Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between XAscend LLC (“Processor,” “we,” “us,” or “our”) and you, the customer (“Controller,” “you,” or “your”).

This DPA supplements the Terms of Service (“Agreement”) and governs the processing of personal data by XAscend LLC on your behalf in connection with the Praising.ai platform (the “Services”).

This DPA applies to the extent that we process personal data on your behalf that is subject to applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), and other applicable privacy laws.

1. ROLES AND RESPONSIBILITIES

You are the Controller. You determine the purposes and means of processing personal data. You decide what data to collect from your customers, what messages to send, and how to use the Platform's features. You are responsible for ensuring you have all necessary legal bases, consents, and privacy notices in place.

We are the Processor. We provide the technology platform that processes personal data on your behalf, according to your instructions. We do not determine what data you collect, who you contact, or what messages you send.

YOU — NOT XASCEND LLC — ARE RESPONSIBLE FOR ENSURING THAT YOUR USE OF THE PLATFORM COMPLIES WITH ALL APPLICABLE DATA PROTECTION LAWS. THIS INCLUDES OBTAINING PROPER CONSENT FROM YOUR CUSTOMERS, PROVIDING PRIVACY NOTICES, AND RESPONDING TO DATA SUBJECT REQUESTS.

2. SCOPE OF PROCESSING

2.1 What We Process

We process personal data that you or your customers submit to the Platform, including:

• Names, email addresses, and phone numbers of your customers;
• Review content and feedback responses;
• SMS and email communication records;
• Any other data you upload to or input into the Platform.

2.2 Why We Process It

We process this data solely to provide the Services you subscribed to, including:

• Storing and managing your customer contact information;
• Sending SMS, email, and review request messages on your behalf;
• Generating AI-powered review response suggestions;
• Providing analytics and reporting dashboards;
• Operating review widgets on your website.

2.3 What We Do Not Process

The Platform is not designed for sensitive or special categories of personal data (health data, racial or ethnic origin, religious beliefs, biometric data, etc.). Do not upload sensitive data to the Platform.

3. OUR OBLIGATIONS AS PROCESSOR

We will:

• Process personal data only on your documented instructions, unless required by law;
• Ensure that personnel authorized to process personal data are bound by confidentiality obligations;
• Implement commercially reasonable technical and organizational security measures (see Annex I);
• Use commercially reasonable efforts to assist you in responding to data subject requests (access, deletion, portability, etc.), to the extent technically feasible within the Platform;
• Notify you without unreasonable delay if we become aware of a personal data breach affecting data processed on your behalf;
• Upon termination of your account, delete personal data processed on your behalf within a commercially reasonable period, except where retention is required by law.

3.1 Important Limitations

You acknowledge and agree that:

• We provide the Platform on a software-as-a-service basis. Our ability to fulfill certain obligations under this DPA (such as data deletion timelines or breach response times) depends on the technical capabilities and cooperation of our third-party infrastructure and service providers.
• We will use commercially reasonable efforts to meet data protection obligations, but we do not guarantee specific response times for breach notification, data subject requests, or data deletion beyond what is technically feasible.
• The security measures described in Annex I reflect our current practices. We reserve the right to update these measures from time to time, provided they remain at least as protective as those in place at the time of this DPA.

THE PLATFORM IS PROVIDED “AS IS” FOR DATA PROCESSING PURPOSES. TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE DISCLAIM ALL WARRANTIES REGARDING THE PLATFORM'S COMPLIANCE WITH ANY SPECIFIC DATA PROTECTION FRAMEWORK OR CERTIFICATION, EXCEPT AS EXPRESSLY STATED IN THIS DPA.

4. YOUR OBLIGATIONS AS CONTROLLER

You are solely responsible for:

• Ensuring you have a lawful basis (consent, contract, legitimate interest, etc.) for collecting and processing all personal data you submit to the Platform;
• Providing appropriate privacy notices to your customers and end-users that accurately describe how their data is processed;
• Obtaining all required consents from your customers before sending SMS, email, or other communications through the Platform;
• Responding to data subject requests from your customers (you may use Platform features or contact us for assistance, but the obligation to respond is yours);
• Ensuring the accuracy and legality of all personal data you upload;
• Complying with all applicable data protection laws in your jurisdiction;
• Not uploading sensitive or special category data to the Platform.

5. SUB-PROCESSORS

We use third-party service providers (sub-processors) to help deliver the Services. By entering into this DPA, you provide general authorization for us to use sub-processors.

Our current sub-processors include:

We will notify you of material changes to our sub-processors by updating this list. You may subscribe to notifications by emailing support@praising.ai. If you have a legitimate objection to a new sub-processor, contact us and we will work with you to find a reasonable solution.

6. INTERNATIONAL DATA TRANSFERS

Personal data may be transferred to and processed in the United States and other countries where our sub-processors operate. For transfers from the EEA, UK, or Switzerland, we rely on:

• Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914);
• The UK International Data Transfer Addendum, where applicable;
• Other lawful transfer mechanisms recognized under applicable law.

7. DATA BREACH NOTIFICATION

If we become aware of a personal data breach affecting data processed on your behalf, we will:

• Notify you without unreasonable delay after becoming aware of the breach;
• Provide available information about the nature of the breach, the types of data likely affected, and steps we are taking to address it;
• Cooperate with you and provide reasonable assistance in investigating and mitigating the breach.

We will use commercially reasonable efforts to provide initial notification as promptly as possible. However, our ability to detect and respond to breaches depends on the nature of the incident and the cooperation of our infrastructure providers. Notification of a breach is not an acknowledgment of fault or liability.

8. DATA RETENTION AND DELETION

We retain personal data processed on your behalf for the duration of your account. Upon termination:

• You may export your data through the Platform's export features (where available) before your account is closed;
• We will delete personal data from our active systems within a commercially reasonable period after account termination;
• Some data may be retained in backups for a limited period and will be deleted in the ordinary course of backup rotation;
• We may retain certain data where required by law (e.g., billing records for tax purposes).

9. COMPLIANCE INFORMATION

Upon reasonable written request (no more than once per year), we will provide you with information reasonably necessary to demonstrate our compliance with this DPA. This may include:

• A summary of our current security practices;
• Relevant certifications or audit reports, where available;
• Written responses to reasonable compliance questions.

We are not obligated to provide access to our systems, source code, proprietary infrastructure, or the systems of our third-party providers. If you require a more detailed audit, we will work with you in good faith to find a mutually acceptable approach, at your cost.

10. LIABILITY

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, OUR TOTAL LIABILITY UNDER THIS DPA SHALL NOT EXCEED THE AMOUNTS SET FORTH IN THE LIMITATION OF LIABILITY SECTION OF THE TERMS OF SERVICE. WE SHALL NOT BE LIABLE FOR ANY FINES, PENALTIES, OR REGULATORY ACTIONS IMPOSED ON YOU AS A RESULT OF YOUR OWN NON-COMPLIANCE WITH DATA PROTECTION LAWS.

11. TERM

This DPA is effective from the date you first use the Services and continues for as long as we process personal data on your behalf. Provisions that by their nature should survive (Sections 7, 8, 10) survive termination.

12. GOVERNING LAW

This DPA is governed by the laws specified in the Terms of Service (State of Wyoming, United States), except where applicable data protection law mandates otherwise (e.g., GDPR-related matters for EEA controllers are governed by the law of the controller's EU Member State).

ANNEX I — SECURITY MEASURES

We implement the following commercially reasonable security measures:

• Encryption of data in transit (TLS/HTTPS);
• Encryption of data at rest;
• Access controls based on least-privilege principles;
• Strong password policies and multi-factor authentication for administrative access;
• Regular backups;
• Logging and monitoring of access and security events;
• Confidentiality obligations for personnel with access to personal data.

These measures are subject to change as we improve our security practices. Changes will maintain at least an equivalent level of protection.

CONTACT

For questions about this DPA: