Data Processing Addendum

1. Scope and incorporation

This Data Processing Addendum (DPA) applies where Shifter processes Customer Personal Data on behalf of a Customer as part of a paid service, pilot, implementation or managed workflow. It is incorporated into the applicable Order and Terms.

2. Roles and definitions

The Customer is the controller or equivalent decision-maker for Customer Personal Data. Shifter acts as processor/service provider when processing Customer Personal Data on the Customer's behalf and under Customer instructions. Terms such as personal data, processing, controller, processor and data subject have the meanings given under applicable data protection law.

3. Customer instructions and compliance

Shifter will process Customer Personal Data to provide, secure, support, monitor, troubleshoot and improve the contracted services, and as otherwise documented in the Order, Terms or Customer instructions. The Customer is responsible for lawful basis, notices, consents, suppression lists, data accuracy, platform permissions and compliance for its business and campaigns.

4. Confidentiality and security measures

Shifter will restrict Customer Personal Data access to personnel and providers who need it to provide the services and are subject to confidentiality obligations. We maintain reasonable administrative, technical and organisational safeguards appropriate to the nature and risk of the processing, including access controls, secure credential handling, review steps or audit trails where appropriate, reasonable vendor selection and incident response procedures.

5. Subprocessors

Customer authorises Shifter to use subprocessors and customer-directed systems needed to provide the services. Public subprocessor categories are listed on the Subprocessors page. We remain responsible for subprocessors we appoint directly, subject to the limitations in the agreement.

Customers may object to a new subprocessor on reasonable data protection grounds by contacting us. We will work in good faith to address reasonable objections, which may include using an alternative provider, disabling a feature or allowing termination of the affected service according to the applicable Order.

6. AI providers and automated tools

Shifter may use AI providers and automated tools to process Customer Personal Data for the service, including drafting, summarising, routing, extraction, classification, research, QA and workflow support. We do not intentionally use Customer Personal Data to train third-party public AI models unless expressly agreed or provider settings/terms support no-training for that data.

7. International transfers

Customer Personal Data may be processed in the United Arab Emirates and other countries where Shifter, subprocessors or customer-selected systems operate. Where required, the parties will use appropriate contractual, technical and organisational safeguards for international transfers.

8. Data subject requests, incidents and audits

Shifter will reasonably assist the Customer with data subject requests, regulatory enquiries and security incidents relating to Customer Personal Data, taking into account the nature of the processing and information available to us. If we become aware of a confirmed personal data breach affecting Customer Personal Data, we will notify the Customer without undue delay as required by applicable law.

9. Return, deletion and retention

After termination or expiry of the relevant Order, Shifter will return or delete operational Customer Personal Data within a reasonable period, generally within 90 days, unless the Customer asks otherwise or legal, security, backup, accounting, platform, dispute or compliance requirements require longer retention.

10. Processing details