Data Processing Agreement

v.03.25.2026

Exhibit C (Data Processing Addendum)

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum” or “DPA”) forms a part of, and is subject to, that certain Software-as-a-Service Agreement or other written or electronic terms of service or subscription agreement for the provision of services (the “Agreement”) entered into by and between [insert full name of Customer] (“Customer”) and I2H, Inc. dba Ambassador (“Ambassador”). By executing the Addendum, Customer enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates (defined below), if any. This Addendum incorporates the terms of the Agreement, and any terms not defined in this Addendum shall have the meaning set forth in the Agreement. In the event of a conflict between the terms and conditions of this Addendum and the Agreement, the terms and conditions of this Addendum shall supersede and control.

1. Definitions

1.1 “Affiliate” means any entity controlling, controlled by or under common control with a party, where “control” means ownership of or the right to control greater than 50% of the voting securities of such entity.

1.2 “AI Agent Data” means Personal Data processed by AI Agents configured by Customer within Agent Studio, including input data submitted to AI Agents, output data generated by AI Agents, and operational metadata relating to AI Agent execution (e.g., action logs, decision triggers, and workflow traces).

1.3 “AI Services Data” means Personal Data processed in connection with AI Services (as defined in the Agreement), including data submitted to or generated by Hiro, predictive analytics, AI-generated content features, programmatic audience capabilities, and the Context API. AI Services Data includes AI Agent Data.

1.4 “AI Sub-Processor” means any third-party artificial intelligence or machine learning model provider (e.g., large language model APIs) engaged by Ambassador as a Subprocessor to process Personal Data in connection with AI Services.

1.5 “Ambassador Services” shall have the meaning set forth in the Agreement.

1.6 “Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person.

1.7 “CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Ambassador Processes on behalf of Customer and/or Customer’s Affiliates in connection with Ambassador’s provision of the Ambassador Services.

1.8 “Customer AI Configuration” shall have the meaning set forth in the Agreement.

1.9 “Customer Data” shall have the meaning set forth in the Agreement.

1.10 “Customer Ecosystem” shall have the meaning set forth in the Agreement.

1.11 “Customer Outcome Data” shall have the meaning set forth in the Agreement.

1.12 “Data Protection Laws” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”); European Directive 2002/58/EC, as amended by Directive 2009/136/EC (“E-Privacy Directive”); the UK GDPR; and any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”), as amended including by the California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52; the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq.; guidance issued by the U.S. Federal Trade Commission pursuant to its authority under Section 5 of the FTC Act, 15 U.S.C. § 45; in each case, as amended from time to time.

1.13 “Data Subject” shall mean, as applicable, “data subject” as defined under the GDPR and UK GDPR, “consumer” under the CCPA and other Data Protection Laws, and any similar term under the Data Protection Laws.

1.14 “EU Standard Contractual Clauses” means the standard contractual clauses annex to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Information to Third Countries (and any successor clauses).

1.15 “GDPR Personal Data” means the “personal data” (as defined in the GDPR and UK GDPR) that Ambassador Processes on behalf of Customer and/or Customer’s Affiliates in connection with Ambassador’s provision of the Ambassador Services.

1.16 “Messaging Data” means Personal Data Processed in connection with the Messaging Services, including phone numbers used to send and receive messages, message content (text and media), and technical/delivery metadata (e.g., timestamps, routing information, and delivery status).

1.17 “Messaging Providers” means telecommunications carriers and messaging delivery platforms (including Twilio, Inc.) engaged by Ambassador as Subprocessors solely to transmit and deliver communications on behalf of Customer.

1.18 “Messaging Services” means optional functionality of the Ambassador Services that enables Customer to send and/or receive communications via SMS (short message service), MMS (multimedia messaging service), and RCS (rich communication services) to or from end users as instructed by Customer.

1.19 “Personal Data” means any information relating to a Data Subject which is subject to Data Protection Laws and which Ambassador Processes on behalf of Customer other than Anonymous Data. Personal Data includes GDPR Personal Data and CCPA Personal Information.

1.20 “Personal Data Breach” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

1.21 “Subprocessor” means any third party appointed by or on behalf of Ambassador to process Personal Data in connection with the Ambassador Services.

1.22 “Third Countries” means countries which are not recognized by the Data Protection Laws as countries providing adequate protection of Personal Information.

1.23 “UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

1.24 “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1.25 The terms “business,” “business purposes,” “consumer,” “controller,” “personal data breach,” “process” or “processing,” “processor,” “sale,” “sell,” “sensitive data,” “sensitive personal information,” “service provider,” “sharing,” “supervisory authority,” and “verifiable consumer request” shall have the meanings given to those terms in the applicable Data Protection Laws to the extent such meanings are materially similar to the meaning of terms in effect on the Effective Date. In the event of a conflict in the meanings of terms among the Data Protection Laws, the parties agree that only the meanings in applicable Data Protection Laws will apply.

2. Processing of Personal Data

2.1 Each party will comply with the obligations applicable to it under the Data Protection Laws, including with respect to the processing of Personal Data.

2.2 Ambassador shall only process Personal Data in accordance with the instructions of Customer or as otherwise expressly permitted under the Agreement. Customer shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Personal Data, and that the processing of Personal Data in accordance with Customer’s instructions will not cause Ambassador to be in breach of the Data Protection Laws. As between Customer and Ambassador, Customer shall be responsible for (i) the means by which Customer acquired Personal Data, and (ii) the accuracy, quality, and legality of the Personal Data provided to Ambassador by or on behalf of Customer.

For the avoidance of doubt, where Customer enables the Messaging Services, Customer instructs Ambassador to Process Messaging Data for the limited purposes of transmission, delivery, routing, temporary storage/caching for delivery, logging delivery results, troubleshooting, and compliance with law and Carrier/Messaging Provider rules.

For the avoidance of doubt, where Customer enables AI Services (including Hiro, Agent Studio, predictive analytics, AI-generated content, programmatic audiences, and/or the Context API), Customer instructs Ambassador to Process AI Services Data for the limited purposes of: (a) providing AI predictions, recommendations, and generated content within Customer’s Ecosystem; (b) executing AI Agent workflows as configured by Customer; (c) training and improving AI models solely within Customer’s Ecosystem and solely for Customer’s benefit; (d) providing Context API responses derived from Customer’s own data; and (e) generating anonymized Benchmarking Data only where Customer has provided separate opt-in consent pursuant to Section 2.10(C) of the Agreement.

Customer Responsibilities for Messaging: Customer is solely responsible for (a) determining a lawful basis for Messaging (e.g., consent or legitimate interests, as applicable), (b) obtaining, recording, and honoring end-user consent and opt-out preferences, and (c) complying with applicable laws and industry policies (including, as applicable, the TCPA, CTIA messaging principles, the Twilio Messaging Policy) and any Carrier/Messaging Provider program rules. Customer will ensure that opt-out keywords (e.g., STOP and recognized equivalents) are honored promptly and that suppression lists are maintained in accordance with Customer’s compliance obligations.

Customer Responsibilities for AI Services: Customer is solely responsible for (a) determining a lawful basis for processing Personal Data through AI Services (e.g., consent, legitimate interests, or contractual necessity, as applicable); (b) ensuring that Personal Data submitted to AI Services is accurate and lawfully obtained; (c) reviewing and validating AI-generated outputs before relying on them or sharing them with Data Subjects; (d) configuring AI Agents with appropriate operational boundaries; and (e) ensuring that AI Agent actions comply with applicable Data Protection Laws, including with respect to automated decision-making under Article 22 of the GDPR where applicable.

2.3 For the purposes of this DPA, the following is deemed an instruction by Customer to process Personal Data (a) to provide and support the Ambassador Services; (b) as documented in the Agreement (including this DPA and any other agreement that requires processing of Personal Data); and (c) as further documented in any other specific written instructions given by Customer in this DPA, the Agreement, or as otherwise notified by Customer to Ambassador from time to time, where such instructions are consistent with the terms of the Agreement.

Without limiting the foregoing, Customer’s use of the Messaging Services constitutes written instructions to Ambassador to engage Messaging Providers to Process Messaging Data for transmission and delivery consistent with Section 4 (Authorized Subprocessors).

Without limiting the foregoing, Customer’s opt-in to and use of AI Services constitutes written instructions to Ambassador to Process AI Services Data within Customer’s Ecosystem consistent with Section 2.9 of the Agreement and this DPA.

2.4 The subject matter of the data processing covered by this DPA is the provision of the Ambassador Services and support by Ambassador. Schedule 1 of this DPA sets out the nature and purpose of the processing, the types of Personal Data Ambassador processes and the categories of Data Subjects whose personal data is processed.

2.5 For purposes of this DPA, Customer is the “controller” or “business,” and Ambassador is the “processor” or “service provider” of Personal Data, as such terms are defined in the Data Protection Laws per Section 1 above.

2.6 Messaging Data Retention. Ambassador will retain Messaging Data only as necessary to provide the Ambassador Services, comply with law, resolve disputes, and enforce the Agreement. Message content (including media) is generally retained only for transmission and delivery and may be stored for a limited duration for troubleshooting or compliance, or as otherwise instructed by Customer. Ambassador will make commercially reasonable efforts to support Customer-configured retention for message logs and media to the extent enabled by applicable Messaging Providers. Ambassador will not Sell or Share Messaging Data (including mobile numbers, opt-in/consent status, and message content) with third parties/affiliates for marketing or promotional purposes.

2.7 AI Data Isolation. Ambassador shall maintain logical and technical isolation of AI Services Data within each Customer’s Ecosystem. Ambassador shall not: (a) use Personal Data processed through AI Services for one Customer to train, fine-tune, or improve AI models, algorithms, or outputs that are made available to any other Customer or third party; (b) commingle AI Services Data across Customer Ecosystems; (c) permit AI Agents deployed within one Customer’s Ecosystem to access or process Personal Data from another Customer’s Ecosystem; or (d) use AI Services Data to generate intelligence, predictions, or recommendations for any other Customer. This obligation applies to Ambassador and to all AI Sub-Processors engaged pursuant to Section 4.

2.8 Automated Decision-Making. Customer acknowledges that AI Services, including AI Agents, may involve automated processing of Personal Data that could produce legal or similarly significant effects on Data Subjects. Where Customer’s use of AI Services constitutes automated decision-making subject to Article 22 of the GDPR (or equivalent provisions under other Data Protection Laws), Customer is solely responsible for: (a) determining whether such processing is lawful; (b) implementing appropriate safeguards, including the right to human intervention; and (c) providing Data Subjects with meaningful information about the logic involved. Ambassador will provide Customer with such information about the AI Services’ processing logic as is reasonably necessary to enable Customer to fulfill its transparency obligations under applicable Data Protection Laws.

3. Authorized Employees

3.1 With respect to employees who have a need to know or otherwise access Personal Data to enable Ambassador to perform their obligations under this Addendum or the Agreement (“Authorized Employees”) Ambassador shall (a) only disclose Customer Data to such Authorized employees; (b) take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee; (c) ensure that all Authorized Employees are made aware of the confidential nature of Customer Data and have executed confidentiality agreements that prevent them from disclosing or otherwise processing, both during and after their engagement with Ambassador, any Customer Data except in accordance with their obligations in connection with the Ambassador Services; and (d) take commercially reasonable steps to limit access to Customer Data to only Authorized Employees.

4. Authorized Subprocessors

4.1 Customer agrees that (a) Ambassador may engage Affiliates and Subprocessors as listed at https://trust.getambassador.com/subprocessors (“Subprocessor Page”) which may be updated from time to time and (b) such Affiliates and Subprocessors respectively may engage third-party Subprocessors to process the Personal Data on Ambassador’s behalf. By way of this Addendum, Customer provides general written authorization to Ambassador to engage Subprocessors as necessary to perform the Ambassador Services.

For the Messaging Services, Subprocessors may include Messaging Providers such as Twilio, Inc., and telecommunications carriers engaged solely to transmit and deliver communications on Customer’s behalf and subject to Ambassador’s instructions and this DPA.

For AI Services, Subprocessors may include AI Sub-Processors such as large language model providers and machine learning inference services engaged to process Personal Data in connection with AI predictions, content generation, and other AI capabilities. AI Sub-Processors are listed on the Subprocessor Page and are subject to the same notification and objection procedures set forth in Section 4.2. Ambassador shall ensure that all AI Sub-Processors are contractually prohibited from: (a) using Customer’s Personal Data for their own model training or improvement purposes; (b) retaining Customer’s Personal Data beyond what is necessary to process the specific request; and (c) commingling Customer’s Personal Data with data from other customers or sources.

4.2 At least twenty (20) days before enabling any other Subprocessors to access or participate in the processing of Personal Data, Ambassador will add such third party to the Subprocessor Page. Ambassador will provide written notification of a new Subprocessor before authorizing any new Subprocessor to process any Personal Data. Customer may reasonably object to such an engagement on legitimate grounds by informing Ambassador in writing within ten (10) days of being informed of such new Subprocessor. If Customer reasonably objects to an engagement in accordance with this Section 4.2, and Ambassador cannot provide a commercially reasonable alternative within a reasonable period of time, Ambassador may terminate this Addendum as Customer’s sole and exclusive remedy for such objection. Termination shall not relieve Customer of any fees owed to Ambassador under the Agreement; however, any prepaid and unused fees (corresponding to the period of time after the termination date) shall be promptly refunded to Customer.

4.3 If Customer does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by Ambassador, that third party will be deemed an Authorized Subprocessor for the purposes of this Addendum.

4.4 Ambassador will enter into a written agreement with the Authorized Subprocessor imposing on the Authorized Subprocessor data protection obligations comparable to those imposed on Ambassador under this Addendum with respect to the protection of Personal Data. In case an Authorized Subprocessor fails to fulfil its data protection obligations under such written agreement with Ambassador, Ambassador will remain liable to Customer for the performance of the Authorized Subprocessor’s obligations under such agreement.

5. Security of Personal Data

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Ambassador shall maintain appropriate technical and organizational measures designed for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data.

5.2 Ambassador shall notify Customer within seventy-two (72) hours after confirming any Personal Data Breach. Ambassador shall make reasonable efforts to identify the cause of such Personal Data Breach and take such steps as Ambassador deems necessary and reasonable to remediate the cause of such Personal Data Breach, to the extent the remediation is within Ambassador’s reasonable control. Ambassador will provide Customer with information and cooperation reasonably requested by Customer regarding such Personal Data Breach. Ambassador’s notification of or response to a Personal Data Breach under this Section 5.2 shall not be construed as an acknowledgment by Ambassador of any fault or liability with respect to the Personal Data Breach. Unless required by law or by Ambassador’s regulators, where Customer is the Data Controller, Ambassador shall not notify any Data Subject or any third party other than law enforcement of any Personal Data Breach involving Personal Data without first consulting with Customer. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users.

5.3 Messaging-Specific Safeguards. Without limiting Schedule 2, Ambassador will implement reasonable and appropriate technical and organizational measures for Messaging Data, which may include: encryption in transit; access controls and role-based least-privilege; opt-out handling mechanisms that prevent further outbound messaging to opted-out numbers when instructed by Customer; logging and monitoring of delivery status; media storage access controls; and configurable retention where supported by Messaging Providers.

5.4 AI-Specific Safeguards. Without limiting Schedule 2, Ambassador will implement reasonable and appropriate technical and organizational measures for AI Services Data, which shall include: (a) logical isolation of each Customer Ecosystem within AI processing infrastructure; (b) access controls ensuring AI models serving one Customer cannot access another Customer’s data; (c) encryption of Personal Data in transit to and from AI Sub-Processors; (d) audit logging of AI Agent actions that process Personal Data; (e) rate limiting and guardrails on AI Agent execution to prevent unintended mass processing of Personal Data; (f) emergency stop capabilities enabling Customer to halt AI Agent processing immediately; and (g) mechanisms to ensure AI Sub-Processors delete Personal Data after processing each request.

6. Requirements for GDPR Personal Data

This Section 6 shall only apply to the processing of GDPR Personal Data by or on behalf of Ambassador.

6.1 The parties agree that Ambassador may transfer Personal Data processed under this Addendum outside the European Economic Area (“EEA”), UK, or Switzerland as necessary to provide the Ambassador Services. If Ambassador transfers Personal Data protected under this Addendum to a jurisdiction that has not been found to provide an adequate or equivalent level of protection under the applicable Data Protection Laws, Ambassador will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.

For Messaging Services, Customer acknowledges and instructs Ambassador that delivery of messages necessarily requires onward transfers of Messaging Data to Messaging Providers (including Twilio, Inc.) and downstream telecommunications carriers and aggregators, which may be located outside the EEA/UK/Switzerland. Ambassador will ensure appropriate safeguards for such transfers in accordance with Section 6 and the SCCs/UK Addendum, and will require Subprocessors to provide substantially similar safeguards.

6.2 Ambassador may engage Subprocessors pursuant to Section 4 (Authorized Subprocessors).

6.3 Transfer Mechanisms. With regard to any transfers of GDPR Personal Data from the European Economic Area or the United Kingdom to countries that do not provide adequate protection for such data (as determined by the applicable Data Protection Laws), the parties hereby enter into applicable Standard Contractual Clauses in support of such transfer.

6.4 For transfers of Personal Data from the United Kingdom, the International Data Transfer Addendum to the Model Clauses issued by the Information Commissioner’s Office of the United Kingdom (“UK Addendum”) (including all Part 2 Mandatory Clauses) is hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Data Protection Laws.

(a) Identity of the Parties: The data exporter is Customer, and the data importer is Ambassador. (b) Conflicts: In the event of any conflict or inconsistency between this Addendum and the UK Addendum, the UK Addendum shall prevail. (c) Appendices: Responses to the Appendices to the UK Addendum are provided in Schedule 1, attached hereto. (d) Ending this Addendum when the Approved Addendum Changes: The parties agree that Importer and Exporter may end the Addendum as set out in Section 19 of the UK Addendum. (e) The Addendum EU SCCs shall be the Approved EU SCCs. Module Two will apply where Customer is a Controller and Ambassador is a Processor. In Clause 7, the optional docking clause does not apply. (f) The parties do not incorporate the optional liability clause included in the UK Addendum.

6.5 For all other transfers of Personal Data under this DPA to Third Countries, to the extent such transfers are subject to such applicable Data Protection Laws, the EU Standard Contractual Clauses are hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Data Protection Laws.

(a) Identity of the Parties: The data exporter is Customer, and the data importer is Ambassador. Module Two (controller to processor) is the sole module applicable. (b) Conflicts: In the event of any conflict or inconsistency between this Addendum and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses shall prevail. (c) Appendices: Responses to the Annexes are provided in Schedule 1. (d) In Clause 7, the optional docking clause does not apply. In Clause 9, the parties select Option 2, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.2. In Clause 11, the parties do not select the independent dispute resolution option. In Clause 13, all square brackets are removed with the text remaining.

6.6 In Clauses 17 (Option 2) and 18(b), the parties agree that the jurisdiction is the member state in which Controller is established, or if the Controller is not established in a member state, the Republic of Ireland.

6.7 Where applicable by virtue of Article 28(3)(f) of the GDPR or UK GDPR, Ambassador shall provide reasonable assistance to Customer with any data protection impact assessments which are referred to in Article 35 of the GDPR and with any prior consultations to any Supervisory Authority of Customer which are referred to in Article 36 of the GDPR, in each case solely in relation to processing of GDPR Personal Data and taking into account the nature of the processing and information available to Ambassador. Ambassador’s obligation to assist with DPIAs under this Section 6.7 extends to processing of GDPR Personal Data through AI Services, including AI Agent processing and automated decision-making. Ambassador will provide Customer with such information about the nature, scope, context, and purposes of AI processing as is reasonably necessary for Customer to conduct a DPIA, including a description of the categories of Personal Data processed, the AI processing logic at a functional level, and the technical and organizational measures in place to mitigate risks to Data Subjects.

7. Requirements for CCPA

Section 7 of this DPA shall only apply to the processing of CCPA Personal Information by Ambassador. Ambassador shall not retain, use or disclose CCPA Personal Information for any purpose other than for the specific purpose of providing the Ambassador Services, or as otherwise permitted by the CCPA. Ambassador acknowledges and agrees that it shall not retain, use or disclose CCPA Personal Information for a purpose other than providing the Ambassador Services, except as permitted by the CCPA. Processing CCPA Personal Information outside the scope of this DPA or the Agreement will require prior written agreement between Customer and Ambassador on additional instructions for processing. Ambassador shall also not Sell or Share any CCPA Personal Information it collects pursuant to the Agreement with Customer. Ambassador shall not retain, use, or disclose CCPA Personal Information collected pursuant to the DPA or Agreement for purposes outside the direct business relationship between Ambassador and Customer, unless expressly permitted by CCPA and its regulations. To the extent prohibited by the CCPA, Ambassador will not combine CCPA Personal Information received from Customer with Personal Data that Ambassador receives from, or on behalf of, another person or persons, or collects from its own interaction with consumers.

For the avoidance of doubt, the prohibition on combining CCPA Personal Information under this Section 7 applies to AI model training: Ambassador shall not use CCPA Personal Information received from Customer to train, fine-tune, or improve AI or machine learning models that process CCPA Personal Information of other customers. Ambassador’s use of AI Services Data is limited to providing AI Services within Customer’s Ecosystem as set forth in Section 2.7 of this DPA and Section 2.10 of the Agreement.

8. Rights of Data Subjects

8.1 Ambassador shall, to the extent permitted by law and within five (5) business days, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Ambassador receives a Data Subject Request in relation to Customer Data, Ambassador will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Ambassador Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Ambassador, and for ensuring that a record of consent to processing is maintained with respect to each Data Subject.

Where a Data Subject Request relates to Personal Data processed through AI Services (including data used to train or configure AI Agents within Customer’s Ecosystem, or data generated by AI Services as output), Ambassador shall provide Customer with reasonable assistance in fulfilling such request, including: (a) identifying AI Services Data associated with the Data Subject; (b) supporting erasure of such data from active AI processing systems within Customer’s Ecosystem; and (c) providing Customer with confirmation that the Data Subject’s Personal Data has been removed from active AI model inputs. Customer acknowledges that removal of Personal Data from AI model inputs does not guarantee removal of all patterns or inferences derived from such data within pre-trained model weights, and that Ambassador’s obligations are limited to commercially reasonable efforts.

8.2 Ambassador shall, at the request of Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Ambassador’s assistance and (ii) Ambassador is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Ambassador.

9. Actions and Access Requests

9.1 Ambassador shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum and retain such records for a period of two (2) years after the termination of the Agreement. Customer shall, with reasonable notice to Ambassador, have the right to review, audit and copy such records at Ambassador’s offices during regular business hours.

9.2 Upon Customer’s request, Ambassador shall, no more than once per calendar year, either (i) make available for Customer’s review copies of certifications or reports demonstrating Ambassador’s compliance with Data Protection Laws or prevailing data security standards applicable to the processing of Customer Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Customer or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Ambassador’s data security infrastructure and procedures that is sufficient to demonstrate Ambassador’s compliance with its obligations under this Addendum, provided that Customer shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Ambassador’s business. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Ambassador for any time expended for on-site audits. Any such audit shall be subject to Ambassador’s security and confidentiality terms and guidelines; if Ambassador declines to comply with the terms of this Section 9.2, Customer may terminate this DPA and the Agreement upon written notice to Ambassador within thirty (30) days of Ambassador’s notice of its refusal to comply with the terms of this Section 9.2.

9.3 Ambassador shall promptly notify Customer if an instruction, in Ambassador’s opinion, infringes the Data Protection Laws or supervisory authority.

10. Return or Deletion of Customer Data

Following termination or expiration of the Agreement, Ambassador shall return or delete the Customer Data, unless further storage of Customer Data is required or authorized by applicable law, as stated under the Agreement. If return or destruction is impracticable or prohibited by law, rule or regulation, Ambassador shall take measures to block such Customer Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Customer Data remaining in its possession, custody, or control.

With respect to AI Services Data, Ambassador shall, upon Customer’s written request made within sixty (60) days following termination or expiration: (a) provide Customer with an export of Customer AI Configuration in a structured, machine-readable format (e.g., JSON); (b) delete all Customer-specific AI training data, agent configurations, and Customer Ecosystem intelligence from Ambassador’s active AI processing systems within ninety (90) days; and (c) confirm such deletion in writing. Ambassador shall ensure that AI Sub-Processors delete or return Customer’s Personal Data processed through AI Services in accordance with the same timelines. AI Services Data residing on Ambassador’s backup, disaster recovery, or business continuity systems shall be subject to the same retention terms as other Customer Data under this Section 10.

11. Affiliates

Customer acts as a single point of contact for its Affiliates with respect to compliance with Data Protection Laws such that where Ambassador gives notice to Customer, such information or notice is deemed received by Customer’s Affiliates. The parties acknowledge and agree that any claims in connection with Data Protection Laws under this DPA will be brought by Customer, whether acting for itself or on behalf of an Affiliate.

12. Limitation of Liability

THE TOTAL LIABILITY OF EACH OF CUSTOMER AND AMBASSADOR (AND THEIR RESPECTIVE EMPLOYEES, DIRECTORS, OFFICERS, AFFILIATES, SUCCESSORS, AND ASSIGNS), ARISING OUT OF OR RELATED TO THIS ADDENDUM, WHETHER IN CONTRACT, TORT, OR OTHER THEORY OF LIABILITY, SHALL NOT, WHEN TAKEN TOGETHER IN THE AGGREGATE, EXCEED THE APPLICABLE LIMITATIONS OF LIABILITY SET FORTH IN THE AGREEMENT.

Accepted and agreed to:

I2H, Inc. dba Ambassador[Customer]

By:By:

Name:Name:

Title:Title:

Date:Date:

 

SCHEDULE 1 — Data Processing Appendix

[Schedule 1 tables as set forth in the executed DPA, with the following additions to A.2 Processing Terms:]

Nature of the processing — includes:

AI Services: processing of Personal Data through artificial intelligence and machine learning models for the purpose of generating predictions, recommendations, content, audience segments, and automated actions within Customer’s Ecosystem; execution of AI Agent workflows including reading, analyzing, and acting on Customer Data and integration data as configured by Customer; processing of Personal Data through the Context API to generate intelligence responses; and, where Customer has opted in, inclusion of de-identified and aggregated data in Benchmarking Data.

Purpose of the processing — includes:

For AI Services: to provide AI-powered predictions, recommendations, and content generation; to execute AI Agent workflows as configured by Customer; to provide Context API intelligence responses; to improve AI capabilities within Customer’s Ecosystem based on Customer’s Outcome Data; and, where Customer has opted in pursuant to Section 2.10(C) of the Agreement, to generate anonymized Benchmarking Data for industry benchmarking purposes.

Type of Personal Data processed — includes:

AI Services Data (where Customer enables AI Services): Personal Data submitted by Customer or Customer’s Contacts to AI features, including text inputs, behavioral data used for predictions, engagement and conversion data used for AI training within Customer’s Ecosystem, and Personal Data processed by AI Agents in the course of executing configured workflows. AI-generated outputs that may contain or be derived from Personal Data. Customer AI Configuration data to the extent it incorporates or references Personal Data patterns.

 

SCHEDULE 2 — Technical and Organisational Measures

[Schedule 2 security measures as set forth in the executed DPA, with the following addition:]

AI Services-Specific Measures:

Ambassador will implement measures appropriate to AI Services Data, including: logical isolation of Customer Ecosystems within AI processing infrastructure ensuring one Customer’s data cannot be accessed by AI models or agents serving another Customer; encryption of Personal Data in transit to and from AI Sub-Processors (TLS 1.2 or higher); contractual and technical controls ensuring AI Sub-Processors do not retain Personal Data beyond request-level processing; access controls and role-based least-privilege for AI Agent configurations; audit logging of all AI Agent actions that read, process, or act on Personal Data; rate limiting and execution guardrails on AI Agents to prevent unintended mass processing; emergency stop mechanisms enabling Customer to halt all AI Agent processing immediately; input/output monitoring for AI Services to detect anomalous data processing patterns; and periodic review of AI Sub-Processor compliance with data isolation requirements.

 

SCHEDULE 3 — List of Subprocessors

Ambassador’s list of Subprocessors (including Affiliates) is available at https://trust.getambassador.com/subprocessors (the “Subprocessor Page”). The Subprocessor Page may be updated from time to time in accordance with this DPA.

For avoidance of doubt, Subprocessors for the Messaging Services include Messaging Providers such as Twilio, Inc., and downstream telecommunications carriers and aggregators engaged solely for message transmission and delivery.

For avoidance of doubt, Subprocessors for AI Services include AI Sub-Processors such as large language model providers and machine learning inference services engaged solely to process Personal Data in connection with AI predictions, content generation, and other AI capabilities within Customer’s Ecosystem, subject to the data isolation requirements of Section 2.7 of this DPA and Section 2.10 of the Agreement. The identity of AI Sub-Processors is disclosed on the Subprocessor Page.

SCHEDULE 3

LIST OF SUBPROCESSORS

Ambassador’s list of Subprocessors (including Affiliates) is available at https://trust.getambassador.com/subprocessors (the “Subprocessor Page”). The Subprocessor Page may be updated from time to time in accordance with this DPA.

For avoidance of doubt, Subprocessors for the Messaging Services include Messaging Providers such as Twilio, Inc., and downstream telecommunications carriers and aggregators engaged solely for message transmission and delivery.