Data Processing Addendum

Effective Date: March 20, 2026

This Prism AI Data Processing Addendum ("DPA") supplements, and is incorporated into, the Prism AI Services Agreement ("Agreement") governing use of the Services and is entered as of the Effective Date between the customer identified above ("Customer") and Prism AI, Inc. d/b/a Bigspin, a Delaware corporation ("Prism AI"). Capitalized terms not defined in the DPA have the meanings provided in the Agreement. In this DPA, Prism AI and Customer are each referred to as a "Party" and collectively as the "Parties."

To execute this DPA, please contact legal@bigspin.ai.

1. Details

1.1. Scope and Roles. As part of providing the Services to the Customer under the Agreement, Prism AI may Process Customer Data on behalf of Customer. Prism AI acts as a Data Processor on the Customer's behalf, and this DPA governs such Processing.

1.2. Details of Processing. Prism AI will only Process Customer Data for the purposes of delivering the Services to Customer pursuant to the Agreement and this DPA. Details regarding the nature, duration, as well as the types of Customer Data and categories of Data Subjects involved, are set out in Schedule 1 (Details of Processing) to this DPA. Prism AI and Customer each agree to comply with their respective obligations under Data Protection Laws in connection with the Services.

2. Prism AI Obligations

2.1. Customer Instructions. The Parties agree that this DPA, the Agreement (including the Order Form), and any instructions provided via the configuration tools and other tools within the Services made available by Prism AI, constitute Customer's documented instructions regarding Prism AI's processing of Customer Data ("Customer Instructions"). Prism AI will process Customer Data only in accordance with Customer Instructions, unless required to do so by applicable law to which Prism AI is subject, in which case Prism AI will inform Customer of this requirement prior to processing unless legally prohibited from doing so.

2.2. Notices to Customer. Prism AI will promptly inform Customer in writing if, in Prism AI's opinion, a Customer Instruction violates Data Protection Laws. Prism AI will, to the extent legally permitted, inform Customer if Prism AI receives a legally binding request for disclosure of Customer Data by a law enforcement authority.

2.3. Confidentiality. Prism AI will ensure that all persons authorized by Prism AI to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.4. Data Subject Requests. Prism AI will, to the extent legally permitted, inform Customer if Prism AI receives a request to exercise data subject rights pursuant to Data Protection Laws ("Data Subject Request") in respect of Customer Data. Prism AI will not respond to any such request without Customer's prior written authorization, except that Customer authorizes Prism AI to redirect Data Subject Requests as necessary to allow Customer to respond directly. Taking into account the nature of the processing, Prism AI will assist Customer by implementing appropriate technical and organizational measures, in so far as this is possible, to allow Customer to respond to Data Subject Requests.

2.5. Security. Prism AI will implement and maintain reasonable and appropriate organizational and technical security measures to protect Customer Data, as set forth in the Agreement. These measures include, at a minimum: encryption of Customer Data at rest and in transit; access controls at the Organization, Workspace, and Project levels; audit logging of key user activities; and regular security audits as part of Prism AI's SOC 2 compliance program.

2.6. Assistance to Customer. Prism AI will, taking into account the nature of the processing and the information available to Prism AI, provide reasonable assistance to Customer to help Customer comply with its obligations under Data Protection Laws including, where appropriate, the preparation of data protection impact assessments with respect to Prism AI's processing of Customer Data and, where necessary, the Customer consulting with a supervisory authority with jurisdiction over such processing, if such consultation is required by Data Protection Laws.

2.7. Personal Data Breaches. Prism AI will notify Customer without undue delay after becoming aware of any Personal Data Breach. Such notification will include, to the extent available, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to mitigate the breach. Prism AI will provide reasonable assistance to Customer to help Customer comply with its obligations under Data Protection Laws in respect of such Personal Data Breach.

2.8. Assessing Compliance. Prism AI will, on Customer's reasonable written request and to the extent required by Data Protection Laws: (i) no more than once per year, provide Customer with Prism AI's privacy and security policies and other such information necessary to demonstrate compliance with Prism AI's obligations under this DPA; and (ii) provided that the Parties have an appropriate confidentiality agreement in place, allow for and contribute to audits or inspections by, or on behalf of, Customer at Customer's sole expense. Such audit or inspection must be: (A) conducted in a manner that is minimally disruptive to Prism AI's business; (B) necessary to confirm that Prism AI is processing Customer Data in a manner consistent with this DPA; and (C) occur no more than once per year. Where permitted by Data Protection Laws, Prism AI may instead make available to Customer a summary of relevant audit reports, including SOC 2 reports, relevant to Prism AI's compliance with this DPA. Such results and documentation, including the results of any audits or inspections, shall be the Confidential Information of Prism AI.

2.9. Engagement of Sub-processors. Customer hereby provides a general authorization to Prism AI to engage the Sub-processors listed in the Sub-processor List to process Customer Data in connection with the Services. Prism AI will notify Customer of any changes to the Sub-processor List via the Sub-processor List page, notification within the Services, or via email if Customer subscribes to email notifications. Customer may object to the use of such additional Sub-processor within 30 days of receiving notice of the change by contacting privacy@bigspin.ai. In such case, Prism AI will work with Customer to address its concerns and offer commercially reasonable alternatives or solutions. If none of the alternatives or solutions are commercially feasible, in Prism AI's reasonable judgment, or if the objections have not been resolved to the satisfaction of the Parties within 30 days of Prism AI's receipt of Customer's objection notice, then either Party may terminate the Agreement or any Order Forms or usage regarding the Services that cannot be provided without the use of the new Sub-processor. In such case, Customer will be refunded any applicable pre-paid fees to the extent they cover periods or terms following the date of such termination.

2.10. Sub-processor Obligations. Prism AI shall enter into contractual arrangements with each Sub-processor that impose on them obligations comparable to those imposed on Prism AI under this DPA. Subject to the limitations of liability included in the Agreement, Prism AI will remain liable for the acts and omissions of its Sub-processors to the same extent Prism AI would be liable under this DPA if it performed such acts or omissions itself.

2.11. Data Return or Deletion. Following expiry or termination of the Agreement, Prism AI will, at Customer's instruction, return or delete Customer Data, and existing copies unless retention of Customer Data is required under applicable laws, in which case Prism AI will isolate and protect it from any further processing except to the extent required by applicable laws. Upon Customer's written request, Prism AI will provide written certification of the deletion of Customer Data.

3. Customer Obligations

3.1. Notices and Authorizations. Customer represents, warrants and covenants that it has provided all necessary notices, and has and shall maintain throughout the Term all necessary rights, consents and authorizations, to the extent required under Data Protection Laws, to provide the Customer Data to Prism AI and to authorize Prism AI to process Customer Data in connection with the Agreement, including this DPA.

3.2. Cooperation. Customer shall reasonably cooperate with Prism AI to assist Prism AI in performing any of its obligations under applicable Data Protection Laws.

3.3. Configurations. Without prejudice to Prism AI's security obligations in Section 2.5 of this DPA, Customer acknowledges and agrees that it is responsible for certain configurations and design decisions for the Services and for implementing such configurations and design decisions (e.g., retention periods, deletion, access controls, etc.) in a manner that complies with applicable Data Protection Laws.

4. International Data Transfers

4.1. Data Storage. Customer Data is stored and processed in the United States. Where Customer Data is transferred outside the jurisdiction from which it originates, Prism AI will ensure that appropriate safeguards are in place in compliance with Data Protection Laws.

4.2. EEA and Swiss Data. Customer Data processed by Prism AI under this DPA may fall within the scope of the Data Protection Laws of the European Economic Area or Switzerland ("EEA and Swiss Data"). To the extent Prism AI transfers EEA and Swiss Data to Sub-processors or otherwise processes it outside the European Economic Area or Switzerland, it will do so on the basis of agreements containing SCCs that ensure appropriate safeguards for the protection of Customer Data are in place, or an adequacy decision issued by the European Commission under Article 45 GDPR. The SCCs details applicable to EEA and Swiss Data transfers are set out in Schedule 1, Section 8.

5. Further Requirements

To the extent U.S. Privacy Laws apply:

5.1. Prism AI agrees to (a) not provide Customer with monetary or other valuable consideration in exchange for Customer Data from Customer. The parties acknowledge and agree that Customer has not "sold" (as such term is defined by U.S. Privacy Laws) Customer Data to Prism AI; (b) not "sell" (as such term is defined by U.S. Privacy Laws) or "share" (as such term is defined by the CCPA) Personal Data; (c) to the extent that Customer permits or instructs Prism AI to process Customer Data subject to U.S. Privacy Laws in a de-identified form as part of the Services, Prism AI shall (i) adopt reasonable measures to prevent such de-identified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) publicly commit to maintain and use such de-identified data in that form and not attempt to re-identify the information, except as may be permitted by U.S. Privacy Laws; and (iii) before sharing de-identified data with any other party, including Sub-processors, contractually obligate any such recipients to comply with the requirements of this provision (c)(i)-(iii); and (d) where the Customer Data is subject to the CCPA (i) not retain, use, disclose, or otherwise process Customer Data except as necessary for the business purposes specified in the Agreement, including without limitation as set out in Schedule 1 of this DPA; (ii) not retain, use, disclose, or otherwise process Customer Data in any manner outside of the direct business relationship between Prism AI and Customer; (iii) not combine any Customer Data with Personal Data that Prism AI receives from or on behalf of any other third party or collects from Prism AI's own interactions with individuals, provided that Prism AI may so combine Customer Data for a purpose permitted under the CCPA if directed to do so by Customer or as otherwise permitted by the CCPA; (iv) notify Customer without undue delay if Prism AI determines that it can no longer meet its obligations under the CCPA; and (v) if Customer reasonably believes that Prism AI's Processing of Customer Data is not consistent with the requirements of the CCPA and upon Customer's reasonable notification of the same to Prism AI, the Parties will work together in good faith to remedy the issue, or, if after working together Customer reasonably determines that the issue cannot be remedied, Prism AI will stop Processing the affected Customer Data upon written instruction from Customer.

5.2. Customer agrees to not take any action that would (a) render the provision of Customer Data to Prism AI a "sale" under U.S. Privacy Laws or a "share" under the CCPA (or equivalent concepts under U.S. Privacy Laws); or (b) render Prism AI not a "service provider" under the CCPA or "processor" under U.S. Privacy Laws.

6. Definitions

"Customer Data" means Personal Data processed by Prism AI on behalf of Customer to provide the Services.

"Data Controller" has the meaning assigned to the term "controller" (or another analogous term) under Data Protection Laws.

"Data Processor" has the meaning assigned to the term "processor" (or another analogous term) under Data Protection Laws.

"Data Protection Laws" means data privacy and data protection laws applicable to Prism AI's processing of Customer Data in connection with the Services.

"Data Subject" has the meaning assigned to the term "data subject" (or another analogous term) under Data Protection Laws.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

"Personal Data" has the meaning assigned to the term "personal data" or "personal information" (or another analogous term) under Data Protection Laws.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data stored, transmitted or otherwise processed by Prism AI, its Sub-processors, or any other third parties acting on Prism AI's behalf.

"Processing" has the meaning assigned to the term "processing" (or another analogous term) under Data Protection Laws.

"SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the EU Commission on June 4, 2021 (as may be amended, updated or replaced from time to time).

"Sub-processors" means the sub-processors engaged by Prism AI to process Customer Data in connection with the Services, listed in the Sub-processor List.

"Sub-processor List" means the list available at https://app.bigspin.ai/sub-processors.

"U.S. Privacy Laws" means the subset of Data Protection Laws applicable to residents of the United States, including without limitation the California Consumer Privacy Act ("CCPA").

Schedule 1: Details of Processing

1. Nature and Purpose: The performance of the Services under the Agreement, including the Bigspin Behavior Design Platform's ingestion, analysis, and reporting on Customer-provided conversation transcripts and related data using artificial intelligence and large language models.

2. Duration: The Term and such time required thereafter for the Parties to perform their applicable obligations following the end of the Term, including data deletion.

3. Categories of Customer Data: Customer may submit Personal Data to the Services, the categories of which will depend upon Customer's use of the Services which is determined and controlled by Customer in its sole discretion, but it may include, but is not limited to:

4. Categories of Data Subjects: The data subjects may include, but are not limited to, Customer's employees, customers, contractors, and generally end users of Customer's products and services whose conversations are analyzed through the Services.

5. Sensitive Data Transferred (if applicable): No sensitive data is intended to be transferred. However, Customer controls what data is submitted to the Services, and conversation transcripts may incidentally contain sensitive information. Customer is responsible for ensuring that any sensitive data submitted complies with applicable Data Protection Laws.

6. Frequency: Continuous basis depending on Customer's use of the Services.

7. Transfers to Sub-processors: As per Section 2.9 of the DPA, Sub-processors will Process Customer Data as necessary to perform the Services. Such Processing will be for the duration of the Agreement, unless otherwise agreed in writing.

8. SCCs Information for the Transfer of EEA and Swiss Data under Section 4.2:

8.1. Module Two (Controller to Processor) of the SCCs apply when Customer is a Data Controller and Prism AI is processing Customer Data as a Data Processor. Module Three (Processor to Sub-Processor) of the SCCs apply when Customer is a Data Processor and Prism AI is processing Customer Data as a sub-processor.

8.2. For each module of the SCCs, where applicable, the following applies: (i) The optional docking clause in Clause 7 does not apply; (ii) In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 2.9 of the DPA; (iii) In Clause 11, the optional language does not apply; (iv) All square brackets in Clause 13 are hereby removed; (v) In Clause 17 (Option 1), the SCCs will be governed by the laws of Ireland; (vi) In Clause 18(b), disputes will be resolved before the courts of Ireland; (vii) This Schedule 1 contains the information required in Annex I and Annex III of the SCCs; (viii) Section 2.5 (Security) of the DPA contains the information required in Annex II of the SCCs; (ix) the competent supervisory authority is the Irish Data Protection Commission.

8.3. Data exporter(s): the Customer under the Agreement. Data importer(s): Prism AI, Inc., 440 Missouri St, San Francisco, CA 94107, Data Protection Contact: privacy@bigspin.ai.

Execute This DPA

To execute this Data Processing Addendum, please contact legal@bigspin.ai. You will receive an execution form to complete and the agreement for review and signature.
