DATA PROCESSING AGREEMENT

Latest Update: May 2nd, 2025

This Data Processing Agreement (the “DPA”) is between the customer identified in an Order (the “Customer”) and Trampoline AI Inc., with a registered address at 5715 rue Marquette, Montréal, QC H2G 2X8, Canada (“Trampoline”) and governs the Processing of Customer Data in connection with the Services.

1. INTERPRETATION.

1. Definitions. The expressions not defined in this DPA are defined in the Terms of Services available at the following URL, as modified from time to time (the “TOS”). The expressions defined in this have the meaning set forth below in this DPA.

• Privacy Laws: Any laws, treaties, and regulations applicable to the Processing of Personal Data by either party pursuant to the Terms, including, as applicable, United States Federal Laws and Regulations and any state’s law in the United States related to the protection of Personal Data, Canada’s Personal Information Protection and Electronic Documents Act, Quebec’s Act Respecting the Protection of Personal Information in the Private Sectors and any Canadian provincial privacy laws.
• Security Incident: The unauthorized use, access modification or disclosure of Personal Data, or a breach of security safeguards involving the unauthorized access, use or disclosure of Customer Data.

2. Conflict. In the event of any conflict, inconsistency, or ambiguity between the provisions of this DPA and the remaining of the Terms, the provisions of this DPA will take precedence and prevail to the extent of such conflict, inconsistency, or ambiguity, solely with respect to the Processing of Customer Data and the parties’ respective data protection obligations.

2. PERSONAL DATA PROCESSING

1. Instructions: Trampoline will process the Personal Data based on the instructions of Customer, including, as required provide the Services, as further described in the Privacy Policy available at the following URL as modified from time to time. If Trampoline becomes aware that such instructions are in violation of Privacy Laws, Trampoline will inform the Customer without undue delays. Trampoline may refuse to process Personal Data based on an instruction it believes is in violation of Privacy Laws.

2. Legal Obligation: If Trampoline must process the Personal Data to comply with Applicable Laws, or the administration thereof, Trampoline will inform Customer of such obligation prior to processing the Personal Data, unless prevented so under such Applicable Laws.

3. Legal Request. Trampoline will not disclose Personal Data to law enforcement or a governmental authority (a “Legal Request”) unless it reasonably believes that it is required by Applicable Laws. If Trampoline receives such as a Legal Request, Trampoline will attempt to redirect the law enforcement and governmental authority to Customer, and to the full extent permitted under applicable laws, Trampoline will inform Customer of Legal Requests before complying with a Legal Request, including to give Customer, the reasonable opportunity to object to the Legal Request. At Customer’s costs and expenses, Trampoline will assist Customer to object and contest such Legal Request, where practicable. Upon receipt of a Legal Request, Trampoline will make a prompt and careful assessment of its legality, validity and appropriateness. If Trampoline must respond to the Legal Request, it will respond only to the extent required under applicable laws. 

4. PIA: If you are required to perform a privacy impact assessment (“PIA”) to comply with Privacy Laws, we will collaborate in good faith, such as by making information reasonably requested available in a timely manner. Additional support by Trampoline to Customer in this regard may be subject to payment of additional fees by Customer to Trampoline.

5. Privacy Request: Each party agrees to collaborate with the other party to respond to requests from concerned individuals regarding their Personal Data (a “Privacy Request”). Trampoline will promptly inform Customer if it receives a Data Subject Request. Trampoline will implement and maintain necessary technical and organizational measures to respond to Privacy Requests in accordance with Privacy Laws.

6. Anonymization: To the extent permitted in the Terms. Trampoline may generate Anonymized Data, and Aggregated Data, from the Personal Data provided by Customer and Authorized Users. Trampoline will only de-identify or anonymize Personal Data as permitted under Privacy Laws, including in accordance with industry standards.

3. SUBCONTRACTING

1. Authorization. Nothing in the Terms will limit Trampoline’s right to use third-party service providers to support the provision of the Services, including hosting, infrastructure and data processing functions. Customer acknowledges and agrees that Trampoline has the right to use such subcontractors, if Trampoline remains responsible for their compliance with the obligations set forth in the Terms. Upon written request, Trampoline will provide a list of subcontractors that Process Personal Data on its behalf.

2. Due Diligence: Prior to allowing a subcontractor to process Customer Data on its behalf, Trampoline will (a) conduct a reasonable due diligence of such subprocessors, and (b) enter into an agreement containing terms substantially similar to those contained herein regarding the protection of Customer Data.  

3. Changes: Trampoline will notify the Customer in writing at least 15 days before adding or replacing a subcontractor that Processes Personal Data (a “Subprocessor”). If the Customer reasonably objects to a change affecting Subprocessors, it must provide written notice within 15 days of receiving the notification. The parties will discuss the concerns in good faith. If no resolution is reached within 30 days, Customer may terminate the Terns without penalty, and Trampoline will refund the Subscription Fees paid in advance for Subscription Services not used as of the termination date, but excluding for any Flexible Subscription, for which there is no reimbursement of any Fee.

4. DATA HOSTING AND PROCESSING

1. Data Maintenance.  The customer is solely responsible for managing and maintaining the accuracy, completeness, and relevance of Customer Data and Customer AI Inputs. This includes reviewing and deleting outdated, inaccurate, or irrelevant data to ensure the quality and reliability of the information used in the Services. Trampoline shall not be responsible for any consequences arising from Customer’s failure to properly manage its data.

2. Data Hosting and Transfer. Trampoline hosts Customer Data in the United States and Canada, and Customer Data may be Processed outside of the region in which the Customer is located, as outlined in the Privacy Policy. Customer acknowledges and agrees that Trampoline may transfer Customer Data internationally as required to provide the Services, subject to appropriate safeguards in compliance with Applicable Laws. For reference purposes, a list of subprocessors is accessible at the following URL.

3. Use of Customer AI Inputs. Customer acknowledges that the Customer AI Outputs are generated based on Customer AI Inputs and may contain inaccuracies, outdated information, or unintended biases. The customer is solely responsible for:

1. Reviewing and verifying the accuracy, completeness, and appropriateness of Customer AI Outputs before use.

2. Ensuring that Customer AI Inputs do not include Highly Sensitive Information or Personal Data that should not be processed by AI. Only business contact information should be used in AI-generated content.

3. Complying with Privacy Laws, IP rights and contractual obligations when using the Services, including by obtaining all authorization and consents regarding the use of the Customer AI Outputs.

Trampoline does not perform human validation of Customer AI Outputs and does not assume liability for errors or misrepresentations arising from their use.

4. Authorization and Compliance. Customer represents and warrants that it has obtained all necessary rights, consents, and authorizations to provide Customer AI Inputs to Trampoline, including for Processing such data through AI Technologies. The customer further acknowledges that its use of AI Technologies in connection with RFP responses must comply with all Applicable Laws and industry best practices.

5. SECURITY MEASURES

1. Trampoline will implement commercially reasonable measures to protect against Security Incidents. The customer has reviewed and confirms that these security measures are appropriate to the use of the Services intended by the Customer, which shall be for the Intended Purposes, and taking into consideration the state of technological development and the cost of implementing any measures. These measures will minimally include Customer Data encryption in transit and at-rest.

2. Trampoline will ensure that all personal authorized to process Customer Data are bound by confidentiality obligations, either through contractual agreements or statutory requirements, and have received appropriate training on their responsibilities. Access to Customer Data is provided on a need-to-know basis, and based on the principle of least privilege.

3. Trampoline shall implement logical data segregation measures to ensure that Customer Data remains isolated from other customers’ data within the shared multi-tenant environment. Customer Data will be logically separated using unique access controls, role-based permissions, and dedicated identifiers to prevent unauthorized access or data leakage.

6. SECURITY INCIDENT

1. Notification: In the event of a Security Incident, Trampoline will inform the Customer without undue delay of being aware of the Personal Data Breach, but no later than within 48 hours of becoming aware of the Security Incident. The notification will include:  

• A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects affected, and the categories and approximate number of Customer Data records concerned.  
• A description of the likely consequences of the Security Incident.
• A description of the measures taken or proposed to be taken by Trampoline to address the Security Incident, including measures to mitigate its possible adverse effects. 

2. Follow-Ups: If such information is not available at the time of the initial disclosure, Trampoline will follow up promptly with as such information becomes available. Trampoline will also inform the Customer of remediation actions taken or to be taken regarding the Security Incident, ensuring that it takes prompt and appropriate remediation measures, including patching vulnerabilities, implementing additional safeguards, or taking other necessary corrective actions to prevent recurrence.

3. Cooperation: Trampoline will cooperate with the Customer regarding a Security Incident including to take reasonable measures to assist in the investigation, mitigation and remediation of the Security Incident in accordance with Privacy Laws. Trampoline will also provide reasonable assistance to the Customer in case a notification to the authorities, concerned individuals, or third parties is required.

7. DELETION & RETURN

1. Customer Data: Upon Customer’s request or within 30 days following the expiration or termination of the then-current Subscription Term, Trampoline will securely delete or, at Customer’s request, return and then securely delete Customer Data. Notwithstanding the foregoing, Trampoline may retain Customer Data strictly as required under Applicable Laws or for business continuity purposes in encrypted backups, provided such data remains subject to confidentiality and security obligations.

2. Personal Data.  Trampoline will securely delete Personal Data that is no longer necessary for the purposes of Processing. However, the Customer remains responsible for managing and deleting accounts, assets, and any associated data that are no longer required, including by requesting the deletion of Authorized Users’ accounts and ensuring the removal of their credentials. Trampoline will not be liable for retaining Personal Data resulting from Customer’s failure to take such actions.

8. AUDITS AND COMPLIANCE

1. Audit Rights: Once per calendar year, upon giving Trampoline at least 30 days’ written notice, Customer may audit Trampoline’s compliance with this DPA during office hours, by way of a questionnaire. Trampoline will provide all information reasonably required to demonstrate compliance. All information provided by Trampoline during these audits shall remain confidential.

2. Audit Process.  Audit Process Audits must be conducted during regular business hours and in a manner that minimizes disruption to Trampoline’s operations. Auditors must be subject to confidentiality obligations and must not pose a conflict of interest. If the audit identifies any material non-compliance, the parties will agree on a remediation plan with reasonable timelines for implementation, and Trampoline will provide periodic updates on the corrective actions taken.

3. Follow-Up Audits: If an audit reveals any material non-compliance, the Customer may conduct a follow-up audit within the same calendar year to verify that the remediation plan has been properly implemented.

4. Breach. Each party will notify the other party in writing without undue delay of a breach of this DPA or Data Protection Laws (“Violation”) within 48 hours of becoming aware of such a Violation. The parties will collaborate in good faith to mitigate the impacts of any Violation, and prevent the recurrence of the Violation.

5. Compliance. If required by Privacy Laws, Trampoline may amend this DPA by providing a prior notice of 10 days to the Customer. If Customer disagrees with the changes during this period, Customer may contact Trampoline at privacy@trampoline.ai otherwise, the changes will be considered in force after this period.

Data Processing Agreement - Schedule 1

OVERVIEW OF ACTIVE SECURITY MEASURES

1. Access Control

1. Role-based access controls (RBAC) to restrict access based on least privilege.
2. Authentication with strong passwords and mandatory 2FA for admin and backend access.
3. Regular review and revocation of inactive or unnecessary user accounts.
4. User permissions are managed through predefined roles.
   

2. Data Encryption

1. TLS encryption for data in transit (HTTPS with strong ciphers).
2. Encryption of personal data at rest using AES-256 or similar.
3. Encryption of backups and database dumps.
4. Encryption extends to stored commercial documents and client data exports.
   

3. Secure Development Practices

1. Use of secure coding frameworks and libraries.
2. Regular code review and static analysis for vulnerabilities.
3. Separation of development, testing, and production environments.
4. Data is anonymized in non-production environments to avoid exposure.
5. Patches and updates are tested using predefined test plans before deployment.
   

4. Logging and Monitoring

1. Security-relevant events (e.g. login failures, data exports) are logged.
2. Automated alerting tools are used to detect anomalies and unauthorized access.
3. Security logs are centralized and regularly reviewed.
4. Logs are retained based on legal and minimization obligations.
   

5. Incident Response

1. A detailed five-phase incident response plan is in place:

1. Detection & Alerting: Anyone can report; alerts go to a dedicated Slack channel.
2. Containment: Procedures for each incident type (e.g. device loss, malware, intrusion).
3. Investigation: Logs are reviewed, root cause analysis is conducted.
4. Communication: Clients notified with pre-approved message templates based on severity.
5. Post-Mortem: Held within 72h to document lessons and update protocols. Designated roles: Incident Manager, Tech Lead & Support & Client Communication

2. Emergency contact information and redundant escalation channels are included.
3. All new employees are trained on escalation protocol.

6. Physical and Infrastructure Security

1. Use of SOC 2 / ISO 27001 certified cloud service providers.
2. No general on-prem infrastructure; physical access is extremely limited.
3. Redundant systems, backups, and disaster recovery plans are in place and tested.
   

7. Data Minimization & Retention

1. Only the minimum required personal data is collected.
2. Stale or unused data is deleted or anonymized automatically.
3. Data retention policies are reviewed periodically.
   

8. Vendor and Sub-Processor Management

1. Due diligence is conducted on all subprocessors.
2. Standard Contractual Clauses (SCCs) and equivalent obligations flow down to all vendors.
3. Subprocessor security controls are reviewed annually.
4. A maintained list of subprocessors is available on request.
   

9. Employee Training & Awareness

1. Security onboarding is mandatory for all employees.
2. Employees are trained to detect and escalate incidents.
3. Ongoing campaigns cover phishing and social engineering.
4. All employees sign NDAs and confidentiality clauses.
   

10. Regular Testing and Evaluation

1. Hourly vulnerability scans are run automatically.
2. Patching cycles are in place with test plans prior to rollout.
3. Annual simulations of incident response (tabletop exercises) are conducted.
4. Security policies are reviewed and updated periodically.
   

11. Data Classification

1. A data classification matrix is maintained.
2. Data is categorized and handled according to sensitivity levels.
3. Access is restricted accordingly.
   

12. Privacy Governance

1. A named privacy officer oversees compliance.
2. Data Subject Access Requests (DSARs), breach notifications, and contractual obligations are coordinated by this role.
3. Clients can request data deletion at any time (privacy@trampoline.ai)