Data Processing Addendum

SIGNATURE AI: DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) is entered into as of the Addendum Effective Date by and between: (1) SIGNATURE AI LIMITED, a company incorporated and registered in the United Kingdom with company number 15689879 with its registered office at 68-80 Hanbury Street, London, England, E1 5JL (“Signature AI”); and (2) the entity who is a counterparty to the Agreement (as defined below) (“Customer”), together the “Parties” and each a “Party”.

HOW AND WHEN THIS DPA APPLIES

  • This DPA applies to the extent Applicable Data Protection Laws (including the GDPR) govern Signature AI’s Processing of Customer Personal Data in performance of the Service(s) as a Processor. 
  • Accordingly, this DPA does not apply to Signature AI’s Processing of any Personal Data for its own business/customer relationship administration purposes, its own marketing or service analytics, its own information and systems security purposes supporting the operation of the Services, nor its own legal, regulatory or compliance purposes.


1 INTERPRETATION

In this DPA (including the introduction above), the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:

“Addendum Effective Date” means the effective date of the Agreement.

“Agreement” means the agreement between Signature AI and Customer formed on the basis of an Order Form incorporating the Signature AI: Platform Terms and Conditions displayed from time to time at https://www.signature.ai/legal/platform-terms-conditions (or any successor page), or any other agreement entered into by and between the Parties that provides that this DPA will be incorporated therein by reference.

“Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction directly applicable to Signature AI’s Processing of Customer Personal Data under the Agreement (including the UK GDPR, as defined below).

“Cross-Border Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government.

“Customer Personal Data” means any Personal Data within the Inputs and Connected Data Processed by Signature AI or its Sub-Processor on behalf of Customer to perform the Services under the Agreement.

“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

“Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.

“EEA” means the European Economic Area.

“GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law (as amended from time to time) (“UK GDPR”).

“Order Form” means the Signature AI Order Form entered into by and between the Parties on or around the date of execution of this DPA.

“Personal Data Breach” means a breach of Signature AI’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data in Signature AI’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data.

“Services” means those services and activities to be supplied to or carried out by or on behalf of Signature AI for Customer pursuant to the Agreement (including provision of access to Signature AI’s Platform in the manner described therein).

“Staff” means a person’s employees, agents, consultants, contractors or other staff.

“Sub-Processor” means any third party appointed by or on behalf of Signature AI to Process Customer Personal Data.

“Supervisory Authority” means any governmental or regulatory body with competent authority to enforce any Applicable Data Protection Laws, including: (i) in the context of the EEA and the EU GDPR, a “supervisory authority” within the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office.

“UK Transfer Tool” means either (i) the template International Data Transfer Agreement version A.1.0; or (ii) template International Data Transfer Addendum version B.1.0, in each case as issued by the UK Information Commissioner’s Office and laid before the UK Parliament in accordance with s119A of the UK Data Protection Act 2018 on 2 February 2022 and in each case as revised under the relevant Mandatory Clauses thereof set out in Part 4 or Part 2 (respectively).

Unless otherwise defined in this DPA, all capitalised terms in this DPA shall have the meaning given to them in the Agreement. The terms “Controller”, “Personal Data”, “Process” (and its grammatical inflections) and “Processor” shall each have the meaning given to that term in the GDPR.

2 PROCESSING OF CUSTOMER PERSONAL DATA

2.1 The Parties acknowledge and agree that the details of Signature AI’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA. 

2.2 Signature AI shall not Process Customer Personal Data other than: (a) on Customer’s instructions; or (b) as required by applicable laws provided that, in such circumstances, Signature AI shall inform Customer in advance of the relevant legal requirement requiring such Processing if and to the extent Signature AI is: (i) required to do so by Applicable Data Protection Laws; and (ii) permitted to do so in the circumstances. Customer instructs Signature AI to Process Customer Personal Data to provide the Services to Customer and in accordance with the Agreement (as further described in Annex 1 (Data Processing Details)). The Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on Signature AI only pursuant to any written amendment to this DPA signed by both Parties. Where required by Applicable Data Protection Laws, if Signature AI receives an instruction from Customer that, in its reasonable opinion, infringes Applicable Data Protection Laws, Signature AI shall notify Customer.

2.3 Signature AI shall take commercially reasonable steps designed to ascertain the reliability of any Signature AI Staff who Process Customer Personal Data, and shall enter into written confidentiality agreements with all Signature AI Staff who Process Customer Personal Data that are not subject to professional or statutory obligations of confidentiality.

3 SECURITY 

Signature AI shall implement and maintain technical and organisational measures in relation to Customer Personal Data designed to protect Customer Personal Data against Personal Data Breaches as described in Annex 2 (Security Measures) (the “Security Measures”).  Signature AI may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.

4 DATA SUBJECT RIGHTS

Signature AI, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests. If Signature AI receives a Data Subject Request, Customer will be responsible for responding to any such request. Signature AI shall: (a) promptly notify Customer if it receives a Data Subject Request; and (b) not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except as required by Applicable Data Protection Laws.

5 PERSONAL DATA BREACH

Signature AI shall notify Customer without undue delay upon Signature AI’s confirmation of a Personal Data Breach affecting Customer Personal Data. Signature AI shall provide Customer with information (insofar as such information is within Signature AI’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Signature AI) to allow Customer to meet its obligations under Applicable Data Protection Laws to report the Personal Data Breach. Signature AI’s notification of or response to a Personal Data Breach shall not be construed as Signature AI’s acknowledgement of any fault or liability with respect to the Personal Data Breach. Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.

6 SUB-PROCESSING

6.1 Customer generally authorises Signature AI to appoint Sub-Processors in accordance with this Section 6. Information about Signature AI’s Sub-Processors, including their functions and locations, is as shown in the Sub-Processor list displayed from time to time at [PAGE] or any successor page (the “Sub-Processor List”). Without limitation, Customer authorises Signature AI’s engagement of the Sub-Processors listed on the Sub-Processor List as of the Addendum Effective Date.

6.2 Signature AI shall give Customer prior written notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor by updating the Sub-Processor List and providing a means by which Customer may subscribe to receive notice of such updates (or otherwise providing written notice to Customer). Customer agrees that Customer is solely responsible for ensuring that it subscribes to such updates, and it shall do so. If, within fourteen (14) days of receipt of that notice, Customer notifies Signature AI in writing of any objections (on reasonable grounds based on good faith concerns that the use of that proposed Sub-Processor would cause Customer to be in breach of Applicable Data Protection Laws causing unavoidable or irreparable harm) to the proposed appointment: (a) Signature AI shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and (b) where: (i) such a change cannot be made within thirty (30) days from Signature AI’s receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, then Customer may terminate the Agreement by written notice to Signature AI as its sole and exclusive remedy. If Customer does not object to Signature AI’s appointment of a Sub-Processor during the objection period referred to in this Section 6.2, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.

6.3 With respect to each Sub-Processor, Signature AI shall maintain a written contract between Signature AI and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA (including the Security Measures). Signature AI shall remain liable for any breach of this DPA caused by a Sub-Processor. 

7 AUDITS 

7.1 Signature AI shall make available to Customer on request, such information as Signature AI (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. 

7.2 Subject to Sections 7.3 to 7.5, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Signature AI pursuant to Section 7.1 is not sufficient in the circumstances to demonstrate Signature AI’s compliance with this DPA, Signature AI shall allow for and contribute to audits, including on-premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Signature AI.

7.3 Customer shall give Signature AI reasonable notice of any audit or inspection to be conducted under Section 7.2 (which shall in no event be less than fourteen (14) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Signature AI’s premises, equipment, Staff, data, and business (including any interference with the confidentiality or security of the data of Signature AI’s other customers or the availability of Signature AI’s services to such other customers).

7.4 Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Signature AI will review the proposed audit plan and provide Customer with any feedback, concerns or questions (for example, any request for information that could compromise Signature AI security, privacy, employment or other relevant policies). Signature AI will work cooperatively with Customer to agree on a final audit plan.  

7.5 Signature AI need not give access to its premises for the purposes of such an audit or inspection: (a) where a third-party audit report or certification (e.g., SOC 2 Type 2, ISO 2700x, NIST or similar audit report or certification) is accepted in lieu of such access (such acceptance not to be unreasonably withheld or conditioned); (b) to any individual unless they produce reasonable evidence of their identity; (c) to any auditor whom Signature AI has not approved in advance (acting reasonably); (d) to any individual who has not entered into a non-disclosure agreement with Signature AI on terms acceptable to Signature AI; (e) outside normal business hours at those premises; or (f) on more than one occasion in any calendar year during the term of the Agreement, except for any audits or inspections which Customer is required to carry out under the GDPR or by a Supervisory Authority. Nothing in this DPA shall require Signature AI to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their customers. Nothing in this Section 7 shall be construed to obligate Signature AI to breach any duty of confidentiality.

8 RETURN AND DELETION

8.1 Following expiration or earlier termination of the Agreement, Signature AI shall promptly return and/or delete all Customer Personal Data in Signature AI’s care, custody or control in accordance with Customer’s instructions as to the post-termination return and deletion of Customer Personal Data expressed in the Agreement. To the extent that deletion of any Customer Personal Data contained in any back-ups maintained by or on behalf of Signature AI is not technically feasible within the timeframe set out in Customer’s instructions, Signature AI shall (a) securely delete such Customer Personal Data in accordance with any relevant scheduled back-up deletion routines (e.g., those contained within Signature AI’s relevant business continuity and disaster recovery procedures); and (b) pending such deletion, put such Customer Personal Data beyond use.

8.2 Notwithstanding the foregoing, Signature AI may retain Customer Personal Data where required by applicable laws, provided that Signature AI shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention. 

9 DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

Signature AI shall, taking into account the nature of the Processing and the information available to Signature AI, provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Signature AI.  

10 CUSTOMER’S RESPONSIBILITIES

10.1 Customer agrees that, without limiting Signature AI’s obligations under Section 3 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; and (b) securing Customer’s systems and devices that Signature AI uses to provide the Services.

10.2 Customer shall ensure: (a) that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Signature AI of Customer Personal Data in accordance with this DPA and the Agreement (including any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all applicable laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and (b) that all Data Subjects have (i) been presented with all required notices and statements required by applicable laws having regard to the nature of the Services and associated Processing (including as required by Articles 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Signature AI of Customer Personal Data.

10.3 Customer shall not provide or otherwise make available to Signature AI any Customer Personal Data that contains any: (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) biometric information; (e) passwords to any online accounts; (f) credentials to any financial accounts; (g) tax return data; (h) any payment card information subject to the Payment Card Industry Data Security Standard; (i) Personal Data of children under 16 years of age; or (j) any other information that falls within any special categories of Personal Data (as set out in Article 9(1) of the GDPR) and/or data relating to criminal convictions and offences or related security measures (together, “Restricted Data”).

11 DATA TRANSFERS 

11.1 Customer acknowledges and agrees that Signature AI may effect Cross-Border Transfers to third parties under or in connection with this Agreement, subject to Section 11.2 (including where Signature AI’s use of a Sub-Processor involving a Cross-Border Transfer is approved in accordance with Section 6).

11.2 Signature AI agrees that it shall not make any Cross-Border Transfer in connection with Signature AI’s Processing of Customer Personal Data as Customer’s Processor otherwise than in reliance on a ‘transfer mechanism’ under Chapter V of the GDPR for that Cross-Border Transfer, for which purpose Customer agrees that Signature AI’s entry into a UK Transfer Tool with the relevant ‘importer’ shall be sufficient in relation to any Cross-Border Transfer.

12 MISCELLANEOUS 

12.1 Liability. The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement.

12.2 Variation. Signature AI may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time.  

12.3 Conflict. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict or inconsistency relating to the Processing of Customer Personal Data.



ANNEX 1

Data Processing Details

SIGNATURE AI DETAILS

Name:

Signature AI Ltd, a company incorporated and registered in the United Kingdom with company number 15689879 

Address:

68-80 Hanbury Street, London, England, E1 5JL

Contact Details for Data Protection:

Role: General Counsel

Email: legal@signature.ai

Signature AI Activities:

Signature AI is a provider of a generative AI platform through which customers can build dedicated AI models to create a variety of advertising-related intellectual property tailored to their brand and markets.

Role: 

Processor

CUSTOMER DETAILS

Name:

The entity who is a counterparty to the Agreement

Address:

Customer’s address is the address shown in the Order Form; or if no such address is contained within the Order Form, Customer’s principal business trading address – unless otherwise notified to Signature AI’s contact point noted above.

Contact Details for Data Protection:

As set forth in the Order Form or elsewhere in the Agreement between Customer and Signature AI.

Customer agrees that it is solely responsible for ensuring that such contact details are valid and up to date, and direct relevant communications to the appropriate individual within its organisation.

Customer Activities:

Customer’s activities relevant to this DPA are the use and receipt of the Services as part of its ongoing business operations under and in accordance with the Agreement.

Role: 

  • Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and 
  • Processor – in respect of any Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person (including its affiliates if and where applicable).

DETAILS OF PROCESSING

Categories of Data Subjects:

Any individuals whose Personal Data is comprised within Inputs and Connected Data submitted to the Services by or on behalf of Customer under the Agreement, which will be as determined by Customer in its sole discretion through its use of the Services (including as a result of the integration and configuration of any Connected Applications) – which may include any models and other individuals whose name, image or likeness is included in Inputs and/or Connected Data (including in any images and videos).

Categories of Personal Data:

Any Personal Data comprised within Inputs and Connected Data submitted to the Services by or on behalf of Customer under the Agreement, which will be as determined by Customer in its sole discretion through its use of the Services (including as a result of the integration and configuration of any Connected Applications) – which may include individuals’:

  • Name
  • Image
  • Likeness 

Sensitive Categories of Data, and associated additional restrictions/safeguards:

Categories of sensitive data: None – as noted in Section 10.3 of the DPA, Customer agrees that Restricted Data, which includes ‘special categories of Personal Data’ (as set out in Article 9(1) of the GDPR), must not be submitted to the Services. 

Additional safeguards for sensitive data: N/A

Nature of the Processing:

Processing operations required in order to provide the Services in accordance with the Agreement, which may include collection, recording, organisation, structuring, storage, consultation, redaction, analysis, use, alignment or combination, restriction, erasure and / or destruction. 

Purpose of the Processing:

The Customer instructs Signature AI to Process any Customer Personal Data for the following purposes: Processing necessary to provide the Services as initiated by Customer in its use thereof, including any development and improvement-related purposes permitted under the Agreement.

Duration of Processing / Retention Period:

For the period determined in accordance with the Agreement and DPA, including Section 8 of the DPA.


ANNEX 2

Security Measures

Signature AI will implement and maintain the Security Measures as set out in this Annex 2. 

  1. Organisational management and staff responsible for the development, implementation and maintenance of Signature AI’s information security program. 
  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Signature AI’s organisation, monitoring and maintaining compliance with Signature AI’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  3. Data security controls which include at a minimum logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Customer Personal Data.
  4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
  5. Password controls designed to manage and control password strength, expiration and usage.
  6. System audit or event logging and related monitoring procedures to proactively record user access and system activity. 
  7. Physical and environmental security of production resources relevant to the Services is maintained by the relevant Sub-Processor(s) (and their vendors) engaged from time-to-time by Signature AI to host those resources. Signature AI takes steps to ensure that such Sub-Processors provide appropriate assurances and certifications that evidence such physical and environmental security – including security of data centre, server room facilities and other areas containing Customer Personal Data designed to: (a) protect information assets from unauthorised physical access; (b) manage, monitor and log movement into and out of Sub-Processor facilities, and (c) guard against environmental hazards such as heat, fire and water damage.
  8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Signature AI’s possession.
  9. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Signature AI’s technology and information assets.
  10. Incident management procedures designed to allow Signature AI to investigate, respond to, mitigate and notify of events related to Signature AI’s technology and information assets. 
  11. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.
  12. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
  13. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.