Data Processing Agreement

### Last Modified: Aug 9, 2022

This DPA is between AI Narrator, Inc. ("Provider") and the company or person accessing or using the Service ("Customer"). If the person accepting this Agreement is doing so on behalf of a company, all use of the word “Customer” in the Agreement will mean that company. If you are accessing or using the Service on behalf of your company, you represent that you are authorized to accept this DPA on behalf of your company.

This DPA consists of: (1) the Order Form and (2) the [Common Paper DPA Standard Terms Version 1.0](https://commonpaper.com/standards/data-processing-agreement/1.0/) (“Standard Terms”). Any modifications to the DPA Standard Terms made in the Cover Page will control over conflicts with the DPA Standard Terms. Capitalized words have the meanings or descriptions given in the Cover Page, the DPA Standard Terms, or the Agreement.

<br/>

# Key Terms

The key legal terms of the DPA are as follows:

<u>**Agreement**</u>: This DPA supplements the Provider’s Terms of Use (https://www.narrator.ai/terms/).

<u>**Approved Subprocessors**</u>: List of Subprocessors available at https://www.narrator.ai/subprocessors

<br/>

<u>**Provider Security Contact**</u>:

[email protected]

169 Madison Ave #2010, New York, NY 10016

<br/>

<u>**Security Policy**</u>: Provider will maintain annually updated reports or annual certifications of compliance with SOC 2 Type II and Penetration testing.

<br/><br/>

### Changes to the Agreement

<u>**Service Provider Relationship**</u>: To the extent California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq (“CCPA”) applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement, which constitutes a business purpose. Provider will not sell any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph.

<br/><br/>

### Restricted Transfers

<u>**Governing Member State**</u>:

EEA Transfers: France

UK Transfers: England and Wales

<br/><br/>

### Annex I(A) List of Parties

<u>**Data Exporter**</u>:

Name: Customer

Address: See Agreement or relevant Order Form for details.

Contact Person: See Agreement or relevant Order Form for details.

Activities relevant to transfer: See Annex 1(B)

Role: Controller

<br/>

<u>**Data Importer**</u>:

Name: AI Narrator Inc.

Address: 169 Madison Ave #2010, New York, NY 10016

Contact Person:

Name: Narrator Privacy Team - [email protected]

Address: 169 Madison Ave #2010, New York, NY 10016

Activities relevant to transfer: See Annex 1(B)

Role: Processor

<br/><br/>

### Annex I(B) Description of Transfer and Processing Activities

<u>**Service**</u>: Narrator

<u>**Categories of Data Subjects**</u>:

Customer’s clients, including companies, end-users, or customers

Customer’s employees

<u>**Categories of Personal Data**</u>: Any data the Data Exporter has made available to Data Importer from Data Exporter's data warehouse, including but not limited to:
- Name
- Contact information such as email, phone number, or address
- Employment information such as employee ID or compensation
- Professional or biographic information such as resume or CV
- Transactional information such as account information or purchases
- User activity and analysis such as device information or IP address
- Location information

<u>**Special Category Data**</u>: No

<u>**Frequency of Transfer**</u>: Continuous

<u>**Nature and Purpose of Processing**</u>:

Provider will Process Customer Personal Data as instructed in Section 3.2 of the DPA Standard Terms.

Provider connects securely to Customer’s database, assembles a set of tables (Activity Schema) that lives under a specified schema (a narrator.activity_stream table for example) in Customer’s database, and provides a web application for Users to generate tables, charts, materialized views, and analyses for data analysis purposes. All datasets and analyses in Provider’s analytics tool are just sets of queries on top of those tables (narrator.activity_stream for example) in Customer’s database.

The Services are as follows:
- Customer writes transformations in Provider’s application
- Provider uses transformations to process Customer’s data
- Data is processed by Provider’s infrastructure and returned back to Customer’s database


<u>**Duration of Processing**</u>:

Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Company’s [Terms of Use](https://www.narrator.ai/terms/); (ii) outlined in the Nature and Purpose of Processing; or (iii) by Applicable Laws.

<br/><br/>

### Annex I(C)

<u>**Competent Supervisory Authority**</u>:

Data Importer’s supervisory authority:

For ex-EEA transfers, the supervisory authority will be

Commission Nationale de l'Informatique et des Libertés

3 Place de Fontenoy

TSA 80715

75334 PARIS CEDEX 07

FRANCE

For ex-UK transfers, the supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with the relevant provision of the UK Addendum.

<br/><br/>

### Annex II - Technical and Organizational Security Measures

**Pseudonymization and encryption of personal data:**

All data is encrypted at rest and in transit using industry-standard cryptographic protocols (TLS 1.2+).


**Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services:**

Narrator has an internal governance program that oversees compliance with external standards that include confidentiality, integrity, availability and resilience of processing systems and services. This program, along with the technical implementation, is audited annually by a third-party assessor.

We implement configuration standards in an automated manner whenever possible.

We internally and externally audit technical measures to ensure compliance.

**Ability to restore the availability of and access to Customer Personal Data in a timely manner following a physical or technical incident:**

For the database that powers the Narrator Portal: A disaster recovery test, including a test of backup restoration processes, is performed on an annual basis. Continuity of information security is considered along with operational continuity.

For Customer Personal Data: not relevant, as we do not maintain backups of Customer Personal Data. Narrator has read access to Customer Personal Data only for the purposes of providing the services.

**Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures used to secure Processing:**

External vulnerability scans are run on the production environment at least quarterly. Internal vulnerability scans are run against test environments which mirror production configurations.

Penetration tests of the applications and production network are performed at least annually. Additional scanning and testing is performed following major changes to production systems.

Information about technical vulnerabilities of information systems being used is obtained in a timely fashion, the organization's exposure to such vulnerabilities is evaluated, and appropriate measures are taken to address the associated risk. A variety of methods are used to obtain information about technical vulnerabilities, including vulnerability scanning and penetration tests.

The IT and Engineering departments evaluate the severity of vulnerabilities, and if a vulnerability is determined to be critical or high-risk, a service ticket is created. Tickets are assigned to the system, application, or platform owners for further investigation and/or remediation.


**User identification and authorization process and protection:**

Narrator’s primary method of assigning and maintaining consistent access controls and access rights is the implementation of Role-Based Access Control (RBAC). Wherever feasible, rights and restrictions are allocated to groups. Individual user accounts may be granted additional permissions as needed with approval from the system owner or authorized party.

All privileged access to production systems uses Multi-Factor Authentication (MFA).

Customers have control and governance over user access via fine-grained, per-account permissions.


**Protecting Customer Personal Data during transmission (in transit):**

Data is encrypted in transit.


**Protecting Customer Personal Data during storage (at rest):**

Application data is encrypted at rest by default.


**Physical security where Customer Personal Data is processed:**

We have no physical locations, and thus transfer this requirement to our IaaS providers.


**Events logging:**

Production infrastructure is configured to produce detailed logs appropriate to the function served by the system or device. Event logs recording user activities, exceptions, faults and information security events are produced, kept and reviewed through manual or automated processes as needed. Appropriate alerts are configured for events that represent a significant threat to the confidentiality, availability or integrity of production systems or Confidential data.


**Systems configuration, including default configuration:**

We have implemented a configuration management system that automates standard configuration items. We also have CI/CD processes to ensure consistent configuration.


**Internal IT and IT security governance and management:**

The following security standards shall govern access to Narrator networks and network services:
- Technical access to Narrator networks must be formally documented including the standard role or approver, grantor, and date
- Only authorized Narrator employees and third parties working off a signed contract or statement of work, with a business need, shall be granted access to the Narrator production networks
- Remote connections to production systems and networks must be encrypted


**Certification or assurance of processes and products:**

Narrator undergoes multiple third-party audits resulting in certification. Please see our website for a list of our industry certifications.

**Ensuring data minimization:**

Narrator collects only the personal information which is necessary for the purposes identified at the time of collection (e.g. to provide you with technical support, and to improve your services).

Narrator does not use or disclose personal information for purposes other than those which it has identified and received consent for in line with these Clauses and only retains personal information for as long as is necessary to fulfill such purposes.

**Ensuring data quality:**

Customers directly input their data into our systems. Customers have direct access to their data with the ability to modify that data.


**Ensuring limited data retention:**  

Narrator shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived.

**Ensuring accountability:**

We have a designated Data Protection Officer that reports to the highest level of executive management.

**Allowing data portability and ensuring erasure:**

Customers have direct access to their own data and can export it at will.

Upon expiry or termination, Narrator automatically destroys any caches, records, or processed data within 10 business days.

<br/><br/>

### Changes to Standard Terms

**Other Changes to Standard Terms:**

Changes to the following clauses:

The first sentence in Section 2.6(a) is amended to read “Where required by Applicable Data Protection Laws, Provider will not provide, transfer, or hand over any Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor.”

Section 3.2(c)(i) is amended to read “the optional docking clause in Clause 7 does apply.”

The first sentence in Section 5.3 is amended to read “In addition to the Report, where required by Applicable Data Protection Laws, Provider will respond to reasonable requests for information made by Customer to confirm Provider’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, or by giving additional information about its information security program.”