Data Processing Addendum

1. Purpose and Scope

This DPA describes the parties' obligations regarding the processing of personal data in connection with the my859 Services. It applies to personal data processed by my859 on behalf of Customer where applicable privacy or data protection laws require such terms.

2. Definitions

• "Controller" means the entity determining the purposes and means of processing personal data.
• "Processor" means the entity processing personal data on behalf of a Controller.
• "Personal Data" means information relating to an identified or identifiable individual.
• "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
• "Subprocessor" means a third party engaged by my859 to assist in providing the Services.

Applicable privacy law definitions shall control where required.

3. Roles of the Parties

To the extent applicable under privacy laws:

• Customer acts as the Controller of Customer Personal Data.
• my859 acts as a Processor of Customer Personal Data processed through the Services.

Customer is responsible for obtaining necessary permissions and consents, providing lawful instructions, and ensuring its use of the Services complies with applicable laws.

4. Nature and Purpose of Processing

my859 may process personal data for the purpose of providing the Services, including:

• AI-generated summaries
• Workflow automation
• Communication analysis
• Productivity recommendations
• Scheduling functionality
• Email and calendar integrations
• User authentication
• Customer support
• Security monitoring
• Platform operations

Processing activities are performed solely to provide functionality requested by Customer and authorized users.

5. Categories of Data

Depending on Customer usage and connected integrations, my859 may process:

• Names
• Email addresses
• Account information
• Calendar information
• Email metadata and content
• Communications data
• Task and workflow information
• Usage data
• Device and technical information

The scope of processing depends on the integrations and permissions authorized by Customer.

6. AI Processing and Model Training Restrictions

Customer Personal Data processed through my859 is NOT used to train public or shared AI models. my859 does not contribute identifiable customer data, prompts, emails, files, or communications into generalized AI training datasets. AI processing is performed solely to provide Services directly requested by Customer and authorized users.

7. Customer Instructions

my859 shall process Customer Personal Data only pursuant to Customer instructions, as necessary to provide the Services, and as required by applicable law. Customer instructions are primarily defined through:

• Use of the platform
• Configuration settings
• Integration authorizations
• API usage
• Administrative controls

8. Confidentiality

my859 personnel authorized to process Customer Personal Data are subject to confidentiality obligations and access restrictions appropriate to their responsibilities. Access to Customer data is limited to authorized personnel with legitimate operational purposes such as customer support, technical troubleshooting, security operations, infrastructure maintenance, and legal compliance.

9. Security Measures

my859 implements commercially reasonable technical and organizational safeguards designed to protect Customer Personal Data. Security measures may include:

• Encryption in transit
• Encryption at rest
• Access controls
• Authentication protections
• Infrastructure security controls
• Monitoring and logging
• Environment separation

Additional information is available in the my859 Security Overview.

10. Subprocessors

Customer authorizes my859 to engage subprocessors as reasonably necessary to provide the Services. Subprocessors may include providers supporting:

• Cloud infrastructure
• Authentication
• AI processing
• Analytics
• Payment processing
• Monitoring
• Customer support
• Communications delivery

my859 remains responsible for managing subprocessors in accordance with applicable obligations.

11. International Data Transfers

Customer acknowledges that personal data may be processed in the United States and other jurisdictions where my859 or its subprocessors operate. Where applicable, my859 will take commercially reasonable steps intended to support lawful transfer mechanisms under relevant privacy laws.

12. Data Retention and Deletion

my859 retains Customer Personal Data only as long as reasonably necessary to provide the Services, maintain platform operations, comply with legal obligations, resolve disputes, and maintain backups and disaster recovery systems.

Upon account termination or valid deletion requests, my859 will take commercially reasonable steps to delete or anonymize Customer Personal Data, subject to legal obligations, backup retention schedules, and security and operational requirements.

13. Security Incident Notification

In the event my859 becomes aware of a material security incident affecting Customer Personal Data, my859 will take commercially reasonable steps to investigate the incident, mitigate potential harm, restore system integrity, and notify affected parties when required by applicable law.

14. Assistance and Cooperation

Where reasonably appropriate and considering the nature of the Services, my859 may provide commercially reasonable assistance to Customer regarding privacy-related inquiries, data subject requests, security matters, and compliance obligations.

15. Limitation of Liability

The liability limitations and disclaimers contained within the my859 Terms of Service apply to this DPA unless otherwise required by applicable law.

16. Governing Law

This DPA shall be governed by the laws specified in the my859 Terms of Service unless otherwise required by applicable law.

17. Contact Information

For privacy or data processing questions, contact privacy@my859.ai.