Terms of Service, Version 2026-02-26

DonNe AI, Inc. Data Processing Addendum (DPA)

Last Updated: February 26, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between DonNe AI, Inc. (“Processor,” “DonNe”) and the customer identified in the applicable Order Form (“Controller,” “Customer”) (the “Agreement”). This DPA applies to DonNe’s Processing of Personal Data on behalf of Customer in connection with the Service.

If there is a conflict between this DPA and the Agreement regarding data protection, this DPA controls.

1) Definitions

Capitalized terms not defined here have the meanings in the Agreement. In this DPA:

  • “Applicable Data Protection Laws” means all laws applicable to the Processing of Personal Data under the Agreement, including (as applicable) the GDPR, UK GDPR, Swiss FADP, and U.S. state privacy laws.
  • “Controller,” “Processor,” “Personal Data,” “Processing,” “Data Subject,” “Supervisory Authority” have the meanings given in Applicable Data Protection Laws.
  • “Customer Personal Data” means Personal Data contained in Customer Data that DonNe Processes on behalf of Customer.
  • “Subprocessor” means a Processor engaged by DonNe to Process Customer Personal Data.
  • “Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

2) Roles, Instructions, and Use of Data

2.1 Roles

  • Customer is the Controller (or “Business”) of Customer Personal Data.
  • DonNe is the Processor (or “Service Provider/Processor”) of Customer Personal Data.

2.2 Customer Instructions

DonNe will Process Customer Personal Data only:

  • to provide, secure, maintain, and support the Service;
  • as documented in the Agreement, Documentation, and this DPA; and
  • as otherwise instructed by Customer in writing, where such instructions are consistent with the Agreement.

2.3 Customer Responsibilities

Customer is responsible for: determining the lawful basis for Processing and providing required notices to Data Subjects; ensuring it has all necessary rights, permissions, and consents to provide Customer Personal Data to DonNe (including for Email Metadata and any uploaded CSV data); and ensuring its use of the Service complies with Applicable Data Protection Laws.

Customer acknowledges that restrictions in the Agreement regarding Outputs and DonNe Generated Data (including prohibitions on resale, redistribution, and database replication) apply regardless of whether such Outputs contain Personal Data.

2.4 Service Improvement; Model Training (Including AI Models)

  • Service Improvement. Customer instructs DonNe to Process Customer Personal Data as necessary to provide, maintain, secure, and improve the Service, including to improve model performance, quality, and safety.
  • Third-Party Licensed Data Exclusion. Notwithstanding anything to the contrary in the Agreement, this DPA, or any Documentation, DonNe will not use any Third-Party Licensed Data (as defined below), or any data points that constitute or reproduce Third-Party Licensed Data, to train, fine-tune, or improve any machine learning or artificial intelligence models where such use is prohibited by the applicable third-party terms.
  • Definition. “Third-Party Licensed Data” means any data, content, or materials obtained by or through the Service from a third-party provider (including via API or integration) that is subject to contractual restrictions on use, storage, redistribution, expungement, or model training (for example, Crunchbase Content).
  • Training Controls. DonNe may use Customer Personal Data for model training and improvement only: (a) in aggregated and/or de-identified form where feasible; and/or (b) with technical and organizational controls designed to limit exposure of Customer Personal Data (including access controls, minimization, and logging).
  • No Intentional Disclosure. DonNe will maintain controls designed to prevent the Service from outputting Customer Personal Data of one customer to another customer.
  • B2B Opt-Out Available. For B2B Customers, DonNe will provide an option to opt out of using Customer Personal Data for model training and improvement upon written request to legal@donneai.com, subject to reasonable technical limitations and potential impact on certain features. If Customer opts out, DonNe may still process Customer Personal Data to provide the Service, including for security, abuse prevention, and legal compliance.
  • Data Minimization and Expungement for Third-Party Licensed Data. Customer acknowledges that, to comply with third-party contractual restrictions applicable to Third-Party Licensed Data (including restrictions on storing significant portions of content and requirements that content remain expungeable), DonNe may implement technical controls such as field-level minimization, short-term caching, time-to-live (TTL) limits, and deletion workflows, and may store only derived, non-reversible signals instead of raw third-party records.

2.5 De-identified and Aggregated Data

DonNe may create and use de-identified and/or aggregated data derived from Customer Data for product improvement, analytics, and benchmarking, provided such data does not identify Customer or any individual and is not reasonably capable of re-identification.

3) Details of Processing (Article 28(3))

The subject matter, duration, nature, and purpose of Processing, types of Personal Data, and categories of Data Subjects are described in Schedule 1.

4) Confidentiality

DonNe will ensure that persons authorized to Process Customer Personal Data are bound by confidentiality obligations (contractual or statutory).

5) Security Measures

5.1 Security Program

DonNe will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents, taking into account the state of the art, costs of implementation, nature/scope/context/purposes of Processing, and risks to individuals.

5.2 Security Measures Summary

DonNe’s security measures are described in Schedule 2.

5.3 Customer Security Responsibilities

Customer is responsible for:

  • maintaining appropriate security of its systems and credentials;
  • configuring the Service securely (including user access controls); and
  • limiting access to Customer Personal Data to Authorized Users with a need to know.

6) Subprocessors

6.1 Authorization

Customer provides DonNe a general authorization to engage Subprocessors.

6.2 Subprocessor Obligations

DonNe will:

  • enter into a written agreement with each Subprocessor imposing data protection obligations substantially similar to those in this DPA; and
  • remain responsible for Subprocessors’ performance of their obligations.

6.3 Subprocessor List and Notice

DonNe maintains a list of Subprocessors (including their primary processing location, currently the United States) at: . DonNe will provide notice of material changes to Subprocessors by updating the list and/or by email.

6.4 Objection Right

Customer may object to a new Subprocessor on reasonable data protection grounds by providing written notice within 30 days of notice. If the parties cannot resolve the objection, DonNe may (at its option) (a) not use the Subprocessor for Customer, (b) provide a commercially reasonable alternative, or (c) allow Customer to terminate the affected Order Form and receive a prorated refund of prepaid fees for the terminated portion of the subscription term (B2B only).

7) Data Subject Requests

Taking into account the nature of Processing, DonNe will provide reasonable assistance to Customer to respond to Data Subject requests (e.g., access, deletion, objection) to the extent Customer cannot fulfill the request through the Service.

DonNe may charge reasonable fees for assistance beyond what is required by law.

8) Assistance with Compliance

DonNe will provide reasonable assistance to Customer with:

  • security obligations;
  • Security Incident notifications; and
  • DPIAs and prior consultations, to the extent required and applicable to DonNe’s Processing.

9) Security Incidents

9.1 Notification

DonNe will notify Customer without undue delay after becoming aware of a Security Incident involving Customer Personal Data and will provide information reasonably necessary for Customer to meet its notification obligations.

9.2 Investigation and Mitigation

DonNe will take reasonable steps to investigate, mitigate, and remediate the Security Incident.

9.3 No Admission

DonNe’s notification of a Security Incident is not an admission of fault or liability.

10) Audits and Assessments

10.1 Audit Rights

Upon written request, DonNe will make available information reasonably necessary to demonstrate compliance with this DPA.

10.2 Third-Party Reports

Where available, DonNe may satisfy audit requests by providing third-party audit reports or summaries (e.g., SOC 2) and/or responses to security questionnaires.

10.3 On-Site Audits

If Customer reasonably requires an on-site audit, it must:

  • provide at least 30 days’ prior written notice;
  • limit audits to once per 12 months (unless a Security Incident occurs);
  • ensure audits do not unreasonably interfere with DonNe’s operations; and
  • enter into appropriate confidentiality obligations.

DonNe may charge reasonable fees for on-site audits.

11) Return or Deletion of Customer Personal Data

Upon termination or expiration of the Agreement, DonNe will, at Customer’s request, return or delete Customer Personal Data in accordance with the Agreement and Documentation, unless retention is required by law. DonNe may retain limited data as necessary for legal compliance, dispute resolution, and enforcement, subject to confidentiality obligations.

12) International Transfers (EU/UK/Swiss)

Customer acknowledges DonNe stores and processes Customer Personal Data in the United States and does not currently offer EU-only data residency.

12.1 EU SCCs

To the extent Customer Personal Data is transferred from the EEA to the United States (or another country not recognized as adequate), the parties agree the EU Standard Contractual Clauses (“EU SCCs”) apply (Commission Implementing Decision (EU) 2021/914), incorporated by reference as follows:

  • Module: Module Two (Controller to Processor)
  • Clause 7 (Docking): Optional docking clause applies
  • Clause 9 (Use of Subprocessors): Option 2 (general written authorization) with the notice mechanism in Section 6
  • Clause 11 (Redress): Optional language does not apply
  • Clause 17 (Governing law): Ireland
  • Clause 18 (Forum): Courts of Ireland

The Annexes to the EU SCCs are completed by Schedule 1 and Schedule 2 of this DPA.

12.2 UK Addendum

For transfers subject to the UK GDPR, the EU SCCs are amended by the UK International Data Transfer Addendum (“UK Addendum”), incorporated by reference and completed consistent with this DPA.

12.3 Swiss Addendum

For transfers subject to Swiss law, the EU SCCs apply with modifications required by Swiss FADP (e.g., references to “Member State” interpreted as Switzerland, and competent authority as the FDPIC).

12.4 Supplementary Measures

DonNe will implement supplementary measures as described in Schedule 2 and will provide reasonable information to support Customer’s transfer assessments.

13) U.S. State Privacy Terms (CPRA/Other)

To the extent Applicable Data Protection Laws include U.S. state privacy laws (e.g., CPRA), the parties agree:

  • DonNe acts as a Service Provider/Processor for Customer Personal Data.
  • DonNe will not sell or share Customer Personal Data (as those terms are defined by CPRA).
  • DonNe will not retain, use, or disclose Customer Personal Data for any purpose other than providing the Service under the Agreement, except as permitted by Applicable Data Protection Laws.
  • DonNe will not combine Customer Personal Data with personal data obtained from other sources except as permitted by law (e.g., to prevent fraud/security incidents, to ensure security and integrity, or to provide the Service as instructed).
  • DonNe will provide reasonable assistance for Customer to respond to verified consumer requests, as described in Section 7.

14) Liability

Liability under this DPA is subject to the limitations of liability and exclusions in the Agreement, unless prohibited by Applicable Data Protection Laws.

15) Order of Precedence

If there is a conflict between this DPA and the Agreement regarding data protection, this DPA controls. If there is a conflict between this DPA and the EU SCCs/UK Addendum, the EU SCCs/UK Addendum control for international transfers.

Schedule 1 — Processing Details (EU SCC Annex I / Article 28(3))

A. List of Parties

Data Exporter (Controller): Customer identified in the Order Form. Role: Controller

Data Importer (Processor): DonNe AI, Inc. Address: 300 Creek View Road, Suite 209, Newark, Delaware 19711.

Contact: legal@donneai.com. Role: Processor

B. Categories of Data Subjects

May include:

  • Customer’s employees, contractors, and Authorized Users
  • Customer’s clients (e.g., executive search agency clients)
  • Candidates, prospects, leads, and professional contacts
  • Individuals whose Email Metadata is processed to map professional relationships

C. Categories of Personal Data

May include:

  • Identifiers and contact details (name, email address, phone number, employer, title)
  • Professional profile information (employment history, role changes, seniority indicators)
  • Email Metadata (sender/recipient, timestamps, subject lines, message IDs, routing fields)
  • Relationship/network graph data derived from Email Metadata
  • Usage data and device/technical data (IP address, logs, authentication events)
  • Outputs and inferences that may relate to individuals (e.g., potential role changes or opportunities), to the extent such Outputs contain Personal Data
  • Customer-uploaded files (including CSV files) containing professional contact/candidate data

Special Categories of Data: Not intended to be processed. Customer will not provide special category data (e.g., health data) unless expressly agreed in writing.

D. Processing Activities / Purpose

  • Providing the Service features, including network ingestion, relationship mapping, predictive intelligence, and generation of draft communications
  • Model training and improvement (including improving prediction quality, reducing errors, and improving safety), subject to Section 2.4
  • Account administration, authentication, and access control
  • Security monitoring, fraud prevention, and abuse detection
  • Customer support and troubleshooting
  • Service analytics and performance monitoring
  • Compliance with legal obligations

E. Duration of Processing

For the term of the Agreement plus any retention period required by law or as described in the Agreement/Documentation.

F. Frequency of Transfer

Continuous, as Customer uses the Service.

Schedule 2 — Security Measures (EU SCC Annex II)

DonNe maintains a security program designed to protect Customer Personal Data. Measures may include:

  • Access Controls
      • Role-based access controls and least-privilege principles
      • Multi-factor authentication for administrative access (where supported)
      • Logging of access to production systems
  • Encryption
      • Encryption in transit using industry-standard TLS
      • Encryption at rest for stored Customer Personal Data (where supported by underlying systems)
  • Operational Security
      • Change management and deployment controls
      • Vulnerability management and patching practices
      • Monitoring for suspicious activity and abuse
  • Data Minimization
      • Email ingestion limited to Email Metadata by default (no email body content or attachments unless expressly enabled and agreed in writing)
  • Incident Response
      • Documented incident response process
      • Security Incident notification procedures consistent with Section 9
  • Business Continuity
      • Backup and recovery procedures designed to support restoration of availability
  • Subprocessor Management
      • Due diligence and contractual controls for Subprocessors
      • Maintenance of a Subprocessor list and change notification process
  • AI / LLM Controls (where applicable)
      • Controls designed to limit the amount of Customer Personal Data sent to third-party model providers
      • Access controls and logging around prompts/requests
      • Vendor management and contractual controls with model providers

Schedule 3 — Subprocessors (EU SCC Annex III)

DonNe maintains a list of Subprocessors at:

Acceptance / Execution

This DPA is incorporated into and becomes part of the Agreement. Where required, the parties agree this DPA (including the EU SCCs and UK Addendum) is deemed executed upon execution of the Agreement/Order Form or acceptance of the Terms.

Questions? Email legal@donneai.com.