Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement ("Agreement") between:

and the entity or individual that accesses or uses the Services ("Customer", "Controller", "Business").

This DPA applies where Sentiments processes Personal Data on behalf of Customer in connection with the Services available at https://sentiments.com.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement.

"Applicable Data Protection Law" means all laws applicable to the processing of Personal Data, including GDPR, UK GDPR, CPRA, and similar state or international privacy laws.

"Personal Data" means any information relating to an identified or identifiable natural person processed by Sentiments on behalf of Customer.

"Processing" has the meaning given under GDPR Article 4.

"Subprocessor" means any third party engaged by Sentiments to process Personal Data.

"Customer Personal Data" means Personal Data submitted to or processed through the Services by or on behalf of Customer.

2. Roles of the Parties

2.1 Controller and Processor

Customer acts as the Controller of Customer Personal Data.

Sentiments acts as a Processor, processing Customer Personal Data solely on behalf of Customer and in accordance with this DPA.

2.2 Service Provider (CPRA)

For purposes of the CPRA, Sentiments acts as a Service Provider and processes Personal Data solely to provide the Services, not for its own commercial purposes.

3. Scope of Processing

3.1

Sentiments processes Customer Personal Data only:

• to provide, maintain, and improve the Services;
• to generate analytics, insights, and sentiment analysis requested by Customer;
• to maintain platform security, integrity, and performance;
• as otherwise documented in this DPA or the Agreement.

3.2

Sentiments determines the technical means of processing but does not determine the independent purposes of processing Customer Personal Data.

4. Customer Obligations

Customer represents and warrants that:

• it has a lawful basis to collect and provide Customer Personal Data to Sentiments;
• it has provided all required notices and obtained all necessary consents;
• it will not provide Personal Data that violates Applicable Data Protection Law.

Customer agrees not to upload or process Special Category Data (including protected health information, financial account numbers, government identifiers, or children's data) unless expressly agreed in writing by Sentiments.

5. Confidentiality

Sentiments ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations and access such data only as necessary to perform the Services.

6. Security Measures

6.1

Sentiments implements appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

6.2

Such measures include, as appropriate:

• encryption in transit;
• role-based access controls;
• access limitation to authorized personnel;
• logging and monitoring;
• backup and recovery systems.

Additional details are described in Annex B (Technical and Organizational Measures).

7. Subprocessors

7.1

Customer authorizes Sentiments to engage Subprocessors.

7.2

Sentiments will:

• impose data protection obligations on Subprocessors equivalent to this DPA;
• remain responsible for Subprocessors' compliance.

7.3

Sentiments maintains a list or description of Subprocessors available upon request or via a designated webpage.

7.4

Customer may object to a new Subprocessor on reasonable data protection grounds within a reasonable notice period.

8. Data Subject Rights

8.1

Sentiments will reasonably assist Customer in fulfilling requests from Data Subjects under Applicable Data Protection Law.

8.2

If Sentiments receives a Data Subject request directly, it will direct the Data Subject to Customer unless legally required to respond.

9. Personal Data Breach

9.1

Sentiments will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data.

9.2

Notification will include information reasonably available to allow Customer to comply with its legal obligations.

10. Data Retention and Deletion

10.1 During Active Accounts

Customer Personal Data is processed while Customer maintains an active account.

10.2 Post-Termination Retention

Upon termination of the Agreement, Customer Personal Data will be archived and access-restricted and retained for up to 36 months, unless earlier deletion is requested.

Permitted purposes include:

• account reactivation;
• service continuity;
• fraud prevention;
• legal compliance;
• platform integrity.

10.3 Deletion

Customer may request deletion or anonymization at any time. Sentiments will comply within a reasonable timeframe.

At the end of the 36-month retention period, Customer Personal Data will be automatically deleted or anonymized.

10.4 Backups

Customer Personal Data may remain in encrypted backups for a limited rolling period and will be deleted in accordance with standard backup cycles.

10.5 Aggregated and Anonymized Data

Aggregated or anonymized data is not Personal Data and may be retained indefinitely, including for analytics and AI model training.

11. AI and Model Training

11.1

Sentiments does not train models on identifiable Customer Personal Data.

11.2

Sentiments may use aggregated and anonymized data derived from the Services for:

• analytics;
• benchmarking;
• product improvement;
• AI and machine learning model training.

Such data cannot be used to identify Customer or any individual.

12. Audits

12.1

Upon reasonable request, Sentiments will make available information necessary to demonstrate compliance with this DPA.

12.2

Audits shall be limited to:

• written responses;
• questionnaires;
• documentation reviews.

No physical access to systems is required unless mandated by law.

13. International Transfers

13.1

Where Customer Personal Data is transferred outside the EEA or UK, such transfers are governed by the EU Standard Contractual Clauses (SCCs).

13.2

The SCCs are incorporated by reference and apply where required.

14. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement, except where prohibited by law.

15. Term and Termination

This DPA remains in effect for as long as Sentiments processes Customer Personal Data under the Agreement.

16. Governing Law

This DPA is governed by the laws specified in the Agreement. For GDPR purposes, the governing law is the law of an EU Member State as required by the SCCs.