Data Processing Agreement

Introduction

This Data Processing Agreement (“DPA”) is entered into by and between KUGA AI LTD (“Processor,” “we,” “us,” or “our”), a Private Limited Company with Share Capital, registered in England under company number 16189235 and located at 128 CITY ROAD, LONDON, EC1V 2NX, UNITED KINGDOM, and the Client (“Controller,” “you,” “your,” or “Customer”), an entity or individual using KUGA AI LTD’s services under the terms of a Master Services Agreement, Subscription Agreement, or any similar contract (the “Principal Agreement”). This DPA forms part of the Principal Agreement. If any provision of this DPA conflicts with the Principal Agreement regarding the processing of personal data, this DPA prevails.

Purpose and Scope

This DPA governs the processing of personal data that the Controller provides or makes available to the Processor in connection with the services, platforms, and software (including chatbots) covered by the Principal Agreement (“Services”). The Processor processes personal data on behalf of the Controller according to the Controller’s instructions and in compliance with all applicable data protection and privacy legislation, including the UK General Data Protection Regulation, the Data Protection Act 2018, the EU General Data Protection Regulation 2016/679, and the California Consumer Privacy Act, along with any amendments or successors. By using or accessing the Services, the Controller agrees to the terms of this DPA.

Definitions

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller. “Processing” or “Process” refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, alteration, retrieval, use, disclosure, or erasure. “Sub-processor” means any third party appointed by the Processor to process Personal Data under the Controller’s instructions. “Data Subjects” include any individuals whose data is processed under this DPA, such as the Controller’s customers, employees, or other end users.

Roles and Responsibilities

The Controller acts as the entity that determines the purposes and means of processing Personal Data. The Processor acts solely on the Controller’s behalf and processes Personal Data strictly in accordance with the Controller’s instructions, unless applicable law requires otherwise. If the Processor believes an instruction violates any data protection law, it will inform the Controller. The Controller is responsible for ensuring it has the right to transfer or provide access to Personal Data for processing, and for providing any necessary notices or obtaining consents from Data Subjects as required by law.

Processing Activities

The Processor processes Personal Data only to the extent needed to perform the Services described in the Principal Agreement or any written agreement between the parties. Processing may include storing, recording, organizing, analyzing, transmitting, or deleting Personal Data to facilitate the operation of chatbots, lead management, analytics, or other features as requested by the Controller. The types of Personal Data may include names, email addresses, phone numbers, property preferences, and any additional data voluntarily submitted by end users. The Controller decides which categories of Data Subjects are involved (for example, prospects, clients, or employees).

Confidentiality and Security

The Processor ensures that individuals authorized to process Personal Data are bound by confidentiality obligations. Appropriate technical and organizational measures are maintained to protect Personal Data against unauthorized or unlawful processing, and against accidental loss, destruction, or damage. Such measures take into account the nature of the data, the risks involved, and the current state of technological development. If the Processor becomes aware of a confirmed data breach affecting Personal Data, it will notify the Controller without undue delay and provide reasonable assistance to investigate and address the breach as required by law.

Sub-processors

The Controller authorizes the Processor to engage Sub-processors as necessary to provide the Services. The Processor ensures that each Sub-processor is bound by contractual obligations that provide the same level of protection for Personal Data as those set out in this DPA. If the Controller objects to any new Sub-processor, the Processor will discuss alternative arrangements in good faith. A list of current Sub-processors is made available upon request.

International Transfers

If the Processor transfers Personal Data to a third country or international organization outside the UK or European Economic Area, it will ensure appropriate safeguards are in place, such as Standard Contractual Clauses or another lawful transfer mechanism. The Controller agrees that the Processor may transfer Personal Data internationally if necessary to perform the Services, subject to these safeguards.

Data Subject Rights

If a Data Subject submits a request to access, rectify, erase, or restrict the processing of their Personal Data under applicable law, and the Processor receives that request directly, the Processor will inform the Controller. The Processor will not act on such requests without the Controller’s prior written instruction, unless required by law. The Controller remains responsible for responding to Data Subject requests and for complying with any legal obligations relating to such requests.

Data Retention and Deletion

The Processor retains Personal Data only for as long as necessary to fulfill the purposes outlined in the Principal Agreement or to comply with legal requirements. Upon termination or expiration of the Principal Agreement, or upon the Controller’s request, the Processor will securely delete or return all Personal Data, unless applicable law requires its continued retention. If returning or deleting data is impossible or unreasonably burdensome, the Processor will take measures to prevent further processing of the data, except as required by law.

Audits and Compliance

The Processor makes available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. If the Controller requires an audit of the Processor’s relevant data processing activities, the Controller must provide reasonable notice and conduct the audit in a manner that does not disrupt the Processor’s normal business operations. Any third-party auditor must be mutually agreed upon and bound by confidentiality.

Liability

Liability under this DPA is subject to the exclusions and limitations set forth in the Principal Agreement. The Processor’s liability for breaches of this DPA will not exceed the limits agreed upon in the Principal Agreement, and nothing in this DPA should be interpreted to limit or exclude liability that cannot lawfully be limited or excluded.

Term and Termination

This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller under the Principal Agreement. Termination of the Principal Agreement automatically terminates this DPA, except for provisions that are intended to survive, such as confidentiality, liability, and obligations relating to Personal Data that remain in the Processor’s possession.

Miscellaneous

This DPA is governed by and construed in accordance with the laws specified in the Principal Agreement. Any dispute arising out of or in connection with this DPA is subject to the jurisdiction agreed upon in the Principal Agreement. If any provision of this DPA is found unenforceable, the remaining provisions remain in full force and effect.

Contact Information

For questions or concerns regarding this DPA or data protection matters, please contact KUGA AI LTD at:

Email: dpa@kuga.ai

Address: KUGA AI LTD, 128 CITY ROAD, LONDON, EC1V 2NX, UNITED KINGDOM

Phone: +44 330 1331 033

By using the Services under the Principal Agreement, the Controller acknowledges that it has read, understood, and agrees to this DPA. The parties affirm their acceptance of this DPA by continuing their contractual relationship regarding the Services.