Legal

Data Processing Addendum (DPA)

Last Updated: April 14th, 2025

This Data Processing Addendum ("DPA") forms part of the agreement between ScriptEngine, Inc. (dba Squid, Inc.) ("Squid," "Processor") and the customer identified in the applicable Order Form or service agreement ("Customer," "Controller") (collectively, the "Parties" and each a "Party").

This DPA supplements and is incorporated into Squid's Terms of Service and any applicable Order Form. In the event of a conflict between this DPA and other agreements, this DPA shall control with respect to data processing matters.

1. Definitions

1.1 General Terms

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Squid on behalf of Customer in connection with the Services.

"Processing" means any operation performed on Personal Data, including collection, recording, storage, analysis, use, disclosure, or deletion.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Services" means Squid's website analytics platform and related services as described in the applicable Order Form.

"Sub-processor" means any third party engaged by Squid to process Personal Data on behalf of Customer.

1.2 Regulatory Terms

"GDPR" means the General Data Protection Regulation (EU) 2016/679.

"CCPA" means the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, California Civil Code §§ 1798.100 et seq.).

"Business" has the meaning ascribed to it in CCPA and refers to a legal entity that determines the purposes and means of processing Personal Data.

"Service Provider" has the meaning ascribed to it in CCPA and refers to a legal entity that processes Personal Data on behalf of a Business.

"Sell" and "Share" have the meanings ascribed to these terms in CCPA.

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including GDPR, CCPA, and any other applicable international, federal, state, or local privacy laws.

2. Scope and Roles

2.1 Relationship of the Parties

Customer is the Controller (or "Business" under CCPA) of Personal Data processed through the Services. Squid is the Processor (or "Service Provider" under CCPA) and processes Personal Data only on behalf of and in accordance with Customer's documented instructions.

For purposes of CCPA, the parties acknowledge and agree that Squid is a "Service Provider" as defined in CCPA and not a "Third Party," and that Squid receives Personal Data from Customer for a business purpose as defined in CCPA.

2.2 Customer Instructions

Squid will process Personal Data only in accordance with Customer's documented instructions, which include:

Squid will notify Customer if, in Squid's opinion, an instruction violates Applicable Data Protection Law.

2.3 Prohibited Processing

Squid will not:

2.4 CCPA-Specific Commitments

With respect to Personal Data subject to the California Consumer Privacy Act (CCPA), Squid certifies that it:

3. Data Security

3.1 Security Measures

Squid will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures include:

3.2 Security Documentation

Upon reasonable request and subject to confidentiality obligations, Squid will provide Customer with information reasonably necessary to demonstrate compliance with Squid's security obligations under this DPA.

3.3 Updates to Security Measures

Squid may update or modify its security measures from time to time, provided that such updates do not result in a material reduction in the level of security provided.

4. Data Breach Notification

4.1 Notification Obligation

Squid will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Squid on behalf of Customer ("Data Breach").

4.2 Notification Content

Squid's notification will include, to the extent available:

4.3 Investigation and Remediation

Squid will reasonably cooperate with Customer in investigating and remediating any Data Breach, including providing information and assistance as reasonably requested by Customer.

4.4 No Third-Party Notification

Squid will not notify any third party (including Data Subjects, regulators, or other authorities) of a Data Breach without Customer's prior written consent, except as required by Applicable Data Protection Law.

5. Sub-Processors

5.1 Authorization

Customer authorizes Squid to engage Sub-processors to process Personal Data in connection with the Services. A current list of Sub-processors is available at https://asksquid.ai/subprocessors.

5.2 Sub-processor Requirements

Squid will:

5.3 Notice of Changes

Squid will provide Customer with reasonable advance notice (at least thirty (30) days) of the addition or replacement of any Sub-processor by updating the Sub-processor list at https://asksquid.ai/subprocessors and, where Customer has provided an email address, by email notification.

5.4 Objection Rights

Customer may object to a new Sub-processor on reasonable grounds relating to data protection by notifying Squid in writing within ten (10) business days of receiving notice. If Customer objects, the Parties will work together in good faith to find a commercially reasonable resolution. If no resolution can be found, Customer may terminate the affected Services without penalty.

6. Data Subject Rights

6.1 Assistance Obligation

Squid will, to the extent legally permitted and taking into account the nature of the processing, reasonably assist Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights to:

6.2 Direct Requests

If Squid receives a direct request from a Data Subject, Squid will promptly inform Customer and will not respond to such request without Customer's prior written authorization, except as required by law.

For requests received through Squid's online privacy policy or public-facing channels, Squid will notify Customer within three (3) business days of receipt. For CCPA-related opt-out or deletion requests, Squid will forward such requests to Customer within five (5) business days and will comply with Customer's instructions regarding such requests.

6.3 Reasonable Charges

Squid may charge reasonable fees for assistance provided under this Section 6 that requires substantial effort beyond Squid's ordinary obligations under the Agreement.

7. Data Deletion and Return

7.1 Deletion Upon Termination

Upon termination or expiration of the Agreement, or upon Customer's written request, Squid will:

7.2 Exceptions

Squid may retain Personal Data to the extent required by Applicable Data Protection Law, provided that Squid will:

7.3 Retention During Subscription

During an active subscription, Squid will retain Personal Data in accordance with Customer's configuration of the Services and Squid's standard retention policies, which are designed to support the Services and comply with Applicable Data Protection Law.

8. Data Transfers

8.1 Data Storage and Processing

Personal Data may be stored and processed in the United States or any other country where Squid or its Sub-processors maintain facilities.

8.2 International Transfers

For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to countries not recognized as providing adequate data protection:

8.3 UK and Swiss Transfers

Where applicable, this DPA and any Standard Contractual Clauses executed under this DPA shall be deemed amended to comply with UK and Swiss data protection laws, including the UK GDPR and Swiss Federal Act on Data Protection.

9. Audits and Compliance

9.1 Audit Rights

Subject to reasonable advance written notice and appropriate confidentiality obligations, Customer may, no more than once per twelve (12) month period (or more frequently if required by Applicable Data Protection Law):

9.2 Third-Party Audits

If Customer requires a physical audit of Squid's facilities or systems, Customer may appoint a qualified, independent third-party auditor (subject to Squid's approval, not to be unreasonably withheld). Such audits will be conducted at Customer's expense during normal business hours, with minimal disruption to Squid's operations.

9.3 Remediation

If an audit reveals non-compliance with this DPA, Squid will implement reasonable measures to remediate such non-compliance within a reasonable timeframe.

10. Liability and Indemnification

10.1 Limitation of Liability

Each Party's liability under this DPA will be subject to the limitations of liability set forth in the Agreement, except where such limitations are prohibited by Applicable Data Protection Law.

10.2 Indemnification for Data Breaches

Squid does not provide indemnification for third-party privacy claims, regulatory actions, fines, or penalties as part of this standard DPA.

Customers requiring indemnification may negotiate separate terms in a signed Order Form or Statement of Work. Any such separately negotiated indemnification terms will take precedence over this Section.

Each Party's liability under this DPA remains subject to the limitation of liability provisions in the Terms of Service.

11. Term and Termination

11.1 Term

This DPA will remain in effect for the duration of the Agreement or until all Personal Data has been deleted or returned in accordance with Section 7, whichever is later.

11.2 Survival

Sections 7 (Data Deletion and Return), 10 (Liability and Indemnification), and any other provisions that by their nature should survive, will survive termination or expiration of this DPA.

12. General Provisions

12.1 Order of Precedence

In the event of a conflict between this DPA and other terms of the Agreement, this DPA shall control with respect to data processing matters.

12.2 Amendments

Squid may update this DPA from time to time to reflect changes in business practices, Applicable Data Protection Law, or industry standards. Material changes will be communicated to Customer with reasonable advance notice. Customer's continued use of the Services after such notice constitutes acceptance of the updated DPA.

12.3 Governing Law

This DPA shall be governed by the same laws as the Agreement, except where Applicable Data Protection Law requires otherwise.

12.4 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

Contact Information

For questions regarding this DPA or Squid's data processing practices:

Email: [email protected]