This Data Processing Addendum (“DPA”) is entered into by and between:
(1) SUMPLER, a company incorporated in France, with its registered office at 15 Rue des Halles, 75001 Paris, France (“AnsrFast”, “we”, “us”, “our”); and
(2) The customer entity that uses the AnsrFast Service (“Customer”, “you”, “your”).
This DPA forms part of the agreement governing your use of the Service (the “Agreement”), such as our Terms of Service, an order form, or any written/electronic agreement between the parties. If there is a conflict, this DPA prevails regarding the processing of Customer Personal Data (as defined below).
1. Definitions
1.1 “Data Protection Laws” means all applicable privacy and data protection laws and regulations relating to the processing of personal data, including (where applicable) the EU GDPR (Regulation (EU) 2016/679), the UK GDPR, and the Swiss FADP.
1.2 “Controller”, “Processor”, “Personal Data”, “Processing” have the meanings given in Data Protection Laws.
1.3 “Customer Personal Data” means Personal Data that AnsrFast processes as a Processor on behalf of Customer under the Agreement.
1.4 “Account Data” means Personal Data relating to Customer’s relationship with AnsrFast (e.g., billing, account administration, security logs, fraud prevention, compliance communications).
1.5 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by AnsrFast as Processor.
1.6 “Subprocessor” means any third-party Processor engaged by AnsrFast to assist in fulfilling its obligations under the Agreement and that processes Customer Personal Data.
1.7 “Restricted Transfer” means a transfer of personal data to a country outside the EEA/UK/Switzerland that is not covered by an adequacy decision, as applicable.
1.8 “SCCs” means the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914.
2. Scope and Roles
2.1 Scope. This DPA applies only to the extent AnsrFast processes Customer Personal Data as Processor on behalf of Customer.
2.2 Roles for Customer Personal Data. Customer is the Controller (or a Processor acting on behalf of another Controller) and AnsrFast is the Processor with respect to Customer Personal Data.
2.3 Roles for Account Data. With respect to Account Data, AnsrFast acts as an independent Controller. Account Data is governed by our Privacy Policy.
3. Details of Processing
The subject-matter, nature, purpose, categories of data subjects, and types of Customer Personal Data processed are described in ANNEX 1.
4. Customer Instructions
4.1 Documented instructions. AnsrFast will process Customer Personal Data only on documented instructions from Customer, including as necessary to provide the Service, as set out in the Agreement, this DPA, and Customer’s configuration and use of the Service.
4.2 Unlawful instructions. If AnsrFast believes Customer’s instructions violate Data Protection Laws, AnsrFast will inform Customer (unless prohibited by law).
5. Confidentiality
AnsrFast ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations (contractual or statutory).
6. Security
6.1 Measures. AnsrFast implements appropriate technical and organizational measures to protect Customer Personal Data, as described in ANNEX 2.
6.2 Updates. Security measures may evolve over time, provided they do not materially degrade the overall security of the Service.
7. Subprocessors
7.1 General authorization. Customer grants a general authorization for AnsrFast to engage Subprocessors to process Customer Personal Data.
7.2 Subprocessor list. Current Subprocessors are listed in ANNEX 3.
7.3 Changes and notice. AnsrFast will provide at least twenty (20) days’ notice before adding or replacing a Subprocessor, by updating ANNEX 3 (and/or a public subprocessor list, if available).
7.4 Objection. Customer may object within the notice period on reasonable grounds relating to data protection. The parties will work in good faith to find a solution. If no solution is reasonably available, Customer may terminate the affected part of the Service (or the Agreement) without penalty for future periods.
7.5 Flow-down obligations and liability. AnsrFast will impose data protection obligations on Subprocessors that are no less protective than those in this DPA, and AnsrFast remains responsible for Subprocessors’ performance of their obligations regarding Customer Personal Data.
8. Data Subject Requests
8.1 Customer responsibility. Customer is responsible for responding to requests from data subjects (end users) regarding Customer Personal Data.
8.2 Assistance. Taking into account the nature of processing, AnsrFast will provide reasonable assistance to Customer to help Customer respond to data subject requests, insofar as possible and to the extent Customer cannot address the request through self-service features of the Service. This assistance may be provided at Customer’s cost for requests that require material engineering effort.
8.3 Direct requests. If AnsrFast receives a request directly from a data subject regarding Customer Personal Data, AnsrFast will, where legally permitted and reasonably possible, direct the data subject to Customer and/or notify Customer.
9. DPIA and Prior Consultation
To the extent required by Data Protection Laws, AnsrFast will provide reasonable assistance to Customer with data protection impact assessments (DPIAs) and consultations with authorities, taking into account the nature of processing and information available to AnsrFast. Such assistance may be at Customer’s cost.
10. Security Incidents
10.1 Notification. Upon becoming aware of a Security Incident affecting Customer Personal Data, AnsrFast will notify Customer without undue delay and, in any event, no later than seventy-two (72) hours after becoming aware of it.
10.2 Information. AnsrFast will provide information reasonably necessary for Customer to meet its breach notification obligations, to the extent such information is available.
11. Return or Deletion of Customer Personal Data
11.1 During the account. Customer Personal Data is retained for the duration of the Customer’s account, unless deleted earlier through the Service.
11.2 After account deletion. Conversation messages and related conversation data are retained for one (1) year after account deletion, and then deleted, unless:
(a) earlier deletion is requested by Customer and is technically feasible within reasonable time; or
(b) retention is required by applicable law or necessary for the establishment, exercise, or defense of legal claims or for security/fraud prevention purposes (in which case access will be restricted).
11.3 Backups. Residual copies in backups may persist for a limited period according to backup cycles and will be protected and deleted in due course.
12. Audit and Compliance Information
12.1 Information. AnsrFast will make available information reasonably necessary to demonstrate compliance with this DPA.
12.2 Audit. Customer (or an independent auditor not competing with AnsrFast) may audit AnsrFast’s processing of Customer Personal Data no more than once per year, upon reasonable written notice, during normal business hours, at Customer’s expense, and subject to confidentiality and security requirements. The audit scope must be limited to Customer-relevant processing.
13. International Transfers
13.1 Worldwide operations. Customer acknowledges that the Service may involve processing in multiple regions and by Subprocessors that operate globally, including outside the EEA/UK/Switzerland.
13.2 Transfer mechanism. Where a Restricted Transfer occurs, the parties agree that the SCCs are incorporated by reference and form part of this DPA.
13.3 SCC details. For SCC purposes:
(a) Module Two (Controller-to-Processor) applies to transfers of Customer Personal Data from Customer to AnsrFast where Customer is a Controller.
(b) Module Three (Processor-to-Processor) applies where Customer is a Processor and AnsrFast acts as a Subprocessor.
(c) The annexes to the SCCs are deemed completed using ANNEX 1 (processing details), ANNEX 2 (security measures), and ANNEX 3 (subprocessors).
13.4 UK and Switzerland. Where UK or Swiss transfer rules apply, the parties will apply an appropriate UK or Swiss addendum or equivalent mechanism to the SCCs as required.
14. Customer Obligations
14.1 Customer warrants it has and will maintain a lawful basis and required notices/consents to provide Customer Personal Data to AnsrFast and to instruct AnsrFast to process it under the Agreement.
14.2 Customer will not intentionally submit special categories of personal data (e.g., health data) through the Service unless agreed in writing and supported by appropriate safeguards.
15. Miscellaneous
15.1 Changes. AnsrFast may update this DPA to comply with legal requirements. If changes materially reduce protections, AnsrFast will provide notice and Customer may object on reasonable grounds.
15.2 Governing law. This DPA is governed by the laws of France. Courts of Paris have jurisdiction, unless mandatory law provides otherwise.
15.3 Third-party rights. Nothing in this DPA creates rights for third parties, except where Data Protection Laws provide data subjects with enforceable rights (e.g., under SCCs where applicable).
ANNEX 1 — Details of Processing
A. Subject matter: Provision of a customer support chatbot that can be embedded on Customer’s website/help center; written conversations between end users and an AI assistant; escalation to Customer’s human support agents; displaying end-user identity in the agent interface when Customer provides such attributes.
B. Duration: For the term of the Agreement; retention as described in Section 11.
C. Nature of processing: Collection, receipt, storage, organization, retrieval, display, transmission, deletion.
D. Purpose: Provide and operate the Service (support chatbot, escalation to human agents, conversation management, end-user identification in the chat interface), maintain security, prevent abuse, and provide technical support.
E. Categories of data subjects: Customer’s end users (natural persons), Customer’s support agents, and Customer’s administrators.
F. Types of personal data:
- Conversation content (messages) and conversation metadata (timestamps, conversation IDs).
- End-user identity attributes provided via Customer snippet: first name, last name, email address, profile picture (or profile picture URL), user identifier.
- Technical data: IP address, user-agent, logs/events.
ANNEX 2 — Technical and Organizational Security Measures (summary)
- Encryption in transit (TLS).
- Access controls and least-privilege; MFA for sensitive/admin access.
- Logical separation between customers.
- Logging, monitoring, and incident response process.
- Backup and restore procedures.
- Vulnerability management and patching.
- Secure development practices (as applicable).
ANNEX 3 — Subprocessors (current)
The following Subprocessors may process Customer Personal Data to operate the Service:
1) Neon (database on AWS Europe Central 1 – Frankfurt, EU) — Database hosting.
2) Vercel (hosting and AI Gateway – global/edge network) — Application hosting and routing.
3) Cloudflare (including R2; Western Europe (WEUR) + global network) — CDN, security, performance, object storage.
4) Ably (global/edge network) — Realtime messaging infrastructure.
5) Resend (United States) — Transactional email delivery.
6) Apify (EU) — Automation/extraction (scope depends on Customer configuration).
7) Trigger (global/edge network) — Background jobs/automation (scope depends on Customer configuration).
Note: Customer may request additional information about Subprocessors’ locations and roles by emailing contact@ansrfast.com.