Data Processing Addendum

1.1. “Artificial Intelligence System” means a machine-based system that, for any explicit or implicit objective, infers from the inputs the system receives how to generate outputs, including content, decisions, predictions, or recommendations, that can influence physical or virtual environments.

1.2. “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or otherwise, and any regulations promulgated thereunder.

1.3. “Controller” means “controller” and “business” (and analogous variations of such terms) as defined under Data Protection Law.

1.4. “Customer Personal Data” means Personal Data contained within User Content that Fireflies.ai Processes on behalf of Customer in connection with providing the Services.

1.5. “Data Protection Law” means all applicable state, federal, and international data protection laws.

1.6. “Data Subject” means an identified or identifiable natural person.

1.7. “Data Subject Request” means a request from a Data Subject to exercise a right under Data Protection Law relating to Customer Personal Data.

1.8. “Data Transfer” means the cross-border transfer of Customer Personal Data where additional measures are required under Data Protection Law to facilitate such transfer in a lawful manner.

1.9. “Deidentified Data” means information that cannot reasonably be linked to or associated with a Data Subject.

1.10. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.11. “Personal Data” means “personal data” and “personal information” (and analogous variations of such terms) as defined under Data Protection Law.

1.12. “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, extending further to such operation or operations under Data Protection Law.

1.13. “Processor” means “processor” and “service provider” (and analogous variations of such terms) as defined under Data Protection Law.

1.14. “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the EU Commission on June 4, 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be updated, replaced, or superseded from time to time.

1.15. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data stored, transmitted, or otherwise Processed by Fireflies.ai or its Subprocessors. For clarity, Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).

1.16. “Security Measures” means the appropriate technical and organizational measures that Fireflies.ai will implement and are designed to protect Customer Personal Data against Security Incidents and provide the level of protection required by Data Protection Law, as set forth at https://fireflies.ai/security.

1.17. “Services” means the services provided by Fireflies.ai pursuant to the Terms.

1.18. “Subprocessors” means subcontractors engaged by Fireflies.ai to Process Customer Personal Data in connection with providing the Services.

1.19. “Subprocessors List” means Fireflies.ai's list of identified Subprocessors, available at https://trust.fireflies.ai/subprocessors.

1.20. “UK GDPR” means the GDPR as incorporated into United Kingdom (“UK”) law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, each as amended, superseded, or replaced.

1.21. “UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf.

2.1. Roles and Responsibilities

As part of providing the Services to Customer, Fireflies.ai may Process Customer Personal Data on behalf of Customer. When Customer acts as a Controller, Fireflies.ai acts as a Processor with respect to Customer Personal Data. When Customer acts as Processor, Fireflies.ai acts as a Subprocessor with respect to Customer Personal Data. Each party will comply with its obligations under Data Protection Law. In the event Fireflies.ai receives written notice from Customer that Fireflies.ai has Processed Customer Personal Data without authorization, Fireflies.ai will take reasonable and appropriate steps to stop and remediate such Processing. Fireflies.ai also agrees to notify Customer without undue delay if it can no longer meet its obligations under Data Protection Law.

2.2. Instructions

Fireflies.ai will Process Customer Personal Data only in accordance with Customer's instructions. Customer instructs Fireflies.ai to Process Customer Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA and the Terms, including as specified in Attachment 1 (Scope of Processing). This DPA, the Terms, and any instructions provided by Customer through configuration tools made available by Fireflies.ai constitute Customer's documented instructions regarding Fireflies.ai's Processing of Customer Personal Data. Additional instructions provided by Customer require prior written agreement by Customer and Fireflies.ai, including agreement on any additional fees to carry out such instructions. Customer will not instruct Fireflies.ai to perform any Processing of Customer Personal Data that violates any Data Protection Law. Fireflies.ai may suspend Processing based upon any Customer instructions that Fireflies.ai reasonably suspects violate Data Protection Law, provided Fireflies.ai promptly informs Customer.

2.3. Processing Restrictions

Fireflies.ai agrees to not use Customer Personal Data for targeted advertising or otherwise “sell” or “share” Customer Personal Data, as those terms are defined under Data Protection Law. In addition, where Customer Personal Data is subject to the CCPA, Fireflies.ai agrees: (i) not retain, use, disclose, or otherwise Process Customer Personal Data, except as necessary for the business purposes specified in the Terms and this DPA; (ii) not retain, use, disclose, or otherwise Process Customer Personal Data in any manner outside of the direct business relationship between Fireflies.ai and Customer; and (iii) not to combine any Customer Personal Data with Personal Data that Fireflies.ai receives from or on behalf of any other third party or collects from Fireflies.ai's own interactions with individuals, provided that Fireflies.ai may combine Customer Personal Data for a purpose permitted under the CCPA.

2.4. Confidentiality

Fireflies.ai will ensure that persons authorized by Fireflies.ai to Process any Customer Personal Data are subject to appropriate confidentiality obligations.

2.5. Disposal

Following expiration or termination of the Terms, Fireflies.ai will, at Customer's instruction, delete or return all Customer Personal Data, unless applicable law requires the retention of such data, in which case Fireflies.ai will isolate and protect it from further Processing to the extent permitted by applicable law.

2.6. Deidentified Data

Fireflies.ai may create and derive Deidentified Data to improve Fireflies.ai's products and services and for other business purposes. With respect to Deidentified Data, Fireflies.ai will: (a) take reasonable technical and organizational measures designed to ensure that such data cannot be associated with a Data Subject and (b) Process such data only in a de-identified fashion and not attempt to re-identify such data, except as permitted by Data Protection Law.

2.7. Service Data

Notwithstanding anything to the contrary in the Terms and this DPA, Customer agrees that Fireflies.ai shall have the right to Process data relating to the operations, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, sales, marketing, customer support, product development, and for any other lawful purposes. To the extent that such data includes Personal Data, Fireflies.ai is the Controller for such Processing and will Process it in accordance with Fireflies.ai's Privacy Policy and Data Protection Law. For clarity, the data covered by this section does not include User Content and is not subject to the terms of this DPA.

3.1. Data Subject Requests

Customer shall be responsible for responding to Data Subject Requests that relate to Customer Personal Data. In the event a Data Subject Request is made directly to Fireflies.ai, Fireflies.ai will, to the extent legally permitted, inform Customer of the request without undue delay. Fireflies.ai will not respond to the request directly, other than to advise the Data Subject to submit the request to Customer directly. To the extent Customer does not have the ability to address the Data Subject Request on its own, Fireflies.ai will, at Customer's request, provide commercially reasonable assistance to Customer to respond to such request.

3.2. Data Protection Impact Assessments, Cybersecurity Audits, and Regulatory Consultations

Taking into account the nature of Processing and the information available to Fireflies.ai, Fireflies.ai will provide commercially reasonable efforts to assist Customer in ensuring compliance with obligations related to data protection impact assessments, cybersecurity audits, and consultations with regulatory authorities, to the extent required by Data Protection Law.

4.1. Security

Fireflies.ai will implement and maintain appropriate Security Measures. Fireflies.ai may, from time to time, update its Security Measures, provided the new measures do not materially reduce the level of security. Customer agrees that the Services, the Security Measures, and Fireflies.ai's commitments under this DPA are adequate to meet Customer's needs, including with respect to any security obligations of Customer under Data Protection Law, and provide a level of security appropriate to the risk taking into account the nature of Customer Personal Data. To the extent Customer Personal Data is collected, stored, or otherwise processed by an Artificial Intelligence System, Fireflies.ai will assist Customer in complying with requirements related to the security of Processing Customer Personal Data.

4.2. Notice and Assistance

Fireflies.ai will notify Customer without undue delay if it becomes aware of a Security Incident. Fireflies.ai will provide Customer with information (insofar as such information is within Fireflies.ai's possession and knowledge and does not otherwise compromise the security or confidentiality of any other data in Fireflies.ai's possession or control) designed to allow Customer to meet its obligations under Data Protection Law. Fireflies.ai will take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident. Fireflies.ai will take commercially reasonable steps, as may be requested by Customer, to assist in the investigation of the Security Incident. Fireflies.ai's notification of, or response to, a Security Incident shall not be construed as Fireflies.ai's acknowledgement of any fault or liability with respect to the Security Incident.

4.3. Notification to Fireflies.ai

If Customer decides to notify any governmental entity, Data Subject(s), the public, or others of a Security Incident, to the extent such notice directly or indirectly refers to or identifies Fireflies.ai, Customer will notify Fireflies.ai in writing in advance of such notice and will, in good faith, consult with Fireflies.ai and consider any clarifications or corrections Fireflies.ai may reasonably recommend or request.

5.1. Fireflies.ai will, on Customer's reasonable written request and no more than once per year, provide Customer with information to demonstrate compliance with Fireflies.ai's obligations under this DPA and Data Protection Law. Such information will be deemed Fireflies.ai's confidential information.

5.2. Fireflies.ai will allow for and contribute to audits and inspections by, or on behalf of Customer, at Customer's sole expense. Such audits or inspections must be conducted in a manner that is minimally disruptive to Fireflies.ai's business, necessary to confirm that Fireflies.ai is Processing Customer Data in a manner consistent with this DPA, and conducted no more than once per year. Where permitted by Data Protection Law, Fireflies.ai may instead provide Customer with a summary of its audit reports. Such results and documentation, including the results of any audits or inspections, shall be Fireflies.ai's confidential information, and Fireflies.ai has no obligation to share confidential information until the parties execute a nondisclosure agreement.

6.1. Appointment of Subprocessors

Customer authorizes Fireflies.ai to use Subprocessors. Customer specifically consents to Fireflies.ai's appointment of the Subprocessors identified in the Subprocessors List.

6.2. Objection Right for New Subprocessors

Fireflies.ai will notify Customer of any changes to the Subprocessor List prior to engaging a new Subprocessor. If Customer objects to the use of a new Subprocessor, it must send an email to [email protected] within thirty (30) days of receiving notice of the changes, clearly indicating its desire to object. Fireflies.ai and Customer will cooperate in good faith to resolve Customer's objection. If the parties are unable to resolve Customer's objection within a reasonable timeframe, then Customer may, as its sole and exclusive remedy, cancel the Services that Fireflies.ai indicates cannot be provided without the objected-to Subprocessor by providing written notice to Fireflies.ai and receive a refund of any prepaid, unused fees related to the canceled Services. If Customer does not object to Fireflies.ai's appointment of a Subprocessor during the objection period, Customer shall be deemed to have approved the engagement and ongoing use of that Subprocessor.

6.3. Liability

Fireflies.ai will impose data protection obligations upon any Subprocessor that are no less protective of Customer Personal Data than those included in this DPA. Fireflies.ai will remain liable to Customer for any breach of such obligations by its Subprocessors as it would for its own acts and omissions.

7.1. Overview

The parties will collaborate to ensure that the Processing of Customer Personal Data under the DPA complies with Data Transfer restrictions under Data Protection Law.

7.2. Data Privacy Framework

Fireflies.ai is self-certified under the Data Privacy Framework. When Customer transfers Customer Personal Data originating from the European Economic Area (“EEA”), the UK or Switzerland to Fireflies.ai for Processing in the United States, Fireflies.ai will receive such data under the Data Privacy Framework and comply with the data privacy principles set out in the Data Privacy Framework. Fireflies.ai will notify Customer, without undue delay, if its self-certification under the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated.

7.3. EU Standard Contractual Clauses

In the event the parties cannot rely on the Data Privacy Framework to validate Data Transfers from the EEA, UK or Switzerland to the United States, the parties will conduct such Data Transfers pursuant to the SCCs, which are incorporated into this DPA and deemed executed by this reference. The parties agree to comply with the general clauses and with Module 2 (where Customer is a Controller) or Module 3 (where Customer is a Processor).

7.4. UK International Data Transfer Addendum

To the extent Customer Personal Data subject to the UK GDPR is subject to a Data Transfer, the parties will conduct such transfers pursuant to the SCCs in tandem with the UK IDTA, which is incorporated by this reference.

7.5. Transfers Subject to Swiss Data Protection Law

To the extent Customer Personal Data subject to the Swiss Federal Act on Data Protection (“FADP”) is subject to a Data Transfer, the parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the Data Transfer is governed by the FADP; references to a “Member State” and “EU Member State” will not be read to prevent Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and references to “GDPR” in the SCCs will be understood as references to the FADP.

Subject Matter and Duration of Processing

Fireflies.ai Processes Customer Personal Data to provide the Services in accordance with the Terms. The duration of Processing will be the duration of the Terms and such time required thereafter for the parties to perform their applicable obligations following termination or expiration of the Terms, including data deletion.

Nature and Purpose of Processing

Fireflies.ai will Process Customer Personal Data to provide the Services and for the following business purposes:

• Ensuring security and integrity of Customer Personal Data
• Debugging to identify and repair errors that impair existing intended functionality
• Maintaining or servicing accounts
• Providing customer service
• Providing analytics services
• Providing storage services
• Providing advertising and marketing services, except for cross-context behavioral advertising
• Auditing related to counting ad impressions or verifying positioning and quality of ad impressions

Types of Customer Personal Data

Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. This may include, but is not limited to, the following categories of data:

• Calendar or meeting details (e.g., meeting titles, calendar details or metadata)
• Meeting content (e.g., audio or visual streams, recordings, or voice inputs collected during a meeting)
• Communications content (e.g., emails, chat logs, and messages)
• Text and other submitted materials (e.g., notes, uploaded text, prompt inputs, photos/other materials)
• Transcript data and content derived from User Content (e.g., meeting transcripts or summaries)
• Any other Personal Data included in User Content that Customer provides or makes available

Categories of Data Subjects

Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include Personal Data relating to Customer's prospects, customers, end users, business partners, vendors, employees, agents, advisors, contractors, and freelancers.

EU SCCs Elections

The SCCs will be modified as follows:

• Clause 7: the optional docking language is deleted.
• Clause 8.9: the audits shall be conducted according to the audit provisions of this DPA.
• Clause 9: option 2 applies and changes to Subprocessors will be notified in accordance with the Subprocessors section of this DPA.
• Clause 11: the optional language is deleted.
• Clauses 17 and 18: Fireflies.ai and Customer agree that the governing law and forum for disputes will be the laws and courts of France (without reference to conflicts of law principles).

The Annexes of the SCCs will be deemed completed with the information set forth in this DPA. The supervisory authority that will act as competent supervisory authority will be determined in accordance with the GDPR.

Special Categories of Data (as applicable)

To the extent that such data is submitted to the Services, it is determined and controlled by Customer in its sole discretion. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer's end users to transmit or process, any special categories of data or sensitive data via the Services.

Frequency of Transfers

Fireflies.ai will import Customer Personal Data on a continuous basis.