Data Processing Agreement


Last Updated: 16 December, 2024

This Data Processing Agreement ("DPA") is entered into by and between:

  1. Ethos Artificial Intelligence Limited (“Ethos UK”), a company registered in the United Kingdom with its registered office at Ethos Artificial Intelligence Limited c/o Cogency Global, 6 Lloyd's Avenue, London, EV3V 3AX, United Kingdom (“Processor”), and

  2. User ("Data Controller").


This DPA is entered into in connection with the agreement between User and Somo Labs Inc. ("Ethos") governing User’s utilization of the software platform made available by Ethos (the “Agreement”), under which Ethos has agreed to provide certain services to the Data Controller.


As part of the provision of those services, Ethos has designated its subsidiary, the Processor, to perform certain processing activities on behalf of the Data Controller, as described below.

Roles and Scope

  1. User as Data Controller:
    The User is the Data Controller under applicable data protection laws, determining the purposes and means of processing the personal data covered by this DPA.

  2. Ethos UK as Processor:
    The Processor (Ethos UK) will process personal data directly on behalf of the Data Controller under this DPA, as required to fulfill the obligations set forth in the Agreement between the Parent Company and the Data Controller.

  3. Ethos’s Role:
    Ethos, while a party to the Agreement, does not process personal data directly but facilitates the relationship between the Data Controller and the Processor. The Processor is directly responsible for fulfilling the obligations outlined in this DPA.


Purpose of this DPA

This DPA sets forth the terms under which the Processor will process personal data on behalf of the Data Controller, ensuring compliance with:

  • The UK General Data Protection Regulation (UK GDPR);

  • The General Data Protection Regulation (EU GDPR), where applicable;

  • Other applicable data protection or privacy legislation.

The Processor will process Personal Data exclusively:

  1. In accordance with the written instructions of the Data Controller, as detailed in this DPA and the Agreement.

  2. For the purposes necessary to fulfill the services defined in the Agreement and any related agreements.


Relationship Clarification

  • The Data Controller acknowledges that the Processor is engaged directly to process Personal Data as part of the services described in the Agreement.

  • Ethos is not a processor or subprocessor under this DPA but acts solely in an administrative and facilitative role to ensure the services are delivered.

This DPA governs all transfers and processing activities performed by the Processor on behalf of the Data Controller and ensures that Personal Data is handled in compliance with applicable legal and regulatory requirements. Ethos and User are together the “Parties”, and each a “Party”. The Parties agree to comply with the provisions of this DPA with respect to the Processing of all Personal Data collected on behalf of or submitted by User in relation to the provision or receipt of products and/or services.  The Parties also agree to comply with all applicable Data Protection Laws (as defined herein).



DEFINITIONS

“Adequate Country” means:

(a) for Personal Data processed subject to the EU GDPR: the European Economic Area, or a country or territory recognized as ensuring adequate protection under the EU GDPR;

(b) for Personal Data processed subject to the UK GDPR: the UK, or a country or territory recognized as ensuring adequate protection under the UK GDPR and the Data Protection Act 2018; or

(c) for Personal Data processed subject to the Swiss FADP: Switzerland, or a country or territory that is: (i) included in the list of the states whose legislation ensures adequate protection as published by the Swiss Federal Data Protection and Information Commissioner, if applicable; or (ii) recognized as ensuring adequate protection by the Swiss Federal Council under the Swiss FADP;

in each case, other than on the basis of an optional data protection framework.



“Authorized Persons” means Ethos employees, contractors, agents, customers, and auditors who have a need-to-know or otherwise access Personal Data to enable Ethos to perform its obligations under the Agreement and this DPA.



"Data Protection Laws" means the European Union General Data Protection Regulation (EU) 2016/679 (“GDPR”); and the other data protection laws and regulations of the European Union, the European Economic Area and their member states, and the United Kingdom.



“Data Subject Request” means a request made by a Data Subject, consumer, or other individual conferred rights under Data Protection Laws.



“Personal Data” means any personal data or personal information, as defined by Data Protection Laws, that Ethos processes on behalf of User.



“Platform” has the same meaning as in the Agreement.



“Regulatory Authority” means any local, state, national, or multinational agency, department, official, parliament, public or statutory person, government or professional body, regulatory authority or supervisory authority, or board or other body responsible for administering Data Protection Laws.



“Security Incident” means any data breach as defined by applicable Data Protection Laws, or any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data on systems managed or otherwise controlled by User.



“User” means the signatory to an Order Form governed by the Agreement.



“Business Purpose”, “Personal Controller”, “Processor”, “Processing”, “Data Subject”, “Personal Data”, “Sensitive Data”, and “Sub-processor” if appearing in this DPA shall have the same meaning as in the Data Protection Laws.



1. ROLES OF THE PARTIES


1.1 Ethos UK is a Processor under this DPA and will Process Personal Data in accordance with Attachment A.

1.2 User is a Controller under this DPA. 


2. RESPONSIBILITY AND TERM



2.1 Ethos UK will Process Personal Data only as set forth by User for the term set forth in the Agreement. Ethos will not collect, use, retain, disclose, sell, or otherwise make Personal Data available for any purpose other than for the specific purposes set forth in the Agreement.

2.2 Ethos UK will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the User, the Agreement, or this DPA specifically authorizes the disclosure, or as required by domestic law, court, or Regulatory Authority. 

2.3 Ethos UK will reasonably assist User with meeting compliance obligations under Data Protection Laws. 



3. REPRESENTATIONS, WARRANTIES, AND CERTIFICATIONS



3.1 User represents and warrants that:



  1. User has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Personal Data and any processing instructions it issues to Ethos; 

  2. User has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Ethos to process Personal Data for the purposes described in the Agreement;

  3. User has the sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which User acquired Personal Data;

  4. User has ensured that Ethos’s processing of the Personal Data in accordance with User’s instructions will not cause Ethos to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws;

  5. User will only give Ethos the minimum necessary amount of Personal Data necessary to achieve the purposes of the Agreement and this DPA; 

  6. User will only give Ethos Personal Data in compliance with this DPA; and

  7. Any Personal Data User provides to or processes via Ethos-provided products or services does not and will not contain any U.S. Social Security numbers or other government-issued identification numbers; protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, or other health-related data subject to protection under applicable laws and regulations; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; any payment card information subject to the Payment Card Industry Data Security Standard; Personal Data of children under 16 years of age; or any other information that falls within any special categories of data or is considered Sensitive Data (as defined in Data Protection Laws).


3.2 Ethos UK certifies that it:


  1. Shall not “sell” or “share” Personal Data as those terms are defined under the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA).

  2. Shall process Personal Data only for the business purpose specified in this Agreement.

  3. Shall cooperate with the Controller to fulfill consumer rights requests, including requests to access, delete, or opt out of data sales/sharing.

  4. Nothing in this DPA shall be construed to require Ethos to comply with the CCPA/CPRA beyond its obligations as a service provider as defined under the CCPA/CPRA.



4. AUTHORIZED PERSONS



4.1 Ethos UK will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all Authorized Persons with access to the Personal Data. Ethos shall ensure that Authorized Persons shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).



5. SECURITY 



5.1 Ethos UK will at all times implement appropriate technical and organizational measures to protect Personal Data.



6. SECURITY INCIDENTS



6.1 Upon becoming aware of a Security Incident, Ethos UK shall: 



  1. Notify User without undue delay or as otherwise required by Data Protection Laws; and

  2. Promptly take reasonable steps to contain and investigate any Security Incident.



6.2 Ethos UK’s notification of or response to a Security Incident under this Section shall not be construed as an acknowledgment by Ethos UK of any fault or liability with respect to the Security Incident.



7. SUB-PROCESSORS



7.1 User agrees that Ethos UK may engage Sub-processors to process Personal Data. A list of all Sub-processors can be found on the Ethos website at http://askethos.com/subprocessors (the “Sub-processor Site”). When Ethos UK engages any new Sub-processor after the effective date of the Agreement, Ethos UK will notify User of such engagement (including the name and location of the relevant Sub-processor and the activities it will perform) by updating the Sub-processor Site or by other written means. If User objects to such engagement, User may within 15 days of receipt of notice from Ethos UK, as its sole and exclusive remedy, terminate the Agreement and cease use of the Platform by providing written notice to Ethos UK and pay Ethos UK for all amounts due and owing under the Agreement as of the date of such termination.



7.2 Ethos UK will enter into a written contract with each Sub-processor that provides no less protection than the protections in this DPA, to the extent applicable to provide User with products and services. 



8. INQUIRIES BY DATA SUBJECTS 



8.1 Ethos UK will inform User of all Data Subject Requests involving Personal Data, and take reasonable measures to enable User to comply with the rights of Data Subjects under Data Protection Laws.



9. RECORDS AND AUDIT



9.1 Ethos UK shall make available to User all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, no more than once annually, at no additional cost to Ethos UK so that User may assess compliance with this DPA. 



10. RETURN OR DESTROY DATA UPON TERMINATION



10.1 Upon termination or expiration of the Agreement, Ethos UK shall (at User’s election) delete or return to User all Personal Data in its possession or control, except that this requirement shall not apply to the extent Ethos UK is required by applicable law to retain some or all of the Personal Data, or as otherwise specified by the Agreement. 



11. DATA TRANSFERS



11.1 The Parties acknowledge that the provision of the products and/or services under the Agreement may require the transfer or Processing of Personal Data in countries outside the United Kingdom from time to time.



11.2 In such event, a legal data transfer mechanism consistent with the applicable Data Protection law will be established.



11.3 The Parties acknowledge that the Data Protection Laws do not require the Standard Contractual Clauses or an Alternative Transfer Solution in order for Personal Data to be processed in or transferred to an Adequate Country. 

11.4 Should a change in Data Protection Laws occur, or a decision of a competent authority be made which might affect the validity of an international transfer or adequacy of an international transfer method, the Parties agree to promptly address any agreements necessary to restore the validity, adequacy, or compliance of such international transfers under Data Protection Laws. If any transfer mechanisms must be changed for compliance with Data Protection Laws, the Parties shall enter into a separate, written agreement detailing the new transfer methods. 



12. COOPERATION WITH REGULATORY AUTHORITIES



12.1 Ethos UK shall notify User within a reasonable time of all inquiries from a Regulatory Authority that Ethos receives which relate to the Processing of Personal Data, the Agreement, or either Party's obligations under this DPA, unless prohibited from doing so by Data Protection Laws or by a Regulatory Authority.



12.2 Ethos UK shall provide User with such assistance and information as User may reasonably request in order for User to comply with any obligation to carry out a data protection impact assessment (DPIA) or consult with a Regulatory Authority pursuant to Articles 35 and 36 of GDPR, respectively.  



13. LIMITATION OF LIABILITY & INDEMNIFICATION



13.1 The limitations of liability and indemnification provisions are as set forth in the Agreement, except the limitations shall not apply with respect to any of User’s violation of this DPA. 



14. MISCELLANEOUS



14.1 Ethos UK may update the terms of this DPA from time to time upon at least thirty (30) days prior written notice to User. The then-current terms of this Agreement are available at askethos.com/dpa.

 




ATTACHMENT A

A. ROLE OF PARTIES



Ethos UK Role: Processor 

User Role: Controller



B. DESCRIPTION OF TRANSFER



Data Subjects:



User data subjects. 



Subject Matter of Processing:



Personal Data identified in the Agreement.



Duration of Processing: Duration of the Agreement.



Nature and Purpose of Processing:



Ethos UK will Process Personal Data for the purposes of providing services to User in accordance with the Agreement and this DPA.



Type of Data:



Personal Data.



Sensitive Data:



User may not give Ethos UK any sensitive or other similar Personal Data without written approval from Ethos UK.