Overlook Data Processing Addendum

Version 1.0 · Effective Date: May 1, 2026

Issued by Overlook AI, Inc., a Delaware corporation

This Data Processing Addendum (this “DPA”) forms part of, and is incorporated into, the Overlook Subscription and Software License Agreement, Terms of Service, Order Form, Professional Services Addendum, or other written agreement between Overlook AI, Inc. (“Overlook”) and the customer that has accepted or executed the applicable agreement (“Customer”) governing Customer’s use of the Services (the “Agreement”). This DPA applies to the extent Overlook Processes Customer Personal Data on behalf of Customer in connection with the Services. Except as expressly modified by this DPA, the Agreement remains in full force and effect.

This DPA is intended to satisfy, where applicable, the requirements for agreements between controllers and processors under Article 28 of the GDPR, equivalent requirements under UK Data Protection Law and Swiss Data Protection Law, and service provider, contractor, processor, or equivalent contract requirements under applicable United States state privacy laws. This DPA does not authorize Customer to submit categories of data that are prohibited under the Agreement, the Acceptable Use Policy, or an applicable Order Form.

1. Definitions

For purposes of this DPA, the terms “Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Process,” “Processed,” “Processing,” “Processor,” “Subprocessor,” and “Supervisory Authority” have the meanings given to them under Applicable Data Protection Law. To the extent a term is not defined under a particular Applicable Data Protection Law, it has the meaning most closely analogous to the meaning used under the GDPR. Capitalized terms not defined in this DPA have the meanings given in the Agreement.

“Applicable Data Protection Law” means all privacy, data protection, data security, and breach notification laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, which may include, as applicable, the GDPR, UK Data Protection Law, Swiss Data Protection Law, the California Consumer Privacy Act as amended by the California Privacy Rights Act and its implementing regulations (the “CCPA”), and other United States state privacy laws that impose controller, processor, business, service provider, contractor, or similar obligations.

“Customer Personal Data” means Personal Data contained in Customer Data, Customer Materials, Customer Content, Customer assessment responses, completed Business-led AI Management Canvas entries, AI Profile content, workshop inputs, service notes, support communications, or other Customer-controlled information that Overlook Processes on behalf of Customer in connection with the Services. Customer Personal Data does not include Overlook Account Data or Overlook Proprietary Materials.

“Overlook Account Data” means Personal Data that Overlook Processes as an independent controller for its own business purposes, including account administration, billing administration, contracting, security, fraud prevention, legal compliance, product communications, customer relationship management, and similar business operations, as described in the Overlook Privacy Policy.

“Overlook Proprietary Materials” means Overlook’s software, platform, APIs, documentation, templates, frameworks, methods, scoring logic, weighting structures, Business-led AI Management Assessment and Scorecard, Business-led AI Management Canvas design, non-public concepts, service delivery methods, training materials, facilitation guides, internal playbooks, know-how, and related intellectual property. Overlook Proprietary Materials are not Customer Personal Data merely because Customer receives, views, uses, or interacts with them in connection with the Services.

“Restricted Data” means categories of information that the Services are not intended to receive or process unless expressly authorized in a written agreement, including protected health information subject to HIPAA, payment card data subject to PCI DSS, classified information, export-controlled technical data, precise government sensitive information requiring special handling, biometric identifiers, special-category personal data, or other highly sensitive regulated information requiring safeguards not expressly included in the applicable Order Form.

2. Roles of the Parties

The parties acknowledge that, with respect to Customer Personal Data, Customer is the Controller, business, or equivalent determining party, and Overlook is the Processor, service provider, contractor, or equivalent processing party, except to the extent Customer acts as a Processor on behalf of a third-party Controller, in which case Overlook acts as Customer’s Subprocessor. Overlook will Process Customer Personal Data only for the limited and specified purposes described in the Agreement, this DPA, the applicable Order Form, and Customer’s documented instructions.

Overlook may Process Overlook Account Data as an independent controller for its own lawful business purposes. The parties acknowledge that this DPA does not apply to Overlook Account Data except to the extent Applicable Data Protection Law requires otherwise. Overlook’s Processing of Overlook Account Data is governed by the Overlook Privacy Policy.

For clarity, Customer-specific assessment responses, Customer-specific assessment results, completed Customer Canvas entries, Customer-specific AI Profile content, Customer-specific operating-area information, Customer-specific service notes, and Customer-specific product records may constitute Customer Personal Data to the extent they contain Personal Data. The underlying Assessment, Scorecard, scoring logic, Canvas design, facilitation methodology, product workflow, training materials, and other Overlook Proprietary Materials remain Overlook property and are not Customer Personal Data.

3. Customer Instructions

Customer instructs Overlook to Process Customer Personal Data as necessary to provide, secure, support, maintain, improve, and administer the Services purchased or used by Customer, to perform professional services and support activities requested by Customer, to comply with the Agreement, to comply with applicable law, and as otherwise documented in the Agreement, an Order Form, a Services Schedule, a support request, product configuration, or other written instruction from Customer. Overlook will not Process Customer Personal Data for any purpose materially inconsistent with those instructions unless required by applicable law.

If Overlook believes that a Customer instruction infringes Applicable Data Protection Law, Overlook will inform Customer unless prohibited by law. Overlook is not responsible for determining whether Customer’s instructions comply with laws applicable to Customer’s business, Customer’s AI systems, Customer’s end users, or Customer’s use cases.

Customer acknowledges that use of certain product features, integrations, customer-managed deployments, support channels, or professional services may require Customer to provide additional instructions through configuration choices or communications with Overlook. Customer is responsible for the accuracy, lawfulness, and sufficiency of those instructions.

4. Customer Responsibilities

Customer is responsible for Customer’s compliance with Applicable Data Protection Law, including determining the lawful basis for Processing Customer Personal Data, providing required notices, obtaining required consents or authorizations, responding to Data Subjects where Customer controls the relationship, ensuring the accuracy and appropriateness of Customer Personal Data, and determining whether the Services are suitable for the categories of Personal Data Customer elects to submit.

Customer shall not submit Restricted Data to the Services unless expressly authorized in a written agreement that identifies the relevant data category and any additional required safeguards. Unless Overlook has executed a separate business associate agreement, Overlook is not acting as a business associate under HIPAA. Unless expressly agreed in writing, Overlook does not provide PCI DSS payment-card processing services for Customer Data and Customer shall not submit full payment card data to the Services.

Customer shall ensure that Customer’s authorized users, administrators, contractors, consultants, and other representatives use the Services in compliance with the Agreement, the Acceptable Use Policy, this DPA, and Customer’s own privacy obligations. Customer remains responsible for access controls, user permissions, endpoint security, Customer-managed infrastructure, and the privacy impact of Customer’s use of the Services.

Where Customer uses the Services to manage information concerning Customer’s AI systems, operating AIs, AI Profiles, behavior scenarios, assessment results, Canvas entries, validation records, verification records, or related operational artifacts, Customer remains responsible for determining whether that information includes Personal Data, whether Customer has authority to provide it to Overlook, and whether Customer’s use of that information complies with laws applicable to Customer’s industry, workers, customers, citizens, patients, users, or other affected persons.

5. Overlook Processor Obligations

Overlook will Process Customer Personal Data only in accordance with this DPA and Customer’s documented instructions. Overlook will not sell Customer Personal Data, share Customer Personal Data for cross-context behavioral advertising, retain, use, or disclose Customer Personal Data outside the business relationship with Customer except as permitted by the Agreement and Applicable Data Protection Law, or combine Customer Personal Data with Personal Data received from other customers except as permitted by Applicable Data Protection Law.

Overlook will ensure that personnel authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations or an appropriate statutory duty of confidentiality. Overlook will take commercially reasonable steps to ensure that such personnel Process Customer Personal Data only as necessary to provide the Services and perform their obligations.

Overlook will not use Customer Personal Data to train generally available artificial intelligence models or third-party foundation models except where Customer expressly authorizes such use in a written agreement. Overlook may use de-identified or aggregated information derived from operation of the Services to improve, secure, and analyze the Services, provided such information does not identify Customer or any Data Subject and is maintained in accordance with applicable de-identification requirements.

Overlook will reasonably cooperate with Customer to help Customer demonstrate compliance with Customer’s obligations under Applicable Data Protection Law, taking into account the nature of the Processing, the information available to Overlook, the functionality of the Services, and the parties’ respective roles. Overlook may charge reasonable fees for assistance that exceeds standard product functionality or ordinary support, unless prohibited by law or expressly included in the applicable Order Form.

6. Security Measures

Overlook will implement and maintain commercially reasonable technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure. Those measures are described generally in the Security Addendum and Schedule 2 to this DPA. Overlook may update or modify security measures from time to time, provided that Overlook will not materially diminish the overall security posture applicable to Customer Personal Data during a then-current paid subscription term without a legitimate security, legal, operational, or technical reason.

Customer acknowledges that security is a shared responsibility. Overlook is responsible for the security of systems under Overlook’s operational control. Customer is responsible for secure configuration and use of the Services, account administration, user permissions, identity-provider settings, endpoint security, Customer-managed infrastructure, Customer-selected integrations, and any customer-cloud, on-premises, air-gapped, or other customer-controlled environment unless the applicable Order Form expressly assigns a responsibility to Overlook.

7. Subprocessors

Customer grants Overlook general authorization to engage Subprocessors to Process Customer Personal Data in connection with the Services. Subprocessors may include cloud hosting providers, infrastructure providers, communications providers, support tools, analytics providers, identity, billing, security, and professional services providers. Overlook will enter into a written agreement with each Subprocessor imposing data protection obligations materially consistent with the obligations imposed on Overlook under this DPA to the extent applicable to the Subprocessor’s services.

Overlook will make available a list of material Subprocessors upon reasonable request or through a trust page, documentation page, or other designated notice mechanism. Overlook will provide notice of material new Subprocessors where required by Applicable Data Protection Law or the Agreement. Customer may object to a material new Subprocessor on reasonable data protection grounds by providing written notice within ten (10) business days after notice is given. The parties will work in good faith to address Customer’s objection. If the parties cannot resolve the objection, Customer’s sole remedy will be to terminate the affected Services to the extent Overlook cannot provide them without the objected-to Subprocessor, and Overlook will refund prepaid unused fees for the terminated affected Services, if any, as set forth in the Agreement.

Overlook remains responsible for Subprocessors’ performance of their data protection obligations to the extent required by Applicable Data Protection Law and subject to the limitations of liability in the Agreement.

8. Data Subject Requests

Taking into account the nature of the Processing and the functionality of the Services, Overlook will provide commercially reasonable assistance to Customer in responding to requests from Data Subjects exercising rights under Applicable Data Protection Law, including requests to access, correct, delete, restrict, object to, or receive a copy of Customer Personal Data. To the extent Customer can fulfill a request through the Services, Customer is responsible for doing so.

If Overlook receives a request from a Data Subject concerning Customer Personal Data, Overlook may direct the Data Subject to Customer unless Overlook is legally required to respond directly. Customer is responsible for verifying the identity and authority of Data Subjects and for determining whether a request should be granted, denied, or limited under Applicable Data Protection Law.

9. Personal Data Breach and Security Incidents

Overlook will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data Processed by Overlook on behalf of Customer. Overlook’s notice will include information reasonably available to Overlook and reasonably necessary for Customer to meet Customer’s breach notification obligations, taking into account the nature of the incident and the information available to Overlook at the time.

Overlook will take commercially reasonable steps to investigate, contain, mitigate, and remediate a confirmed Personal Data Breach affecting Customer Personal Data under Overlook’s control. Overlook may provide updates as additional material information becomes available. Notification of, or response to, a Personal Data Breach does not constitute an admission of fault, liability, or violation of law.

Customer is responsible for determining whether to notify Data Subjects, regulators, customers, employees, contractors, or other third parties of a Personal Data Breach, except to the extent Applicable Data Protection Law requires Overlook to provide notice directly. Customer shall not identify Overlook in any public statement concerning a Personal Data Breach without Overlook’s prior written consent unless required by law, in which case Customer shall provide Overlook with advance notice where legally permitted.

10. DPIAs, Risk Assessments, and Regulatory Cooperation

Taking into account the nature of the Processing and the information available to Overlook, Overlook will provide commercially reasonable assistance to Customer with data protection impact assessments, privacy risk assessments, transfer assessments, cybersecurity assessments, and consultations with Supervisory Authorities or regulators, to the extent such assistance is required by Applicable Data Protection Law and relates to Overlook’s Processing of Customer Personal Data.

Customer remains responsible for determining whether Customer’s use of the Services triggers an impact assessment, risk assessment, cybersecurity audit, automated decision-making notice, human review requirement, or similar legal obligation. Overlook’s assistance under this section does not constitute legal advice, regulatory certification, compliance attestation, or a guarantee that Customer’s use of the Services satisfies Customer’s legal obligations.

11. Return and Deletion

Upon expiration or termination of the Agreement, Overlook will delete or return Customer Personal Data in accordance with the Agreement, the applicable product functionality, Overlook’s retention practices, and applicable law. Customer is responsible for exporting Customer Personal Data before termination where product functionality permits export.

Overlook may retain Customer Personal Data to the extent required by law, maintained in backups or archival systems pending ordinary deletion cycles, necessary to resolve disputes, enforce agreements, prevent fraud or abuse, maintain security logs, comply with legal obligations, or protect legal rights. Any retained Customer Personal Data remains subject to this DPA for so long as Overlook retains it.

12. Audits and Information Rights

Overlook will make available information reasonably necessary to demonstrate compliance with this DPA, which may include security documentation, audit summaries, third-party assessment reports, certifications if then-currently available, standard questionnaires, or written responses. Customer shall treat such information as Overlook Confidential Information.

If the information provided by Overlook is insufficient to meet Customer’s audit obligations under Applicable Data Protection Law, Customer may request an audit of Overlook’s relevant Processing of Customer Personal Data. Any audit must be conducted no more than once in any twelve-month period unless required by a regulator or following a confirmed Personal Data Breach, must be conducted during normal business hours, must not unreasonably interfere with Overlook’s operations, must be subject to reasonable confidentiality, security, and access restrictions, and must not include access to systems, data, or confidential information of other customers. Overlook may satisfy audit requests through independent third-party reports or certifications where reasonably appropriate.

Customer shall reimburse Overlook for reasonable costs associated with audit assistance that exceeds Overlook’s standard compliance materials, unless prohibited by Applicable Data Protection Law or expressly included in an Order Form.

13. International Data Transfers

Customer authorizes Overlook and its Subprocessors to Process Customer Personal Data in the United States and other jurisdictions where Overlook or its Subprocessors operate, subject to this DPA and Applicable Data Protection Law. Where Customer Personal Data is transferred from a jurisdiction that requires an approved transfer mechanism to a jurisdiction that has not been recognized as providing adequate protection, the parties agree that the applicable transfer mechanism described in Schedule 4 will apply.

For transfers of Customer Personal Data subject to the GDPR from the European Economic Area to Overlook in a country not subject to an adequacy decision, the parties incorporate the European Commission standard contractual clauses for international transfers adopted by Commission Implementing Decision (EU) 2021/914, as applicable. Unless otherwise stated in Schedule 4, Module Two applies where Customer is a Controller and Overlook is a Processor, and Module Three applies where Customer is a Processor and Overlook is a Subprocessor.

For transfers of Customer Personal Data subject to UK Data Protection Law, the parties incorporate the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses or another lawful transfer mechanism recognized under UK Data Protection Law, as applicable. For transfers subject to Swiss Data Protection Law, the EU SCCs will be interpreted to account for Swiss requirements as described in Schedule 4.

If the applicable transfer mechanism is invalidated, amended, replaced, or no longer reasonably supports the transfer, the parties will cooperate in good faith to implement a replacement mechanism that permits continued lawful Processing of Customer Personal Data. Customer acknowledges that Overlook may be unable to provide some Services if a lawful transfer mechanism is unavailable.

14. United States State Privacy Law Terms

To the extent Customer Personal Data is subject to the CCPA or another United States state privacy law that imposes contractual requirements on processors, service providers, contractors, or similar entities, Overlook will Process such Customer Personal Data only for the limited and specified business purposes described in the Agreement, this DPA, and Customer’s documented instructions. Overlook will not sell or share such Customer Personal Data, retain, use, or disclose such Customer Personal Data outside the direct business relationship between Overlook and Customer, or retain, use, or disclose such Customer Personal Data for a commercial purpose other than the business purposes specified in the Agreement, except as permitted by applicable law.

Overlook will not combine Customer Personal Data subject to the CCPA with Personal Data that Overlook receives from or on behalf of another person or collects from its own interaction with a consumer, except as permitted for service providers or contractors under the CCPA. Overlook certifies that it understands and will comply with the restrictions in this section to the extent applicable.

Overlook will notify Customer if Overlook determines that it can no longer meet its obligations under applicable United States state privacy laws with respect to Customer Personal Data. Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data, including by providing written instructions to Overlook, subject to the Agreement, this DPA, and reasonable technical and operational limitations.

15. Professional Services Data

If Customer purchases professional services, onboarding, workshops, training, assessments, guided implementation, Business-led AI Management Foundations services, or similar services, this DPA applies to Customer Personal Data Processed by Overlook in connection with those services. Customer-specific assessment responses, Customer-specific assessment results, completed Canvas entries, AI Profile content, Customer operating-area information, workshop notes, and Customer-specific service outputs are treated as Customer Personal Data to the extent they contain Personal Data and are subject to the Agreement, this DPA, and the Professional Services Addendum.

Overlook Proprietary Materials used or disclosed during professional services, including the Business-led AI Management Assessment, Scorecard, Canvas design, interpretive frameworks, scoring logic, workshop methods, facilitation techniques, training materials, service playbooks, and non-public concepts, are not Customer Personal Data and are not transferred to Customer by virtue of their use in a services engagement. Customer shall not use Customer Personal Data rights, privacy requests, audit rights, or similar mechanisms to obtain Overlook Proprietary Materials or reverse engineer Overlook methodologies.

16. De-Identified and Aggregated Information

Subject to the Agreement and Applicable Data Protection Law, Overlook may create and use de-identified, anonymized, or aggregated information derived from the Services for security, analytics, product improvement, benchmarking, operational insights, and development of Overlook methodologies, provided that such information does not identify Customer or any Data Subject and Overlook maintains such information in de-identified, anonymized, or aggregated form except as permitted by law.

Nothing in this section permits Overlook to disclose Customer Confidential Information in identifiable form or to use Customer Personal Data in a manner prohibited by this DPA.

17. Licensed Software and Customer-Controlled Environments

Where Customer deploys Licensed Software in a Customer-controlled environment and Overlook does not host or access Customer Personal Data, Overlook may not Process Customer Personal Data for that deployment except as Customer submits information to Overlook for support, maintenance, professional services, telemetry, logs, diagnostics, or other agreed services. In those circumstances, this DPA applies only to Customer Personal Data actually Processed by Overlook.

Customer remains responsible for privacy, security, retention, deletion, access control, logging, and regulatory compliance in Customer-controlled deployments except to the extent an Order Form or separate written agreement expressly assigns specific responsibilities to Overlook.

18. Order of Precedence

In the event of a conflict between this DPA and the Agreement concerning the Processing of Customer Personal Data, this DPA controls solely to the extent of the conflict. In the event of a conflict between this DPA and the EU SCCs, UK Addendum, or another transfer mechanism required by Applicable Data Protection Law, the applicable transfer mechanism controls solely to the extent required by law. In the event of a conflict between this DPA and a negotiated Order Form or data protection exhibit expressly signed by both parties, the negotiated document controls solely with respect to the specific subject matter it expressly modifies, unless prohibited by Applicable Data Protection Law.

19. Liability

Each party’s liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability in the Agreement, except to the extent such limitations or exclusions are prohibited by Applicable Data Protection Law or would impair Data Subject rights under the EU SCCs or another mandatory transfer mechanism. This DPA does not expand either party’s remedies except as expressly required by Applicable Data Protection Law.

20. Changes to this DPA

Overlook may update this DPA from time to time to reflect changes in the Services, Applicable Data Protection Law, transfer mechanisms, subprocessors, security practices, or business operations. Overlook will not materially reduce protections for Customer Personal Data during a then-current paid subscription term except as required by law or to address a legitimate security, compliance, operational, or technical concern. If Customer objects to a material update on reasonable data protection grounds, the parties will discuss the objection in good faith.

SCHEDULE 1
DETAILS OF PROCESSING

This Schedule 1 describes the Processing of Customer Personal Data for purposes of Article 28 of the GDPR and analogous requirements under other Applicable Data Protection Laws. The actual Processing depends on Customer’s configuration, use of the Services, Order Forms, and any professional services purchased by Customer.

Subject Matter: Provision of Overlook’s business-led AI management platform, hosted services, licensed software support, professional services, onboarding, training, configuration assistance, customer support, security, administration, and related services.

Duration: For the term of the Agreement and any applicable Order Form, and for any additional period during which Overlook Processes Customer Personal Data in accordance with the Agreement, this DPA, retention obligations, backup cycles, legal requirements, or dispute preservation needs.

Nature and Purpose: Hosting, storing, transmitting, organizing, displaying, configuring, analyzing, securing, troubleshooting, supporting, and otherwise Processing Customer Personal Data as necessary to provide and improve the Services, perform professional services, administer Customer accounts, support users, maintain security, comply with law, and follow Customer’s documented instructions.

Categories of Data Subjects: Customer’s authorized users, administrators, employees, contractors, representatives, business stakeholders, workshop participants, support contacts, and any individuals whose Personal Data Customer includes in Customer Data, Customer Materials, AI Profiles, assessment responses, Canvas entries, operating-area records, or other Customer-controlled content.

Categories of Personal Data: Business contact information, user account identifiers, authentication data, role and permission information, support communications, usage metadata, device and network information, Customer-provided operational information, assessment responses, Customer-specific scorecard outputs, Canvas entries, AI Profile information, workshop notes, and other Personal Data Customer elects to submit.

Sensitive Data: The Services are not intended to Process Restricted Data unless expressly authorized in a written agreement. Customer is responsible for avoiding submission of Restricted Data absent written authorization.

Frequency of Transfer: Continuous or as initiated by Customer, Customer’s authorized users, the Services, support interactions, professional services activities, or integrations configured by Customer.

Subprocessors: Overlook may use Subprocessors as described in Section 7 and Schedule 3.

SCHEDULE 2
TECHNICAL AND ORGANIZATIONAL MEASURES

Overlook will maintain commercially reasonable technical and organizational measures designed to protect Customer Personal Data. These measures may evolve over time based on the Services, deployment model, threat environment, legal requirements, and Overlook’s business maturity, provided that Overlook will not materially reduce the overall level of protection during a then-current paid subscription term without a legitimate reason.

Security Governance: Overlook maintains an information security program designed to protect the confidentiality, integrity, and availability of the Services and Customer Personal Data under Overlook’s operational control.

Access Controls: Overlook uses role-based access controls, least-privilege principles, authentication controls, and administrative access restrictions designed to limit access to personnel with a business need.

Encryption: Overlook uses commercially reasonable measures to encrypt data in transit over public networks and may use encryption at rest for systems and storage layers under Overlook’s operational control where commercially reasonable and appropriate.

Logging and Monitoring: Overlook maintains logging, monitoring, and alerting practices designed to support security operations, troubleshooting, incident investigation, and service reliability.

Vulnerability Management: Overlook maintains commercially reasonable vulnerability identification, patching, and remediation processes, with remediation prioritized based on severity, exploitability, operational risk, and service impact.

Personnel Controls: Overlook personnel authorized to Process Customer Personal Data are subject to confidentiality obligations and receive security guidance appropriate to their roles.

Subprocessor Controls: Overlook evaluates and engages Subprocessors subject to written obligations materially consistent with the data protection obligations applicable to their services.

Business Continuity: Overlook maintains commercially reasonable backup, resilience, and recovery measures for Hosted Services under Overlook’s operational control. Recovery commitments, if any, are governed by the SLA or applicable Order Form.

Customer-Managed Environments: For Licensed Software, customer-cloud, on-premises, air-gapped, or other Customer-controlled environments, Customer is responsible for infrastructure security, operating system security, network controls, identity configuration, backups, monitoring, patching of Customer-managed components, and physical security unless expressly agreed otherwise.

SCHEDULE 3
SUBPROCESSOR TERMS

Customer authorizes Overlook to use Subprocessors as described in this DPA. Material Subprocessors may include cloud infrastructure providers, hosting providers, billing providers, identity providers, email and communication providers, analytics and logging providers, customer-support tools, security tools, and professional services contractors. Overlook will make a current list of material Subprocessors available upon reasonable request or through designated documentation. Customer’s objection rights are set forth in Section 7.

SCHEDULE 4
INTERNATIONAL DATA TRANSFER TERMS

This Schedule 4 applies to Restricted Transfers of Customer Personal Data that require an approved transfer mechanism under Applicable Data Protection Law.

For transfers subject to the GDPR, the parties incorporate the European Commission standard contractual clauses for international transfers adopted by Commission Implementing Decision (EU) 2021/914. Module Two applies where Customer is a Controller and Overlook is a Processor. Module Three applies where Customer is a Processor and Overlook is a Subprocessor. Clause 7 (docking clause) applies if the parties expressly agree to its use. Clause 9(a) option 2 (general written authorization for subprocessors) applies, with the notice period described in Section 7 of this DPA. Clause 11(a) optional language does not apply. Clause 17 and Clause 18 are governed by the law and forum determined under the SCCs, unless the parties identify a specific permitted member state in an Order Form or transfer exhibit.

For transfers subject to UK Data Protection Law, the parties incorporate the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, unless the parties execute the UK International Data Transfer Agreement or another lawful transfer mechanism. For purposes of the UK Addendum, the information required by the tables is deemed completed by the Agreement, this DPA, Schedule 1, Schedule 2, and the applicable Order Form, and the importer may end the UK Addendum as permitted by its terms only where a valid replacement transfer mechanism applies.

For transfers subject to Swiss Data Protection Law, references in the SCCs to the GDPR will be interpreted to include the Swiss Federal Act on Data Protection, references to EU member states will be interpreted to permit Data Subjects in Switzerland to exercise rights in Switzerland, and the Swiss Federal Data Protection and Information Commissioner will be the competent authority to the extent required by Swiss law.

The annexes to the SCCs are completed as follows: Annex I.A is completed by the parties’ information in the Agreement and Order Form; Annex I.B is completed by Schedule 1; Annex I.C is the competent Supervisory Authority determined under Clause 13 of the SCCs; Annex II is completed by Schedule 2; and Annex III is completed by Schedule 3.

SCHEDULE 5
OVERLOOK CONTACTS

Privacy notices, data protection requests, and DPA-related communications may be sent to privacy@overlookai.com. Legal notices may be sent to legal@overlookai.com in accordance with the notice provisions of the Agreement. Overlook’s mailing address is Overlook AI, Inc., 8 The Green STE B, Dover, DE 19901, USA.