Isara Data Processing Agreement

This Data Processing Agreement (hereinafter referred to as “DPA”) is executed by and between Tappa Operations Inc. (the provider of the “Isara” service under the Terms of Service, hereinafter “Tappa” or “Processor”) and the Client (hereinafter “Controller”).

In this DPA, Tappa and the Client are each referred to as a “Party” and jointly as the “Parties.” Regarding the processing activities undertaken in connection with the Isara service (the “Services”), Tappa acts as a Processor on behalf of the Client, who acts as the Controller of the personal data.

1. General Data Processing Terms

1.1  Role of the Parties: Where Tappa processes personal data (“Personal Data”) on behalf of the Client in the course of providing the Services, it does so as a Processor for the Client and undertakes to comply with the EU General Data Protection Regulation (GDPR) and the provisions of this DPA, in accordance with and for the purposes of Article 28 of the GDPR.

1.2  Compliance with Instructions and Law: Tappa undertakes to carry out the processing of Personal Data only in accordance with the obligations imposed by the GDPR, this DPA, and the documented instructions of the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions.

1.3  Documentation of Instructions: The Controller’s initial instructions to the Processor regarding data processing are reflected in this DPA. Any additional or alternate instructions must be agreed upon in writing (including electronic form) in advance, and the Processor will ensure all such instructions are documented and followed.

1.4  Controller’s Authorizations and Responsibilities: The Controller warrants that it has all necessary authority and legal basis to provide the Personal Data to the Processor and to instruct the Processor to perform the processing described in this DPA. The Controller is responsible for ensuring that any required notices have been provided to, and any necessary consents obtained from, data subjects for the processing of their Personal Data by the Processor as described herein. In particular, if the Controller elects to use the Services to monitor or evaluate the performance of the Controller’s own personnel (e.g. support agents), the Controller shall ensure that it has notified those employees and obtained any consent or lawful authorization required by applicable privacy or employment laws before their Personal Data (e.g. support ticket communications) is processed through the Services.

2. Details of Processing

2.1  The Parties acknowledge and agree that the processing of Personal Data by the Processor under this DPA shall cover the following aspects, in accordance with Article 28(3) of the GDPR:

2.2  Subject-Matter: The Processor’s provision of the Isara customer support conversation analytics and monitoring Services to the Controller, as described in and governed by the applicable Terms of Service.

2.3  Duration of Processing: Personal Data will be processed by the Processor only for as long as necessary to fulfill the purposes of the Services. By default, the Processor will not retain any Personal Data obtained through the Services for more than 60 days from the date of its collection or generation, unless otherwise expressly instructed by the Controller or required by law. The Controller may issue instructions at any time for deletion or return of Personal Data (including prior to termination of the Services), and the Processor will promptly comply with such instructions.

2.4  Nature and Purpose of Processing: The Processor will retrieve and analyze customer support communications and related data on behalf of the Controller in order to provide the functionalities of the Isara Service. This includes collecting support ticket and conversation data from the Controller’s integrated helpdesk platforms (such as Zendesk, Intercom, HubSpot, Salesforce, or similar systems), and performing automated processing — including natural language processing and large language model inference — on the text of those communications to generate useful insights for the Controller. Such insights include, for example, sentiment or frustration indicators, conversation summaries, suggested tags or categorizations, and recommended actions or training opportunities for support agents. All processing is carried out for the purpose of helping the Controller monitor and improve its customer support services and customer satisfaction, and for no other purposes. The Processor will use only pre-trained machine learning models (e.g. large language models such as Mistral, Gemini, Llama) to analyze the data and will not use the Controller’s Personal Data to train, fine-tune, or improve any AI models, in accordance with the Controller’s instructions.

2.5  Type of Personal Data: The Personal Data processed via the Services includes information contained in or related to customer support interactions. Depending on how the Controller uses the Isara Service, the data may include: identification and contact information of individuals (such as names, email addresses, phone numbers, or user IDs of the Controller’s customers and support agents); the content of support communications (for example, the text of emails, chats, or ticket messages between the Controller’s customers and support staff, which may contain personal information provided by those parties); metadata and identifiers associated with support conversations (such as ticket numbers or conversation IDs, timestamps, and any internal references which, if directly linked to individuals, are treated as personal data); and any additional personal data that the Controller chooses to import or provide for analysis through the Service (for instance, personal data that might be contained in customer documentation or knowledge base articles the Controller integrates with Isara for context). The Processor will treat any personal data within the Controller’s uploaded documentation or knowledge base as Personal Data under this DPA and will process it only for the Controller’s purposes as instructed.

2.6  Categories of Data Subjects: The categories of data subjects include the individuals who interact via the support communications processed by the Service. This typically encompasses the Controller’s end-users or customers who initiate support requests or are the subject of support tickets, and the Controller’s support agents or employees who correspond with those customers through the helpdesk platform. Accordingly, both the Controller’s customers and its support personnel (and any other individuals whose personal data is contained in the support exchanges or related documentation) are data subjects under this DPA.

3. Processing on Documented Instructions Only

The Processor, including any person acting under the Processor’s authority who has access to Personal Data, shall process the Personal Data only on documented instructions from the Controller (as set forth in this DPA and the Terms of Service (“TOS”) or as subsequently provided in writing) and solely for the purpose of performing the Services for the Controller. The Processor shall not process the Personal Data for any other purpose or in any other manner unless required to do so by applicable law (in which case the Processor will inform the Controller of that legal requirement prior to processing, unless the law prohibits such notice). For the avoidance of doubt, any data, analytics, tags, summaries or other insights generated by the Processor from the Controller’s Personal Data are considered part of the Controller’s Personal Data and shall be used and disclosed by the Processor only as directed by the Controller and for the purposes of providing the Services.

4. Confidentiality and Personnel

The Processor warrants that it has appointed employees or authorized contractors to process Personal Data strictly on a need-to-know basis and only to the extent necessary for the provision of the Services, in accordance with this DPA and the TOS. The Processor shall ensure that all such persons authorized to process Personal Data are under appropriate contractual or statutory confidentiality obligations. They must be bound to keep the Personal Data (and any other confidential information of the Controller they may encounter) confidential and are required to undergo training on data protection and privacy principles relevant to their duties.

5. Security Measures

5.1  The Processor shall implement and maintain all appropriate technical and organizational security measures required by Article 32 of the GDPR (and equivalent provisions of other applicable data protection laws) to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. Such measures include, among others, access controls, encryption of data in transit and at rest, and pseudonymization or anonymization of Personal Data where appropriate.

5.2  In the event of a personal data breach (security incident) affecting Personal Data processed by the Processor on behalf of the Controller, the Processor will promptly notify the Controller and take all necessary and appropriate corrective actions to mitigate the breach. The Processor will further cooperate with the Controller in investigating the breach and fulfilling any obligations to notify affected individuals or supervisory authorities, as required by law.

6. Assistance to Controller

The Processor shall assist the Controller in ensuring compliance with the Controller’s obligations under applicable data protection laws, taking into account the nature of the processing and the information available to the Processor. This includes reasonably assisting with: (a) responses to data subjects’ requests to exercise their rights (such as access, rectification, erasure, restriction, objection, or data portability requests) with respect to Personal Data processed by the Processor; (b) the Controller’s obligation to implement appropriate security measures and to notify personal data breaches to supervisory authorities and/or data subjects; (c) where necessary, conducting data protection impact assessments (DPIAs) and consulting with supervisory authorities in relation to processing performed by the Processor; and (d) handling any inquiries or complaints received from public authorities (such as a Data Protection Authority) regarding the processing of Personal Data under this DPA.

7. Return or Deletion of Data

Upon termination of the Services, upon fulfillment of all processing purposes, or at any time upon the Controller’s request, the Processor will return to the Controller (or a third party designated by the Controller) all Personal Data, and delete or securely destroy all copies of Personal Data in its systems and files, unless applicable law requires the Processor to retain certain data. Upon termination of the Services, including the expiration of any subscription or free trial, Personal Data will be automatically deleted within sixty (60) days unless the Controller requests its return or deletion. In no case will the Processor retain Personal Data longer than necessary for the purposes of processing, except to the extent that applicable law obligates the Processor to retain copies for a longer period (for example, to comply with tax, accounting, or archiving laws). If such legal retention requirements apply, the Processor will continue to protect the confidentiality of the Personal Data and will not actively process it for any other purpose.

The Processor may retain and use de-identified, anonymized, or aggregated data derived from the Client’s use of the Services exclusively for the purposes of improving, developing, and optimizing the Processor’s algorithms, models, and service features, as well as for benchmarking and overall service quality enhancement. Such data shall be irreversibly anonymized in accordance with applicable data protection laws and recognized industry best practices, ensuring that no natural person can be identified, directly or indirectly.

Any such processing shall not involve Personal Data as defined under the GDPR, and the Processor shall implement appropriate technical and organizational measures to ensure the effectiveness of the anonymization process. The Processor shall further ensure that such anonymized or aggregated outputs cannot reasonably be re-associated with the Client or any Data Subject.

8. Audits

The Processor shall make available to the Controller all information necessary to demonstrate the Processor’s compliance with its obligations under this DPA and applicable data protection laws. Upon reasonable request, the Processor will provide documentation or certificates describing the security measures and relevant internal practices. In the event that such documentation is not sufficient for the Controller to verify Processor’s compliance, the Controller is entitled to audit the Processor’s processing of Personal Data. The Controller (or its mandated auditor, provided any external auditor is bound by appropriate confidentiality obligations) may conduct an on-site inspection of the Processor’s relevant facilities and systems, solely to the extent necessary to evaluate such compliance. Any audit must be conducted with reasonable prior notice (at least 30 business days) to the Processor, during normal business hours, and in a manner that does not unreasonably interfere with the Processor’s operations. The Parties shall mutually agree on the scope and timing of the audit and shall cooperate in good faith to minimize disruption and expense.

9. Sub-processors

9.1  The Controller provides a general authorization for the Processor to engage sub-processors (subcontractors engaged in processing Personal Data) as needed for the performance of the Services. The Processor will maintain a list of approved sub-processors. As of the Effective Date of this DPA, the Controller expressly consents to the Processor’s use of the sub-processors listed in Annex 1.

9.2  Whenever the Processor engages a sub-processor to process Personal Data, the Processor shall do so via a written contract that imposes on the sub-processor the same level of data protection obligations as those imposed on the Processor under this DPA. The Processor remains fully liable to the Controller for the sub-processor’s performance of its obligations.

10. International Data Transfers

The Processor will ensure that Personal Data processed by sub-processors is, by default, only processed or stored in geographic locations (countries) that are either within the European Economic Area (EEA) or in a country deemed by the European Commission to provide an adequate level of data protection. The Processor currently processes and stores Personal Data in data centers located in such approved jurisdictions (or ensures appropriate safeguards are in place if otherwise). If at any time the Processor or any sub-processor intends to transfer or access Personal Data from a country outside of the EEA that is not recognized as providing adequate protection, the Processor shall ensure that a valid transfer mechanism is in place to lawfully facilitate that transfer in compliance with GDPR Chapter V. Such mechanisms may include, as applicable, the execution of the European Commission’s Standard Contractual Clauses (SCCs) or other transfer tools approved by the EU (or the UK International Data Transfer Agreement/Addendum, for UK transfers), or reliance on an applicable derogation under Article 49 GDPR if appropriate.

11. US State Privacy Law Terms

The following terms apply to the Processor’s handling of Personal Data when and to the extent such data is subject to U.S. State privacy laws (such as the California Consumer Privacy Act (CCPA) as amended by the CPRA, the Virginia Consumer Data Protection Act (VCDPA), and other similar state privacy laws – collectively, “US State Privacy Laws”):

11.1  Service Provider/Processor Status: With respect to any Personal Data subject to US State Privacy Laws that the Processor processes on behalf of the Controller via the Isara Service, the Processor agrees that it is acting as a “service provider” or “processor” (as those terms are defined in applicable law) for the Controller. The Processor will process such Personal Data in compliance with all applicable requirements of the US State Privacy Laws and solely for the limited and specified purposes set forth in this DPA and the TOS, and in accordance with the Controller’s instructions. The Processor certifies that it understands the restrictions of this DPA and will comply with them.

11.2  No Selling or Additional Use: The Processor shall not: (a) retain, use, disclose, or otherwise process Personal Data subject to US State Privacy Laws for any purpose other than the specific purposes of performing the Services for the Controller as described in this DPA or as otherwise permitted by US State Privacy Laws; (b) “sell” or “share” such Personal Data (as those terms are defined in applicable US State Privacy Laws) to or with any third party; or (c) retain, use, disclose, or otherwise process such Personal Data outside of the direct business relationship between the Processor and the Controller. In particular, the Processor will not combine such Personal Data with personal information it receives from other clients or from its own interactions, except as permitted under relevant US State Privacy Laws. The Processor acknowledges that it is prohibited from using Personal Data for cross-context behavioral advertising or profiling in furtherance of decisions about natural persons to the extent such use is restricted by law.

11.3  Notification of Inability to Comply: The Processor shall notify the Controller without undue delay if the Processor determines that it can no longer meet its obligations under this Section (the US State Privacy Law Terms) or under any US State Privacy Laws. Upon such notice, or if the Controller otherwise reasonably believes that the Processor cannot carry out its obligations in accordance with applicable law, the Controller may direct the Processor to cease processing the affected data and take appropriate steps to remediate and address any unauthorized processing. The Parties will work together in good faith to reasonably resolve the issue; if compliance cannot be achieved, the Controller may terminate the portion of Services involving the affected Personal Data, notwithstanding any contrary term in the TOS.

11.4  Deidentified Data: To the extent the Controller provides de-identified data to the Processor, or the Processor derives de-identified data from Personal Data (as “deidentified” is defined in US State Privacy Laws), the Processor shall (a) implement technical and organizational measures to ensure that the de-identified data cannot be associated with or re-identified to any individual or household; (b) commit to maintain and use such data only in a de-identified form and not to attempt to re-identify the data, except as needed to test and improve the Processor’s de-identification techniques in compliance with US State Privacy Laws; and (c) contractually obligate any recipient of de-identified data (including any sub-processor or contractor) to comply with the requirements of this section. The Processor will not disclose de-identified data to any third party unless that party is contractually bound to comply with similar obligations to prevent re-identification.