Expert AI LabsData Processing Addendum
Effective April 24, 2026 ยท Version 1.0
This DPA is incorporated by reference into our master services agreement when you sign as a customer. Standard form available below; an executed PDF version is provided on contract signing.
1. Definitions
In this Addendum, the following terms have the following meanings, in addition to any defined terms used in the Agreement:
- "Agreement" means the master services agreement, terms of service, or order form between Expert AI Labs and Customer governing access to the Service.
- "Applicable Data Protection Laws" means the GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and any other comparable data protection or privacy laws applicable to the Processing of Customer Personal Data.
- "Customer" means the entity that has entered into the Agreement.
- "Customer Personal Data" means Personal Data that Expert AI Labs Processes on behalf of Customer in providing the Service.
- "Data Subject", "Personal Data", "Processing", "Processor", "Controller", and "Supervisory Authority" have the meanings given in the GDPR.
- "Service" means the Expert AI Labs platform and any related services provided to Customer.
- "Subprocessor" means a third party engaged by Expert AI Labs to Process Customer Personal Data.
2. Roles and scope
With respect to Customer Personal Data, Customer is the Controller and Expert AI Labs is the Processor. Each party shall comply with its respective obligations under Applicable Data Protection Laws. Expert AI Labs shall Process Customer Personal Data only for the purposes of providing the Service and on documented instructions from Customer (including those set forth in the Agreement and this Addendum).
3. Nature, purpose, and duration of Processing
- Subject matter: Processing of Customer Personal Data necessary to provide the Service.
- Duration: The term of the Agreement plus any post-termination period during which Expert AI Labs retains Customer Personal Data for backup, audit, or legal-hold purposes.
- Nature and purpose: Hosting, transmission, AI-assisted classification, content generation, workflow automation, integration with third-party services authorized by Customer, audit logging, and customer support.
- Categories of Data Subjects: Customer's employees, contractors, end users, leads, prospects, customers, and other individuals whose Personal Data is included in records Customer uploads to or generates within the Service.
- Categories of Personal Data: Name, contact details (email, phone, address), business affiliation, communication content, call recordings and transcripts, photos and media of property and damage (with possible incidental personal images), structured business records, and other categories Customer chooses to upload or capture.
4. Customer instructions
The Agreement, this Addendum, and Customer's configurations within the Service constitute Customer's complete documented instructions for the Processing of Customer Personal Data. Expert AI Labs will inform Customer if it believes an instruction violates Applicable Data Protection Laws.
5. Confidentiality of personnel
Expert AI Labs ensures that personnel authorized to Process Customer Personal Data are bound by appropriate written confidentiality obligations.
6. Security measures
Expert AI Labs implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures are summarized at /security (the "Trust Center") and include, at minimum:
- Encryption of Customer Personal Data in transit (TLS 1.3) and at rest (AES-256)
- Tenant data isolation enforced at the database layer (row-level security)
- Role-based access controls and the principle of least privilege
- Centralized, immutable audit logging
- Backup and disaster recovery procedures with point-in-time recovery
- Incident response procedures with breach-notification commitments
- A formal SOC 2 readiness program (Type I targeted within 6 months of the effective date of this Addendum)
7. Subprocessors
Customer authorizes Expert AI Labs to engage Subprocessors. The current Subprocessors are listed at /security#subprocessors and reproduced in Schedule A below. Expert AI Labs shall:
- Enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set out in this Addendum;
- Notify Customer at least thirty (30) days prior to engaging any new Subprocessor that will Process Customer Personal Data, by updating the Trust Center page and (where Customer has subscribed) sending an email notification to the Customer's designated contact;
- If Customer objects in writing within fifteen (15) days of notification, the parties will work in good faith to address Customer's concerns; if no resolution is reached, Customer may terminate the affected portion of the Service for convenience.
8. Data subject rights
Expert AI Labs shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to respond to requests from Data Subjects. Customer may exercise the following rights through the Service or by contacting privacy@expertailabs.ai: access, rectification, erasure, restriction, portability, and objection. Standard SLA: thirty (30) days.
9. Personal data breach notification
Expert AI Labs shall notify Customer without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include: a description of the nature of the breach, categories and approximate volume of Personal Data and Data Subjects affected, likely consequences, and measures taken or proposed to address the breach and mitigate possible adverse effects.
10. Data Protection Impact Assessments
Expert AI Labs shall provide reasonable assistance to Customer with any data protection impact assessments, prior consultations with Supervisory Authorities, or similar exercises required of Customer under Applicable Data Protection Laws.
11. Audits and inspections
Customer (or its authorized auditor) may, no more than once in any 12-month period, audit Expert AI Labs's compliance with this Addendum upon thirty (30) days' written notice. Such audits shall occur during normal business hours, at Customer's expense, subject to a confidentiality agreement, and shall not unreasonably disrupt Expert AI Labs's operations. Where available, Expert AI Labs's then-current SOC 2 report shall be deemed to satisfy any such audit request unless additional information is required by Applicable Data Protection Laws.
12. International data transfers
The Service is hosted in the United States. To the extent that Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country not deemed adequate under Applicable Data Protection Laws, the parties incorporate the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) by reference. The UK International Data Transfer Addendum and the Swiss-specific clauses are incorporated mutatis mutandis where applicable.
13. Return or deletion of Personal Data
Upon termination or expiration of the Agreement, and at Customer's election, Expert AI Labs shall return all Customer Personal Data to Customer in a structured, machine-readable format (default JSON), or delete all such data from its production systems within thirty (30) days. Backup copies will be deleted in accordance with Expert AI Labs's standard backup-rotation schedule, in any event no later than ninety (90) days after termination. Audit-log records of administrative actions, scrubbed of personal data beyond actor identifiers, are retained for seven (7) years.
14. Liability
Each party's liability under or in connection with this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement.
15. Governing law and order of precedence
This Addendum is governed by the law specified in the Agreement. In the event of any conflict between the Agreement and this Addendum, this Addendum prevails to the extent of the conflict, but only with respect to the Processing of Customer Personal Data.
Schedule A โ Subprocessors
Current Subprocessors as of the effective date of this Addendum. The most current list is maintained at /security#subprocessors.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel, Inc. | Application hosting, serverless compute, edge network, build pipeline | United States |
| Supabase, Inc. | Primary database, authentication, file storage, row-level security | United States (us-east-1) |
| Anthropic, PBC | Large language model inference for content generation, classification, summarization | United States |
| OpenAI, L.L.C. | Large language model inference, audio transcription (Whisper), embeddings, vision | United States |
| Resend, Inc. | Transactional email delivery, deliverability monitoring, webhook event stream | United States |
| Twilio, Inc. | SMS, voice, programmable messaging for lead-intake callback flows | United States |
| CallRail, LLC | Inbound call tracking, recording, transcription source | United States |
| Google LLC (Workspace, Ads, Maps Platform) | Email infrastructure (Workspace), conversion event reporting (Ads), business listing data (Maps), reCAPTCHA | United States |
| SemRush Inc. | SEO research, keyword ranking, competitive analysis | United States |
| HeyGen Labs, Inc. | AI video generation from text scripts (per-franchise avatar configured manually) | United States |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, bot management for public marketing surface | Global edge |
Contact
Expert AI Labs
Privacy: privacy@expertailabs.ai
Security: security@expertailabs.ai
Legal: legal@expertailabs.ai
Need a signed copy?
Email legal@expertailabs.ai with your company name and we'll execute a DPA in 1 business day.
Request signed DPA