Data Processing Addendum
Last Updated: May 05, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written agreement (in either case, the "Agreement") entered into between Automatan, Inc. ("Automatan") and you ("Customer") that incorporates this DPA by reference. This DPA governs the processing of Personal Data by Automatan in providing the Service as defined in the Agreement.
By entering into the Agreement and using the Service, Customer agrees to the terms of this DPA. In the event of a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls.
1. Definitions
1.1 "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to: the General Data Protection Regulation (EU) 2016/679 ("GDPR"); the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"); the Swiss Federal Act on Data Protection ("FADP"); U.S. state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); and any other applicable data protection or privacy law, in each case as amended, superseded, or replaced from time to time.
1.2 "Controller," "Processor," "Data Subject," "Processing" (and "Process"), "Supervisory Authority," and "personal data" each have the meaning given to them under Applicable Data Protection Law, as appropriate.
1.3 "Controller to Processor SCCs" means Module Two (transfer controller to processor) of the European Commission Implementing Decision (EU) 2021/914, as updated or replaced from time to time.
1.4 "European Data" means Personal Data that is subject to the protection of European Data Protection Laws.
1.5 "European Data Protection Laws" means (a) the GDPR; (b) the UK GDPR and Data Protection Act 2018; and (c) the Swiss FADP; in each case as amended, superseded, or replaced from time to time.
1.6 "Personal Data" means any information relating to an identified or identifiable natural person that is contained within Customer Data and that Customer submits to the Service, the extent of which is determined and controlled by Customer in its sole discretion.
1.7 "Personal Data Breach" means a confirmed breach of security of the Service or Automatan's systems leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Automatan. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.8 "Sensitive Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, or any other category of Personal Data afforded enhanced protection under Applicable Data Protection Law.
1.9 "Sub-processor" means any third-party Processor engaged by Automatan to process Personal Data on behalf of Customer.
1.10 "Sub-processor List" means Automatan's list of Sub-processors, available upon request or as maintained by Automatan and updated from time to time.
1.11 "Swiss Amendments" means the Controller to Processor SCCs with the modifications required to ensure compliance with the Swiss FADP, including references to the Swiss Federal Data Protection and Information Commissioner ("FDPIC") as the competent supervisory authority where applicable.
1.12 "UK Addendum" means the template Addendum B.1.0 issued by the UK Information Commissioner's Office and laid before Parliament in accordance with section 119A of the Data Protection Act 2018, in force from 21 March 2022, as updated or replaced from time to time.
1.13 "U.S. Privacy Laws" means all U.S. state privacy laws applicable to the processing of Personal Data under this DPA, including the CCPA/CPRA, Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and Utah Consumer Privacy Act.
All other capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement.
2. Description of Processing
For information about Automatan's controller-mode processing, see the Privacy Policy.
2.1 Categories of Data Subjects. As set out in Schedule 1.
2.2 Types of Personal Data. As set out in Schedule 1.
2.3 Subject-Matter and Nature of Processing. The subject-matter of processing of Personal Data by Automatan is the provision of the Service to Customer. Personal Data will be subject to those processing activities that Automatan needs to perform in order to provide the Service pursuant to the Agreement.
2.4 Purpose of Processing. Personal Data will be processed by Automatan solely for the purpose of providing the Service as set out in the Agreement and this DPA.
2.5 Duration of Processing. Personal Data will be processed for the duration of the Agreement, subject to Section 12 of this DPA.
3. Processing Requirements
3.1 Automatan will process Personal Data in its capacity as Processor (a) for the purpose of providing and supporting the Service in accordance with the Agreement, this DPA, and any other documented lawful instructions from Customer; (b) as otherwise required by Applicable Data Protection Law, in which case Automatan will inform Customer of such legal requirement before processing, unless prohibited from doing so by law. Automatan will at all times comply with Applicable Data Protection Law in processing Personal Data under the Agreement.
3.2 Automatan will not: (a) retain, use, or disclose Personal Data other than as provided in the Agreement or as necessary to perform the Service; (b) sell or share Personal Data as those terms are defined under U.S. Privacy Laws; (c) process Personal Data except as necessary for the business purposes specified in the Agreement or this DPA; or (d) use Personal Data to train, develop, fine-tune, or improve any general machine learning or artificial intelligence models, except as expressly agreed in a separate written instrument signed by both parties.
3.3 If Automatan cannot process Personal Data in accordance with Customer's instructions due to a legal requirement, Automatan will (a) promptly notify Customer in writing of such legal requirement before carrying out the relevant processing, to the extent permitted by applicable law, and (b) cease all processing (other than storing and maintaining the security of the affected Personal Data) until Customer provides new instructions.
3.4 Customer is solely responsible for (a) the accuracy, quality, and legality of Personal Data and the means by which Customer acquired it; (b) complying with all necessary transparency and lawfulness requirements under Applicable Data Protection Law, including obtaining any necessary consents and authorizations; (c) ensuring Customer has the right to transfer or provide access to Personal Data to Automatan for processing in accordance with the Agreement; and (d) ensuring that Customer's instructions to Automatan regarding the processing of Personal Data comply with Applicable Data Protection Law.
3.5 Customer is responsible for independently determining whether the data security provided for in the Service adequately meets Customer's obligations under Applicable Data Protection Law. Customer represents, warrants, and covenants that it will only transfer Personal Data to Automatan using secure, reasonable, and appropriate mechanisms.
3.6 The Service is not intended or designed for the processing of Sensitive Data, and Customer agrees not to submit any Sensitive Data through the Service unless expressly agreed in writing by Automatan. The parties agree that Customer provides Personal Data to Automatan as a condition precedent to Automatan's performance of the Service and that Personal Data is not exchanged for monetary or other valuable consideration.
4. Security
Automatan will implement and maintain throughout the term of the Agreement reasonable and appropriate technical and organizational measures designed to protect Personal Data against unauthorized or accidental access, loss, alteration, disclosure, or destruction, as further described in Schedule 2 of this DPA. Automatan will provide reasonable assistance to Customer in conducting any legally required data protection impact assessments with respect to Automatan's processing of Personal Data, if required by Applicable Data Protection Law, taking into account the nature of the processing and the information available to Automatan.
5. Security Incidents
If Automatan becomes aware of a Personal Data Breach, Automatan will (a) notify Customer without undue delay, and not later than seventy-two (72) hours after Automatan becomes aware of the Personal Data Breach, and (b) make reasonable efforts to identify the cause of the Personal Data Breach, mitigate its effects, and remediate the cause to the extent within Automatan's reasonable control. Upon Customer's request, and taking into account the nature of the applicable processing, Automatan will assist by providing information reasonably necessary for Customer to meet its breach notification obligations under Applicable Data Protection Law. Automatan's notification of a Personal Data Breach is not an acknowledgment of fault or liability.
6. Confidentiality
Automatan will ensure that all personnel authorized to process Personal Data are subject to binding obligations of confidentiality, whether by contract or by operation of law, and will process Personal Data only to the extent necessary to provide the Service.
7. Data Subject Requests
Customer is responsible for handling any requests or complaints from Data Subjects with respect to their Personal Data processed by Automatan under this DPA. If Automatan receives a request directly from a Data Subject relating to Personal Data processed under Customer's account, Automatan will notify Customer and advise the Data Subject to submit the request to Customer. Customer will be responsible for responding to any such request. Taking into account the nature of the processing, Automatan will provide reasonable assistance to Customer to enable Customer to fulfill its obligations to respond to Data Subject requests under Applicable Data Protection Law.
8. Audits
8.1 To the extent necessary and required by Applicable Data Protection Law, Customer may, at Customer's sole expense, conduct a reasonable audit pursuant to a mutually agreed-upon audit plan with Automatan that is consistent with the requirements of this Section 8.
8.2 Customer may exercise such audit right: (a) to the extent Automatan's provision of third-party audit reports (such as SOC 2 Type II reports) does not provide sufficient information to verify Automatan's compliance with this DPA; and (b) where required by Applicable Data Protection Law or a relevant government authority.
8.3 Each such audit must: (a) be conducted by Customer or through a third-party auditor that enters into a confidentiality agreement with Automatan; (b) be limited in scope to matters reasonably required to assess Automatan's compliance with this DPA and Applicable Data Protection Law; (c) occur no more than once annually unless required by Applicable Data Protection Law; (d) cover only processing facilities directly controlled by Automatan; (e) restrict findings to Customer's Personal Data only; and (f) treat any results as Automatan's Confidential Information.
9. Sub-processors
9.1 Customer provides a general authorization for Automatan to engage the organizations listed on the Sub-processor List (each a "Sub-processor") to help process Personal Data in connection with the Service.
9.2 Subject to the limitations of liability in the Agreement, Automatan will remain liable for the acts and omissions of its Sub-processors to the same extent Automatan would be liable under this DPA if it performed such acts or omissions itself.
9.3 Automatan will maintain a current Sub-processor List, including Sub-processors' functions and locations, as specified in the Sub-processor List.
9.4 Automatan may update the Sub-processor List from time to time. In the event of any update, Automatan will provide fourteen (14) days' advance written notice, which may be via email, a posting, or other reasonable means.
9.5 If Customer does not wish to consent to the use of a new Sub-processor, Customer may notify Automatan within fourteen (14) days of receiving such notice, stating the reasonable grounds for objection. The parties will discuss such concerns in good faith.
9.6 If the parties are unable to reach a mutually agreeable resolution, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service for convenience, and Automatan will refund any prepaid, unused fees covering the period following the effective date of termination.
10. Data Transfers
10.1 In connection with the performance of the Agreement, Customer authorizes Automatan to transfer Personal Data internationally, including to the United States and other jurisdictions where Automatan and its Sub-processors have operations. Whenever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with Applicable Data Protection Law.
10.2 To the extent Automatan receives European Data, Automatan will comply with the following:
10.2.1 Standard Contractual Clauses. To the extent a transfer of European Data requires a lawful transfer mechanism under Applicable Data Protection Law, the applicable Standard Contractual Clauses will be incorporated by reference and form part of this DPA as follows:
- the Controller to Processor SCCs where the transfer is subject to the GDPR and Automatan acts as Customer's Processor;
- the Swiss Amendments where the transfer consists of Personal Data originating from Switzerland; and
- the UK Addendum where the transfer is subject to the UK GDPR.
10.2.2 For the Controller to Processor SCCs, the following options apply: (a) the optional docking clause in Clause 7 does not apply; (b) in Clause 9, Option 2 (general written authorization) applies; (c) in Clause 11, the optional language does not apply; (d) in Clause 17, the SCCs are governed by the law of the Republic of Ireland; (e) in Clause 18, disputes will be resolved before the courts of the Republic of Ireland; (f) Schedule 1 of this DPA contains the information required in Annex I of the SCCs; and (g) Schedule 2 of this DPA contains the information required in Annex II of the SCCs.
10.2.3 For UK transfers under the UK Addendum: (a) the information required for Table 1 is contained in Schedule 1 of this DPA; (b) the version of the EU Clauses to which the UK Addendum applies is Module Two (Controller to Processor); (c) the list of parties, description of transfer, technical and organizational measures, and Sub-processor list are as set out in Schedule 1, Schedule 2, and Section 9 of this DPA respectively; and (d) neither party may terminate the UK Addendum under clause 19 of Part 2 of the UK Addendum.
11. Information and Assistance
11.1 Automatan will make available its privacy and security policies and such other information as is reasonably necessary to demonstrate compliance with the obligations set out in this DPA, upon Customer's reasonable written request. Automatan will respond to reasonable written requests for compliance information within thirty (30) days unless a shorter period is required by Applicable Data Protection Law.
11.2 Taking into account the nature of the applicable processing, Automatan will assist Customer in fulfilling Customer's obligations under Applicable Data Protection Law to carry out data protection impact assessments related to Customer's use of the Service, including, if required, by assisting with consultations with relevant Supervisory Authorities.
11.3 If a law enforcement agency sends Automatan a demand for Personal Data, Automatan will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose Personal Data to a law enforcement agency, Automatan will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, to the extent Automatan is legally permitted to do so.
12. Data Return and Deletion
Promptly following termination or expiration of the Agreement, Automatan will, at Customer's election made within twenty-eight (28) days of termination, either return Customer's Personal Data in a commonly used machine-readable format or securely delete it, unless Applicable Data Protection Law requires retention of all or part of the Personal Data. Residual copies may remain in backup systems for up to ninety (90) days following deletion from active systems, after which they will be deleted in accordance with Automatan's backup retention schedules.
13. U.S. Privacy Law Requirements
To the extent U.S. Privacy Laws apply, Automatan agrees to: (a) not provide Customer with monetary or other valuable consideration in exchange for Personal Data; (b) not sell or share Personal Data as those terms are defined under U.S. Privacy Laws; (c) not retain, use, disclose, or otherwise process Personal Data except as necessary for the business purposes specified in the Agreement; (d) not retain, use, disclose, or otherwise process Personal Data outside of the direct business relationship between Automatan and Customer; (e) not combine Personal Data with personal data received from other sources except as permitted under U.S. Privacy Laws or as directed by Customer; and (f) notify Customer without undue delay if Automatan determines it can no longer meet its obligations under applicable U.S. Privacy Laws.
Customer agrees not to take any action that would render the provision of Personal Data to Automatan a "sale" or "share" under U.S. Privacy Laws or that would render Automatan not a "service provider" or "processor" under U.S. Privacy Laws.
14. Modifications
Automatan may update this DPA from time to time as required to comply with changes in Applicable Data Protection Law, Supervisory Authority guidance, or changes to Automatan's Sub-processors or security measures. Automatan will provide Customer with reasonable notice of material changes. Continued use of the Service after the effective date of any update constitutes acceptance of the revised DPA.
Schedule 1 — List of Parties and Description of Transfer
Data Exporter:
Name: Customer (as identified in the Agreement)
Address: As detailed in the Agreement or Order Form
Contact: As detailed in the Agreement or Order Form
Activities relevant to the transfer: Receipt and use of the Service
Role: Controller (or Processor where Customer processes Personal Data on behalf of its own customers)
Data Importer:
Name: Automatan, Inc.
Address: 4695 Chabot Drive #200, Pleasanton, CA 94588 USA
Contact: legal@automatan.ai
Activities relevant to the transfer: Provision of the Service
Role: Processor
Description of Transfer
Categories of Data Subjects: Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion, and which may include Personal Data relating to: Customer's employees, contractors, representatives, and Authorized Users; and individuals whose Personal Data is contained in Customer Data submitted to the Service, including Customer's customers, candidates, clients, partners, and other third parties.
Categories of Personal Data: Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion, and which may include: identifiers such as name, email address, phone number, and account identifiers; professional or employment-related data such as job title and work history; communication data such as messages and email content submitted through the Service; user-generated content such as documents, files, prompts, and inputs; technical data such as IP addresses, device identifiers, and usage logs; and any other Personal Data included in Customer Data submitted to the Service.
Sensitive Data: None. Customer is prohibited from submitting Sensitive Data to the Service under the terms of the Agreement unless otherwise expressly agreed in writing by Automatan.
Frequency of Transfer: Continuous, depending on Customer's use of the Service.
Nature and Purpose of Processing: The performance of the Service pursuant to the Agreement, including AI-powered automation, data transformation, workflow processing, and related functionality.
Retention Period: For the duration of the Agreement and the post-termination period set out in Section 12 of this DPA.
Sub-processors: As set out in Automatan's Sub-processor List, available upon request.
Competent Supervisory Authority: The competent Supervisory Authority will be determined in accordance with the GDPR and applicable national law based on Customer's establishment or, where Customer is not established in the EEA, based on the location of Customer's Data Subjects. Where Customer is established in the UK, the competent authority is the UK Information Commissioner's Office (ICO).
Schedule 2 — Technical and Organizational Measures
Automatan will maintain the following administrative, physical, and technical safeguards for the Service. All capitalized terms not defined herein have the meanings set forth in the DPA.
1. Security Governance
Automatan maintains an information security program designed to: (a) protect Customer Personal Data against accidental or unlawful loss, access, or disclosure; (b) identify reasonably foreseeable internal and external risks to security; and (c) minimize security risks through risk assessment and regular testing. Automatan's security program covers application security, infrastructure security, monitoring and incident response, vulnerability management, governance and compliance, and security awareness training.
2. Access Control
2.1 Preventing Unauthorized Access. Automatan hosts the Service using third-party cloud infrastructure providers subject to contractual data protection and security obligations. Access to the Service requires authentication. Automatan supports multi-factor authentication and recommends that all Customers enable it on their accounts. Authorization controls are designed to ensure that only appropriately assigned individuals can access relevant features and data. API access is managed via API keys or OAuth, with credentials stored in encrypted form.
2.2 Preventing Unauthorized Use. Automatan implements network access controls to prevent unauthorized protocols from reaching production infrastructure, including VPC implementations and firewall rules. Automatan conducts static code analysis, annual penetration testing, and maintains a vulnerability disclosure program.
2.3 Limitations of Privilege. Access to Customer Personal Data is limited to Automatan personnel who require such access to provide the Service, provide support, or respond to security incidents. All such personnel are required to execute confidentiality agreements and comply with Automatan's security policies. Automatan conducts background checks on relevant personnel to the extent permitted by applicable law.
3. Encryption
Customer Personal Data is encrypted in transit using TLS 1.2 or higher. Customer Personal Data is encrypted at rest using industry-standard encryption where technically supported.
4. Logging and Monitoring
Automatan maintains extensive logging of system behavior, access, authentication events, and application activity. Internal systems aggregate log data and alert relevant personnel of potentially malicious or anomalous activities. Automatan maintains records of known security incidents and follows documented response and resolution procedures.
5. Data Deletion and Portability
Automatan enables Customers to delete their accounts and export or delete their data in a manner consistent with the functionality of the Service, as further described in the Agreement and this DPA.
6. Availability and Business Continuity
The Service is designed to ensure redundancy and minimize single points of failure. Automatan maintains and regularly tests business continuity and disaster recovery programs. Infrastructure providers are selected for their resilience and availability standards.
7. Sub-processor Management
Automatan conducts appropriate due diligence on each Sub-processor before engagement and requires Sub-processors to maintain technical and organizational measures consistent with this Schedule 2 and the obligations in this DPA.
This DPA is automatically incorporated into Automatan's Terms of Service. By accepting the Terms of Service, you agree to the terms of this DPA. If you require a countersigned copy for your records, please contact legal@automatan.ai.