Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") supplements and forms part of the SaaS and Services Agreement between the Client and Shuttle AI ("Agreement") to the extent applicable Privacy Laws apply to Shuttle AI’s processing of Client Personal Data (defined below) in provision of the Services under the Agreement.

1. Obligations of the Parties

1) This DPA applies when Client Personal Data is processed by Shuttle AI on behalf of the Client under applicable Privacy Laws.

2) For the purposes of applicable Privacy Laws, the Client is the Controller of the Client Personal Data and Shuttle AI is a Processor processing Client Personal Data on Client’s behalf.

3) The Client shall at all times provide documented instructions to Shuttle AI for the processing of Client Personal Data, in compliance with applicable Privacy Laws.

4) Details of the processing activities carried out by Shuttle AI are set forth at Schedule 1 to this DPA. Schedule 1 and the terms of this DPA constitute the Client’s documented, written instructions for the purposes of applicable Privacy Laws.

5) Shuttle AI will process Client Personal Data in accordance with the Client’s documented instructions. Any additional instructions outside the scope of this DPA and Schedule 1 (if any) shall be subject to prior written agreement between the parties.

6) Each party will comply with all laws, rules and regulations applicable to it in the performance of this DPA, including applicable Privacy Laws.

7) Client is solely responsible for the accuracy, quality, and legality of (a) the Client Personal Data provided to Shuttle AI by or on behalf of the Client; (b) how the Client acquired any such Client Personal Data (e.g., appropriate notices and/or consent); and (c) the instructions it provides to Shuttle AI regarding the processing of Client Personal Data.

8) The Client shall not provide or submit to the Services any Personal Data in breach of the Agreement, this DPA or applicable Privacy Laws or any Personal Data which would be inappropriate for the nature of the Services.

2. Confidentiality of Client Personal Data

Shuttle AI will not access or use, or disclose to any third party, any Client Personal Data, except:

- As necessary to maintain or provide the Services (such as in order to transmit such Client Personal Data to an approved Sub-processor); or

- As necessary to comply with the law, a Valid Government Request and/or a valid and binding order of a governmental body (such as a subpoena or court order).

If a governmental body sends Shuttle AI a Valid Government Request for access to Client Personal Data, Shuttle AI will use commercially reasonable efforts to attempt to redirect the governmental body to request that data directly from the Client. Shuttle AI may provide the Client’s basic contact information to the governmental body.

3. Use of Sub-processors

1) The Client hereby generally authorises Shuttle AI to engage Sub-processors in accordance with this Article 4.

2) The Client hereby provides its written consent for the appointment of the Sub-processors listed at Schedule 2.

3) The Client acknowledges that Shuttle AI may remove, replace, or appoint new or replacement Sub-processors to support the provision of the Services. Shuttle AI will provide the Client with an opportunity to object to any change in its Sub-processors where required under applicable Privacy Laws. Any objections or enquiries in this regard may be directed to Shuttle AI at [email protected].

4) If the Client reasonably objects to the engagement of a new or replacement Sub-processor, Shuttle AI, at its sole discretion, will use commercially reasonable efforts to make changes to the service or configuration.

5) If the Client does not object to a proposed Sub-processor's appointment within ten (10) days of notice by Shuttle AI, that new Sub-processor shall be deemed accepted.

4. Security

To protect Client Personal Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access, Shuttle AI shall implement and maintain the technical and organisational measures in accordance with Shuttle AI’s security commitment set out at Schedule 3 to this DPA.

5. Assistance and Personal Data Breach

1) Shuttle AI shall (at the Client’s cost) assist the Client in ensuring compliance with Client’s obligations pursuant to Articles 32 to 36 of the GDPR.

2) Shuttle AI shall notify the Client without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Client Personal Data.

6. International Transfers of Personal Data

The Client acknowledges and agrees that Shuttle AI may transfer and process Client Personal Data to and in the United States and anywhere else in the world where Shuttle AI or its Sub-processors maintain data processing operations.

7. Effect of Termination

Upon termination, at the Client’s option, Shuttle AI shall either return all Client Personal Data to the Client or securely dispose of it, except to the extent that any applicable law requires retention.

8. General Provisions

Shuttle AI’s liability arising out of or in connection with this DPA shall not exceed the total, aggregate amount of (i) 200% of the fees paid or payable by the Client to Shuttle AI for the 12-month period preceding the breach, or (ii) one million pounds (1,000,000 GBP), whichever is lower.