This Data Processing Addendum, including all annexes and exhibits attached hereto (“DPA”), forms part of the services agreement, terms of use, order form, or other agreement governing the use of Ridge AI’s services (“Agreement”) between the applicable customer (“Customer”) and Ridge AI, Inc. (“Ridge AI”).
This DPA applies where Ridge AI Processes Personal Data on behalf of Customer in connection with the Services. This DPA is effective as of the effective date of the Agreement and is incorporated by reference into the Agreement. In the event of any inconsistency or conflict between this DPA and the Agreement, this DPA will govern with respect to the Processing of Personal Data.
Customer and Ridge AI agree as follows:
- Definitions.
“Applicable Data Protection Law” means all applicable data protection laws, rules, regulations, orders, ordinances, regulatory guidance, and industry self-regulations, including without limitation the EU General Data Protection Regulation (Regulation 2016/679), the United Kingdom Data Protection Act 2018, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Swiss Federal Data Protection Act of 19 June 1992 (“FADP”), and any subsequent supplements, amendments, or replacements to the same.
“Controller” means an entity that, alone or jointly with others, determines the purposes for and means of Processing. “Controller” has the same meaning as “Business,” as that term is defined under Applicable Data Protection Law.
“Data Subject” means an identified or identifiable natural person.
“EU SCCs” refers to the Standard Contractual Clauses promulgated by the EU Commission Implementing Decision (EU) 2021/914 dated 4 June 2021 and available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj#d1e32-37-1 (or at any other official link, and as may be updated or replaced by the European Commission).
“Personal Data” means information that Ridge AI Processes on Customer’s behalf in connection with its performance of the Services or otherwise pursuant to the Agreement or this DPA that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a Data Subject, or as that term or a similar term is defined under Applicable Data Protection Law.
“Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including, but not limited to, accessing, collecting, recording, organizing, structuring, using, storing, transferring, retaining, disclosing, selling, sharing, deleting, and destroying Personal Data.
“Processor” means a natural or legal person that Processes Personal Data on a Controller’s behalf. “Processor” has the same meaning as “Service Provider,” as that term is defined under Applicable Data Protection Law.
“Sub-processor” means a natural or legal person appointed by a Processor to Process Personal Data on the Processor’s behalf and in accordance with the relevant Controller’s instructions. Where this DPA operates as a Processor-to-Sub-processor agreement, Ridge AI is the Sub-processor.
“Upstream Controller” means the Controller (typically one of Customer’s end-user customers) on whose behalf Customer, when acting in its capacity as a Processor, has engaged Ridge AI as a Sub-processor pursuant to this DPA.
“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Ridge AI.
“UK Addendum” refers to the UK’s International Data Transfer Addendum to the EU SCCs, available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/appropriate-safeguards/what-are-standard-data-protection-clauses-the-uk-idta-and-the-addendum.
- Roles of the Parties. Ridge AI will Process Personal Data on Customer’s behalf, as described in more detail in Annex 1. As between Customer and Ridge AI, the parties’ respective roles are as follows: (a) Controller-to-Processor: Customer is the Controller and Ridge AI is the Processor with respect to Personal Data for which Customer acts on its own behalf and determines the purposes and means of processing. (b) Processor-to-Sub-processor: Customer is a Processor and Ridge AI is the Sub-processor with respect to Personal Data of Customer’s Upstream Controllers.
- Customer Instructions. The parties agree that the Agreement (including this DPA) sets out the complete and final documented instructions to Ridge AI for all Processing of Personal Data and, if applicable, include and are consistent with all instructions from Upstream Controllers. Any additional requested instructions must be mutually agreed by the parties in writing. Customer shall ensure its Processing instructions are lawful and that the Processing of Personal Data in accordance with such instructions will not violate Applicable Data Protection Law. Where Customer acts as a Processor, Customer’s instructions to Ridge AI shall reflect and remain within the scope of the instructions Customer has received from each relevant Upstream Controller, and Customer shall ensure that each Upstream Controller’s instructions are consistent with Applicable Data Protection Law.
Each party shall promptly notify the other party if it becomes aware that such instructions violate Applicable Data Protection Law, in which case Ridge AI may decide to suspend or cease such Processing of Customer Personal Data without owing Customer any compensation. If the Customer fails to amend its instruction, Ridge AI reserves the right to terminate the Agreement without liability for any damages or compensation arising from such termination.
- Ridge AI Responsibilities. Ridge AI agrees to:
- Process Personal Data solely in accordance with Customer’s documented instructions and for the specific business purposes and services specified in the Agreement and this DPA, which includes to prevent, detect, or investigate data security incidents, or protect against fraudulent activity to the extent authorized for Ridge AI by Applicable Data Protection Law;
- except as expressly permitted by Applicable Data Protection Law, not retain, use, disclose, or otherwise Process Personal Data (i) for any purposes other than those specified in the Agreement and in Annex 1; (ii) for any commercial purpose other than the specific business purposes specified in the Agreement and the DPA, including to provide services to a different business; and (iii) outside the direct business relationship between Customer and Ridge AI, including to combine or update Personal Data with information received from or on behalf of another source or collected from Ridge AI’s own interactions with a Data Subject unless expressly instructed by Customer for a specific purpose, and for the sole benefit of Customer, in providing the Services;
- not “sell” or “share” Personal Data, as Applicable Data Protection Law defines those terms;
- ensure that persons who Process Personal Data on Ridge AI’s behalf (such as employees) have undergone appropriate training and are bound by obligations of confidentiality;
- at Customer’s request, and taking into account the nature of the Processing and Ridge AI’s role under Section 2, update, correct, delete, supplement, transfer, and provide Customer with access to Personal Data in Ridge AI’s possession or control that has been lawfully provided by the Customer and has been Processed on Customer’s behalf;
- cooperate with and provide reasonable assistance to Customer in complying with Applicable Data Protection Law and, where Customer acts as a Processor, in enabling Customer to comply with its obligations to the relevant Upstream Controller, including, but not limited to, assisting with legally-required data protection impact assessments and consultations with regulatory bodies. To the extent that the services referred to in the preceding paragraph are appropriate and possible, Customer and Ridge AI shall agree on reasonable compensation to which Ridge AI is entitled for these services based on Ridge AI’s then-current rates; and
- upon Ridge AI’s or a subprocessor’s receipt of a legally-binding request for access to Personal Data from a public authority and where permitted by applicable law: (i) attempt to redirect the request to Customer (and Ridge AI is permitted to provide information to such public authority as reasonably necessary to redirect the request) and/or (ii) promptly notify Customer of the request for access to provide Customer the opportunity to comply with its notice and consent obligations with respect to affected Data Subjects or oppose the disclosure and obtain a protective order or seek other relief), unless providing such notice is prohibited by law, and (iii) where applicable, also comply with Ridge AI’s obligations with respect to access by public authorities set forth in any applicable cross-border transfer mechanism.
- Provision of Personal Data. Customer (on its own behalf or on behalf of its Upstream Controllers) determines what Personal Data is submitted to the Services. Customer shall have sole responsibility for the accuracy, quality, and legal basis for collection of such Personal Data.
- Data Subject Requests. Ridge AI will not respond to direct requests from Data Subjects, and will refer such Data Subjects to the Customer. As between Ridge AI and Customer, Customer is responsible for responding to Data Subject requests or, where Customer acts as a Processor, for forwarding and coordinating such requests with the relevant Upstream Controller. Ridge AI will provide Customer with reasonable cooperation and assistance, taking into account the nature of the Processing, to enable Customer to fulfill its obligations to Data Subjects or to the relevant Upstream Controller.
- Subprocessors. Subject to the requirements of this Section, Customer hereby grants general authorization to Ridge AI to engage subprocessors to perform its obligations under this DPA and the Agreement. Ridge AI will impose by way of contract on its subprocessors data protection obligations no less protective than those set out in this DPA and the Agreement, and Ridge AI remains responsible for the Processing activities and omissions of its subprocessors. Customer approves Ridge AI’s current list of its subprocessors and the countries in which they are located listed at https://www.ridgedata.ai/subprocessors. In the event Ridge AI intends to make changes to the list of approved subprocessors, Ridge AI will provide Customer with at least thirty (30) days’ prior written notice. To receive notices of changes to subprocessors, Customer must enroll by emailing security@ridgedata.ai with a request to be added to our regular email updates, where we will publish any changes. If Customer raises reasonable objections regarding a new subprocessor in writing during the thirty (30) day period and Ridge AI is unable to provide an alternate subprocessor, Customer, as its sole and exclusive remedy, may terminate the Agreement upon advance written notice with respect to those aspects of the Services which cannot be provided without use of the new subprocessor. Where Customer acts as a Processor, Customer is responsible for ensuring that its use of Ridge AI and Ridge AI’s approved subprocessors is authorized by the relevant Upstream Controller and consistent with Customer’s agreement with that Upstream Controller.
- Cross-Border Data Transfers.
The parties will not engage in cross-border transfers of Personal Data without taking steps to ensure such transfers comply with Applicable Data Protection Law. To the extent Customer transfers Personal Data to Ridge AI about individuals in:
- the European Economic Area (EEA), the parties will conduct such transfers pursuant to the applicable Module of the EU SCCs (Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor)), which are hereby incorporated by reference and deemed executed by the parties as of the Effective Date, or by certifying to and participating in another lawful cross-border transfer mechanism. If Customer is not established in the EEA, Customer will have an appointed representative pursuant to article 27 of the GDPR.
- the United Kingdom, the parties will conduct such transfers pursuant to the applicable Module of the EU SCCs (Module 2 for Controller-to-Processor, or Module 3 for Processor-to-Processor) in tandem with the UK Addendum, which are hereby incorporated by reference and deemed executed by the parties as of the Effective Date, or by certifying to and participating in another lawful cross-border transfer mechanism.
- Switzerland, the parties will conduct such transfers pursuant to the applicable Module of the EU SCCs (Module 2 for Controller-to-Processor, or Module 3 for Processor-to-Processor), which are hereby incorporated by reference and deemed executed by the parties as of the Effective Date, or by certifying to and participating in another lawful cross-border transfer mechanism. In relation to Personal Data that is protected by the FADP and transferred pursuant to the EU SCCs, the EU SCCs will be amended as follows:
- references to “Regulation (EU) 2016/679” in the EU SCCs will be deemed to refer to the Swiss FADP;
- references to specific articles of “Regulation (EU) 2016/679” will be deemed replaced with the equivalent article or section of the Swiss FADP;
- references to “EU”, “Union” and “Member State” will be deemed replaced with ‘Switzerland’;
- references to the “competent supervisory authority” and “competent courts” are replaced with the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland” (as applicable);
- in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and
- in Clause 18(b), disputes will be resolved before the competent courts of Switzerland.
- If the parties will engage in cross-border transfers of Personal Data subject to the EU SCCs and/or the UK Addendum, Ridge AI will be the “data importer,” Customer will be the “data exporter,” and Annex 1 will provide the supplementary information required. If there is any conflict between this DPA and the EU SCCs and/or UK Addendum, respectively the EU SCCs or UK Addendum will prevail.
- In the event Ridge AI engages in cross-border or onward transfers of Personal Data with a subprocessor or other third-party recipient, Ridge AI will conduct such transfers only after ensuring a lawful transfer mechanism is in place. Without prejudice to the foregoing, Customer consents to cross-border or onward transfers of Personal Data where Ridge AI has implemented a transfer solution compliant with Applicable Data Protection Law.
- Security Safeguards. Ridge AI will implement, maintain, and monitor a comprehensive written information security policy that contains appropriate administrative, technical, and organizational safeguards to ensure the confidentiality, integrity, and availability of Personal Data and prevent any unauthorized or unlawful Processing of such Personal Data. The safeguards will be appropriate to the nature of the Personal Data and comply with Applicable Data Protection Law and are detailed in Annex 2 (Information Security Measures).
- Security Breach.
- In the event Ridge AI discovers a Security Breach, Ridge AI will (i) notify Customer without undue delay and within any time period required by applicable law; and (ii) promptly take appropriate steps to investigate, mitigate, and remediate the Security Breach.
- Any notification required under this Section must satisfy the requirements under Applicable Data Protection Law and include, where feasible: (i) the details of the Security Breach available to Ridge AI at such time, which may include the number and categories of individuals affected, categories and number of records concerned, types of Personal Data affected, likely consequences of the Security Breach, and date and time of such incident; (ii) a summary of the incident that caused the Security Breach and any ongoing risks that the Security Breach poses; (iii) a description of the measures proposed or taken by Ridge AI to address the Security Breach; (iv) any other information required under Applicable Data Protection Law. Following such initial notice, Ridge AI will reasonably cooperate with Customer (including by providing information reasonably requested by Customer) to enable Customer to comply with its legal obligations to notify supervisory authorities or Data Subjects of the Security Breach. Customer will report data breaches that are subject to a statutory reporting obligation to the relevant regulator within the timeframe provided by the Applicable Data Protection Law.
- Notwithstanding the foregoing, Ridge AI’s maximum liability under this DPA will be limited pursuant to the limitations of liability set forth in the Agreement.
- Representations and Warranties.
- Customer represents and warrants that it is and will remain in compliance with all Applicable Data Protection Law in connection with the Agreement and Personal Data, including, where Customer acts as a Processor, its obligations to the relevant Upstream Controller to the extent applicable to Customer’s engagement of Ridge AI.
- Customer guarantees and warrants that the instructions given to Ridge AI are in accordance with the Applicable Data Protection Law.
- Customer represents and warrants that all Personal Data entrusted to Ridge AI have been lawfully obtained, disclosed, and made available to Ridge AI and can be lawfully Processed throughout the duration of the Agreement.
- Where this DPA operates as a Processor-to-Sub-processor agreement, Customer additionally represents and warrants that: (i) each Upstream Controller has provided all necessary consents and authorizations for Customer to engage Ridge AI as a Sub-processor for the Processing activities described in Annex 1; (ii) Customer has entered into or will enter into data processing agreements with each Upstream Controller that impose data protection obligations on Customer that are at least as protective as those in this DPA; and (iii) Customer will promptly inform Ridge AI of any instruction from an Upstream Controller that Customer believes would cause Ridge AI to violate Applicable Data Protection Law.
- Return or Destruction of Personal Data. Upon Customer’s request, or promptly upon termination of the Agreement, Ridge AI will cease all Processing of Personal Data and, at Customer’s election, either (a) return such data to Customer or (b) destroy such data and certify such destruction to Customer in writing. Ridge AI is permitted to retain Personal Data where it has a legal requirement to do so, provided that Ridge AI notified Customer of this in writing.
Annex 1 to DPA: Scope of Processing
1. Customer – Controller / Data Exporter or Processor / Data Exporter:
Name:
As provided by Customer
Address:
As provided by Customer
Activities relevant to the data Processed under the DPA:
Use of Ridge AI services for analytics, reporting, dashboarding, and AI-assisted data exploration.
Point of Contact
As provided by Customer
2. Ridge AI – Processor / Data Importer or Sub-processor / Data Importer:
Name:
Ridge AI
Address:
1522 Western Ave STE 12925, Seattle, WA 98101-1522
Activities relevant to the data Processed under the DPA:
Provision of Ridge AI’s embedded analytics, dashboarding, and AI-assisted data exploration services.
Point of Contact
security@ridgedata.ai
3. Subject Matter of Processing
The Processing is in relation to Ridge AI’s; provision of services under the Agreement.
4. Duration of Processing
The Processing will begin after the Effective Date and will end upon expiration or termination of the Agreement.
5. Nature and Purpose of Processing
The nature and purposes of Processing include
- Host and operate the Ridge AI platform
- Present and visualize customer data
- Enable dashboarding and reporting functionality
- Support AI-assisted exploration and querying of customer data
- Maintain platform security, reliability, and performance
- Provide customer support and operational monitoring
6. Types of Personal Data
Depending on Customer’s use of the Services, Personal Data may include:
- User identifiers
- Names and email addresses
- Account and organization identifiers
- Product usage and analytics data
- Customer-defined business data contained within dashboards, datasets, or reports
- Authentication and access logs
- Support communications
Ridge AI does not intentionally collect sensitive personal information unless provided by Customer.
7. Categories of Data Subjects
Data subjects may include:
- Customer employees and contractors
- Customer end users
- Users of Customer’s products or services
- Business contacts and support users
8. Period of Data Retention by Ridge AI
Ridge AI retains Personal Data during the term of the Agreement, unless otherwise agreed to by the parties, and deletes or anonymizes Customer Data within a commercially reasonable period following termination of the Agreement, unless otherwise required by law or agreed by the parties.
9. Approved Subprocessors and Data Transfers
Ridge AI may use third-party subprocessors to support delivery of the Services, including cloud infrastructure, hosting, authentication, monitoring, and collaboration providers.
A current list of subprocessors is available at https://ridgedata.ai/subprocessors.
Customer Data may be processed in the United States and other jurisdictions where Ridge AI or its subprocessors operate.
Annex 2 to DPA: Information Security Measures
Ridge AI maintains a SOC 2–aligned security program designed to protect the confidentiality, integrity, and availability of Customer Data.
Security measures include:
Access Controls
- Role-based access controls and least privilege principles
- Multi-factor authentication for administrative systems where supported
- Access provisioning and offboarding procedures
- Periodic access reviews
Infrastructure and Network Security
- Use of managed cloud and edge infrastructure providers
- Web application firewall (WAF) and DDoS protections
- Encrypted network communications using TLS
- Segregation between production and non-production environments
Application Security
- Version-controlled source code repositories
- Peer review of production code changes
- Automated testing and deployment workflows
- Vulnerability monitoring and dependency management
Monitoring and Incident Response
- Logging and monitoring of system activity
- Documented incident response procedures
- Processes for investigation, containment, remediation, and post-incident review
Data Protection
- Encryption of data in transit
- Encryption at rest where supported by infrastructure providers
- Logical tenant isolation controls
- Data retention and secure disposal procedures
Personnel Security
- Confidentiality obligations for personnel and contractors
- Security awareness and onboarding procedures
- Prompt revocation of access upon termination or role change
Vendor Management
- Review and management of critical service providers and subprocessors
- Contractual security and confidentiality obligations for subprocessors
Availability and Resilience
- Backup and recovery processes for critical systems
- Business continuity and disaster recovery procedures
- Monitoring of service availability and operational health