Data Processing Agreement (DPA)
Last updated: October 17, 2024
Along with Our Terms of Service and Privacy Policy, this Data Processing Agreement ("DPA") constitutes a part of the Agreement between adam.ai ("We", "Our", or "Us") and the natural or legal person agreeing to it (as well as Affiliates of such person which ordered Platforms for such Affiliate as provided in this Agreement, each "Customer", "You", or "Your"). This Agreement outlines the terms on which adam.ai will process Personal Data in connection with Your use of Our Platform and in accordance with the Agreement. You and adam.ai may be referred to in this Agreement individually or together as the "Parties".
All capitalised phrases in this DPA shall have the same meaning as stipulated in the Agreement and the Applicable Law.
1. Definitions and Interpretation
The following terms shall have the following meanings:
1.1 Applicable Data Protection Laws means, to the extent applicable:
(i) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”), the UK Data Protection Act 2018 (“UK GDPR”), as well as any other laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom; and
(ii) all privacy and data protection laws and regulations, worldwide (whether national, state, provincial, local or otherwise), applicable to the Processing of Personal Data under the Agreement, as may be amended, extended, re-enacted, or interpreted from time to time; and including without limitation, any applicable jurisdiction-specific terms specified in Schedule 3.
1.2 Data Subject means the identified or identifiable person to whom Personal Data relates;
1.3 Personal Data means “any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”, as defined under the General Data Protection Regulation 2016/679 and includes any equivalent definition in the Applicable Data Protection Laws;
1.4 Process, Processing or Processed means “any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”, as defined under the General Data Protection Regulation 2016/679 and includes any equivalent definition in the Applicable Data Protection Laws;
1.5 Purpose means the services and the associated Processing of Personal Data as defined in Schedule 1 to this Agreement;
1.6 Standard Contractual Clauses or SCCs means the “Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council” as adopted by the European Commission on 4 June 2021 (Commission Implementing Decision (EU) 2021/914);
1.7 Terms of Service means the legal agreement between the Controller as the user and the Processor, that governs the Controller's limited, non-exclusive and terminable right to the use of the Hotjar Site and Platform as defined in the Terms of Service.
1.8 UK Addendum to the SCCs means the United Kingdom Addendum B.1.0 to the Standard Contractual Clauses issued by the United Kingdom Commissioner’s Office.
2. Appointment
2.1 adam.ai acts as the Processor of Personal Data, providing meeting management services. You, our user, act as the Controller of the Personal Data you manage using our platform, as both terms are understood under the General Data Protection Regulation (GDPR).
2.2 As the Controller, you maintain complete control over the Personal Data within your adam.ai account. adam.ai, as the Processor, will not claim any rights to control or own the Personal Data managed by you, the Controller.
2.3 It has been recognized that for adam.ai to deliver its services effectively, it will be necessary to Process certain Personal Data on behalf of you, the Controller. This agreement (DPA) is set to outline the responsibilities and compliance obligations in line with Applicable Data Protection Laws.
2.4 The services provided under the terms of adam.ai’s Terms of Service are acknowledged by both parties as commissioned data Processing activities in accordance with Article 28 of the GDPR.
2.5 adam.ai is appointed by you, the Controller, to Process Personal Data as necessary to deliver the agreed-upon services. Any future changes or expansions in the scope of Processing will be documented and agreed upon in writing, adhering to the terms of this DPA.
2.6 You, as the Controller, agree to Process Personal Data in compliance with all Applicable Data Protection Laws and regulations. adam.ai, as your Processor, will follow your instructions for data Processing, assuming those instructions are lawful. If adam.ai deems any instructions to be in violation of any laws, it reserves the right to refuse them. The responsibility for the legality, integrity, and accuracy of the Personal Data provided to adam.ai rests with you, the Controller.
2.7 You, the Controller, are responsible for ensuring that there is a lawful basis for the collection, Processing, and transfer of Personal Data to adam.ai for Processing. You also agree to authorize adam.ai's Processing activities on your behalf, in accordance with all applicable legal requirements.
3. Processing Time
3.1 adam.ai will process Personal Data in accordance with this DPA and the overarching Agreement throughout its active term. Modifications to the processing duration must be agreed upon in writing by both parties, ensuring alignment with any sections of this DPA and/or the Agreement that discuss processing duration and the implications of its end or termination.
4. Processing Data
4.1 adam.ai is tasked with processing Personal Data as per the purposes outlined in our Terms of Service, following your (the Controller's) guidance and as detailed in Schedule 1 of our agreement.
4.2 Personal Data managed by adam.ai is stored within the European Union (EU) or European Economic Area (EEA) territories, ensuring adherence to the highest data protection standards. Should the need arise to process data globally, for instance, to allow access by authorized adam.ai personnel or sub-processors essential for service delivery, such processing will respect the stringent security and organizational protocols established in this agreement. Transfers of Personal Data to countries outside of the EEA or the UK will occur only under conditions that ensure an adequate level of protection and compliance, as detailed in the sub-processor list acknowledged by you.
4.3 For Controllers operating outside the EU and EEA realms and not governed by GDPR, Standard Contractual Clauses (SCCs) will be incorporated into this DPA to ensure data protection measures are robust and in line with GDPR standards.
4.4 Controllers located within the UK will be covered by the SCCs in conjunction with the UK Addendum to these clauses, ensuring the transfer of Personal Data from the UK is conducted in compliance with this DPA and relevant data protection legislation.
4.5 The type and nature of Personal Data processed through the adam.ai platform will depend on how you, as the Controller, decide to utilize our services. The range of data categories is determined by the selected features and configurations you apply, ensuring flexibility to meet your specific data processing needs.
Data We Observe & Collect:
- Unique User ID: A special identifier for tracking user interactions.
- Device Information: This includes screen resolution, type of device, operating system, and browser type.
- Activity Logs: Console logs, errors (the latter is suppressed by default for privacy).
- Geographic and Language Preferences: Country location and preferred language.
- User Interaction: Mouse movements, locations, clicks, and pages visited.
- Access Details: Referring URLs, domains, and timestamps of website visits and specific events.
- User-Provided Information: Through our Identify API, feedback, surveys, or polls, you might choose to share additional attributes or personal data with us.
Data Shared Through Engagement:
- Research Responses: Personal data shared in research screeners or tester profiles, including demographics (name, contact details, age, gender, nationality, education, job title, marital status, and voluntarily shared social media profiles).
- Session Content: Any personal data in audio, video, or text format during sessions.
- Professional Data: Information related to education and profession.
- Feedback and Communication: Personal data in file attachments, survey responses, feedback, and messages.
Affected Data Subjects:
- Observe & Ask: End-users of the Controller’s website utilizing the adam.ai platform.
- Engage: Testers, affiliates, and other authorized users like employees, freelancers, or contractors who have been given access to the platform, in line with our agreement.
Additional Notes:
- Prohibition on Sale of Personal Data: adam.ai strictly prohibits the sale of personal data. We ensure that any transfer or disclosure of personal data does not equate to "selling" under any applicable data protection laws, such as the CCPA.
- Data Subject Categories: The Controller may update or add new categories of data subjects as necessary over time, adhering to the principles of data protection and privacy by design.
adam.ai remains dedicated to safeguarding personal data, adhering to data protection laws, and providing a secure and compliant platform for all users and stakeholders involved.
5. Organisational and Technical Measures
5.1 Data security must be implemented by the Processor in compliance with the relevant data protection laws. The measures taken must ensure that the resilience, availability, confidentiality, and integrity of the systems are protected to a degree that is commensurate with the risk. It is necessary to consider the state of the art, implementation costs, the type, extent, and goals of the processing, as well as the likelihood and seriousness of the risk to the rights and liberties of natural persons.
5.2 Detailed in Schedule 2, our security protocols are transparent and comprehensive.
5.3 Our security measures evolve with technology, ensuring uncompromised protection levels through adaptable and updated practices.
6. Requests from Data Subjects and adam.ai's Support
6.1 adam.ai will only modify, delete, or restrict access to Personal Data as directed by you, the Controller, unless legal obligations or our Terms of Service require otherwise. Such actions will align with your data retention policies.
6.2 Should data subjects contact adam.ai directly for their data rights under Applicable Data Protection Laws, we will promptly relay these requests to you for action. We're here to support you in addressing these requests effectively.
6.3 Upon your request, adam.ai will assist you in performing necessary data protection assessments and consultations as mandated by GDPR, providing all necessary information and cooperation to ensure compliance.
7. Commitment to Quality and Compliance
7.1 adam.ai adheres to all relevant legal requirements in executing this Agreement, including but not limited to:
- a. We've appointed a Compliance Lead to oversee compliance with data protection laws, reachable via compliance@adam.ai.
- b. Personal Data is kept distinct from data processed for other parties.
- c. All data processing aligns with our Terms of Service and your specific instructions, including for international data transfers, unless overridden by legal obligations.
- d. Our team is committed to safeguarding the confidentiality of Personal Data.
- e. We collaborate with supervisory authorities as needed.
- f. You'll be informed immediately of any issues impacting data processing or compliance.
- g. Should you face regulatory inspections or legal challenges, we're here to assist.
- h. Regular reviews of our processes and security measures ensure alignment with Applicable Data Protection Laws and protection of data subject rights.
- i. We'll confirm that our technical and organizational safeguards meet your monitoring requirements as outlined in Schedule 2 of this DPA.
8. Controller's Oversight Rights
8.1 Controllers are entitled, with a minimum 30-day advance notice and no more than once per year, to inspect or appoint an auditor for such inspection regarding adam.ai’s data processing practices. This right does not extend to third-party services utilized by adam.ai for achieving its operational goals. However, adam.ai ensures that any data processing by third parties complies with this DPA and all Applicable Data Protection Laws.
8.2 adam.ai commits to facilitating the Controller's ability to verify our adherence to data protection obligations as outlined by Applicable Data Protection Laws. Upon request, we will supply all necessary details promptly, including proof of the technical and organizational measures implemented, as detailed in Schedule 2.
8.3 To further substantiate compliance, adam.ai can present updated certifications, audit reports, or similar documentation from recognized independent authorities (like external auditors or the Compliance Lead). This serves as additional assurance that our data processing aligns with both the agreed-upon standards in this DPA and legal requirements.
9. Handling of Security Incidents
9.1 adam.ai is dedicated to aiding you, the Controller, in fulfilling legal responsibilities related to the safeguarding of Personal Data. This commitment involves:
- a. Implementing robust technical and organizational security measures, tailored to the nature of data processing and potential risks, to prevent and swiftly detect security incidents.
- b. Should a security breach occur, involving unauthorized or accidental disclosure, destruction, loss, alteration, or access to Personal Data, we will inform you immediately. Together, we'll strategize on securing the data and minimizing harm to affected individuals.
- c. In the event of a Security Breach, adam.ai pledges full cooperation. We'll share all necessary details, conduct thorough investigations, take steps to prevent further issues, and, with your consent, undertake actions to rectify the breach.
- d. We'll support you in fulfilling your duty to notify affected Data Subjects and relevant authorities about the breach, providing necessary information and assistance.
- e. adam.ai ensures that you receive all critical information about the breach promptly, aiding in your communication with impacted Data Subjects.
10. Controller's Directive Authority
10.1 adam.ai processes Personal Data strictly according to this DPA, our Terms of Service, and your directives as the Controller. You have the overarching authority to guide how data is processed, including specifying the nature, scope, and methods of processing. You convey your instructions through the selection of services, platform configurations, or directly via written or electronic communication.
10.2 We are committed to using your data solely for the purposes you specify and are strictly prohibited from sharing it with third parties without your explicit consent. The creation of unauthorized copies or duplicates of data is forbidden, except for necessary backup copies for data integrity or to fulfill legal retention requirements.
10.3 Should we anticipate that your instructions might conflict with Data Protection Laws, we'll notify you immediately. To ensure compliance, we'll await further direction from you before proceeding with any actions that may pose legal risks.
11. Management of Personal Data Post-Processing
11.1 Upon the conclusion of our services as outlined in our Agreement or upon your request, adam.ai commits to either deleting, anonymizing, or returning all your data and related materials within a timeframe not exceeding 30 days, unless otherwise specified. This includes any test data.
11.2 Should adam.ai directly receive any requests from Data Subjects exercising their rights under data protection laws (e.g., access, rectification, erasure), we will inform you promptly, ensuring legal compliance and enabling you to address the request directly.
11.3 adam.ai will provide technical and organizational support to help you fulfill any requests from Data Subjects, as required by law. However, the primary responsibility for data deletion rests with you, the Controller. We will align our deletion actions with the Terms of Service, ensuring we act only within the scope of our agreed responsibilities.
12. Indemnification
12.1 The Controller agrees to protect adam.ai against any liabilities, costs, and expenses arising from either a security breach caused by the Controller's actions or any failure to comply with applicable laws. Specifically:
- a. adam.ai will promptly inform the Controller of any legal claims related to data processing.
- b. adam.ai won't settle any claim without the Controller's agreement, except as required by law.
- c. The Controller has the right to manage legal defenses or settlements at its expense.
- d. This agreement does not limit the Controller's right to seek remedies for any negligence on the part of adam.ai or others.
adam.ai must notify the Controller of potential damages within 10 business days of becoming aware of them. The Controller is not liable for adam.ai's independent actions outside of the Controller's instructions.
12.2 adam.ai will cover any liabilities, costs, and expenses the Controller incurs due to data breaches or negligence by adam.ai, under these conditions:
- a. The Controller must inform adam.ai of any claims related to a security breach in a timely manner.
- b. adam.ai has the right to defend or settle claims at its own expense.
- c. adam.ai's financial liability is limited as described above.
- d. This provision does not affect adam.ai's right to defense against contributory negligence by the Controller or others.
12.3 Should a sub-processor cause a breach, adam.ai will enable the Controller to take necessary legal actions under the sub-processor's contract. adam.ai remains responsible for any breaches by its sub-processors or other third-party processors it appoints.
13. Sub-Processing
13.1 Sub-Processing, as defined in this DPA, excludes ancillary services like telecommunication and postal/transport services. Nonetheless, the Processor is committed to ensuring data protection and security for the Controller's data, even when these ancillary services are outsourced, by establishing legally binding contracts and conducting thorough inspections of sub-processors.
13.2 The Controller consents to the use of designated sub-processors, provided there's a contractual agreement aligning with Applicable Data Protection Laws.
13.3 For sub-processors outside the EEA, the Controller authorizes the Processor to engage in agreements using standard contractual clauses approved by the European Commission for data transfers to third countries, ensuring compliance with data protection standards.
13.4 The Processor can engage new sub-processors or change existing ones with prior notification to the Controller, who has ten (10) business days to object to these changes. Such objections should be reasonable, keeping in mind:
- a. Data transfers to sub-processors commence only after meeting all regulatory requirements.
- b. For services rendered outside the EU/EEA, the Processor ensures the sub-processor complies with Applicable Data Protection Laws.
- c. Sub-processors are bound by data protection obligations similar to those in this DPA, ensuring adequate technical and organizational measures are in place.
13.5 Before any data processing begins, the Processor conducts due diligence to confirm the sub-processor's capability to protect Personal Data as per DPA standards. Agreements with sub-processors include terms that provide the Controller with protection levels equivalent to this DPA, satisfying GDPR Article 28(3) requirements.
SCHEDULE 1: Description of Processing Activities
The Purpose
adam.ai is an all-in-one meeting management solution designed to streamline the meeting process, from scheduling to execution and follow-up, enhancing productivity and collaboration for teams and organizations. Our platform offers A) Meeting Analytics, B) Feedback Collection, and C) Direct Interviews to enable a comprehensive understanding and improvement of meeting practices.
- Meeting Analytics (Observe): This feature allows users to capture and analyze meeting dynamics, attendance, and engagement, providing insights into how meetings are conducted and how they can be optimized for efficiency.
- Feedback Collection (Ask): Through targeted surveys and feedback requests, this tool gathers input directly from meeting participants, offering a channel to express opinions and suggestions on meeting outcomes and processes.
- Direct Interviews (Engage): Facilitates the scheduling and conducting of one-on-one or group interviews, making it easier to dive deeper into specific feedback or explore new ideas that can influence future meeting strategies or product developments.
adam.ai is specifically tailored to elevate the meeting experience, enabling users to gain a deeper understanding of participant behavior and feedback within a collaborative environment. The ultimate goal is to leverage this data to improve the functionality and effectiveness of meetings, thereby enhancing overall productivity and user satisfaction.
For additional information on the types of data collected and the security measures in place to protect this data, please refer to the adam.ai Terms of Service and Privacy Policy.
SCHEDULE 2: Technical and Organizational Measures
The Processor guarantees the implementation of robust technical and organizational measures to safeguard Personal Data processed for the Controller against any form of accidental or unlawful compromise. This encompasses protection from unintended destruction, loss, alteration, unauthorized disclosures or access, especially in data transmission, and all illegal processing methods.
Key security strategies encompass:
- Measures to prevent unauthorized physical access to data processing facilities.
- Use of authentication systems like passwords to prevent unauthorized virtual access to data.
- Ensuring that only authorized personnel can access specific data sets.
- Securing the transfer of data to ensure confidentiality and integrity.
- Tracking and logging who inputs data into data processing systems, when, and why.
- Implementing systems to ensure data is always accessible when needed, including backup systems.
- Keeping data collected for different purposes distinctly separate.
The Processor commits to continuously upholding these standards, including all those specified within the Privacy & Security Help Center.
Upon the Controller’s request, the Processor will furnish evidence demonstrating adherence to these security commitments, such as agreements with data center providers showcasing compliance with these standards.
For the latest information on the advanced security measures adopted by our hosting provider, please visit GCP Security.