Skip to:
Schedule a demo
Skip to main content

DPA

Last modified August 8, 2024

Data Processing Addendum

This Data Processing Addendum, including its Appendices, (“DPA”) forms part of the Agreement between Ujwal, Inc., a Delaware corporation doing business as Level AI (“Level AI”) and Customer (each individually, a “Party” and collectively, the “Parties”) for the purchase of Level AI’s cloud services and related services. The purpose of this DPA is to set out the terms and conditions under which Level AI will Process Customer Data (as defined below) on behalf of Customer in connection with such services. By signing or electronically accepting an Order Form that references this DPA, Customer accepts this DPA and agrees to its terms and conditions. This DPA is effective upon the Parties’ execution of an Order Form that references this DPA.

  1. Definitions. The terms below have the following meanings when used in this DPA. Any capitalized terms that are not defined in this DPA have the meaning provided in the Agreement.
    1. Agreement” means the underlying agreement, whether written or electronic, between the Parties for access to and use of Level AI’s services, including without limitation: (i) the Terms of Service or Main Services Agreement, as applicable; (ii) the Order Form; and (iii) any Statements of Work, exhibits, or ancillary documents thereto.
    2. Applicable Privacy Law” means requests by governmental authority, court orders, laws, regulations, codes, orders, rules and guidelines imposed by law, competent government authority, governing body or regulator in each country and jurisdiction governing data protection and data privacy applicable to the Services and obligations in this DPA, including without limitation and to the extent applicable, the CCPA and European Data Protection Laws.
    3. CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations.
    4. Controller” means the entity which determines the purpose and means of the Processing of Personal Data.
    5. Customer” means the customer of the Services identified in the Agreement.
    6. Customer Data” means information, including without limitation Personal Data, that Customer discloses to Level AI, or that Level AI otherwise collects, stores, or processes on behalf of Customer, in connection with the Agreement.
    7. Data Subject” means an identified or identifiable person to whom Personal Data relates.
    8. Data Subject Request” means a request from a Data Subject seeking to exercise rights under Applicable Privacy Law.
    9. EEA” means the European Economic Area.
    10. European Data Protection Laws” means any and all Applicable Privacy Laws related to data protection, data security, marketing, privacy, or the Processing of Personal Data in the European Union (“EU”) or United Kingdom (“UK”), including, to the extent applicable, the Regulation (EU) 2016/679 (“GDPR”), Directive 2002/58/EC, Directive 2009/136/EC, and UK GDPR, together with any local, amending or replacement legislation in any EU member state or the UK. For this purpose UK GDPR means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018.
    11. European Personal Data” means the Personal Data subject to European Data Protection Laws.
    12. Industry Recognized Security Practices” means generally accepted industry practices, which, to the extent applicable may include, the SOC 2 Type 2 certification, the National Institute of Standards and Technology NIST Cybersecurity Framework HIPAA, PCI-DSS, internal penetration tests, and vulnerability scans.
    13. Personal Data” (or “Personal Information” as used in Applicable Privacy Law) means any information Level AI processes for Customer that (i) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Level AI’s possession or control or that the Level AI is likely to have access to, or (ii) the relevant Applicable Privacy Law defines as protected personal information or personal data.
    14. Process,” “Processing,” and “Processed” will have the meaning as defined under Applicable Privacy Law.
    15. Processor” (or “Service Provider” as used in Applicable Privacy Law) means the entity engaged to Process Personal Data on behalf of the Controller.
    16. Security Incident” means any accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Level AI or its Subprocessors of which Level AI becomes aware.
    17. Services” means the products and/or services provided by Level AI to Customer pursuant to the Agreement.
    18. Standard Contractual Clauses” or “SCCs” means the European Commission’s standard contractual clauses for the transfer of personal data to third countries, as described in Article 46 of the GDPR, the current versions of which are available at the link https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, and which are incorporated herein by reference.
    19. Subprocessor” means any Processor engaged by Level AI to assist in fulfilling its obligations with respect to providing the Services defined in this DPA to Customer. This includes Subprocessors as defined under the European Data Protection Laws and subcontracted Service Providers under the CCPA.
    20. Third-Country Transfer” means a transfer of European Personal Data outside of the EEA that is not subject to an adequacy decision by the European Commission. When Level AI or its Subprocessors are certified under the EU-US Data Privacy Framework and its extensions, the Parties agree that transfers to such entities are not considered Third-Country Transfers.
  2. Data Processing.
    1. Roles of the Parties. For the purposes of this DPA: (i) Customer is the Controller, and (ii) with respect to Personal Data for which Customer is the Controller, Level AI is the Processor, Processing such Personal Data on Customer’s behalf.
    2. Details of the Processing. Appendix A (Processing Purposes and Details) attached hereto provides a description of the Processing activities carried out by Level AI, including (i) the subject matter and duration of the Processing, (ii) the nature and purpose of such Processing, and (iii) the type of Personal Data and categories of Data Subjects contemplated by this DPA.
    3. Processing Instructions.
      1. Level AI will not Process Personal Data for any purpose other than: (i) as directed by Customer through Customer’s documented instructions, including without limitation Processing in accordance with the Agreement; (ii) for the purposes of providing the Services; or (iii) as otherwise required under Applicable Privacy Law.
      2. Level AI will promptly notify Customer in writing, unless otherwise prohibited under Applicable Privacy Law, if Level AI:
        1. becomes aware that any Processing instruction from Customer violates Applicable Privacy Law; or
        2. is unable to comply with Customer’s Processing instructions.
    4. Level AI Legal/Standards Compliance. Level AI will comply with all Applicable Privacy Law in relation to the Processing of Personal Data. To the extent Level AI Processes Cardholder Data, as defined by the PCI Security Standards Council, on behalf of Customer, Level AI will at all times remain in compliance with the latest PCI DSS Standards and provide Customer with up-to-date attestations thereof upon request.
    5. Customer Processing. Customer as Controller or Processor shall, in its use of the Services, Process Personal Data in accordance with the requirements of Applicable Privacy Law, including any applicable requirement to provide notice to Data Subjects of or obtain consents from Data Subjects for Level AI to process their Personal Data according to this DPA. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data must comply with Applicable Privacy Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
  3. Processing of Personal Data of California Consumers. To the extent that Level AI’s Processing is subject to the CCPA, this Section 3 will apply to such Processing. For purposes of this Section 3, the terms “Business Purpose,” “Commercial Purpose,” “Consumer,” “Personal Information,” “Processing,” “Sell,” “Service Provider,” “Share,” and “Verifiable Consumer Request” shall have the meanings given to them by the CCPA.
    1. The Parties acknowledge and agree that Level AI is a Service Provider for purposes of the CCPA and Level AI is receiving Personal Information from Customer in order to provide the Services, which constitutes a Business Purpose.
    2. Customer is disclosing Personal Information to Level AI only for the limited and specific purpose of Level AI providing the Services.
    3. Level AI shall not Sell or Share Personal Information provided by Customer.
    4. Level AI shall not, except as required by applicable law, retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement for any purpose, including a Commercial Purpose, or as otherwise set forth in the Agreement or as permitted by the CCPA.
    5. Level AI shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement outside of the direct business relationship between Customer and Level AI.
    6. Level AI shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA.
    7. Level AI will not combine Personal Information received from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another party, or that it collects from its own interaction with the Consumer.
    8. Level AI shall comply with all applicable requirements of the CCPA, including, without limitation, all obligations applicable to Service Providers, and shall provide Personal Information provided by Customer under the Agreement the level of privacy protection required by the CCPA.
    9. Level AI shall only engage a new Subprocessor to assist Level AI in providing the Services to Customer under the Agreement in accordance with Section 5 (Subprocessors) of this DPA, including, without limitation, by entering into a written contract with the subcontractor that requires such subcontractor to observe all of the applicable requirements set forth in the CCPA and imposes contractual obligations on the Subprocessors that are at least equivalent to those imposed on Level AI by this DPA.
    10. Level AI shall assist Customer with responding to Verifiable Consumer Requests as required by applicable CCPA requirements. Level AI shall, within three (3) business days, notify Customer of any Verifiable Consumer Requests received by Level AI from a Consumer, including without limitation requests to (i) access, delete, limit, correct, or opt-out of the sale of Personal Information and (ii) obtain additional details about the Personal Information and Customer’s or Level AI’s Processing of such information. Level AI shall maintain records of any Data Subject Request Level AI receives and how Level AI responded to such Data Subject Requests. Level AI will maintain these records for at least twenty-four (24) months from the date it receives such Verifiable Consumer Request.
    11. Level AI shall allow Customer to conduct inspections or audits in accordance with Section 8 (Audit Rights) of this DPA.
  4. Security.
    1. Confidentiality of Personnel. Level AI will ensure that any of Level AI’s personnel and any Subprocessors who have access to Customer Data have a need-to-know and are subject to an appropriate obligation of confidentiality.
    2. Security Measures. Level AI will implement administrative, physical, and technical safeguards to ensure the security of Customer Data that are no less rigorous than Industry Recognized Security Practices. Level AI will maintain, and periodically review, a documented security program to safeguard Customer Data.
    3. Security Incident. In the event of a Security Incident, Level AI will promptly, and in any event, in no more than three (3) business days, notify Customer in writing and furnish Customer with the details of the Security Incident. Level AI will cooperate with Customer in any effort, action, or proceeding to protect Customer Data and to mitigate and/or remediate the impact of the Security Incident. Level AI will reimburse the Customer for actual reasonable expenses the Customer incurs when responding to and mitigating damages. The obligations in this paragraph, other than obligations to notify Customer, shall not apply to Security Incidents that are caused by Customer or Customer’s users.
  5. Subprocessors.
    1. Customer authorizes Level AI to engage Subprocessors to Process Customer Data only as reasonably necessary to provide the Services.
    2. Level AI will conduct reasonable due diligence on each Subprocessor to ensure each Subprocessor is capable of providing the level of protection required by this DPA.
    3. Level AI’s current list of Subprocessors is set forth on the webpage at https://thelevel.ai/subprocessors, as amended by Level AI from time to time (the “Subprocessor List”). Customer hereby consents to the Subprocessors on the Subprocessor List. Level AI will provide Customer with a mechanism to subscribe to notifications of new Subprocessors, and if Customer subscribes, Level AI will provide Customer notification of new Subprocessors prior to such Subprocessors Processing Customer Data.
    4. Customer may reasonably object to such a new Subprocessor in writing, within fifteen (15) days of Customer’s receipt of notice of such new Subprocessor and the Parties shall confer in good faith to resolve such objection. If the Parties cannot resolve the objection, Level AI will promptly (i) cease the Subprocessor’s involvement with the Services, which Level AI will confirm in writing to Customer thereafter; or (ii) if Level AI does not cease the Subprocessor’s involvement, Level AI will promptly notify Customer in writing, and Customer may terminate the Agreement immediately for convenience, on written notice to Level AI and Level AI shall reimburse to Customer a pro-rata amount with respect to any pre-paid fees for services not yet rendered.
    5. Level AI will enter into a written agreement with each Subprocessor that imposes no less restrictive terms than those contained in this DPA.
    6. Level AI will be liable for any breach of this DPA by its Subprocessors.
  6. Data Subject Requests. As applicable, Level AI will implement and maintain appropriate technical and organizational means to obtain information necessary to enable Customer to fulfill Customer’s obligation to respond to Data Subject Requests. With respect to Data Subject Requests related to the Parties’ Processing of Personal Data under the Agreement:
    1. Level AI will without undue delay or within the time provided in Section 3.10 for a request under the CCPA, notify Customer of such Data Subject Request;
    2. Level AI will not respond to such Data Subject Request on behalf of Customer, except on the instructions of Customer or as required by Applicable Privacy Law, in which case Level AI will, to the extent permitted by such Applicable Privacy Law, inform Customer of the legal requirement before Level AI responds to the request;
    3. Level AI will assist Customer with its response to a Data Subject Request, including as appropriate, providing Customer with information in Level AI’s custody related to a specific natural person; and
    4. Level AI shall maintain records of such Data Subject Requests and how Level AI responded to such Data Subject Requests.
    5. Upon a request from Customer to delete or correct certain Personal Data, Level AI will promptly delete or correct, as applicable, unless Applicable Privacy Law requires Level AI to retain the Personal Data, in which case Level AI will promptly provide a written statement to Customer regarding the Applicable Privacy Law which requires such retention. Each Party shall bear its own costs in relation to responding to Data Subject Requests, provided however, if the assistance required from Level AI to help Customer respond to a Data Subject Request goes beyond Level AI’s standard and reasonable processes for such assistance, Customer shall reimburse Level AI for any additional costs reasonably incurred.
  7. Requests for Personal Data. If Level AI receives a valid subpoena, court order, warrant, or other legal demand (“Request”) from a third party (including law enforcement, judicial authority, or any governmental body) (“Requesting Party”) for disclosure of Personal Data, Level AI will use commercially reasonable efforts to redirect the Requesting Party to seek that Personal Data directly from Customer. If, despite Level AI’s efforts, Level AI is compelled to disclose Personal Data to a Requesting Party, Level AI will: (i) promptly notify Customer of the Request to allow Customer to seek a protective order or other appropriate remedy, unless prohibited from notifying Customer, in which case Level AI will use commercially reasonable efforts to obtain a waiver of that prohibition; (ii) object to any over-broad, inappropriate, or unlawful Request; and (iii) disclose only the minimum amount of Personal Data necessary to satisfy the Request.
  8. Audit Rights. Level AI grants Customer the right to audit Level AI’s Processing of Customer Data to verify compliance with Applicable Privacy Law and this DPA. Customer may instruct Level AI to promptly remediate any unauthorized Processing of Customer Data identified during such an audit, and Level AI will promptly comply with any such reasonable instructions. All audits shall be conducted by Customer or a reputable and independent third-party auditor:
    1. acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Services used by Customer;
    2. up to one (1) time per year with at least three (3) weeks’ advance written notice. If an emergency justifies a shorter notice period, Level AI will use good faith efforts to accommodate the request; and
    3. during Level AI’s normal business hours, under reasonable duration and shall not unreasonably interfere with Level AI’s day-to-day operations.
  9. International Data Transfers & European Data Protection Laws.
    1. General Obligations. Level AI will only transfer data across international borders and between jurisdictions to the extent permitted by this DPA and in accordance with Applicable Privacy Law.
    2. European Data Protection Laws. Level AI will Process Personal Data in accordance with European Data Protection Laws directly applicable to Level AI’s provision of the Services.
    3. EU Personal Data. If, in the performance or use of the Services, European Personal Data is subject to a Third-Country Transfer, then such Third-Country Transfer shall be governed by the applicable SCCs, hereby incorporated by reference and agreed to by the Parties with respect to such Third-Country Transfer.
  10. Disposal and Return. If in Customer’s control, Customer will eliminate Level AI’s access to all Customer Data upon expiration or termination of the Agreement. Level AI agrees to dispose securely of all Customer Data at Customer’s request, except to the extent such Customer Data is necessary for Level AI to provide the Services or retention is required by Applicable Privacy Law. Upon the expiration or termination of the Agreement, Level AI will return all Customer Data in Level AI’s possession to Customer or, at Customer’s option, destroy all Customer Data and within ten (10) days of Customer’s request. Upon expiration or termination, Level AI may retain certain Customer Data if required by Applicable Privacy Law, provided that any such Customer Data so retained will remain subject to the terms of the Agreement.
  11. Limitations of Liability. The limitations of liability set forth in the Agreement shall apply to this DPA, provided however that any exclusions from such limitations of liability or increased liability caps that apply to breaches of confidentiality under the Agreement shall also apply to a breach of this DPA.
  12. General Provisions. This DPA shall remain in full force and effect so long as Level AI continues to provide the Services to Customer and Level AI’s obligations with respect to Customer Data and Personal Data shall continue thereafter to the extent Level AI retains any such Customer Data and Personal Data. This DPA may be amended or modified only in a writing signed by Customer and Level AI. Any notices required or permitted herein shall be given in accordance with the notice provisions of the Agreement.

APPENDIX A
Processing Purposes and Details

  1. Business Purposes. Collecting and ingesting into Level AI’s platform information regarding communications between Customer’s customer service agents and Customer’s customers, including without limitation screen recordings, audio, and audio transcripts, for the purpose of deriving insights and producing analytics for Customer.
  2. Personal Data Categories. Names, emails, addresses, phone numbers, audio recordings, video recordings, device information, and any other personal information disclosed during communications between customers and employees of Customer.
  3. Data Subject Types. Customers’ employees and agents, Customer’s customers.
  4. Processing Duration. Continuous/ongoing during the term of the Agreement.
  5. Approved Subprocessors. The current list of Subprocessors used by Level AI is as set forth in Section 5.3 of the DPA.

CREATE A BRAND THAT YOUR CUSTOMERS LOVE

Request Demo
A grid with perspective
Open hand with plants behind
Woman standing on a finger
A gradient mist
Quick Links
AboutCareersPartnersRequest DemoSecurityTerms of ServicePrivacy PolicySitemap
Resources
Resource CenterEventsPressNext Level Community
Product
Quality AsssuranceAgent AssistVoice of the Customer InsightsAgent CoachingAgent Screen RecordingAnalyticsAgent GPT
Platform
Artificial IntelligenceIntegrations
Compare to
CallminerCrestaObserve AITethrPlayvoxMaestroQAUniphore
subscribe to the newsletter
Subscribe and be the first to hear about news events.

Augment your agent and QA team performance with a customer intelligence system for the modern contact center.

GDPR compliant
HIPAA Compliant Logo
© 2025 Level AI All Rights Reserved
Security
Terms of Service
Privacy Policy