Data Processing Addendum

This Data Processing Addendum ("DPA") applies whenever Contello, Inc. ("Contello") processes personal data on behalf of a customer ("Customer") in the course of providing the Services. It forms part of, and is governed by, our Terms of Use. Where this DPA conflicts with the Terms on the subject of data processing, this DPA controls.

1. Roles of the parties

For personal data processed on the Customer's behalf, the Customer is the controller (or equivalent) and Contello acts as the processor. The Customer is responsible for the accuracy and lawfulness of the personal data it provides and for having an appropriate legal basis for the processing.

2. Scope and purpose of processing

Contello processes personal data only as necessary to provide the Services and in accordance with the Customer's documented instructions, including as set out in the Terms, this DPA, and the Customer's use of the Services. Contello will inform the Customer if, in its opinion, an instruction infringes applicable data-protection law.

3. Contello's obligations

In handling personal data on the Customer's behalf, Contello will:

• Process data only as necessary to provide the Services and per the Customer's instructions;
• Maintain appropriate security safeguards — technical and organizational measures designed to protect personal data against unauthorized access, loss, or disclosure;
• Assist with lawful data subject requests, taking into account the nature of the processing and the information available to Contello;
• Use approved subprocessors where necessary, under written terms that impose data-protection obligations consistent with this DPA;
• Ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations.

4. Subprocessors

The Customer authorizes Contello to engage subprocessors (such as hosting, payment, analytics, support, and AI providers) to support delivery of the Services. Contello remains responsible for its subprocessors' compliance with the obligations in this DPA. We will make available information about subprocessors on request.

5. Data subject requests

If Contello receives a request from an individual to exercise their rights (such as access, correction, or deletion) in respect of personal data processed on the Customer's behalf, Contello will, where lawful, direct the request to the Customer and assist the Customer in responding.

6. Security incidents

Contello will notify the Customer without undue delay after becoming aware of a personal-data breach affecting the Customer's data, and will provide information reasonably available to assist the Customer in meeting its own notification obligations.

7. International transfers

Personal data may be processed in Canada, the United States, and other jurisdictions where Contello or its subprocessors operate. Where required, appropriate safeguards are applied to cross-border transfers of personal data.

8. Deletion and return of data

On termination of the Services, Contello will delete or return personal data processed on the Customer's behalf in accordance with its data-retention practices, except where retention is required by law.

9. Governing law

This DPA is governed by the laws of the Province of Saskatchewan, Canada and the applicable federal laws of Canada.

10. Contact

Questions about this DPA or to request our subprocessor list? Reach us at privacy@contello.ai or through our contact page.