Data Processing Agreement
Updated: Apr 1, 2025
This Data Processing Agreement ("DPA") forms part of the Agreement between Empathiq, Inc. ("Empathiq," "we," or "our") and the customer entity ("Customer") that uses our Services under the applicable Terms of Service or signed Order Form.
This DPA governs the processing of Customer Personal Data by Empathiq on behalf of the Customer in accordance with applicable Data Protection Laws, including but not limited to the GDPR, CCPA, and HIPAA.
1. Definitions
Data Protection Laws: All applicable laws and regulations related to data protection and privacy, including GDPR (EU Regulation 2016/679), CCPA, and HIPAA where applicable.
Customer Personal Data: Any personal data processed by Empathiq on behalf of the Customer under the Agreement.
Subprocessor: A third-party service provider engaged by Empathiq to process Customer Personal Data.
2. Roles of the Parties
The Customer is the Data Controller.
Empathiq is the Data Processor acting on behalf of the Customer.
Empathiq may engage Subprocessors under the conditions described below.
3. Scope and Purpose
Empathiq shall process Customer Personal Data only:
To provide, maintain, and improve the Services;
In accordance with documented Customer instructions;
As required by law.
We shall not retain, use, disclose, or sell Customer Personal Data for any purpose other than as permitted in this DPA.
4. Security
Empathiq implements appropriate technical and organizational measures to protect Customer Personal Data, including:
Encryption of data in transit and at rest;
Access controls and user authentication;
Regular audits and vulnerability assessments;
Subprocessor due diligence.
Empathiq’s infrastructure providers maintain SOC 2 Type II, ISO 27001, and GDPR-aligned practices. PHI is only processed via HIPAA-compliant subprocessors.
5. Subprocessing
Customer authorizes Empathiq to engage subprocessors listed at: Subprocessors Page.
Empathiq shall:
Ensure subprocessors are contractually bound to data protection standards equivalent to those in this DPA;
Notify Customer of any intended changes to subprocessors and allow the Customer to object within a reasonable time.
6. Data Subject Rights
Empathiq shall assist the Customer in fulfilling obligations to respond to Data Subject Requests (DSRs), including:
Access, rectification, erasure, or portability requests;
Objections or restrictions to processing.
Requests may be routed to: hello@getempathiq.com.
7. Data Breach Notification
In the event of a Personal Data Breach, Empathiq shall:
Notify the Customer without undue delay after becoming aware;
Provide timely information and cooperation to address the breach;
Assist in meeting any regulatory reporting obligations.
8. Data Transfers
Empathiq may transfer Customer Personal Data to countries outside the EEA or originating jurisdiction only:
To subprocessors with adequate protections (e.g., Standard Contractual Clauses);
As required by law or contract.
All subprocessors agree to adhere to applicable international transfer mechanisms.
9. Termination and Return/Deletion of Data
Upon expiration or termination of the Agreement, Empathiq shall:
Retain Customer Personal Data only as required by law or documented agreement;
Delete or return all Customer Personal Data upon written request.
10. Audit Rights
Customer may request an audit of Empathiq’s compliance with this DPA:
Subject to reasonable notice and confidentiality;
Limited to once per 12-month period, or as required by law.
11. Liability
Liability under this DPA is subject to the limitations set forth in the Agreement unless otherwise required by applicable law.
12. Governing Law
This DPA shall be governed by the same jurisdiction as the Agreement it supplements.
13. Contact
Questions regarding this DPA can be directed to: hello@getempathiq.com