Data Processing Addendum

This Data Processing Addendum, including its Annexes (“Data Processing Addendum” or “Addendum”), is entered into by and between ContactMonkey, an Ontario corporation, having its principal place of business at 468 King St W, Toronto, ON, M5V 1L8 (“Company” or “ContactMonkey”) and you (“Customer”).

This Data Processing Addendum forms part of the ContactMonkey software-as-a-service agreement or other written or electronic agreement between ContactMonkey and Customer for the purchase of hosted online services  (including any associated offline, mobile or software components) from ContactMonkey (identified as either “Services”, “ContactMonkey Solution”, “ContactMonkey Services” or otherwise in the applicable agreement, and hereinafter defined as the “Services”)  (the “Agreement”), to reflect the Parties’ agreement with regard to the Processing of Personal Information.

To complete this Data Processing Addendum, the Customer must:

1.   Complete the information in the signature box;

2.  Send the signed Data Processing Addendum to ContactMonkey by email to  privacy@contactmonkey.com, indicating, if applicable the Customer’s account number (as set out on an applicable Order Form or invoice).

Upon receipt of the validly completed Data Processing Addendum by ContactMonkey at this email address above, this Data Processing Addendum will become legally binding. This Data Processing Addendum shall only become binding between ContactMonkey and Customer when the formalities set out above have been fully completed and then such Data Processing Addendum will then become an addendum to and forms part of the Agreement.

In the event of any conflict between the Agreement and this Data Processing Addendum, the terms and conditions of this Data Processing Addendum shall control to the extent of the conflict.  Except to the extent expressly superseded or modified in this Data Processing Addendum, the terms and conditions of the Agreement will apply to this Data Processing Addendum and remain in full force and effect.

1. Definitions

1.1 “Data Protection Laws” means all applicable laws and regulations relating to the privacy or security of Personal Information as amended, modified or replaced from time to time, including for example and without limitation Regulation (EU) 2016/679 (“GDPR”) and Directive 2002/58/EC, the UK GDPR, the Personal Information Protection and Electronic Documents Act, s.c. 2000, and the California Consumer Privacy Act and related regulations and guidance (“CCPA”), as well as any implementing legislation or further particularising rules, regulatory decisions or orders, or regulations.

1.2 “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including any information that is defined as “personally identifiable information,” “personal information,” “personal data” or other similar term under Data Protection Laws.

1.3 “Processing” or “Process” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as but not limited to collection, recording, organization, structuring, use, modification, retrieval, disclosure, storage, anonymization, deletion, and/or management Personal Information.

1.4 “Security Incident” means a breach of Company’s Security Measures described in Annex B leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information in Company’s possession, custody, or control.  Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems

2. Data Processing and Security Responsibilities

2.1 Compliance with Data Protection Laws. Customer and Company shall each comply with all Data Protection Laws that apply to it in relation to any Personal Information Processed in connection with this Addendum, as set out in the description of Services in Annex A to this Addendum.

2.2 Customer Responsibilities. Customer agrees that it has:

• made and shall maintain all necessary registrations and notifications as required in order to permit Company to perform its obligations and exercise its rights under this Addendum;
• obtained and shall continue to obtain all consents necessary, and provided all necessary notices and otherwise has and continues to have all necessary authority to permit Company to perform its obligations and exercise its rights under this Addendum, and shall inform Company immediately if any such consents are withdrawn;
• ensured and shall continue to ensure that all Personal Information Processed by Company is adequate, relevant, accurate and up-to-date, and limited to what is necessary to permit Company to perform its obligations and exercise its rights under this Addendum;
• ensured and shall continue to ensure that there are valid legal bases to enable Company to Process Customer’s Personal Information;
• Processed and will continue to Process the Personal Information in accordance with all applicable Data Protection Laws.

2.3 Roles of the Parties. Customer acknowledges that Customer (a) is the controller of any Customer Personal Information that Company Processes on behalf of Customer; and (b) sets permissions for authorized users to access Customer Personal Information. Customer is responsible for reviewing and evaluating whether the documented functionality of the Services meets Customer’s required security obligations relating to Customer Personal Information under Data Protection Laws.

2.4 Company Obligations. In the course of Processing Personal Information on behalf of Customer in connection with the Services as set out in Annex A to this Addendum, Company shall:

2.4.1 only Process Personal Information as reasonably necessary for the purposes of providing the Services and in accordance with the Agreement and as otherwise instructed by Customer in writing from time to time, and not Process any Personal Information in any other manner without the express prior written authorization of Customer unless required to do so by applicable law. Company shall not retain, use, disclose, or otherwise Process Personal Information outside of the direct business relationship between Company and Customer;

2.4.2 immediately inform the Customer if, in Company’s opinion, any instruction received from the Customer infringes any Data Protection Laws;

2.4.3 not disclose (and not allow any of its employees, or permitted agents or representatives to disclose) any Personal Information to any third party without the prior written authorization of Customer unless required to do so under applicable law;

2.4.4. (i) not sell Personal Information; (ii) not share Personal Information except as necessary to provide the Services; (iii) combine Personal Information with personal data received from other customers for any secondary purpose; or (iv) use Personal Information to train generalized artificial intelligence or machine learning models. For clarity, Company may use Personal Information in aggregated, de-identified, or contextual form to analyze usage, improve features, and develop or enhance Company’s products and AI-enabled functionality, provided such use does not involve training models on Customer Personal Information itself;    

2.4.5 where any disclosure, transfer or other Processing of Personal Information is required by applicable law, promptly notify Customer in writing before complying with any such requirement (unless prohibited by applicable law);

2.4.6 promptly notify Customer in writing of any (i) enquiry received from individuals relating to the individual’s rights under applicable law regarding Personal Information, and provide prompt reasonable assistance to Customer with respect to any obligations Customer has to respond to such requests, such as by an obligation to provide access to Personal Information, or to correct, rectify, erase or restrict the processing of Personal Information; (ii) complaint or correspondence received by Company relating to the Processing of Personal Information, and (iii) order, demand, warrant or any other document purporting to compel the production of any Personal Information, and provide reasonable assistance at Customer’s cost to facilitate Customer’s compliance with Customer’s obligations under Data Protection Laws;

2.4.7 implement reasonable and appropriate physical, technical, administrative and organizational security procedures and practices appropriate to the sensitivity of the Personal Information, to protect the Personal Information against loss, theft, destruction, damage, alteration and unauthorized or unlawful access, use, disclosure or other risks incurred by Processing in pursuit of the Services, as further described in Annex B, as would allow Company to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services and to provide reasonable assistance at Customer’s cost to ensure compliance with Customer’s obligations to implement such security measures;

2.4.8 limit access to Personal Information only to those employees and authorized agents of Company who need to have access to the Personal Information and solely for the purposes of Company rendering the Services;

2.4.9 ensure or cause each of the employees and permitted contractors of Company to agree in writing to keep and to protect the confidentiality and security of the Personal Information in accordance with the terms of this Addendum, and otherwise properly advise and train each of its employees and permitted subcontractor of the requirements of Company under this Addendum and applicable Privacy Law;

2.4.10 ensure that each employee or permitted contractor of Company involved in rendering the Services hereunder is appropriately screened to confirm the suitability of the performance of their duties in connection with the Services, including the access to and Processing of Personal Information;

2.4.11 except as otherwise agreed to in writing by Customer, primarily maintain and otherwise Process the Personal Information in Canada and the United States. Any onward transfers shall be subject to appropriate safeguards in accordance with applicable Data Protection Laws; and

2.4.12 provide reasonable assistance, at Customer’s cost and request, to Customer in connection with Customer’s obligations under Data Protection Laws to carry out a data protection impact assessment or to consult with the relevant supervisory authority in respect of any such data protection impact assessment.

3. Audit Rights

Company shall provide and Customer agrees to accept Company’s most current third-party certifications as may be relevant and available in respect of the Services. Company may satisfy audit requests by providing its most recent third-party security audit reports or certifications (including SOC 2 Type II or equivalent) as the primary means of demonstrating compliance with this Addendum. Company shall provide Customer (or its representatives) with access to information necessary to demonstrate Company’s compliance with this Addendum and to the records, facilities and premises of Company during business hours and upon at least 30 days’ advance notice in writing, at most once per year, only where reasonably necessary, for the purposes of verifying Company’s compliance with this Addendum. To the extent any such audit incurs in excess of 10 hours of Company’s personnel time, Company may charge Customer on a time and materials basis for any such excess hours.

4. Subcontracting

4.1 Use of Sub-processors. Customer acknowledges and agrees that Company shall use sub-processors (including Company affiliates) to provide the Services set out in Annex A. Company shall enter into a written contract with each such sub-processor that imposes obligations on the sub-processor that are substantially similar to those imposed on Company under this Addendum.  Company shall only retain sub-processors that Company can reasonably expect to appropriately protect the privacy, confidentiality and security of the Personal Information. Prior to appointing any new sub-processor in addition to or in lieu of those listed in Annex C, Company shall notify Customer of such sub-processors, whereupon Customer shall have 30 days to object to such appointment by providing detailed reasons based on reasonable grounds relating to data protection for such objection to Company. Customer’s failure to object within such 30-day period shall be deemed a waiver of Customer’s right to object to Company’s use of such new Sub-processor added to the Sub-processor List.

4.2 Notice of New Sub-processors. Company shall maintain an up-to-date list of its sub-processors in its Trust Center or similar secure portal and shall grant Customer access to such Trust Center. Customer may subscribe to receive notifications of changes to Company’s sub-processors through the Trust Center or other notification mechanism made available by Company. Updating the Trust Center and, where Customer has subscribed, providing such notification shall constitute notice.

4.3 Objection Rights. Where Company is unable to reasonably address Customer’s objection, Customer may, as its sole and exclusive remedy, terminate only the affected Services. For the avoidance of doubt, Company shall not be required to change its sub-processors for other customers.

4.4 Emergency Sub-processors. Notwithstanding the foregoing, where a change in sub-processors is required on an expedited basis due to circumstances beyond Company’s reasonable control, including security incidents, service continuity issues, insolvency of a sub-processor, or legal or regulatory requirements, Company may appoint such sub-processor immediately and shall notify Customer as soon as reasonably practicable thereafter.

5. Data Transfers

5.1 General. Company will transfer Personal Information in accordance with applicable Data Protection Laws.

5.2 Transfers from the EEA and UK. As Company is a Canadian company subject to PIPEDA transfers from the European Economic Area and the UK to Company are permitted pursuant to European Commission Decision 2002/2/EC (as amended or replaced from time to time).

5.3. Standard Contractual Clauses. Where Personal Information is transferred from the European Economic Area or the United Kingdom to a country that does not provide an adequate level of protection, such transfers shall be made pursuant to the Standard Contractual Clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, together with the UK International Data Transfer Addendum (or successor transfer mechanism), which are incorporated by reference and shall apply automatically. In accordance with Clause 2 of the Standard Contractual Clauses, the Parties wish to supplement the Standard Contractual Clauses with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of any data subjects. Company and Customer accordingly agree that the applicable terms of the Agreement and this Addendum shall apply if, and to the extent they are permitted under the Standard Contractual Clauses, the following clarifications to the Standard Contractual Clauses:

5.3.1 Module. Module Two terms apply to the extent Customer is a Controller of European Personal Information and Module Three applies to the extent Customer is a Processor of European Personal Information.

5.3.2 Docking Clause. The Parties agree Section 7 shall not apply to this Agreement.

5.3.3 Instructions. For the purposes of clause 8.1(a) of Module 3, Customer’s complete and final instructions to Process Personal Information are set out in the Agreement and this Addendum. Any additional or alternate instructions must be consistent with the terms of this Agreement.

5.3.4 Copies of Clauses. In the event a data subject requests a copy of the Standard Contractual Clauses or this Addendum in accordance with clause 8.3, the data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.

5.3.5 Certification of Deletion. Certification of deletion of Customer Personal Information under clause 8.5 and clause 16(d) shall be provided upon the written request of the data exporter.

5.3.6 Security of Processing. For the purposes of clause 8.6(a), Customer agrees that the Security Measures set forth in this Addendum provide a level of security appropriate to the risk with respect to Personal Information. For the purposes of clause 8.6(c) and (d) of Module 3, Personal Information breaches will be handled in accordance with this Addendum, and breach notifications shall only be sent to Customer. 

5.3.7 Onward Transfer Implementation. The data importer shall be deemed in compliance with clause 8.8 to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

5.3.8 Audits and Certifications. Any information requests or audits provided for in clause 8.9 of Module 3 shall be fulfilled in accordance with Audit section of this Addendum.

5.3.9 Engagement of New Sub-processors. Pursuant to clause 9(a) Option 2, the data exporter acknowledges and expressly agrees that the data importer may engage new Sub-processors as described in Subcontracting clause of this Addendum. With respect to clause 9, the Parties select the time period set forth in the Subcontracting clause of this Addendum.

5.3.10 Data Subject Rights. For the purpose of clause 10 of Module 3, data subject requests and related assistance shall be handled in accordance with the data subject request provisions set forth in the Data Processing and Security Responsibilities section of this Addendum with respect to Module 3, Company shall be required to communicate requests only to Customer.

5.3.11 Complaints. The optional language under clause 11 is not applicable.

5.3.12 Liability. The relevant Sections of the Agreement which govern indemnification and limitations of liability, shall apply to the Data Importer’s liability under clause 12.

5.3.13 Supervisory Authority. For purposes of clause 13, the following shall apply:

• EU Member State. If Customer is established in an EU Member State, the supervisory authority responsible for compliance by Data Protection Laws shall be the relevant supervisory authority;
• United Kingdom. If Customer is established in the United Kingdom, the United Kingdom’s Information Commissioner’s Office shall be the relevant supervisory authority; or
• Switzerland. If Customer is established in Switzerland, the Swiss Federal Data Protection and Information Commissioner shall be the relevant supervisory authority.

5.3.14 Notification of Government Access Requests. For the purpose of clause 15(1), Company shall provide notification to Customer only and not individual Data Subjects.

5.3.15 Governing Law.  For the purposes of clause 17, the Parties select the laws of the governing jurisdiction of the Agreement. If the Agreement is not governed by EU law, the SCCs will be governed by the laws of Ireland, or where the Agreement is governed by the laws and courts of the United Kingdom, the laws of the England and Wales.

5.3.16 Choice of Forum and Jurisdiction. For the purposes of clause 18, the Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Ireland, or where the Agreement is governed by the laws and courts of the United Kingdom, the laws of the England and Wales.

5.3.17 Annexes. The Annexes of the Standard Contractual Clauses are populated as follows:

• Annex I.A is populated with the details as outlined in the preamble and signature block of this Addendum. 
• Annex I.B is populated with the details in Annex A (Data Processing Description) of this Addendum.
• Annex I.C is determined in accordance with the Supervisory Authority provisions set forth in the Data Transfers section of this Addendum.
• Annex II is populated with the Annex B (Security Measures) of this Addendum

5.4 Transfers from the UK

If Customer transfers Customer Personal Information to Company that is subject to UK Data Protection Laws, the Parties are deemed to enter into the addendum issued by the UK Information Commissioner and approved by the UK Parliament (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (the “UK Addendum”).

Tables 1 to 3 of the UK Addendum are populated as follows: Table 1 (Parties) with the party details set forth in the preamble and signature block of this Addendum; Table 2 (Selected SCCs) with the Standard Contractual Clause selections set forth in the Data Transfers section of this Addendum; and Table 3 (Appendix Information) with the details set forth in Annex A and Annex B of this Addendum.

Neither party may end the UK Addendum without the other Party’s written permission.

References in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in UK Data Protection Laws.

5.5 Transfers from Switzerland

If Customer transfers Customer Personal Information to Company that is subject to the FADP, the Standard Contractual Clauses shall apply to such transfers.

References in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in Swiss Data Protection Laws.

6. Security Incident Notification

6.1 Notification Timeline. Company shall notify Customer within 48 hours upon Company becoming aware of Security Incident.

6.2. Cooperation. Company shall reasonably cooperate with Customer in notifying individuals affected by a Security Incident and other parties, including relevant supervisory authorities, in accordance with applicable law.

6.4. Public Statements. Company shall not make any public statement, press release, or regulatory notification that identifies Customer or could reasonably be expected to identify Customer in connection with a Security Incident without Customer’s prior written consent, unless required by applicable law.

7. Termination

Upon the termination of the Agreement or at such other times as instructed by Customer in writing, Company shall either return or, upon the written instruction of Customer, securely dispose of the Personal Information and all existing copies within ninety (90) days. In the event applicable law does not permit Company to comply with the delivery or destruction of the Personal Information, Company warrants that it shall ensure the confidentiality of the Personal Information in accordance with applicable law.

8. Liability

Any liability arising out of or in connection with this Data Processing Addendum shall be subject to the limitations of liability provision set forth in the Agreement.

IN WITNESS WHEREOF, the parties’ authorized signatories have duly executed this Addendum:

ContactMonkey                                                               Customer Name: _________________________

Signature: ___________________________                   Signature: ______________________________

Print Name: __________________________                  Print Name: _____________________________

Title:   _______________________________                 Title: __________________________________

Date:   _______________________________                 Date: __________________________________

ANNEX A

DATA PROCESSING DESCRIPTION

Subject-matter and duration of the Processing.

The Services are intended to allow the customer to design their HTML employee newsletters, send those newsletters to their employees from their email client (Outlook or Gmail), and track the engagement of those emails.

The duration of the Processing is the duration of the Agreement.

Nature and purposes of the Processing.

Personal Data will be Processed by Company for purposes of providing the Services set out in the Agreement and any applicable statement of work.

Data Categories.

The following types of Personal Information will be Processed:

• Name, email address, phone number and other contact information and other Personal Data needed to perform the Services.

• IP address, location, email open and click rates

The following categories of Data Subjects are involved:

• Employees of Customer

ANNEX B

SECURITY MEASURES

Technical and Organizational Measures to Ensure the Security of Personal Data

ContactMonkey has implemented and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons.

These measures are subject to ongoing review and improvement in line with evolving security threats, operational requirements, and technological developments, and apply generally to all processing activities carried out under this Agreement.

1. Information Security Governance and Management

ContactMonkey maintains an information security management framework supported by documented policies, standards, and procedures governing the protection of information assets and Personal Data throughout their lifecycle.

• A dedicated security function is responsible for overseeing the information security and compliance program.
  
• Roles and responsibilities for information security and data protection are formally defined and communicated.
  
• Security controls and policies are reviewed periodically and updated as necessary.
  
• Compliance with internal security policies is monitored through ongoing oversight, internal reviews, and external assessments.
  
• ContactMonkey maintains a SOC 2 Type II report covering relevant trust service criteria, which is reviewed regularly as part of its assurance program.

2. Access Control and Identity Management

Access to systems and services processing Personal Data is restricted to authorized personnel based on business need and the principle of least privilege.

• Role-based access control (RBAC) is used to assign and manage access rights.
  
• Unique user identifiers are required; shared user accounts are prohibited except where explicitly approved and controlled.
  
• Multi-factor authentication (MFA) is enforced for privileged access and access to production systems.
  
• Access requests, approvals, and changes are documented and auditable.
  
• User access rights are reviewed periodically and promptly revoked or adjusted upon role change or termination.
  
• Segregation of duties is implemented to reduce the risk of unauthorized or unintentional modification or misuse of systems and data.

3. Encryption and Cryptographic Controls

ContactMonkey implements cryptographic controls to protect Personal Data during transmission and storage.

• Data in transit is protected using industry-standard encryption protocols (e.g., TLS 1.2 or higher).
  
• Personal Data stored in production systems and backups is encrypted at rest using industry-accepted encryption standards.
  
• Cryptographic keys and secrets are managed and protected in accordance with documented key management practices.
  
• Passwords are protected using appropriate hashing or encryption mechanisms and are subject to defined complexity and rotation requirements.

4. Secure Development and Change Management

Information security and privacy are integrated into the system development lifecycle.

• Secure-by-design and privacy-by-design principles are applied to the development and maintenance of applications and systems.
  
• Development, testing, and production environments are logically segregated.
  
• Customer Personal Data is not used in development, testing, or demo environments unless explicitly authorized and appropriately protected.
  
• Code changes are subject to peer review and formal change management procedures.
  
• Security testing, including vulnerability scanning and remediation, is performed at defined development stages.
  
• Developers receive regular secure coding training relevant to their roles.

5. Logging, Monitoring, and Detection

ContactMonkey maintains logging and monitoring controls to support the detection, investigation, and response to security events.

• Access to systems and Personal Data is logged where appropriate.
  
• Logs are protected against unauthorized access and modification.
  
• Monitoring mechanisms are used to identify anomalous or suspicious activity.
  
• Security-relevant events are reviewed and investigated in accordance with established procedures.

6. Incident Response and Breach Management

ContactMonkey maintains a documented incident response program designed to promptly identify, contain, investigate, and remediate security incidents.

• All employees and contractors are required to report suspected security events or incidents.
  
• Incidents are classified by severity and handled in accordance with defined escalation procedures.
  
• Incident response activities are documented, and root cause analyses are performed for material incidents.
  
• Incident response procedures are reviewed and tested at least annually.
  
• In the event of a Personal Data Breach, ContactMonkey will notify Customers without undue delay and cooperate in accordance with applicable data protection laws and contractual obligations.

7. Availability, Backup, and Disaster Recovery

ContactMonkey has implemented measures designed to ensure the availability and resilience of processing systems and services.

• Customer data is backed up regularly and stored in encrypted form.
  
• Backup restoration procedures are tested periodically.
  
• Disaster recovery and business continuity procedures are documented and reviewed.
  
• Processing infrastructure is hosted with reputable cloud service providers that implement appropriate technical and organizational security measures and maintain industry-recognized certifications.
  
• Continuity measures are designed in accordance with a shared responsibility model applicable to cloud-hosted services.

8. Third-Party and Cloud Security

ContactMonkey engages third-party service providers only where appropriate safeguards are in place.

• Third-party providers with access to Personal Data are subject to due diligence and contractual security obligations.
  
• Cloud infrastructure providers are selected based on their security capabilities and certifications.
  
• Third-party access to systems and data is limited to what is necessary for service delivery and is subject to access controls and monitoring.

9. Physical and Environmental Security

Physical access controls are implemented to prevent unauthorized access to facilities and environments where Personal Data may be processed.

• Office access is restricted to authorized personnel and monitored.
  
• Visitors are subject to identification and escort requirements.
  
• Processing infrastructure is hosted in secure data centers operated by cloud service providers that implement physical and environmental security controls consistent with industry standards.

10. Data Minimization, Retention, and Data Subject Rights

ContactMonkey implements controls to support data protection principles throughout the data lifecycle.

• Access to Personal Data is limited to what is necessary for defined processing purposes.
  
• Personal Data is retained only for as long as necessary and deleted or anonymized in accordance with documented retention schedules.
  
• Processes are in place to support the exercise of data subject rights, including access, rectification, erasure, and data portability, as applicable.

Additional details regarding Company’s security practices are available in Company’s Trust Center.

ANNEX C

SUBCONTRACTORS

Subcontractor	Activity	Country
Amazon Web Services	Computer storage, network services, and hosting services, including the provision of cloud computing infrastructure.	US/Canada/ Ireland/Australia
Zendesk, Inc.	Platform to manage customer support requests.	US
Intercom	In-app customer support and messaging.	US
Vero	Transactional email delivery for user notifications.	US
SendGrid	Email delivery service for “Email at Scale” (opt-in).	US
Telnyx	SMS delivery provider (opt-in).	US
OpenRouter*	Model routing for AI features (opt-in).	US
OpenAI*	Generate email content with AI (opt-in).	US
DeepL*	Translate content within multi-language emails (opt-in).	US
Google LLC*	AI-powered email editorial checks (opt-in).	US

 *Optional AI functionality – if disabled, Processor will not transit any Customer Data to Sub-processor.