Data Protection Addendum
Last updated: August 22, 2025
This Addendum is between Tailshift Inc. ("Tailshift") and the Customer (as defined in the applicable agreement) and forms part of the Tailshift Terms of Service available at https://www.tailshift.ai/terms-of-use/ or any other written or electronic agreement between Tailshift and Customer that expressly incorporates this Addendum (the "Agreement").
Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and that have not entered into a separate data protection addendum with Tailshift. For purposes of this Addendum only, references to "Customer" include such Affiliates.
The Parties agree that the terms below are added as an addendum to the Agreement and will apply to Tailshift’s Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws.
1. Definitions
Capitalized terms not defined below have the meanings in the Agreement. In this Addendum:
- "Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a Party, where control means direct or indirect ownership or control of more than 50% of the voting interests of an entity or otherwise having the power to direct its management and policies.
- "Customer Personal Data" means any Personal Data provided by or made available by Customer to Tailshift, or collected by Tailshift on behalf of Customer, that Tailshift Processes to provide the Services.
- "Controller to Processor SCCs" means: (i) the standard contractual clauses adopted by the European Commission on 4 June 2021 for transfers of Personal Data to third countries (including as amended or replaced from time to time), together with any Swiss FDPIC and/or UK ICO modifications; and (ii) the UK International Data Transfer Addendum ("UK Addendum").
- "Data Protection Laws" means all laws and regulations relating to data protection, privacy, security and breach notification to the extent applicable to the Processing of Customer Personal Data under the Agreement, which may include, as applicable: the EU GDPR, UK GDPR, Swiss DPA, the California Consumer Privacy Act as amended by the CPRA (collectively, "CCPA"), state privacy laws in the United States, HIPAA and its implementing regulations, and any similar or successor laws.
- "EU Area" means the European Union, European Economic Area, the United Kingdom and Switzerland.
- "EU Area Law" means the EU GDPR, UK GDPR, Swiss DPA and any national laws implementing or supplementing them.
- "HIPAA" means the U.S. Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (including the Privacy, Security, Breach Notification and Enforcement Rules at 45 C.F.R. Parts 160 and 164).
- "PHI" means protected health information as defined under HIPAA.
- "Security Incident" means any confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Tailshift. Security Incidents do not include unsuccessful attempts or activities that do not compromise Customer Personal Data (e.g., unsuccessful log‑ins, pings, scans, denial of service without data access).
- "Services" means the services provided by Tailshift to Customer under the Agreement.
- "Subprocessor" means any third party engaged by Tailshift to Process Customer Personal Data on Tailshift’s behalf to provide the Services.
- The terms Business, Business Purpose, commercial purpose, Contractor, Controller, Data Subject, Personal Data, Personal Data Breach, Process/Processing, Processor, Sell, Service Provider, Share, Supervisory Authority and Third Party shall have the meanings given in applicable Data Protection Laws.
2. Scope; Relationship of the Parties
- Scope. This Addendum applies to Tailshift’s Processing of Customer Personal Data under the Agreement to the extent that such Processing is subject to Data Protection Laws. Unless required otherwise by Data Protection Laws, this Addendum is governed by the governing law specified in the Agreement.
- Roles. As further described in Annex 1, Customer is a Controller (or Business under CCPA) and Tailshift acts as a Processor (or Service Provider/Contractor under CCPA) with respect to Customer Personal Data. Where Tailshift acts as a Subprocessor, Tailshift will comply with the obligations applicable to Subprocessors herein.
- HIPAA Role (if applicable). If and only to the extent Tailshift receives, creates, maintains or transmits PHI on behalf of Customer (acting as a Covered Entity or Business Associate), Tailshift shall act as Customer’s Business Associate and the parties will execute a separate Business Associate Agreement (BAA), which is incorporated by reference or attached as Annex 3 (if executed). In case of conflict between the BAA and this Addendum with respect to PHI, the BAA controls.
3. Description and Purposes of Processing
The subject matter, nature, categories of data subjects and Personal Data, Processing purposes, and retention are set out in Annex 1. The Parties may reasonably update Annex 1 from time to time by written agreement. The purpose of Processing under this Addendum is Tailshift’s provision of the Services and performance of the Agreement and any order forms.
4. Customer Obligations and Instructions
- Compliance. Customer will comply with Data Protection Laws in its use of the Services and in providing instructions to Tailshift. Customer is solely responsible for the accuracy, quality and legality of Customer Personal Data and the means by which Customer acquired it, including providing all required notices and obtaining all necessary consents.
- Instructions. Tailshift will Process Customer Personal Data only on Customer’s documented instructions, including as set forth in the Agreement, this Addendum, Customer’s configuration and use of the Services, and as otherwise documented in writing by Customer. Tailshift will notify Customer if Tailshift determines it can no longer meet its obligations under Data Protection Laws or if, in Tailshift’s opinion, an instruction infringes Data Protection Laws (in which case Tailshift may refrain from Processing until the instruction is confirmed or modified).
- Special Categories & PHI. Customer will not provide Special Categories of Personal Data (as defined by GDPR) or PHI unless expressly permitted by the Agreement or Annex 1 and (for PHI) a BAA is in effect. If such data is permitted, Customer represents that it has a lawful basis and will configure the Services accordingly.
5. Tailshift Obligations
5.1 Use Restrictions (including CCPA). Tailshift will not Sell or Share Customer Personal Data and will not retain, use or disclose Customer Personal Data for any purpose other than for the specific Business Purpose of performing the Services or as otherwise permitted by Data Protection Laws. Tailshift certifies that it understands and will comply with the restrictions in this Section 5.1. Tailshift will not combine Customer Personal Data with Personal Data obtained from other sources except as permitted by CCPA (e.g., to detect security incidents, protect against fraud, or to improve the quality of the Services without using such data to perform services for another person), or as otherwise authorized by Customer.
5.2 Confidentiality. Tailshift will ensure that persons authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations or statutory duties of confidentiality.
5.3 Security. Taking into account the state of the art, costs, nature, scope, context and purposes of Processing, and the risk to Data Subjects, Tailshift will implement and maintain appropriate technical and organizational measures ("TOMs") designed to protect Customer Personal Data as required by Article 32 GDPR and other applicable laws. Tailshift maintains an information security program aligned with SOC 2 Type 2 controls and a HIPAA Security Rule–aligned program. A description of TOMs appears in Annex 1, Section 4.
5.4 Audit & Reports. Upon written request no more than once annually (unless otherwise required by a Supervisory Authority or following a Security Incident impacting Customer Personal Data), Tailshift will make available information reasonably necessary to demonstrate compliance with this Addendum, which may include responses to security questionnaires and summaries of independent assessments (e.g., a current SOC 2 Type 2 report under NDA). If such materials are insufficient to establish compliance, Customer may conduct an on‑site or remote audit during normal business hours upon reasonable prior notice and in a manner that avoids undue disruption. Customer will bear its audit costs and reasonable Tailshift time and out‑of‑pocket costs.
5.5 Subprocessors. Customer authorizes Tailshift to engage Subprocessors to Process Customer Personal Data, including those listed in Annex 2. Tailshift will: (a) enter into a written contract with each Subprocessor imposing data protection obligations materially no less protective than those in this Addendum; (b) remain responsible for Subprocessors’ performance; and (c) provide Customer with at least 30 days’ advance notice of any new or replacement Subprocessors (via email or a publicly posted list). Customer may object on reasonable data protection grounds within 30 days; the Parties will work in good faith to find a reasonable solution. If none is found within 30 days, either Party may terminate the affected Services without penalty.
5.6 Government & Third‑Party Requests. To the extent legally permitted, Tailshift will promptly notify Customer of any legally binding request for disclosure of Customer Personal Data by a law enforcement authority, court or other public body. Where legally permissible, Tailshift will challenge unlawful or overbroad requests and disclose only the minimum data required, keeping records of disclosures.
5.7 Data Subject Requests. Taking into account the nature of the Processing, Tailshift will provide reasonable assistance to Customer by appropriate technical and organizational measures to enable Customer to respond to requests to exercise Data Subject rights under Data Protection Laws. Tailshift will not respond directly to such requests unless required by law or authorized in writing by Customer. Customer will reimburse Tailshift’s reasonable costs for assistance that is not included in the Services.
5.8 Security Incidents. Upon becoming aware of a Security Incident affecting Customer Personal Data, Tailshift will notify Customer without undue delay and provide information reasonably available to Tailshift to assist Customer in meeting its breach notification obligations. Tailshift will take reasonable steps to investigate, mitigate and remediate the Security Incident and keep Customer reasonably informed. Notification is not an acknowledgment of fault.
5.9 Assistance (DPIAs, HIPAA). Taking into account the nature of Processing and information available to Tailshift, Tailshift will provide reasonable assistance to Customer with obligations under Articles 32–36 GDPR (including DPIAs and prior consultations) and with HIPAA Security Rule risk analysis and risk management where Tailshift’s systems are in scope. Customer will reimburse Tailshift’s reasonable costs for assistance outside the Services.
5.10 Return or Deletion. Upon termination or expiration of the Agreement, Tailshift will, at Customer’s choice, delete or return Customer Personal Data (unless applicable law requires retention). Where deletion is chosen, Tailshift will render Customer Personal Data unrecoverable, subject to standard backup retention periods, after which backups are overwritten in the ordinary course.
5.11 Records. Tailshift will maintain records of Processing of Customer Personal Data as required by Article 30 GDPR and other applicable laws.
6. Restricted Transfers; International Data Transfers
- SCCs & UK Addendum. Where Customer Personal Data is transferred from the EU Area to a country without an adequacy decision and such transfer is subject to EU Area Law, the Parties agree the Controller–Processor SCCs (Module Two) are incorporated by reference and form part of this Addendum as completed below, together with the UK Addendum where the UK GDPR applies:
  - Clause 7 (Docking): applies.
  - Clause 9 (Subprocessors): Option 2 applies with the notice period in Section 5.5.
  - Clause 11 (Redress): does not apply.
  - Clause 17 (Governing law): Irish law.
  - Clause 18 (Forum and jurisdiction): Courts of Ireland.
  - Annex I to the SCCs: completed by Annex 1 of this Addendum.
  - Annex II to the SCCs: completed by Annex 1, Section 4 of this Addendum.
  - For Swiss transfers, references to the GDPR shall be read as references to the Swiss DPA; references to Member States shall be to Switzerland; governing law and forum shall be Swiss law and competent Swiss courts.
  - For UK transfers, the UK Addendum applies; Part 1 tables are completed by Annex 1; in Table 4, both Importer and Exporter may make changes.
- Additional Measures. If the SCCs or UK Addendum are insufficient to safeguard transfers in light of the laws of the destination country, Tailshift will implement supplementary measures (e.g., encryption at rest and in transit, pseudonymization, access controls, transparency reporting) to ensure an essentially equivalent level of protection.
- Processing Locations & AI/ML. Tailshift Processes Customer Personal Data in the regions described in Annex 1 (or as otherwise agreed in writing). If Tailshift provides optional AI/ML features, Tailshift will Process Personal Data only to the extent necessary to provide those features and in accordance with this Addendum and Data Protection Laws. Tailshift will not use Customer Personal Data to train generalized models for third‑party benefit without Customer’s written authorization.
7. California Privacy (CCPA/CPRA) Provisions
- Tailshift acts as a Service Provider/Contractor to Customer. Tailshift will: (a) comply with applicable obligations under CCPA; (b) provide the same level of privacy protection as is required of Service Providers/Contractors by CCPA; (c) grant Customer the right to take reasonable and appropriate steps to ensure Tailshift uses Customer Personal Data in a manner consistent with Customer’s obligations under CCPA; (d) notify Customer if Tailshift determines it can no longer meet its obligations; and (e) permit Customer, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
- Tailshift will assist Customer in responding to verifiable consumer requests under CCPA to the extent the request relates to data Tailshift holds as Service Provider.
8. Warranties
Each Party warrants that it will comply with its respective obligations under applicable Data Protection Laws. Tailshift represents it maintains an information security program aligned with SOC 2 Type 2 and a HIPAA Security Rule compliance program.
9. Indemnity
To the extent permitted by law, Customer will defend, indemnify and hold harmless Tailshift and its Affiliates from and against third‑party claims and related liabilities, damages, fines, penalties, costs and expenses arising from Customer’s breach of this Addendum or of Data Protection Laws. Tailshift may participate with counsel of its choosing at its own expense.
10. Precedence; Severability; Miscellaneous
- Order of Precedence. In case of conflict: (a) the SCCs/UK Addendum (and any other transfer mechanism agreed in writing) prevail; then (b) the BAA (for PHI); then (c) this Addendum; then (d) the Agreement.
- Severability. If any provision of this Addendum is held invalid or unenforceable, the remaining provisions will remain in full force and effect.
- Privacy by Design. Tailshift applies privacy by design and by default in its development lifecycle and change management.
- Notices. Notices under this Addendum must be given pursuant to the notice provisions of the Agreement. Privacy‑specific notices may be sent to the contacts in Annex 1.
- No Legal Advice. This Addendum is a template for commercial use and is not legal advice. Parties should consult their counsel.
Annex 1 — Description of Processing
1. Parties
Data Exporter (Controller/Business)
Name: Customer (as set forth in the Agreement)
Address: As set forth in the relevant order form
Contact: As set forth in the relevant order form
Role: Controller/Business
Data Importer (Processor/Service Provider)
Name: Tailshift Inc.
Address: [Insert Tailshift address]
Contact: [email protected] (or as otherwise specified)
Role: Processor/Service Provider
2. Competent Supervisory Authority
As determined in accordance with Clause 13 of the SCCs (and the Swiss DPA/UK Addendum, as applicable).
3. Processing Details
Data Subjects. Customer’s employees, contractors, end‑users and other individuals whose Personal Data is submitted to or collected by the Services at Customer’s direction.
Categories of Personal Data. Depending on Customer’s configuration and use of the Services, categories may include: identifiers (name, business email, username), professional information (role, employer), account metadata, audit logs, support communications, usage data, and any other Personal Data that Customer elects to submit to the Services. If permitted by the Agreement/BAA and configured by Customer, this may include Special Categories (GDPR Art. 9) and/or PHI.
Sensitive/PHI. Not Processed unless expressly permitted by the Agreement/Annex and, for PHI, a BAA is in effect. If processed, Tailshift will apply HIPAA Security Rule controls and the TOMs in Section 4.
Frequency & Duration. Continuous/transactional during the term of the Agreement, plus any retention period specified below.
Nature and Purpose of Processing. Provision, operation, maintenance, configuration, support and security of the Services; account administration; troubleshooting; detection/prevention of fraud and abuse; quality and performance optimization; analytics necessary to deliver and improve the Services (without using Customer Personal Data to provide services to another person without authorization); and as otherwise described in the Agreement.
Retention. Tailshift retains Customer Personal Data for the term of the Agreement and deletes or returns it upon termination per Section 5.10, subject to legally required retention and standard backup cycles.
Business Purposes under CCPA (as applicable):
- Helping to ensure security and integrity in a reasonably necessary and proportionate manner.
- Debugging to identify and repair errors that impair intended functionality.
- Performing services on behalf of the business (account servicing, customer service, order processing, analytics, storage, payments if applicable).
- Undertaking internal research for technological development and demonstration.
- Verifying or maintaining the quality or safety of the Services, and improving, upgrading or enhancing the Services.
- Retaining and employing another service provider or contractor as a subcontractor under CCPA requirements.
- Preventing, detecting, or investigating security incidents or malicious, deceptive, fraudulent, or illegal activity.
Processing Locations; Storage; AI/ML. Tailshift may Process Customer Personal Data in the following regions: United States (primarily). If Customer selects a region in product settings (where available), Tailshift will honor that selection. Optional AI/ML features, if enabled by Customer, will Process Personal Data only as necessary to provide those features and not to train generalized models for third‑party benefit without Customer’s written authorization.
4. Technical and Organizational Measures (TOMs)
Tailshift maintains an information security program aligned with SOC 2 Type 2 controls and HIPAA Security Rule requirements, including:
- Designated security leadership and cross‑functional privacy committee.
- Documented security, privacy, acceptable use, and access control policies; annual reviews.
- Formal risk assessments; vulnerability management; penetration testing at least annually; patch management; vendor security reviews.
- Background checks as permitted by law for personnel with access to Customer Personal Data.
- Confidentiality agreements; role‑based security/privacy training; least‑privilege access; MFA for administrative access.
- Unique IDs and strong authentication (including MFA/SSO); least‑privilege and need‑to‑know access; periodic access reviews; session timeouts; detailed access logging.
- Encryption in transit (TLS 1.2+); encryption at rest using industry‑standard algorithms.
- Logical tenant isolation; environment segregation (prod/test/dev); secrets management; secure key management.
- Data minimization and pseudonymization where feasible; secure deletion procedures and verified destruction of media.
- Hardened images; configuration management; firewalls/security groups; IDS/IPS and anomaly detection; DDoS protections at cloud edge; time‑synchronized logs shipped to centralized logging.
- Secure SDLC with code review, dependency scanning and SAST/DAST; change management; segregation of duties; security testing prior to releases.
- Redundancy across availability zones; backups with tested restorations; disaster recovery and business continuity plans with defined RTO/RPO; monitoring and alerting.
- Documented incident response plan with defined roles; 24×7 monitoring; prompt triage, containment, eradication and recovery; customer notification per Section 5.8 and applicable laws (including HIPAA Breach Notification Rule when PHI is involved).
- Written data protection terms; security reviews prior to onboarding; ongoing monitoring.
- Independent assessments (e.g., SOC 2 Type 2) and provision of reports/summaries under NDA; support for Customer audits as described in Section 5.4.
- Administrative, Physical, and Technical Safeguards per 45 C.F.R. §164.308–312; security incident procedures; contingency plans; device/media controls; transmission security; workforce security and sanction policy; BA flow‑down to Subprocessors handling PHI.
Annex 2 — Subprocessors
Tailshift currently engages the following Subprocessors to support the Services (subject to change per Section 5.5):
| Subprocessor | Purpose | Processing Location | Data Categories | Security/Compliance Notes |
|---|---|---|---|---|
| AWS | Data storage, transformation and calculations | US - East | All categories necessary to host Services | SOC 2 |
| Sendgrid | Transactional email | US - East | Contact identifiers, notifications | SPF/DKIM/TLS |
| AWS Cloudwatch | Logging & monitoring | US - East | Metadata, telemetry | Data minimization; retention limits |
| Internal (email based) | Ticketing/support | US - East | Contact data, case details | Access controls; MFA |
Annex 3 — Business Associate Agreement (Optional; if PHI is in scope)
If Tailshift will act as Business Associate, the Parties will execute a separate BAA. In summary and without limiting the BAA terms: Tailshift may use and disclose PHI only to perform the Services, for proper management and administration, and as required by law; will implement the HIPAA Security Rule safeguards; will report breaches of unsecured PHI and other security incidents to Customer without unreasonable delay; will ensure any subcontractors that create, receive, maintain or transmit PHI on Tailshift’s behalf agree to equivalent restrictions; and will return or destroy PHI at termination per Customer’s instruction unless infeasible. The executed BAA governs PHI in case of conflict.