Data Processing Addendum

1. Roles

For Customer Data, the customer is the controller, business, or equivalent party that determines the purposes and means of processing. Customer Served is the processor, service provider, or equivalent party that processes Customer Data only to provide, secure, support, maintain, and improve the Service, and as otherwise instructed by the customer or required by law.

2. Processing Details

The subject matter is support desk software for Shopify brands. The duration is the term of the customer's subscription plus any retention period required for backups, legal obligations, security, billing, audit logs, or dispute resolution. The nature and purpose of processing is to host, transmit, store, retrieve, analyze, summarize, draft, classify, export, delete, and otherwise process Customer Data to provide the Service.

• Categories of data subjects may include merchant users, merchant customers, email senders and recipients, Shopify customers, Freshdesk contacts, and support agents.
• Categories of personal information may include names, email addresses, order details, shipping information, support messages, attachments, customer identifiers, tracking information, account identifiers, audit logs, and usage records.
• Sensitive data is not required for normal use of the Service. The customer must not submit sensitive data unless it has a lawful basis and appropriate safeguards.

3. Customer Instructions

We will process Customer Data only according to the customer's documented instructions, including these Terms, product settings, support requests, API calls, workspace configuration, and actions taken by authorized users. We may process Customer Data as needed to comply with applicable law, in which case we will notify the customer unless prohibited by law.

4. Customer Responsibilities

The customer is responsible for Customer Data, notices, consents, lawful bases, privacy disclosures, data subject requests, connected integrations, email forwarding, Shopify permissions, Freshdesk imports, and user access. The customer is also responsible for reviewing AI output and approving or rejecting any customer-facing message or commerce action.

5. Confidentiality

Personnel who process Customer Data are required to protect it and are subject to confidentiality obligations or professional confidentiality duties.

6. Security Measures

We maintain technical and organizational measures designed to protect Customer Data against unauthorized access, accidental or unlawful destruction, loss, alteration, disclosure, or processing. Measures may include access controls, authentication, least privilege, encryption for selected secrets and tokens, private object storage, webhook authentication, audit logging, operational monitoring, backups, and incident response procedures.

7. Subprocessors

The customer authorizes the subprocessors listed on the Subprocessors page and any replacements or additions made according to this section. We will require subprocessors to protect Customer Data under obligations materially no less protective than this DPA, to the extent applicable to the services they provide.

We may update subprocessors as the Service changes. If required by applicable law, customers may object to a new subprocessor by contacting support@customerserved.ai within 30 days of notice. If we cannot reasonably resolve the objection, the customer may stop using the affected feature or terminate the affected subscription as its exclusive remedy.

8. AI Processing

AI features may process Customer Data through AI routing providers and model providers to generate drafts, summaries, classifications, and recommendations. The customer instructs us to process Customer Data for those AI features when the customer or its users enable, request, or use them. AI output is not a final decision, legal advice, refund authorization, cancellation instruction, or customer commitment. The customer remains responsible for review and final action.

9. Security Incidents

We will notify the customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data, unless legally prohibited. Notice may include available information about the nature of the incident, affected systems or data, mitigation steps, and recommended customer actions. The customer is responsible for determining whether notice to its customers, regulators, or other parties is required.

10. Assistance

Taking into account the nature of the processing and information available to us, we will provide reasonable assistance for data subject requests, deletion, export, security, and data protection impact assessments when required by applicable law. We may charge reasonable fees for assistance that is unusually burdensome or outside normal product functionality.

11. Return and Deletion

Upon termination or written request, we will delete, return, or anonymize Customer Data according to product functionality, retention settings, backup cycles, legal obligations, security requirements, billing records, and audit needs. Deletion from backups may occur on the normal backup rotation schedule.

12. International Transfers

We may process Customer Data in Canada, the United States, and other countries where we or our subprocessors operate. If applicable data protection law requires a transfer mechanism, the parties will use a legally recognized mechanism such as standard contractual clauses or another available transfer basis.

13. Audit Information

We will make information reasonably necessary to demonstrate compliance with this DPA available through documentation, subprocessors lists, security summaries, product controls, or other reasonable means. Audits must be limited to what is legally required, must avoid disruption, must protect confidential information, and may be subject to reasonable scope, timing, and security requirements.

14. Conflict

If there is a conflict between this DPA and the Terms, this DPA controls only for processing of Customer Data as personal information. Otherwise, the Terms continue to apply, including limitations of liability.