Data Processing Addendum

1. Scope

This Data Processing Addendum ("DPA") applies when Neurofinity AI Ltd. processes personal information on behalf of a business customer through ShortURL.bot and applicable data protection law requires processor or service-provider terms. This DPA is incorporated into the Terms of Service.

2. Roles

The customer is the controller, business, or equivalent party for Customer Personal Data. We are the processor, service provider, or equivalent party when processing Customer Personal Data on the customer's behalf. For account, billing, security, abuse, domain, legal, and platform operations data, we may act as an independent controller as described in the Privacy Policy.

3. Customer Personal Data

"Customer Personal Data" means personal information that a customer submits to, collects through, or instructs us to process using forms, hosted pages, conversion tracking, APIs, MCP tools, bulk imports, Smart Replace, customer content, or similar features. It may include visitor identifiers, form responses, customer-provided email addresses or names, click IDs, conversion events, device data, and other data selected by the customer.

4. Processing Instructions

We will process Customer Personal Data only to provide, secure, support, maintain, improve, and enforce the Service; follow the customer's documented instructions; comply with law; prevent abuse; and perform obligations under the Terms. The customer's use of the Service and configuration choices are documented instructions.

5. Customer Obligations

The customer is responsible for having a lawful basis, providing required notices, obtaining required consents, honoring opt-outs, configuring retention and tracking lawfully, responding to data-subject requests, and ensuring that Customer Personal Data can be legally transferred to and processed by us and our subprocessors.

In particular, the customer shall:

• Data-subject requests. Respond to and process data-subject requests (such as access, correction, deletion, portability, objection, or opt-out requests) concerning Customer Personal Data that Customer collects, hosts, or processes through the Service, within the timeframes required by applicable law, and reasonably cooperate with us if such a request is directed to us rather than to Customer.
• Retention and deletion. Configure retention and deletion for Customer Personal Data consistent with applicable law, honor data-subject retention and erasure requests within statutory timeframes, and use the retention and export controls the Service provides.
• Security notification to us. Notify us without undue delay after becoming aware of any actual or suspected compromise of Customer credentials, API keys, webhook secrets, workspaces, or member accounts, or of any unauthorized access to or exfiltration of Customer Personal Data through the Service.

6. Confidentiality and Security

We will require personnel with access to Customer Personal Data to protect it and will maintain administrative, technical, and organizational safeguards designed to protect Customer Personal Data against unauthorized access, loss, misuse, alteration, and disclosure.

Authorized support, security, and administrative personnel may access a customer account or session (including through an impersonation session) for limited support, security, abuse-response, billing-investigation, or system-maintenance purposes, as described in Section 8 of our Privacy Policy. Such access is limited to what is necessary and is recorded in audit logs accessible to workspace owners where the audit-log feature is available to the customer's plan.

7. Subprocessors

The customer authorizes us to use subprocessors to provide the Service. Current key subprocessors are listed on the Subprocessors page. We will require subprocessors to protect Customer Personal Data in a manner consistent with this DPA.

8. International Transfers

Customer Personal Data may be processed in Canada, the United States, the European Economic Area, the United Kingdom, and other jurisdictions where we or our subprocessors operate. Where required, the parties will rely on applicable transfer safeguards such as standard contractual clauses, equivalent contractual protections, or other lawful transfer mechanisms.

9. Assistance

Taking into account the nature of the Service and information available to us, we will provide reasonable assistance with data-subject requests, security obligations, data protection impact assessments, and regulatory inquiries where required by law. We may charge reasonable fees for assistance that is not included in standard support.

10. Security Incidents

We will notify affected customers without undue delay and, where feasible, no later than seventy-two (72) hours after we become aware of a confirmed or reasonably suspected personal-data breach affecting Customer Personal Data, to the extent required by applicable law. The notice may describe the nature of the incident, affected data, known consequences, mitigation steps, and customer actions where reasonably available. Information that is not yet available at the time of initial notice may be provided in later updates as the investigation develops.

11. Return and Deletion

At termination or upon valid request, we will delete or return Customer Personal Data according to the Service functionality and our operational schedules, unless retention is required for legal, billing, tax, security, abuse-prevention, backup, or legitimate business purposes.

12. Audits

We will make reasonable information available to demonstrate compliance with this DPA. Any audit must be limited, confidential, pre-scheduled, non-disruptive, and subject to reasonable security and confidentiality requirements.

13. Contact

DPA questions can be sent through the Help Center or to admin@shorturl.bot.