Conversion Data Processing Addendum

This OpenAI Conversion Data Processing Addendum (“Conversion DPA”) supplements and is incorporated into the Conversion Terms and is entered into as of the effective date between the organization agreeing to these terms (“Customer” or “you”) and the OpenAI entity that is a party to the Conversion Terms (“OpenAI”). OpenAI and Customer are each a “Party” and collectively the “Parties”. Capitalized terms not defined here have the meanings given in the Conversion Terms. By using or enabling the Conversion Tools, you agree to this Conversion DPA and represent that you have authority to bind the applicable entity.

• 1.1. Roles. Except for Restricted Processing, each Party acts as an independent Data Controller with respect to Personal Data Processed through the Conversion Tools. The Parties are not joint Data Controllers, Data Controllers in common, or Data Processors of one another with respect to such Processing. 
• 1.2. OpenAI Processing. As an independent Data Controller, OpenAI may Process Personal Data received through the Conversion Tools for the purposes permitted under the Conversion Terms and Data Protection Laws. 
• 1.3. Customer Responsibilities. Customer represents and warrants that it has provided all required notices and obtained and will maintain all rights, consents, permissions, and legal bases required for Customer to collect, use, share, and provide Personal Data to OpenAI, and for OpenAI to Process such Personal Data as an independent Data Controller as described in the Conversion Terms and this Conversion DPA. Customer will not provide OpenAI with (a) Prohibited Data, (b) Personal Data of individuals who have opted out of, objected to, or withdrawn consent for the relevant Processing where honoring that choice requires Customer to stop making such Personal Data available to OpenAI, or (c) event names, audience names, parameters, tags, or similar fields that reveal or imply Prohibited Data or sensitive categories of Personal Data.
• 1.4. Configurations; Third-Party Use. Customer is responsible for configuring, implementing, and using the Conversion Tools in compliance with Data Protection Laws, the Conversion Terms, and applicable documentation. Customer will not place or enable the Conversion Tools on properties, apps, pages, or platforms that Customer does not own, operate, or have sufficient legal authority to use for such purpose. If Customer uses the Conversion Tools on behalf of, together with, or for the benefit of a third party, Customer represents that it has authority to do so and is responsible for ensuring that such third party complies with obligations at least as protective as those set forth in this Conversion DPA.
• 1.5. Requests and Complaints. Customer is responsible for responding to and honoring Data Subject Requests, opt-outs, objections, and consent withdrawals it receives, including by ceasing to make affected Personal Data available to OpenAI where required by Data Protection Laws. Customer will promptly notify OpenAI of any actual or threatened complaint, inquiry, claim, or regulatory request relating to Customer’s collection, use, sharing, or provision of Personal Data through the Conversion Tools and will reasonably cooperate with OpenAI in responding to such matter.
• 1.6. Security Incident Notification. Unless prohibited by Data Protection Laws, each Party will notify the other without undue delay after becoming aware of a Security Incident involving Personal Data Processed by that Party under this Conversion DPA, to the extent the Security Incident is reasonably likely to affect the other Party’s rights or obligations under Data Protection Laws.

• 2.1. Application. Solely with respect to Restricted Processing, Customer is the Data Controller and OpenAI is the Data Processor. The Processor DPA applies to Restricted Processing, subject to the modifications in this Section 2.
• 2.2. Construction. For purposes of applying the Processor DPA to Restricted Processing: (a) references to “Customer Data” mean Personal Data subject to Restricted Processing; (b) references to the “Services” mean the Conversion Tools; (c) references to the “Agreement” mean the Agreement, including the Conversion Terms and this Conversion DPA; and (d) references to the “Sub-Processor List” mean the Conversion Sub-Processor List.
• 2.3. Conflicts. If there is a conflict between the Processor DPA and this Conversion DPA with respect to Restricted Processing, this Conversion DPA controls.
• 2.4. Sub-processors. Customer authorizes OpenAI to use the sub-processors listed in the Conversion Sub-Processor List for Restricted Processing. OpenAI will provide notice of changes to the Conversion Sub-Processor List via notification within the Services or other reasonable means.

• 3.1. General. Each Party will comply with Data Protection Laws applicable to its international transfers of Personal Data under this Conversion DPA.
• 3.2. Independent Controller Processing. For Personal Data Processed under Section 1, to the extent Customer transfers Personal Data to OpenAI in a jurisdiction that does not provide an adequate level of protection under applicable Data Protection Laws, the Parties will rely on Module One of the SCCs, unless another valid transfer mechanism applies.
• 3.3. Restricted Processing. For Restricted Processing, international transfers are governed by the Processor DPA in accordance with Section 2. 
• 3.4. UK and Switzerland. For transfers of Personal Data subject to UK Data Protection Laws, the UK Addendum applies to the SCCs. For transfers of Personal Data subject to Swiss Data Protection Laws, the SCCs will apply with the modifications required by Swiss Data Protection Laws.

In the event of a conflict between the SCCs, the Conversion Terms, the Agreement, and this Conversion DPA, the following order of precedence will apply: (a) the SCCs, (b) this Conversion DPA, (c) the Conversion Terms, and (d) the Agreement.

“Agreement” means the agreement, online terms, or other written terms between you and OpenAI or its Affiliate that govern your use of the Services and under which OpenAI makes the Conversion Tools available to you. 

“Conversion Terms” means OpenAI’s Conversion Terms available at https://openai.com/policies/conversion-terms⁠.     

“Conversion Sub-Processor List” means the list available at https://openai.com/policies/conversion-subprocessors⁠.

“Data Protection Laws” means the data privacy and data protection laws applicable to the Processing of Personal Data in connection with the Conversion Terms. 

“Data Subject Request” means a request from a Data Subject to exercise rights under Data Protection Laws with respect to Personal Data. 

“Processor DPA” means OpenAI’s Data Processing Addendum available at https://openai.com/policies/data-processing-addendum/⁠. 

“Prohibited Data” has the meaning given in the Conversion Terms. 

“SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the EU Commission on 4 June 2021 (as may be amended, updated or replaced from time to time). 

“Security Incident” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed under this Conversion DPA.

“Services” means the applicable services provided by OpenAI or its Affiliate in connection with which the Conversion Tools are made available. 

“Swiss Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data in Switzerland, including the Swiss Federal Act on Data Protection and its implementing ordinances, each as amended, superseded, or replaced from time to time.

“UK Addendum” means the UK addendum to the EU SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018. 

“UK Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data in the United Kingdom, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, each as amended, superseded, or replaced from time to time.

The terms “Data Controller”, “Data Subject”, “Personal Data”, “Process”, “Processing”, and “Data Processor” have the meanings assigned to them under applicable Data Protection Laws. 

SCC Appendix - Independent Controller Processing

1. SCC Selections. Module One applies to Independent Controller Processing. Clause 7 does not apply. Clause 11 optional language does not apply. For Clause 17, Option 1 applies and the SCCs are governed by the laws of Ireland. For Clause 18(b), disputes will be resolved by the courts of Ireland.

2. Annex I.A; Parties. Customer is the data exporter and OpenAI is the data importer. Customer’s contact details are as set out in the Agreement. OpenAI’s contact details are as set out in the Agreement or otherwise made available by OpenAI. Customer and OpenAI are each Data Controllers for Independent Controller Processing.

3. Annex I.B; Description of Transfer. 

• 3.1. Categories of Data Subjects. Data Subjects include individuals whose Personal Data is provided through the Conversion Tools, including Customer’s users, customers, visitors, prospects, or other individuals who interact with Customer’s websites, apps, stores, ads, or other properties. 
• 3.2. Categories of Personal Data. Categories of Personal Data include Conversion Data, which may include email addresses, phone numbers, cookies, online identifiers, device or browser information, event data, transaction data, purchase data, conversion data, and related metadata. 
• 3.3. Sensitive Data. Customer will not provide Prohibited Data or sensitive categories of Personal Data through the Conversion Tools. 
• 3.4. Frequency of Transfer. The transfer occurs on a continuous basis depending on Customer’s use of the Conversion Tools. 
• 3.5. Nature and Purpose of Transfer. The nature and purpose of Processing are as described in the Conversion Terms and this Conversion DPA. 
• 3.6. Period for which Personal Data will be Retained. The duration is the term of the Agreement and any period required or permitted under the Agreement, the Conversion Terms, this Conversion DPA, or Data Protection Laws.

4. Annex I.C; Supervisory Authority. The competent supervisory authority will be determined in accordance with Clause 13 of the SCCs.

5. Annex II; Technical and Organizational Measures. OpenAI maintains commercially reasonable technical and organizational measures designed to protect Personal Data against unauthorized access, use, disclosure, alteration, and destruction.