Peekly

Peekly Data Processing Addendum (DPA)

Effective Date: June 2025

This Data Processing Addendum ("DPA") forms part of the agreement between the business client ("Client") and Tiltely LLC, the parent company offering Peekly as a service ("Peekly", "we", "us", or "our"), located in Wyoming, USA. This DPA governs the processing of personal data by Peekly on behalf of the Client in accordance with data protection laws including, but not limited to, the General Data Protection Regulation (EU 2016/679) ("GDPR") and other applicable global privacy regulations.

1. Definitions

  • Controller: The entity which determines the purposes and means of the processing of personal data.
  • Processor: The entity which processes personal data on behalf of the Controller.
  • Subprocessor: A third party engaged by the Processor to process personal data.
  • Data Subject: The individual whose personal data is being processed.
  • Applicable Data Protection Laws: GDPR, CCPA/CPRA, and other relevant privacy regulations.

2. Scope and Roles

This DPA applies when Peekly processes personal data on behalf of the Client, whether through website chat widgets, third-party messaging platform integrations (including WhatsApp), or any other channel supported by the Service. The Client is the Data Controller, and Peekly is the Data Processor. The parties agree to comply with applicable data protection laws when handling such data. Peekly disclaims responsibility for any unlawful, unauthorized, or negligent data collection or instruction issued by the Client. Peekly shall not be considered a Joint Controller for any data collected, stored, or processed through chatbot configurations defined solely by the Client.

The Client agrees not to configure Peekly for the collection of personal data from children under 13, or under the age of digital consent as defined in their jurisdiction, unless legally authorized to do so. Peekly disclaims all liability for unlawful deployment targeting minors.

Peekly shall assist the Client in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR, including data protection impact assessments (DPIA), upon reasonable request. Peekly shall assist the Client, upon request, in conducting a Data Protection Impact Assessment (DPIA) where the nature of the chatbot deployment involves high-risk processing, as defined under Article 35 GDPR. It is the Client's sole responsibility to initiate a Data Protection Impact Assessment (DPIA) when using AI-powered processing tools.

3. Purpose and Instructions

Peekly shall only process personal data on documented instructions from the Client unless required to do so by law. These instructions include processing for chatbot interactions across all supported channels (including website and WhatsApp), analytics, data routing, and service delivery.

Peekly will inform the Client if, in its opinion, any instruction violates applicable data protection laws. Peekly shall not be held liable for actions taken under instructions that later prove to be legally noncompliant.

4. Subprocessing

Peekly uses authorized subprocessors to provide its services. The current subprocessors are:

  • DigitalOcean
    • Role: Cloud Service Provider
    • Location: United States
  • OpenAI
    • Role: AI engine provider
    • Location: United States
  • Pinecone
    • Role: Vector database services
    • Location: United States
  • Cloudflare
    • Role: CDN, security & DNS services
    • Location: United States
  • Stripe
    • Role: Payment processor
    • Location: United States
  • Meta Platforms, Inc.
    • Role: WhatsApp Business messaging platform (message delivery and receipt via WhatsApp Cloud API)
    • Location: United States

Peekly shall:

  • Ensure that all subprocessors are contractually bound to comply with data protection obligations equivalent in substance to those set out in this DPA, and that appropriate technical and organizational safeguards are implemented.
  • Notify the Client of any intended addition or replacement of subprocessors, giving the Client an opportunity to object.
  • Not be held liable for the actions of subprocessors beyond Peekly's contractual due diligence and legal obligations.

Peekly limits subprocessor access to only what is necessary for service provision and contractually prohibits use for independent purposes. Clients acknowledge that certain subprocessors (such as Meta Platforms, Inc.) may independently process data in accordance with their own privacy policies and terms when the Client enables integrations with their platforms.

5. Confidentiality

Peekly shall ensure that all employees and subprocessors authorized to process personal data are bound by confidentiality obligations and have received proper training. Peekly shall not be liable for breaches caused by the Client's disclosure of confidential data or credentials to unauthorized third parties.

6. Security Measures

Peekly implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and while stored
  • Access controls
  • Secure software development practices
  • Incident response protocols

Encrypted backups may persist for up to 30 days for system continuity and disaster recovery. These are automatically deleted on a rolling basis and cannot be selectively purged.

Peekly and Tiltely shall not be held liable for unauthorized access, data loss, or data breach resulting from external cyberattacks, hacking attempts, or other malicious actions beyond their reasonable control.

7. Data Subject Rights

Peekly will assist the Client in responding to data subject requests regarding:

  • Access
  • Rectification
  • Erasure
  • Data portability
  • Objection to processing

Peekly shall not respond directly to any data subject request unless authorized in writing by the Client. Peekly shall not be held liable for a Client's failure to respond to such requests.

8. Personal Data Breach

Peekly will notify the Client without undue delay and no later than 72 hours after becoming aware of a personal data breach. Such notification shall include:

  • The nature of the breach
  • The likely consequences
  • The measures taken to mitigate its effects

Peekly's responsibility is limited to providing timely notification and mitigation support; the Client assumes responsibility for additional regulatory obligations or communications required under applicable laws. Peekly's obligation is limited to notifying the Client. The Client remains responsible for fulfilling any End User notifications or regulatory filings required under applicable laws.

9. Data Transfers

Peekly may transfer personal data to subprocessors located outside the Client's jurisdiction, provided appropriate safeguards (such as Standard Contractual Clauses) are in place.

Peekly shall not be held liable for the data protection failures of foreign subprocessors acting outside Peekly's contractual or technical control. Peekly uses the European Commission's Standard Contractual Clauses (SCCs) 2021/914/EU as the basis for data transfers to subprocessors outside the EEA.

10. Return or Deletion of Data

At the choice of the Controller, the Processor shall delete or return all the personal data to the Controller after the end of the provision of services, unless Union or Member State law requires storage of the personal data.

11. Audit Rights

The Client has the right to request information necessary to demonstrate compliance with this DPA. Upon reasonable notice, Peekly will allow for audits by the Client or an independent auditor, limited to once annually and under confidentiality obligations. Peekly reserves the right to limit the scope, duration, and manner of audits to protect system security, proprietary information, and other clients' data.

Peekly may retain encrypted system backups for operational continuity for up to 30 days. These backups are automatically purged on a rolling basis. Personal data in backups cannot be selectively deleted but is erased entirely upon expiration.

12. Limitation of Liability

Peekly's liability arising out of or in connection with this DPA shall be subject to the limitations of liability agreed in the underlying service agreement. Peekly shall not be liable for any indirect, incidental, special, punitive, or consequential damages, including data loss, business interruption, loss of profits, or reputational harm, even if advised of the possibility of such damages.

Peekly reserves the right to recover damages or enforcement costs, including legal and administrative fees, resulting from a breach of this DPA.

13. Jurisdiction and Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Wyoming, USA, and any disputes shall be subject to the exclusive jurisdiction of its courts.

IN WITNESS WHEREOF, the parties agree to this Data Processing Addendum either by signature or by executing the main Service Agreement, or by continuing to use the Peekly Service after the DPA's effective date, which shall constitute binding acceptance.