Data Processing Addendum

In the course of providing its services, Aiquire Inc., Pixis AI Inc., Leapus Technologies Private Limited, and their respective Affiliates providing the Services under the applicable Agreement (collectively, “Pixis” or the “Pixis Group”) may process Personal Data on behalf of Customer. The Pixis Group entity identified in the applicable Order Form or Agreement shall be deemed the contracting entity responsible for the provision of the applicable Services under such Agreement (“Contracting Entity”). References to “Pixis” in this DPA shall include the applicable Contracting Entity and its Affiliates involved in the provision, support, hosting, processing, infrastructure, security, administration, or operation of the Services. The parties acknowledge that Pixis products are designed primarily for business analytics, workflow automation, campaign optimization, reporting, intelligence and software functionality, and are not primarily designed to require Personal Data. However, Personal Data may be processed incidentally depending on Customer-provided datasets, integrations, configurations, user inputs or workflows. This Data Processing Addendum (“DPA”) is incorporated by reference as part of the master services agreement (or other agreement for the purchase of Pixis’s services, hereinafter collectively “Agreement”) between Customer and Pixis.
This DPA reflects the parties’ agreement with regard to the Processing of Personal Data, in accordance with the requirements of Data Protection Legislation. This DPA shall not replace any additional rights relating to Processing of Personal Data previously negotiated by Customer in the Agreement. 

This DPA will terminate automatically upon termination of the Agreement, or as earlier terminated pursuant to the terms of this DPA. 

This DPA consists of two parts: 
A.    Data Processing Terms 
B.    Standard Contractual Clauses  

A.    DATA PROCESSING TERMS

1.    DEFINITIONS 
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. 
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data. 
“Customer Data” means any data, content or information submitted to, stored in, sent through or otherwise made available to the Services by or on behalf of Customer, including any Personal Data.
“Data Protection Legislation” means all laws and regulations, including laws and regulations applicable to the Processing of Personal Data under the Agreement. 
“Data Subject” means the individual to whom the Personal Data pertains. 
“Non-Personal Data” means information that does not identify an individual directly. It includes data that has been anonymized or aggregated to the extent that it no longer relates to an identifiable person. This type of data is typically used for statistical, analytical, or research purposes, and it is devoid of any personal identifiers such as names, addresses, or specific locations that could tie it back to an individual. 
“Personal Data” means “personal data,” “personally identifiable information” or an equivalent term, as defined by applicable Data Protection Legislation to the extent such data or information is accessed, collected, stored, transmitted, processed, hosted, used, handled, or disposed of by Pixis in connection with the Agreement. 
“Personal Data Breach” means a failure of Pixis’s security controls leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Pixis’s possession, custody or control, to the extent the breach materially compromises the confidentiality, security or integrity of the Personal Data. 
“Processing” means any operation or set of operations which is performed by or on behalf of Pixis in connection with the Agreement upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. 
“Processor” means the entity which Processes Personal Data on behalf of the Controller; where the entity Processes the Personal Data pursuant to the Controller’s instructions and solely to provide the Services. 
“Services” shall mean Pixis’s customer experience and Pixis platform, provided as SaaS, and any required, usual, appropriate or acceptable activities relating to the Services, including without limitation to (a) carry out the Services or the business of which the Services are a part, (b) carry out any benefits, rights and obligations relating to the Services, (c) maintain records relating to the Services, or (d) comply with any legal or self-regulatory obligations relating to the Services. 
“Sub-processor” means any Processor engaged by Pixis, the Contracting Entity, or any Pixis Affiliate in connection with the provision of the Services.
“Users” shall mean Customer’s, Customer’s Affiliates’ and Customer’s contractors’ employees, entitled to use the Services under the Agreement.

2.    DATA PROCESSING

2.1.    The parties acknowledge and agree that with regard to the Processing of Personal Data, 
-    The applicable Contracting Entity and/or applicable Pixis Affiliates involved in the Processing of Personal Data are the Processor(s); and 
-    Customer and/or the Customer Affiliate which determines the purposes and means of the Processing of Personal Data, is the Controller.

2.2.    The parties shall each comply with their respective obligations under the Data Protection Legislation. Customer shall, in its use of the Services, Process Personal Data or Non-Personal Data in accordance with the requirements of Data Protection Legislation. Customer acknowledges that it determines the nature and scope of any Personal Data shared with Pixis and is responsible for ensuring that such disclosure is compliant with applicable Data Protection Legislation.

2.3.    Customer’s instructions for the Processing of Personal Data or financial data shall comply with Data Protection Legislation. Pixis shall inform Customer immediately if, in Pixis’s opinion, an instruction from Customer violates Data Protection Legislation.

2.4.    Pixis, including the applicable Contracting Entity and Pixis Affiliates involved in the provision of the Services, shall process Personal Data only on documented instructions of Customer and solely to the extent necessary to: (i) provide the Services under the Agreement; (ii) enable features configured or requested by Customer; (iii) respond to support or operational requests; (iv) maintain security, integrity, fraud prevention and service administration; (v) comply with applicable law; or (vi) carry out other documented instructions that are lawful and consistent with the Agreement. Pixis does not independently determine the purposes of processing Customer Personal Data except where required for legal compliance, security, billing, abuse prevention or core service administration. Pixis shall not sell Customer Personal Data.

2.5.    Pixis shall take reasonable steps to instruct and train any of its and/or its Sub-processors’ employees who have access to Personal Data to maintain the confidentiality and security of the Personal Data and shall limit access to Personal Data on a need-to-know basis in case any Personal Data is processed. Pixis shall ensure that access to Personal Data is restricted to personnel who require such access for the provision of the Services and that such personnel are subject to appropriate confidentiality obligations.

2.6.    Customer is solely responsible for: (a) determining whether use of the Services is appropriate for its intended processing activities; (b) providing all notices required by applicable law; (c) obtaining all rights, permissions and consents required for Personal Data submitted to the Services; (d) ensuring the legality, quality and accuracy of Customer Data; (e) deciding whether to upload special category / sensitive data; and (f) configuring the Services in accordance with Customer’s compliance obligations.

2.7.    Where Customer elects to use AI-enabled features: (a) Customer is responsible for ensuring it has all necessary rights and legal bases to submit prompts, inputs and Customer Data; (b) Pixis may use approved subprocessors or technology providers to generate outputs; (c) outputs may be probabilistic, incomplete or inaccurate and require human review; (d) Customer remains responsible for decisions, actions and use of outputs; and (e) Pixis will not use Customer Content to train generalized public AI models unless expressly agreed in writing.

2.8.     Pixis shall implement reasonable safeguards designed to prevent unauthorized access to Customer Personal Data processed through AI-enabled functionality and shall contractually require applicable subprocessors supporting such functionality to maintain appropriate confidentiality and security obligations.

2.9.    Where Customer uses the Services in connection with advertising, audience management, lead activation, CRM enrichment or marketing operations, Customer remains solely responsible for ensuring it has all rights, notices and consents necessary for the relevant Personal Data and processing activities.

3.    DATA SUBJECTS’ RIGHTS REQUESTS

3.1.    Pixis shall, to the extent legally permitted, promptly notify Customer if Pixis receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“DSR Request”).

3.2.    Taking into account the nature of the Processing, Pixis shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a DSR Request under Data Protection Legislation.

3.3.    To the extent Customer, in its use of the Services, does not have the ability to address a DSR Request, Pixis shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such a DSR Request, to the extent Pixis is legally permitted to do so and the response to such DSR Request is required under Data Protection Legislation. To the extent legally permitted, Customer shall only be responsible for reasonable and documented costs incurred by Pixis in providing assistance relating to unusually burdensome, repetitive, excessive or technically complex DSR Requests that materially exceed the standard functionality of the Services.

4.     DATA PROTECTION IMPACT ASSESSMENTS 
Pixis shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with a competent data protection supervisory authority, required under Data Protection Legislation, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, Pixis.

5.    PERSONAL DATA BREACH NOTIFICATION

5.1.    Pixis shall notify Customer without undue delay and, where feasible, no later than forty-eight (48) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification shall include information reasonably available to Pixis regarding: (a) the nature of the Personal Data Breach; (b) the categories of affected data; (c) the likely consequences of the incident; and (d) remediation or mitigation measures taken or proposed by Pixis. Where complete information is not immediately available, Pixis may provide information in phases as additional details become reasonably available.

5.2.    Pixis shall make reasonable efforts to identify the cause of a Personal Data Breach and take those steps as Pixis deems necessary and reasonable in order to remediate the cause of such a Personal Data Breach to the extent the remediation is within Pixis’s reasonable control.

5.3.    The obligations herein shall not apply to incidents that are caused by Customer. 

6.    SECURITY AND OTHER SUPPLEMENTARY MEASURES

6.1.    Pixis shall maintain and implement reasonable and appropriate technical and organizational measures (“TOMs”) designed to protect the security, confidentiality and integrity of Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, alteration or disclosure. Such measures shall be appropriate to the nature of the Services, the scope of Processing, the state of the art, implementation costs, and the risks presented by the Processing. Pixis’s current Technical and Organizational Measures are described in Exhibit A (Security Measures and Technical Safeguards), which may be updated from time to time provided that such updates do not materially diminish the overall security posture of the Services.

6.2.    If Pixis receives a legally binding request from a government authority for Customer Personal Data, Pixis will, where legally permitted, use reasonable efforts to redirect the requester to Customer or notify Customer before disclosure.

6.3.    Upon reasonable written request and subject to confidentiality obligations, Pixis may make available summaries of relevant security documentation, audit reports, certifications, penetration testing summaries or similar materials reasonably necessary to demonstrate compliance with this DPA.

7.    DELETION OR RETURN OF PERSONAL DATA

7.1.    Pixis shall delete the Personal Data upon termination/expiry of the Agreement as specified in the Agreement or upon Customer’s reasonable request at any time. Where Personal Data has been processed incidentally as part of Customer-provided datasets, deletion shall be effected in accordance with standard system processes and data retention practices applicable to the Services. Pixis may retain Personal Data to the extent required by applicable laws and only to the extent and for such period as required by the applicable laws and always provided that Pixis shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

7.2.    Upon termination or expiry of the Agreement, and upon Customer’s written request, Pixis shall, within a commercially reasonable period not exceeding thirty (30) days unless otherwise agreed in writing: (a) return Customer Personal Data in a commonly used electronic format where reasonably feasible; and/or (b) securely delete or render inaccessible Customer Personal Data remaining in Pixis’s systems. Notwithstanding the foregoing, Pixis may retain Personal Data: (a) as required by applicable law; (b) pursuant to standard backup or archival retention practices; (c) for security, fraud prevention, dispute resolution or compliance purposes; or (d) where technically infeasible to immediately delete from backup systems, provided that any retained Personal Data shall remain protected in accordance with this DPA and shall not be further Processed except as permitted under applicable law.

8.    AUDITS AND INSPECTIONS

8.1.    Customer audit rights shall first be satisfied through documentation reasonably provided by Pixis, including security summaries, certifications, independent audit reports or questionnaire responses.
8.2.    If such materials are insufficient and Customer is legally required to conduct further review, Customer may request a limited audit no more than once annually upon at least forty-five (45) days’ prior written notice.
8.3.    Audits shall be limited in scope, non-disruptive, subject to confidentiality obligations, and may not include access to other customers’ data, source code, penetration testing or unrestricted physical access.
8.4.    Customer shall bear its own audit costs and reimburse Pixis for reasonable internal costs incurred in supporting such audit.
8.5.    Customer may not exercise audit rights more than once in any twelve-month period except following a confirmed material security incident affecting Customer Personal Data.

9.    LIABILITY

9.1.    To the maximum extent permitted by applicable law, indirect, incidental, consequential, punitive and special damages are excluded to the same extent as under the Agreement. Except as expressly stated otherwise in this DPA, each party’s aggregate liability arising out of or related to this DPA shall remain subject to the limitations of liability and exclusions set forth in the Agreement, and any reference in the Agreement to a party’s liability shall include liability arising under this DPA. Notwithstanding the foregoing, nothing in this DPA or the Agreement shall limit or exclude either party’s liability to Data Subjects or competent supervisory authorities to the extent such limitation or exclusion is prohibited under applicable Data Protection Legislation, including the 2021 EU Standard Contractual Clauses. Nothing in this DPA shall be construed to restrict or prejudice the rights of Data Subjects under applicable Data Protection Legislation.

9.2.    For the avoidance of doubt, the total aggregate liability of the applicable Contracting Entity and the Pixis Group for all claims from the Customer and all of Customer’s Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all Customer’s Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any of Customer’s Affiliates that is a contractual party to any such DPA.


9.3.    Where a Data Subject asserts any claims against a party to this DPA in accordance with applicable Data Protection Legislation, the other party shall support in defending against such claims, where possible.

10.    INTERNATIONAL PERSONAL DATA TRANSFERS

10.1.    Customer acknowledges and accepts that Pixis’s provision of Pixis Services under the Agreement may involve the transfer of Personal Data to, or the Processing of Personal Data in, locations outside of the EEA, or UK, including to the United States or any other country in which Pixis, Pixis Affiliates, Subprocessors, infrastructure providers, hosting providers, and service providers engaged by Pixis in connection with the Services. Customer agrees that such transfers are permitted, provided that they comply with Data Protection Legislation and are consistent with the safeguards included in this Section 13.

10.2.    Pixis is an active participant in the EU-US Data Privacy Framework and agrees to maintain its participation in the EU-US Data Privacy Framework. Customers may choose to rely on the EU-US Data Privacy Framework as an adequate method of transferring Personal Data to Pixis. To the extent the EU-US Data Privacy Framework is invalidated, the parties will instead rely on the attached 2021 EU SCCs as set out in the following clauses.

10.3.    The attached 2021 EU SCCs shall apply to any transfers of Personal Data under this DPA from the European Economic Area or where EU Data Protection Legislation or Swiss Data Protection Legislation applies to the Customer or Customer’s Affiliate making the transfer and where such transfer is made to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Legislation of the foregoing territories, to the extent such transfers are subject to such Data Protection Legislation.  

10.4.    Where legally recognized transfer mechanisms are available, including adequacy decisions, the EU-U.S. Data Privacy Framework, EU Standard Contractual Clauses, the UK International Data Transfer Addendum, Swiss addenda or successor mechanisms, Pixis may rely on any lawful mechanism reasonably selected by Pixis.

10.5.    In the event of any conflict or inconsistency between this DPA and the 2021 EU SCCs, the 2021 EU SCCs shall prevail.


11.    SUBPROCESSORS

11.1.    Customer grants general authorization for Pixis to engage subprocessors. Pixis shall maintain a current list of material subprocessors available upon request or by online notice. Pixis shall impose data protection obligations on subprocessors that are materially protective of Personal Data. Pixis may update subprocessors from time to time and will provide notice of material changes through a website posting, portal notice or email.

11.2.    The applicable Contracting Entity shall remain responsible for the acts and omissions of Subprocessors and will remain liable to the Customer for the acts and omissions of Pixis’s Subprocessors to the extent they relate to the provision of the Pixis Services to the Customer, consistent with the limitations of liability set forth in the Agreement.

11.3.    Customer may object to a new subprocessor on reasonable data protection grounds by written notice within fifteen (15) days of notice. The parties will work in good faith to address the concern.

12.    CCPA

12.1.    This section shall only apply where the CCPA is applicable to the Parties. For purposes of this Section 12, the terms “Commercial Purpose,” “Sell,” “Service Provider,” and “Share” shall have the respective meanings given thereto in the CCPA, and “Personal Information” shall mean Personal Data that constitutes Personal Information governed by the CCPA.

12.2.    It is the Parties’ intent that with respect to any Personal Information, Pixis is the Service Provider.

Pixis (i) acknowledges that Personal Information is disclosed by Customer only for limited and specified purposes described in the Agreement; (ii) shall comply with applicable obligations under the CCPA, and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (iii) agrees that Customer has the right to take reasonable and appropriate steps under Section 9 of the DPA to help ensure that Pixis’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (iv) shall notify Customer in writing of any determination made by Pixis that it can no longer meet its obligations under the CCPA; and (v) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate use of Personal Information.

12.3.    Pixis shall not (i) Sell or Share any Personal Information; (ii) retain, use, or disclose any Personal Information for any purpose other than for the specific Business Purpose of providing the Pixis Services under and in accordance with this Agreement, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than the Business Purpose of providing the Pixis Services or as otherwise permitted by the Agreement or applicable law; (iii) retain, use, or disclose the Personal Information outside of the direct business relationship between Customer and Pixis; or (iv) combine Personal Information received pursuant to the Agreement with Personal Information (a) received from or on behalf of another person or (b) collected from Pixis’s own interaction with any Consumer to whom such Personal Information pertains, except as otherwise permitted under the Agreement or Applicable Law.

12.4.    Customer agrees that Pixis notifying Customer of Subprocessor engagements in accordance with Section 11 of this DPA shall satisfy Pixis’s obligation under the CCPA to give notice of such engagements.

12.5.    The Parties acknowledge that Pixis’s retention, use, and disclosure of Personal Information authorized by Customer’s instructions documented in the DPA are integral to the provision of the Pixis Services and the business relationship between the Parties.


13.    CHANGE IN LAWS

Pixis may, on notice, amend this DPA to the extent reasonably necessary to address the requirements of Data Protection Legislation, including by replacing the relevant SCCs with (i) any new form of the relevant SCCs or any replacement thereof prepared and populated accordingly, or (ii) another transfer mechanism, other than the SCCs. 
 

 

 

 

 

 

B. PARTIES AND DATA PROCESSING DETAILS 

LIST OF PARTIES

Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union.

Name: Customer name as per the Agreement

Address: Customer address as per the Agreement

Contact Person’s name, position, and contact details: Customer contact as per the Agreement

Activities Relevant to the data transferred under these Clauses: The data exporter is a customer of Pixis receiving the Services under the Agreement.

Role (controller/processor): As per section 2.1 of this DPA.

Data importer(s): Identity and contact details of the data importer(s) and, where applicable, of its/their data protection officer and/or representative in the European Union.

Name: The applicable Pixis Group entity identified in the relevant Agreement or Order Form, together with applicable Pixis Affiliates involved in the Processing activities.

Address: The applicable Pixis Group entity identified in the relevant Agreement or Order Form, together with applicable Pixis Affiliates involved in Processing activities.

Contact Person’s name, position, and contact details: Praveen Madhavan Pillai - IT Security and Privacy Compliance Officer. Email: praveen.madhavanpillai@pixis.ai

Role (controller/processor): Processor

DETAILS OF PROCESSING AND DESCRIPTION OF TRANSFER

Categories of Data Subjects: Customers, prospective customers, website users, and other individuals whose data may be included within Customer-provided datasets (including CRM systems, advertising platforms, or analytics tools), to the extent such data is made available by Customer.

Categories of Personal Data: Personal Data may be included incidentally within Customer-provided datasets and may, where applicable, include:

  • Identifiers (e.g., name, email address, customer ID)

  • Contact information

  • Customer transaction and revenue data

  • Customer engagement, behavioural, and interaction data

  • Marketing, campaign performance, and attribution data

  • Online identifiers (e.g., cookie IDs, device identifiers, where applicable)

Special Categories of Data, Sensitive Data and Safeguards: N/A

Technical and Organizational Measures

Confidentiality

Security Incident Response

Data Transfer

Data Subject Rights

Frequency of Transfer: Continuous (as required for provision of the Services)

Nature of Processing: Processing is limited and incidental in nature and arises solely to the extent Personal Data is embedded within Customer-provided datasets.

Such Processing may include access, retrieval, organisation, aggregation, and analysis of data for the purpose of enabling platform functionality and generating insights, diagnostics, and recommendations.

Processing is primarily read-only in nature and does not involve execution of campaigns or modification of Customer systems.

Purpose of Processing: To enable the provision of the Services, including platform-based analytics, diagnostic analysis, and advisory outputs, based on Customer-provided datasets.

Pixis does not require Personal Data for the standalone operation of its platform and does not independently determine the purposes for which such Personal Data is processed.

Duration of Processing/Retention Period: Personal Data shall be processed for the duration of the Agreement and retained only for as long as necessary to provide the Services, or as required under applicable law.

Where Personal Data is processed incidentally as part of Customer-provided datasets, retention shall be aligned with standard system processes and applicable data retention practices.


C. 2021 EU STANDARD CONTRACTUAL CLAUSES 

 

“Standard Contractual Clauses” means with respect to Switzerland, the standard contractual clauses adopted by the European Commission 4, 2021, the text of which is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (“EU Standard Contractual Clauses”), and with respect to the United Kingdom, the EU Standard Contractual Clauses supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, the text of which is available at: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf (“International Data Transfer Addendum”) (together with the EU Standard Contractual Clauses, the “UK Standard Contractual Clauses”), including any updated, amended, or subsequent version thereof approved by the respective data protection authority.

EXHIBIT A

Technical and Organizational Measures

Pixis maintains administrative, technical and organizational security measures designed to protect Personal Data, including measures relating to:

Access Controls:

  1. role-based access management; 

  2. least-privilege principles; 

  3. authentication and credential controls; 

  4. periodic access reviews. 

Infrastructure & Network Security:

  1. cloud security controls; 

  2. network segmentation where appropriate; 

  3. firewall protections; 

  4. endpoint monitoring. 

Encryption:

  1. encryption in transit using industry-standard protocols; 

  2. encryption at rest where applicable and technically feasible. 

Logging & Monitoring:

  1. audit logging; 

  2. security monitoring; 

  3. anomaly detection processes; 

  4. incident investigation procedures. 

Confidentiality:

  1. confidentiality obligations for authorized personnel; 

  2. security and privacy awareness measures; 

  3. restricted access to Personal Data. 

Incident Response:

  1. documented incident response procedures; 

  2. escalation and remediation workflows; 

  3. breach investigation processes. 

Vendor & Subprocessor Management:

  1. security review processes for material subprocessors; 

  2. contractual confidentiality and security obligations. 

Business Continuity:

  1. backup and recovery processes; 

  2. disaster recovery procedures where appropriate. 

Security Governance:

  1. internal security governance and review processes; 

  2. periodic assessment of security controls and risks. 

Additional security documentation, certifications or audit summaries may be made available by Pixis upon reasonable request and subject to confidentiality obligations.