Data Processing Agreement (DPA)

Effective Date: February 5, 2026
Last Updated: February 5, 2026

This Data Processing Agreement (“DPA” or “Agreement”) forms part of the Terms of Service or other applicable agreement (“Master Agreement”) between Codas Labs, LLC, a North Carolina limited liability company (“Codas Labs,” “Processor,” “we,” “us”), and the customer or user entity (“Customer,” “Controller”) that uses Codas Labs’ products or services.

This Agreement applies only to the extent Codas Labs processes Personal Data on behalf of Customer and is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and other applicable data protection laws.

1. Definitions

Capitalized terms not defined here have the meanings given in the Master Agreement.
• “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
• “Processing” means any operation performed on Personal Data, including collection, storage, use, transmission, analysis, or deletion.
• “Controller” means the entity that determines the purposes and means of processing Personal Data.
• “Processor” means the entity that processes Personal Data on behalf of the Controller.
• “Subprocessor” means a third party engaged by Codas Labs to process Personal Data.
• “Data Protection Laws” means GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy laws.

2. Roles of the Parties

2.1 Customer as Controller
Customer is the Controller of Personal Data submitted to, stored in, or processed through the Services.

2.2 Codas Labs as Processor
Codas Labs acts as a Processor when processing Personal Data on behalf of Customer pursuant to Customer’s instructions.

2.3 Independent Controller Activities
Codas Labs acts as an independent Controller for:
• Its own marketing, sales, billing, compliance, and security operations
• Training, coaching, and educational services provided through Codas Media
• Leads and data collected directly by Codas Labs

These activities are governed by Codas Labs’ Privacy Policy, not this Agreement.

3. Scope of Processing

3.1 Subject Matter & Duration

Codas Labs processes Personal Data for the duration of the Agreement and as necessary to provide the Services.

3.2 Nature & Purpose

Processing may include:
• Data hosting and storage
• Messaging delivery (email, SMS, voice, automation)
• Survey and form processing
• AI-assisted analysis or generation
• Customer support and troubleshooting
• Analytics and system monitoring

3.3 Categories of Data Subjects

May include:
• Customer’s leads, prospects, users, clients, or employees
• End users interacting with Customer’s workflows

3.4 Categories of Personal Data

May include:
• Identifiers (name, email, phone number)
• Business contact information
• Message content and metadata
• Survey responses and form submissions
• Usage and interaction data

Sensitive data should not be submitted unless expressly permitted by the Agreement.

4. Customer Obligations

Customer represents and warrants that:
• It has a lawful basis to collect and process Personal Data
• Required notices and consents have been provided
• Its instructions comply with Data Protection Laws
• It will not use the Services for unlawful, deceptive, or abusive activities

Customer remains solely responsible for the legality of Personal Data it provides.

5. Codas Labs Obligations

Codas Labs shall:
• Process Personal Data only on documented instructions from Customer
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational safeguards
• Assist Customer with Data Subject requests where required
• Notify Customer of Personal Data breaches without undue delay
• Delete or return Personal Data upon termination (subject to law)

6. Subprocessors

6.1 Authorization
Customer authorizes Codas Labs to engage Subprocessors to provide the Services.

6.2 Obligations
Codas Labs ensures Subprocessors are bound by data protection obligations substantially similar to this Agreement.

6.3 Current Subprocessors
Subprocessors may include:
• Cloud hosting providers
• Payment processors (e.g., Stripe, PayPal)
• Messaging and telecom carriers
• Analytics and monitoring providers
• AI infrastructure providers

An up-to-date list may be provided upon request or published separately.

7. International Data Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, Codas Labs relies on:
• Standard Contractual Clauses (SCCs)
• Adequacy decisions
• Other lawful transfer mechanisms

8. Security Measures

Codas Labs maintains a security program including:
• Access controls and authentication
• Encryption in transit and at rest (where appropriate)
• Incident detection and response procedures
• Vendor risk management

Specific technical details are confidential and subject to change.

9. Data Subject Rights

Codas Labs will assist Customer, where reasonably possible, in responding to requests for:
• Access
• Correction
• Deletion
• Restriction
• Objection
• Portability

Customer is responsible for verifying requestor identity and responding within required timeframes.

10. Data Breach Notification

Codas Labs will notify Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer data and provide reasonable information to support Customer’s obligations.

11. Data Deletion & Return

Upon termination of the Services:
• Customer data will be deleted or returned upon request
• Backup retention may apply for limited periods
• Data required by law may be retained

12. Audits

Customer may audit Codas Labs’ compliance:
• No more than once annually
• With reasonable notice
• Without disrupting operations
• Subject to confidentiality

Third-party certifications or summaries may satisfy audit requests.

13. Liability

Liability under this Agreement:
• Is subject to the limitations in the Master Agreement
• Does not create additional uncapped liability
• Excludes indirect, incidental, or consequential damages

14. Governing Law

This Agreement is governed by the same law and dispute resolution provisions as the Master Agreement, including arbitration where applicable.

15. Order of Precedence

If there is a conflict between this Agreement and the Master Agreement, this DPA controls solely with respect to data protection matters.

16. Acceptance

This Agreement is deemed accepted when Customer uses the Services and forms part of the binding agreement between the parties.