Data Processing Addendum

Where applicable, this Data Processing Addendum (“DPA”) is hereby incorporated in the Newo Terms of Service (the “Terms”), found at https://www.newo.ai/terms-of-service , unless you (“Customer”) have entered into a superseding written agreement with Newo Inc., a Delaware corporation with its principal place of business located at 2261 Market Street #5263 San Francisco, CA 94114 USA, in which case, it forms a part of such written agreement. All capitalized terms not defined herein shall have the meaning set forth in the Terms. Unless you have a superseding written agreement with Newo Inc., Newo may amend this Data Processing Addendum from time to time on its Website (https://newo.ai), as its business evolves. Any revisions will become effective on the date Newo publishes the changes. You can review the most current version of the Data Processing Addendum at any time by visiting this page. If Customer uses the Cloud Services after the effective date of any changes, that use will constitute the acceptance of the revised Data Processing Addendum.
DPA specifies the data protection obligations of the parties, which arise from contract data processing on behalf, as stipulated in the Terms. It applies to all activities performed in connection with the Terms in which the staff of Newo or a third party acting on behalf of Newo may come into contact with Customer Data.
DPA sets out the additional terms, requirements and conditions on which Newo will process Customer Data when providing services under the Terms. DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) (“GDPR”).

1. DEFINITIONS AND INTERPRETATION

The following capitalized terms shall have the meaning ascribed to them below:
“Newo”, “Newo Inc.,” “we” or “us”, means Newo Inc., a Delaware corporation with its principal place of business located at 2261 Market Street #5263 San Francisco, CA 94114 USA.
“Customer” means the entity which determines the purposes and means of Processing of Customer Data.
“Customer Data” means any “Personal Data” (as defined in GDPR) that is provided by or on behalf of Customer in the course of using the Cloud Services and Processed by Newo pursuant to DPA.
“Data Protection Regulator” means the applicable supervisory authority with jurisdiction over either party, and in each case any successor body from time to time;
“Data Subject” has the meaning set out in GDPR;
“Data Controller” has the meaning set out in GDPR;
“Data Processor” has the meaning set out in GDPR;
“Instruction” means the written instruction issued by Customer to Data Processor in order to direct Data Processor to perform a specific action with regard to Customer Data (including, but not limited to, de-personalizing, blocking, deletion, making available). Instruction shall initially be specified in DPA and may, from time to time, thereafter, be amended, amplified or replaced by Customer in separate written instruction (individual instruction).
“Privacy Laws” means all applicable data protection and privacy legislation, regulations and guidance governing the protection of Personal Data including but not limited to Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”); and
“Process”, “Processing” or “Processed” have the meaning set out in GDPR.
“Personal Data Breach” has the meaning set out in GDPR.

2. PROTECTION OF PERSONAL INFORMATION

2.1. Supersedence. DPA shall supersede any and all provisions of the Terms inconsistent herewith.

2.2. Data Controller and Data Processor. The Parties acknowledge that the Customer is the Data Controller and Newo is the Data Processor of Customer Data. Newo will Process Customer Data in accordance with DPA. In some circumstances, Customer may be a Processor, in which case Customer appoints Newo as Customer’s sub-processor, which shall not change the obligations of either Customer or Newo under DPA, as Newo will always remain a Processor with respect to Customer in such event.

2.3. Customer’s Obligations. Customer warrants that Customer Data has been obtained fairly and lawfully and, in all respects in compliance with the Privacy Laws.

2.4. Newo’s Obligations as Data Processor.

Newo shall:

2.4.1. Process Customer Data only within the scope of Customer’s Instructions as set-out in DPA, including with regard to transfers of Customer Data to a third country, save where:

2.4.1.1. such Instructions are not compliant with Privacy Laws;

2.4.1.2. such Instructions would cause Newo to breach its own obligations under Privacy Laws or the Terms or any other agreement with a third party;

2.4.1.3. Newo is under a legal obligation to Process Customer Data, in which case Newo shall inform Customer of the legal obligation, except to the extent the law prohibits it from doing so; and/or

2.4.1.4. such Instructions severely violate functionality of the Cloud Services (e.g. functioning of the Cloud Services IT infrastructure), including but not limited to its existence.

2.4.2. inform the Customer if, in its opinion, an Instruction received from Customer infringes the Privacy Laws;

2.4.3. ensure that all Newo employees and personnel who are involved in the Processing of Customer Data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality;

2.4.4. undertake to enter into a written agreement with any applicable sub-processors and such agreement will contain the same data protection obligations as set out in DPA. Newo will remain responsible for its compliance with the obligations stated herein and for any acts or omissions of the sub-processors. Customer acknowledges that Newo’s contractual obligations hereunder, or the parts of the Cloud Services, will be performed by a subcontractor and consents to use of sub-processors by Newo as described in DPA to fulfil its contractual obligations under the Terms and to provide certain services on Newo’s behalf.

2.4.5. Newo may, by giving no less than thirty (30) days’ notice to Customer and/or publishing the changes in DPA on the Website (https://newo.ai/), add or make changes to the sub-processors. Customer may object to the appointment of an additional sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of Customer Data, in which case Newo shall have the right to cure the objection through one of the following options (to be selected at Newo’s sole discretion):

  • (a) Newo will cancel its plans to use the sub-processor with regard to Customer Data or will offer an alternative to provide the Cloud Services without such sub-processor; or

  • (b) Newo will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the sub-processor with regard to Customer Data; or

  • (c) Newo may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Cloud Services that would involve the use of such sub-processor with regard to Customer Data, subject to a mutual agreement of the parties to adjust the remuneration for the Cloud Services considering the reduced scope of the Cloud Services.

If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within 30 days after Newo’s receipt of Customer’s objection, either party may terminate the Terms.

2.4.5.1. Newo may use the following Subprocessors to host Customer Data or provide other infrastructure and Service functions:

  • Microsoft Corporation (Microsoft Azure, GitHub) – infrastructure, CI/CD, code repositories

  • Google LLC (Google Workplace, SSO) – infrastructure, mail & files collaboration

  • OpenAI, L.L.C., (ChatGPT) – LLM, TTS, STT

  • Anthropic, PBC (Claude.ai, Anthropic API) – LLM, TTS, STT

  • Groq, Inc. – LLM, TTS, STT

  • Atlassian Pty Ltd (Jira) – task / bug tracking

  • Wix.com Ltd. – website, marketing tools

  • Automattic Inc. (WordPress) – website, marketing tools

  • Slack Technologies – chat collaboration

  • RealtimeBoard, Inc. (Miro) – scheme collaboration

  • Salesforce.com, Inc. – customer information

  • Pipedrive Inc. – customer information

  • Zoom Video Communications, Inc. – voice collaboration

  • Sophos Ltd – antivirus, training

  • Twilio Inc. (Sendgrid) – TTS, STT, messaging, mail delivery

  • Cloudflare, Inc. – DNS, WAF, proxy

  • browserless.io, Inc. – browser automation

  • Embodied, Inc. – TTS, STT, messaging, video analytics

  • Meta Platforms Ireland Limited (WhatsApp) – messaging

  • Telegram Messenger Inc. – messaging

  • Zapier, Inc. (Zapier) – messaging, collaboration, data integration

  • Celonis, Inc. (Make.com) – messaging, collaboration, data integration

 

2.4.6. implement and maintain following appropriate technical and organizational security measures to protect against unauthorized or unlawful Processing of the Customer Data and against accidental loss, disclosure or destruction of, or damage to, the Customer Data , taking into account the state of the art, costs of implementation and nature, scope, context and purposes of Processing:

2.4.6.1. pseudonymization and/or encryption of Customer Data;

2.4.6.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

2.4.6.3. the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and

2.4.6.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

2.4.7. Newo will, insofar this is possible, by appropriate technical and organizational measures, reasonably assist Customer with meeting Customer’s compliance obligations with respect to the rights exercised by Data Subjects under the Privacy Laws (particularly the Data Subject’s Rights stated in Chapter 3 of the GDPR and related to Data Subject’s requests), taking into account the nature of the Processing. Taking into account the nature of Processing and any information available to Newo, Newo will further assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, in particular its obligations to undertake data protection impact assessments and report to and consult with supervisory authorities under the Privacy Laws. In a situation where requested level of assistance will be excessive or unreasonably burdensome for Newo, any such assistance will be exercised at Customer’s cost.

2.4.8. make available to Customer or an independent third party auditor mandated by the Customer (but not being a competitor of Newo or affiliated with Newo’s competitor), to a maximum of once a year or when a Personal Data Breach is reasonably suspected, all reasonable information that Newo deems necessary to demonstrate compliance with the obligations imposed on Newo under Section 2 of DPA, and allow for and contribute to audits, including inspections for the sole purpose of demonstrating such compliance. Notwithstanding of the above, if an audit is excessive or unreasonably burdensome for Newo, then Customer shall reimburse Newo for such excessive or unreasonably burdensome audit. Newo may object to the deployment of a specific auditor if such auditor is not subject to confidentiality regarding the results of such audit (except vis-à-vis Newo and Customer); and

2.4.9. unless required by law, at Customer’s request following termination or expiry of the Terms for whatever reason, securely delete all of the Customer Data.

2.5. Data Centers and International Data Transfers. Newo Cloud Services accessible through the domain name newo.ai are hosted in the United States by Google Cloud. Newo is authorized to process Customer Data itself as well as including its engagement of sub-processors in accordance with DPA outside the country in which Customer is located including countries where the data protection may not be as stringent in the country of (i) Customer’s domicile and/or registered address or (ii) the EEA.

Newo shall process Customer Data outside of the EEA as permitted under the Privacy Laws as follows:

(i) Customer Data of an EEA based Customer is processed in a country outside the EEA (a “third country”) that is determined by the European Union to have adequate level of data protection under Art. 45 GDPR; or

(ii) Customer Data is processed in a third country pursuant to adequate safeguards under Art. 46 GDPR including, but not limited to execution of Standard Contractual Clauses or an approved code of conduct or other appropriate safeguards (for instance EU-U.S. Privacy Shield/Swiss-U.S. Privacy Shield mechanism). In the event of using the SCC, Customer hereby (itself as well as on behalf of each Controller established within the EEA or Switzerland) accedes to the SCC between Newo and the sub-processor. Newo will enforce the SCC against the sub-processor on behalf of the Customer or Data Subject if a direct enforcement right is not available under Privacy Laws.

3. INSTRUCTIONS FOR PROCESSING OF CUSTOMER DATA

Newo will Process Customer Data in accordance with the following instructions:
Categories of Data Subjects: Customer’s employees and End-Users.

The nature of Processing under this DPA: handling (including recording, structuring, organization) storing, sharing with subprocessors, accessing and reviewing Customer Data for the Processing purposes set out in this DPA.

Categories of customer Data
1. Account ID: Email address
2. Job-related Profile Information (e.g. First and last name; Job Title; Timezone; Department/Group; Employee ID)
3. End User Activity Data (e.g. IP Address; Email Meta Data; Content of the message; Other connected corporate sources data)
4. End User other information that Shared on the Cloud Services by Customer or End Users

Purposes of processing
1. To provide Cloud Services in order to deliver End User Flow experience.z
2. To provide support services (Account ID, Job-related Profile Information)
3. To develop and improve our Cloud Services (Account ID, Job-related Profile Information, End User Activity Data and other information).

Duration of processing
During the period of duration of the Terms.
Upon written request from Customer’s authorized representative (which for purposes of this section is any Customer employee that is either a billing owner or an Administrator of the Service or who has confirmed in writing that they are authorized to make decisions on behalf of the Customer), Newo Inc. shall delete or anonymize such Personal Data from the main servers during 1 month after such request in accordance with its requirements under Applicable Law.
Newo Inc. will delete Personal Data from archival and back-up files in 6 months after such request provided by Newo’s internal data deletion practices and as required by Applicable Law.