Legal

Data Processing Agreement

Effective date: January 1, 2025

This Data Processing Agreement (“Agreement”) is entered into by and between Echo AI Technologies, Inc., a company incorporated under the laws of the State of Delaware, with its principal place of business at 2261 Market Street STE 86852, San Francisco, CA 94114, United States (“Processor”), and the customer agreeing to the Terms of Service of the Processor, either as an individual or as a representative of a business entity (“Controller”).

This Agreement is effective upon acceptance of the Processor’s Terms of Service and governs the processing of personal data in connection with the services provided by the Processor.

1. Subject Matter and Duration

1.1. This Agreement governs the processing of personal data by Processor on behalf of Controller in connection with the provision of services under the main service agreement.

1.2. The duration of this Agreement is the same as the duration of the service agreement between the parties.

2. Nature and Purpose of Processing

2.1. Processor shall process personal data only to the extent necessary to provide the services offered through Traza AI. See Appendix 1 for details.

2.2. Processing activities include collection, storage, access, transmission, and deletion of personal data.

3. Categories of Data Subjects and Data

3.1. Data Subjects may include users of Controller’s services, customers, employees, and other individuals whose personal data is processed.

3.2. Categories of Personal Data include:

  • Names
  • Email addresses
  • Payment information
  • API credentials for third-party providers (e.g., supply chain management systems, ERP systems, databases, cloud services)
  • Content created while using the product
  • Supply chain operational data
  • Workflow and automation configurations

4. Obligations of the Processor

4.1. Processor shall:

  • Process data only on documented instructions from the Controller.
  • Implement appropriate technical and organizational security measures, including MFA, passkeys, and encryption at rest.
  • Ensure confidentiality and integrity of personal data.
  • Assist Controller in responding to data subjects’ rights where applicable.

4.2. Processor shall not engage another subprocessor without informing the Controller.

5. Subprocessors

5.1. The Controller agrees to the use of the following subprocessors:

  • Stripe (payment processing)
  • Email delivery services (transactional emails)
  • OpenAI, Anthropic (AI processing)
  • Cloud infrastructure providers (data storage and hosting)

5.2. Processor shall ensure that each subprocessor is bound by data protection obligations consistent with this Agreement.

6. International Data Transfers

6.1. Processor may transfer personal data to the United States and other jurisdictions where its service providers operate. Where required by applicable law, Processor ensures appropriate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

7. Data Retention and Deletion

7.1. Processor will retain personal data as necessary to provide the Services and comply with legal obligations, or as otherwise specified in the Privacy Policy.

7.2. Upon termination of the service agreement or upon written request, Processor shall delete or return all personal data, subject to legal retention requirements.

8. Data Subject Rights

8.1. Processor will assist Controller in responding to data subject access requests, deletion requests, and other rights requests as required under applicable data protection laws.

8.2. Data subjects may exercise their rights by contacting the Controller or by contacting Processor at contact@traza.ai.

9. Compliance and Security

9.1. Processor complies with applicable data protection laws, including GDPR, CCPA/CPRA, and other relevant regulations.

9.2. Processor shall implement appropriate technical and organizational safeguards, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication measures
  • Regular security assessments and monitoring
  • Incident response procedures

10. Data Breach Notification

10.1. In the event of a personal data breach, Processor shall notify Controller without undue delay after becoming aware of the breach.

10.2. The notification shall include available information about the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to address the breach.

11. Audits and Compliance

11.1. Controller may, upon reasonable notice and during business hours, audit Processor’s compliance with this Agreement, or may engage a qualified third-party auditor to do so.

11.2. Processor shall provide reasonable assistance and information necessary to demonstrate compliance with this Agreement.

12. Limitation of Liability

12.1. Liability for breaches of this DPA shall be governed by the main service agreement unless otherwise required by applicable law.

13. Miscellaneous

13.1. This Agreement shall be governed by the laws of the State of Delaware.

13.2. In the event of a conflict between this DPA and other terms, this DPA shall prevail with respect to the subject matter herein.

13.3. This Agreement may be updated from time to time to reflect changes in legal requirements or business practices. Material changes will be communicated to Controller.

Appendix 1: Description of the Processing

A.1 Data Subjects

The Customer Personal Data processed concerns the following categories of Data Subjects: paid customers of Traza AI and Traza AI users, including Authorized Users within Customer organizations.

A.2 Categories of Customer Personal Data

The Customer Personal Data processed concerns the following categories of data:

  • Contact information (name, email, phone number)
  • Account and authentication information
  • Usage information and interaction data
  • Profile information and preferences
  • User-generated content (AI worker configurations, workflows, prompts, operational data)
  • Supply chain data and business metrics
  • Payment and billing information
  • Technical data (IP addresses, device information, logs)

A.3 Sensitive Data

Traza AI does not knowingly collect or process sensitive personal data as defined under applicable data protection laws (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, or biometric data) unless explicitly required and authorized by the Customer for specific use cases.

A.4 Processing Operations

Traza AI will process Customer Personal Data for purposes of:

  • Providing AI-powered supply chain optimization services pursuant to the Agreement and this DPA
  • Operating and maintaining the platform infrastructure
  • Providing customer support and technical assistance
  • Improving AI models and platform functionality (subject to opt-out provisions in Enterprise plans)
  • Ensuring security, preventing fraud, and maintaining system integrity
  • Complying with legal obligations and enforcing terms of service

Duration of Processing: For the duration of the service agreement and any applicable retention period as specified in the Privacy Policy or as required by law.

Location of Processing: Customer Personal Data is primarily processed in the United States, with potential processing in other jurisdictions where Traza AI’s service providers and subprocessors operate.

A.5 Contact Information

Email: contact@traza.ai

Echo AI Technologies, Inc.
2261 Market Street STE 86852
San Francisco, CA 94114
United States