Privacy policy.

Last Updated: September 11, 2024

1. IMPORTANT TERMS

This Eximus Data Processing Addendum (the “DPA”) governs Eximus’ processing of DPA Data that is required to provide the Service under the Terms of Service or other agreement between You and Eximus pertaining to the use of Eximus’ software-as-a-service offering (the “Agreement”). This DPA is part of your Terms with Eximus. In the event of any conflicting language between the Agreement, the other Terms, or any operative Order Form, the terms of this DPA control.

You and Eximus each agree to comply with their respective obligations under Data Protection Law.

Data Processing Roles

As between You and Eximus, You are the Data Controller, and Eximus is the Data Processor, processing DPA Data on Your behalf.

Data Processing Purposes

Eximus will process DPA Data as your Data Processor to: (i) provide or maintain the Service; and (ii) for the purposes set forth in this DPA and the Agreement. Eximus acknowledges that you are disclosing DPA Data for these limited and specific purposes.

2. DEFINITIONS

The definitions in Section 15 (Defined Terms) apply to this DPA. All terms in quotation marks in the body of this DPA are also defined terms. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.

3. PROCESSING REQUIREMENTS

As a Data Processor, Eximus will:

3.1. Process DPA Data on Your behalf, according to Your instructions, and only in a manner that is necessary for the performance of the Service. Specifically, Eximus agrees to process DPA Data: (i) for the purpose of providing, providing access to, servicing, and supporting Your use of the Service; and (ii) in compliance with the instructions received from You;

3.2. Promptly notify You in writing if it cannot comply with the requirements of this DPA;

3.3. Promptly inform You if, in Eximus’ opinion, an instruction from You infringes applicable Data Protection Law; and

3.4. Ensure that all persons authorized by Eximus to process DPA Data are subject to a duty of confidentiality.

4. SUBPROCESSORS

Eximus will:

4.1. Engage the organizations or persons listed at eximus.ai/legal/subprocessors (the “Subprocessor List”) as necessary to perform the Service. You consent to Eximus’ use of its existing Subprocessors and grant Eximus a general written authorization to engage Subprocessors to perform all or part of the processing activities required to provide the Service. If You subscribe to receive email notifications at the Subprocessor List, then Eximus will notify You if Eximus intends to add one or more Subprocessors to the list at least 30 days before the change takes effect. You may, within fifteen (15) days of receiving the notice, reasonably object to Eximus’ use of a Subprocessor on reasonable grounds relating to the protection of DPA Data (the “Objection”) by following the instructions set forth in the Subprocessor List or by contacting privacy@eximus.ai (the “Objection Notice”). If You object, Eximus may address the Objection through one of the following options: (i) offer an alternative to provide the Service without such Subprocessor; (ii) take corrective steps requested by You in the Objection Notice; (iii) temporarily or permanently cease providing the affected Service feature; or (iv) cease processing DPA Data. If none of these options are commercially feasible, and the Objection remains unresolved within thirty (30) days, either party may terminate applicable subscriptions or usage for cause. In such cases, You will receive a refund for any prepaid but unused fees. This termination right is Your exclusive remedy for objecting to a new Subprocessor.

4.2. Enter into contractual arrangements with each Subprocessor binding them to provide the same level of data protection and information security as provided in this DPA. Eximus remains fully liable to You for each Subprocessor’s performance of data protection obligations.

5. NOTICE TO CUSTOMER

Eximus will inform You, to the extent legally permitted, if Eximus receives:

5.1. Any legally binding request for disclosure of DPA Data by a law enforcement authority. If prohibited from notifying You, Eximus will use best efforts to request a waiver and will document that request. Eximus will notify You once the prohibition is lifted.

5.2. Any notice, inquiry, or investigation by a Supervisory Authority regarding DPA Data.

5.3. Any complaint or request from a Data Subject exercising their rights under Data Protection Law. Other than requesting further information or identifying the Data Subject, Eximus will not respond to such requests without Your prior authorization.

6. PERSONAL DATA BREACH

If Eximus experiences any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to DPA Data (“Personal Data Breach”), Eximus will notify You according to the timeframe in the Security Addendum, incorporated into this DPA.

7. ASSISTANCE TO CUSTOMER AND AUDITS

Upon Your written request, Eximus will assist You with:

7.1. Data Subject Requests related to Eximus’ Processing of DPA Data;

7.2. Data protection impact assessments related to the Processing of DPA Data by Eximus;

7.3. Audits to confirm compliance with this DPA, as set out in the Security Addendum.

8. REQUIRED PROCESSING

If Eximus is legally required to Process DPA Data outside of Your instructions, Eximus will notify You unless legally prohibited.

9. SECURITY

Eximus will:

9.1. Implement and maintain a security program as outlined in the Security Addendum to protect DPA Data;

9.2. Ensure personnel authorized to Process DPA Data adhere to security requirements.

10. US-SPECIFIC DATA PROTECTION OBLIGATIONS

Eximus certifies compliance with US State Privacy Laws, including prohibiting the sale of DPA Data and only processing data per lawful purposes.

11. CUSTOMER OBLIGATIONS

You represent and warrant having necessary rights to provide DPA Data and agree to cooperate with Eximus for data requests.

12. CROSS-BORDER DATA TRANSFERS

Data transfers to Eximus in the United States must comply with applicable Data Protection Law.

13. FUTURE AI REGULATIONS

Both parties will review the DPA if new AI-specific regulations are implemented.

14. RETENTION PERIOD

The DPA remains in effect while Eximus Processes DPA Data on Your behalf or until termination of the Agreement.

15. DEFINED TERMS

Refer to Section 15 for definitions such as Data Controller, Data Processor, and Data Protection Law.

Unlock the potential of personalized AI with ELI by Eximus