Data Processing Addendum

Last updated: June 9, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between you (the “Customer”) and Ember AI (“Ember”) governing your use of the Service, and describes how Ember processes personal data on the Customer’s behalf. Capitalized terms not defined here have the meaning given in our Terms of Service and Privacy Policy.

1. Roles of the parties

As between the parties, the Customer is the controller of the personal data it provides or makes accessible through connected accounts, and Ember acts as a processor that processes that data only on the Customer’s documented instructions, including as set out in the Terms, this DPA, and the Customer’s use of the Service.

2. Scope and purpose of processing

Ember processes personal data solely to provide and improve the Service — reading relationship context, drafting email, and sending Customer-approved email from the Customer’s connected inbox — and for no other purpose. The categories of data subjects are the Customer’s contacts and correspondents; the categories of personal data include names, email addresses, message content and metadata, and CRM records and activities.

3. Confidentiality

Ember ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations and access data on a need-to-know basis.

4. Security

Ember maintains appropriate technical and organizational measures designed to protect personal data, including least-privilege access, per-user and per-team data scoping, encryption in transit, and secure storage of integration credentials. See our Security page for more detail.

5. Subprocessors

The Customer authorizes Ember to engage subprocessors to deliver the Service. Current subprocessors include Supabase (database and authentication), Railway (hosting), Anthropic, OpenAI, and Google Cloud (AI/language models), Cohere (embeddings and ranking), Composio (integration and OAuth token management), Attio (CRM integration), Stripe (payments), Sentry (error monitoring), and Cloudflare (network and security). Ember remains responsible for its subprocessors’ compliance with this DPA and will give notice of material changes to its subprocessor list.

6. International transfers

Where personal data is transferred across borders, Ember relies on lawful transfer mechanisms as required by applicable data protection law.

7. Data subject requests

Taking into account the nature of the processing, Ember provides reasonable assistance to help the Customer respond to requests from data subjects to exercise their rights, and promptly forwards to the Customer any such request that Ember receives directly.

8. Personal data breaches

Ember will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s data, and will provide information reasonably available to help the Customer meet its own notification obligations.

9. Deletion and return

On termination of the Service, or when the Customer disconnects an integration, Ember ceases ongoing access and deletes or returns the relevant personal data, subject to legal retention requirements and the timelines described in our Privacy Policy.

10. Audits

Ember will make available information reasonably necessary to demonstrate compliance with this DPA and will contribute to audits as required by applicable law, subject to reasonable confidentiality and security safeguards.

11. Contact

For data processing inquiries, email hello@withember.ai.