Data Processing Addendum
Last updated: September 2, 2025
This Eightfold Data Processing Addendum (“DPA”) forms part of the Master Subscription Agreement or other applicable written or electronic terms of service or subscription agreement (“MSA”) between the Eightfold entity which entered into the Agreement (“Eightfold”) and the customer signatory thereto (“Customer”). Capitalized terms used but not defined in this DPA shall have their meanings set forth in the MSA. The parties agree that this DPA shall replace any existing DPA or other data protection provisions the parties may have previously entered into in connection with the Covered Services. In consideration of the mutual obligations set forth herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the MSA.
1. Definitions
“Agreement” means the MSA and the DPA, together with those connected Sales Orders, including any exhibits, annexes or attachments applicable to the Covered Services.
“CCPA” means Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 – 1798.199), as amended by the California Privacy Rights Act of 2020 (“CPRA”) or otherwise, or superseded from time to time.
“Covered Services” means (i) the Cloud Services provided under the MSA; and/or (ii) any Professional Services.
“Customer Personal Data” means Personal Data that (i) is entered and uploaded to the Cloud Services under Customer’s Eightfold account; and/or that (ii) is electronically provided and/or submitted by the Customer or on Customer’s behalf to Eightfold to perform the Professional Services to implement the Cloud Services.
“Data Protection Laws” means all data protection or privacy laws applicable to the processing of Customer Personal Data.
“Europe” or “European” means the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland.
“GDPR” means either or both the (i) General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) and (ii) EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) as the context may require.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
“Subprocessor” means any Processor engaged by Eightfold or its Affiliates to process Customer Personal Data with respect to the provision of the Covered Services.
The terms “Business Purpose”, “collect”, “Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Processor”, “process”, “processing”, “Sell” and “Service Provider” have the meanings given to them in applicable Data Protection Laws.
2. Scope
2.1 Scope and Role of the Parties. This DPA applies where and only to the extent that Eightfold processes Customer Personal Data on behalf of Customer in the course of providing Covered Services pursuant to the Agreement. As between the parties, Customer acts as Controller of Customer Personal Data and Eightfold acts as Processor of Customer Personal Data. Each party will comply with its obligations related to the processing of Customer Personal Data under applicable Data Protection Laws.
2.2 Documented Instructions. The parties agree that this Agreement constitutes Customer’s documented instructions regarding Eightfold’s Processing of Customer Personal Data (“Documented Instructions”). Eightfold shall inform Customer if, in its reasonable opinion, Customer’s Documented Instructions infringe applicable Data Protection Laws. Eightfold will only access or process Customer Personal Data for the following reasons: (i) based on Customer’s Documented Instructions; (ii) consistent with the Agreement and as required to perform Eightfold’s obligations to provide the Covered Services; or (iii) for legal, safety or security purposes.
2.3 Customer as Controller of Customer Personal Data. Customer agrees that: (i) it has provided (or will provide) notice and that it has obtained (or will obtain) all consents and rights necessary for Eightfold to process Personal Data pursuant to the Agreement, including with respect to the use of cookies and similar tracking technologies deployed via Customer’s websites and mobile applications; (ii) it has and will have sole responsibility for the accuracy, quality, and legality of any and all Customer Personal Data. The Customer will promptly notify Eightfold if it is unable to comply with any of its obligations hereunder.
2.4 Description of Processing. The agreed subject-matter, the nature, purpose and duration of data processing, the types of Personal Data and categories of Data Subjects are set forth in Annex A to this DPA.
3. Subprocessors
3.1 Use of Subprocessors. By entering into this DPA, Customer provides general authorization for Eightfold to engage Subprocessors to process Customer Personal Data. Eightfold maintains an up-to-date list of its authorized Subprocessors on its website at https://eightfold.ai/subprocessors. Eightfold shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws; and must (ii) remain liable to Customer if such Subprocessor fails to fulfill its data protection obligations with regard to the relevant processing activities under the Agreement.
3.2 Subprocessor Updates. Customer may receive notifications of new Subprocessors and updates to existing Subprocessors by subscribing to updates at https://www.eightfold.ai/subprocessors-updates. Eightfold will provide a notice, to those emails subscribed, at least thirty (30) days before allowing any new Subprocessor to process Customer Personal Data. The Customer may, within (fifteen) 15 days of the receipt of the notification, object in writing to Eightfold’s appointment of a new Subprocessor, provided that such objection is based on reasonable grounds relating to the processing of Customer Personal Data by the new Subprocessor. In such an event, the parties will discuss such objection in good faith with a view to achieving resolution. If this is not possible, Eightfold may cease to provide or Customer agree not to use (temporarily or permanently) the particular aspect of a Service that would involve the use of the Subprocessor to Process Customer Personal Data.
4. International Data Transfers
4.1 Deployment Region & Processing Locations. Customer Personal Data will only be deployed in the geographic location(s) that Customer specifies via the Cloud Services (the “Deployment Region”). Customer is solely responsible for any transfer of Customer Personal Data caused by Customer’s subsequent designation of other Deployment Regions. As part of providing the Cloud Services, Eightfold may access Customer Personal Data anywhere in the world where Eightfold, its Affiliates or its Subprocessors maintain data processing operations. Eightfold will at all times provide an adequate level of protection for the Customer Personal Data processed, in accordance with the requirements of applicable Data Protection Laws.
4.2 International Transfers of Customer Personal Data. Where the transfer of Customer Personal Data is from Europe to a territory which has not been recognized by the European Commission as providing an adequate level of protection for Customer Personal Data on the basis of Article 45 GDPR (or in the case of transfers from the United Kingdom, by the United Kingdom Government), Eightfold agrees to process that Customer Personal Data in compliance with the provisions outlined in Annex B, which forms an integral part of this DPA.
5. Security
5.1 Security Measures. Eightfold has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Customer Personal Data (“Security Measures”). Eightfold’s current Security Measures are described in the Eightfold Security Addendum available at https://eightfold.ai/security-terms. Customer acknowledges that the Security Measures are subject to technical progress and development and that Eightfold may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Covered Services purchased by Customer.
5.2 Eightfold Personnel. Eightfold restricts its personnel from processing Customer Personal Data without authorization by Eightfold as described in the Security Measures and shall ensure that any person who is authorized by Eightfold to process Customer Personal Data is bound by contractual or statutory obligations of confidentiality.
5.3 Audits. Where Eightfold has obtained third-party audit reports and certifications for the Cloud Services (together “Audit Reports”), Eightfold will, at Customer’s request and subject to the confidentiality terms outlined in the Agreement, make its most recent Audit Reports available to the Customer. To the extent that Customer reasonably determines that the Audit Reports are not sufficient to demonstrate compliance with this DPA, or where required by applicable Data Protection Laws or a regulatory authority, Customer may elect to conduct audits during the term of the Agreement to assess Eightfold’s compliance with the terms of this DPA. Audits by Customer will be subject to the following terms: (i) Customer and Eightfold will mutually agree upon the scope, timing, duration and evidence requirements; (ii) the audit will be at Customer’s expense; (iii) the audit will be pre-scheduled in writing with Eightfold and will be performed not more than once a year (except as required by applicable law or mutually agreed upon for exigent circumstances); and (iv) the auditor will execute a non-disclosure and non-competition undertaking on terms acceptable to Eightfold. Neither the Customer or its auditors shall have access to any data from Eightfold’s other customers or to Eightfold systems or facilities not involved in the processing of Customer Personal Data.
5.4 Personal Data Breach. In the event that Eightfold becomes aware of a Personal Data Breach, Eightfold will notify Customer without undue delay and shall provide timely information relating to the Personal Data Breach to the Customer. Eightfold shall take appropriate measures to address and mitigate the adverse effects of the Personal Data Breach. Eightfold will reasonably cooperate with Customer as required to fulfil Customer’s obligations under applicable Data Protection Laws.
5.6 Return and Deletion of Customer Personal Data. Except if otherwise required by applicable Data Protection Laws, upon termination or expiration of the Covered Services, Eightfold shall return and/or delete the Customer Personal Data in accordance with the relevant terms described in the Agreement.
6. Requests & Cooperation Obligations
6.1 Data Subject Requests. Customer is responsible for responding to Data Subject Requests. To the extent that Customer is unable to independently access the relevant Customer Personal Data within the Cloud Services, Eightfold shall provide reasonable cooperation to assist Customer to respond to any requests from individuals involving Customer Personal Data in a manner consistent with the functionality of the Cloud Services and Eightfold’s role as processor (“Data Subject Requests”). In the event that any such Data Subject Request is made directly to Eightfold, Eightfold shall, to the extent legally permitted, submit the Data Subject Request to Customer, provided that the Data Subject has given sufficient information for Eightfold to identify the Customer. Customer authorizes Eightfold to respond to any Data Subject Request to confirm that Eightfold has forwarded the request to the Customer.
6.2 Third-Party Requests. If Eightfold receives a subpoena, court order, warrant or other legal demand from law enforcement or public or judicial authorities seeking the disclosure of Customer Personal Data, Eightfold shall, to the extent permitted by applicable laws, promptly notify Customer in writing of such request and reasonably cooperate with Customer to limit, challenge or protect against such disclosure.
6.3 Cooperation Obligations. Upon Customer’s reasonable request, and taking into account the nature of the processing, Eightfold will provide reasonable assistance to Customer in fulfilling Customer’s obligations under applicable Data Protection Law (including data protection impact assessments and consultations with regulatory authorities), provided that Customer cannot reasonably fulfill such obligations independently with help of available documentation provided by Eightfold.
7. CCPA Compliance
7.1 Applicability. This section applies to the extent Customer is a Business that is subject to the CCPA and submits Personal Information (as that term is defined under CCPA) as part of Customer Personal Data in connection with Eightfold’s performance of the Agreement. Customer appoints Eightfold as its Service Provider to collect and process the Customer Personal Data for the purposes outlined in section 2.2.
7.2 Service Provider Commitments. Eightfold will not (i) Sell Customer Personal Data; (ii) retain, use, or disclose the Customer Personal Data for any purpose other than for the Business Purpose, including to retain, use, or disclose the Customer Personal Data for a commercial purpose other than providing its Covered Services under the Agreement; (iii) retain, use, or disclose the Customer Personal Data outside of the direct business relationship between Eightfold and the Customer; (iv) process the Customer Personal Data for targeted and/or cross context behavioural advertising; (v) combine Customer Personal Data that it receives from, or on behalf of, Customer, with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Consumer, if and to the extent such combination would be inconsistent with the limitations on Service Providers under the CCPA or other laws.
8. General Provisions
8.1 Customer Affiliates. If and to the extent Eightfold processes Customer Personal Data on behalf of Customer’s Affiliates, Customer enters into this DPA on behalf of itself and of its Affiliates, and references to Customer under this DPA shall include Customer and its Affiliates. Customer is responsible for coordinating all communication with Eightfold on behalf of its Affiliates with regards to this DPA. Any claims against Eightfold and/or its Affiliates under this DPA shall be brought solely against the entity that is a party to the Agreement. No one other than a party to the Agreement, their successors and permitted assignees shall have any right to enforce any of its terms.
8.2 Termination. The term of this DPA will end at the later of (i) the termination of the MSA; or (ii) when the Customer Personal Data has been deleted or otherwise returned to the Customer.
8.3 Remedies. Customer’s remedies (including those of its Affiliates) with respect to any breach by Eightfold (including any breach caused by Eightfold’s Affiliates and Subprocessors) of the applicable terms of this DPA, and the overall aggregate liability of Eightfold and its Affiliates arising out of, or in connection with the Agreement (including this DPA) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement.
8.4 Conflict. In the event of a conflict or inconsistency between the MSA, this DPA, and the Standard Contractual Clauses attached in Annex B, the terms of the following documents will prevail (in order of precedence): the Standard Contractual Clauses; then this DPA; and then the Agreement.
8.5 Governing Law & Jurisdiction. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions set forth in the Agreement, unless required otherwise by applicable Data Protection Laws.
IN WITNESS WHEREOF, the parties have caused this DPA to be executed by their authorized representative and this DPA shall be effective on the date both parties have signed this DPA.
| Eightfold AI, Inc. | Customer |
| By: | By: |
| Name: | Name: |
| Title: | Title: |
| Date: | Date: |
ANNEX A
DESCRIPTION OF PROCESSING
| Categories of Data Subject: | Customer may enter or upload Personal Data of Data Subjects to the Covered Services, the extent of which is determined and controlled by Customer, and which may include:
|
| Categories of Personal Data: | Customer may enter or upload Personal Data to the Covered Services, the extent of which is determined and controlled by Customer and may include the following categories:
|
| Sensitive data (if applicable): | Eightfold and/or its Subprocessors do not intentionally process Sensitive Personal Data unless entered or uploaded to the Covered Services by Customer, the extent of which is determined and controlled by Customer. For example, Customer may choose to enter or upload to the Covered Services Sensitive Personal Data such as race/ethnicity or disability information. |
| Frequency: | Continuous during the term of the Agreement. |
| Nature: | Eightfold will process Customer Personal Data only in accordance with Customer’s documented instructions and as described in the Agreement:
|
| Purposes: | Performance of the Covered Services. |
| Retention: | In accordance with the terms of the Agreement. |
| Transfers to Subprocessors: | The subject matter and duration of the processing is outlined above within this Annex A. The nature of the specific sub-processing services are further particularised within the Subprocessor List (currently available at https://eightfold.ai/subprocessors). |
ANNEX B
INTERNATIONAL TRANSFERS OF CUSTOMER PERSONAL DATA
1. Definitions
“Data Privacy Framework” means the EU-U.S., Swiss-U.S., and UK-U.S. Extension to the Data Privacy Framework maintained by the United States Department of Commerce determined to provide an adequate level of protection for Personal Data transfers to certified commercial organizations in the United States under (i) the European Commission’s Adequacy Decision 2023/4745 of July 10th 2023 and (ii) other applicable Data Protection Laws.
“Standard Contractual Clauses” means the terms located at https://eightfold.ai/sccs-eu-c2puk/
“UK Addendum” means the terms located at https://eightfold.ai/uk-addendum/
2. Data Privacy Framework. Eightfold AI Inc. participates in and certifies compliance with the Data Privacy Framework. In the event Eightfold is no longer certified under the Data Privacy Framework, or in the event that the Data Privacy Framework is invalidated or otherwise does not apply to the transfer of Customer Personal Data originating from Europe, then the Standard Contractual Clauses shall apply, according to the terms of section 3 below.
3. Standard Contractual Clauses. For transfers of Customer Personal Data from the EEA and/or Switzerland that are subject to section 4.2 of the DPA, the Standard Contractual Clauses will apply and are incorporated into the DPA by reference.
4. UK Addendum. For transfers of Customer Personal Data from the United Kingdom that are subject to section 4.2 of the DPA, the UK Addendum will apply and is incorporated into the DPA by reference.
5. Transfer Impact Assessments. Eightfold has carried out transfer impact assessments as required by Data Protection Laws evaluating Eightfold’s opinion that the Standard Contractual Clauses provide appropriate safeguards taking into account the information available to Eightfold and the nature of the processing. Upon request, Eightfold will provide the Customer with a summary of such transfer impact assessments.