Data Processing Addendum
Processor terms for customers with compliance obligations. Sign one copy and it governs how Operator handles your Personal Data.
1. Scope
This Data Processing Addendum ("DPA") supplements the Operator Terms of Service (the "Agreement") between you ("Customer") and Operator AI LLC ("Operator"). It applies when Operator processes Personal Data on Customer's behalf in connection with the service. To the extent there is a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data.
2. Definitions
Capitalized terms used and not defined in this DPA have the meaning given in applicable Data Protection Laws (including the GDPR, UK GDPR, and CCPA/CPRA). For convenience:
- Personal Data means information relating to an identified or identifiable natural person that Operator processes on Customer's behalf.
- Processing means any operation performed on Personal Data.
- Controller and Processor have the meaning given under the GDPR. With respect to CCPA/CPRA, "Business" and "Service Provider" apply correspondingly.
- Sub-processor means any third-party Processor engaged by Operator to assist in providing the service.
3. Roles and instructions
Customer is the Controller of Personal Data. Operator is the Processor. Operator will process Personal Data only to provide the service in accordance with the Agreement and the documented instructions of Customer (which include this DPA, the Customer's configuration of the service, and the OAuth scopes Customer grants). Operator will notify Customer if it believes a Customer instruction violates applicable Data Protection Laws.
4. Nature of processing
Subject matter: Provision of the Operator service (autonomous business agents, market intelligence, billing, and related functionality).
Duration: The term of the Agreement, plus any period of retention required by law or described in the Privacy Policy.
Categories of data subjects: Customer's owners, employees, customers, prospects, suppliers, and other individuals whose data Customer connects to the service.
Categories of Personal Data: Identifiers (name, email, phone), account credentials issued by Operator, communication content (messages, call transcripts), commercial information (orders, invoices), and any additional categories Customer chooses to connect through integrations.
5. Confidentiality
Operator personnel authorized to process Personal Data are bound by written confidentiality obligations and receive training on data protection appropriate to their role.
6. Security measures
Operator implements and maintains technical and organizational measures designed to protect Personal Data, including:
- Encryption of Personal Data in transit (TLS) and at rest.
- Row-level security keyed to the business identifier so one business's data is not accessible to another.
- Role-based access control for Operator personnel, with access limited to what is needed to operate the service.
- Secrets and integration credentials held in a managed key store; access logged.
- Logging of administrative actions and agent actions to support audit and incident response.
- Backups and recovery procedures with periodic restore testing.
- Vulnerability management and timely patching of supported components.
A more detailed overview is available at operator.fyi/security.
7. Sub-processors
Customer authorizes Operator to engage sub-processors to provide the service. Operator imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for each sub-processor's performance.
The current list is on the Sub-processors page and is also available on request at operator@operator.fyi. We will give Customer reasonable advance notice of any new sub-processor that processes Personal Data; Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection.
8. Data subject rights
Taking into account the nature of the processing, Operator will assist Customer through appropriate technical and organizational measures, to the extent possible, to respond to requests from data subjects to exercise their rights under applicable Data Protection Laws (access, rectification, erasure, restriction, portability, objection). If Operator receives a request directly from a data subject relating to Customer's data, Operator will, unless prohibited by law, promptly forward the request to Customer.
9. Personal data breaches
Operator will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer's Personal Data and will provide information reasonably required for Customer to meet its own breach-notification obligations.
10. International transfers
Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country not recognized as providing an adequate level of protection, the parties will rely on the Standard Contractual Clauses (and the UK Addendum or Swiss equivalent, as applicable) on the terms set out by the European Commission, the UK ICO, or the FDPIC, respectively. By entering into this DPA, the parties are deemed to have entered into the applicable SCCs as Controller-to-Processor, with Operator as "data importer" and Customer as "data exporter".
11. Audits
Operator will make available to Customer, on reasonable request, information necessary to demonstrate compliance with the obligations in this DPA (including the most recent third-party security report or equivalent attestation, where available). Customer may, no more than once per year and on reasonable prior notice, audit Operator's compliance, subject to a mutually agreed scope and confidentiality terms.
12. Deletion or return
On termination of the Agreement, Operator will, at Customer's choice, return or delete Personal Data processed on Customer's behalf, except to the extent retention is required by law or for the period described in the Privacy Policy for billing, dispute resolution, and similar legitimate purposes.
13. CCPA/CPRA
With respect to Personal Data subject to the CCPA/CPRA, Operator acts as a Service Provider. Operator will not (a) sell or share such Personal Data; (b) retain, use, or disclose it for any purpose other than performing the services described in the Agreement, except as otherwise permitted by the CCPA/CPRA; or (c) combine Personal Data received under the Agreement with Personal Data Operator collects from or on behalf of any other person, except as permitted by the CCPA/CPRA.
14. Contact
DPA, sub-processor, and privacy contact: operator@operator.fyi. Operator AI LLC, Wyoming, USA.