Data Processing Addendum

You are the controller and Settr is the processor of the Personal Data processed through the Service. You are responsible for the lawfulness of the Personal Data and of your instructions, and for having an appropriate legal basis and any required consents to engage your leads and contacts.

• Subject matter: provision of the Service (an AI appointment setter) to you.
• Duration: for the term of the Terms and until deletion or return of Personal Data as described below.
• Nature and purpose: receiving, qualifying, replying to, and booking leads across your connected channels, and related operation, security, and support of the Service.
• Types of Personal Data: identifiers and contact details (such as names, handles, phone numbers, email addresses), the content and metadata of messages and conversations, and booking details.
• Categories of data subjects: your leads, prospects, and contacts who communicate through your connected channels.

We will process the Personal Data only on your documented instructions, including as set out in the Terms, this DPA, and your configuration of the Service, unless required to act otherwise by applicable law (in which case we will inform you where permitted). If we believe an instruction infringes data-protection law, we will inform you.

We ensure that personnel authorized to process the Personal Data are bound by appropriate confidentiality obligations and process the Personal Data only as needed to provide the Service.

Taking into account the state of the art and the risks, we implement appropriate technical and organizational measures to protect the Personal Data, including encryption of credentials and sensitive data at rest, encryption in transit, isolation between customer workspaces, access controls and least-privilege practices, and logging and monitoring. We may update these measures provided the level of protection is not materially reduced.

You authorize us to engage subprocessors to provide the Service, including providers of cloud hosting and databases, AI and large-language-model processing, messaging and telephony, email infrastructure, calendar and scheduling, voice and audio processing, and payments. We impose data-protection obligations on each subprocessor that are no less protective than those in this DPA, and we remain responsible for their performance. We will make available a list of subprocessors and provide a mechanism to receive notice of changes, and you may object on reasonable data-protection grounds.

Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects to exercise their rights (such as access, correction, deletion, restriction, portability, and objection). If we receive such a request directly, we will, where permitted, direct the data subject to you.

We will notify you without undue delay after becoming aware of a personal data breach affecting the Personal Data, and will provide information reasonably available to help you meet your notification and other obligations.

We will provide reasonable assistance with your data-protection impact assessments and prior consultations with supervisory authorities, to the extent required and taking into account the information available to us.

On termination of the Service, and at your choice, we will delete or return the Personal Data, and delete existing copies, unless retention is required by applicable law. Routine deletion may take place within a reasonable period as part of standard operations.

We will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality, security, scheduling, and scope limitations.

Where the provision of the Service involves transferring Personal Data across borders, we will ensure an appropriate transfer mechanism is in place where required by applicable law, such as standard contractual clauses.

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms.