Data Processing Addendum
Effective May 27, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Cloziq LLC, a Delaware limited liability company ("Cloziq," "Processor"), and the customer entity identified in the applicable order form, subscription, or click-through Terms of Service ("Customer," "Controller") for the use of the Cloziq AI sales-agent platform (the "Service"). It applies whenever Cloziq processes Personal Data (as defined below) on behalf of Customer in connection with the Service.
In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA controls.
1. Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service. The following terms have the meanings given them in the GDPR, UK-GDPR, CCPA, or other applicable Data Protection Law, as the context requires:
- Controller (a.k.a. "Business" under CCPA)
- Processor (a.k.a. "Service Provider" under CCPA)
- Sub-Processor
- Data Subject ("Consumer" under CCPA)
- Personal Data ("Personal Information" under CCPA)
- Processing
- Security Incident
- Data Protection Law — collectively, the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK Data Protection Act 2018 and the UK-GDPR, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA"), and any other applicable privacy or data-protection law.
2. Roles and Scope
For the purposes of Data Protection Law, Customer is the Controller and Cloziq is the Processor of Personal Data processed in connection with the Service. Cloziq will Process Personal Data:
(a) only on Customer's documented instructions, including those reflected in the Terms, this DPA, and Customer's configuration of the Service; (b) only for the purpose of providing, securing, and supporting the Service; and (c) in accordance with Data Protection Law.
The subject matter, nature, purpose, duration, and types of Personal Data and categories of Data Subjects are described in Annex I.
If Cloziq cannot comply with an instruction from Customer for legal or technical reasons, Cloziq will notify Customer without undue delay.
3. Customer Obligations
Customer is responsible for:
- having a valid legal basis for the Processing it instructs;
- providing all necessary notices and obtaining all necessary consents from Data Subjects, including in connection with the Instagram users whose messages will be processed by the Service;
- ensuring its use of the Service complies with applicable laws, including Meta's Platform Terms and the Instagram Platform Policy;
- the accuracy, quality, and legality of the Personal Data it submits to or routes through the Service.
4. Sub-Processors
Customer grants Cloziq a general authorization to engage Sub-Processors to assist in providing the Service. The list of Sub-Processors in effect on the Effective Date is set out in Annex II and is also maintained in our Privacy Policy.
Cloziq will:
- impose data-protection obligations on each Sub-Processor that are no less protective than those in this DPA;
- remain liable to Customer for the acts and omissions of its Sub-Processors with respect to Customer's Personal Data;
- give Customer at least 30 days' prior notice of any new Sub-Processor or any material change in the role of an existing Sub-Processor (by email to the Customer's billing contact or via in-product notice).
Customer may object in writing within that 30-day notice period on reasonable, documented data-protection grounds. If the objection cannot be resolved, either party may terminate the affected Service without penalty, prorating any prepaid fees.
5. Security
Cloziq has implemented and will maintain a documented information-security program with administrative, technical, and physical safeguards designed to protect Personal Data, including those described in Annex III ("Security Measures"). Cloziq will update its Security Measures from time to time but will not materially diminish the overall level of protection during the term.
Cloziq personnel with access to Personal Data are bound by written confidentiality obligations.
6. Personal Data Breach Notification
Cloziq will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of a confirmed Security Incident affecting Customer's Personal Data. The notification will include, to the extent then known:
- the nature of the incident;
- the categories and approximate volume of Personal Data and Data Subjects affected;
- the likely consequences;
- the measures taken or proposed to address the incident and mitigate harm;
- a contact point for further information.
Cloziq will cooperate reasonably with Customer's investigation and any required regulatory notifications, but will not notify any regulator or Data Subject on Customer's behalf without Customer's prior written instruction unless legally required to do so.
7. Data Subject Requests
Cloziq will, taking into account the nature of the Processing, provide reasonable assistance to Customer in responding to Data Subject requests for access, rectification, erasure, restriction of Processing, data portability, objection, or to withdraw consent. If Cloziq receives a Data Subject request relating to Customer's Personal Data, Cloziq will (a) promptly inform Customer and (b) not respond directly to the Data Subject (other than to confirm receipt and route them to Customer) unless authorized by Customer or required by law.
8. International Transfers
Cloziq is based in the United States and may transfer and Process Personal Data in the United States and other locations where its Sub-Processors operate (see Annex II).
For transfers of Personal Data subject to GDPR from the EEA to a country not deemed adequate by the European Commission, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor) by reference. The clauses are deemed completed as follows:
- Clause 7 (Docking): Optional clause not adopted.
- Clause 9 (Sub-Processors): Option 2 (general authorization), with the 30-day notice period set in Section 4.
- Clause 11 (Redress): The optional language is not adopted.
- Clause 17 (Governing Law): Republic of Ireland.
- Clause 18 (Forum and Jurisdiction): Courts of the Republic of Ireland.
- Annex I.A, I.B, I.C: Set out in Annex I of this DPA. Supervisory authority: the Irish Data Protection Commission.
- Annex II (Security Measures): Set out in Annex II of this DPA.
- Annex III (Sub-Processors): Set out in Annex III of this DPA.
For transfers from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum (Version B1.0) issued by the UK Information Commissioner's Office, with the SCCs above as the "Approved EU SCCs."
Swiss Transfers. For transfers of personal data subject to the revised Swiss Federal Act on Data Protection (FADP), the parties incorporate the EU SCCs above with the following adaptations: (a) references to the GDPR are deemed to include the FADP; (b) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC); (c) the governing law is Swiss law and the forum is the courts of Switzerland; and (d) the term "EU Member State" is interpreted to include Switzerland for the purposes of data-subject enforcement under Clause 18(c).
9. Audits
Cloziq will make available to Customer, on reasonable written request, the most recent third-party audit reports, certifications, or summary security documentation it has produced (for example, a SOC 2 Type II report once available, or a summary security questionnaire response).
Customer (or its mandated auditor) may, no more than once per twelve (12) months, request an audit limited to Cloziq's compliance with this DPA. Audits will be: (a) conducted on no less than 30 days' written notice; (b) scoped reasonably; (c) at Customer's expense; (d) conducted in a manner that does not unreasonably interfere with Cloziq's operations or breach the confidentiality of other customers' data; and (e) preceded by a non-disclosure agreement. Cloziq's then-current SOC 2 Type II report (or equivalent third-party security attestation), once available, satisfies this audit obligation. In lieu of an on-site audit, Cloziq may otherwise satisfy this obligation by providing reasonable documentary evidence and answering Customer's written questions.
10. Return or Deletion
Upon termination or expiration of the Service, and subject to applicable retention obligations under Section 12, Cloziq will return Customer's Personal Data in a commercially reasonable format on Customer's written request and then delete it within the timelines set out in the Privacy Policy. Backups will roll out of rotation in the ordinary course; Cloziq will not restore Personal Data from backups other than for disaster recovery.
11. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
12. Compliance Representations
Each party represents that it will comply with applicable anti-bribery, anti-corruption, export-control, and economic-sanctions laws (including the U.S. Foreign Corrupt Practices Act, the UK Bribery Act, and U.S. Office of Foreign Assets Control regulations) in performing under this DPA, and will not use the Service to deal with any person or entity on the U.S. Specially Designated Nationals list or in any country or region subject to comprehensive U.S. economic sanctions.
13. Term and Conflict
This DPA takes effect on the Effective Date and remains in force for so long as Cloziq Processes Personal Data on Customer's behalf. In the event of any conflict between this DPA and the Terms of Service, this DPA controls with respect to the Processing of Personal Data. In the event of any conflict between this DPA and the EU SCCs, the SCCs control.
14. Miscellaneous
- Order of precedence among legal docs: SCCs > this DPA > Terms of Service > Privacy Policy.
- Notices under this DPA may be sent to support@cloziq.com.
- Governing Law: This DPA is governed by the law of the Terms of Service, except where Data Protection Law mandates otherwise.
Annex I — Description of Processing
| Categories of Data Subjects | Customer's end users (Instagram users who DM Customer); Customer's authorized administrators and team members. |
| Categories of Personal Data | Identifiers (name, Instagram handle, email if provided); contact details (phone, when shared); business or transactional details (offers, prices, booking times); the content of Instagram conversations routed through the Service; technical data (IP address, device, timestamps). |
| Special Categories | None deliberately collected. Customer must not configure the Service to elicit special-category data (health, biometric, race, religion, etc.) from Data Subjects. |
| Nature and Purpose | Provision of the Cloziq AI sales-agent Service: reading and replying to DMs, qualifying leads, booking calls, issuing checkout links, security, support. |
| Duration | For the term of the Service, plus the retention periods in the Privacy Policy. |
Annex II — Security Measures
Cloziq's information-security program includes, at minimum:
- Access Control. Role-based access controls, multi-factor authentication for production, and periodic access reviews.
- Encryption. Encryption in transit using modern TLS and encryption at rest for primary data stores, object storage, and backups via provider-managed keys.
- Network Security. Production environments protected by network-edge controls including DDoS mitigation, rate limiting, and application-layer filtering.
- Logging and Monitoring. Centralized application and infrastructure logging with alerting for anomalous patterns.
- Vulnerability Management. Dependency monitoring, ongoing patching, and a coordinated-disclosure channel at support@cloziq.com.
- Personnel. Background checks where legally permitted; written confidentiality obligations; regular security training.
- Vendor Management. Security-and-privacy review of sub-processors prior to engagement.
- Incident Response. Documented incident-response plan with assigned roles and periodic exercises.
- Business Continuity. Encrypted backups maintained at a regular cadence with restoration verified periodically.
- Data Minimization. Collection limited to what is necessary for the Service; deletion per retention schedule.
These measures may evolve. Cloziq will not materially reduce overall protection during the term.
Annex III — Sub-Processors
The categories of sub-processors used to deliver the Service are summarized at /legal/privacy (Section 5.1) and incorporated here by reference.
A named list of sub-processors — including legal entity, role, region, and the personal-data categories each processes — is provided to subscribed customers under NDA on request to support@cloziq.com, and refreshed each time it materially changes. The named list is treated as Confidential Information under the Terms of Service.
Cloziq will provide notice of sub-processor changes per Section 4 of this DPA.
Contact: support@cloziq.com
Entity: Cloziq LLC, Delaware