RIGHTRESPONSE AI, INC. — DATA PROCESSING ADDENDUM

Effective Date: August 1, 2025

This Data Processing Addendum (this “DPA”) is incorporated into and forms part of the agreement, online terms, order, or other contract between RightResponse AI, Inc., a Nevada corporation (“RRAI”), and the customer identified therein (“Customer”) that governs Customer’s use of RRAI’s services (the “Main Agreement”).

  1. Scope and roles

    1.1 This DPA applies to RRAI’s Processing of Personal Data on behalf of Customer in providing the Services described in the Main Agreement, including review request and response services, sentiment analysis, ranking analytics, competitor analytics, and any other features, functionality, integrations, APIs, dashboards, and related services provided by RRAI under the applicable agreement (collectively, the “Services”).

    1.2 For GDPR and UK GDPR, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and RRAI is a Processor. For U.S. state privacy laws (including the CCPA), Customer is the Business and RRAI is the Service Provider/Processor. Capitalized terms not defined here have the meaning in the applicable law or the Main Agreement.

  2. Processing instructions

    2.1 RRAI will Process Personal Data only on documented instructions from Customer, including as necessary to provide and improve the Services, prevent or address technical problems, comply with law, and as otherwise permitted by this DPA and the Main Agreement. Customer’s configuration and use of the Services, and the Main Agreement, constitute documented instructions to RRAI for the Processing of Personal Data. RRAI is not obligated to comply with any additional instructions unless agreed in writing and such instructions are consistent with this DPA, the Main Agreement, and applicable law.

    2.2 Customer is responsible for the lawfulness of its instructions and for providing the required notices to, and obtaining any required consents from, Data Subjects.

  3. Confidentiality

    RRAI will ensure that persons authorized to Process Personal Data are subject to appropriate duties of confidentiality.

  4. Security

    4.1 RRAI will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, considering the nature, scope, context, and purposes of Processing and the risks of varying likelihood and severity (the “Security Measures”). A high-level description of the Security Measures is set out in Annex B.

    4.2 Customer is responsible for properly securing its configurations, credentials, endpoints, and data inputs/outputs. The parties will cooperate in good faith to address material security risks related to integrations under Customer’s control.

  5. Personal data breaches

    RRAI will notify Customer without undue delay after confirming a Personal Data Breach affecting Customer Personal Data. Such notice may be provided by email to Customer’s designated contact. RRAI will provide information reasonably available to assist Customer in meeting its incident reporting obligations to the extent required by applicable law. RRAI may provide such information in phases as it becomes available.

  6. Subprocessors

    6.1 Customer authorizes RRAI to engage Subprocessors to Process Personal Data in connection with the Services. RRAI will impose data protection obligations on Subprocessors that are no less protective than this DPA and remains responsible for each Subprocessor’s compliance.

    6.2 RRAI will maintain a publicly available list of current Subprocessors at https://www.rightresponseai.com/legal/subprocessors (the “Subprocessor List”). RRAI will endeavor to provide notice of any new Subprocessor to the account owner and will post updates to the Subprocessor List. RRAI will provide at least 15 days’ advance notice by updating the Subprocessor List; the 15‑day period begins on the date of the update.

    6.3 Objection. If Customer reasonably objects to a new Subprocessor on bona fide data protection grounds within the 15-day notice period, the parties will discuss a commercially reasonable path to resolution. If no resolution is reached, RRAI may, at its discretion, permit Customer to suspend the affected Services or may continue providing the Services using the Subprocessor, unless applicable law requires otherwise.

  7. Assistance

    Taking into account the nature of the Processing and the information available to RRAI, RRAI will provide reasonable assistance to Customer, to the extent required by applicable law, to: (a) respond to requests to exercise Data Subject rights; (b) perform data protection impact assessments and prior consultations with supervisory authorities; and (c) demonstrate compliance with applicable data protection requirements. RRAI may charge reasonable costs for any such assistance.

  8. Return and deletion

    8.1 Upon termination or expiration of the Main Agreement, RRAI may retain Customer Personal Data as required by law, for legitimate business records (including billing, security or fraud prevention, or litigation hold), or as otherwise authorized in the Main Agreement. Customer may request deletion of Customer Personal Data in writing, and RRAI will comply with such request unless retention is required by law, for legitimate business records, or as otherwise authorized in the Main Agreement.

    8.2 Where data remains in routine backups, it will be deleted in accordance with RRAI’s standard backup rotation and deletion schedules, and RRAI is not required to isolate such data.

  9. International transfers

    9.1 To the extent Customer Personal Data is transferred from the EEA/Switzerland/UK to a country that does not provide an adequate level of protection, the parties agree that, where required by applicable law, the EU Standard Contractual Clauses (“SCCs”) and, for the UK, the UK International Data Transfer Addendum, are incorporated by reference as set out in Annex D, with the modules and options selected therein. The SCCs prevail to the extent of any conflict with this DPA.

    9.2 RRAI will provide additional safeguards only to the extent required by applicable law, subject to the limitations and caps in section 12.

  10. Audits and information rights

    10.1 Upon reasonable written request no more than once in any 12‑month period, and subject to confidentiality obligations, RRAI will make available existing documentation strictly to the extent required by applicable law to demonstrate compliance with this DPA (which may include current third-party audit reports such as SOC/ISO or security summaries).

    10.2 To the extent such materials are insufficient to confirm compliance, Customer may conduct an audit of RRAI’s applicable Processing records and facilities only if required by applicable law, on at least thirty (30) days’ prior written notice, during normal business hours, without disrupting operations, with scope, timing, and duration mutually agreed, and at Customer’s expense at RRAI’s then-current rates. RRAI may satisfy any such audit request by providing current independent third-party audit reports in lieu of onsite inspection.

  11. Requests from authorities

    Unless prohibited by law, RRAI will notify Customer without undue delay of any legally binding request from a public authority for disclosure of Customer Personal Data. RRAI may, at its discretion, challenge requests it considers unlawful or overbroad. RRAI will require that any request be properly domesticated and served under applicable U.S. law; where a non-U.S. authority seeks disclosure of Customer Personal Data, it must proceed via an applicable mutual legal assistance treaty or comparable diplomatic process. RRAI will disclose only the minimum Customer Personal Data necessary to comply with a lawful request and will not disclose Customer Personal Data to public authorities in a massive, indiscriminate, or disproportionate manner. To the extent permitted by law, Customer will reimburse RRAI’s reasonable costs incurred in responding to such requests, including costs of outside counsel and verifiable staff time.

  12. Liability; limitations; claim period

    12.1 To the fullest extent permitted by applicable law, all limitations and exclusions of liability in the Main Agreement apply to all liabilities arising out of or in connection with this DPA, the SCCs, the UK Addendum, and any related data-protection obligations. Any monetary liability caps in the Main Agreement are aggregate caps that apply across the Agreement (including all Orders), this DPA, any other data-protection terms between the parties or their Affiliates relating to the Services, and the SCCs/UK Addendum; such caps do not stack, and multiple claims shall not increase the cap. This Section 12 does not limit liability to data subjects under the SCCs or UK Addendum to the extent such liability cannot be limited under applicable law.

    12.2 If the Main Agreement does not specify a monetary cap applicable to this DPA, the total aggregate liability of each party for all claims arising out of or relating to this DPA, the SCCs/UK Addendum, and the Services under the applicable Order(s) will not exceed the fees paid or payable by Customer to RRAI for the Services giving rise to the claim during the twelve (12) months immediately preceding the event giving rise to liability. This is a single aggregate cap for all such claims and does not stack across instruments, Orders, or theories of liability. In no event will either party be liable for indirect, incidental, consequential, special, exemplary, or punitive damages, or lost profits, revenue, or data.

    12.3 Any claim under this DPA must be brought within one (1) year after the date the claiming party knew or should reasonably have known of the facts giving rise to the claim.

  13. CCPA and U.S. state privacy laws

    13.1 For CCPA and comparable state privacy laws, RRAI acts as Customer’s Service Provider/Processor. RRAI will not: (a) Sell or Share Customer Personal Information; (b) retain, use, or disclose it for any purpose other than as permitted under applicable law, including providing the Services, security, fraud prevention, legal compliance, and maintaining business records, including no use for Cross‑Context Behavioral Advertising; or (c) combine it with other data except to support the Services, to comply with law, for security and fraud prevention, or as otherwise permitted by applicable law.

    13.2 RRAI certifies that it understands and will comply with these restrictions. Customer will provide appropriate notices and honor Data Subject/Consumer requests applicable to Customer as a Business/Controller.

  14. Governing law; dispute resolution; language

    14.1 Except as set out in Annex D (SCCs and UK Addendum), this DPA and any dispute or claim arising out of or relating to it are governed by the laws of the State of Florida, without regard to conflicts of law principles. For clarity, disputes arising under the SCCs or the UK Addendum are governed by, and must be brought exclusively in, the fora specified in Annex D.

    14.2 Except for disputes arising under the SCCs or the UK Addendum (which are subject to the governing law and forum specified in Annex D), any dispute arising out of or relating to this DPA will be resolved by binding arbitration under the AAA Commercial Arbitration Rules. The seat and venue of arbitration is Jacksonville, Florida. The language of the arbitration and this DPA is English. The parties may participate in arbitration proceedings remotely by video conference or similar technology, unless otherwise agreed.

  15. Order of precedence and changes

    15.1 In case of conflict between this DPA and the Main Agreement, this DPA controls solely with respect to the Processing of Personal Data. Otherwise, the Main Agreement controls. In case of conflict between this DPA and the SCCs, the SCCs control.

    15.2 Updates. RRAI may update this public DPA at any time to reflect changes in law, industry standards, or operational or administrative needs. Material changes will be noted with a new effective date.

  16. Miscellaneous

    If any provision of this DPA is held invalid, the remainder remains in effect. This DPA may be executed or accepted electronically. This DPA binds the parties and their permitted successors and assigns. Nothing creates any third‑party beneficiary rights except as required by the SCCs.

Annex A — Details of Processing

A1. Subject matter and duration. Processing of Customer Personal Data for the provision of the Services for the term of the Main Agreement, plus any post‑termination period reasonably necessary for return/deletion, backups, dispute resolution, and legal compliance.

A2. Nature and purpose. Processing necessary to provide, maintain, secure, support, personalize, and improve the Services, and to develop new features and functionality, including but not limited to hosting, storage, analysis, transmission, retrieval, formatting, review request and response generation, sentiment analysis, ranking analytics, competitor analytics, integrations, reporting, and customer support.

A3. Categories of Data Subjects. Customer’s end users; Customer’s customers and prospective customers; Customer’s personnel; other individuals whose data is submitted by or on behalf of Customer.

A4. Categories of Personal Data. Names, usernames, contact details, online identifiers, device and usage data, review content and metadata, business profile data, communications records, and other data submitted by or on behalf of Customer. Customer will not submit Special Categories of Personal Data unless permitted by the Main Agreement and applicable law.

A5. Sensitive data; children. The Services are not intended for processing Special Categories of Personal Data or children’s data. RRAI has no obligation to accept or process such data. If Customer elects to submit such data, it does so at its own risk and is solely responsible for ensuring it is strictly necessary and lawful, and must notify RRAI in writing in advance.

A6. Customer responsibilities. Customer will configure the Services appropriately, provide lawful instructions, and ensure that it has a valid legal basis and appropriate notices for all Processing.

Annex B — Security Measures

B1. Organizational. Information security policies; personnel security and confidentiality agreements; role‑based access; least‑privilege and need‑to‑know principles; security awareness and training.

B2. Physical and environmental. Data center provider controls (e.g., access controls, monitoring, redundancy) where applicable; secure office access; visitor management.

B3. Logical and technical. Network security and segmentation; encryption in transit and at rest for Customer Personal Data where supported; key management; vulnerability management; change management; logging and monitoring; measures such as multi-factor authentication for administrative access; secure software development lifecycle practices including code review and dependency management.

B4. Business continuity and incident response. Documented incident response and breach management procedures; backup and recovery processes; redundancy appropriate to the Services.

B5. Vendor management. Risk‑based selection and oversight of Subprocessors and critical suppliers.

Annex C — Subprocessors

Current Subprocessors are listed at: https://www.rightresponseai.com/legal/subprocessors. RRAI may update this list without amendment, subject to section 6 (including 15 days’ advance notice by updating the list and Customer’s objection right).

Annex D — International transfers (SCCs and UK Addendum)

D1. The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference as follows: (i) Module 2 (Controller-to-Processor) applies where Customer is a Controller; (ii) Module 3 (Processor-to-Processor) applies where Customer acts as a Processor on behalf of a third-party Controller. Clause 7 (Docking clause): included. Clause 9(a) Option 2 (general authorization) applies with a fifteen (15) day notice period; Clause 11 is not selected; Clause 17 governing law: Ireland; Clause 18 forum and jurisdiction: the courts of Ireland. To the extent permitted by those courts’ procedural rules, proceedings may be conducted by remote means.

D2. For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (Version B1.0, in force 21 March 2022) is incorporated by reference, with the selections in Tables 1–4 satisfied by the parties’ details and Annexes A–C above. The governing law and courts are those required by the UK Addendum; where a choice is permitted, the laws of England and Wales and the courts of England and Wales apply. To the extent permitted by those courts’ procedural rules, proceedings may be conducted by remote means.

D3. Switzerland. References to “EU” and “Member State” include Switzerland where applicable; supervisory authority references are adapted accordingly.

Definitions

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the CPRA, and its implementing regulations. “Controller,” “Processor,” “Personal Data,” “Processing,” and other terms have the meanings given by applicable law. “Customer Personal Data” means Personal Data Processed by RRAI on behalf of Customer in providing the Services. “SCCs” means the EU Standard Contractual Clauses referenced in Annex D. “Subprocessor” means any Processor engaged by RRAI to Process Customer Personal Data.