Data Processing Agreement

1. Scope

This Data Processing Agreement ("DPA") forms part of the Product Signal Terms of Service, Order Form, or other written agreement between Product Signal and the customer that uses the Service (the "Agreement").

This DPA applies when Product Signal processes Customer Personal Data on behalf of Customer in connection with the Service. "Customer Personal Data" means personal data contained in Customer Data, as defined in the Agreement.

Capitalized terms not defined in this DPA have the meanings given in the Agreement or applicable data protection law.

2. Roles of the Parties

For Customer Personal Data, Customer is the controller and Product Signal is the processor, unless the parties agree otherwise in writing. If Customer acts as a processor for a third-party controller, Product Signal acts as Customer's subprocessor.

Customer is responsible for ensuring that it has all rights, notices, consents, permissions, and lawful bases needed to provide Customer Personal Data to Product Signal and to instruct Product Signal to process it through the Service.

3. Processing Instructions

Product Signal will process Customer Personal Data only on Customer's documented instructions. Customer's documented instructions include the Agreement, this DPA, applicable Order Forms, Customer's configuration and use of the Service, and written instructions provided by Customer.

Product Signal will promptly inform Customer if, in Product Signal's reasonable opinion, an instruction infringes applicable data protection law, unless prohibited from doing so by law.

4. Details of Processing

The subject matter, duration, nature, purpose, categories of personal data, and categories of data subjects are described in Annex A.

5. Confidentiality

Product Signal will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations or are subject to an appropriate statutory obligation of confidentiality.

6. Security Measures

Product Signal will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

The current security measures are described in Annex B. Product Signal may update those measures from time to time, provided the updates do not materially reduce the overall level of protection for Customer Personal Data.

7. Subprocessors

Customer gives Product Signal general authorization to engage subprocessors to process Customer Personal Data for the purpose of providing the Service. Product Signal's current subprocessors are listed on the Subprocessors page.

Product Signal will impose data protection obligations on subprocessors that are substantially equivalent to those in this DPA. Product Signal remains responsible for its subprocessors' performance of those obligations.

Product Signal will notify Customer at least 14 days before adding or replacing a subprocessor. Customer may object on reasonable data protection grounds by contacting legal@productsignal.com. The parties will work in good faith to address the objection.

8. International Transfers

Customer authorizes Product Signal and its subprocessors to transfer Customer Personal Data outside the European Economic Area, the United Kingdom, Switzerland, or other applicable jurisdictions as needed to provide the Service.

Where required by applicable data protection law, Product Signal will use appropriate transfer safeguards, such as adequacy decisions, the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent lawful transfer mechanisms.

9. Assistance

Taking into account the nature of the processing and the information available to Product Signal, Product Signal will provide reasonable assistance to Customer with:

• Responding to data subject requests.
• Meeting security and personal data breach obligations.
• Conducting data protection impact assessments where required.
• Consulting with data protection authorities where required.

Customer is responsible for handling data subject requests. If Product Signal receives a request directly from a data subject relating to Customer Personal Data, Product Signal will not respond to the request except to direct the individual to Customer or as legally required.

10. Personal Data Breaches

Product Signal will notify Customer without undue delay after becoming aware of a personal data breach involving Customer Personal Data. Product Signal will provide information reasonably available to it to help Customer meet its breach notification obligations.

Notification of a personal data breach is not an admission of fault or liability by Product Signal.

11. Deletion and Return

Upon termination of the Agreement, Product Signal will delete or return Customer Personal Data as described in the Agreement, applicable Order Form, or Customer's written instructions, unless applicable law requires continued retention.

Customer may request export of Customer Data within the period stated in the Agreement. Backup copies may remain for a limited period according to Product Signal's backup and retention practices and will remain protected under this DPA until deleted.

12. Audit and Compliance Information

Product Signal will make available information reasonably necessary to demonstrate compliance with this DPA. Customer may request that information by contacting legal@productsignal.com.

If legally required and the information Product Signal provides is not sufficient, Customer may request a reasonable audit. Any audit must be conducted on reasonable notice, during normal business hours, in a way that does not disrupt the Service or compromise the security, confidentiality, or privacy of other customers.

13. Restricted Data

Customer must not submit sensitive personal data, special category data, payment card data, health data, government identifiers, children's data, or data subject to heightened regulatory requirements unless Product Signal has expressly agreed in writing.

14. Order of Precedence

If this DPA conflicts with the Agreement, this DPA controls for the processing of Customer Personal Data. If applicable Standard Contractual Clauses conflict with this DPA or the Agreement, the Standard Contractual Clauses control for the relevant international transfer.

15. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, except to the extent prohibited by applicable law.

Annex A: Processing Details

Subject matter: Product Signal's processing of Customer Personal Data to provide the Service.

Duration: The term of the Agreement and any period required for deletion, return, backup retention, or legal compliance.

Nature and purpose: Hosting, storing, syncing, indexing, searching, analyzing, generating embeddings, generating AI-assisted outputs, drafting and sending outreach, collecting responses, providing support, maintaining security, troubleshooting, and improving the Service.

Categories of personal data: Names, email addresses, organization details, job or role information, customer feedback, notes, transcripts, call or meeting content, source URLs, metadata, topics, hypotheses, evidence, outreach messages, response content, usage logs, technical identifiers, and other personal data submitted to or generated through the Service.

Categories of data subjects: Customer's authorized users, administrators, employees, contractors, customers, prospects, contacts, interview participants, feedback authors, and other individuals whose personal data is included in Customer Data.

Customer obligations: Customer must provide lawful instructions, use the Service in compliance with applicable law, and ensure that Customer Personal Data may lawfully be processed by Product Signal.

Annex B: Security Measures

• Encryption in transit using TLS where supported.
• Access controls for Product Signal systems and customer workspaces.
• Least-privilege access for personnel and service accounts.
• Authentication and session controls for authorized users.
• Logical separation of customer workspaces and organization-scoped access.
• Logging and monitoring for operational and security events.
• Backups and recovery practices appropriate for the Service.
• Personnel access limited to authorized roles with a business need.
• Subprocessor review before engagement.
• Incident response procedures for investigating and responding to security events.

Annex C: Subprocessors

Product Signal's current subprocessors and customer-directed integrations are listed on the Subprocessors page.