This Data Processing Addendum (“DPA”) forms part of the Terms and Conditions, Master Subscription Agreement, Order Form, or other written or electronic agreement (the “Agreement”) between Inquirly, Inc. (“Inquirly,” “Processor,” “Service Provider,” or “Contractor”) and the customer entity agreeing to this DPA (“Customer,” “Controller,” or “Business”) and governs Inquirly’s Processing of Customer Personal Data in connection with the Services.
1. Definitions
“Applicable Data Protection Law” means all privacy, data protection, and data security laws applicable to the Processing of Customer Personal Data under the Agreement.
“Customer Personal Data” means any personal data, personal information, or other similar term under Applicable Data Protection Law that Inquirly Processes on behalf of Customer in connection with the Services.
“Process” or “Processing” means any operation performed on Customer Personal Data, including collection, storage, use, disclosure, transmission, deletion, or other handling.
“Subprocessor” means any third party engaged by Inquirly to Process Customer Personal Data on Inquirly’s behalf.
“Personal Data Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Inquirly.
2. Roles of the Parties
The parties acknowledge and agree that:
- Customer is the Controller, Business, or equivalent responsible party for Customer Personal Data.
- Inquirly is the Processor, Service Provider, Contractor, or equivalent recipient of Customer Personal Data.
- Each party will comply with its obligations under Applicable Data Protection Law.
3. Scope and Purpose of Processing
Inquirly will Process Customer Personal Data only:
- to provide, operate, maintain, support, and improve the Services as described in the Agreement;
- on documented instructions from Customer;
- as otherwise required by Applicable Data Protection Law; or
- as necessary to prevent fraud, abuse, security incidents, or misuse of the Services.
The subject matter, duration, nature, and purpose of the Processing, as well as the categories of data subjects and categories of Customer Personal Data, are described in Annex 1 to this DPA.
4. Customer Instructions
Customer instructs Inquirly to Process Customer Personal Data as necessary to provide the Services in accordance with:
- the Agreement;
- this DPA;
- Customer’s configuration and use of the Services; and
- any other written instructions agreed by the parties.
If Inquirly believes an instruction violates Applicable Data Protection Law, Inquirly may notify Customer and suspend the relevant Processing until the issue is resolved.
5. Confidentiality
Inquirly will ensure that persons authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations.
6. Security Measures
Inquirly will implement and maintain reasonable and appropriate technical, administrative, and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
These measures may include, as appropriate:
- access controls;
- authentication controls;
- encryption in transit and at rest where appropriate;
- logging and monitoring;
- incident response procedures; and
- vendor management and security review processes.
Customer acknowledges that no security measure can guarantee absolute security.
7. Subprocessors
Customer authorizes Inquirly to engage Subprocessors to Process Customer Personal Data on Inquirly’s behalf.
Inquirly will:
- maintain an up-to-date Subprocessors Page;
- impose contractual privacy, confidentiality, and security obligations on Subprocessors that are no less protective than those set out in this DPA, as applicable to the services provided; and
- remain responsible for the performance of its Subprocessors to the extent required by law.
8. Assistance with Data Subject Requests
Taking into account the nature of the Processing, Inquirly will provide reasonable assistance to Customer to help Customer respond to requests from individuals exercising their rights under Applicable Data Protection Law, to the extent Customer cannot access such information through the Services.
9. Assistance with Compliance Obligations
To the extent required by Applicable Data Protection Law and taking into account the nature of the Processing and the information available to Inquirly, Inquirly will provide reasonable assistance to Customer with obligations relating to security, breach notifications, impact assessments, and consultations with regulators.
10. Personal Data Incidents
Inquirly will notify Customer without undue delay after becoming aware of a confirmed Personal Data Incident affecting Customer Personal Data.
Such notification will include, to the extent available:
- the nature of the incident;
- the categories of data involved;
- the likely consequences; and
- the measures taken or proposed to address the incident.
Inquirly’s notification of a Personal Data Incident is not an admission of fault or liability.
11. Deletion and Return of Data
Upon termination or expiration of the Agreement, and subject to the functionality of the Services and Applicable Data Protection Law, Inquirly will delete or return Customer Personal Data in its possession or control, unless retention is required by law or reasonably necessary for security, backup, audit, dispute resolution, or enforcement purposes.
12. Audits and Information Rights
Inquirly will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.
If Customer reasonably believes additional review is necessary, the parties will work in good faith to agree on a reasonable and proportionate method, which may include questionnaires, certifications, summaries of security controls, or other documentation. Any audit must be limited in scope, non-disruptive, and subject to confidentiality obligations.
13. Data Processing Location
Customer acknowledges that Inquirly operates in the United States and may Process Customer Personal Data in the United States and other jurisdictions where Inquirly or its Subprocessors operate.
If the parties need additional transfer terms under Applicable Data Protection Law, such terms will be incorporated by reference or added as an annex to this DPA.
14. California-Specific Terms
To the extent the California Consumer Privacy Act, as amended, applies to the Processing of Customer Personal Data:
- Inquirly acts as a Service Provider or Contractor, as applicable;
- Inquirly will not sell or share Customer Personal Data received from Customer;
- Inquirly will not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer or for any purpose other than the business purposes specified in the Agreement and this DPA, except as permitted by law;
- Inquirly will comply with applicable restrictions imposed on Service Providers and Contractors under California law; and
- Customer may take reasonable and appropriate steps to help ensure that Inquirly uses Customer Personal Data in a manner consistent with Customer’s obligations under California law.
15. Google Workspace and Gmail Data
To the extent Customer enables Gmail or other Google integrations:
- Inquirly will access and Process Google user data only to provide the requested Services;
- Inquirly will not use Google Workspace user data for advertising purposes;
- Inquirly will not sell Google user data; and
- Inquirly will not use Google Workspace or Gmail data obtained through restricted or sensitive scopes to train general-purpose or shared AI models.
16. AI Features
Where the Services include AI-enabled or automated features, Inquirly may Process Customer Personal Data to classify, summarize, route, prioritize, draft, or otherwise support the functionality requested by Customer within the Services.
Inquirly does not use Customer Personal Data to train general-purpose or shared AI models.
Customer remains responsible for determining whether its use of AI-enabled features is appropriate for its business, workflows, and legal obligations.
17. Limitation
This DPA does not apply to personal information for which Inquirly acts as a Controller or Business in its own right, such as website analytics, account administration, billing contact information, or direct marketing data Processed for Inquirly’s own purposes.
18. Order of Precedence
If there is any conflict between this DPA and the Agreement regarding the Processing of Customer Personal Data, this DPA will control to the extent of that conflict.
Annex 1. Details of Processing
Subject Matter
Provision of Inquirly’s customer support, communication, workflow, automation, analytics, and related platform services.
Duration
For the term of the Agreement and any agreed post-termination retention or deletion period.
Nature and Purpose
Hosting, storage, organization, transmission, analysis, routing, support, automation, reporting, customer-requested integrations, account administration, and related processing required to provide the Services.
Categories of Data Subjects
- Customer account owners;
- Customer administrators;
- Customer employees and authorized users;
- Customer leads, contacts, and end users;
- individuals communicating with Customer through connected channels; and
- call participants where call features are enabled.
Categories of Customer Personal Data
- contact details;
- account and workspace data;
- messages, support tickets, and communication content;
- attachments and notes;
- call metadata, recordings, transcripts, and summaries where enabled;
- integration data from connected services; and
- usage logs and diagnostics related to the Services.
