1. Purpose
This Addendum defines the obligations of the parties regarding processing of personal information in connection with the use of the Milo platform by organizational customers.
2. Roles of the parties
The Customer determines the purposes and means of processing with respect to Customer Content and information collected from its work environment.
[Company name] will act as processor with respect to Customer Content and will process it according to the Customer's instructions, except where it processes information as service operator for security, support, billing, product improvement, account management, compliance or permitted independent interests.
3. Categories of information and processing purposes
Processed information may include user and employee details, end customer details, browser action data, form data, process metadata, logs, documents, texts and integration data.
Processing will be performed for providing the Service, creating Workflows, logging actions, managing permissions, running processes, presenting previews, security monitoring, support, maintenance, product improvement and compliance with law.
4. Processing instructions
[Company name] will process information according to the Customer's instructions and the agreement unless required otherwise by law.
The Customer will not provide instructions that require the company to violate law, compromise platform security, bypass permissions or process information without a legal basis.
5. Information security
[Company name] will implement reasonable and customary security measures according to the nature of the information, risk level and product stage.
Measures may include access controls, tenant separation, logs, encryption, rate limiting, sensitive field filtering and browser extension risk controls.
6. Sub processors
[Company name] may use sub processors for providing the Service, including cloud, database, AI, email, monitoring, support and security providers.
The company will ensure that sub processors are subject to appropriate confidentiality and information security obligations. The sub processor list will be provided to the Customer or published in a dedicated location.
7. Security incidents
In case of a material security incident involving Customer information, the company will notify the Customer without unreasonable delay, subject to verification of the incident and availability of sufficient initial information.
The notice will include, where known at the time, a general description of the incident, categories of affected information, steps taken and recommended next steps.
8. Data subject requests
Where the company receives a request from a person regarding information processed on behalf of the Customer, it may refer the request to the Customer.
The company will provide reasonable assistance to the Customer, subject to the agreement.
9. Deletion, return and export
Upon termination, the Customer may request export or deletion of Customer information, subject to retention, audit, legal, security and company rights.
Certain audit data may be retained after operational deletion where required for security, control, proof of action, prevention of misuse or compliance with legal requirements.
10. Use of information for product improvement
The company may use usage data, metadata, statistics, errors, performance metrics, aggregated information or anonymized information for service improvement, security, research and development, provided that identifiable Customer information is not disclosed without authorization.
11. High risk AI actions
Where the Customer uses the platform in sensitive contexts such as insurance, credit, employment, health, legal services, financial services or decisions with material impact on a person, the Customer is responsible for performing a risk assessment, ensuring human control and preventing reliance on an automated decision alone where prohibited or restricted by law.
In pilot or MVP stages, actions such as issuing an insurance policy, changing coverage, making statements on behalf of a customer, underwriting decisions, sending a binding document or changing legal status will not be performed without human approval.
