Where applicable, this Data Processing Addendum is hereby incorporated in the WAGS Products Terms of Service (the “General Terms”), found at https://wags-ai.com/terms, unless Customer has entered into a superseding written agreement with WAGS, in which case, it forms a part of such written agreement. Unless Customer has a superseding written agreement with WAGS, WAGS may amend this Data Processing Addendum from time to time on its Website: https://wags-ai.com/dpa, as its business evolves. Any revisions will become effective on the date WAGS publishes the changes. Customer can review the most current version of the Data Processing Addendum at any time by visiting this page. If Customer uses the Services after the effective date of any changes, that use will constitute acceptance of the revised Data Processing Addendum.
1. Definitions and Interpretation
1.1 All capitalized terms not defined herein shall have the meaning set forth in the General Terms.
1.2 The following capitalized terms shall have the meaning ascribed to them below:
●      "Account Information" means Personal Information that relates to the transactional or commercial relationship between Customer and WAGS, including Personal Information relating to Customer’s account, billing information and sales and support requests;
●      "Data Controller" has the meaning set out in the Privacy Laws, as applicable to this Data Processing Addendum;
●      "Data Processor" has the meaning set out in the Privacy Laws, as applicable to this Data Processing Addendum;
●      "Data Protection Regulator" means the applicable supervisory authority with jurisdiction over either party, including where applicable the UAE Data Office or any relevant IFZA regulatory authority, and in each case any successor body from time to time;
●      "Data Subject" has the meaning set out in the Privacy Laws, as applicable to this Data Processing Addendum;
●      “Privacy Laws” means all applicable data protection and privacy legislation, regulations and guidance governing the protection of Personal Information and Sensitive Personal Information including but not limited to:
- Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”);
- the Data Protection Act 2018 and the UK GDPR;
- the California Consumer Protection Act of 2018 (CCPA) and the California Privacy Rights Act (CPRA);
- UAE Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data (PDPL) and any implementing regulations issued by the UAE Data Office; and
- the Data Protection Regulations of the International Free Zone Authority (IFZA), where applicable. 
●      "Process", "Processing" or "Processed" have the meaning set out in the Privacy Laws, as applicable to this Data Processing Addendum;
●      “2021 Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Information to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 or any European Commission’s decision amending or replacing this decision;
●      “Standard Contractual Clauses” means collectively the 2021 Standard Contractual Clauses or the UK International Data Transfer Addendum whichever is applicable; and
●      “UK International Data Transfer Addendum” means the International Transfer Data Addendum to the 2021 Standard Contractual Clauses issued by the UK’s Information Commissioner’s Office.
1.3 The term "including" is not limiting and means "including, without limitation".
2. Protection of Personal Information
2.1. Supersedence. Applicability of Jurisdiction-Specific Provisions.
This Data Processing Addendum shall supersede any and all provisions of the General Terms inconsistent herewith.
The provisions relating to specific jurisdictions (including, without limitation, the GDPR, UK GDPR and the UK International Data Transfer Addendum) shall apply only to the extent that the Processing of Personal Information falls within the scope of the applicable Privacy Laws of such jurisdictions.
2.2. Data Controller and Data Processor. The Parties acknowledge that with regards to the processing of Customer Personal Information, the Customer is the Data Controller and WAGS is the Data Processor of the Customer Personal Information. WAGS will Process Customer Personal Information in accordance with Schedule 1 to this Data Processing Addendum. With regards to Account Information, Customer is a Data Controller and WAGS is an independent Data Controller (and not a joint Data Controller with Customer). WAGS will process Account Information for the limited purposes of (i) managing the customer relationship, (ii) carrying out WAGS’s core business operations, (iii) implementing security measures designed to prevent unauthorized access, fraud or abuse of the Products and/or Services, (iv) complying with WAGS’s legal obligations, and (v) fulfilling any other lawful purpose authorised under Privacy Laws, this Data Processing Addendum or the General Terms.
2.3. Customer’s Obligations as Data Controller. The Customer warrants that the Customer Personal Information has been obtained fairly and lawfully and, in all respects, in compliance with the Privacy Laws, including where applicable UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and the IFZA Data Protection Regulations.
2.4. WAGS’s Obligations as Data Processor. WAGS shall:
●      2.4.1. Process the Customer Personal Information only in accordance with Section 3 of this Data Processing Addendum and any other reasonable documented instructions as provided by the Customer to WAGS from time to time ("Instructions"), including with regard to transfers of Customer Personal Information to third countries in accordance with the requirements of applicable Privacy Laws, including the UAE PDPL where applicable, save where:
2.4.1.1. such Instructions are unlawful;
o   2.4.1.2. such Instructions would cause WAGS to breach its own obligations under Privacy Laws or the General Terms or any other agreement with a third party;
o   2.4.1.3. WAGS is under a legal obligation to Process the Customer Personal Information, in which case WAGS shall inform the Customer of the legal obligation, except to the extent the law prohibits it from doing so.
●      2.4.2. inform the Customer if, in its opinion, an Instruction received from the Customer infringes the Privacy Laws;
●      2.4.3. ensure that all WAGS employees and personnel who are involved in the Processing of Customer Personal Information have committed themselves to confidentiality or are under statutory obligations of confidentiality;
●      2.4.4. not provide any new third party with access to the Customer Personal Information or sub-contract any of its obligations under the General Terms that involve Processing Customer Personal Information without providing at least thirty (30) days advance notice to the Customer via email.
●      2.4.5. ensure that any sub-contract entered into by WAGS contains provisions which comply with Privacy Laws and in any event are no less onerous than those imposed under Section 2 of this Data Processing Addendum, and where a Sub-processor fails to fulfil its data protection obligations under the Privacy Laws, WAGS shall remain liable to Customer for the performance of that Sub-processor’s obligations;
●      2.4.6. implement and maintain appropriate technical and organizational security measures to protect against unauthorised or unlawful Processing of the Customer Personal Information and against accidental loss, disclosure or destruction of, or damage to, the Customer Personal Information, taking into account the state of the art, costs of implementation and nature, scope, context and purposes of Processing, as described in the Privacy Policy found at https://wags-ai.com/privacy, and including:
o   2.4.6.1. the anonymization, pseudonymization and/or encryption of Customer Personal Information;
o   2.4.6.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
o   2.4.6.3. the ability to restore the availability and access to Customer Personal Information in a timely manner in the event of a physical or technical incident; and
o   2.4.6.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
●      2.4.7. taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, to enable the Customer to comply with its obligations under Privacy Laws in responding to requests from Data Subjects or the Data Protection Regulator, insofar as this is possible, to the extent the anonymity of the Personal Information shall be kept confidential by WAGS, and not shared with Customer;
●      2.4.8. assist the Customer, to comply with the following obligations under the Privacy Laws, taking into account the nature of Processing and information available to WAGS, including:
o   2.4.8.1. notification and assistance to Customer without undue delay, in accordance with the provision set forth in Section 12 of the Privacy Policy, and notification to the Data Protection Regulator and Data Subjects of a Data Incident, as defined in the Privacy Policy, with regards to Customer Personal Information transmitted, stored or otherwise Processed; and, where required under applicable Privacy Laws, including the UAE PDPL or IFZA Data Protection Regulations, notification to the relevant Data Protection Regulator.
o   2.4.8.2. the Customer's obligations to carry out data protection impact assessments, or any similar assessment required under Privacy Laws, and any subsequent consultation with the Data Protection Regulator;
●      2.4.9. make available to Customer, or an independent third party auditor mandated by the Customer (but not being a competitor of WAGS), up to a maximum of once a year, or when a breach of Customer Personal Information is reasonably suspected, all reasonable information that WAGS deems necessary to demonstrate compliance with the obligations imposed on WAGS under Section 2 of this Data Processing Addendum, and allow for and contribute to audits, including inspections for the sole purpose of demonstrating such compliance;
●      2.4.10. unless required by law, following termination or expiry of the General Terms for whatever reason, securely delete all of the Customer Personal Information in accordance with WAGS’s retention policy, or without delay at Customer’s request; and
●      2.4.11. comply with the relevant Controller to Processor provisions of the 2021 Standard Contractual Clauses which are incorporated by reference and are an integral part of this Data Processing Addendum, for the purpose of which the Parties agree that:
o   2.4.11.1. Customer is the data exporter and WAGS is the data importer.
o   2.4.11.2. Module Two of the 2021 Standard Contractual Clauses will apply where Customer is a Controller and WAGS is a Processor.
o   2.4.11.3. Clause 7 of the 2021 Standard Contractual Clauses will apply.
o   2.4.11.4. For the purpose of Clause 9, paragraph (a) of the 2021 Standard Contractual Clauses, option 2 shall apply, as per the time period specified under section 2.4.4 hereof.
o   2.4.11.5. The Parties agree that to the extent permitted by Privacy Laws any direct claims brought under the Standard Contractual Clauses by a Party shall be subject to the limitation of liability set out in the General Terms, provided however that nothing in this Data Processing Addendum shall be construed as a limitation or exclusion of a Party’s liability toward a Data Subject under the Standard Contractual Clauses.
o   2.4.11.6. For the purpose of Clause 17 of the 2021 Standard Contractual Clauses, the Parties choose option 1, and the Standard Contractual Clauses shall be governed by the law of the Republic of Cyprus, without prejudice to the application of any mandatory provisions of applicable Privacy Laws, including the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and any applicable IFZA Data Protection Regulations.
o   2.4.11.7. For the purpose of Clause 18 of the 2021 Standard Contractual Clauses, paragraph (b), the Parties choose the courts of the Republic of Cyprus.
o   Notwithstanding the foregoing, this shall not prevent Data Subjects or competent regulatory authorities from bringing claims before any court or authority of competent jurisdiction under applicable Privacy Laws, including the UAE Data Office or relevant IFZA regulatory authority, where applicable.
o   2.4.11.8. The contents of Appendix I of the Standard Contractual Clauses are deemed completed with the information found in Section 2 and Schedule 1 hereof.
o   2.4.11.9. In the event of any conflict between the provisions of the Standard Contractual Clauses and this Data Processing Addendum, the Standard Contractual Clauses shall prevail.
●      2.4.12. comply with the UK International Transfer Addendum.
●      2.4.13. Additional Provisions for California. To the extent that WAGS processes Personal Information of consumers subject to the CCPA, the CPRA and applicable regulations thereunder, the Parties shall comply with all applicable provisions of the CCPA, of the CPRA and of applicable regulations thereunder, as amended from time to time. The Parties shall agree to act in good faith to enter into a modified agreement in order to address any such amendment and ensure ongoing compliance with California laws. WAGS shall not (a) retain, use or disclose such Personal Information for any purpose other than for the specific purposes described under the General Terms or this Data Processing Addendum, or as otherwise permitted by the CCPA, the CPRA or applicable regulations; (b) retain, use or disclose such Personal Information for a commercial purpose other than the specific purposes described under the General Terms or this Data Processing Addendum; or (c) “sell” or “share” such Personal Information (the terms “sell” and “share” having the meaning ascribed to them in the CCPA, CPRA or applicable regulations).
●      2.4.14. Compliance with UAE Data Protection Laws.
To the extent that Personal Information processed under this Data Processing Addendum relates to individuals located in the United Arab Emirates, WAGS shall process such Personal Information in accordance with the requirements of UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and any applicable IFZA Data Protection Regulations.
●      2.4.15. Cross-Border Data Transfers.
Where Personal Information is transferred outside the jurisdiction in which it was collected, including outside the United Arab Emirates, WAGS shall ensure that such transfers comply with applicable Privacy Laws, including the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and any applicable IFZA Data Protection Regulations.
Where required by applicable Privacy Laws, WAGS shall implement appropriate safeguards for such transfers, which may include contractual safeguards, transfer impact assessments, or other mechanisms designed to ensure that Personal Information continues to receive an adequate level of protection.
●      2.4.16. Automated Processing and Profiling.
To the extent that WAGS uses automated systems, analytics tools, or artificial intelligence technologies in the course of providing the Products and/or Services that involve the Processing of Personal Information, such Processing shall be carried out in compliance with applicable Privacy Laws, including the UAE PDPL and any applicable IFZA Data Protection Regulations.
WAGS shall implement appropriate safeguards to ensure that such automated Processing does not result in unlawful discrimination or unlawful impact on the rights and freedoms of Data Subjects.
●      2.4.17 Relationship with UAE Data Protection Laws.
Nothing in this Data Processing Addendum or in the Standard Contractual Clauses shall limit or exclude the Parties’ obligations under applicable Privacy Laws, including UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and any applicable IFZA Data Protection Regulations.
The governing law and jurisdiction provisions applicable to the Standard Contractual Clauses shall apply solely for the purposes of those clauses and shall not affect the ability of any competent UAE regulatory authority, including the UAE Data Office or relevant IFZA authority, to exercise supervisory powers under applicable Privacy Laws.

 
SCHEDULE 1: Description of the Processing of Customer Personal Information
WAGS will Process Customer Personal Information in accordance with the description below:
1) Categories of Data Subjects whose Personal Information is Processed
All Users, as defined under the General Terms and applicable Product-Specific Terms.
2) Categories of Personal Information Processed
WAGS Processes several categories of Customer Personal Information, such as:
●      User credentials (includes email and password hashes);
●      User profile data (includes name, contact information such as email address or telephone number, job title, profile picture, time zone and language preference);
●      Answers to surveys, comments and feedback (may include Personal Information based on the nature of the questions and prompts used to collect such information, such as the User’s feelings towards their workplace, information about User engagement, User preferences in the context of their employee experience, etc.);
●      User properties (may include socio-demographic Personal Information, such as age, gender and salary, which are customizable by Customer’s account administrator and collected at Customer’s discretion);
●      Other categories of Personal Information specific to the nature of WAGS’s Products (may include information about a job applicant’s work history, information about a User’s work schedule, information about a User’s skills, course enrollment and progression, information about a User’s performance, including peer feedback, manager reviews and performance ratings, information about a User’s professional life data or personal life data, information about a User’s compensation and area of responsibility, etc.).
3) Sensitive Personal Information Processed
WAGS does not intentionally process Sensitive Personal Information through the Products and/or Services. Customer is responsible to ensure that it does not collect Sensitive Personal Information, for instance by creating User properties for the purpose of collecting categories of Sensitive Personal Information. Any collection of Sensitive Personal Information by WAGS through plain text fields or other User inputs is incidental and outside of WAGS’s control.
4) Frequency of the Processing and Transfer
The Processing and Transfer of Customer Personal Information is continuous.
5) Nature of the Processing
WAGS processes Customer Personal Information in the course of providing the Products and/or Services, as described in the General Terms and in ancillary documentation further describing the nature and functionality of such Products and/or Services. Without limiting the generality of the foregoing, the Processing may entail handling, accessing, viewing, storing, transmitting, and otherwise making available the Customer Personal Information, including by automated means.
6) Purposes of the Processing and Further Processing
WAGS processes the Customer Personal Information in accordance with Customer’s documented lawful instructions, which shall be deemed to include any processing activities necessary to:
●      Provide, maintain and improve the Products and/or Services in accordance with the General Terms;
●      Prevent and address service, security, support or technical issues with the Products and/or Services;
●      Ensure the integration and synchronization of the Products with Customer’s external systems, such as Human Resources Information Systems and team collaboration systems, where applicable.
WAGS also processes Customer Personal Information to comply with its legal obligations.
7) Retention Period
Customer Personal Information is retained and processed only as long as necessary for the purposes described in paragraph 6 above, in accordance with Section 10 of WAGS’s Privacy Policy available at https://wags-ai.com/privacy.
8) Transfers to Sub-Processors
WAGS may transfer Customer Personal Information to its Sub-Processors in accordance with Section 2.4 (WAGS’s Obligations as Data Processor) or otherwise as permitted under the General Terms.
Processing activities described in this Schedule 1 shall also comply with the requirements of UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and any applicable IFZA Data Protection Regulations, where the Personal Information relates to individuals located in the United Arab Emirates.

 
SCHEDULE 2: Sub-processorsThe following categories of Sub-processors are authorized to Process Customer Data:
Cloud Infrastructure and Hosting●      Provider Type: Cloud service providers
●      Purpose: Hosting and infrastructure services
●      Location: United Arab Emirates, European Union, United States
●      Examples: Amazon Web Services (AWS), Google Cloud Platform
AI and Machine Learning●      Provider Type: AI technology providers
●      Purpose: Large language models and AI Features
●      Location: United States, other locations
●      Processing: Input processing and Output generation for conversational intelligence
Communication Services●      Provider Type: Email and messaging platforms
●      Purpose: Transactional email delivery and communications
●      Location: United States, European Union
●      Example: Mailgun (email delivery)
Payment Processing●      Provider Type: Payment processors
●      Purpose: Processing billing and payment transactions
●      Location: Various (depending on Customer location)
●      Note: PCI-DSS compliant processors; receive B2B Contact Data
Analytics and Monitoring●      Provider Type: Analytics and monitoring services
●      Purpose: Usage analytics, performance monitoring, error tracking
●      Location: United States, European Union
●      Note: Process Telemetric Data only
Security Services●      Provider Type: Security and threat detection providers
●      Purpose: Security monitoring, threat detection, vulnerability assessment
●      Location: Various
●      Note: Access limited to security-relevant data
Current List:
A detailed list of specific Sub-processor entities with names, addresses, and processing activities is available upon request at services@wags-ai.com.
Updates:
WAGS will provide at least 30 days' advance notice via email before adding or replacing any Sub-processor.