Last Updated May 11, 2025

Data Processing Addendum

This Data Processing Addendum ("DPA" or "Addendum") supplements the Terms of Service (the "Principal Agreement") and applies to all customers ("Customer" or "you") who use our services.



Thatworks.xyz Inc ("Provider," "we," "us," or "our"), a Delaware corporation with a business registered at 2140 South Dupont Highway, Camden, DE 19934, USA, provides this DPA to explain how we process personal data on behalf of our customers.



This DPA is automatically incorporated into your agreement with us when you use our services. For customers who require a signed version of this DPA, please contact us at privacy@thatworks.ai.

BACKGROUND

(A) Provider offers an AI-powered platform for delivering automated insights, summaries, and contextual work reports, which may process personal data on behalf of its customers.



(B) Customer wishes to use Provider's services in accordance with the Principal Agreement.



(C) The Parties have agreed to enter into this DPA to ensure compliance with applicable Data Protection Laws with respect to Personal Data processed by Provider on behalf of Customer.

1. DEFINITIONS

1.1. In this DPA, the following terms shall have the meanings set out below:



"Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Principal Agreement, including but not limited to: (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (ii) the UK GDPR and Data Protection Act 2018; (iii) the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"); (iv) the Virginia Consumer Data Protection Act ("VCDPA"); (v) the Colorado Privacy Act; and (vi) any other applicable data protection or privacy laws;



"AI Processing" means the use of artificial intelligence, machine learning, or automated systems to analyze, process, or generate insights from Personal Data;



"Controller," "Processor," "Data Subject," "Personal Data," "Process," "Processing," "Special Categories of Personal Data," and "Supervisory Authority" shall have the meanings given to them in Applicable Data Protection Laws;



"Customer Data" means any data, including Personal Data, provided by or on behalf of Customer to Provider for Processing pursuant to the Principal Agreement;



"Customer Personal Data" means the Personal Data contained within Customer Data;



"Data Protection Impact Assessment" means an assessment of the impact of the envisaged Processing operations on the protection of Personal Data, as required by Applicable Data Protection Laws;



"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data;



"Risk Committee" means Provider's committee consisting of internal personnel and at least one independent member that has oversight responsibilities related to internal security controls;



"Services" means the services provided by Provider to Customer pursuant to the Principal Agreement;



"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to processors established in third countries adopted by the European Commission or by a Supervisory Authority and approved by the European Commission;



"Subprocessor" means any Processor engaged by Provider to Process Customer Personal Data.



1.2. Terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement or Applicable Data Protection Laws.

2. PROCESSING OF PERSONAL DATA

2.1. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer may act either as a controller or processor and, except as expressly stated in this Addendum or the Principal Agreement, Provider is a processor.



2.2. Details of Processing. Appendix 1 to this DPA sets out the subject matter, nature and purpose of the Processing, the types of Customer Personal Data, and categories of Data Subjects.



2.3. Compliance with Instructions. Provider shall Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country or an international organization, unless required to do so by Applicable Data Protection Laws; in such a case, Provider shall inform Customer of that legal requirement before Processing, unless prohibited by law.



2.4. Authorized Personnel. Provider shall ensure that persons authorized to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All Provider employees sign confidentiality agreements upon hire as required by our People Security Policy.

3. AI PROCESSING REQUIREMENTS

3.1. Transparency. Provider shall: (a) Provide clear information about how AI Processing is used within the Services; (b) Explain how Customer Personal Data is processed by our AI systems; and (c) Notify Customer of material changes to our AI systems that may affect the Processing of Customer Personal Data.



3.2. Control and Fairness. Provider shall: (a) Implement measures to ensure AI Processing delivers consistent, accurate, and fair results; (b) Take reasonable steps to identify and mitigate unfair bias in AI Processing; and (c) Ensure AI models do not use Customer Personal Data beyond the purposes specified in this DPA.



3.3. Data Minimization. Provider shall ensure that only the Customer Personal Data necessary for the functioning of Provider's AI systems is used for AI Processing.

4. SECURITY

4.1. Security Measures. Provider shall implement appropriate technical and organizational measures to protect Customer Personal Data, including measures to ensure the ongoing confidentiality, integrity, availability, and resilience of systems processing Customer Personal Data. The specific security measures implemented by Provider are set out in Appendix 2 to this DPA and align with our Information Security Policy.



4.2. Security Incidents. Provider shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data and shall provide reasonable information and cooperation to Customer regarding the breach.

5. SUBPROCESSING

5.1. General Authorization. Customer provides general authorization for Provider to engage Subprocessors, provided that Provider: (a) Maintains an up-to-date list of its Subprocessors on Provider's website at https://thatworks.ai/legal/subprocessors, including their locations and the Processing activities they perform; (b) Enters into a written agreement with each Subprocessor imposing data protection obligations not less protective than those in this DPA; and (c) Remains fully liable to Customer for the performance of the Subprocessor's obligations.



5.2. Changes to Subprocessors. Provider shall give notice to Customer of any intended changes concerning the addition or replacement of Subprocessors, thereby giving Customer the opportunity to object to such changes on reasonable grounds within 10 business days of being notified. If Customer objects to a new Subprocessor, Provider shall make reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's use of the Services to avoid Processing of Customer Personal Data by the objected-to Subprocessor. If Provider is unable to make available such change within a reasonable period of time, which shall not exceed 30 days, Customer may terminate the affected parts of the Services by providing written notice to Provider.



5.3. Vendor Review. Provider assesses all Subprocessors based on their criticality and risk before engagement and reviews them at least annually thereafter, as outlined in our Vendor Management Policy.

6. DATA SUBJECT RIGHTS

6.1. Assistance with Data Subject Requests. Provider shall, taking into account the nature of the Processing, assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests for exercising the Data Subject's rights under Applicable Data Protection Laws.



6.2. Direct Data Subject Requests. If Provider receives a request from a Data Subject to exercise the Data Subject's rights under Applicable Data Protection Laws with regard to Customer Personal Data, Provider shall: (a) Promptly notify Customer of the request; (b) Not respond to the request except on the documented instructions of Customer or as required by Applicable Data Protection Laws; and (c) Provide Customer with cooperation and assistance in relation to the request.

7. PERSONAL DATA BREACH

7.1. Notification. Provider shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.



7.2. Information to be Provided. The notification shall: (a) Describe the nature of the Personal Data Breach; (b) Communicate the name and contact details of Provider's data protection contact; (c) Describe the likely consequences of the Personal Data Breach; and (d) Describe the measures taken or proposed to address the Personal Data Breach.



7.3. Assistance. Provider shall cooperate with Customer to investigate and remediate the Personal Data Breach following our established Incident Management Policy and procedures.

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

8.1. Provider shall provide reasonable assistance to Customer with any Data Protection Impact Assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required by Applicable Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Provider.

9. DELETION OR RETURN OF CUSTOMER PERSONAL DATA

9.1. Provider shall, at the choice of Customer, delete or return all the Customer Personal Data to Customer after the end of the provision of Services relating to Processing, and delete existing copies unless Applicable Data Protection Laws require storage of the Customer Personal Data.



9.2. Provider retains Customer Personal Data only for as long as necessary to fulfill its purposes unless otherwise required by law or to meet legal and customer contractual obligations, in accordance with our Data Handling Policy. As specified in our Information Security Policy, we securely dispose of Sensitive and Confidential data following defined processes once it is no longer necessary for legal, regulatory, or business requirements or it has reached the end of its retention period.



9.3. Upon termination of the Services, Provider will securely dispose of Customer Personal Data using appropriate methods, including:



  • Purging and deleting data from all system components using a secure wipe program in accordance with industry-accepted standards for secure deletion

  • Destroying any data that is in a hard copy format through appropriate means such as cross-shredding

  • For electronic media stored on system components no longer in use, disposing of data through disintegration, shredding, pulverization, or incineration as appropriate



9.4. Instances of customer data disposal are tracked via a ticketing system to document the steps taken to complete the removal.

10. AUDIT RIGHTS

10.1. Upon request, Provider shall make available to Customer information necessary to demonstrate compliance with this DPA, which may include third-party certifications or audit reports.



10.2. No more than once per year, Customer may request an audit of Provider's data protection practices relevant to Customer Personal Data processed under this DPA. Any such audit shall be: (a) Subject to reasonable confidentiality provisions; (b) Conducted during normal business hours and with reasonable advance notice; and (c) Limited to the Customer Personal Data processed under this DPA.

11. INTERNATIONAL TRANSFERS

11.1. Provider shall not transfer Customer Personal Data outside of the European Economic Area (EEA), the United Kingdom, or Switzerland without the prior written consent of Customer.



11.2. When Provider transfers Customer Personal Data to a country not recognized by the European Commission as providing an adequate level of protection for Personal Data (and without any other valid transfer mechanism), the Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA as set out in Appendix 3.

12. GENERAL TERMS

12.1. Governing Law. This DPA shall be governed by the laws of Delaware, USA.



12.2. Order of Precedence. In the event of any conflict or inconsistency between the provisions of this DPA and the Principal Agreement or any other agreement between the Parties, the provisions of this DPA shall prevail.



12.3. Changes in Data Protection Laws. The Parties agree to negotiate in good faith to amend this DPA as necessary to comply with new or amended data protection requirements to which either or both of the Parties are subject.



12.4. Severability. Should any provision of this DPA be invalid or unenforceable, the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

13. EXECUTION

This DPA is automatically incorporated into the Principal Agreement between Provider and Customer. Customers who require a signed version of this DPA may request one by contacting privacy@thatworks.ai. Upon such request, Provider will provide a version of this DPA for signature by both parties.



For questions about this DPA or to exercise any rights hereunder, please contact us at:

Thatworks.xyz Inc

Attn: Data Protection Officer

2140 South Dupont Highway,

Camden, DE 19934, USA

Email: privacy@thatworks.ai




APPENDIX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

Subject matter of Processing: Provider processes Customer Personal Data as necessary to provide its AI-powered platform for delivering automated insights, summaries, and contextual work reports in accordance with the Principal Agreement.



Duration of Processing: Provider will Process Customer Personal Data for the duration of the Principal Agreement, plus any additional period during which Provider is legally required to retain Customer Personal Data. As specified in our Information Security Policy, backups in AWS and Microsoft Azure are retained for sixty (60) days.



Nature and purpose of Processing: Provider will Process Customer Personal Data for the purpose of providing the Services to Customer, including:



  • Providing access to and use of That Works

  • Generating automated insights, summaries, and reports

  • Improving the models used within the Services (using anonymized or aggregated data only)

  • Creating and managing user accounts and authentication

  • Providing customer and technical support

  • Monitoring service performance and optimizing the Services

  • Ensuring security and preventing fraud or unauthorized access

  • Generating analytics and metrics about Customer's use of the Services

  • Helping teams stay current on critical information without manual check-ins or searching for context

  • Complying with applicable legal obligations



Types of Personal Data: Customer Personal Data may include the following types of Personal Data:



  • Contact information (name, email address)

  • Account credentials and authentication data

  • User preferences and configuration settings

  • Usage data and analytics

  • IP addresses and other online identifiers

  • Content and data uploaded by Customer or its users into the Services

  • Metadata associated with Customer's use of the Services

  • Communication content and context (from integrated systems)



Based on our Data Handling Policy, we classify data as:



  • Sensitive: Most sensitive business information with strictly limited access (e.g., passwords, encryption keys)

  • Confidential: Less sensitive business information intended for use solely by the Company and/or its customers (including Personally Identifiable Information (PII), balance sheets, income statements, internal market research, audit reports)

  • Public: All other information that does not clearly fit into the above classifications



Provider does not intentionally collect or process Special Categories of Personal Data.

Categories of Data Subjects: Customer Personal Data may concern the following categories of Data Subjects:

  • Customer's employees, contractors, and authorized users

  • Customer's clients or customers (if applicable)

  • Other individuals whose data is provided to the Services by Customer or its users


APPENDIX 2: SECURITY MEASURES

Provider implements and maintains the following technical and organizational security measures to protect Customer Personal Data:

1. Access Control

  • Multi-factor authentication (MFA) for all system access

  • Role-based access controls following the principle of least privilege

  • Secure cloud hosting with Microsoft Azure and AWS

  • Automated account provisioning and de-provisioning procedures

  • Strong password policies

  • Regular access rights reviews conducted quarterly

2. Data Security

  • TLS 1.2 or higher encryption for all data in transit

  • AES-256 encryption for sensitive data at rest

  • Logical separation between different customers' data

  • Sanitization of production data before use in non-production environments

  • Secure backup procedures with backups retained for 60 days

  • Regular security assessments and penetration testing at least annually

3. Operational Security

  • Security awareness training for all employees within 30 days of hire and annually thereafter

  • Background checks for employees with access to sensitive systems

  • Confidentiality agreements with all employees, contractors, and vendors

  • Documented information security policies and procedures

  • Incident response procedures with defined roles and responsibilities

  • Regular vulnerability scanning at least quarterly

4. AI System Security

  • Monitoring for AI model behavior and potential bias

  • Separation of customer data between training and production environments

  • Logging and auditing of AI system activities



Provider may update these security measures from time to time provided that such updates do not result in a material degradation of the overall security of the Services.


APPENDIX 3: STANDARD CONTRACTUAL CLAUSES

For transfers of Customer Personal Data from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to countries that do not ensure an adequate level of data protection, the parties agree to be bound by the applicable Standard Contractual Clauses as provided below.


For Transfers from the EEA

For transfers from the EEA, the Standard Contractual Clauses adopted by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs") are hereby incorporated by reference and form an integral part of this DPA.



The complete text of the EU SCCs can be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN



For purposes of the EU SCCs:



  1. Module Two (Controller to Processor) will apply when Customer is a controller of Customer Personal Data and Provider is a processor;

  2. Module Three (Processor to Processor) will apply when Customer is a processor of Customer Personal Data and Provider is a sub-processor; and

  3. For each module, the following applies:

    • The optional docking clause in Clause 7 does not apply;

    • In Clause 9, Option 2 applies, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.2 of this DPA;

    • In Clause 11, the optional language does not apply;

    • In Clause 17, Option 1 applies, and the EU SCCs will be governed by the laws of Ireland;

    • In Clause 18(b), disputes shall be resolved before the courts of Ireland;

    • Annex I.A and I.B of the EU SCCs are deemed completed with the information set out in Appendix 1 of this DPA;

    • Annex I.C of the EU SCCs is deemed completed by designating the Irish Data Protection Commission as the competent supervisory authority;

    • Annex II of the EU SCCs is deemed completed with the information set out in Appendix 2 of this DPA; and

    • Annex III of the EU SCCs is deemed completed with the information on Sub-processors that Provider makes available on its website at https://thatworks.ai/legal/subprocessors.


For Transfers from the UK

For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses ("UK Addendum") issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 is hereby incorporated by reference and forms an integral part of this DPA.



The complete text of the UK Addendum can be found at:

https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf




The UK Addendum shall be deemed completed as follows:



  1. Table 1 of the UK Addendum is deemed completed with the information contained in Appendix 1 of this DPA;

  2. In Table 2 of the UK Addendum, the first option is selected, and the EU SCCs as referenced above shall apply;

  3. In Table 3 of the UK Addendum, the appendices shall be populated as described above with respect to the EU SCCs; and

  4. In Table 4 of the UK Addendum, either party may end the UK Addendum as set out in Section 19 of the UK Addendum.


For Transfers from Switzerland

For transfers from Switzerland, the EU SCCs as referenced above, with the following modifications, shall apply and are hereby incorporated by reference:



  1. References to "Regulation (EU) 2016/679" or "that Regulation" are interpreted as references to the Swiss Federal Data Protection Act ("FDPA");

  2. References to specific Articles of Regulation (EU) 2016/679 are replaced with the equivalent provisions under the FDPA;

  3. References to "EU", "Union", "Member State" and "Member State law" are replaced with "Switzerland" and "Swiss law";

  4. The term "member state" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with the EU SCCs' Clause 18(c);

  5. The "competent supervisory authority" under Clause 13 of the EU SCCs means the Swiss Federal Data Protection and Information Commissioner; and

  6. The EU SCCs shall protect the data of legal entities until the effective date of the revised FDPA of 25 September 2020.






9.4. Instances of customer data disposal are tracked via a ticketing system to document the steps taken to complete the removal.

10. AUDIT RIGHTS

10.1. Upon request, Provider shall make available to Customer information necessary to demonstrate compliance with this DPA, which may include third-party certifications or audit reports.



10.2. No more than once per year, Customer may request an audit of Provider's data protection practices relevant to Customer Personal Data processed under this DPA. Any such audit shall be: (a) Subject to reasonable confidentiality provisions; (b) Conducted during normal business hours and with reasonable advance notice; and (c) Limited to the Customer Personal Data processed under this DPA.

11. INTERNATIONAL TRANSFERS

11.1. Provider shall not transfer Customer Personal Data outside of the European Economic Area (EEA), the United Kingdom, or Switzerland without the prior written consent of Customer.



11.2. When Provider transfers Customer Personal Data to a country not recognized by the European Commission as providing an adequate level of protection for Personal Data (and without any other valid transfer mechanism), the Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA as set out in Appendix 3.

12. GENERAL TERMS

12.1. Governing Law. This DPA shall be governed by the laws of Delaware, USA.



12.2. Order of Precedence. In the event of any conflict or inconsistency between the provisions of this DPA and the Principal Agreement or any other agreement between the Parties, the provisions of this DPA shall prevail.



12.3. Changes in Data Protection Laws. The Parties agree to negotiate in good faith to amend this DPA as necessary to comply with new or amended data protection requirements to which either or both of the Parties are subject.



12.4. Severability. Should any provision of this DPA be invalid or unenforceable, the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

13. EXECUTION

This DPA is automatically incorporated into the Principal Agreement between Provider and Customer. Customers who require a signed version of this DPA may request one by contacting privacy@thatworks.ai. Upon such request, Provider will provide a version of this DPA for signature by both parties.



For questions about this DPA or to exercise any rights hereunder, please contact us at:

Thatworks.xyz Inc

Attn: Data Protection Officer

2140 South Dupont Highway,

Camden, DE 19934, USA

Email: privacy@thatworks.ai




APPENDIX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

Subject matter of Processing: Provider processes Customer Personal Data as necessary to provide its AI-powered platform for delivering automated insights, summaries, and contextual work reports in accordance with the Principal Agreement.



Duration of Processing: Provider will Process Customer Personal Data for the duration of the Principal Agreement, plus any additional period during which Provider is legally required to retain Customer Personal Data. As specified in our Information Security Policy, backups in AWS and Microsoft Azure are retained for sixty (60) days.



Nature and purpose of Processing: Provider will Process Customer Personal Data for the purpose of providing the Services to Customer, including:



  • Providing access to and use of That Works AI Chief-of-Staff platform

  • Generating automated insights, summaries, and contextual work reports

  • Training, tuning, and improving the AI models used within the Services (using anonymized or aggregated data only, unless Customer has explicitly opted in to allow use of identifiable data)

  • Creating and managing user accounts and authentication

  • Providing customer and technical support

  • Monitoring service performance and optimizing the Services

  • Ensuring security and preventing fraud or unauthorized access

  • Generating analytics and metrics about Customer's use of the Services

  • Helping teams stay current on critical information without manual check-ins or searching for context

  • Complying with applicable legal obligations



Types of Personal Data: Customer Personal Data may include the following types of Personal Data:



  • Contact information (name, email address, phone number, etc.)

  • Account credentials and authentication data (excluding passwords, which are encrypted)

  • User preferences and configuration settings

  • Usage data and analytics

  • IP addresses and other online identifiers

  • Content and data uploaded by Customer or its users into the Services

  • Metadata associated with Customer's use of the Services

  • Professional information (job titles, departments, reporting relationships)

  • Communication content and context (from integrated systems)



Based on our Data Handling Policy, we classify data as:



  • Sensitive: Most sensitive business information with strictly limited access (e.g., passwords, encryption keys)

  • Confidential: Less sensitive business information intended for use solely by the Company and/or its customers (including Personally Identifiable Information (PII), balance sheets, income statements, internal market research, audit reports)

  • Public: All other information that does not clearly fit into the above classifications



Provider does not intentionally collect or process Special Categories of Personal Data. If Customer chooses to submit Special Categories of Personal Data to the Services, Customer must ensure it has a valid legal basis for doing so and must notify Provider.



Categories of Data Subjects: Customer Personal Data may concern the following categories of Data Subjects:



  • Customer's employees, contractors, and authorized users

  • Customer's clients or customers (if applicable)

  • Other individuals whose data is provided to the Services by Customer or its users

APPENDIX 2: SECURITY MEASURES

Provider implements and maintains the following technical and organizational security measures to protect Customer Personal Data:

1. Access Control

  • Multi-factor authentication (MFA) for all system access

  • Role-based access controls with principle of least privilege

  • Secure cloud hosting with Microsoft Azure and AWS

  • Automated account provisioning and de-provisioning procedures

  • Strong password policies requiring at least 8 characters, upper and lowercase letters, numbers, and special characters

  • Regular access rights reviews conducted quarterly

2. Data Security

  • TLS 1.2 or higher encryption for all data in transit

  • AES 256 encryption for sensitive data at rest

  • Logical separation between different customers' data

  • Sanitization of production data before use in non-production environments

  • Secure backup procedures with backups retained for 60 days

  • Regular security assessments and penetration testing at least annually

3. Operational Security

  • Security awareness training for all employees within 30 days of hire and annually thereafter

  • Background checks for employees with access to sensitive systems

  • Confidentiality agreements with all employees, contractors, and vendors

  • Documented information security policies and procedures

  • Incident response procedures with defined roles and responsibilities

  • Regular vulnerability scanning at least quarterly

4. AI System Security

  • Monitoring for AI model behavior and potential bias

  • Separation of customer data between training and production environments

  • Logging and auditing of AI system activities



Provider may update these security measures from time to time provided that such updates do not result in a material degradation of the overall security of the Services.

APPENDIX 3: STANDARD CONTRACTUAL CLAUSES

For transfers of Customer Personal Data from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to countries that do not ensure an adequate level of data protection, the parties agree to be bound by the applicable Standard Contractual Clauses as provided below.

For Transfers from the EEA

For transfers from the EEA, the Standard Contractual Clauses adopted by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs") are hereby incorporated by reference and form an integral part of this DPA.



The complete text of the EU SCCs can be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN



For purposes of the EU SCCs:



  1. Module Two (Controller to Processor) will apply when Customer is a controller of Customer Personal Data and Provider is a processor;

  2. Module Three (Processor to Processor) will apply when Customer is a processor of Customer Personal Data and Provider is a sub-processor; and

  3. For each module, the following applies:

    • The optional docking clause in Clause 7 does not apply;

    • In Clause 9, Option 2 applies, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.2 of this DPA;

    • In Clause 11, the optional language does not apply;

    • In Clause 17, Option 1 applies, and the EU SCCs will be governed by the laws of Ireland;

    • In Clause 18(b), disputes shall be resolved before the courts of Ireland;

    • Annex I.A and I.B of the EU SCCs are deemed completed with the information set out in Appendix 1 of this DPA;

    • Annex I.C of the EU SCCs is deemed completed by designating the Irish Data Protection Commission as the competent supervisory authority;

    • Annex II of the EU SCCs is deemed completed with the information set out in Appendix 2 of this DPA; and

    • Annex III of the EU SCCs is deemed completed with the information on Sub-processors that Provider makes available on its website at https://thatworks.ai/legal/subprocessors.

For Transfers from the UK

For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses ("UK Addendum") issued by the Information Commissioner under s.119A(1) Data Protection Act 2018 is hereby incorporated by reference and forms an integral part of this DPA.



The complete text of the UK Addendum can be found at: https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf




The UK Addendum shall be deemed completed as follows:



  1. Table 1 of the UK Addendum is deemed completed with the information contained in Appendix 1 of this DPA;

  2. In Table 2 of the UK Addendum, the first option is selected, and the EU SCCs as referenced above shall apply;

  3. In Table 3 of the UK Addendum, the appendices shall be populated as described above with respect to the EU SCCs; and

  4. In Table 4 of the UK Addendum, either party may end the UK Addendum as set out in Section 19 of the UK Addendum.

For Transfers from Switzerland

For transfers from Switzerland, the EU SCCs as referenced above, with the following modifications, shall apply and are hereby incorporated by reference:



  1. References to "Regulation (EU) 2016/679" or "that Regulation" are interpreted as references to the Swiss Federal Data Protection Act ("FDPA");

  2. References to specific Articles of Regulation (EU) 2016/679 are replaced with the equivalent provisions under the FDPA;

  3. References to "EU", "Union", "Member State" and "Member State law" are replaced with "Switzerland" and "Swiss law";

  4. The term "member state" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with the EU SCCs' Clause 18(c);

  5. The "competent supervisory authority" under Clause 13 of the EU SCCs means the Swiss Federal Data Protection and Information Commissioner; and

  6. The EU SCCs shall protect the data of legal entities until the effective date of the revised FDPA of 25 September 2020.