Data Processing Addendum
Revised and effective: November 25, 2025
This Data Processing Addendum ("DPA") supplements and forms a part of the Agreement found at https://capacity.com/services-agreement/ ("Agreement") between Subscriber and AI Software, LLC (referred to herein as "Capacity"). This DPA prevails over any directly conflicting term of the Agreement but does not otherwise modify the Agreement. Terms used herein but not defined herein have the meanings set forth in the Agreement.
- Definitions. In this DPA:
- "Controller", "Data Subject", "Personal Data", "Processing", "Processor", and "Supervisory Authority" have the meaning given to them in Data Protection Law;
- "Data Protection Law" means: a) for individuals residing in the European Economic Area and Switzerland: Regulation (EU) 2016/679, Directive 2002/58/EC (as amended by Directive 2009/136/EC); and b) for individuals residing in the United Kingdom: the United Kingdom General Data Protection Regulation. Data Protection Law further includes all other applicable data protection laws of the relevant jurisdictions in which individuals reside, including but not limited to the California Privacy Rights Act ("CPRA"), the Colorado Privacy Act ("CPA") (effective July 1, 2023), the Connecticut Data Privacy Act ("CTDPA") (effective July 1, 2023), the Utah Consumer Privacy Act ("UCPA") (effective December 31, 2023), the Virginia Consumer Data Privacy Act ("VCDPA"); and any legal instrument for International Data Transfers; each as applicable, and as may be amended or replaced from time to time;
- "Data Subject Rights" means all rights granted to Data Subjects by Data Protection Law, including the right to informwation, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making;
- "International Data Transfer" means any transfer of Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom, and includes any onward transfer of Personal Data from the international organization or the country outside of the EEA, Switzerland or the United Kingdom to another international organization or to another country outside of the EEA, Switzerland and the United Kingdom;
- "Personnel" means any natural person acting under the authority of Capacity;
- "Personal Data Breach" means any unauthorized disclosure, destruction, or loss or access of Personal Data Processed on behalf of Subscriber;
- "Sensitive Data" means any type of Personal Data that is designated as a sensitive or special category of Personal Data, or otherwise subject to additional restrictions under Data Protection Law or other laws to which the Controller is subject;
- "Subprocessor" means an affiliate, subsidiary, agent, subcontractor, or other third party engaged by Capacity to assist Capacity in providing the Processing Services; and
- "EU Standard Contractual Clauses" or "EU SCCs" means: for individuals residing in the European Economic Area or Switzerland: the clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council.
- "UK GDPR" means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018.
- "UK Addendum" means the UK Addendum to the EU Standard Contractual Clauses.
- Roles
Subscriber is a Controller and appoints Capacity as a Processor on behalf of Subscriber.
- Scope
- This DPA applies to the Processing of Personal Data by Capacity in the context of the Agreement.
- The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Appendix 1, which is an integral part of this DPA, the Agreement, and any applicable statement of work.
- Instructions
- Subscriber shall only disclose Personal Data to Capacity solely for a valid business purpose as set forth in the Agreement, and solely in connection with the Services.
- Capacity must only Process Personal Data on documented instructions of and on behalf of Subscriber as necessary to carry out the purposes of the Agreement in accordance with Appendix 1 or as otherwise authorized by Subscriber in writing ("Processing Purposes") and is prohibited from Processing Personal Data for any other purpose.
- For the avoidance of doubt, Capacity will not engage in the sale (i.e., "share" under applicable Data Protection Law) of Personal Data, nor will Capacity combine Personal Data of Subscriber with any other Personal Data held by or accessible to Capacity in identifiable form to provide services to any other entity or customer of Capacity.
- Subscriber shall be solely responsible for, and represents and warrants that, any documented instructions it provides hereunder shall comply with Data Protection Law. Moreover, Subscriber shall have sole responsibility for the accuracy, quality, and legality of Subscriber Personal Data and the means by which Subscriber acquired Subscriber Personal Data.
- Where an applicable Data Protection Law requires Capacity to Process Personal Data under terms other than those of this DPA, or other written instructions of Subscriber, Capacity shall notify Subscriber of such legal requirement before Processing in accordance with the legal requirement, unless the applicable law prohibits disclosure. In addition, Capacity shall notify Subscriber if, in Capacity's assessment, any of Subscriber's instructions infringe applicable law, including but not limited to applicable Data Protection Law. In the event that Capacity determines that it can no longer meet its obligations under this DPA, Capacity shall notify Subscriber promptly after making such a determination.
- Subscriber has taken and further undertakes that throughout the Term it shall take all necessary steps (having regard to the nature of the circumstances in which Subscriber Personal Data will be collected) to provide affected data subjects with an accurate, comprehensible, concise, conspicuous and easily accessible description of all processing of Subscriber Personal Data carried out under and in connection with the DPA, which are sufficient to meet the standards and requirements of Article 13/14 of the GDPR.
- Subscriber may issue additional instructions to Capacity as it deems necessary to comply with Data Protection Law. Subscriber shall be responsible for any additional fees, or costs arising from any such additional instructions, which fees or costs shall be mutually agreed upon by the Parties.
- Subprocessing
- The parties agree that Capacity has general authorization to engage Subprocessors subject to the terms of this Section 5. The current Subprocessors of Capacity are set out in Appendix 3.
- Capacity will inform Subscriber if there are any changes concerning the addition or replacement of such Subprocessors by making available an up-to-date list at https://capacity.com/capacity-sub-processors/, to which changes Subscriber has the right to object within fifteen (15) days. The parties shall cooperate in good faith to address any such objection.
- Capacity will take appropriate steps to confirm that all Subprocessors are capable of providing the level of protection for Personal Data as is required by Data Protection Law and this DPA.
- Capacity must enter into a binding written agreement with all Subprocessors which imposes materially the same obligations on the Subprocessors as this DPA imposes on Capacity.
- If any Subprocessor fails to fulfill its obligations under Data Protection Law, this DPA, or the agreements between Capacity and Subprocessor, Capacity will be responsible to Subscriber for the performance of such obligations.
- International Data Transfers
- EU Standard Contractual Clauses. As applicable to the Agreement and to the extent required by Applicable Data Protection Laws, the parties agree that the clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs") will apply to Personal Data that is transferred under the Agreement from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the EU SCCs, the EU SCCs, Module 2 (Controller to Processor), will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
- In Clause 7, the optional docking clause will not apply;
- In Clause 9, Option 2 will apply and the time period for notice of Subprocessor changes will be as set forth in Appendix 3 (Subprocessors) of this Addendum;
- In Clause 11, the optional redress language will not apply;
- In Clause 13(a), all three options may be retained and apply, depending on the circumstances, and as relevant where the transfer falls within the territorial scope of the Regulation (EU) 2016/679;
- In Clause 17, Option 1 will apply and the EU SCCs will be governed by Irish law;
- In Clause 18(b), disputes will be resolved before the courts of Ireland; and
- Appendix 1 (Description of Processing) of this Addendum serves as Annex I of the EU SCCs; Appendix 2 (Technical and Organizational Security Measures Implemented by the Service Provider) of this Addendum serves as Annex II of the EU SCCs and Appendix 3 (List of Subprocessors) serves as Annex III of the EU SCCs.
- UK Addendum. As applicable to the Agreement and in relation to Personal Data that is protected by the UK GDPR, the UK Addendum shall apply. To the extent that the UK Addendum applies, Annexes A, B, and C of this Addendum shall also apply. For data transfers from the United Kingdom that are subject to the UK Addendum, the UK Addendum will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
- For Table One, the details as set out in Appendix 1 of this Addendum shall apply.
- For Table Two, the check-box referring to the following shall apply: "the Approved EU SCCs, including the Appendix Information and with only the modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of the UK Addendum."
- For Table Three, the following shall apply to the referenced columns: Appendix 1 (Description of Processing) of this Addendum shall apply to the columns entitled Annex IA and Annex IB; Appendix 2 (Technical and Organizational Security Measures Implemented by the Service Provider) of this Addendum shall apply to the column entitled Annex II; and Appendix 3 (List of Subprocessors) shall apply to the column entitled Annex III.
- For Table Four, data exporter and data importer shall have the right to terminate this Addendum.
- EU Standard Contractual Clauses. As applicable to the Agreement and to the extent required by Applicable Data Protection Laws, the parties agree that the clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs") will apply to Personal Data that is transferred under the Agreement from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the EU SCCs, the EU SCCs, Module 2 (Controller to Processor), will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
- Personnel
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Capacity must implement appropriate technical and organizational measures to ensure that Personnel do not Process Personal Data except on the instructions of the Controller.
- Capacity must ensure that all Personnel authorized to Process Personal Data are subject to a contractual or statutory obligation of confidentiality.
- Capacity must regularly train Personnel regarding the protection of Personal Data.
- Security and Personal Data Breaches
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Capacity must implement technical and organizational measures to ensure a level of security appropriate to the risks presented by the Processing consistent with applicable Data Protection Law and as further described in Appendix 2 to this DPA ("Security Measures"). Capacity may update or modify the Security Measures set out in Appendix 2 from time to time.
- In assessing the appropriate level of security, Capacity shall take into account the risks that are presented by the Processing under this Agreement, in particular from accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure of, or access to Data Controller's Personal Data transmitted or stored.
- Capacity must inform Subscriber without undue delay after becoming aware of a Personal Data Breach. Capacity shall reasonably cooperate in the investigation and remediation of the Personal Data Breach and take reasonable measures to limit further unauthorized disclosure or Processing of Personal Data in connection with the Personal Data Breach.
- Assistance
- Taking into account the nature of the Processing, Capacity may reasonably assist Subscriber, by implementing appropriate technical and organizational measures, for fulfillment of Subscriber's own obligations under Data Protection Law if and to the extent Subscriber cannot meet such obligations without Capacity's assistance, including:
- Complying with Data Subjects' requests to exercise Data Subject Rights;
- Replying to inquiries or complaints from Data Subjects;
- Replying to investigations and inquiries from Supervisory Authorities;
- Conducting data protection impact assessments or similar activity;
- Conducting prior consultations with Supervisory Authorities; and
- Assisting with Personal Data Breaches as described in Section 8.3.
- Unless prohibited by applicable law, Capacity must inform Subscriber without undue delay if Capacity:
- Receives a request, complaint, claim or other inquiry regarding the Processing of Personal Data from a Data Subject or Supervisory Authority;
- Receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body;
- Receives a request, complaint, claim or other inquiry from Subscriber's employees or other third parties, other than those set forth in this DPA.
- Is subject to a legal obligation that requires Capacity to Process Personal Data in contravention of Subscriber's instructions;
- Is otherwise unable to comply with Data Protection Law or this DPA.
- Unless prohibited by applicable law, Capacity must obtain Subscriber's written authorization before responding to, or complying with any requests, orders, or legal obligations referred to in Section 9.2.
- Taking into account the nature of the Processing, Capacity may reasonably assist Subscriber, by implementing appropriate technical and organizational measures, for fulfillment of Subscriber's own obligations under Data Protection Law if and to the extent Subscriber cannot meet such obligations without Capacity's assistance, including:
- Accountability
- Capacity must maintain records of Processing of Personal Data Processed on behalf of Subscriber, including at a minimum the categories of information required under Data Protection Law.
- If and to the extent required by applicable Data Protection Law, Subscriber may request, upon thirty (30) days written notice to Capacity, an audit, through itself or through an independent third-party auditor. The audit may be carried out once in any calendar year and at Subscriber's sole expense. Audits shall be subject to all applicable confidentiality obligations agreed to by Subscriber and Capacity, and any independent auditor shall be required to enter into a non-disclosure agreement with Capacity, containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Capacity's confidential and proprietary information. Audits shall be conducted in a manner that minimizes any disruption of Capacity's performance of services and other normal operations. For the avoidance of doubt, any information disclosed by Capacity in connection with this DPA will be subject to the confidentiality (including non-use) provisions in the Agreement.
- Liability
- Any liability imposed on or incurred by Capacity under this DPA shall be subject to any exclusions or limitations of liability under the Agreement.
- Subscriber represents and warrants that on the effective date of this DPA and during the term of this DPA:
- Personal Data has been and will be collected and Processed by Subscriber in accordance with the Data Protection Laws;
- The Processing of Personal Data in accordance with this DPA by Capacity will not violate the Data Protection Laws;
- Subscriber shall provide Data Subjects with appropriate opt-outs where applicable under the Data Protection Laws, and shall inform Capacity of any exercise of such rights by a Data Subject; and
- Subscriber will take all steps necessary to ensure it achieves the foregoing, including without limitation, by providing Data Subjects with appropriate privacy notices, obtaining any required consent, and ensuring that there is a lawful basis for Capacity to Process Personal Data.
- Term and duration of the Processing
- Notwithstanding any other provision of the Agreement or this Addendum to the contrary, when Capacity ceases to perform Processing Services for Subscriber upon termination of the Agreement or otherwise (e.g., per the request or explicit instruction of Subscriber), Capacity shall, if requested by Subscriber and within sixty (60) days of the request: (i) return Personal Data to Subscriber; and/or securely purge, delete, and destroy Personal Data, to the extent practicable, excluding Personal Data that is stored in a back-up or archived format in accordance which shall be deleted in accordance with its normal retention schedule so long as such Personal Data is otherwise retained in accordance with this DPA, and unless Capacity is obligated by applicable law to maintain all or part of the Personal Data of Subscriber, in which case all such Personal Data shall be used only for the purposes for which it must be maintained and in accordance with the terms of this Addendum.
- Modification of this DPA This DPA may only be modified by a written amendment signed by both Subscriber and Capacity. To the extent required by Applicable Data Protection Laws, the parties agree to make all commercially reasonable efforts to make necessary amendments to this Addendum, including all Annexes. The parties will agree on the necessary changes in good faith, taking into account the obligation to carry out this contractual relationship in compliance with Applicable Data Protection Laws.
- Invalidity and severability If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
- Certification of Understanding Both parties certify that they understand and will comply with all restrictions imposed upon their Processing of Personal Data under this Addendum.
1. List of Parties
If the EU SCCs apply, the data exporter(s) and importer(s) are identified as follows:
| Data Exporting Organisation | Name/Address/Contact details: As specified in Agreement Activities relating to the transferred Personal Data: As specified in the Agreement Signature and date: By entering into the Agreement, data exporter is deemed to have signed these EU Standard Contractual Clauses and UK Addendum incorporated herein as of the effective date of the Agreement. Role: Controller |
|---|---|
| Data Importing Organisation | Name: AI Software, LLC, d/b/a Capacity Address/Contact details: As specified in Agreement Activities relating to the transferred Personal Data: SaaS Services – Capacity will host and process personal data in the course of providing its texting platform and related services to Subscriber. Signature and date: By entering into the Agreement, data importer is deemed to have signed these EU Standard Contractual Clauses and UK Addendum incorporated herein as of the effective date of the Agreement. Role: Processor |
2. Description of Transfer
1. Categories of Data Subjects whose Personal Data is Transferred:
The Personal Data Processed concern the following categories of Data Subjects (please specify):
| # | Category | Description |
|---|---|---|
| 1 | Mobile Users | Mobile users of Subscriber that Subscriber is providing services to or otherwise communicating with |
| 2 | Business partners | Entities that partner with Subscriber |
2. Categories of Personal Data Transferred
The Personal Data Processed concern the following categories of data (please specify):
| # | Category | Description |
|---|---|---|
| 1 | Name | First name, last name |
| 2 | Contact Information | Phone number, contact lists (synching of contacts) |
| 3 | Communications | Text messages, emails, recordings |
| 4 | Other Identifiers | Call center agent identification number, call center interaction identifiers |
3. Special Categories of Data
The Personal Data Processed concern the following special categories of data (please specify): None.
4. Frequency of the Transfer
Ongoing.
5. Nature of the Processing
As specified in the Agreement.
6. Purpose of the Data Transfer and Further Processing
As specified in the Agreement.
7. Retention Period
As specified in the Agreement.
8. Subject Matter, Nature and Duration of Transfers to Subprocessors
As specified in the Agreement.
3. Competent Supervisory Authority Irish Data Protection Commission
Appendix 2Technical and Organizational Security Measures Implemented by CapacityDescription of the technical and organizational security measures implemented by Capacity:
To the extent that Data Controller provides to Service Provider or Service Provider otherwise accesses Data Controller's Personal Data in connection with this Addendum, Service Provider shall implement an Information Security Program that includes administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of Personal Data, protect against any reasonably anticipated threats or hazards to the confidentiality, integrity and availability of Personal Data, and protect against unauthorized access, use, disclosure, alteration or destruction of Personal Data. In particular, Service Provider's Information Security Program shall include, without limitation, the following safeguards where appropriate or necessary to ensure the protection of Personal Data:
- the pseudonymisation of Personal Data where reasonable and appropriate;
- the encryption of personal data in transit and at rest;
- the measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of Capacity's processing systems and services, and the Personal Data;
- the measures designed to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of Capacity's Information Security Program designed to ensure the security of Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, undisclosed disclosure or access.
Subscriber authorizes Capacity to engage the following Subprocessors: