Data Processing Agreement

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Squizz the Lemon Terms of Service. It governs Twist Labs SARL's processing of personal data on behalf of the Customer (as defined below) as a data processor. By using the Service to process personal data of third parties, the Customer agrees to this DPA.

1. Definitions

• "Customer" means the user or entity that has accepted Squizz the Lemon’s Terms of Service and uses the Service to process Customer Data.
• "Customer Data" means personal data that Twist Labs SARL processes on behalf of the Customer as described in Annex I.
• "Data Protection Laws" means Moroccan Law No. 09-08, GDPR (where applicable to EEA users), and any other applicable data protection legislation.
• "Personal Data", "processing", "controller", "processor", "data subject", "personal data breach" have the meanings given to them in applicable Data Protection Laws.
• "Security Breach" means a breach of security leading to accidental or unlawful access to, disclosure of, alteration of, or destruction of Customer Data.
• "Sub-processor" means any entity engaged by Twist Labs SARL to process Customer Data.
• "SCCs" means the Standard Contractual Clauses approved by European Commission Decision (EU) 2021/914.

2. Roles

As between the parties, the Customer is the data controller and Twist Labs SARL is the data processor with respect to Customer Data. Twist Labs SARL will process Customer Data only in accordance with the Customer's documented instructions.

3. Squizz The Lemon Obligations

• Process Customer Data only on documented instructions from the Customer, including regarding international transfers, unless required to do so by applicable law
• Ensure that persons authorized to process Customer Data are subject to appropriate confidentiality obligations
• Implement and maintain appropriate technical and organizational security measures as described in Annex II
• Not engage Sub-processors without the Customer's prior authorization (general authorisation granted for Sub-processors listed in Annex III upon acceptance of this DPA)
• Assist the Customer with Data Subject Requests as described in Section 7
• Notify the Customer of any Security Breach without undue delay upon becoming aware
• Delete or return all Customer Data upon termination of the Service as described in Section 10
• Make available to the Customer all information necessary to demonstrate compliance with this DPA
• Comply with all applicable Data Protection Laws

4. Customer's Obligations

• Represents that it has all necessary rights, consents, and legal bases to provide Customer Data to Squizz The Lemon
• Will comply with all applicable Data Protection Laws with respect to Customer Data
• Will only transfer Customer Data to Squizz The Lemon using secure and appropriate mechanisms
• Is solely responsible for the accuracy, legality, and quality of Customer Data

5. AI Model Training

Twist Labs SARL will not use, nor authorize any Sub-processor to use, Customer Data to train, retrain, fine-tune, or otherwise improve any third-party AI or ML models. Twist Labs SARL may use aggregated, de-identified, non-reversible data derived from Customer Data to improve its own Service features, solely to provide better functionality to the Customer and its users. Twist Labs SARL selects AI providers whose published terms indicate that they do not use customer data for general model training. Third-party providers' terms are beyond Twist Labs SARL's direct contractual control and may evolve.

6. Third-Party API Data

Where Customer Data includes data obtained via third-party APIs (Meta, Google, LinkedIn, TikTok, Instagram, and similar):

• Such data is used solely to provide the requested functionality to the authorized user
• Such data is not sold, rented, or shared beyond strict operational necessity
• Such data is not used for advertising or profiling beyond the authorized purpose
• Such data is not used to train or improve any AI or ML model
• Analytics on such data does not identify individual users

7. Data Subject Requests

• Squizz The Lemon will promptly forward to the Customer any Data Subject Request received relating to Customer Data
• Squizz The Lemon will not respond to Data Subject Requests directly without the Customer's authorization, unless required by applicable law
• Squizz The Lemon will provide reasonable assistance to the Customer in responding to Data Subject Requests

8. Security Breach Notification

Squizz The Lemon will notify the Customer without undue delay upon becoming aware of a Security Breach. Notification will include, to the extent available:

• The nature of the breach and categories of data affected
• The approximate number of data subjects and records involved
• The likely consequences of the breach
• The measures taken or proposed to address the breach

Squizz The Lemon’s breach response does not constitute acknowledgement of fault or liability.

9. Sub-processors

The Customer grants general authorization for Squizz The Lemon to engage the Sub-processors listed in Annex III. Squizz The Lemon will:

• Maintain a current Sub-processor list at squizzthelemon.com/sub-processors
• Provide reasonable advance notice of intended Sub-processor changes
• Impose data protection obligations on Sub-processors substantially equivalent to those in this DPA
• Remain liable to the Customer for Sub-processor compliance with this DPA

10. Term, Return, and Deletion of Customer Data

This DPA applies for as long as Squizz The Lemon processes Customer Data. Upon termination of the Service:

• Squizz The Lemon will, at the Customer's choice, delete or return Customer Data within a reasonable period
• Squizz The Lemon will instruct Sub-processors to delete Customer Data within the same timeframe
• Encrypted backup systems may retain Customer Data for a limited additional period during rotation cycles; such data is isolated and not actively processed
• Squizz The Lemon will provide written confirmation of deletion upon request

11. International Transfers

Where Customer Data is transferred outside Morocco or the EEA, Squizz The Lemon will ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or contractual protections equivalent to Law 09-08 requirements.

12. Audit Rights

The Customer may request information necessary to verify Squizz The Lemon’s compliance with this DPA, including relevant documentation or security attestations. Independent audits may be conducted at the Customer's cost, with reasonable advance notice, no more than once per year, and subject to confidentiality obligations.

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

14. Governing Law

This DPA is governed by the laws of the Kingdom of Morocco. For EEA users, applicable GDPR provisions take precedence. Disputes are subject to the dispute resolution provisions in the Terms of Service.

15. Updates

Squizz The Lemon may update this DPA to reflect changes in applicable Data Protection Laws or processing activities. Material changes will be communicated with reasonable advance notice.

Annex I — Details of Processing

Subject matter

Provision of AI-powered marketing services.

Duration

For the term of the Customer's subscription to the Service.

Nature and purpose

Processing to generate marketing strategies, content, and campaign recommendations on behalf of the Customer.

Types of personal data

Contact data, professional data, marketing data, social media data, campaign performance data, and any other personal data included in User Content or retrieved via authorized API connections.

Categories of data subjects

The Customer's employees, customers, end-users, prospects, and social media audiences.

Annex II — Technical and Organizational Security Measures

Squizz The Lemon implements and maintains administrative, physical, and technical safeguards appropriate to the sensitivity of the data processed, including but not limited to:

• Encryption of data in transit and at rest
• Access controls based on the principle of least privilege
• Multi-factor authentication for privileged system access
• Regular security assessments
• Documented incident response and breach management procedures
• Regular encrypted backups with tested recovery procedures
• Security awareness training for personnel with access to Customer Data

Annex III — Approved Sub-processors

A current list of approved Sub-processors is maintained and available at squizzthelemon.com/sub-processors. Categories of Sub-processors include:

• Cloud infrastructure providers (hosting, storage, compute)
• Large Language Model API providers
• Payment processing providers
• Email and communication service providers
• Analytics and monitoring providers

Contact

Twist Labs SARL

ICE: 003933917000017 | Address: Angle Rue Mozart et Bd d'Anfa, Résidence le Petit Paradis – 7ème étage, Casablanca, Maroc

Email: legal@squizzthelemon.com | Website: https://squizzthelemon.com