Data Processing Addendum

1.Roles of the Parties

For Customer Personal Data, Customer is the controller and Mass is the processor, processing only on Customer’s documented instructions (including the Terms and Customer’s use of the Services). For data Mass processes about its own account holders, Mass acts as an independent controller under its Privacy Policy.

2.Details of Processing

• Subject matter — provision of the Services described in the Terms;
• Duration — the term of the agreement, plus any legally required retention;
• Nature and purpose — hosting, storing, generating, transmitting, and otherwise processing data to deliver the Services and AI Output;
• Types of data — contact and CRM records, account and profile data, content you submit, and usage data;
• Data subjects — Customer’s personnel, contacts, leads, and end customers.

3.Mass’s Obligations

• Process Customer Personal Data only on Customer’s documented instructions, unless required by law;
• Ensure personnel authorized to process the data are bound by confidentiality;
• Implement and maintain the security measures described below;
• Assist Customer, taking into account the nature of processing, with data-subject requests and with security, breach notification, and impact assessments;
• Make available information reasonably necessary to demonstrate compliance.

4.Security Measures

Mass maintains technical and organizational measures appropriate to the risk, including encryption of data in transit, access controls and least-privilege administration, network and application security, logging and monitoring, and regular review of its controls. Customer is responsible for configuring its use of the Services securely and for safeguarding its credentials.

5.Subprocessors

Customer authorizes Mass to engage subprocessors to provide the Services. Mass imposes data-protection obligations on each subprocessor that are no less protective than those in this DPA and remains responsible for their performance. Mass will provide notice of new subprocessors and a reasonable opportunity to object on data-protection grounds.

Current categories of subprocessors

• Cloud hosting and storage — infrastructure on which the Services run;
• AI model providers — process inputs to generate Output, under contractual no-training commitments for your content beyond providing the service and abuse monitoring;
• Payment processors — handle billing and transactions; full card data is not stored by Mass;
• Email and messaging providers — deliver transactional and customer-initiated messages;
• Analytics and monitoring providers — measure performance and diagnose errors.

A current list of named subprocessors is available on request at support@mass.new.

6.International Transfers

Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum, as applicable), which are incorporated into this DPA by reference, together with any supplementary measures required.

7.Data-Subject Requests and Breach Notification

Taking into account the nature of processing, Mass will assist Customer in responding to data-subject requests it receives that relate to Customer Personal Data, and will promptly forward any such request it receives directly. Mass will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data and provide information reasonably needed for Customer to meet its notification obligations.

8.Audits

Mass will make available information necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, allow for and contribute to audits, including by providing relevant third-party certifications or reports where available. Audits are limited to once per year unless required by a supervisory authority or following a breach.

9.Return and Deletion

On termination of the Services, Mass will, at Customer’s choice, delete or return Customer Personal Data within a commercially reasonable period, except where retention is required by law. Backups are deleted in the ordinary course of Mass’s retention cycle.

10.Order of Precedence and Contact

In the event of a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA controls. For questions about this DPA or to request the current subprocessor list, contact support@mass.new.