Data Processing Agreement

Effective Date: May 10, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Use ("Terms") between you ("Data Controller," "Customer," or "you") and Sosh Labs AI Inc. ("Data Processor," "Sosh Labs AI," "we," "us," or "our") for the use of the Sosh Labs AI platform (the "Service").

This DPA sets out the terms under which Sosh Labs AI processes personal data on your behalf in connection with the Service, in compliance with applicable data protection laws including the Personal Information Protection and Electronic Documents Act (PIPEDA), the General Data Protection Regulation (EU) 2016/679 (GDPR), and the California Consumer Privacy Act (CCPA).

This DPA applies automatically to all customers. Bespoke plan customers may negotiate supplemental data processing terms through a separate agreement.

2. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable individual, as defined under applicable data protection laws.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, erasure, or destruction.
  • "Data Controller" means the entity that determines the purposes and means of processing Personal Data (you, the Customer).
  • "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller (Sosh Labs AI).
  • "Sub-Processor" means a third-party service provider engaged by Sosh Labs AI to process Personal Data on behalf of the Data Controller.
  • "Data Subject" means the identified or identifiable individual to whom the Personal Data relates.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

3. Roles and Scope of Processing

3.1 Roles

You (the Customer) are the Data Controller. Sosh Labs AI is the Data Processor. We process Personal Data only on your behalf and in accordance with your documented instructions (as expressed through your use of the Service and these Terms).

3.2 Scope of Processing

We process Personal Data for the following purposes:

  • Providing and maintaining the Service
  • AI-powered content generation using your brand data and prompts
  • Social media account management and content publishing
  • Performance analytics and strategic insights
  • Email communications on your behalf (e.g., team invitations)
  • Payment processing and subscription management

3.3 Categories of Personal Data

The Personal Data we process may include:

  • Contact information (names, email addresses)
  • Organization and business information
  • Brand DNA questionnaire responses
  • Content created or generated through the Service
  • Social media account identifiers and metrics
  • Usage data and interaction logs
  • Payment identifiers (processed by Stripe; no card numbers stored by us)

3.4 Data Subjects

Data Subjects may include:

  • Your employees and team members
  • Your customers or audience members (to the extent their data appears in content or analytics)

4. Data Processor Obligations

Sosh Labs AI shall:

  • Process Personal Data only on documented instructions from you (as expressed through your use of the Service), unless required to do so by applicable law, in which case we will inform you of that legal requirement before processing (unless prohibited by law)
  • Ensure that persons authorized to process Personal Data have committed to confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Section 7
  • Assist you, insofar as possible, in fulfilling your obligation to respond to Data Subject requests (access, rectification, erasure, portability, restriction, objection)
  • Assist you in ensuring compliance with your obligations regarding data breach notification, data protection impact assessments, and prior consultation with supervisory authorities
  • At your choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless storage is required by applicable law
  • Make available to you all information necessary to demonstrate compliance with our obligations under this DPA
  • Notify you without undue delay upon becoming aware of a Data Breach

5. Sub-Processors

5.1 Authorized Sub-Processors

You authorize us to engage the following Sub-Processors to process Personal Data on your behalf:

Sub-Processor               Purpose                                                        Data Location
Anthropic                   AI content generation                                          United States
Stripe                      Payment processing and billing                                 United States
Clerk                       Authentication, user management, organization memberships      United States
Zernio                      Social media publishing, scheduling, and analytics             European Union (Spain)
Amazon Web Services (AWS)   Media file storage (S3)                                        United States and Canada
Microsoft (MS Graph)        Email delivery and calendar integration                        United States
Vercel                      Website hosting and analytics                                  United States
Neon                        Database hosting (PostgreSQL)                                  United States
Google (Analytics)          Website usage analytics                                        United States
Meta (Pixel)                Website analytics                                              United States
LinkedIn (Insight Tag)      Website analytics                                              United States

5.2 Sub-Processor Obligations

We enter into written agreements with each Sub-Processor imposing data protection obligations no less protective than those set out in this DPA.

5.3 Changes to Sub-Processors

We will notify you before adding or replacing any Sub-Processor. If you have a reasonable objection to a new Sub-Processor, you may notify us in writing within 14 days. We will work with you in good faith to address your concerns. If we cannot resolve your objection, you may terminate your account.

6. International Data Transfers

Personal Data may be transferred to and processed in Canada, the United States, and the European Union.

6.1 Transfer Mechanisms

For transfers of Personal Data from the EU/EEA to countries outside the EU/EEA, we rely on:

  • Adequacy Decisions: Canada has been recognized by the European Commission as providing adequate protection for personal data under PIPEDA.
  • Standard Contractual Clauses (SCCs): For transfers to the United States and other jurisdictions without adequacy decisions, we rely on SCCs approved by the European Commission.

6.2 Additional Safeguards

We implement supplementary measures where necessary, including encryption of data in transit and at rest, access controls, and contractual protections with Sub-Processors.

7. Security Measures

Sosh Labs AI implements and maintains the following technical and organizational security measures:

Technical Measures:

  • TLS/SSL encryption for all data in transit
  • Token-based authentication and authorization
  • Webhook signature verification (HMAC) for all third-party integrations
  • Content Security Policy (CSP) headers
  • Strict CORS policies
  • Secure HTTP headers (HSTS, X-Frame-Options, X-Content-Type-Options)
  • Automated log rotation (14-day retention for server logs)
  • Presigned URLs with expiry for media file access

Organizational Measures:

  • Role-based access controls (Owner, Admin, Member, Viewer)
  • Multi-tenant data isolation via organization-scoped access
  • Principle of least privilege for internal access
  • Regular security reviews
  • Incident response procedures

8. Data Breach Notification

8.1 Notification Timeline

In the event of a Data Breach affecting Personal Data processed on your behalf, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach.

8.2 Notification Contents

The notification will include, to the extent available:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected
  • The name and contact details of our data protection point of contact
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its potential adverse effects

8.3 Cooperation

We will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

9. Data Subject Requests

If we receive a request from a Data Subject to exercise their rights (access, rectification, erasure, portability, restriction, or objection) regarding Personal Data we process on your behalf, we will:

  • Promptly notify you of the request
  • Not respond to the request directly unless authorized by you or required by law
  • Assist you in responding to the request, including by providing relevant technical measures

To request deletion of account data, Data Subjects or Customers may contact us at privacy@soshlabs.ai.

10. Audits and Compliance

We will make available to you the information reasonably necessary to demonstrate our compliance with this DPA.

Upon reasonable written request (no more than once per year, unless a Data Breach has occurred), we will allow for and contribute to audits or inspections conducted by you or an independent auditor appointed by you, subject to:

  • 30 days' prior written notice
  • Reasonable scope and timing to minimize disruption
  • Confidentiality obligations regarding any information obtained during the audit
  • The audit being conducted at your expense

11. Data Retention and Deletion

11.1 During the Service

We retain Personal Data for the duration of your active use of the Service.

11.2 Upon Termination

Upon termination or expiration of your account, we will delete your Personal Data, including AI generation logs, content, brand data, and associated metadata, within 12 months of account deactivation.

11.3 Exceptions

We may retain certain data beyond the retention period where required by applicable law (e.g., tax, accounting, or regulatory requirements). Any retained data will continue to be protected in accordance with this DPA.

11.4 Deletion Confirmation

Upon written request, we will confirm in writing that Personal Data has been deleted in accordance with this section.

12. Term and Termination

This DPA shall remain in effect for the duration of your use of the Service and for as long as we process Personal Data on your behalf.

This DPA automatically terminates when we no longer process Personal Data on your behalf, subject to the data retention provisions in Section 11.

The obligations under Sections 4, 7, 8, 10, and 11 shall survive termination of this DPA.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Province of British Columbia and the federal laws of Canada applicable therein, consistent with the governing law provisions in the Terms of Use.

For matters involving the processing of Personal Data of EU/EEA Data Subjects, the GDPR shall apply to the extent of any conflict with local law.

14. Contact

For questions about this DPA or to exercise rights related to data processing, please contact:

Sosh Labs AI Inc.
159 W 2nd Ave
Vancouver, BC V5Y0L8
Canada

Email: privacy@soshlabs.ai

© 2026 Sosh AI. All rights reserved. Built in Vancouver, Canada.