, as further described in Schedule 2, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
To the extent required by Data Protection Laws, the Company will provide Customer with additional reasonable assistance, at Customer's expense, as necessary for the fulfilment of Customer's obligations under Data Protection Laws to maintain the security of Customer Personal Data.
5. Subprocessing
Customer agrees that the Company may use third-party suppliers to Process Customer Personal Data ("Subprocessors") in accordance with the terms of this DPA by posting to website https://growthx.ai/legal/subprocessors which shall have a mechanism allowing Customer to subscribe to notifications of new Subprocessors (the "Notification Mechanism"), and sending email notification to Customers who have subscribed to the Notification Mechanism. If Customer does not subscribe to such notifications, Customer shall be deemed to have received notice of a new Subprocessor when such changes are posted to the Subprocessors list website. In response to Customer's reasonable objection, the parties will work together in good faith to determine an appropriate resolution.
The Company will impose on its Subprocessors substantially the same obligations that apply to the Company under this DPA. The Company will be liable to Customer for any breaches of this DPA caused by its Subprocessors' acts and omissions as it would be for its own.
6. Data Subject Rights
Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data ("Requests"). If the Company receives any Requests during the term, the Company will advise the Data Subject to submit the request directly to Customer. The Company will provide Customer with self-service functionality or other reasonable assistance to permit Customer to respond to Requests.
7. Security Incidents
Upon becoming aware of a Security Incident affecting Customer Personal Data, the Company will (i) promptly take measures designed to remediate the Security Incident and (ii) notify Customer without undue delay. Customer is solely responsible for complying with Security Incident notification requirements applicable to Customer. At Customer's request, the Company will reasonably assist Customer's efforts to notify Security Incidents to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. The Company's notice of or response to a Security Incident under this Section 7 will not be an acknowledgement or admission by the Company of any fault or liability with respect to the Security Incident.
8. Data Protection Impact Assessment; Prior Consultation
Taking into account the nature of the Processing and the information available to the Company, the Company will reasonably assist Customer, at Customer's expense, in conducting data protection impact assessments and consultation with data protection authorities if Customer is required to engage in such activities under applicable Data Protection Laws and such assistance is necessary and relates to the Processing by the Company of Customer Personal Data.
9. Deletion of Customer Personal Data
Customer instructs the Company to delete Customer Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in Clause 8.5 of the EU SCCs and Clause 12 of the UK SCCs, if applicable, shall be provided only upon Customer's written request. Notwithstanding the foregoing, the Company may retain Customer Personal Data to the extent and for the period required by applicable laws, and in compliance with the Company's retention policies, provided that the Company maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
10. Audits
Customer may audit the Company's compliance with its obligations under this DPA up to once per year. The Company shall contribute to such audits to the extent required under applicable Data Protection Laws governing the Company's processing of Customer Personal Data. In addition, Customer may perform more frequent audits in the event: (1) the Company suffers a Security Incident affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding the Company's compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. The Company will contribute to such audits by providing Customer or Customer's regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.
To request an audit, Customer must submit a detailed proposed audit plan to privacy@growthx.ai at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Customer intends to appoint to perform the audit. The Company will review the proposed audit plan and provide Customer with any concerns or questions (for example, the Company may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise the Company confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least 30 days in advance of the proposed audit start date. Nothing in this Section 10 shall require the Company to breach any duties of confidentiality.
The Company may object to third party auditors that are, in the Company's reasonable opinion, not suitably qualified or independent, a competitor of the Company, or otherwise manifestly unsuitable. Customer will appoint another auditor or conduct the audit itself if the parties cannot resolve the objection after negotiating in good faith.
If the requested audit scope is addressed in an SOC 2, ISO, NIST or similar audit report performed by a qualified third party auditor on the Company's systems that Process Customer Personal Data ("Audit Reports") within twelve (12) months of Customer's audit request and the Company confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.
The audit must be conducted at a mutually agreeable time during regular business hours at the applicable business facility, subject to the agreed final audit plan and the Company's health and safety or other relevant policies and may not unreasonably interfere with the Company business activities.
Any audits are at Customer's expense and Customer will promptly disclose to the Company any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.
The parties agree that the audits described in Clause 8.9 of the EU SCCs and Clause 5(f) of the UK SCCs, if applicable, shall be performed in accordance with this Section 10.
11. Analytics Data
Customer acknowledges and agrees that the Company may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject ("Analytics Data"), and use, publicize or share with third parties such Analytics Data to improve the Service and for the Company's other legitimate business purposes in accordance with Data Protection Laws.
12. Liability
Each party's liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
Customer acknowledges that the Company is reliant on Customer for direction as to the extent to which the Company is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. Consequently, the Company will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by the Company in compliance with Customer's instructions or (b) from Customer's failure to comply with its obligations under the Data Protection Laws.
13. California Consumer Privacy Act
To the extent the Company Processes Personal Data of California residents on behalf of Customer, the parties acknowledge that Customer is acting as a "Business" (or as a "Service Provider" to other Businesses) and the Company is acting as a "Service Provider" to Customer within the meaning of the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq., as amended by the California Privacy Rights Act) ("CCPA").
The Company hereby certifies that it understands and will comply with the restrictions applicable to Service Providers under the CCPA and all implementing regulations. In addition, the Company shall not:
(a) Sell or Share Customer Personal Data as those terms are defined under the CCPA;
(b) Retain, use, or disclose Customer Personal Data for any purpose other than the Business Purposes specified in this DPA and the Agreement, except as otherwise permitted by the CCPA;
(c) Retain, use, or disclose Customer Personal Data outside of the direct business relationship between the parties; or
(d) Combine Customer Personal Data received from or on behalf of Customer with Personal Data received from or collected in connection with any other customer, or collected from the Company's own interactions with consumers, except as permitted under the CCPA.
The Company shall notify Customer if the Company determines that it can no longer meet its obligations as a Service Provider under this Section 13. Upon receiving such notice, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
14. General Provisions
With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
Schedule 1: Details of Processing
1. Categories of Data Subjects
This DPA applies to the Company's Processing of Customer Personal Data relating to Customer's employees, contractors, clients/consumers, and other authorized users of the Service ("Data Subjects").
2. Types of Personal Data
The extent of Customer Personal Data Processed by the Company is determined and controlled by Customer in its sole discretion and includes account and authentication data (name, email, credentials), usage and behavioral data (platform interactions, analytics), website visitor data received through third-party integrations, content and materials uploaded by Customer that may contain Customer Personal Data, and any other Personal Data that may be transmitted through the Service.
3. Subject-Matter and Nature of the Processing
Customer Personal Data will be subject to the Processing activities that the Company needs to perform in order to provide the Service pursuant to the Agreement.
4. Purpose of the Processing
The Company will Process Customer Personal Data for purposes of providing the Service as set out in the Agreement.
5. Duration of the Processing
Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.
Schedule 2: Security Measures
The Company will implement and maintain the security practices and procedures set out in this Schedule 2.
- Organizational management and staff responsible for the development, implementation and maintenance of the Company's information security program.
- Periodic review and assessment of risks to the Company's organization, monitoring and maintaining compliance with Company's policies and procedures, and reporting the condition of its information security and compliance to internal senior management as appropriate.
- Data security controls which include logical segregation of data, restricted (e.g., role-based) access and monitoring, and use of commercially available and industry standard encryption technologies for Customer Personal Data as appropriate.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
- Authentication controls designed to manage and control password strength, password management requirements, multi-factor authentication, and single sign-on (SSO) for assigned Company credentials as appropriate.
- Change management procedures and tracking mechanisms designed to test, approve and monitor changes to the Company's technology and information assets.
- Incident response procedures design to allow the Company to investigate, respond to, mitigate and notify events related to Company's technology and information assets.
- Network security controls that provide for the use of firewalls and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack, as appropriate.
- Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
- Logging controls including authentication, access, and system activity monitoring designed to record security-relevant events, detect anomalous behavior, support incident investigation, and maintain audit trails for a commercially reasonable retention period.