Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the Patent Bots Terms and Conditions or other agreement ("Agreement") governing your ("Customer") use of Patent Bots. This DPA outlines the terms under which Patent Bots processes Personal Data on your behalf in accordance with applicable data protection laws, including but not limited to the European General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and the California Privacy Rights Act ("CPRA").

1. DEFINITIONS

• "Data Protection Laws" means all applicable laws relating to Processing of Personal Data and privacy that may exist now or in the future in any relevant jurisdiction, including European Data Protection Laws and US Data Protection Laws.
• "Data Controller", "Data Processor", "Subprocessor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" will be interpreted in accordance with applicable Data Protection Laws in the relevant jurisdiction. Where applicable Data Protection Laws do not define Data Processor, it means a natural or legal person that processes Personal Data on behalf of a Data Controller.
• "Services" includes any product or service provided by Patent Bots to Customer.
• "Customer Data" means any Personal Data that Patent Bots processes on behalf of Customer as a Data Processor in the course of providing Services.

2. SCOPE

For any Customer Data processed under the Agreement, Patent Bots acts as a Data Processor, and Customer and its affiliates, if any, act as the Data Controller. For any Personal Data that Patent Bots receives from the USPTO or other public sources, Patent Bots acts as a Data Controller.

The Customer will:

• ensure that all Customer Data, is collected, processed, transferred and used in full compliance with Data Protection Laws;
• be solely responsible for ensuring that it has all obtained all necessary authorizations and consents from any Data Subjects to Process Customer Data;
• instruct Patent Bots to process Customer Data to provide the Services; and
• not provide Patent Bots with any sensitive or special categories of Personal Data.

Patent Bots will:

• comply with all applicable Data Protection Laws in the Processing of Customer Data;
• not Process Customer Data other than on Customer's documented instructions, unless required to do so by laws to which Patent Bots is subject, in such a case, Patent Bots will inform Customer of that legal requirement before Processing; and
• not directly or indirectly sell or share any Customer Data, except that Patent Bots may share Personal Data that is has received from public sources, such as the USPTO.

The types of Personal Data Processed and the purposes of Processing are described in our Privacy Policy. This Data Processing Addendum supplements those descriptions and governs our obligations as a Data Processor under applicable Data Protection Laws. Patent Bots will process the Personal Data for the duration of the Agreement with the Customer for the Services, unless otherwise required by law.

Patent Bots acknowledges that it is a Service Provider under the CCPA and that all Personal Data that it may receive from Customer will be regarded by Patent Bots as strictly confidential and held by Patent Bots in confidence.

Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including without limitation, exercising Customer's right to conduct an audit of Patent Bots, or requesting deletion or return of Personal Data.

3. SECURITY MEASURES

Patent Bots implements and maintains industry-standard technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include, but are not limited to:

• Personal Data is encrypted in transit (using TLS 1.2+ protocols) and at rest (using AES-256 or equivalent encryption standards).
• Role-based access controls, multi-factor authentication (MFA) for administrative accounts, and strict access protocols to limit access to Personal Data to authorized personnel only.
• Persons authorized to access Personal Data are under agreements to maintain the confidentiality of the Personal Data.
• Annual third-party penetration tests.
• Weekly vulnerability scans.
• Annual SOC 2 audits (report available upon request).

In the event of a Personal Data Breach, Patent Bots will notify Customer without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected.
• The likely consequences of the breach.
• The measures taken or proposed to be taken by Patent Bots to address the breach and mitigate its potential adverse effects.

4. SUB-PROCESSORS

Customer authorizes Patent Bots to use the services of Sub-Processors on our Sub-Processor list.

Sub-Processors are permitted to Process Personal Data only to deliver the services that Patent Bots has retained them to provide and as defined herein. Sub-Processors are prohibited from Processing Personal Data for any other purpose.

Patent Bots may update the list of Sub-Processors from time to time. Patent Bots will provide Customer with notice of such updates at least 30 days in advance of providing any Personal Data to a new Sub-Processor. The notice will include the Personal Data to be provided to the Sub-Processor, and the Processing to be performed by the Sub-Processor. Where Customer does not agree to Patent Bots’ engagement with the Sub-Processor, Customer must terminate the Agreement for Patent Bots Services as described in the UPDATES section below.

5. DATA SUBJECT RIGHTS

Patent Bots will assist Customer in responding to Data Subject requests (e.g., access or deletion) by taking appropriate technical and organizational steps, where possible. If Patent Bots receives a Data Subject request, it will inform Customer and only respond as instructed by Customer or as required by law.

6. AUDIT RIGHTS

Patent Bots will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Where necessary and with reasonable notice, Patent Bots will cooperate with Customer’s audits or inspections to assess compliance with this DPA. Any audit rights will be at the cost of Customer, Patent Bots may charge a reasonable fee for its assistance with any audits.

7. DATA RETENTION & DELETION

Upon request, Patent Bots will delete Personal Data received from Customer, subject to the following constraints:

• Retention Periods: Any Personal Data in logs or backups will be retained according to our retention periods.
• Due Diligence: Any Personal Data may be retained where needed for auditing, disputes, or compliance.
• Feasibility: Complete deletion may not be feasible in all cases. For example, Patent Bots is not able to purge all mentions of an email address in our email clients.
• Legitimate Use: We may keep minimal personal data for business records.

8. DATA TRANSFERS AND STANDARD CONTRACTUALCLAUSES

Patent Bots stores Personal Data on its servers in the United States. Users who login to the Patent Bots website will transfer data from their location to the United States.

In the event that personal data is transferred from the European Economic Area or the United Kingdom to the United States or another third country that does not ensure an adequate level of protection for Personal Data, the Standard Contractual Clauses (SCCs) will apply as a safeguard for the transfer of Personal Data, in accordance with applicable Data Protection Laws. The EU Standard Contractual Clauses and the Appendices to the UK Standard Contractual Clauses are hereby incorporated as described below.

In relation to the EU Standard Contractual Clauses:

• optional clause 7 is excluded;
• for the purposes of clause 9, option 2 (general written authorization for subprocessors) shall apply and the Parties agree that the time period for notifying changes to the list shall be as described herein;
• for the purposes of clause 17, the clauses shall be governed by the laws of Ireland;
• for the purposes of clause 13 and clause 18, the courts of Ireland shall have jurisdiction;
• for Annex I, Patent Bots is the data importer and Data Processor, Customer is the data exporter and Data Controller, the description of transfer is described in our Privacy Policy, and the supervisory authority is the Data Protection Commission of Ireland;
• for Annex II, the technical and organizational measures to ensure the security of the data is described in our annual SOC 2 report that is available upon request; and
• for Annex III, the list of Sub-Processor is available on our sub-processor list.

In relation to the UK Standard Contractual Clauses, the details of the parties in table 1 will be as described herein; for the purposes of table 2, the Addendum shall be appended to the EU Standard Contractual Clauses as defined above; and the appendix information listed in table 3 is as described herein.

In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail with respect to Personal Data transfers.

9. UPDATES

Patent Bots may update this Data Processing Addendum or its list of Sub-Processors from time to time. Patent Bots will provide Customer with notice of such updates at least 30 days in advance of (1) the effective date of an updated Data Processing Addendum or (2) providing any Personal Data to a new Sub-Processor.

Where Customer does not agree to an updated Data Processing Addendum or Patent Bots’ engagement of a new Sub-Processor, Customer must terminate its Agreement with Patent Bots for the Services within the 30-day period. Customer will have no liability for such termination, and Patent Bots will provide Customer with a pro-rated refund for any amounts paid for the Services.

Customer's continued use of Patent Bots Services after the 30-day period constitutes agreement to the updated Data Processing Addendum and/or additional Sub-Processors.

Please contact us at support@foopatentbots.com with any questions regarding this Data Processing Addendum.

Last Updated: April 13, 2025