Data Processing Agreement
This Data Processing Agreement (the "DPA") is made between Customer ("Controller"), and AI Tools, Inc., a Delaware Corporation ("Spawn") (each a "Party," and collectively the "Parties"), and entered into as of the date of the last signature below. This DPA is entered into as of the effective date of the Terms of Service that this DPA is attached to, which governs the services where Controller Personal Data is Processed by Spawn (the "Governing Agreement"). In the event of a conflict between the provisions of this DPA and the Governing Agreement, this DPA shall control solely with respect to the subject matter herein. Any terms not defined herein shall have the same meaning as set forth in the Terms of Service.
The Parties agree as follows:
I. DEFINITIONS
"Data Privacy Laws" means applicable U.S. state or federal consumer protection or privacy or data protection or privacy laws and regulations (currently in effect or effective after the Effective Date) that govern the collection, use, disclosure, or Processing of Personal Data, including, but not limited to, the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended, and its implementing regulations and other similar U.S. state comprehensive data privacy or data protection laws.
"Data Incident" means a known or reasonably suspected unauthorized or unlawful access to, disclosure, modification, destruction, deletion, loss of, or disruption or loss of access to Controller Personal Data.
"Personal Data" shall have the same meaning as "personal data" and "personal information" under each of the applicable Data Privacy Laws. "Controller Personal Data" means Personal Data of users submitted or otherwise provided on User Apps that is provided by Controller to Spawn, collected by Spawn on behalf of Controller, or otherwise Processed by Spawn, pursuant to the Governing Agreement.
"Process," "Processed" or "Processing" means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, including by automated means, and pursuant to the instructions set forth herein.
"Sensitive Personal Data" means Personal Data that includes an individual's: Social Security or government-issued identification number; account log-in information, financial or payment-card number with any required security or access code, password, or credentials; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of communications; genetic data. Sensitive Personal Data also includes the Processing of biometric information for identification purposes; Personal Data concerning an individual's health, sex life, or sexual orientation; or "sensitive personal information" as defined under applicable Data Privacy Laws.
Capitalized terms that are not defined herein shall have the same meaning as in applicable Data Privacy Laws.
II. PROCESSING RIGHTS AND REQUIREMENTS
Scope of the Processing. Spawn provides a web-based Service in the form of a platform on which Controller may create web-based games, applications and solutions (collectively, "User Apps") through the use of a variety of products, features, services and tools provided through the platform. Additionally, Controller has the ability to host and operate their User Apps on Spawn's platform and access and interact with the User Apps of other users. Controller acknowledges and agrees that, in connection with the Services under the Governing Agreement, users may submit or otherwise provide their Personal Data on User Apps created and operated by Controller but hosted on the platform. With respect to Controller Personal Data on User Apps created and operated by Controller, Spawn will Process such Controller Personal Data pursuant to the purpose set forth herein, and in compliance with this DPA and applicable Data Privacy Laws. For purposes of this DPA, Spawn is a "service provider," "contractor," or "processor" or similar applicable term defined under applicable Data Privacy Law. Spawn will not disclose Controller Personal Data to any third party, except pursuant to this DPA. For avoidance of doubt, this DPA does not apply to Spawn's Processing of Personal Data that does not constitute Controller Personal Data and/or any other Processing of Personal Data with respect to Customer and Customer's users conducted by Spawn as a data controller.
Controller Obligations. Controller will comply with all applicable laws, including applicable Data Privacy Laws, at all times and in compliance with this DPA with respect to Controller Personal Data, including Personal Data of users submitted or otherwise provided on User Apps created and operated by Controller, including, without limitation: (i) ensuring the accuracy, quality and legality of Personal Data and the means by which Controller acquired such Personal Data on User Apps; (ii) providing any required notices to users on User Apps regarding Controller's data collection, use and disclosure practices (including any required privacy policies on User Apps); (iii) obtaining any necessary consents and authorizations from users on User Apps for Spawn to Process their Personal Data; and (iv) ensuring that Controller has the right to transfer, share or otherwise disclose such Personal Data of users on User Apps with Spawn. Controller will promptly inform Spawn without undue delay if Controller is unable to comply with its obligations under any applicable laws, including applicable Data Privacy Laws, or this DPA. Controller further acknowledges and agrees that Controller will not provide nor require Spawn to Process any Sensitive Personal Data.
Spawn Obligations. Spawn will Process Controller Personal Data in compliance with applicable laws, including applicable Data Privacy Laws, at all times and in compliance with this DPA. Spawn is prohibited from and represents and certifies its understanding that Spawn is prohibited from:
a. Selling, Sharing or otherwise disclosing Controller Personal Data to any third party, as such concepts are defined under applicable Data Privacy Laws;
b. using, retaining or disclosing Controller Personal Data for any purpose other than the purpose(s) set forth in Section II(1) or engaging a sub-processor in compliance with this DPA, including any other commercial purpose;
c. using, retaining or disclosing Controller Personal Data outside of the direct relationship between Controller and Spawn;
d. using, retaining or disclosing Controller Personal Data against Controller's instructions; and
e. combining or updating Controller Personal Data with Personal Data received from another source, including Spawn's own direct interaction with the user, unless expressly permitted by applicable laws, including applicable Data Privacy Laws.
III. PROCESSING OBLIGATIONS
Data Subject Requests. Spawn shall reasonably cooperate with, and provide all commercially reasonable support to cause Controller to comply with Controller's obligations to data subjects under Data Privacy Laws, including responding to data subject requests. Upon written request from Controller, Spawn shall provide necessary information to Controller to fulfill its obligations under Data Privacy Laws. In the event that any user submits a data subject request directly to Spawn concerning Controller Personal Data, Spawn shall promptly forward the request to Controller. Spawn shall not respond to the request without Controller's prior authorization other than to inform the user that Spawn is not authorized to directly respond to a request and advise that Spawn has forwarded the request to Controller.
In the event that any request from applicable regulatory or legal authorities is made directly to Spawn, Spawn shall promptly forward the request to Controller, to the extent legally permitted to do so. Spawn shall not respond to such communication directly without Controller's prior authorization other than to inform the requestor that Spawn is not authorized to directly respond to a request, unless legally required to do so. If Spawn is legally required to directly respond to such a request, Spawn will promptly notify Controller and provide it with a copy of the request unless legally prohibited from doing so.
Data Retention and Deletion/Return. Spawn shall only retain Controller Personal Data for the duration of the Governing Agreement. Except as required under applicable law, upon termination or expiration of the Governing Agreement, Spawn shall return, delete and/or destroy all Controller Personal Data.
Confidentiality. Spawn shall take commercially reasonable efforts to ensure that any Spawn personnel or sub-processor that Processes Controller Personal Data keeps such Controller Personal Data confidential.
IV. SUB-PROCESSORS
Controller acknowledges and agrees that Spawn can engage sub-processors to assist Spawn in Processing any Controller Personal Data and Spawn shall take commercially reasonable efforts to ensure that any sub-processor keeps any Controller Personal Data confidential.
V. AUDITS
Spawn grants Controller the right to take reasonable and appropriate steps to ensure that Spawn uses Controller Personal Data in a manner consistent with Controller's obligations under applicable Data Privacy Laws, including, without limitation, any assessments, or reports of any assessments, of Spawn's internal system(s) conducted either by Spawn internally or by a third party on behalf of Spawn, provided that they are conducted in compliance with a reasonably appropriate and accepted control standard or framework and audit procedure. Upon reasonable notice, Controller shall have the right to take, and Spawn shall comply with, reasonable and appropriate steps to remediate or stop any unauthorized Processing of Controller Personal Data.
VI. INFORMATION SECURITY
Spawn shall implement and maintain commercially reasonable technical and organizational security measures to protect the security, confidentiality and integrity of Controller Personal Data from any Data Incident and to ensure a level of security appropriate to the risk. Further, Spawn shall provide commercially reasonable assistance in meeting Controller's obligations regarding the security of Processing Controller Personal Data, including in relation to any applicable notice obligations in a Data Incident. If Spawn becomes aware of a Data Incident, Spawn shall promptly, but in no more than 72 hours, notify Controller, provide relevant information, to the extent known, about the Data Incident to Controller and reasonably cooperate with Controller to support Controller's reasonable reporting and notification obligations.
VII. CHANGES TO THE DPA
In the event that either Party wants to amend these terms to comply with changes to Data Privacy Laws or for other reasons, the Parties agree to cooperate in good faith to negotiate such amendments.
VIII. CERTIFICATION AND NOTIFICATION OBLIGATIONS
The Parties certify that they understand and will comply with their respective requirements set forth herein. If either Party becomes aware or makes a determination that it can no longer meet its obligations under applicable Data Privacy Laws or this DPA, it shall promptly notify the other Party.
IX. CONTACT INFORMATION
For any inquiries related to this Data Processing Agreement, please contact Spawn at:
Email: contact@spawn.co
Mailing Address:
AI Tools Inc.
25 Crescent Dr. #A224
Pleasant Hill, CA 94523