This Data Processing Agreement (“Agreement”) is entered into by and between the following parties:

Controller: The customer entity subscribing to the services offered at https://www.thedbt.ai (“Controller”).

Processor: The DBT Ai, a provider of AI appointment-setting and communication automation services (“Processor”). Processor and Controller are sometimes individually referred to as a “Party” and collectively as the “Parties.”

Effective Date: The date of the Controller’s acceptance of this Agreement, typically upon execution of the applicable service or subscription agreement.

This DPA governs the processing of personal data that the Processor performs on behalf of the Controller in connection with the Controller’s use of The DBT Ai services (“Services”).

1. Definitions

1.1 “Personal Data” means any information relating to an identified or identifiable natural person processed under this Agreement.

1.2 “Processing” means any operation performed on Personal Data, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or destruction.

1.3 “Data Controller” means the entity that determines the purposes and means of the processing of Personal Data.

1.4 “Data Processor” means the entity that processes Personal Data on behalf of the Controller.

1.5 “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

1.6 “Applicable Data Protection Law” means all applicable data protection and privacy laws to which the Parties are subject (e.g., GDPR, UK GDPR, CCPA, LGPD, etc.).

2. Roles of the Parties

The Controller determines the purposes and means of Processing Personal Data. The Processor processes Personal Data on behalf of and in accordance with the documented instructions of the Controller.

3. Subject Matter, Scope, and Purpose

3.1 Subject Matter: Personal Data processed in connection with the Controller’s use of the Services.

3.2 Purpose: To provide the AI appointment setter, lead engagement, call/text automation, scheduling, and related services as contracted by the Controller.

3.3 Scope: The Processor will Process Personal Data only to the extent necessary to perform its obligations under the Services. The scope may also include storing, hosting, analysis, and communication functions required to operate the Services. 

4. Types of Personal Data & Categories of Data Subjects

4.1 Types of Personal Data: Contact details (e.g., names, emails, phone numbers), scheduling data, message content, call transcripts, calendar metadata, user account details, and other content the Controller uploads or triggers via the Services. (Controller must accurately specify which categories they provide.)

4.2 Categories of Data Subjects: Controller’s clients, prospects, employees, and other individuals whose Personal Data is processed through the Services.

5. Controller Instructions

The Processor will process Personal Data only on documented instructions from the Controller, unless required to do otherwise by Applicable Data Protection Law. Any changes to Processor’s processing of Personal Data at the Controller’s direction will be governed by this DPA. 

6. Processor Obligations & Security Measures

6.1 Confidentiality: The Processor shall ensure that persons authorized to process the Personal Data are subject to confidentiality obligations.

6.2 Security: Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including but not limited to encryption in transit and at rest, access controls, logging, and intrusion detection.

6.3 No Independent Use: Processor shall not use Personal Data for purposes other than providing the Services unless authorized by the Controller or required by law.

6.4 Data Breach: The Processor will notify the Controller without undue delay upon becoming aware of a Personal Data breach affecting Controller’s Personal Data and provide reasonably available information to support Controller’s breach response obligations.

7. Sub-processors

7.1 Authorization: Controller acknowledges that the Processor may engage Sub-processors to perform specific processing activities. The Processor will make available a current list of Sub-processors upon request.

7.2 Sub-processor Obligations: Processor shall impose data protection obligations on Sub-processors consistent with this DPA.

8. Data Subject Rights

Where applicable under law, the Controller remains responsible for responding to data subject rights requests (e.g., access, correction, deletion). Processor shall assist Controller, as reasonably required, to fulfill such obligations.

9. International Data Transfers

Processor may transfer Personal Data across borders as necessary to provide the Services. In doing so, Processor will implement legally required safeguards (e.g., Standard Contractual Clauses, binding agreements) to ensure lawful transfers under Applicable Data Protection Law.

10. Termination and Data Return or Deletion

Upon termination of the Services or Controller’s request, Processor will delete or return Personal Data in its possession, unless retention is required by law. Any retained backups will be deleted within a commercially reasonable time.

11. Limitation of Liability

This DPA does not limit or exclude any liability that cannot be limited or excluded under Applicable Data Protection Law. The Parties’ respective liability is further defined in the underlying Services agreement.

12. Governing Law

This Agreement shall be governed by the law specified in the Parties’ primary Service Agreement (or a mutually agreed jurisdiction if none is specified).