LastBot Customer Service Agreement

    Revision 2.0
    This LastBot Customer Service Agreement ("Agreement") governs Customer's access to and use of Services provided by Provider.

    KEY TERMS SUMMARY

    TopicSummary
    OrderingService Orders incorporate this Agreement. Auto renew by default.
    SupportEmail and portal support provided as described in Agreement.
    Limits & AUPTechnical and commercial limits apply. Acceptable Use restrictions apply.
    FeesActivation and Service Fees are nonrefundable. Charges based on Provider-measured usage.
    DataCustomer owns Customer Data. Provider owns Service Data and Services.
    PrivacyProcessing per Agreement and Provider Privacy Policy. GDPR-compliant DPA included.
    ComplianceDo-not-contact, privacy, and export compliance obligations apply.
    LiabilityCap equals one-year fees; standard exclusions apply.

    1. Definitions

    Terms appear at first use and as specified in this section.

    • Activation Fee: One-time fee for initial activation or implementation of Service.
    • Agreement: This LastBot Customer Service Agreement, including all Exhibits.
    • Confidential Information: Nonpublic information disclosed under this Agreement.
    • Customer: The entity identified as Customer in the Agreement Details section.
    • Customer Data: Information provided by or for Customer through Services.
    • Customer Inputs: Customer Data required to provision or operate Service.
    • Fees: All charges specified in the Price List including Activation Fees, Service Fees, and Resource Fees.
    • Free Trial: A time-limited, capacity-limited no-charge evaluation of Service subject to Free Trial Constraints.
    • Free Trial Constraints: Restrictions on Free Trial usage as specified in Exhibit C.
    • IPR: Intellectual Property Rights.
    • Laws: Applicable statutes, regulations, rules, and binding standards.
    • Limits: Technical, commercial, or performance limits set out in Service Specification.
    • Non-Provider Services: Third-party products or services that interoperate with Services.
    • Privacy Policy: LastBot's privacy policy available at lastbot.com/privacy-policy.
    • Professional Services: Any consulting, implementation, training, or other services beyond standard Services, charged separately.
    • Provider: LastBot Europe Oy.
    • Resources: External telecom, cloud, models, APIs, data access, licensed software, and other third-party services used to provide Services.
    • Resource Fee: Usage-based metered charges for Customer's use of Resources.
    • Resource Deposit: A prepaid, non-interest-bearing security posted by Customer against Resource Fees.
    • Service: Provider's AI-powered customer service platform identified in this Agreement and specified in Service Specification.
    • Service Data: Operational data, metrics, telemetry, transcripts, learnings, and models generated from or about Services.
    • Service Fee: Recurring fee for Service as specified in Price List.
    • Service Specification: Documentation describing features, limits, and requirements of a Service (see Exhibit A).
    • Service Term: The period for Service as specified in Service Order Details.
    • Transferable Service: Other Service tiers eligible for upgrade or downgrade as identified in Service Specification.

    2. Service Provision

    2.1 Service Delivery

    Provider will provide Customer with access to the Services in accordance with this Agreement, the Service Specification, and the Service Order Details. Services may be delivered through automated systems, Provider personnel, subcontractors, or a combination thereof.

    2.2 Provisioning

    Provisioning begins after Provider receives applicable Activation Fees and any required Resource Deposit. Provider will use commercially reasonable efforts to provision Services within 5 business days of receipt of all required fees and information.

    2.3 Service Access

    Customer will receive administrative credentials and access to the Provider's platform to configure and manage the Service. Customer is responsible for maintaining the security and confidentiality of access credentials.

    3. Support

    3.1 Support Levels

    Provider will provide technical support for Services as follows:

    • Email Support: Available via support@lastbot.com during business hours (9:00–17:00 EET, Monday–Friday, excluding Finnish public holidays)
    • Portal Support: Available 24/7 via support.lastbot.com
    • Response Times: Provider will use commercially reasonable efforts to respond to support requests within 24 hours during business days

    3.2 Scope of Support

    Support includes assistance with Service configuration, troubleshooting, integration guidance, and resolution of Service defects. Support does not include development of custom features, Professional Services, or support for Non-Provider Services.

    3.3 Enhanced Support

    Enhanced support options (including dedicated support contacts, faster response times, or phone support) may be available as a separately priced add-on upon mutual agreement.

    4. Limits and Acceptable Use

    4.1 Service Limits

    Service includes technical, commercial, or performance limits set out in the Service Specification. Provider may adjust limits to protect security, integrity, and fair use. Customer will receive notice of material limit changes affecting Customer's use.

    4.2 Customer Inputs and Customer Data

    Service may require Customer Inputs defined in Service Specification. Service performance depends on Customer Data quality and external conditions. Provider is not liable for Service performance issues resulting from inadequate or inaccurate Customer Data.

    4.3 Acceptable Use Policy

    Customer must not use Service to:

    • Conduct illegal or harmful activities
    • Abuse or disrupt networks, spam, phishing, or distribute malware
    • Bypass safety or security controls
    • Generate unlawful hate speech, harassment, or incitement
    • Impersonate others or intentionally mislead recipients
    • Make automated decisions affecting legal rights without appropriate human oversight
    • Resell, sub-license, or commercialize access to Service for third parties
    • Train competing AI models using Services or Service outputs
    • Exceed usage limits or attempt to circumvent metering or billing systems

    4.4 No Professional Advice

    Service outputs are informational only and do not constitute professional, legal, medical, financial, or other expert advice. Customer is solely responsible for decisions made based on Service outputs.

    4.5 Compliance Responsibility

    Customer is responsible for ensuring its use of Services complies with all applicable Laws, including but not limited to data protection, telecommunications, consumer protection, and industry-specific regulations.

    5. Fees and Payment

    5.1 Fees

    Customer agrees to pay all Fees as specified in the Price List (Exhibit B). Fees include:

    • Activation Fees: One-time charges for Service setup and activation
    • Service Fees: Recurring charges for Service access
    • Resource Fees: Usage-based charges for external Resources consumed

    5.2 Billing and Payment Terms

    • Service Fees are billed in advance for the billing period
    • Resource Fees are billed monthly in arrears based on actual usage
    • All Fees are calculated from usage measured by Provider's systems
    • Provider's metering and logs are the final and binding record of usage for billing purposes, absent manifest error
    • Invoices are due and payable within 14 days of invoice date
    • Payment methods: bank transfer, credit card, or other methods as agreed
    • All Fees are exclusive of taxes, which Customer is responsible for

    5.3 Resource Deposits

    If specified in Service Order Details, Customer must pay a Resource Deposit before Service activation. The deposit is held as security against Resource Fees and does not accrue interest. Unused deposit amounts are returned within 30 days after termination, less any undisputed amounts due.

    5.4 Non-Refundable Fees

    All Activation Fees and Service Fees are non-refundable, including in connection with early termination of this Agreement, except as explicitly provided in Section 5.6.

    5.5 Late Payment

    Unpaid undisputed amounts accrue interest at the higher of 1.5% per month or the maximum allowed by applicable law. Provider may suspend Services for non-payment in accordance with Section 6.1.

    5.6 Service Transfers and Upgrades

    Customer may change from one Service tier to another Transferable Service at any time by providing written notice. If the new Service Term is at least as long as the remaining term of the prior Service, Customer will receive credit for unused prepaid Service Fees and unused Resource Deposits, applied to charges for the new Service. Cash refunds are not provided.

    5.7 Fee Disputes

    Customer must notify Provider of billing disputes within 30 days after invoice date. Undisputed amounts must be paid when due. Provider will investigate disputed amounts in good faith and respond within 15 business days.

    6. Suspension and Termination

    6.1 Suspension by Provider

    Provider may suspend access to Services, in whole or in part, if:

    • Customer fails to pay undisputed amounts within 7 days after written notice
    • Customer breaches this Agreement and fails to cure within 7 days after written notice
    • Provider reasonably determines that Customer's use presents a legal, regulatory, or security risk
    • Customer misuses Services, including exceeding permitted scope, interfering with system integrity, or violating Section 4.3
    • Continued access could harm Provider, its systems, or other users

    Suspension does not extend the Service Term or create any right to refunds or credits. Provider will provide notice before suspension where reasonably practicable, except for immediate security or legal threats.

    6.2 Termination for Cause

    Either party may terminate this Agreement upon written notice if the other party materially breaches this Agreement and fails to cure within 30 days after written notice. Provider may terminate immediately for misuse, illegal activity, or integrity or security threats.

    6.3 Termination for Convenience

    Either party may terminate this Agreement at the end of the then-current Service Term by providing written notice at least 30 days before the renewal date. Termination does not relieve Customer of payment obligations for the current Service Term.

    6.4 Effect of Termination

    Upon termination:

    • All Services cease immediately
    • Customer must pay all undisputed amounts accrued through the termination date
    • Customer's access to the platform and Customer Data is suspended
    • Each party must return or destroy the other's Confidential Information upon request, except for archival copies retained in accordance with standard data retention practices
    • Provider will make Customer Data available for export for 30 days after termination, after which Provider may delete Customer Data in accordance with Section 7.3.10
    • Unused Resource Deposits are returned less undisputed amounts due

    6.5 Survival

    Sections 4.3–4.5, 5, 6.4, 7–12, and 13–16 survive termination or expiration of this Agreement.

    7. Data and Ownership

    7.1 Customer Data Processing

    Provider may store and process Customer Data to provide, secure, test, improve, analyze, and operate Services, keep records, and comply with Laws. Customer instructs Provider to process for these purposes and represents it has the authority and required notices and consents.

    7.2 Data Ownership

    • Customer Data: Customer owns all Customer Data
    • Service Data: Provider owns all Service Data, including operational data, metrics, telemetry, transcripts, learnings, and models generated from Services
    • Services: Provider owns all Services, modifications, and derivative works

    If Provider enriches Customer Data with additional attributes or processing, Customer retains ownership of its original data; the enrichment and resulting Service Data belong to Provider.

    7.3 Data Processing Agreement

    This Section 7.3, together with Section 8 (Privacy), Exhibit D (Data Processing Annex), and the Privacy Policy, forms a data processing agreement under Art. 28 GDPR and equivalent laws.

    7.3.1 Roles and Scope

    Customer is the Controller for Customer Data. Provider is the Processor processing Customer Data on documented instructions from Customer. For Service Data, Provider acts as Controller.

    Customer instructs Provider to process Customer Data to:

    • Provide, secure, support, maintain, test, improve, and operate Services
    • Perform analytics and measurement
    • Prevent fraud and abuse
    • Comply with Laws
    • Perform other purposes documented in this Agreement, Service Specifications, and Customer's written instructions

    Categories of data and data subjects are as described in the Privacy Policy and Service Specifications. Special-category data is not required for Services; if Customer submits it, Provider processes only under Customer's responsibility and instructions.

    7.3.2 Customer Instructions

    Provider will process Customer Data only on documented instructions from Customer, including:

    • This Agreement and Service Specifications
    • Customer-configured settings within the Service platform
    • Written requests via designated support channels specified in Section 3

    Acceptable instruction channels: (i) Service Order Details, (ii) admin and settings functionality in Service platform, (iii) written requests via support@lastbot.com. If Provider determines that an instruction infringes applicable Laws, Provider will notify Customer without undue delay.

    7.3.3 Confidentiality

    Provider ensures that personnel authorized to process Customer Data are bound by confidentiality obligations and receive appropriate privacy and security training.

    7.3.4 Security Measures

    Provider implements appropriate technical and organizational measures to protect Customer Data against unauthorized access, alteration, disclosure, or destruction, as further described in Exhibit D.

    7.3.5 Sub-processors

    General Authorization: Customer authorizes Provider to engage sub-processors. Provider will maintain a list available upon request to info@lastbot.com.

    Notice: Provider will notify Customer of material changes (new sub-processor or change materially increasing risk) at least 15 days before use. Notice is not required for: (i) Provider Affiliates under the same security program; (ii) like-for-like replacements not increasing risk; (iii) providers not accessing Personal Data; or (iv) Customer-enabled integrations.

    Objection: Customer may object to a noticed material change on reasonable, specific data-protection grounds within the notice period. Provider may cure by changing the sub-processor or proposing remediation. If unresolved within 30 days, Customer may terminate the affected Service with pro-rated refund of prepaid, unused fees.

    Flow-down: Provider binds sub-processors to obligations no less protective than this Section 7.3 and remains responsible for their performance.

    7.3.6 Personal Data Breach

    Provider will notify Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer Data. Notice will describe the breach nature, likely consequences, measures taken or proposed, and point of contact. Provider will promptly take steps to mitigate and remediate.

    7.3.7 Assistance

    Provider will assist Customer in ensuring compliance with Articles 32–36 GDPR considering the nature of processing and information available to Provider.

    7.3.8 International Transfers

    EU/EEA to Non-EEA: Where processing involves transfer of Customer Data to a country without adequate protection under Applicable Data Protection Law, the parties rely on appropriate transfer tools. For transfers from the EEA, the parties incorporate EU Standard Contractual Clauses 2021/914: Module 2 (Controller → Processor), including relevant Annexes. The parties select Clause 9(a) with 30-day notification; Clause 11 not applicable; Clause 17 Option 2 (Finland law); Clause 18(b) (Finnish courts).

    UK and Switzerland: For transfers from the UK, the UK ICO International Data Transfer Addendum applies. For transfers from Switzerland, Swiss FDPIC-approved terms apply.

    Supplementary Measures: Provider implements reasonable supplementary measures and conducts transfer risk assessments where required. General information on global processing appears in the Privacy Policy.

    7.3.9 Compliance Audits

    Upon written request no more than once per 12 months, subject to confidentiality and safety restrictions, Provider will:

    • Make available current third-party compliance audit reports or certifications and security questionnaires
    • Permit Customer-initiated compliance audit (remote or onsite) by Customer or independent auditor bound by confidentiality, on 30 days' notice, during business hours, without unreasonably interfering with operations

    Audits are at Customer's expense unless they reveal material non-compliance.

    7.3.10 Deletion and Return

    Upon termination, expiry, or Customer's written request, Provider will, at Customer's choice, return or delete Customer Data within 30 days, excluding standard backups retained as permitted by Laws. If applicable law requires retention, Provider will isolate Customer Data from further processing and delete as soon as legally allowed.

    7.3.11 Government Requests

    Unless prohibited by law, Provider will notify Customer of legally binding requests from public authorities for disclosure of Customer Data and will challenge unlawful or disproportionate requests where reasonable. Provider discloses only the minimum required by law.

    7.3.12 Precedence and Liability

    If conflict exists between this Section 7.3 and other Agreement provisions regarding processing of Customer Data, this Section 7.3 controls. This Agreement's liability caps apply to this Section 7.3 except where Applicable Data Protection Law prohibits limitation of liability.

    7.3.13 Records

    Provider maintains records of processing activities required by Laws and makes them available to supervisory authorities on request.

    7.3.14 Definitions

    Terms used but not defined in this Section 7.3 have meanings given in this Agreement, Privacy Policy, or Applicable Data Protection Law. "Applicable Data Protection Law" includes GDPR, UK GDPR and Data Protection Act 2018, and Swiss FADP.

    8. Privacy

    8.1 Privacy Policy

    Processing is subject to this Agreement and Provider's Privacy Policy available at lastbot.com/privacy-policy.

    8.2 Security

    Provider uses reasonable technical and organizational measures as described in Section 7.3.4 and the Privacy Policy. Provider may engage subprocessors subject to confidentiality and security obligations as set forth in Section 7.3.5.

    8.3 Retention and Deletion

    Retention and deletion follow the Privacy Policy and Service Specifications. Upon request and subject to law and technical limits, Provider will delete or return Customer Data as set forth in Section 7.3.10.

    9. Recordings and Notices

    9.1 Call and Message Recordings

    Calls and messages handled by or through Services may be recorded at all times, including while on hold or after transfer. Customer is responsible for ensuring compliance with applicable Laws regarding recording notifications and consents.

    9.2 Automated Notices and Consents

    Where required or authorized by Laws, Provider may insert automated disclosures or consent prompts in communications. Customer may configure standard disclosure messages through the Service platform.

    9.3 Disclosure Example

    An example disclosure message: "Calls and messages may be recorded for quality and training. By continuing, you acknowledge and consent as required by applicable law." Local variants compatible with applicable Laws may be used.

    10. Compliance

    10.1 Customer Compliance Obligations

    Customer is responsible for its use of Services and must comply with all applicable Laws, including:

    • Data protection and privacy laws (GDPR, national data protection laws)
    • Telecommunications regulations
    • Consumer protection laws
    • Do-not-contact and marketing consent requirements
    • Industry-specific regulations applicable to Customer's business

    10.2 Do-Not-Contact and Privacy

    Customer must honor opt-out and do-not-contact requests as required by Law. Customer must obtain all required consents for communications and maintain appropriate records.

    10.3 Export Controls and Sanctions

    Customer must comply with export, re-export, import, and sanctions Laws as updated from time to time and must not use Service for prohibited end-uses or with prohibited parties.

    10.4 Sector Restrictions

    Customer represents that it is not primarily engaged in the following sectors without Provider's prior written approval: firearms and weapons; gambling and betting; adult entertainment; alcohol; recreational drugs; high-risk financial services and unlicensed money services; surveillance and spyware; or any sanctioned entities or jurisdictions.

    11. Free Trial

    11.1 Free Trial Terms

    If Free Trial is selected in Service Order Details, Customer may evaluate Service at no charge for the specified period, subject to Free Trial Constraints in Exhibit C.

    11.2 Free Trial Limitations

    Free Trials are subject to capacity and feature limitations as specified in Exhibit C. Free Trials are intended for evaluation purposes only.

    11.3 Auto-Conversion

    If any Free Trial Constraint is exceeded, the Free Trial automatically converts to a paid Service. Upon auto-conversion, Customer is bound to this Agreement and applicable Service Specification as if it had executed a paid Service Order. Provider will invoice Customer for all usage from the conversion date.

    11.4 Free Trial Termination

    Either party may terminate a Free Trial at any time without notice or liability. If Customer does not convert to paid Service before Free Trial expiration, access will be suspended and Customer Data may be deleted in accordance with Section 7.3.10.

    12. Integrations with Non-Provider Services

    12.1 Third-Party Integrations

    If Customer enables Non-Provider Services (third-party applications, APIs, or services) to integrate with or access the Service, Customer permits those services to access Customer Data as necessary for the integration.

    12.2 Customer Responsibility

    Customer is solely responsible for:

    • Compliance with third-party terms and conditions
    • Security and privacy of data shared with Non-Provider Services
    • Any fees charged by Non-Provider Services
    • Performance and availability of Non-Provider Services

    12.3 No Provider Warranty

    Provider does not warrant interoperation or continued availability of Non-Provider Services and may cease related features without liability or refunds if third-party services become unavailable or incompatible.

    13. Intellectual Property

    13.1 Provider IP Rights

    Services, any modifications, and derivative works are Provider's exclusive property. Provider retains all right, title, and interest in Services, Service Data, Provider's technology, algorithms, models, and know-how.

    13.2 Customer Data Rights

    Customer retains all right, title, and interest in Customer Data. Customer grants Provider a limited license to use Customer Data solely to provide Services in accordance with this Agreement.

    13.3 Service Data Rights

    Provider owns all Service Data, including operational data, metrics, telemetry, transcripts, aggregated or anonymized data, learnings, and models generated from Services. Provider may use Service Data to improve Services, develop new products, and for other business purposes.

    13.4 No Transfer of Rights

    This Agreement does not assign, license, or transfer any IPR of either party to the other party, unless explicitly set out in this Agreement.

    13.5 Feedback

    If Customer provides suggestions, ideas, or feedback about Services, Provider may use such feedback without obligation or compensation to Customer.

    14. Changes to Agreement and Services

    14.1 Unilateral Amendments

    Provider may amend this Agreement, Price List, or Service Specifications with at least 30 days' written notice to Customer. If Customer objects, Customer may terminate this Agreement by written notice received before the effective date of the amendment, with termination effective on the amendment date.

    14.2 No Retroactive Changes

    No unilateral amendment retroactively alters disputed resolution terms for pending disputes or removes a right already exercised without Customer's written agreement.

    14.3 Service Changes

    Provider may add new features, modify existing features, or discontinue features with 30 days' notice, except where a third-party Resource provider changes terms or discontinues a Resource on shorter notice, in which case Provider will provide as much notice as reasonably practicable.

    14.4 Price Changes

    Changes to Fees take effect on the next renewal date after notice. Customer's continued use after the effective date constitutes acceptance of changed Fees.

    15. Indemnification

    15.1 Indemnification by Provider

    Provider will defend and indemnify Customer against third-party claims alleging personal injury or property damage caused by Provider's negligence or willful misconduct.

    15.2 Indemnification by Customer

    Customer will defend and indemnify Provider against third-party claims alleging:

    • Personal injury or property damage caused by Customer's negligence or willful misconduct
    • Customer's breach of this Agreement
    • Unauthorized, illegal, or fraudulent use of Services by Customer or its end users
    • Customer Data infringement of third-party rights

    15.3 Claims Process

    The indemnified party must:

    • Provide prompt written notice of the claim
    • Allow the indemnifying party to control defense and settlement
    • Cooperate reasonably in the defense

    Consent is required for any settlement imposing admission, payment, or non-monetary obligations on the indemnified party. If control is not assumed within 60 days, the indemnified party may defend at the indemnifying party's cost and risk.

    16. Limitation of Liability

    16.1 Exclusion of Consequential Damages

    No party is liable for indirect, incidental, consequential, exemplary, special, or punitive damages, including lost profits, data loss, delays, or third-party network failures, except for intentional acts or gross negligence.

    16.2 Liability Cap

    Except for intentional acts or gross negligence, each party's aggregate liability for all claims is capped at one times (1×) the Fees paid and payable by Customer to Provider in the 12 months before the event giving rise to liability.

    16.3 Exceptions to Cap

    The liability cap does not limit or exclude:

    • Customer's obligation to pay unpaid Fees, charges, or interest due to Provider
    • Either party's indemnification obligations under Section 15
    • Liability that cannot be limited under applicable law (including personal injury or data protection violations)

    16.4 Allocation of Risk

    The parties acknowledge that the Fees reflect the allocation of risk set forth in this Agreement and that neither party would enter into this Agreement without these limitations on liability.

    17. General Provisions

    17.1 Governing Law and Venue

    This Agreement is governed by the laws of Finland, without regard to conflict of law principles. Any disputes arising from this Agreement will be subject to the exclusive jurisdiction of the courts of Helsinki, Finland.

    17.2 Injunctive Relief

    Any breach of this Agreement may cause irreparable harm for which monetary damages would be inadequate. Each party is entitled to seek injunctive or equitable relief, including specific performance, in any court of competent jurisdiction worldwide, without necessity of posting bond or proving actual damages.

    17.3 Confidentiality

    Each party must protect the other's Confidential Information with at least reasonable care and use it only for purposes of this Agreement. Exceptions: information that is public, known without restriction, lawfully disclosed by a third party, or independently developed.

    17.4 Force Majeure

    No party is liable for delays or failures caused by events beyond reasonable control, including natural disasters, pandemics, power outages, strikes, acts of government, or supplier failures, provided it mitigates impact and resumes performance promptly.

    17.5 Subcontractors

    Provider may use subcontractors and remains responsible for their acts and omissions. Provider remains liable for subcontractor performance as if performed by Provider directly.

    17.6 Assignment

    Neither party may assign this Agreement without the other's prior written consent, except to an Affiliate or successor in a merger, reorganization, consolidation, or sale of substantially all assets or equity. Any attempted assignment in violation of this section is void.

    17.7 Notices

    All notices must be in writing and sent by email, registered mail, or courier to the addresses specified in Agreement Details. Notices are deemed received on delivery (or email confirmation for email notices).

    • Notices to Provider: info@lastbot.com
    • Notices to Customer: the email address in Agreement Details or as updated in writing

    17.8 Entire Agreement and Order of Precedence

    This Agreement constitutes the entire agreement between the parties on the subject matter and supersedes all prior or contemporaneous agreements, understandings, representations, and warranties, whether written or oral.

    Order of Precedence: In the event of conflict: (1) this Agreement; (2) Service Specifications (Exhibit A); (3) other Exhibits; (4) Privacy Policy.

    17.9 Amendments

    Amendments must be in a signed writing that expressly states it amends this Agreement, except for unilateral amendments permitted under Section 14.

    17.10 Severability

    If any provision is held unenforceable, the remaining provisions remain in effect, and the provision will be enforced to the maximum extent permitted by law.

    17.11 No Waiver

    No failure or delay in exercising any right operates as a waiver of that right. No waiver is effective unless in writing and signed by the waiving party.

    17.12 Independent Contractors

    The parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, agency, or employment relationship.

    17.13 Attorney's Fees

    In any action to enforce this Agreement, the prevailing party is entitled to recover reasonable attorneys' fees and costs.

    17.14 Execution

    This Agreement may be executed in counterparts and by electronic signatures, each of which is deemed an original and all of which together form one instrument.

    17.15 Headings

    Headings are for convenience only and do not affect interpretation.

    Exhibit D: Data Processing Annex

    D.1 Subject Matter and Duration

    • Subject Matter: Processing of Customer Data to provide AI-powered customer service platform
    • Duration: For the Service Term and 30 days thereafter for deletion/return

    D.2 Nature and Purpose of Processing

    Nature: Automated processing, storage, analysis, and generation of responses using AI/ML models

    Purpose:

    • Provide customer service automation (chat, voice, email, WhatsApp)
    • Train and improve AI models for Customer's specific use case
    • Generate analytics and insights
    • Maintain Service security and integrity
    • Comply with legal obligations

    D.3 Types of Personal Data

    Customer Data may include:

    • Contact Information: Names, email addresses, phone numbers, mailing addresses
    • Identification Data: Customer IDs, account numbers, usernames
    • Communication Content: Chat messages, voice recordings and transcripts, email content, WhatsApp messages
    • Technical Data: IP addresses, device identifiers, browser information, session data
    • Transaction Data: Order history, payment information (if processed), purchase records
    • Usage Data: Service interaction logs, timestamps, feature usage
    • Custom Data: Any additional data Customer configures Service to process

    D.4 Categories of Data Subjects

    • Customer's end customers and service users
    • Customer's employees and representatives
    • Third parties communicating with Customer through Services

    D.5 Sub-processors

    Current Sub-processors (as of agreement date):

    Sub-processorServiceLocation
    Amazon Web Services (AWS)Cloud infrastructureEU (Ireland), US
    OpenAI / Microsoft AzureAI/ML modelsEU, US
    TwilioVoice and messagingUS, EU
    Google Cloud PlatformCloud servicesEU, US

    Note: This list is subject to change. Provider will maintain current list and notify Customer of material changes per Section 7.3.5.

    D.6 International Data Transfers

    Transfer Mechanisms:

    • EU Standard Contractual Clauses 2021/914 (incorporated by reference in Section 7.3.8)
    • EU-US Data Privacy Framework (where applicable)
    • UK International Data Transfer Addendum (for UK transfers)
    • Swiss-approved transfer mechanisms (for Swiss transfers)

    Data Locations: Customer Data may be processed in the European Economic Area, United Kingdom, Switzerland, and United States. Customer may request data residency requirements; additional fees may apply.

    D.7 Technical and Organizational Measures

    Access Control

    • Role-based access control (RBAC)
    • Multi-factor authentication for administrative access
    • Regular access reviews and least-privilege principles
    • Automated access logging

    Data Security

    • TLS 1.3 encryption in transit
    • AES-256 encryption at rest
    • Regular vulnerability scanning and penetration testing
    • Security incident response procedures
    • Annual third-party security audits

    Data Integrity

    • Automated backup and recovery procedures
    • Database replication and redundancy
    • Data validation and integrity checks
    • Version control and change management

    Operational Security

    • 24/7 security monitoring and alerting
    • Intrusion detection and prevention systems
    • DDoS protection and rate limiting
    • Security awareness training for personnel
    • Background checks for personnel with data access

    Availability and Resilience

    • Multi-region infrastructure deployment
    • Automated failover capabilities
    • 99.9% uptime SLA (for paid services)
    • Disaster recovery and business continuity plans
    • Regular testing of recovery procedures

    Compliance

    • GDPR compliance framework
    • Regular compliance assessments

    D.8 Assistance Obligations

    Provider will assist Customer with:

    • Data Subject Requests: Portal for data export, deletion, and rectification within 5 business days
    • Data Protection Impact Assessments: Provide relevant technical and organizational measures documentation
    • Prior Consultations: Assist with supervisory authority consultations as reasonably requested
    • Security Incidents: 72-hour breach notification and ongoing incident updates
    • Audits: Annual audit rights with 30 days' notice (Section 7.3.9)

    D.9 Contact Information

    Provider Data Protection Contact:
    Email: privacy@lastbot.com
    Address: Kimmeltie 10, 90630 Oulu, Finland

    Contact Information

    LastBot Europe Oy
    Kimmeltie 10
    90630 Oulu, Finland
    Email: info@lastbot.com
    Business ID: 3361305-7