Data Processing Addendum

In the course of providing Manychat services, Manychat processes certain personal data related to сustomers, their representatives, end users and customer’s subscribers. While doing so, Manychat acts as a processor on behalf of a сustomer and as a controller. This Data Processing Addendum (“DPA”) sets forth terms and conditions of such processing by Manychat.

The DPA forms an integral part of the Terms of Service (“Agreement”) entered into by and between Manychat, Inc., its subsidiaries or affiliates, as applicable (“Manychat”) and the customer, being the party to the Agreement (“Customer”).

Table of Contents

1. Data Processing Addendum

1.1. Definitions

1.2. Relationships of the Parties

1.3. Sub-processing

1.4. Security Measures

1.5. Security Reviews and Reports

1.6. Data Breach and Notification

1.7. Data Subject Rights and Cooperation

1.8. Return or Deletion of Data

1.9. Miscellaneous

ANNEX 1. Details of Processing

1A. Manychat as a Processor

1B. Manychat as a Controller

ANNEX 2. Security Measures

ANNEX 3. International Provisions and Jurisdiction Specific Terms

1. Definitions

“Applicable Data Protection Laws” means all privacy and data protection laws and regulations applicable to either party under the Agreement. Every party determines on its own its Applicable Data Protection Laws and understands that for Manychat and Customer Applicable Data Protection Laws may be different.

"Controller” means a person or legal entity that determines the purposes and means of the Personal Data Processing.

“Customer” means Party to the Agreement with Manychat. Customer may be a client, marketing agency,  individual, individual entrepreneur or legal entity on behalf of which End Users use the Service.

“Customer Account Data” means Personal Data related to Customer, its representatives and End Users which Manychat processes as a separate Controller as more particularly described in this DPA.

“Customer Content” means Personal Data related to End Users and Customer’s Subscribers which Manychat processes on behalf of Customer as a Processor in the course of providing the Service, as more particularly described in this DPA.

“Customer’s Subscribers” Data Subjects with whom Customer communicates with use of the Service and(or) whose data is uploaded to the Service by Customer (customers, prospective customers, social media and messaging platform contacts or other individuals).

“Data Breach” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data being Processed by Manychat. Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“End Users” means Customer and other Data Subjects with lawful access to the Service on behalf of or under a lawful authorization of Customer.

“Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Applicable Data Protection Laws and means any information relating to Data Subject. Under this DPA, Personal Data covers Customer Content and Customer Account Data. If the term Personal Data is used, then such provisions apply to both Customer Content and Customer Account Data.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means an entity that processes Personal Data on behalf of a Controller.

“Service” means any product or service provided by Manychat to Customer pursuant to the Agreement.

“Sub-processor” means any Processor engaged by Manychat to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

2. Relationships of the Parties

2.1. Manychat as a Processor. The parties acknowledge and agree that with regard to the Processing of Customer Content, Manychat is a Processor acting on behalf of Customer (whether itself a Controller or a Processor). Manychat Processes Customer Content in accordance with Customer’s instructions as set forth in Section 2.4. Manychat shall Process Customer Content only for the purposes described in this DPA and only in accordance with Customer’s instructions.

2.2 Manychat as a Controller. The parties acknowledge that, with regard to the Processing of Customer Account Data, Manychat is an independent controller, not a joint controller with Customer. Manychat will Process Customer Account Data as a Controller in order to carry out the necessary functions, such as entering into the agreement, account management, compliance with law, accounting, tax, billing, audit, sales and marketing communication with Customer. Manychat will Process such data in accordance with its Privacy Policy, which can be found at www.manychat.com/legal/privacy, and with applicable provisions of this DPA.

2.3. Details of Data Processing. Details of Processing Customer Content and Customer Account Data are set in Annex 1. It further specifies the nature and purpose of the Processing, the duration of the Processing, the types of personal data and categories of data subjects, sources of Personal Data, Processors and Sub-processors engaged by Manychat.

2.4. Customer Instructions. Manychat will Process Customer Content only in accordance with Customer’s instructions. By entering into the Agreement, including this DPA, Customer instructs Manychat to Process Customer Content in order to provide the Service.

2.5. Customer as a Processor. If Customer is a processor on behalf of some other Controller, Customer warrants on an ongoing basis that the relevant Controller has authorized (i) the instructions described in DPA and the appointment of Manychat as a sub-processor and (ii) Manychat’s engagement of Sub-processors as described in Section 3. Customer will immediately forward to the relevant Controller any notice provided by Manychat under this DPA to Customer (on the engagement of a new Sub-processor, Data Breach, request of data subjects, etc.).

2.6. Compliance with Law. Each party will comply with its obligations under its Applicable Data Protection Laws with respect to its Processing of Personal Data.

2.7. Customer’s Obligations. Customer agrees that it shall comply with its obligations under Customer’s Applicable Data Protection Laws with respect to its Processing of Personal Data and any processing instructions it issues to Manychat. In particular, Customer must provide notice and obtain all consents (or other legal grounds) and rights necessary under Customer’s Applicable Data Protection Laws for (i) engaging Manychat to Process Customer Content on behalf of Customer and (ii) transfer of Customer Account Data to Manychat pursuant to the Agreement and this DPA.

Customer must inform Manychat about any requirements to Processing Customer Content by Manychat which are set under the Customer’s Applicable Data Protection Laws and are not covered directly by this DPA.

3. Sub-processing

3.1. Authorized Sub-processors. Customer specifically authorizes and agrees that Manychat may engage Sub-processors to Process Customer Content. The Sub-processors currently engaged by Manychat and authorized by Customer are available at www.manychat.com/legal/service-providers. Customer also generally authorizes Manychat to engage new Sub-processors to Process Customer Content subject to procedure set in Section 3.3 of DPA.

3.2. Sub-processor Obligations. With respect to all Sub-processors Manychat shall:

• enter into a legally binding agreement with the Sub-processor, imposing data protection obligations substantially similar to those set out in this DPA; and
• remain responsible for the Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Manychat to breach any of its obligations under this DPA.

3.4. Engagement of New Sub-processors. Manychat will notify Customer about the engagement of any new Sub-processor, if Customer subscribes to receive such updates at www.manychat.com/legal/subscribe-subprocessor-updates. Manychat will send such notice at least ten (10) calendar days before the new Sub-processor accesses Customer Content. If Manychat reasonably believes that engaging a new Sub-processor and providing access to Customer Content on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Customer Content or avoid material disruption to the Service, Manychat will give such notice as soon as reasonably practicable.

3.4. Objection. If, within five (5) calendar days after receipt of notice from Manychat, Customer notifies Manychat that Customer objects to Manychat’s appointment of a new Sub-processor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement and DPA for convenience with no refunds and Customer will remain liable to pay any committed fees in an order form, order, statement of work or other similar ordering documents.

If Customer does not notify Manychat of objections, within the specified period, Manychat is deemed authorized to engage a new Sub-processor by Customer.

4. Security Measures

4.1. Adequate Measures. Manychat will implement and maintain throughout the term of this DPA technical and organizational security measures set forth in Annex 2 (“Security Measures”) to protect Personal Data from Data Breach and to preserve the security and confidentiality of the Personal Data, in accordance with Manychat’s security standards.

4.2. Confidentiality of Processing. Manychat shall ensure that any person who is authorized by Manychat to Process Personal Data (including its staff, agents, subcontractors and Sub-processors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

4.3. Customer Responsibilities. Customer acknowledges and agrees that:

• it has reviewed and assessed the list of Security Measures and deems it appropriate for the protection of Personal Data under Customer’s Applicable Data Protection Laws and provides appropriate safeguards for cross-border transfer of Personal Data, if applicable. Upon a Customer request, Manychat may implement additional measures or safeguards that may be reasonably required to enable the lawful transfer of Personal Data.
• except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials and protecting the security of Personal Data when in transit, securing Customer’s systems and devices that it uses for accessing the Service.

4.4. Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Manychat may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by the Customer. Customer is responsible for reviewing the information made available by Manychat relating to updated data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Customer’s Applicable Data Protection Laws.

5. Security Reviews and Reports

5.1. Security Reports. Manychat uses external auditors to verify the adequacy of its security measures and obtained ISO 27001 certification for the Service. Such audits are performed at least annually by independent third-party security professionals at Manychat’s selection and result in the generation of a confidential audit report (“Audit Report”). Upon written request, and subject to reasonable confidentiality controls, Manychat will make available to Customer a summary copy of Manychat’s most recent Audit Report.

5.2. Security Due Diligence. In addition to the Audit Report, Manychat will respond to reasonable requests for information sent by Customer to confirm Manychat’s compliance with this DPA, including responses to Customer’s information security and due diligence questionnaires. Customer shall not exercise this right more than once per calendar year.

6. Data Breach and Notification

6.1. Notification Timeframe. Upon becoming aware of a confirmed Data Breach, Manychat will notify Customer without undue delay and in no event later than 52 hours after the discovery of such incident unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Manychat’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay.

6.2. Content of Notification. Such notices will describe, to the extent possible, details of the Data Breach, including steps taken to mitigate the potential risks and steps Manychat recommends Customer take to address the Data Breach.

6.3. Cooperation by Manychat. Manychat shall cooperate with Customer and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Data Breach. Manychat’s notification of or response to a Data Breach under this section will not be construed as an acknowledgment by Manychat of any fault or liability with respect to the Data Breach.

6.4. Data Breach Notification to Authorities and Data Subjects. Customer is solely responsible for fulfilling any third-party notification obligations related to any Data Breach under the Customer’s Applicable Data Protection Laws (e.g. notification to data protection authorities or communication to Data Subjects).

7. Data Subject Rights and Cooperation

7.1. Data Subjects Requests. Manychat will upon Customer’s request provide Customer with the assistance that may be reasonably required by Customer to comply with its obligations under Customer’s Applicable Data Protection Laws to respond to Data Subjects’ requests to exercise their rights under Customer’s Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection), in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Service.

7.2. Authorization for Direct Requests to Manychat. If Manychat receives a request from a Data Subject in relation to Customer Content, (i) for unsubscription of the Data Subject from messages sent by Customer through the Service or (ii) for deletion of Customer Content in the Service with respect to the Data Subject in part or entirely, Customer authorizes and instructs Manychat to unsubscribe or delete Content Data related to such Data Subject.

7.3. Assistance by Manychat. Manychat will provide Customer with reasonable assistance specifically requested by Customer to comply with its obligations under Customer’s Applicable Data Protection Laws, taking into account the nature of processing and the information available to Manychat as a Processor (e.g. with respect to the security of Processing, notification of Data Breach, data protection impact assessment, prior consultations with supervisory authorities). If such reasonable assistance requires Manychat to assign significant resources to that effort, it will be provided at a Customer’s expense.

8. Return or Deletion of Data

8.1. Upon receipt of a request by Customer and following the termination of the Agreement, Manychat must delete or return to Customer all Customer Content from Manychat’s systems. Notwithstanding the foregoing, Customer understands that Manychat may have to retain some parts of Customer Content if required by law according to its data retention policies and such data will remain subject to the requirements of this DPA.

9. Miscellaneous

9.1. Processing in the United States. Customer acknowledges that provision of the Service and related Manychat’s activities as a Controller may also require processing of Personal Data by Sub-processors or Processors in countries outside the EEA and, including in the United States.

9.2. Way of Communication. Manychat shall send all notifications mentioned in DPA via email provided by Customer during the sign-up process or post them in the user interface of the Service. All objections and requests by Customer mentioned in DPA or other communication related to Processing of Personal Data must be sent by Customer to the same email from which Customer received a Manychat’s notification or to privacy@manychat.com.

9.3. Claims. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the Agreement.

9.4. No Third-party Beneficiary Rights. This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.

9.5. Governing Law. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Customer’s Applicable Data Protection Laws or set in Jurisdiction Specific Terms under Annex 3.

9.6. Termination. This Addendum will automatically terminate upon expiration or termination of the Agreement. Termination of DPA is only possible subject to termination of the Agreement.

9.7. Liability. Customer further agrees that any regulatory penalties incurred by Manychat in relation to the Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any Customer’s Applicable Data Protection Laws shall count toward and reduce Manychat’s liability under the Agreement as if it were a liability to the Customer under the Agreement. Manychat is liable for any regulatory penalties incurred by Customer or Manychat in relation to the Personal Data that arise as a result of, or in connection with, Manychat’s failure to comply with its obligations under this DPA or Manychat’s Applicable Data Protection Laws.

Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any fines issued or levied against the other party by a regulatory authority or governmental body in connection with such other party’s violation of its Applicable Data Protection Laws.

9.8. Relationship with the Agreement. This DPA forms an integral part of the Agreement and except as expressly set forth in this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will govern. The parties agree that this DPA shall replace any existing DPA the parties may have previously entered into in connection with the Service.

ANNEX 1. Details of Processing

1A. Manychat as a Processor

Purpose and nature of Processing	Provision of the Service under the Agreement, including provision of support to the Customer, communicating regarding Customer Account (sending announcements, technical notices, updates, security alerts, and support and administrative messages) and responding to Service-related requests, questions and feedback, logging of activities, errors and incidents tracking, bugs and errors fixing, ensuring the accessibility, security and usability of the Service and its improvement in the interest of Customer.
Period for which the personal data will be retained	Until the termination or expiration of the Agreement in accordance with its terms.
Categories of data subjects	- End Users - Customer’s Subscribers
Categories of personal data	End Users: identification information (name, email), publicly available social media profile information, linked pages and accounts, IT information (IP addresses, geographic location, usage data, cookies data, browser data), financial information (credit card details, account details, payment information). Customer’s Subscribers: - identification information, publicly available social media profile information (photo, name, date of birth, gender, geographic location), -chat history and content, chatbot usage information and other electronic data submitted, stored, sent, or received by End Users and other personal information, the extent of which is determined and controlled by the Customer in its sole discretion, - IT information (IP addresses, geographic location, usage data, cookies data, browser data).
Sensitive data	No. Other types of Personal Data are also not used to indirectly reveal information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation.
The frequency of the transfer	On a continuous basis until it is deleted in accordance with the Agreement and DPA terms.
Data source	Customers (or End Users) sign-up process and use of the Service by Customer (End User), including communication with subscribers and third-party integrations and apps linked by Customer (e.g. Facebook, Inc., Instagram, Telegram, Zapier and other integrations and apps specified at www.apps.manychat.com/ which are linked by Customer to its account in the Service).
Onward transfer	See the list of Sub-processors at www.manychat.com/legal/service-providers. The duration of sub-processing is limited to the retention period of Processing by Manychat specified in this table.

1B. Manychat as a Controller

Purpose and nature of Processing	Entering into the Agreement, account management, compliance with laws, including sanction laws, accounting, tax, billing, audit, sales and marketing communication with Customer.
Period for which the personal data will be retained	Until the termination of the Agreement, unsubscription from marketing communications and expiration of retention period required by law.
Categories of data subjects	- Customer and its representatives - End Users
Categories of personal data	Customer and its representatives: full name, title, company, email. End Users: identification information (id, name, email, status), linked pages and accounts, products in use, IT information (IP addresses, geographic location), financial information (credit card details, account details, payment information).
Sensitive data	Other types of Personal Data are also not used to indirectly reveal information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation.
The frequency of the transfer	On a continuous basis until it is deleted in accordance with the Agreement and DPA terms.
Data source	Customers sign up process and use of the Service by Customer.
Onward transfer	See the list of Service Providers at www.manychat.com/legal/service-providers. We may also disclose Personal Information to public authorities, such as law enforcement, if we are legally required to do so.

ANNEX 2. Security Measures

Manychat implements and maintains technical and organizational security measures designed to protect Personal Data from Data Breaches. We currently observe the Security Measures described in this Annex 2. If applicable, this Annex 2 serves as Annex II to the EU Standard Contractual Clauses.

1. Security Program and Policies

1.1. Manychat maintains and enforces a risk-based security program and framework that addresses how we manage security.  Manychat’s security framework is based on the ISO 27001 Information Security Management System and includes the following areas: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Disaster Recovery Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response.

1.2. Our security program includes:

• documented policies that we approve, publish and communicate to appropriate personnel internally and review at least annually,
• documented, clear assignment of responsibility and authority for security program activities,
• regular testing of the key controls, systems and procedures.

2. Risk and Asset Management

2.1. Manychat utilizes an integrated risk management approach with a focus on both technical and operational security practices. Ongoing and systematic risk assessment is a consistent part of selecting appropriate improvement protection controls and ensuring that Personal Data is safe.

2.2. Manychat takes reasonable actions to identify assets and their level of criticality. The full inventory and categorization are the basis to select and implement optimal technical and organizational security measures to make sure that the assets and information are protected.

3. Personnel security and awareness

3.1. Manychat’s personnel (employees and contractors) do not process Personal Data without authorization. Personnel is obligated to maintain the confidentiality of any Personal Data and this obligation continues even after their engagement ends.

3.2. Manychat’s personnel (employees and contractors) acknowledge their data security and privacy responsibilities under Manychat’s policies.

3.3. Manychat is focused on employee security awareness as a key driver to improve overall security maturity level and culture. Manychat’s personnel (employees and contractors) conduct security and privacy training at least annually.

3.4. Pre-employment verification checks are carried out on all new employees and contractors.

4. Access Management

4.1. Manychat manages access based on “Need to know” and “Least privilege” principles. That means that personnel is only permitted to have access to Personal Data when needed for the performance of their functions.

4.2. Manychat deactivates the authentication credentials of personnel immediately upon the termination of their employment or services.

4.3. In order to access the production environment and critical systems, a user must have a unique username and password and multi-factor authentication enabled.

4.4. Manychat implements measures to prevent information systems from being used by unauthorized persons, including the following measures (a) user identification and authentication procedures; (b) unique username/password (c) password complexity policies (special characters, minimum length, change of password) (c) automatic blocking (e.g., password or timeout).

4.5. Manychat performs access monitoring and logging for the production environment and critical systems.

5. Technical and Application Security Measures

5.1. Manychat has implemented and will maintain appropriate technical and application security measures, internal controls, and information security routines intended to protect Personal Data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:

• Segregation of environments. Manychat segregates development and production environments to make sure that Personal Data is protected from any kind of unauthorized access.
• Encryption in transit. All external network communications are protected with encryption. We support the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES256 encryption, and SHA2 hash functions, whenever supported by the clients.
• Encryption at rest. Customer data at rest is encrypted using FIPS 140-2 compliant encryption standards, which applies to all types of data at rest within Manychat’s systems—relational databases, file drives, backups, etc. Access to cryptographic keys is restricted to a limited number of authorized Manychat personnel.
• Redundancy. Manychat selects IT Infrastructure suppliers that are committed to provide mechanisms with built-in security best practices for confidentiality, integrity, and availability. Manychat’s main IaaS provider AWS (Frankfurt, EU) is committed to meet the strict Disaster Recovery (DR) Service Level Agreement.
• Vulnerability assessment. Manychat performs automated and manual application and infrastructure security testing to identify and patch potential security vulnerabilities. Critical software patches are evaluated, tested, and applied proactively.
• Penetration Testing. We engage independent service providers to perform penetration tests to assess the potential system security threats at least on an annual basis.
• Software Development and Acquisition. Manychat follows security-by-design principles across different phases of the Service creation lifecycle from requirements gathering and product design all the way through product deployment. For the software developed by Manychat, Manychat follows secure coding standards and procedures set out in its standard operating procedures.
• Storage. Manychat’s production databases and data processing servers are hosted in a data center located in AWS (Frankfurt, EU). Manychat maintains complete administrative control over the databases and virtual servers, and no third-party vendors have logical access to Personal Data.
• Change Management. Manychat implements documented change management procedures that provide a consistent approach for controlling, implementing, and documenting changes (including emergency changes) for Manychat’s software, information systems or network architecture.
• Network security. All network access between servers is restricted, using access control lists to allow only authorized services to interact in the network. We utilize third-party tools to detect, mitigate, and prevent Distributed Denial of Service (DDoS) attacks.

6. Third-Party Provider Management

6.1. Manychat may use third-party providers to provide the Services. In selecting third-party providers who may gain access to, store, transmit or use Personal Data, Manychat conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.

6.2. Manychat enters into written agreements with all of its providers which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Personal Data that these providers may Process.

7. Physical and Environmental Security

7.1. Manychat uses AWS data centers to host its production infrastructure. AWS data centers are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week.

7.2. Manychat offices have a physical security program that manages visitors, building entrances, video surveillance, and overall office security. All employees, contractors, and visitors are required to wear identification badges.

7.3. Manychat reviews third-party audit reports to verify that Manychat’s service providers maintain appropriate physical access controls for the managed data centers.

8. Resilience and Service Continuity

8.1. Manychat implements measures to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, including:

• Ongoing Personal Data backup procedures. Backups are retained redundantly across multiple availability zones and encrypted in transit and at rest.
• Manychat uses specialized tools to monitor the Service performance. The alert is triggered in the event of any suboptimal server performance or overloaded capacity.
• Disaster recovery plans are in place to recover in case of Personal Data availability issues.

9. Security Certifications and Attestations.

9.1. Manychat holds the following security-related certifications and attestations:

• ISO 27001 Certification. The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers, and data centers are securely managed. This certification is valid for 3 years (renewal audits) and is subject to annual touchpoint audits (surveillance audits).

9.2. SOC 2 Type 2 report. The SOC 2 Type 2 report, part of the Service Organization Control (SOC) framework from the American Institute of Certified Public Accountants (AICPA), evaluates the effectiveness of a service organization's controls over time, focusing on security, availability, and confidentiality. SOC 2 Type 2 report examines operational effectiveness over a period. It provides assurance on the consistent application of controls, crucial for client and stakeholder trust. This report requires annual renewal to maintain ongoing compliance.

10. Information Security Incident Management

10.1. Manychat implements security incident management policies and procedures that address how we manage Data Breach and other security incidents.

10.2. In case of Data Breach Manychat will promptly investigate the incident upon discovery. To the extent permitted by applicable law, Manychat will notify Customer of a  Data Breach. Data Breach incident notifications will be provided to Customers via email or in the other way agreed with Customer.

ANNEX 3. International Provisions and Jurisdiction Specific Terms

1. California

If the Customer’s Applicable Data Protection Laws include the California Consumer Privacy Act (“CCPA”) the following provisions apply. The terms “business”, “commercial purpose”, “service provider”, “sell” and “personal information” have the meanings given in the CCPA. With respect to Customer Content, Manychat is a service provider under the CCPA.

Manychat will not (i) sell Customer Data; (ii) retain, use or disclose any Customer Data for any purpose other than for the specific purpose of providing the Service, including retaining, using or disclosing the Customer Content for a commercial purpose other than providing the Service; or (iii) retain, use or disclose the Customer Content outside of the direct business relationship between Manychat and Customer.

The parties acknowledge and agree that the Processing of Customer Content authorized by Customer’s instructions described in Section 2.4 of DPA is integral to and encompassed by Manychat’s provision of the Service and the direct business relationship between the parties.

Notwithstanding anything in the Agreement, the parties acknowledge and agree that Manychat’s access to Customer Content does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

Notwithstanding any use restriction contained elsewhere in this section, Manychat may de-identify or aggregate Customer Content as part of performing the Service specified in this DPA and the Agreement.

Where Sub-processors Process Personal Data, Manychat takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom Manychat has entered into a written contract that includes terms substantially similar to this “California” section or are otherwise exempt from the CCPA’s definition of “sale”. Manychat conducts appropriate due diligence on its Sub-processors.

With respect to Customer Account Data Manychat is the business with respect to such data and will Process such data in accordance with its Privacy Policy, which can be found at www.manychat.com/legal/privacy.

2. European Economic Area, Switzerland and the United Kingdom.

If the Customer’s Applicable Data Protection Laws include the General Data Protection Regulation (EU 2016/679) (“GDPR”), the Swiss Federal Act on Data Protection (“FADP”), or corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018) (“UK GDPR”) the following provisions apply.

Transfer of Personal Data to Manychat under the Agreement is regulated by the Standard Contractual Clauses attached as follows:

1. for transfers of Personal Data subject to GDPR the parties apply Standard Contractual Clauses approved under the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 published at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=en (“EU SCCs”):

   • for Customer Content: Module Two (Controller to Processor) or Module Three (Processor to Processor) depending on the status of Customer with respect to Customer Content.
   • for Customer Account Data (e.g. if Customer transfers to Manychat data of its End Users or representatives): Module One (Controller to Controller).

   For each Module of EU SCCs, the following  provisions apply, where applicable:

   • in Clause 7 of EU SCCs, the optional docking clause will not apply;

   • in Clause 9 of EU SCCs, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in Section 3.3 of DPA (Engagement of New Sub-processors);

   • in Clause 11 of EU SCCs, the optional part on lodge of a complaint with an independent dispute resolution body will not apply;

   • in Clause 17 (Option 1) of EU SCCs will be governed by the law of Germany;

   • in Clause 18(b) of EU SCCs, disputes will be resolved before the courts of Germany;

   • for Annex I, Part A of EU SCCs, the List of Parties is the following:

     • Activities relevant to the data transferred under EU SCCs: The data importer provides the Service to the data exporter in accordance with the Agreement (Terms of Service and Data Processing Addendum);
     • Signature and date: The Parties agree that acceptance of the Terms of Service by Customer as specified in the Terms of Service, shall constitute execution of EU SCCs by both parties;
     • Data exporter(s) name, address: The Customer, as defined under the DPA, the Customer's address;
     • Contact person’s name, position and contact details: Contact details for the data exporter are specified in the Terms of Service and, if not, are available to the data importer in the admin console of the Service (where such details have been provided by the data exporter);
     • Role: for Module One (transfer of Customer Account Data): controller; for Module Two (transfer of Customer Content): controller; for Module Three (transfer of Customer Content): processor;
     • Data importer(s) name, address: MANYCHAT, INC., 450 Lexington Ave, 4th Floor, New York, NY 10017;
     • Contact person’s name, position and contact details: Rickert Rechtsanwaltsgesellschaft mbH (Representative in the EU) email: art-27-rep-manychat@rickert.law;
     • Role: for Module One (transfer of Customer Account Data): controller; for Module Two and Module Three (transfer of Customer Content): processor;
     • for Annex I, Part B of EU SCCs, the Description of transfer is specified in Annex 1A to DPA for Customer Content and in Annex 1B to DPA for Customer Account Data transfer.
     • for Annex I, Part C of EU SCCs, the Customer's competent supervisory will be determined in accordance with the GDPR and Clause 13 of EU SCCs.

   • for Annex II of EU SCCs, the list of technical and organizational measures, including measures to ensure the security of the data are specified in Annex 2 to DPA.

   • for Annex III of EU SCCs, the list of sub-processors (for transfer of Customer Content under Module Two and Module Three) which the controller has authorized is specified at www.manychat.com/legal/service-providers.

2. for transfers of Personal Data subject to FADP the parties apply EU SCCs as specified above with respect to Customer Content and Customer Account Data with the following modifications:

   • references to "Regulation (EU) 2016/679" will be interpreted as references to the FADP;
   • references to "EU law", "Union law" and "Member State law" will be interpreted as references to Swiss law;
   • references to "EU", "Union" and "Member State" will be interpreted as references to Switzerland, and in particular, Clause 18 of EU SCCs must be interpreted as entitling data subjects to exercise their rights at their place of habitual residence in Switzerland;
   • references to the "competent supervisory authority" and "competent courts" will be replaced with the "the Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".

3. for transfers of Personal Data subject to UK GDPR the parties apply EU SCCs as specified above with respect to Customer Content and Customer Account Data, together with the International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Adopted by ICO, Version B1.0, in force 21 March 2022) published at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as follows:

Part 1: Tables

Table 1: Parties

Start date	Effective date of the Terms of Service and Data Processing Addendum.
The Parties	Exporter (who sends the Restricted Transfer)	Importer (who receives the Restricted Transfer)
Parties’ details	Full legal name: MANYCHAT INC. Trading name (if different): n/a Main address (if a company registered address): 450 Lexington Ave, 4th Floor, New York, NY 10017 Official registration number (if any) (company number or similar identifier): 81-1410171	Full legal name: Customer (as set forth in the Terms of Service) Trading name (if different): Main address (if a company registered address): as set forth in the Terms of Service Official registration number (if any) (company number or similar identifier):
Key Contact	Full Name (optional): Rickert Rechtsanwaltsgesellschaft m.b.H Job Title: Representative in the EU Contact details including email: art-27-rep-manychat@rickert.law	Full Name (optional): Job Title: as set forth in the Terms of Service Contact details including email: as set forth in the Terms of Service
Signature (if required for the purposes of Section 2)

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs	☑ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: EU SCCs as specified in Section 2A of this Annex 3: - For Customer Content (Module Two: Transfer controller to processor, Module Three: Transfer processor to processor) - For Customer Account Data (Module One: Transfer controller to controller)

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: see Section 2A of this Annex 3.
Annex 1B: Description of Transfer: see Annex 1 to DPA.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: see www.manychat.com/legal/dpa
Annex III: List of Sub processors (Modules 2 and 3 only): see the list of Sub-processors at www.manychat.com/legal/service-providers.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes	Which Parties may end this Addendum as set out in Section 19: ☑ Importer ☑ Exporter ☐ neither Party

Alternative Part 2 Mandatory Clauses:

Mandatory Clauses	Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.