Draftout Data Processing Agreement

1.1 Definitions

• Agreement means this Data Processing and Services Agreement and all Schedules.
• Company Personal Data means any Personal Data processed by Service Provider on behalf of Company pursuant to or in connection with the Principal Agreement.
• Company Confidential Information means all non-public, proprietary, or confidential information disclosed by Company to Service Provider, including business processes, customer data, financial information, technical specifications, and strategic plans.
• Data Protection Laws means EU Data Protection Laws, Swiss Data Protection Laws, and, to the extent applicable, the data protection or privacy laws of any other country.
• Swiss Data Protection Laws means the Swiss Federal Act on Data Protection (FADP) and its implementing ordinances, as amended from time to time.
• EU Data Protection Laws means EU Directive 95/46/EC and all laws replacing, implementing or supplementing it, including the GDPR.
• GDPR means EU General Data Protection Regulation 2016/679.
• Data Transfer means a transfer of Company Personal Data from the Company to Service Provider, or an onward transfer from Service Provider to a Subprocessor or between establishments of Service Provider where such transfer would be prohibited by Data Protection Laws.
• Services means the AI-powered desktop assistant services, white glove onboarding, knowledge base creation, Draftout customization, sales coaching, and meeting assistance that Draftout provides.
• Deliverables means all work products, documents, designs, configurations, customizations, prompt designs, knowledge bases, and other materials created by Service Provider specifically for Company during the performance of Services.
• Subprocessor means any person appointed by or on behalf of Service Provider to process Personal Data on behalf of the Company in connection with the Agreement.
• White Glove Onboarding means the customized setup and configuration services provided by Service Provider to optimize the AI assistant for Company’s specific use cases and requirements.

1.2 GDPR Terms

The terms Commission, Controller, Data Subject, Member State, Personal Data, Personal Data Breach, Processing and Supervisory Authority shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2.1 Comprehensive Confidentiality

Service Provider acknowledges that it may receive Company Confidential Information and Company Personal Data in connection with the Services.

• Hold all Company Confidential Information in strict confidence.
• Use Company Confidential Information solely for providing the Services.
• Not disclose Company Confidential Information to any third party without prior written consent.
• Implement and maintain appropriate safeguards to protect confidentiality.

These confidentiality obligations survive termination for five years.

2.2 Processing Obligations

• Comply with all applicable Data Protection Laws.
• Not process Company Personal Data other than on documented instructions.
• Ensure all personnel handling Personal Data are bound by enforceable confidentiality obligations.
• Provide adequate training on data protection requirements and procedures.
• Be liable for processing activities conducted outside the scope of documented instructions.

2.3 Processing Instructions

The Company instructs Service Provider to process data for:

• Real-time AI-powered sales coaching during meetings.
• Meeting transcript analysis and processing.
• Generation of automated follow-up emails.
• Provision of personalized sales context and objection handling assistance.
• White glove onboarding and knowledge base creation.
• Draftout customization and configuration.
• Processing only when Company personnel actively engage the service.

4.1 Technical and Organizational Measures

Taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing, Service Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

4.2 Specific Security Measures

• Encryption: End-to-end encryption for data in transit and at rest using minimum TLS 1.2 and AES-256.
• Access Controls: Enterprise authentication through WorkOS with MFA and role-based access control.
• Data Minimization: Meeting transcripts are processed according to configured retention policies; audio recordings are processed in real time with configurable retention.
• Infrastructure Security: Regular security assessments, automated security updates, incident response procedures, and SOC 2 Type II compliance preparation.
• Compliance Certifications: Service Provider is pursuing SOC 2 Type II and ISO 27001 certifications.
• Zero Trust Architecture: Continuous verification and least-privilege access.
• Data Residency: Configurable data residency controls for enterprise accounts.

4.3 Risk Assessment

In assessing the appropriate level of security, Service Provider shall take account in particular of the risks presented by processing, especially risks arising from a Personal Data Breach.

5.1 Data Subject Rights

Service Provider shall assist Company in fulfilling consumer rights requests under applicable Data Protection Laws, including:

• Right to know or access personal information.
• Right to delete personal information.
• Right to correct inaccurate personal information.
• Right to object to processing.
• Right to data portability.
• Right to restrict processing.

5.2 FADP and GDPR Compliance

• Not sell or share Company Personal Data.
• Not retain, use, or disclose Company Personal Data except to perform the Services.
• Not use Company Personal Data for advertising or commercial purposes outside the Services.
• Provide the same level of privacy protection required by applicable laws.

5.3 Cross-Border Data Transfers

For transfers of personal data from Switzerland or the EU to other jurisdictions, Service Provider shall implement appropriate safeguards including standard contractual clauses or other legally recognized transfer mechanisms.

6.1 Deliverables Ownership for Paid Pilots

For paid pilot programs, all Deliverables created specifically for Company shall be owned by Company upon full payment of the applicable fees, including:

• Custom prompt designs.
• Knowledge base configurations.
• Customized AI model configurations.
• Integration specifications.
• Custom workflows and processes.

Service Provider assigns to Company all right, title, and interest in and to such Deliverables, including all intellectual property rights therein.

6.2 Service Provider Retained Rights

• Its core platform, software, and underlying technology.
• General methodologies, processes, and know-how.
• Aggregated and anonymized insights that cannot identify Company.

6.3 License Grant

Company grants Service Provider a limited, non-exclusive license to use Company Confidential Information solely for providing the Services during the term of the Agreement. Service Provider grants Company a perpetual, irrevocable, royalty-free license to use Deliverables for Company business purposes, including the right to modify and create derivative works.

7.1 Authorized Subprocessors

• Deepgram, Inc. for audio transcription services.
• AssemblyAI, Inc. for audio transcription services.
• OpenAI L.P. for AI processing and analysis services.
• Anthropic PBC for AI processing and analysis services.

7.2 Subprocessor Requirements

• Be bound by data protection and confidentiality obligations substantially equivalent to this Agreement.
• Maintain compliance with applicable Data Protection Laws.
• Process Personal Data only for purposes authorized by Company.
• Implement appropriate technical and organizational measures.

7.3 Subprocessor Changes

Service Provider shall inform Company of any intended changes to Subprocessors with at least 30 days' prior written notice. Company may object within 14 days if the changes do not meet required data protection standards.

10.1 Breach Notification

Service Provider shall notify Company at help@draftout.ai without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data or Confidential Information.

10.2 Breach Response

Service Provider shall cooperate with Company and take reasonable commercial steps as directed by Company to assist in the investigation, mitigation and remediation of each breach.

11.1 Data Deletion

Service Provider shall delete Company Personal Data and Confidential Information within 30 days of cessation of Services, except for data required by law, Deliverables owned by Company, and aggregated anonymized data that cannot identify Company.

11.2 Certification

Service Provider shall provide written certification that it has fully complied with section 11 within 30 days of the Cessation Date.

11.3 Retention Periods

• Meeting Transcripts: Immediately deleted after processing into summary responses.
• Audio Recordings: Processed in real time and immediately deleted.
• Personalized Context: Retained only if Company chooses to save it within the system.
• Generated Summaries: Retained for the duration of the service agreement unless Company requests deletion.
• Knowledge Base Data: Retained for the duration of the service agreement.
• Deliverables: Retained permanently by Company as owner.

Annex I – Parties and Transfer

The data exporter is the party named as Customer in the Terms. The data importer is Akademische Unterstutzung GmbH, Kantonsstrasse 34, 6207 Nottwil, Switzerland, acting as Processor.

Data subjects include meeting participants such as employees, contractors, clients, and other individuals participating in recorded meetings. Categories of personal data may include audio and video data, transcripts, AI-generated insights, user account information, authentication data, and meeting metadata.

Potentially sensitive data may include business confidential information and sensitive meeting content. Applied safeguards include no recording by default for enterprise users, admin controls, data minimization, encryption, role-based access controls, configurable retention, and data residency controls.

Annex II – Technical and Organisational Measures

Technical and organisational measures include pseudonymisation and encryption, confidentiality and resilience controls, incident recovery, regular testing, user identification and authorization, transmission and storage protection, physical security, event logging, secure system configuration, internal IT governance, data minimisation, data quality, limited retention, and accountability measures.

Assistance to the controller includes enterprise authentication, encryption using TLS 1.2+ and AES-256, role-based access control, automated security updates, and SOC 2 Type II compliance preparation.