Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Vera Pax Technologies LLC (“Processor,” “we,” “us,” or “our”) and the entity or individual using Conductor (“Controller,” “you,” or “your”).

This DPA governs the processing of Personal Data in connection with the provision of the Service.

1. Definitions

For the purposes of this DPA:

“Applicable Data Protection Law” means all laws relating to data protection and privacy, including the General Data Protection Regulation (GDPR) and CCPA/CPRA, where applicable.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on Personal Data, including collection, storage, use, and deletion.
“Sub-processor” means any third party engaged by the Processor to process Personal Data.

2. Roles and Scope

2.1 Roles

The Controller determines the purposes and means of processing Personal Data.
The Processor processes Personal Data on behalf of the Controller solely to provide the Service.

2.2 Scope of Processing

Processing includes:

Scheduling and calendar management
Meeting data processing (including recordings, transcripts, and notes)
AI-driven analysis and insights generation
Storage and retrieval of user data

3. Types of Personal Data and Data Subjects

3.1 Categories of Personal Data

May include:

Name, email, phone number
Calendar data and meeting metadata
Audio recordings and transcripts
Notes and documents
Usage and device data

3.2 Categories of Data Subjects

Users of the Service
Meeting participants
Business contacts and invitees

4. Purpose and Duration of Processing

4.1 Purpose

Personal Data is processed solely for:

Providing and operating the Service
Generating transcripts, summaries, and insights
Maintaining and improving functionality

4.2 Duration

Processing continues for as long as:

The Controller uses the Service, or
Until Personal Data is deleted by the Controller

5. Processor Obligations

The Processor shall:

Process Personal Data only on documented instructions from the Controller
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Assist the Controller in fulfilling data subject rights
Notify the Controller of data breaches without undue delay
Delete or return Personal Data upon termination of the Service

6. Controller Obligations

The Controller shall:

Ensure lawful basis for processing Personal Data
Obtain necessary consents, including for recording meetings
Comply with all applicable data protection laws
Provide required notices to data subjects

The Controller is solely responsible for:

The legality of data collected
Accuracy and quality of Personal Data

7. Sub-processors

The Controller authorizes the Processor to engage sub-processors as necessary to provide the Service.

Sub-processors may include:

Cloud infrastructure providers (e.g., AWS)
Payment processors (e.g., Stripe)
AI processing providers
Analytics providers

The Processor shall:

Ensure sub-processors are bound by data protection obligations
Remain responsible for sub-processor compliance

8. International Data Transfers

Personal Data may be transferred to and processed in countries outside the Controller's jurisdiction, including the United States.

Where required, the Processor shall implement appropriate safeguards, including:

Standard Contractual Clauses (SCCs)
Other lawful transfer mechanisms

9. Security Measures

The Processor shall implement appropriate security measures, including:

Encryption in transit and at rest
Access controls and authentication
Monitoring and incident response procedures

10. Data Subject Rights

The Processor shall assist the Controller, where reasonably possible, in responding to:

Access requests
Rectification requests
Erasure requests
Restriction and objection requests
Data portability requests

11. Personal Data Breach

In the event of a Personal Data breach, the Processor shall:

Notify the Controller without undue delay
Provide relevant information regarding the breach
Cooperate in mitigation and remediation efforts

12. Data Deletion and Return

Upon termination of the Service:

The Controller may request deletion of Personal Data
The Processor shall delete or return Personal Data, unless retention is required by law

13. Audit Rights

Upon reasonable request, the Processor shall provide information necessary to demonstrate compliance with this DPA.

Audits shall be:

Subject to reasonable notice
Conducted in a manner that does not disrupt operations
Limited to once per year unless required by law

14. Liability

Each party's liability under this DPA shall be subject to the limitations set forth in the Terms of Service.

15. Governing Law

This DPA shall be governed by the laws specified in the Terms of Service, except where Applicable Data Protection Law requires otherwise.

16. Order of Precedence

In the event of conflict:

This DPA shall prevail over the Terms of Service with respect to data protection matters

17. Contact

For data protection inquiries:

privacy@myconductorapp.com

Annex I — Details of Processing

Controller: User of Conductor

Processor: Vera Pax Technologies LLC

Subject Matter: Provision of scheduling and meeting intelligence services

Nature of Processing:

Collection
Storage
Analysis
Retrieval
Deletion

Categories of Data:

Identity data
Communication data
Meeting and transcript data
Technical and usage data

Duration:

Until deletion by user or termination of Service

Annex II — Security Measures

The Processor implements:

Encryption (data in transit and at rest)
Role-based access controls
Secure cloud infrastructure (AWS)
Monitoring and logging systems
Incident response protocols

This DPA governs the processing of Personal Data in connection with the provision of the Service.

1. Definitions

For the purposes of this DPA:

“Applicable Data Protection Law” means all laws relating to data protection and privacy, including the General Data Protection Regulation (GDPR) and CCPA/CPRA, where applicable.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on Personal Data, including collection, storage, use, and deletion.
“Sub-processor” means any third party engaged by the Processor to process Personal Data.

2. Roles and Scope

2.1 Roles

The Controller determines the purposes and means of processing Personal Data.
The Processor processes Personal Data on behalf of the Controller solely to provide the Service.

2.2 Scope of Processing

Processing includes:

Scheduling and calendar management
Meeting data processing (including recordings, transcripts, and notes)
AI-driven analysis and insights generation
Storage and retrieval of user data

3. Types of Personal Data and Data Subjects

3.1 Categories of Personal Data

May include:

Name, email, phone number
Calendar data and meeting metadata
Audio recordings and transcripts
Notes and documents
Usage and device data

3.2 Categories of Data Subjects

Users of the Service
Meeting participants
Business contacts and invitees

4. Purpose and Duration of Processing

4.1 Purpose

Personal Data is processed solely for:

Providing and operating the Service
Generating transcripts, summaries, and insights
Maintaining and improving functionality

4.2 Duration

Processing continues for as long as:

The Controller uses the Service, or
Until Personal Data is deleted by the Controller

5. Processor Obligations

The Processor shall:

Process Personal Data only on documented instructions from the Controller
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Assist the Controller in fulfilling data subject rights
Notify the Controller of data breaches without undue delay
Delete or return Personal Data upon termination of the Service

6. Controller Obligations

The Controller shall:

Ensure lawful basis for processing Personal Data
Obtain necessary consents, including for recording meetings
Comply with all applicable data protection laws
Provide required notices to data subjects

The Controller is solely responsible for:

The legality of data collected
Accuracy and quality of Personal Data

7. Sub-processors

The Controller authorizes the Processor to engage sub-processors as necessary to provide the Service.

Sub-processors may include:

Cloud infrastructure providers (e.g., AWS)
Payment processors (e.g., Stripe)
AI processing providers
Analytics providers

The Processor shall:

Ensure sub-processors are bound by data protection obligations
Remain responsible for sub-processor compliance

8. International Data Transfers

Personal Data may be transferred to and processed in countries outside the Controller's jurisdiction, including the United States.

Where required, the Processor shall implement appropriate safeguards, including:

Standard Contractual Clauses (SCCs)
Other lawful transfer mechanisms

9. Security Measures

The Processor shall implement appropriate security measures, including:

Encryption in transit and at rest
Access controls and authentication
Monitoring and incident response procedures

10. Data Subject Rights

The Processor shall assist the Controller, where reasonably possible, in responding to:

Access requests
Rectification requests
Erasure requests
Restriction and objection requests
Data portability requests

11. Personal Data Breach

In the event of a Personal Data breach, the Processor shall:

Notify the Controller without undue delay
Provide relevant information regarding the breach
Cooperate in mitigation and remediation efforts

12. Data Deletion and Return

Upon termination of the Service:

The Controller may request deletion of Personal Data
The Processor shall delete or return Personal Data, unless retention is required by law

13. Audit Rights

Upon reasonable request, the Processor shall provide information necessary to demonstrate compliance with this DPA.

Audits shall be:

Subject to reasonable notice
Conducted in a manner that does not disrupt operations
Limited to once per year unless required by law

14. Liability

Each party's liability under this DPA shall be subject to the limitations set forth in the Terms of Service.

15. Governing Law

This DPA shall be governed by the laws specified in the Terms of Service, except where Applicable Data Protection Law requires otherwise.

16. Order of Precedence

In the event of conflict:

This DPA shall prevail over the Terms of Service with respect to data protection matters

17. Contact

For data protection inquiries:

privacy@myconductorapp.com

Annex I — Details of Processing

Controller: User of Conductor

Processor: Vera Pax Technologies LLC

Subject Matter: Provision of scheduling and meeting intelligence services

Nature of Processing:

Collection
Storage
Analysis
Retrieval
Deletion

Categories of Data:

Identity data
Communication data
Meeting and transcript data
Technical and usage data

Duration:

Until deletion by user or termination of Service

Annex II — Security Measures

The Processor implements:

Encryption (data in transit and at rest)
Role-based access controls
Secure cloud infrastructure (AWS)
Monitoring and logging systems
Incident response protocols