DATA PROCESSING ADDENDUM (DPA)

STREAMMATE AI, INC.
Last Updated: November 13, 2025

This Data Processing Addendum ("Addendum" or "DPA") forms part of the Terms of Use ("Agreement") between Streammate AI, Inc. ("Company", "Processor", "we", "us", "our") and the customer or end user ("Customer", "Controller", "you") who accesses or uses the Service.

This Addendum governs the Company's Processing of Personal Data on behalf of the Customer in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and any amendments or successors thereto.

1. DEFINITIONS

For the purposes of this Addendum:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is Processed by the Company on behalf of the Customer.
  • "Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
  • "Data Controller" or "Controller" means the entity that determines the purposes and means of Processing Personal Data.
  • "Data Processor" or "Processor" means the entity that Processes Personal Data on behalf of the Controller.
  • "Sub-Processor" means any third party engaged by the Processor to Process Personal Data.
  • "Applicable Law" means any data protection laws applicable to the Processing of Personal Data (including GDPR, UK GDPR, CCPA, CPRA).

2. ROLE OF THE PARTIES

  • The Customer acts as Data Controller.
  • Streammate AI, Inc. acts as Data Processor.
  • The Company processes Personal Data solely on behalf of the Customer and only in accordance with the Customer's documented instructions.

3. CUSTOMER INSTRUCTIONS

The Company will Process Personal Data only as necessary to provide the Services as described in the Agreement and this DPA.

The Company will not:

  • sell, rent, or disclose Personal Data for marketing
  • retain, use, or disclose Personal Data for purposes other than providing the Service
  • combine Personal Data with other datasets except as required for the Services

This Addendum constitutes the Customer's complete instructions for Processing.

4. TYPES OF PERSONAL DATA PROCESSED

The Company may process the following categories of Personal Data:

  • email address
  • username
  • device data (browser, OS, IP address, location approximation)
  • usage and analytics data
  • interactions with the Platform
  • uploaded or generated content used to access features of the Service

The Company does not intentionally process sensitive personal data.

5. SUB-PROCESSORS

The Customer authorizes the Company to engage Sub-Processors necessary to provide the Services.

Current Sub-Processors may include:

  • hosting providers (e.g., AWS / Google Cloud)
  • email delivery providers
  • analytics tools
  • customer support platforms

The Company will:

  • ensure Sub-Processors are bound by obligations no less protective than those in this DPA,
  • remain fully liable for their actions,
  • notify Customer of material changes to the Sub-Processor list (upon request).

6. SECURITY MEASURES

The Company implements appropriate technical and organizational measures, including:

  • encryption in transit (TLS / SSL)
  • encryption at rest where applicable
  • firewalls and access controls
  • monitoring and logging
  • password protection
  • separation of environments
  • periodic security assessments

These measures are designed to protect Personal Data from unauthorized access, disclosure, alteration, and destruction.

7. DATA BREACH NOTIFICATION

If the Company becomes aware of a Personal Data Breach, it will:

  • notify the Customer without undue delay,
  • provide information necessary to fulfill Customer's legal obligations,
  • take steps to mitigate and remedy the incident.

8. DATA SUBJECT RIGHTS

Where legally required, the Company will assist the Customer in responding to:

  • access requests
  • rectification
  • deletion
  • data portability
  • objection to processing

The Company will not respond directly to a data subject unless instructed to do so by the Customer, unless required by law.

9. INTERNATIONAL DATA TRANSFERS

Where Personal Data is transferred outside the EU/UK:

  • The Company will ensure lawful transfer mechanisms (e.g., Standard Contractual Clauses, adequacy decisions).
  • If required, the parties agree that the SCCs (Controller-to-Processor) are incorporated by reference.

10. DATA RETENTION AND DELETION

Upon termination of the Agreement:

  • The Company will delete or return all Personal Data within 30 days unless legally required to retain it.
  • Backups will be deleted on their normal rotation schedule.

11. AUDIT RIGHTS

At Customer's written request, the Company will:

  • provide information necessary to demonstrate compliance with this DPA;
  • allow non-intrusive audits, limited to one time per year, during normal business hours, subject to confidentiality.

12. CONFIDENTIALITY

All Personal Data processed by the Company is treated as confidential.

Personnel with access to Personal Data are bound by confidentiality obligations.

13. LIMITATION OF LIABILITY

Except where prohibited by law:

Company's liability under this DPA is limited to the liability cap defined in the underlying Agreement.

14. TERM

This Addendum remains in effect as long as the Company Processes Personal Data on behalf of the Customer.

15. CONTACT

For questions regarding this DPA, contact:

📩 privacy [at] streammate.ai