Data Processing Agreement

1.1. "Applicable Data Protection Laws"

means all laws and regulations relating to the processing of Personal Data and privacy applicable to the Controller and Processor.

1.2. "Personal Data"

means any information relating to an identified or identifiable natural person.

1.3. "Processing"

means any operation performed on Personal Data, whether or not by automated means.

1.4. "Data Subject"

means the individual to whom Personal Data relates.

1.5. "Sub-processor"

means any processor engaged by CoPilot to process Personal Data on behalf of the Controller.

2.1. Application

This DPA applies to the Processing of Personal Data by CoPilot on behalf of the Customer in connection with the provision of the AI-powered chat service.

2.2. Processing Requirements

CoPilot shall Process Personal Data only:

• In accordance with Customer's documented instructions
• As necessary to provide the Service
• As required by applicable laws

3.1. Categories of Data Subjects

• Customer's end users
• Customer's employees and contractors
• Other individuals whose data is provided to the Service

3.2. Types of Personal Data

• User account information
• Communication content and metadata
• Usage data and logs
• IP addresses and device information
• Other data provided through Service usage

3.3. Processing Operations

• Collection and storage
• Analysis and processing for Service functionality
• AI model training and optimization
• Service improvement and maintenance
• Security and fraud prevention

4.1. Security Measures

CoPilot shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data
• Regular security testing and monitoring
• Access controls and authentication
• Data backup and recovery procedures
• Regular security training for personnel

4.2. Confidentiality

CoPilot shall ensure that personnel authorized to Process Personal Data have committed themselves to confidentiality.

4.3. Sub-processors

• CoPilot may engage Sub-processors for Processing Personal Data
• CoPilot shall inform Customer of any intended changes concerning Sub-processors
• CoPilot shall impose data protection obligations on Sub-processors similar to those in this DPA

4.4. Data Subject Rights

• Assist Customer in responding to Data Subject requests
• Provide tools and documentation to help Customer fulfill Data Subject rights
• Not respond directly to Data Subject requests without Customer's authorization

4.5. Data Breach Notification

• Notify Customer without undue delay after becoming aware of a Personal Data breach
• Provide sufficient information to allow Customer to meet any legal reporting obligations
• Document all breaches and remedial actions taken

5.1. Customer Responsibilities

• Ensure it has the legal right to Process Personal Data
• Comply with Applicable Data Protection Laws
• Provide documented instructions for Processing
• Notify CoPilot of any legal requirements affecting Processing

6.1. Transfer Restrictions

CoPilot shall not transfer Personal Data outside the United States unless:

• Customer has provided explicit authorization
• Appropriate safeguards are in place
• Transfer is required by applicable law

7.1. Audit Procedures

Customer may audit CoPilot's compliance with this DPA by:

• Requesting documentation and certifications
• Conducting on-site inspections with reasonable notice
• Receiving third-party audit reports where available

8.1. Data Usage for AI Training

• CoPilot may use Personal Data to train and improve its AI models
• Training shall be conducted in a secure, controlled environment
• Personal Data used for training shall be anonymized where possible

8.2. Training Safeguards

• Segregation of training environments
• Regular auditing of training data usage
• Mechanisms to remove specific data from training sets upon request

9.1. Data Handling Upon Termination

• Return or delete all Personal Data upon termination of services
• Provide written certification of deletion if requested
• Remove Personal Data from backup systems within standard retention periods

10.1. Liability

• Each party shall be liable for its own actions
• Limitations of liability as specified in the main agreement apply
• Parties shall cooperate in addressing claims from Data Subjects

11.1. Duration

• This DPA shall remain in effect as long as CoPilot Processes Personal Data
• Termination of the main agreement will automatically terminate this DPA
• Data protection obligations survive termination

12.1. Applicable Law

• This DPA shall be governed by the laws of the United States
• Any disputes shall be resolved in the courts of California
• Parties submit to the exclusive jurisdiction of these courts

13.1. Amendment Process

• Modifications require written agreement of both parties
• Changes required by law shall be implemented as required
• Customer shall be notified of any material changes