Data Processing Agreement
Read Artisan's data processing agreement (DPA) for how we process personal data on behalf of customers.
ARTISAN AI DATA PROCESSING AGREEMENT
Last updated May 17, 2026
This Data Processing Agreement (“DPA”) sets out how Artisan processes personal data on behalf of Customer in connection with the Services. This DPA is incorporated by reference into the Legal Terms at https://artisan.co/terms-of-use and any Service Orders (together, the “Agreement”) upon Customer’s request.
If there is any conflict between this DPA and the Agreement regarding the processing of personal data, this DPA controls. This DPA will remain in effect for the duration of the Agreement.
Artisan may update this DPA from time to time and will provide at least thirty (30) days' prior written notice of any material changes. If the Customer reasonably objects to such changes, the parties will negotiate in good faith to resolve the issue. Capitalized terms not defined in this DPA have the meanings given in the Agreement.
TABLE OF CONTENTS
1. Definitions
2. Customer Responsibilities
3. Artisan AI Obligations
4. Data Subject Requests
5. Sub-Processors
6. Data Transfers
7. Demonstration of Compliance / Audit Rights
8. Additional Provisions for California Personal Information
9. General Provisions
10. Parties to this DPA
11. International Data Transfers
12. AI Processing; Outbound Communications
Exhibit A – Details of Processing
Exhibit B – Security Measures
Exhibit C – Sub-Processors
1. DEFINITIONS
"California Personal Information" means Personal Data that is subject to the protection of the CCPA.
"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or "CPRA").
"Consumer", "Business", "Sell", "Service Provider", and "Share" will have the meanings given to them in the CCPA.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
"Data Protection Laws" means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and other applicable U.S. federal and state privacy laws, and the data protection and privacy laws of Australia, Singapore, and Japan, in each case as amended, repealed, consolidated or replaced from time to time; with regard to Artisan AI, Data Protection Laws exclude laws governing Sensitive Information, as defined in the General Terms.
"Data Subject" means the individual to whom Personal Data relates.
"Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
"European Data" means Personal Data that is subject to the protection of European Data Protection Laws.
"European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iv) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (v) Swiss Federal Data Protection Act and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded or replaced.
"ePrivacy Laws" means the EU ePrivacy Directive (2002/58/EC) as implemented in applicable EU member states, and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) ("PECR") in the United Kingdom, as each may be amended, superseded or replaced, including by any ePrivacy Regulation that may enter into force.
"Instructions" means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
"Outbound Communications Data" means Personal Data relating to third-party recipients of processed by the Services in connection with outbound emails, phone calls, or other communications initiated by Customer using the Services, including contact data sourced from third-party data providers made available through the Services.
“Outbound Communications Laws” means all applicable worldwide legislation relating to outbound communications made using the Services via any format including without limitation (i) the Telephone Consumer Protection Act (TCPA), the Telemarketing Sales Rule (TSR), and applicable state and provincial telephone solicitation laws; (ii) the CAN-SPAM Act; (iii) Canada’s Anti-Spam Legislation (CASL); (iv) ePrivacy Laws including PECR; (v) Australia’s Spam Act 2003 (Cth); and (vi) all applicable laws governing the recording or interception of communications, including the California Invasion of Privacy Act (CIPA).
"Permitted Affiliates" means any of your Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a "Customer" as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by us, and (iii) are subject to European Data Protection Laws.
"Personal Data" means any information relating to an identified or identifiable individual where (i) such information is contained within Customer Data; and (ii) is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
"Processing" means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms "Process", "Processes" and "Processed" will be construed accordingly.
"Processor" means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to certain countries annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded or replaced.
"Sub-Processor" means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any Artisan AI employee or consultant.
"Swiss Addendum" means the adaptations to the EU SCCs which are necessary for compliance with the Swiss Data Protection Laws.
"UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, as may be amended, superseded, or replaced.
2. CUSTOMER RESPONSIBILITIES
a. Compliance with Laws
With respect to Personal Data, Customer is the controller and Artisan is Customer’s processor, or alternatively, if Customer is the processor, Artisan is Customer’s sub-processor. Artisan processes Outbound Communications Data solely as a Processor on Customer’s Instructions and does not independently assess the lawfulness or consent status of any individual communication. Within the scope of the Agreement and in your use of the services, you will be responsible for complying with all requirements that apply to you under applicable Data Protection Laws with respect to your Processing of Personal Data and the Instructions you issue to us.
In particular but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Customer Data and the means by which you acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes); (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws and Outbound Communications Laws) applicable to any emails or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and your email deployment practices. You will inform us without undue delay if you are not able to comply with your responsibilities under this ‘Compliance with Laws’ section or applicable Data Protection Laws or Outbound Communications Laws.
b. Controller Instructions
The parties agree that the Agreement (including this DPA), together with your use of the Subscription Service in accordance with the Agreement, constitute your complete Instructions to us in relation to the Processing of Personal Data, so long as you may provide additional instructions during the subscription term that are consistent with the Agreement, the nature and lawful use of the Subscription Service.
c. Security
You are responsible for independently determining whether the data security provided for in the Subscription Service adequately meets your obligations under applicable Data Protection Laws. You are also responsible for your secure use of the Subscription Service, including protecting the security of Personal Data in transit to and from the Subscription Service.
d. Sale or Share of Data
You will not take any action that would (i) render the provision of Personal Data to us a “sale” under U.S. federal and state privacy laws or a “share” under the CCPA (or equivalent concepts under U.S. federal and state privacy laws); or (ii) render us not a “service provider” under the CCPA or “processor” under U.S. federal and state privacy laws.
e. Lawful Basis
Customer warrants that it has identified and documented a valid lawful basis under applicable Data Protection Laws (including, where applicable, a valid legal basis under GDPR Article 6 and, for special categories of data, GDPR Article 9) for each Processing activity undertaken using the Services. With respect to Outbound Communications Data, Customer acknowledges that Artisan does not verify the consent status, opt-in history, or contact preferences of any individual Data Subject, and that Customer bears sole responsibility for ensuring: (i) each outbound communication has a valid legal basis; (ii) required pre-communication disclosures have been made to Data Subjects; (iii) opt-out and unsubscribe requests are captured and honored in a timely manner; and (iv) records of consent or other legal bases are maintained for the period required by applicable law.
3. ARTISAN AI OBLIGATIONS
a. Compliance with Instructions
We will only Process Personal Data for the purposes described in this DPA and Exhibit A or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws or Outbound Communications Laws applicable to you or your industry that are not generally applicable to us.
b. Conflict of Laws
If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply.
c. Security
We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Exhibit B to this DPA. Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
d. Confidentiality
We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
e. Personal Data Breaches
We will provide initial notification without undue delay and in any event no later than forty-eight (48) hours after becoming aware of any Personal Data Breach, and upon request, will provide timely information relating to the Personal Data Breach as it becomes available: (i) a description of the nature of the Personal Data Breach, (ii) the categories and approximate number of Data Subjects and Personal Data records concerned, (iii) the likely consequences of the Personal Data Breach, and (iv) the measures taken or proposed to be taken to address the Personal Data Breach and mitigate its possible adverse effects. Artisan may provide an initial notification with available information and supplement it as further information becomes known, consistent with GDPR Article 33(4).
At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.
f. Deletion or Return of Personal Data
We will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, upon termination or expiration of your Subscription Service, within a commercially reasonable period not exceeding ninety (90) days, unless otherwise agreed upon by the Parties in writing. This term will apply except where we are required by applicable law to retain some or all of the Customer Data, or where we have archived Customer Data on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with our deletion practices. You may request the deletion of your Artisan AI account after expiration or termination of your subscription by emailing hello@artisan.co. For clarity, we may continue to process information derived from Customer usage or data that has been de-identified, anonymized, and/or aggregated such that the data is no longer considered Personal Data under applicable Data Protection Laws and in a manner that does not identify individuals or Customer to improve our systems and services.
Upon written request, Artisan will confirm in writing the deletion of Customer Data and Personal Data within five (5) business days of completing deletion.
4. DATA SUBJECT REQUESTS
The Subscription Service provides you with a number of controls that you can use to retrieve, correct, delete or restrict Personal Data, which you can use to assist you in connection with your obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests").
To the extent that you are unable to independently address a Data Subject Request through the Subscription Service, then upon your written request we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. You will reimburse us for the commercially reasonable costs arising from this assistance.
If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
We will notify you of any Data Subject Request within five (5) business days of receipt. We will not respond substantively to any Data Subject Request on Customer’s behalf without Customer’s prior written authorization, except as required by applicable law.
With respect to Outbound Communications Data, Customer is solely responsible for maintaining and honoring opt-out, unsubscribe, erasure, or other requests received from Data Subjects contacted through the Services. Artisan will, upon Customer’s written instruction, assist with any such request as reasonably necessary and aid with technical suppression of contact records in the Subscription Service.
5. SUB-PROCESSORS
You agree we may engage Sub-Processors to Process Personal Data on your behalf. We have currently appointed, as Sub-Processors, the third parties and Artisan AI Affiliates listed in our Subprocessor List available at trust.artisan.co. If we add or replace any Sub-Processors, we will notify you at least 30 days prior to any such change.
We will give you the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 30 days of notifying you. If you do notify us of such an objection, the parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either not appoint the new Sub-Processor, cease to provide to you the particular aspect or feature of the Subscription Service that would involve use of such Sub-Processor, or permit you to suspend or terminate the affected Subscription Service without liability to either party (but without prejudice to any fees incurred by you prior to suspension or termination).
Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of our obligations under this DPA.
Where Sub-Processors provide foundation models or AI services, Artisan AI shall ensure by written contract that such Sub-Processors (i) act only as processors on behalf of Customer and not as a controller or joint controller; (ii) do not use Customer Data or Personal Data (including prompts, inputs and outputs) to train, fine-tune or otherwise improve any models for the benefit of other customers or for their own products; and (iii) delete such data within timelines consistent with this DPA and applicable Data Protection Laws.
6. DATA TRANSFERS
You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement, and in particular that Personal Data may be transferred to and Processed by Artisan AI, Inc. in the United States and to other jurisdictions where Artisan AI Affiliates and Sub-Processors have operations. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
7. DEMONSTRATION OF COMPLIANCE / AUDIT RIGHTS
We will make all information reasonably necessary to demonstrate compliance with this DPA available to you and allow for and contribute to audits, including inspections conducted by you or your auditor in order to assess compliance with this DPA, where required by applicable law. You acknowledge and agree that you will exercise your audit rights under this DPA by instructing us to comply with the audit measures described in this ‘Demonstration of Compliance’ section.
At your written request, we will provide written responses (on a confidential basis) to all reasonable requests for information made by you necessary to confirm our compliance with this DPA, provided that you will not exercise this right more than once per calendar year unless you have reasonable grounds to suspect non-compliance with the DPA. Where permitted by law, we may instead make available to you a summary of the results of a third-party audit or certification reports relevant to our compliance with this DPA.
You will reimburse us for the commercially reasonable costs arising from any audit that is not (a) required by applicable Data Protection Laws or (b) in response to a Personal Data Breach.
Artisan maintains a SOC 2 Type II report for its security controls. Upon Customer's written request, no more than once annually, Artisan will provide its then-current SOC 2 Type II report or executive summary under NDA, or, where a current report is not yet available for a particular Service or infrastructure component, a bridge letter or equivalent attestation from Artisan's auditor.
8. ADDITIONAL PROVISIONS FOR CALIFORNIA PERSONAL INFORMATION
a. Scope
The ‘Additional Provisions for California Personal Information’ section of the DPA will apply only with respect to California Personal Information.
b. Roles of the Parties
When processing California Personal Information in accordance with your Instructions, the parties acknowledge and agree that you are a Business and we are a Service Provider for the purposes of the CCPA.
c. Responsibilities
We certify that we will Process California Personal Information as a Service Provider strictly for the purpose of performing the Subscription Services and Consulting Services under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA, including as described in the ‘Usage Data’ section of our Privacy Policy. Further, we certify we (i) will not Sell or Share California Personal Information; (ii) will not Process California Personal Information outside the direct business relationship between the parties, unless required by applicable law; and (iii) will not combine the California Personal Information included in Customer Data with personal information that we collect or receive from another source (other than information we receive from another source in connection with our obligations as a Service Provider under the Agreement and as allowed under 11 CCR § 7052(b)).
d. Compliance
We will (i) comply with obligations applicable to us as a Service Provider under the CCPA and (ii) provide California Personal Information with the same level of privacy protection as is required by the CCPA. We will notify you if we make a determination that we can no longer meet our obligations as a Service Provider under the CCPA.
e. CCPA Audits
You will have the right to take reasonable and appropriate steps to help ensure that we use California Personal Information in a manner consistent with Customer’s obligations under the CCPA. Upon notice, you will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of California Personal Information.
f. Not a Sale
The parties acknowledge and agree that the disclosure of California Personal Information by the Customer to Artisan AI does not form part of any monetary or other valuable consideration exchanged between the parties.
9. GENERAL PROVISIONS
a. Amendments
Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, we reserve the right to make any updates and changes to this DPA and the terms that apply in the ‘Amendment; No Waiver’ section of the General Terms will apply.
b. Severability
If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
c. Limitation of Liability
Each party and each of their Affiliates’ liability, taken in aggregate, arising out of or related to this DPA (including any other DPAs between the parties) and the Standard Contractual Clauses, where applicable, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the ‘Limitation of Liability’ section of the Agreement (https://www.artisan.co/terms-of-use). For the avoidance of doubt, if Artisan AI, Inc. is not a party to the Agreement, the ‘Limitation of Liability’ section of the General Terms will apply as between you and Artisan AI, Inc.
d. Governing Law
This DPA will be governed by and construed in accordance with the ‘Dispute Resolution’ section of the Agreement, unless required otherwise by Data Protection Laws.
10. PARTIES TO THIS DPA
a. Permitted Affiliates
By signing the Agreement, you enter into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of yourself and in the name and on behalf of your Permitted Affiliates.
b. Authorization
The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
c. Remedies
The parties agree that (i) solely the Customer entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together.
d. Other Rights
The parties agree that you will, when reviewing our compliance with this DPA pursuant to the ‘Demonstration of Compliance / Audit Rights’ section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Customer entity that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.
11. INTERNATIONAL DATA TRANSFERS
a. The parties agree that, to the extent required by applicable Data Protection Laws, the terms of the EU Standard Contractual Clauses, as completed as described in Exhibits A, B, and C of this DPA, are deemed entered into by the parties and hereby incorporated into this DPA by reference.
b. To the extent required by applicable Data Protection Laws, the jurisdiction-specific addenda to the SCCs are also deemed entered into by the parties and incorporated herein by reference, for example, if UK GDPR governs, the UK Addendum shall apply, and if Swiss DPA governs, the Swiss Addendum shall apply, and any specified modifications to the SCCs shall apply as required.
c. Module Two (Controller to Processor) of the EU SCCs shall apply when Customer is a controller and Artisan is processing Personal Data as a processor, and Module Three (Processor to Sub-Processor) of the EU SCCs shall apply when Customer is a processor and Artisan is processing Personal Data as a sub-processor.
d. For each module of the EU SCCs, where applicable, the following applies:
i. The optional docking clause in Clause 7 does not apply;
ii. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 5 of this DPA;
iii. In Clause 11, the optional language does not apply;
iv. All square brackets in Clause 13 are hereby removed;
v. In Clause 17 (Option 1), the EU SCCs will be governed by the law of the Republic of Ireland;
vi. In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
vii. Exhibit A to this DPA contains the information required in Annex I of the EU SCCs;
viii. Exhibit B to this DPA contains the information required in Annex II of the EU SCCs; and
ix. Exhibit C to this DPA contains the information required in Annex III of the EU SCCs.
e. For the UK Addendum, if applicable, the parties will comply with the terms of Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B1.0. The parties also agree (i) that the information included in Part 1 of the UK Addendum is as set out in Exhibit A to this DPA and (ii) that either party may end the UK Addendum as set out in Section 19 of the UK Addendum.
12. AI PROCESSING; OUTBOUND COMMUNICATIONS
Nature of AI Processing
Customer acknowledges that the Subscription Services involve the use of large language models (LLMs) and other AI technologies to facilitate, personalize, and deliver outbound communications, including emails and voice calls, on Customer’s behalf. The following provisions govern Artisan’s obligations with respect to AI-based Processing under this DPA.
a. Artisan as Processor for AI-Generated Communications
Artisan processes Outbound Communications Data as a Processor acting solely on Customer’s Instructions. Artisan only suggests recipients based on Customer-provided criteria, does not determine the content of communications beyond executing Customer’s configured parameters, and does not assess the lawfulness of any individual communication. Customer is the Controller for all purposes with respect to Outbound Communications Data.
b. No AI Training on Customer Personal Data
Artisan will not use Personal Data contained in Customer Data (including Outbound Communications Data) to train, fine-tune, benchmark, or improve any AI model outside the scope of delivering the Subscription Services to Customer under this Agreement, without Customer’s prior express written consent, unless in anonymized or aggregated form that cannot be re-identified. Usage Data (as defined in the Agreement), once de-identified and anonymized or aggregated, may be used to improve Artisan’s services consistent with the Agreement.
c. Automated Decision-Making
The Subscription Services involve profiling of Data Subjects under GDPR Article 4(4) but are not designed or intended to automate decisions with legal or similarly significant effects on Data Subjects within the meaning of GDPR Article 22. Artisan does not represent that its Services comply with Article 22 safeguards. Customer is fully responsible for providing transparency notices required under GDPR Articles 13 and 14 to all Data Subjects whose personal data is processed using the Services, including contact data provided by third parties. Artisan will provide reasonable technical assistance to support Customer’s compliance obligations upon request.
d. Consent Records for Outbound Communications
Customer is responsible for maintaining records of consent, legitimate interest assessments (LIAs), or other legal bases relied upon for Outbound Communications Data, for such periods as required by applicable law. Artisan has no obligation to store or verify consent records on Customer’s behalf. Upon Customer’s written request, Artisan will provide reasonable technical assistance to help Customer retrieve data relating to specific contacts from the Subscription Service to support Customer’s own consent record-keeping obligations.
EXHIBIT A – DETAILS OF PROCESSING
A. List of Parties
Data Exporter:
Name: The Customer, as defined in the Artisan AI Customer Terms of Service (on behalf of itself and Permitted Affiliates)
Address: The Customer’s address, as set out in the Order Form
Contact person: The Customer’s contact details, as set out in the Order Form and/or as set out in the Customer’s Artisan AI Account
Role: Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller)
Data Importer:
Name: Artisan AI, Inc.
Address: 2261 Market Street STE 62890, San Francisco, CA 94114
Contact person: Legal/Privacy Team, Artisan AI, Inc., 2261 Market Street STE 62890, San Francisco, CA 94114, e-mail notice at privacy@artisan.co
Activities relevant to the data transferred: Processing of Personal Data in connection with Customer’s use of the Artisan AI Subscription Services under the Artisan AI Customer Terms of Service
Role: Processor (directly or acting in the capacity of a Sub-Processor, if Customer is a Processor)
B. Description of Transfer
Categories of Data Subjects
You may submit Personal Data in the course of using the Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
- Your Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to your end users.
- Outbound Communications Data Subjects: Individuals whose contact information is provided by Customer or sourced from third-party data providers made available through the Services, including prospective customers contacted by Artisan agents on Customer’s behalf.
Categories of Personal Data Transferred
You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
- Contact Information (as defined in the General Terms).
- Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Subscription Service.
- For Outbound Communications Data: name, professional email address, business phone number, professional title, employer name, LinkedIn profile URL, and other business contact details.
Sensitive Data
The parties do not anticipate the transfer of sensitive data. Customer warrants it will not submit special categories of data (as defined under GDPR Article 9) to the Subscription Services.
Frequency of Transfer
Continuous to the extent that Personal Data is needed for fulfillment of the Subscription Services.
Nature of the Processing
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
- Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to you; and/or
- Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
- Generation and delivery of outbound emails and facilitation of voice calls on Customer’s behalf using AI-powered Artisan agents.
- AI-assisted lead enrichment, sequencing, and personalization of outbound communications based on Customer Data and third-party data.
Purpose of Transfer
We will Process Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Subscription Services.
Period for Which Personal Data Will Be Retained
Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, we will Process Personal Data for the duration of the Agreement, and any additional retention period reasonably necessary and proportionate, unless otherwise agreed in writing.
EXHIBIT B – SECURITY MEASURES
We currently observe the Security Measures described in this Exhibit B.
a. Access Control
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. We maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers’ data centers. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems.
Artisan maintains a SOC 2 Type II report for its security controls. Upon Customer's written request, no more than once annually, Artisan will provide its then-current SOC 2 Type II report or executive summary (as applicable to the relevant Services) under NDA, together with management’s remediation plans for any exceptions, or, where a current report is not yet available for a particular Service or infrastructure component, a bridge letter or equivalent attestation from Artisan's auditor.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure.
API access: Public product APIs may be accessed using an API key or through OAuth authorization.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure, including VPC implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications.
Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.
Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for penetration testing of both the Artisan AI web application and internal corporate network infrastructure at least annually.
Bug bounty: A bug bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws.
Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. Access is enabled through “just in time” (JITA) requests for access; all such requests are logged. Administrative or high risk access permissions are reviewed at least once every six months.
Background checks: Where permitted by applicable law, Artisan AI employees undergo a third-party background or reference check. All Artisan AI employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
b. Transmission Control
In-transit: We require HTTPS encryption (also referred to as SSL or TLS) on all login interfaces and for every customer site hosted on the Artisan AI products. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
c. Input Control
Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel.
d. Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure.
Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes.
EXHIBIT C – SUB-PROCESSORS
To help Artisan AI deliver the Subscription Service, we engage Sub-Processors to assist with our data processing activities. Please find a list of our Sub-Processors through Artisan’s Trust Center at trust.artisan.co.