Data Processing Agreement

Last amended November 3, 2025

This Data Processing Agreement (“DPA”) is governed by and hereby attached to the Sensi.AI’s Terms and Conditions (“Agreement”) executed by and between Customer, from one side, and Clanz Ltd. D/B/A Sensi.AI (Sensi.AI”), from the other side. This DPA supplements the Agreement, inclusive of all exhibits, addenda, statements of work, work orders and similar documents entered into by the parties pursuant to such Agreement with regard to the Processing of Personal Data (as such terms are defined below) in the United States. Capitalized terms used but not defined in this DPA shall have the meanings assigned to them in the Agreement or under U.S. Data Protection Laws. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail as to the subject matter of conflict. 

1. DEFINITIONS  

  1. The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Personal Data”, “Personal Information”, “Processing” or “Processor”, “Sale”, “Sell” and Share”, “Sensitive Data”, “Service Provider”, shall all have the same meanings as ascribed to them under the U.S. Data Protection Laws. “Personal Data” shall include “Personal Information” under this DPA, and a “Controller” shall include a “Business” and a “Processor” shall include and refer to a “Service Provider” under this DPA. 
  2. Customer Data means the Personal Data related to the provision of the Services and utilization of the Sensi.Ai’s technology (as defined in the Agreement), shared and processed by the parties under the Agreement.
  3. Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. 
  4. U.S. Data Protection Laws” means any U.S. federal and state privacy laws effective as of the Effective Date of this DPA, and any implementing regulations and amendment thereto.

2. ROLES; COMPLIANCE WITH LAWS

  1. With respect to the Processing of Customer Data, the parties agree and acknowledge that Customer is the Business or a Controller, and Sensi.AI is the Service Provider or Processor. Each party shall be individually and separately responsible for complying with the obligations that apply to it, in accordance with the U.S. Data Protection Laws.
  2. The subject matter, duration, nature and purpose of the Processing, types of Personal Data Processed, and categories of Data Subjects are as described in Annex I.

3. SENSI.AI OBLIGATIONS

  1. Sensi.AI shall process the Customer Data only on behalf of and under the instructions of the Customer, for the limited Business Purpose outlined under Annex I, in accordance with US Data Protection Laws and shall not: (i) Sell Customer Data or otherwise making Customer Data available to any third party for monetary or other valuable consideration; (ii) Share Customer Data with any third party for cross-context behavioral advertising; (iii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose or as specified in the Agreement; (iv) combine the Customer Data with other Personal Data that it receives from, or on behalf of, another customer, or collects independently; (v) process any Personal Data that Sensi.AI is aware, or should have known, was created, received or generated unlawfully and shall notify Customer immediately upon becoming aware. Without limiting the foregoing, Sensi.AI will notify Customer if it determines that it can no longer meet its obligations under applicable U.S. Data Protection Laws. Sensi.AI hereby certifies that it understands the restrictions in the applicable U.S. Data Protection Laws and will comply with them. 
  2. To the extent applicable, Sensi.AI shall comply with the requirements set forth under applicable U.S. Data Protection Laws with regards to processing of de-identified data.

4. CONSUMER REQUESTS

  1. Sensi.AI shall provide assistance and procures that its Sub-Processor (as defined below) will provide assistance, as Customer may reasonably request, where and to the extent applicable, in connection with any obligation by Customer to respond to Consumer’s requests for exercising their rights under the U.S. Data Protection Laws, including without limitation, by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s respective obligation.

5. SUB-PROCESSORS

  1. The Customer acknowledges that Sensi.AI may transfer Customer Data to and otherwise interact with third party sub-processor or sub-contractor (“Sub-Processor”). The Customer hereby authorizes Sensi.AI to engage and appoint such Sub-Processors already engaged by Sensi.AI to Process Customer Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf, and to engage an additional or replace an existing Sub-Processors to Process Customer Data, subject to the provision of a fourteen (14) days prior notice of its intention to do so to the Customer (such notice can be provided through the Customer account or through an email correspondence) (“Notice” and “Notice Period” respectively). In case the Customer has not objected to the adding or replacing of a Sub-Processor within Notice Period, such Sub-Processor shall be deemed approved by the Customer. In the event the Customer objects to the adding or replacing of a Sub-Processor, within Notice Period, Sensi.AI may, under Sensi.AI’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement where the Services cannot be reasonably provided under such circumstances, without liability to Customer

6. DATA PROTECTION ASSESSMENTS

  1. Upon Customer’s reasonable request, Sensi.AI will make available such information in Sensi.AI’s possession as reasonably necessary for Customer to conduct and document data protection assessments in accordance with U.S. Data Protection Laws. Customer will have the right to: (i) take reasonable and appropriate steps to ensure that Sensi.AI uses Customer Data in a manner consistent with Sensi.AI’s obligations under this DPA and as required by U.S. Data Protection Laws; and (ii) upon reasonable prior written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of such Customer Data under and as required by applicable U.S. Data Protection Laws. 

7. AUDIT

  1. Sensi.AI shall maintain accurate written records of any and all the Processing activities of any Customer Data carried out under this DPA and shall make such records available to the Customer upon Customer’s thirty (30) days prior written request, however no more than once per twelve (12) months of engagement (“Audit Reports”). A summary of the ISO27001/ISO27701 certification, SOCII report or recent penetration tests, as well as information provided through Customer’s questionnaire shall be defined as a sufficient Audit Report. The Audit Report provided shall be considered Sensi.AI’ Confidential Information and shall be subject to the corresponding confidentiality obligations or require signed a non-disclosure agreement.  
  2. Alternatively, in the event the Audit Report is reasonably determined as not sufficient for the purpose of demonstrating compliance, Sensi.AI shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Customer or by Sensi.AI, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). Sensi.AI may object to an auditor appointed by the Customer in the event Sensi.AI reasonably believes the auditor is not suitably qualified or is a competitor of Sensi.AI. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Sensi.AI’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Sensi.AI shall agree to an Audit solely under the following terms: (i) a thirty (30) day prior written notice was provided; and (ii) restrict its findings only to information relevant to Customer Data or an applicable Security Incident.
  3. Nothing in this DPA will require Sensi.AI to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other Sensi.AI’s customer; (ii) Sensi.AI’s internal accounting or financial information; (iii) any trade secret of Sensi.AI or its affiliates; (iv) any information that, in Sensi.AI’s reasonable opinion, could compromise the security of any Sensi.AI’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the U.S. Data Protection Laws. No access to any part of Sensi.AI’s IT systems or infrastructure (including, without limitation, any hands-on or intrusive testing) will be permitted.

8. CERTIFICATION 

  1. Sensi.AI certifies that it understands the rules, requirements and definitions of the U.S. Data Protection Laws and agrees to refrain from Selling or Sharing Personal Information. Sensi.AI acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for processing the Personal Information for a Business Purpose or as specified in the Agreement.

9. SECURITY OF PROCESSING

  1. Sensi.AI shall implement and maintain reasonable security procedures, practices, and controls, as may be appropriate based on the nature of the information, designed to protect Customer Data from unauthorized access, disclosure or destruction. 
  2. Sensi.AI will notify the Customer without undue delay upon becoming aware of any Security Incident involving the Customer Data as required by the data breach provisions under the U.S. Data Protection Laws. The notification regarding or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by Sensi.AI of any fault or liability with respect to the Security Incident.
  3. Sensi.AI will: (i) take reasonably necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) upon Customer’s request, co-operate with the Customer and provide the Customer with such reasonable assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident, if applicable, obligation to notify the affected Data Subjects. Upon Customer’s request and taking into account the nature of the Processing and the information available to Sensi.AI, Sensi.AI will provide a report or written notice detailing the Security Incident, the affected Personal Data and Data Subjects.

10. TERM AND TERMINATION

  1. This DPA shall be effective as of the effective date and shall remain in force until the Agreement terminates or as long as Sensi.AI Processes Customer Data. 
  2. Sensi.AI shall be entitled to terminate this DPA or cease the Processing of Customer Data in the event that Processing of Customer Data under the Customer’s instructions or this DPA infringe applicable legal requirements, provided Customer did not provide updated instructions to cure such infringement within ten (10) days from receiving applicable notice from Sensi.AI. Alternately, Sensi.AI may, in its sole discretion, suspend the Processing of the Customer Data until such infringement is cured without liability to the Customer and without prejudice to any fees incurred by Customer prior to suspension date
  3. Following the termination of this DPA, Sensi.AI shall, at the choice of the Customer, delete all Customer Data Processed on behalf of the Customer and certify to the Customer that it has done so, or, return all Customer Data to the Customer and delete existing copies, unless applicable law or regulatory requirements requires that Sensi.AI continue to store Customer Data. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA. Customer’s choice shall be provided in writing to Sensi.AI, following effect of termination. Notwithstanding the foregoing, Sensi.AI may retain Customer Data (i) as required by applicable laws; or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Sensi.AI will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Customer Data and not further Process it except as required by applicable law or regulatory requirements.

ANNEX I

AI Agent Dashboard, App Hardware
Type of Consumers (Data Subjects)  Leads Dashboard and App authorized users, Customer’s Personnel End Users, Customer Personnel, Visitors, Senior Guardians (as defined in the Privacy Policy)
Type of Personal Data Leads’ contact information.

Content Customer uploads to or generate through the AI Agent, including calls recording and correspondence.

Any other personal data made available through the Customer Data, as defined in the Agreement.

 Contact details

Access logs, support requests

 Voice Prints

Data Driven Insights

Notices regarding distressed movement or behavior
Nature and Purpose of Processing Providing the Services as defined in the Agreement, including by transmitting, accessing, hosting, disclosing and sharing
Duration of Processing For as long as it is necessary to provide the Service by Sensi.AI; provided there is no legal obligation to retain the Customer Data past termination or unless otherwise requested by the Customer