Legal

Data Processing Addendum

Education Bot, Inc. (operating as swivl)  ·  Effective Date: January 10, 2026  ·  Last Updated: January 10, 2026

1. Scope and Applicability

This DPA applies to any Processing of Personal Information by swivl in connection with its provision of the Services, including platform access (swivlStudio), SMS and voice AI features, hosting, Support Services, and any Professional Services performed under the Agreement. The subject matter, duration, nature, purpose, and categories of Personal Information are described in Attachment A, which forms an integral part of this DPA.

---

2. Definitions

Term	Definition
"Controller"	The entity that determines the purposes and means of Processing Personal Information. Customer is the Controller (or "Business" under CCPA) with respect to Customer Data.
"Customer Data"	All Personal Information submitted by or on behalf of Customer through or in connection with the Services, including tenant data, lead data, and communications data.
"Data Breach"	Any actual or reasonably suspected unauthorized access to, acquisition of, disclosure of, loss of, alteration of, or destruction of Personal Information Processed by swivl or its Subprocessors in connection with the Services.
"Data Protection Laws"	All applicable federal, state, provincial, and local laws relating to data privacy, protection, or security, including CCPA/CPRA, PIPEDA, and applicable Canadian provincial privacy laws.
"Personal Information"	Any information that identifies, relates to, or could reasonably be linked to an identified or identifiable natural person, as defined under applicable Data Protection Laws, including information contained within Customer Data.
"Processing"	Any operation performed on Personal Information, whether by automated means or otherwise, including collection, recording, organization, storage, use, disclosure, transmission, or deletion.
"Processor"	The entity that Processes Personal Information on behalf of the Controller. swivl acts as the Processor (or "Service Provider" under CCPA) with respect to Customer Data.
"Subprocessor"	Any third party engaged by swivl to Process Personal Information on its behalf in connection with the Services.

---

3. Roles of the Parties

Customer acts as the Controller and determines the purposes and means of Processing Personal Information submitted through the Services. swivl acts as the Processor and Processes Personal Information only on behalf of and under the instructions of Customer. Customer retains all right, title, and interest in and to Personal Information included within Customer Data. swivl acquires no rights in or to such Personal Information except as necessary to provide the Services.

---

4. Processing Instructions

4.1 Instructions

swivl shall Process Personal Information only on documented instructions from Customer, as set forth in the Agreement and this DPA, unless Processing is required by applicable law. If applicable law requires Processing beyond Customer's instructions, swivl shall inform Customer before Processing, unless prohibited by law.

4.2 Scope of Processing

swivl shall not retain, use, disclose, sell, share, or otherwise Process Personal Information for any purpose other than performing the Services as specified in the Agreement, complying with applicable laws, or as otherwise expressly permitted in writing by Customer. swivl shall not Process Customer Data for its own commercial purposes, including profiling, marketing, or advertising.

4.3 CCPA Service Provider Obligations

To the extent CCPA applies, swivl certifies that it understands the restrictions of this DPA and will comply with its obligations as a Service Provider. swivl shall not sell or share Customer's Personal Information, shall not retain, use, or disclose Personal Information for a commercial purpose other than providing the Services, and shall not combine Personal Information received from Customer with personal information received from other sources except as permitted by CCPA.

---

5. Security Measures

swivl shall implement and maintain administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of Personal Information against unauthorized access, use, disclosure, alteration, or destruction. swivl shall ensure that personnel authorized to Process Personal Information are subject to written confidentiality obligations. Details are set forth in Attachment B. swivl may update its security measures from time to time, provided that such updates do not materially reduce the overall level of security protection afforded to Customer Data.

---

6. Subprocessors

6.1 Authorization

Customer hereby grants swivl general authorization to engage Subprocessors to assist in providing the Services. swivl shall remain fully responsible for the acts and omissions of its Subprocessors. swivl shall ensure that each Subprocessor is bound by written obligations no less protective than those set forth in this DPA.

6.2 Current Subprocessors

The current list of approved Subprocessors is set forth in Attachment C.

6.3 Changes to Subprocessors

swivl shall provide Customer with at least 30 days' advance notice before engaging a new Subprocessor or making material changes to existing Subprocessor arrangements involving Customer Data. If Customer has a reasonable objection, it shall notify swivl in writing within 14 days. The parties shall work together in good faith to resolve the objection. If it cannot be resolved, Customer may terminate the applicable Services upon written notice without penalty.

---

7. Data Subject Rights

Taking into account the nature of the Processing, swivl shall assist Customer in fulfilling its obligations to respond to data subject requests under applicable Data Protection Laws, including rights of access, correction, deletion, portability, restriction, and objection. If swivl receives a request directly from a data subject regarding Personal Information in Customer Data, swivl shall promptly forward the request to Customer and shall not respond to such request without Customer's prior written authorization.

---

8. Data Breach Notification

In the event of a Data Breach, swivl shall notify Customer without undue delay and in any event within 72 hours of becoming aware. Notification shall include: a description of the nature of the Data Breach; the categories and approximate number of data subjects and records affected; contact details of swivl's privacy contact; the likely consequences; and measures taken or proposed to address the Data Breach. swivl shall take commercially reasonable steps to contain, investigate, remediate, and prevent recurrence and shall reasonably cooperate with Customer in fulfilling any legal notification obligations arising from the incident.

---

9. International Data Transfers

swivl's Services are operated from the United States. swivl shall not transfer Personal Information outside the United States except as necessary to provide the Services and in compliance with applicable Data Protection Laws. For Customer Data that includes Personal Information of Canadian residents, swivl shall implement appropriate contractual and technical safeguards to protect such information during transfer and processing.

---

10. Data Retention and Deletion

swivl shall retain Personal Information only for as long as necessary to perform the Services or as required by applicable law. Upon termination or expiration of the Agreement, and upon Customer's written request, swivl shall at Customer's election return Customer Data in a commonly used electronic format, or securely delete or destroy Customer Data. swivl shall confirm completion in writing. Where retention is required by law, swivl shall continue to protect such information in accordance with this DPA and limit further Processing.

---

11. Audit Rights

Upon reasonable written request and no more than once per calendar year, unless required by applicable law or following a material Data Breach, swivl shall provide Customer with documentation reasonably necessary to demonstrate its compliance with this DPA. swivl may satisfy this obligation by providing current independent third-party audit reports or certifications in lieu of an on-site audit. Customer shall treat any information obtained during an audit as confidential and use it solely for the purpose of verifying swivl's compliance.

---

12. Confidentiality of Personnel

swivl shall ensure that all personnel authorized to Process Personal Information are subject to binding confidentiality obligations, whether through employment agreements, contractor agreements, or equivalent written instruments, that survive termination of their engagement with swivl.

---

13. Canadian Requirements

swivl shall Process Personal Information of Canadian residents in compliance with PIPEDA and applicable provincial privacy legislation, including Quebec Law 25 where applicable. Where Customer Data includes Personal Information of Quebec residents, swivl shall: document a Privacy Impact Assessment for cross-border transfers where required by law; maintain a record of personal information processed; notify Customer within 72 hours of any confidentiality incident involving Quebec residents' personal information; and cooperate with Customer in fulfilling any obligations to notify the Commission d'acces a l'information (CAI) and affected individuals.

---

14. GDPR

swivl's standard DPA is designed for US and Canadian compliance. If Customer's operations require processing of personal data subject to the General Data Protection Regulation (EU/UK GDPR), Customer shall notify swivl prior to enabling such processing. The parties shall execute appropriate supplemental terms, including Standard Contractual Clauses where required, before swivl processes such data on Customer's behalf.

---

15. Term and Survival

This DPA shall take effect on the effective date of the Agreement and shall remain in full force and effect for as long as swivl Processes Personal Information on behalf of Customer under the Agreement. The obligations set forth in this DPA that by their nature should survive termination, including confidentiality, security, data return and deletion, and audit rights, shall survive for as long as swivl retains Personal Information.

---

16. Contact and Notices

---

Attachment A: Details of Processing

Element	Description
Data Subjects	Customer's authorized users, employees, contractors, and end customers (including tenants and prospective tenants) who interact with the System.
Categories of Personal Information	Contact information (name, email, phone, address); account credentials; communications data (SMS, voice recordings, transcriptions, email, web chat content); transaction and account status data (payment status, balances, unit information); device and technical identifiers where collected automatically.
Sensitive Categories	Not anticipated. Customer is responsible for ensuring sensitive categories of Personal Information are not submitted through the Services without appropriate authorization.
Purpose of Processing	To provide the Services, including platform access, AI-driven voice, SMS, email, and chat features, contact center functionality, automated outbound communications, reporting and analytics, and all related support services.
Duration	For the Term of the Agreement and any limited post-termination period required to complete return or deletion obligations, or as otherwise required by applicable law.

---

Attachment B: Security Measures

swivl implements and maintains the following security measures to protect Personal Information Processed in connection with the Services:

• Infrastructure: Services hosted on Heroku with US-based data residency. Telephony and SMS infrastructure provided by Twilio, a SOC 2 Type II certified provider. Network security controls including firewalls and intrusion detection.
• Encryption: TLS 1.2 or higher for data in transit. Encryption at rest where appropriate. Passwords stored using industry-standard one-way hashing.
• Access Controls: Role-based access controls limiting access to Personal Information to those with a legitimate business need. Multi-factor authentication required for administrative access to production systems. Regular review of access permissions.
• Vulnerability Management: Regular security testing and vulnerability assessments. Timely patching of known vulnerabilities. Dependency scanning for third-party libraries.
• Incident Response: Documented breach notification procedures. Designated incident management personnel. Post-incident review and remediation processes.
• Personnel: Confidentiality obligations for all personnel with access to Personal Information. Security awareness training. Background checks for sensitive roles where permitted by law.

---

Attachment C: Approved Subprocessors

The following Subprocessors are authorized to Process Personal Information in connection with the Services as of the effective date of this DPA. swivl will provide at least 30 days' advance notice of material changes to this list in accordance with Section 6.3.

Subprocessor	Location	Purpose
Heroku (Salesforce)	United States	Cloud hosting and infrastructure
Twilio	United States	Voice and SMS telephony infrastructure
OpenAI	United States	AI language model processing for conversational features
Microsoft Azure	United States	Natural language understanding and intent detection (swivlCortex)
Anthropic	United States	AI language model processing for conversational features
ElevenLabs	United States	AI voice synthesis for voice AI features