Data Processing Agreement

This Data Processing Agreement (“DPA”) is between XAscend LLC (“Processor,” “we,” “us,” or “our”) and you, the customer (“Controller,” “you,” or “your”).

This DPA adds to the Terms of Service (“Agreement”). It covers how XAscend LLC handles personal data on your behalf through the Praising.ai platform (the “Services”).

This DPA applies when we handle personal data on your behalf that falls under data protection laws. These include the GDPR (EU) 2016/679, the UK GDPR, the CCPA/CPRA, and other privacy laws that apply.

1. ROLES AND RESPONSIBILITIES

You are the Controller. You set the goals and means for handling personal data. You choose what data to collect, what messages to send, and how to use the Platform. You must make sure you have the right legal bases, consents, and privacy notices in place.

We are the Processor. We provide the tech platform that handles personal data on your behalf, per your instructions. We do not choose what data you collect, who you contact, or what messages you send.

YOU — NOT XASCEND LLC — MUST MAKE SURE YOUR USE OF THE PLATFORM FOLLOWS ALL DATA PROTECTION LAWS THAT APPLY. THIS INCLUDES GETTING PROPER CONSENT FROM YOUR CUSTOMERS, GIVING PRIVACY NOTICES, AND REPLYING TO DATA SUBJECT REQUESTS.

2. SCOPE OF PROCESSING

2.1 What We Process

We handle personal data that you or your buyers send to the Platform, such as:

• Names, email addresses, and phone numbers of your buyers;
• Review content and feedback replies;
• SMS and email records;
• Any other data you upload or type into the Platform.

2.2 Why We Process It

We handle this data only to run the Services you signed up for, such as:

• Storing and managing your buyer contact info;
• Sending SMS, email, and review request messages on your behalf;
• Creating AI-powered review reply drafts;
• Running analytics and reporting dashboards;
• Running review widgets on your website.

2.3 What We Do Not Process

The Platform is not built for sensitive or special types of personal data (health data, race, religion, biometrics, etc.). Do not upload sensitive data to the Platform.

3. OUR OBLIGATIONS AS PROCESSOR

We will:

• Handle personal data only per your written instructions, unless the law says otherwise;
• Make sure staff who handle personal data are bound by privacy duties;
• Put in place fair technical and team-level security steps (see Annex I);
• Use fair efforts to help you reply to data subject requests (access, deletion, portability, etc.), as far as the Platform allows;
• Let you know without undue delay if we learn of a data breach that affects data handled on your behalf;
• After your account ends, delete personal data we handled for you within a fair time, unless the law requires us to keep it.

3.1 Important Limitations

You acknowledge and agree that:

• We provide the Platform as a SaaS tool. How fast we can meet some DPA duties (like data deletion or breach alerts) depends on the tech limits and help of our third-party providers.
• We will use fair efforts to meet data protection duties. But we do not promise exact response times for breach alerts, data subject requests, or data deletion beyond what is doable.
• The security steps in Annex I show our current practices. We may update them over time, as long as they stay at least as strong as those in place when this DPA was signed.

THE PLATFORM IS PROVIDED “AS IS” FOR DATA HANDLING. TO THE FULLEST EXTENT THE LAW ALLOWS, WE DISCLAIM ALL WARRANTIES ABOUT THE PLATFORM'S FIT WITH ANY DATA PROTECTION FRAMEWORK OR BADGE, EXCEPT AS STATED IN THIS DPA.

4. YOUR OBLIGATIONS AS CONTROLLER

You alone are in charge of:

• Having a lawful basis (consent, contract, real interest, etc.) to collect and handle all personal data you send to the Platform;
• Giving clear privacy notices to your buyers and end-users that show how their data is handled;
• Getting all needed consents from your buyers before sending SMS, email, or other messages through the Platform;
• Replying to data subject requests from your buyers (you may use Platform tools or ask us for help, but the duty to reply is yours);
• Making sure all personal data you upload is correct and lawful;
• Following all data protection laws that apply in your region;
• Not uploading sensitive or special types of data to the Platform.

5. SUB-PROCESSORS

We use third-party providers (sub-processors) to help run the Services. By signing this DPA, you give us broad approval to use sub-processors.

Our current sub-processors include:

We will let you know about big changes to our sub-processors by updating this list. You can sign up for alerts by emailing support@praising.ai. If you have a real concern about a new sub-processor, contact us and we will work with you to find a fair fix.

6. INTERNATIONAL DATA TRANSFERS

Personal data may be sent to and handled in the United States and other places where our sub-processors work. For transfers from the EEA, UK, or Switzerland, we rely on:

• Standard Contractual Clauses (SCCs) per the European Commission (Decision 2021/914);
• The UK Data Transfer Addendum, where it applies;
• Other lawful transfer tools allowed by the law that applies.

7. DATA BREACH NOTIFICATION

If we learn of a data breach that affects data handled on your behalf, we will:

• Let you know without undue delay after we learn of the breach;
• Share what we know about the breach, the types of data likely hit, and the steps we are taking;
• Work with you and give fair help to look into and limit the breach.

We will use fair efforts to send the first alert as soon as we can. That said, how fast we can spot and act on breaches depends on the event and our providers. Telling you about a breach does not mean we admit fault.

8. DATA RETENTION AND DELETION

We keep personal data handled on your behalf while your account is active. When it ends:

• You may export your data through the Platform's export tools (where offered) before your account closes;
• We will delete personal data from our live systems within a fair time after your account ends;
• Some data may stay in backups for a short time and will be removed during normal backup cycles;
• We may keep some data where the law requires it (e.g., billing records for tax use).

9. COMPLIANCE INFORMATION

On fair written request (no more than once a year), we will give you info needed to show we follow this DPA. This may include:

• A summary of our current security practices;
• Relevant badges or audit reports, where we have them;
• Written replies to fair compliance questions.

We do not have to give access to our systems, source code, private setup, or our providers' systems. If you need a deeper audit, we will work with you in good faith to find a path that works for both sides, at your cost.

10. LIABILITY

Each party's liability under this DPA follows the limits set in the Terms of Service.

TO THE FULLEST EXTENT THE LAW ALLOWS, OUR TOTAL LIABILITY UNDER THIS DPA WILL NOT GO PAST THE AMOUNTS IN THE LIABILITY SECTION OF THE TERMS OF SERVICE. WE ARE NOT LIABLE FOR ANY FINES, PENALTIES, OR ACTIONS PLACED ON YOU DUE TO YOUR OWN FAILURE TO FOLLOW DATA PROTECTION LAWS.

11. TERM

This DPA takes effect the date you first use the Services. It stays active as long as we handle personal data for you. Sections that should last beyond the end (Sections 7, 8, 10) do survive.

12. GOVERNING LAW

This DPA follows the laws named in the Terms of Service (State of Wyoming, United States). The one exception: where data protection law says otherwise (e.g., GDPR matters for EEA controllers follow the law of the controller's EU Member State).

ANNEX I — SECURITY MEASURES

We use the following fair security steps:

• Data encrypted in transit (TLS/HTTPS);
• Data encrypted at rest;
• Access controls based on least-access rules;
• Strong password rules and multi-factor login for admin access;
• Regular backups;
• Logging and live tracking of access and security events;
• Privacy duties for staff with access to personal data.

These steps may change as we improve our security. Any change will keep at least the same level of safety.

CONTACT

For questions about this DPA: