DATA PROCESSING ADDENDUM
Last Updated: December 3, 2025
This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written or electronic agreement between Oli Labs, Inc. ("Oli Labs," "we," "us," or "Processor") and the entity identified as Customer ("Customer," "you," or "Controller") for the provision of the Oli software services (the "Agreement").
This DPA reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Laws.
1. DEFINITIONS
1.1 In this DPA, the following terms shall have the meanings set out below:
- "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
- "Controller" means the entity which determines the purposes and means of the processing of Personal Data.
- "Customer Data" means the Personal Data processed by Oli Labs on behalf of Customer in the course of providing the Services.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including:
  - EU General Data Protection Regulation 2016/679 ("GDPR")
  - UK GDPR and Data Protection Act 2018 ("UK Data Protection Laws")
  - Swiss Federal Act on Data Protection ("FADP")
  - California Consumer Privacy Act and California Privacy Rights Act (collectively "CCPA")
  - Any other applicable privacy or data protection laws
- "Data Subject" means an identified or identifiable natural person about whom Personal Data relates.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Oli Labs on behalf of Customer in the provision of Services.
- "Processing" has the meaning given to it in the GDPR and "process," "processes," and "processed" shall be interpreted accordingly.
- "Processor" means the entity which processes Personal Data on behalf of the Controller.
- "Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Services" means the Oli software platform and related services provided by Oli Labs to Customer under the Agreement.
- "Standard Contractual Clauses" or "SCCs" means:
  - For EEA transfers: the standard contractual clauses approved by the European Commission in Decision 2021/914
  - For UK transfers: the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs
  - For Swiss transfers: the standard contractual clauses approved by the Swiss Federal Data Protection and Information Commissioner
- "Sub-processor" means any Processor engaged by Oli Labs to process Personal Data in connection with the Services.
1.2 The terms "Data Exporter" and "Data Importer" shall have the meanings set out in the Standard Contractual Clauses.
2. SCOPE AND ROLES
2.1 Parties' Roles
The parties acknowledge and agree that:
- Customer is the Controller of the Personal Data
- Oli Labs is the Processor of the Personal Data
- This DPA applies where and only to the extent that Oli Labs processes Personal Data on behalf of Customer in the provision of Services and such processing is subject to Data Protection Laws
2.2 Customer Obligations
Customer represents and warrants that:
- It has complied and will continue to comply with all applicable Data Protection Laws
- It has provided and will continue to provide all required notices and obtained all required consents necessary for Oli Labs to process Personal Data as contemplated by the Agreement and this DPA
- It has the legal right to transfer the Personal Data to Oli Labs for processing in accordance with the terms of the Agreement and this DPA
2.3 Details of Processing
The subject matter, nature, purpose, duration, and types of Personal Data and categories of Data Subjects processed under this DPA are set forth in Annex I (Details of Processing).
3. OLI LABS' OBLIGATIONS
3.1 Compliance with Instructions
Oli Labs shall:
- Process Personal Data only in accordance with Customer's documented instructions as set forth in this DPA and the Agreement, unless required to process by applicable law (in which case, Oli Labs shall inform Customer of such legal requirement before processing, unless prohibited by law)
- Immediately inform Customer if, in Oli Labs' opinion, an instruction from Customer infringes Data Protection Laws
3.2 Confidentiality
Oli Labs shall ensure that all persons authorized to process Personal Data are subject to appropriate confidentiality obligations.
3.3 Security Measures
Oli Labs shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents.
3.4 Sub-processors
(a) Authorized Sub-processors
Customer provides general authorization for Oli Labs to engage Sub-processors to process Personal Data.
(b) Current Sub-processors
The list of current Sub-processors is set forth in Annex II (Sub-processors).
3.5 Data Subject Rights
Oli Labs shall, to the extent legally permitted and taking into account the nature of the processing:
- Provide reasonable assistance to Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws (including rights of access, correction, deletion, portability, and objection)
- Promptly notify Customer if it receives a request from a Data Subject and, unless otherwise required by law, not respond to that request without Customer's prior authorization
3.6 Data Protection Impact Assessments
Oli Labs shall provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Laws and to the extent Customer does not otherwise have access to the relevant information.
3.7 Security Incident Notification
Oli Labs shall:
- Notify Customer without undue delay after becoming aware of any Security Incident
- Provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Security Incident under Data Protection Laws
- Take reasonable steps to mitigate the effects and minimize any damage resulting from the Security Incident
- Cooperate with Customer and take such reasonable commercial steps as directed by Customer to assist in the investigation, mitigation, and remediation of the Security Incident
3.8 Deletion or Return of Personal Data
Upon termination or expiration of the Agreement, Oli Labs shall (at Customer's election):
- Delete all Personal Data (including copies) in its possession or control, except to the extent Oli Labs is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Oli Labs shall securely isolate, protect from further processing, and delete in accordance with its deletion practices.
4. AUDITS AND COMPLIANCE
4.1 Records and Information
Oli Labs shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Data Protection Laws.
4.2 Audit Rights
Oli Labs shall allow for and reasonably cooperate with audits, including inspections, by Customer (or an independent third-party auditor appointed by Customer) to verify compliance with this DPA, provided that:
- Customer provides at least 30 days' prior written notice
- Audits are conducted during normal business hours and do not unreasonably interfere with Oli Labs' business operations
- Customer (and any third-party auditor) executes a reasonable confidentiality agreement before the audit
- Audits are conducted no more than once per year, unless required by a supervisory authority or in response to a Security Incident
4.3 Certifications and Reports
In lieu of an audit, Customer may accept applicable third-party audit reports or certifications (such as SOC 2 Type II reports or ISO 27001 certifications) as evidence of Oli Labs' compliance with its obligations under this DPA.
5. INTERNATIONAL DATA TRANSFERS
5.1 Data Transfer Mechanisms
The parties acknowledge that Oli Labs may transfer and process Personal Data to countries outside the EEA, UK, and Switzerland, including the United States.
5.2 Standard Contractual Clauses
To the extent that Oli Labs processes Personal Data protected by European Data Protection Laws and transfers such data to countries that have not been recognized by the European Commission, UK authorities, or Swiss authorities as providing an adequate level of data protection:
(a) The parties agree to comply with the Standard Contractual Clauses, which are incorporated into and form part of this DPA as follows:
- For EEA transfers: Module Two (Controller-to-Processor) of the EU Standard Contractual Clauses as set forth in Annex IV
- For UK transfers: The UK IDTA or UK Addendum to the EU SCCs as set forth in Annex V
- For Swiss transfers: The Swiss-approved SCCs as set forth in Annex VI
(b) For purposes of the Standard Contractual Clauses:
- Customer is the "data exporter" and Oli Labs is the "data importer"
- The optional docking clause in Clause 7 is included
- Under Clause 9 (Use of Sub-processors), Option 2 (General written authorization) applies
- Under Clause 11 (Redress), the optional language is not included
- Under Clause 17 (Governing law), the laws of Ireland apply (for EU SCCs)
- Under Clause 18 (Choice of forum and jurisdiction), the courts of Ireland apply (for EU SCCs)
6. CCPA AND U.S. STATE PRIVACY LAWS
6.1 Applicability
Where Oli Labs processes Personal Information (as defined in the CCPA) on behalf of Customer as a Service Provider or Processor (as such terms are defined in the CCPA):
6.2 Obligations
Oli Labs shall:
- Process Personal Information only for the specific business purposes set forth in the Agreement and this DPA
- Not sell or share (as those terms are defined in the CCPA) Personal Information
- Not retain, use, or disclose Personal Information for any purpose other than performing the Services, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the Services
- Not combine Personal Information with information received from another source, except as permitted by the CCPA
- Provide the same level of privacy protection as required of Customer under applicable U.S. state privacy laws
- Notify Customer if it determines it can no longer meet its obligations under the CCPA
6.3 Certifications
Oli Labs certifies that it understands the restrictions of this Section 6 and will comply with them.
7. LIMITATION OF LIABILITY
7.1 Each party's liability arising out of or related to this DPA (whether in contract, tort, or under any other theory of liability) is subject to the limitations and exclusions of liability set forth in the Agreement.
7.2 Any claims under this DPA shall be brought solely against the entity that is a party to the Agreement.
8. TERM AND TERMINATION
8.1 This DPA shall commence on the Effective Date of the Agreement and shall remain in effect until the termination or expiration of the Agreement.
8.2 Following termination or expiration, the provisions of Section 3.8 (Deletion or Return of Personal Data) shall continue to apply.
9. GENERAL PROVISIONS
9.1 Order of Precedence
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict or inconsistency with respect to the processing of Personal Data.
9.2 Changes to Data Protection Laws
The parties agree to work together in good faith to negotiate an amendment to this DPA if required to comply with changes in Data Protection Laws.
9.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
9.4 Entire Agreement
This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings, whether written or oral.
ANNEXES
The following Annexes form part of this DPA:
- Annex I: Details of Processing
- Annex II: List of Sub-processors
- Annex III: Standard Contractual Clauses (EU)
- Annex IV: UK IDTA or UK Addendum
- Annex V: Swiss Standard Contractual Clauses
ANNEX I: DETAILS OF PROCESSING
A. LIST OF PARTIES
Data Exporter(s):
- Name: Customer (as identified in the Agreement)
- Address: As specified in the Agreement
- Contact person's name, position and contact details: As specified in the Agreement
- Role: Controller
Data Importer(s):
- Name: Oli Labs, Inc.
- Address: 28 W Flagler St., Ste. 300B #254, Miami, FL 33130
- Attention: Legal Team
- Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects:
- Website visitors and customers of the Data Exporter
- Sales leads and prospects
- End users who interact with the Oli chat assistant
- CRM contacts and leads
Categories of Personal Data:
- Contact information (name, email address, phone number, company name, job title)
- Communication content (chat messages, conversation history, inquiries)
- Technical data (IP addresses, browser type, device identifiers, session data)
- Behavioral data (website interactions, conversation patterns, engagement metrics)
- Sales and marketing data (lead scores, sales stage, purchase intent, preferences)
- CRM data (deal information, account information, opportunity data)
- Any other information provided by Data Subjects during interactions with the Oli software
Sensitive Data (if applicable):
- None, unless specifically configured by Customer
Frequency of Transfer:
- Continuous during the term of the Agreement
Nature of Processing:
- Collection, recording, organization, structuring, storage, analysis, use, disclosure, and deletion
Purpose(s) of Processing:
- Providing the Oli sales assistant software services
- Managing inbound sales inquiries via embedded chat
- Nurturing sales leads through outbound engagement
- Integrating with Customer's CRM platform
- Analyzing conversation data to improve lead qualification
- Providing analytics and reporting to Customer
- Training and improving AI models (using non-personally identifiable data only)
Period of Retention:
- For the duration of the Agreement and as necessary to provide the Services
- Following termination: deleted within 5 days (active data) or 90 days (backup copies)
- Except where longer retention is required by applicable law
Sub-processors:
C. COMPETENT SUPERVISORY AUTHORITY
For transfers subject to EU GDPR:
- [To be determined based on Data Exporter's establishment]
For transfers subject to UK Data Protection Laws:
- The UK Information Commissioner's Office (ICO)
For transfers subject to Swiss FADP:
- The Swiss Federal Data Protection and Information Commissioner (FDPIC)
ANNEX II: LIST OF SUB-PROCESSORS
Oli Labs currently engages the following Sub-processors to process Personal Data:
| Sub-processor Name | Service Provided | Location of Processing | Data Categories Processed |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Cloud infrastructure | us-east-2 | All Categories |
| OpenAI | AI/ML processing for chat capabilities | United States | All Categories |
| Twilio SendGrid | Email | United States | Identifiers and some personal information |
Notes:
- The current and complete list is maintained at:
- Customer will receive 30 days' prior notice of changes to this list
- Each Sub-processor has entered into written agreements requiring data protection standards no less protective than this DPA
ANNEX III: STANDARD CONTRACTUAL CLAUSES (EU)
[This Annex incorporates by reference the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021]
MODULE TWO: Controller to Processor
The parties agree that the Standard Contractual Clauses are incorporated by reference and form an integral part of this DPA.
Clause 7 - Docking clause: The optional docking clause is INCLUDED.
Clause 9 - Use of sub-processors: OPTION 2: GENERAL WRITTEN AUTHORISATION applies. The time period for prior notice of sub-processor changes: 30 days
Clause 11 - Redress: The optional language is NOT INCLUDED.
Clause 17 - Governing law: The SCCs shall be governed by the law of: Ireland (for customers established in the EU)
Clause 18 - Choice of forum and jurisdiction: The courts of Ireland shall have jurisdiction.
Annex I to the SCCs: The information required in Annex I to the SCCs is set forth in Annex I to this DPA.
Annex II to the SCCs: The list of Sub-processors required in Annex II to the SCCs is set forth in Annex II to this DPA.
ANNEX IV: UK INTERNATIONAL DATA TRANSFER ADDENDUM OR UK ADDENDUM TO EU SCCs
[This Annex incorporates the UK International Data Transfer Agreement (IDTA) or the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK Addendum), as appropriate]
For transfers subject to UK Data Protection Laws:
The parties agree to be bound by either:
- The UK International Data Transfer Agreement (version B1.0) issued by the UK Information Commissioner's Office, OR
- The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0)
Key Terms:
- Importer: Oli Labs, Inc.
- Exporter: Customer
- Selected SCCs modules: Module 2 (Controller to Processor)
- Tables 1-4: As set forth in Annexes I, II, and III of this DPA
- Start date: The Effective Date of the Agreement
The UK Addendum is available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/
ANNEX V: SWISS STANDARD CONTRACTUAL CLAUSES
[This Annex incorporates the Standard Contractual Clauses as approved by the Swiss Federal Data Protection and Information Commissioner]
For transfers subject to Swiss FADP:
The parties agree that:
- The EU Standard Contractual Clauses incorporated in Annex IV apply to transfers of Personal Data subject to Swiss data protection law
- References to "Regulation (EU) 2016/679" shall be understood as references to the Swiss Federal Act on Data Protection
- References to the "General Data Protection Regulation" or "GDPR" shall be understood as references to the Swiss Federal Act on Data Protection
- The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC)
- The applicable law is Swiss law
- Data Subjects in Switzerland are third-party beneficiaries of the clauses
END OF DATA PROCESSING ADDENDUM
By using the Services, Customer agrees to the terms of this Data Processing Addendum. This DPA is incorporated into and forms part of the Agreement between the parties.