DATA PROCESSING ADDENDUM (DPA)
Spottable AI, Inc. d/b/a Sherlock AI
Last Updated: Jan 2026
This Data Processing Addendum (“DPA”) forms part of and is incorporated into the agreement, order form, or other written or electronic agreement referencing this DPA (the “Agreement”) between Spottable AI, Inc., a Delaware corporation, doing business as Sherlock AI (“Spottable”), and the customer entering into the Agreement (“Customer”).
This DPA applies to the extent Spottable Processes Personal Data on behalf of Customer in connection with Customer’s use of the Sherlock AI services (the “Services”).
1. Definitions
1.1 “Applicable Privacy Laws” means all data protection, privacy, and security laws applicable to a party in its role with respect to Personal Data, including, as applicable:
the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA/CPRA”);
other U.S. state privacy laws (including those of Colorado, Connecticut, Utah, Virginia, and similar laws);
Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”);
the GDPR as incorporated into United Kingdom law and the UK Data Protection Act 2018 (“UK GDPR”);
Swiss data protection law; and
India’s Digital Personal Data Protection Act, 2023 and related rules.
1.2 “Customer Data” means data submitted to, processed by, or stored in the Services by or on behalf of Customer, including Personal Data.
1.3 “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable individual, as defined under Applicable Privacy Laws.
1.4 “Process” / “Processing” means any operation performed on Personal Data, including collection, storage, use, analysis, disclosure, or deletion.
1.5 “Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data containing Personal Data.
1.6 “Subprocessor” means a third party engaged by Spottable to Process Personal Data in order to provide the Services.
1.7 “SCCs” means the Standard Contractual Clauses approved by the European Commission under Decision (EU) 2021/914.
1.8 “UK Addendum” means the UK addendum to the SCCs issued by the UK Information Commissioner.
2. Roles and Scope
2.1 Roles of the Parties.
Customer determines the purposes and means of Processing Personal Data and acts as the Controller (or Business under CCPA/CPRA).
Spottable Processes Personal Data on behalf of Customer and acts as the Processor (or Service Provider/Processor under U.S. state privacy laws).
2.2 Scope.
This DPA applies only to Personal Data for which Customer is the Controller/Business and Spottable is Processing on Customer’s behalf.
3. Processing Instructions
3.1 Customer Instructions.
Spottable shall Process Personal Data only in accordance with Customer’s documented instructions, including those set forth in the Agreement and this DPA, unless required to do otherwise by applicable law.
3.2 Legal Requirements.
If Spottable is required by law to Process Personal Data outside Customer’s instructions, Spottable will notify Customer unless prohibited by law.
3.3 Unlawful Instructions.
Spottable will promptly inform Customer if it believes an instruction violates Applicable Privacy Laws.
4. Confidentiality
4.1 Personnel Confidentiality.
Spottable shall ensure that personnel authorized to Process Personal Data are subject to confidentiality obligations or appropriate statutory duties of confidentiality.
4.2 Access Controls.
Access to Personal Data will be limited to personnel who require access to provide, secure, or support the Services.
5. Security Measures
5.1 Security Program.
Spottable shall maintain a written information security program with administrative, technical, and physical safeguards appropriate to the nature of the Services and the risks to Personal Data.
5.2 Minimum Controls.
Such safeguards include, at a minimum:
encryption of data in transit using industry-standard protocols;
encryption at rest where supported by the underlying storage systems;
logical access controls and least-privilege principles;
multi-factor authentication for privileged access;
vulnerability management and patching;
logging and monitoring of security-relevant events;
backup and disaster recovery measures appropriate to the Services; and
security awareness training for relevant personnel.
5.3 Updates.
Spottable may update its security measures to reflect technological developments, provided such updates do not materially reduce overall security.
6. Subprocessors
6.1 Authorization.
Customer grants Spottable general authorization to engage Subprocessors to provide the Services.
6.2 Subprocessor List.
Spottable maintains a list of Subprocessors and their processing locations, available upon request or via its website.
6.3 Notice of Changes.
Spottable will provide advance notice (at least 15 days, or 30 days where commercially practicable) of material changes to its Subprocessors.
6.4 Objections.
Customer may object to a new Subprocessor on reasonable data protection grounds. If the parties cannot resolve the objection within 30 days, Customer may discontinue the affected portion of the Services.
6.5 Flow-Down Obligations.
Spottable shall impose written data protection obligations on Subprocessors that are at least as protective as those in this DPA.
6.6 Responsibility.
Spottable remains responsible for the acts and omissions of its Subprocessors.
7. Assistance and Data Subject Requests
7.1 Requests.
If Spottable receives a request from a data subject relating to Customer Personal Data, Spottable will promptly notify Customer and will not respond except as required by law or to direct the requestor to Customer.
7.2 Assistance.
Spottable will provide reasonable assistance to Customer in responding to data subject requests, considering the nature of the Processing and information available to Spottable.
7.3 Assessments.
Spottable will reasonably assist Customer with data protection impact assessments and regulatory consultations limited to the Services.
8. Security Incidents
8.1 Notification.
Spottable will notify Customer without undue delay and, in any event, within 72 hours after confirming a Security Incident affecting Customer Personal Data.
8.2 Information.
Notification will include, to the extent known, the nature of the incident, categories of data affected, approximate scope, mitigation measures taken or planned, and a contact point.
8.3 Cooperation.
Spottable will reasonably cooperate with Customer in investigating and remediating the Security Incident.
8.4 No Admission.
Notification of a Security Incident does not constitute an admission of fault or liability.
9. Retention, Return, and Deletion
9.1 Retention.
Spottable will retain Personal Data only as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements.
9.2 Deletion or Return.
Upon termination of the Agreement, Spottable will, at Customer’s option, delete or return Personal Data within a reasonable period (default: 30 days), unless retention is legally required.
9.3 Backups.
Residual copies may remain in backups for a limited period consistent with standard backup cycles and will be protected until deleted.
10. International Transfers
10.1 Processing Locations.
Customer Data may be processed in the United States and other jurisdictions where Spottable or its Subprocessors operate.
10.2 Transfer Mechanisms.
Where required under Applicable Privacy Laws, transfers are governed by the SCCs and, where applicable, the UK Addendum.
10.3 Supplementary Measures.
Spottable will implement appropriate supplementary safeguards where required by law.
11. Compliance and Audit
11.1 Compliance Information.
Upon reasonable request (no more than once annually unless a Security Incident occurs), Spottable will provide information reasonably necessary to demonstrate compliance, such as SOC 2 reports, summaries of controls, or relevant certifications (subject to confidentiality).
11.2 Audit Right.
If such information is insufficient, Customer may conduct an audit upon at least 30 days’ written notice, during normal business hours, at Customer’s expense, and subject to reasonable scope, confidentiality, and security limitations.
12. U.S. State Privacy Law Terms
To the extent Applicable Privacy Laws include U.S. state privacy laws, Spottable shall:
Process Personal Data solely to provide the Services;
not sell or share Personal Data for cross-context behavioral advertising;
not retain, use, or disclose Personal Data outside the business relationship except as permitted by law;
ensure Subprocessors are bound by obligations consistent with this DPA; and
cooperate with reasonable remediation efforts upon notice of unauthorized Processing.
13. AI and Model Training
13.1 No Training by Default.
Spottable does not use Customer Personal Data to train or fine-tune general-purpose AI models for other customers unless Customer explicitly opts in in writing.
13.2 Permitted Use.
Spottable may Process Personal Data to provide, secure, and improve the Services for Customer, including integrity analysis, fraud detection, debugging, and security.
13.3 Aggregated Data.
Spottable may use de-identified or aggregated data for analytics and service improvement, provided it cannot reasonably identify Customer or individuals.
14. Sensitive and Regulated Data
14.1 Customer Responsibility.
Customer is responsible for determining what data is collected and ensuring lawful notices and consents.
14.2 Restricted Data.
Unless expressly agreed in writing, Customer shall not provide data subject to HIPAA, PCI DSS, or similar regulated regimes.
14.3 Configuration Acknowledgment.
If Customer enables audio, video, or similar features, such data may include sensitive content depending on Customer use. Customer remains responsible for lawful collection and configuration.
15. Legal Requests
Spottable will notify Customer of legally binding requests for Customer Personal Data where permitted by law and will disclose only what is legally required.
16. Order of Precedence
In the event of conflict, the following order applies:
SCCs and UK Addendum (if applicable);
this DPA;
the Agreement.
17. Term
This DPA remains in effect for as long as Spottable Processes Personal Data on behalf of Customer.