Download

Data Processing Agreement

EffectiveMay 28, 2026

Contents
  1. Introduction
  2. Specification of data processing
  3. Processing of Personal Data
  4. Subprocessors
  5. Cross-border data transfers
  6. Information security and confidentiality
  7. Personal Data breach notification
  8. Assistance, impact assessments, and audits
  9. Obligations of the Customer
  10. US State Privacy Law obligations
  11. Term and measures upon completion
  12. Liability, governing law, and amendments
  13. Definitions

1. Introduction

1.1 This Data Processing Agreement (the "DPA") governs the processing of Personal Data in connection with the provision of the Services by Moonage, Inc. ("Moonage") to the Customer, and forms part of the Agreement between the parties.

1.2 This DPA regulates the parties' respective rights and obligations when Moonage processes Personal Data on behalf of the Customer under the Agreement. As between the parties, the Customer is the Data Controller and Moonage is the Data Processor, processing Personal Data on the Customer's behalf.

1.3 The purpose of this DPA is to regulate the processing of Personal Data in accordance with Applicable Data Protection Laws. Terms used in this DPA are interpreted in accordance with Applicable Data Protection Laws.

1.4 In the event of any conflict between the rest of the Agreement and this DPA, this DPA prevails with respect to its subject matter. Capitalized terms used but not defined in this DPA have the meaning given in the Agreement.

1.5 The specification of processing in Section 2, the pre-approved subprocessor list referenced in Section 4, and the security measures in the Security Policy each form part of this DPA.

2. Specification of data processing

The Customer's instructions to Moonage regarding the subject matter and duration of the processing, the nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are set out below and in the Customer's use of the Services:

Subject matter. Moonage's processing of Personal Data contained in Customer Data in order to provide the Services under the Agreement.

Duration. For the term of the Agreement and until Moonage no longer processes Personal Data on the Customer's behalf, as set out in Section 11.

Nature and purpose. Provision, operation, support, and maintenance of the Services, including the AI agent, meeting, and calendar features, in accordance with the Customer's Instructions.

Categories of Personal Data. Personal Data contained within Customer Data, which may include names, contact details, employer and role, and — where the Customer enables the relevant features — calendar data, meeting audio and transcriptions, recordings, and derivatives such as conversation transcripts. The Customer determines the data it submits and must not submit Sensitive Data except as expressly agreed.

Categories of Data Subjects. Individuals identified in Customer Data, such as the Customer's Authorized Users and their meeting participants, contacts, and clients.

3. Processing of Personal Data

3.1 Moonage will process Personal Data only on behalf of the Customer, for the purposes set out in this DPA, and in accordance with the Customer's documented Instructions, unless otherwise required by Applicable Data Protection Laws. By using the Services, the Customer instructs Moonage to process Personal Data as reflected in the Documentation. If Moonage is required by law to process Personal Data outside the Customer's Instructions, it will inform the Customer in advance unless legally prohibited from doing so.

3.2 As Data Processor, Moonage will: (a) comply with all Applicable Data Protection Laws applicable to it as a processor; (b) promptly notify the Customer in writing if it cannot comply with this DPA; (c) promptly inform the Customer if, in Moonage's opinion, an Instruction infringes Applicable Data Protection Laws; and (d) ensure that all persons authorized to process Personal Data are bound by a duty of confidentiality.

3.3 Moonage will, without undue delay and to the extent legally permitted, inform the Customer of: (a) any legally binding request for disclosure of Personal Data by a law-enforcement or governmental authority (and, if prohibited from notifying the Customer, use best efforts to obtain a waiver); (b) any notice, inquiry, or investigation by a Supervisory Authority concerning the Personal Data; and (c) any request from a Data Subject to exercise their rights. Other than to request further information or to identify the Data Subject, Moonage will not respond to a Data Subject request without the Customer's prior written authorization, and will instead refer such requests to the Customer to the extent permitted by law.

3.4 Moonage certifies that it will not: (a) retain, use, or disclose Personal Data outside the direct relationship between Moonage and the Customer, other than to provide the Services or as permitted by Applicable Data Protection Laws; (b) sell or share Personal Data (as those terms are defined under US State Privacy Law); (c) combine Personal Data with personal information obtained from other sources, except as permitted by Applicable Data Protection Laws or directed by the Customer; or (d) use Personal Data to train or fine-tune AI models, nor permit its subprocessors to do so.

4. Subprocessors

4.1 The Customer grants Moonage a general written authorization to engage subprocessors to carry out processing activities necessary to provide the Services, provided that Moonage binds each subprocessor by a written agreement imposing data-protection obligations materially equivalent to those in this DPA. Moonage remains fully liable to the Customer for each subprocessor's performance of its data-protection obligations.

4.2 Moonage maintains a list of subprocessors and will notify the Customer of any intended addition or replacement at least thirty (30) days before the change takes effect (for example, by updating the subprocessor list, to which the Customer may subscribe for notifications). The Customer may object on reasonable grounds relating to data protection by written notice within fifteen (15) days of the notice.

4.3 If the Customer objects, Moonage may (a) offer an alternative means of providing the Services without the subprocessor, (b) take corrective steps and proceed, or (c) cease providing, or the Customer may agree not to use, the affected feature of the Services. If none of these is commercially feasible in Moonage's reasonable judgment and the objection is not resolved within thirty (30) days, either party may terminate the affected subscriptions for cause, and the Customer will be refunded any prepaid, unused fees for the terminated portion. Accepting an offered cure or exercising this termination right is the Customer's sole and exclusive remedy for an objection to a new subprocessor.

5. Cross-border data transfers

5.1 Personal Data is stored and processed within the EU/EEA by default. The Customer acknowledges that, to provide the Services, Personal Data may be transferred to or accessed by Moonage in the United States, unless the parties have agreed in the Order Form or otherwise in writing to process and store Personal Data exclusively in a different location.

5.2 Where a transfer of Personal Data constitutes a Restricted Transfer, Moonage will ensure that an appropriate Data Transfer Mechanism is in place, providing safeguards consistent with Chapter V of the GDPR. Such mechanisms include reliance on an adequacy decision, the EU-US Data Privacy Framework (and its UK extension) where applicable, or the Standard Contractual Clauses (together with the UK International Data Transfer Addendum where the UK GDPR applies). Where the Standard Contractual Clauses apply, Module Two (Controller to Processor) or, for onward transfers to a subprocessor, Module Three, applies, and the Clauses are incorporated into this DPA by reference.

5.3 On request, Moonage will provide the Customer with reasonably relevant information about a Restricted Transfer, including the destination country, to enable the Customer to make an informed decision. Moonage has no reason to believe that laws or practices applicable to it or its subprocessors prevent it from fulfilling its obligations under this DPA or any applicable Standard Contractual Clauses, and will promptly notify the Customer if it becomes unable to do so.

6. Information security and confidentiality

6.1 Moonage will implement and maintain the appropriate technical and organizational measures described in the Security Policy to protect Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of or access to Personal Data, and against other forms of unlawful processing.

6.2 Moonage will ensure that only personnel and representatives who require access to Personal Data to fulfill Moonage's obligations have such access, that all such persons are bound by confidentiality obligations, and that they receive sufficient training covering data-protection awareness.

7. Personal Data breach notification

7.1 If Moonage becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Personal Data (a "Personal Data Breach"), Moonage will notify the Customer without undue delay, and in any case within seventy-two (72) hours after becoming aware, in accordance with the incident-response provisions of the Security Policy, which are incorporated into this DPA.

7.2 Moonage will provide the Customer with the information reasonably required to meet the Customer's own breach-notification obligations under Applicable Data Protection Laws, including the information described in the Security Policy. Any costs associated with such assistance are subject to the limitations of liability in the Agreement.

8. Assistance, impact assessments, and audits

8.1 Taking into account the nature of the processing and the information available to it, Moonage will provide reasonable assistance to the Customer, at the Customer's reasonable expense, with: (a) responding to Data Subject requests; (b) implementing appropriate security measures; and (c) carrying out data protection impact assessments and any prior consultations with a Supervisory Authority. Such assistance is at the Customer's expense unless the need for it results directly from an act or omission of Moonage, in which case Moonage bears the cost.

8.2 The Customer may audit Moonage's processing of Personal Data to verify compliance with this DPA, no more than once in any 12-month period unless the Customer has clear grounds to believe Moonage has materially breached this DPA. Audits are conducted in the manner set out under "Customer rights and shared responsibility" in the Security Policy, by an appropriately qualified auditor bound by confidentiality. The Customer acknowledges that audits will not include access to information belonging to Moonage's other customers, some of whom may be subject to professional confidentiality obligations. Reports and documentation Moonage provides are its Confidential Information.

8.3 The Customer bears the costs of audits, except that where an audit concludes that Moonage has materially breached this DPA, Moonage will reimburse the Customer's reasonable and verified audit costs.

9. Obligations of the Customer

9.1 The Customer represents, warrants, and covenants that it has and will maintain throughout the term all necessary rights, legal bases, consents, and authorizations to provide Personal Data to Moonage and to authorize Moonage to process it as contemplated by this DPA and the Agreement, and that it complies with all Applicable Data Protection Laws applicable to it as Data Controller.

9.2 The Customer is responsible for the configuration and design decisions it makes for the Services and for implementing them securely and in compliance with Applicable Data Protection Laws. The Customer will transfer Personal Data to Moonage only through secure, reasonable, and appropriate mechanisms, and will limit the Personal Data it provides to what is necessary for the Agreement. For example, the Customer will not include Personal Data, other than technical contact information, in technical support tickets or transmit Personal Data to Moonage by email.

10. US State Privacy Law obligations

To the extent US State Privacy Law applies, Moonage acts as a "service provider" (or equivalent) and certifies that it understands and will comply with its obligations to: process Personal Data only for the purposes set out in this DPA and the Agreement; not sell or share Personal Data; not retain, use, or disclose Personal Data outside the direct business relationship with the Customer except as permitted by law; provide a level of privacy protection no less than required by US State Privacy Law; not combine Personal Data with personal information from other sources except as permitted; and not attempt to re-identify any deidentified data except to verify that the deidentification is compliant. The Customer has the right to take reasonable steps to ensure Moonage uses Personal Data consistently with US State Privacy Law and to stop and remediate any unauthorized use.

11. Term and measures upon completion

11.1 This DPA remains in effect for as long as Moonage processes Personal Data for which the Customer is Data Controller, or until it is replaced by another data processing agreement between the parties.

11.2 Within thirty (30) days following termination of the Services, or upon the Customer's reasonable written request, Moonage will, at the Customer's choice, securely delete or return all Personal Data and will direct each subprocessor to do the same, unless Applicable Data Protection Laws require continued retention.

11.3 If return or deletion is impracticable or prohibited by a valid legal requirement, Moonage will inform the Customer, block the Personal Data from further processing (except as necessary for continued hosting or as required by law), continue to protect it with appropriate safeguards, and require any subprocessor that retains Personal Data to take the same measures. Where Moonage is legally required to retain archival copies, it will (a) inform the Customer in writing of the obligation and the affected data, (b) use the data only to comply with that obligation, and (c) remain bound by its confidentiality and security obligations under the Agreement and this DPA.

12. Liability, governing law, and amendments

12.1 The liability provisions and limitations set out in the Agreement apply to this DPA. Except as otherwise required by Applicable Data Protection Laws, this DPA is governed by, and disputes are resolved in accordance with, the governing-law and dispute-resolution provisions of the Agreement.

12.2 Any amendment to this DPA must be in writing and signed by authorized representatives of both parties, except that the Customer may update its written processing Instructions as reflected in its use of the Services. If new laws or regulations governing artificial intelligence or data protection take effect, the parties will review this DPA in good faith and negotiate any amendments necessary for compliance; if such regulations make continued performance infeasible or unlawful, either party may terminate on reasonable written notice without affecting obligations incurred before termination.

13. Definitions

  • "Applicable Data Protection Laws" means all binding data protection laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU GDPR, the UK GDPR, other privacy laws of the EEA and the United Kingdom, and US State Privacy Law, in each case as amended or supplemented from time to time.
  • "Data Controller" means the entity that determines the purposes and means of processing Personal Data, including equivalent concepts under Applicable Data Protection Laws (such as "business" under the CCPA).
  • "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller, including equivalent concepts under Applicable Data Protection Laws (such as "service provider" under the CCPA).
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates and whose Personal Data is protected by Applicable Data Protection Laws.
  • "Data Transfer Mechanism" means a mechanism enabling the lawful cross-border transfer of Personal Data under Applicable Data Protection Laws, including an adequacy decision, the EU-US Data Privacy Framework, the Standard Contractual Clauses, and the UK International Data Transfer Addendum.
  • "Instructions" means the Customer's documented instructions to Moonage, including actions taken and input provided through the Services, the Agreement, and the Documentation.
  • "Personal Data" means any Customer Data that relates to an identified or identifiable natural person, or that otherwise constitutes "personal data" or "personal information" under Applicable Data Protection Laws.
  • "Personal Data Breach" has the meaning given in Section 7.1.
  • "Processing" means any operation performed on Personal Data on the Customer's behalf, whether or not by automated means, such as collection, recording, storage, alteration, retrieval, use, disclosure, or deletion (and "process" and "processed" are interpreted accordingly).
  • "Restricted Transfer" means any transfer of Personal Data that requires a Data Transfer Mechanism under Applicable Data Protection Laws.
  • "Standard Contractual Clauses" means the standard contractual clauses adopted by the European Commission on 4 June 2021 (Implementing Decision (EU) 2021/914), or any clauses replacing them.
  • "Supervisory Authority" means an independent public authority responsible for enforcing Applicable Data Protection Laws with jurisdiction over the Customer or the relevant processing.
  • "US State Privacy Law" means US state laws relating to the protection and processing of Personal Data, including the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, as amended from time to time.