Data Processing Addendum
Last Updated: May 4, 2026
Website Version: This Data Processing Addendum is Eddie AI’s standard data processing addendum for customers. It is effective only when incorporated into an applicable agreement, order form, terms of service, master subscription agreement, or other written or electronic agreement between Eddie AI and Customer. Posting this DPA on Eddie AI’s website does not by itself create a contract with any person or entity.
This Data Processing Addendum (“DPA”) forms part of and is incorporated into the agreement, order form, terms of service, master subscription agreement, statement of work, or other written or electronic agreement between Press Play Labs, Inc. d/b/a Eddie AI (“Vendor,” “Eddie,” “we,” “us,” or “our”) and the customer identified in such agreement (“Customer,” “you,” or “your”) governing Customer’s use of the Eddie AI services (the “Agreement”).
This DPA applies only to the extent Vendor Processes Customer Personal Data on behalf of Customer in connection with the Services. If there is a conflict between this DPA and the Agreement with respect to the Processing of Customer Personal Data, this DPA will control to the extent of that conflict. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.
1. Definitions
1.1 “Applicable Data Protection Laws” means all privacy, data protection, and data security laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, which may include, as applicable, the GDPR, UK GDPR, Swiss DPA, CCPA/CPRA, and other U.S. state privacy laws.
1.2 “CCPA/CPRA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act and its implementing regulations, as amended or superseded from time to time.
1.3 “Controller” means the entity that determines the purposes and means of Processing Personal Data, including a “business” under the CCPA/CPRA where applicable.
1.4 “Customer Content” means video, audio, images, transcripts, text, files, metadata, project files, comments, instructions, and other content submitted to, uploaded to, connected to, or generated through the Services by or on behalf of Customer.
1.5 “Customer Personal Data” means Personal Data contained in Customer Content or otherwise Processed by Vendor on behalf of Customer in connection with the Services.
1.6 “Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates, including a “consumer” under the CCPA/CPRA where applicable.
1.7 “Data Subject Request” means a request by or on behalf of a Data Subject to exercise rights under Applicable Data Protection Laws.
1.8 “EEA” means the European Economic Area.
1.9 “EU SCCs” means the standard contractual clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, replaced, or superseded from time to time.
1.10 “GDPR” means Regulation (EU) 2016/679.
1.11 “Personal Data” has the meaning given to “personal data,” “personal information,” or substantially similar terms under Applicable Data Protection Laws.
1.12 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise Processed by Vendor.
1.13 “Process,” “Processing,” and “Processed” have the meanings given to those terms under Applicable Data Protection Laws.
1.14 “Processor” means an entity that Processes Personal Data on behalf of a Controller, including a “service provider,” “contractor,” or substantially similar term under Applicable Data Protection Laws where applicable.
1.15 “Restricted Transfer” means a transfer of Customer Personal Data from the EEA, United Kingdom, or Switzerland to a country that does not provide an adequate level of protection under Applicable Data Protection Laws, to the extent such transfer is subject to transfer restrictions under Applicable Data Protection Laws.
1.16 “Services” means Eddie AI’s software, applications, websites, integrations, APIs, processing services, support services, and related services provided to Customer under the Agreement.
1.17 “Subprocessor” means a third party engaged by Vendor to Process Customer Personal Data on behalf of Customer in connection with the Services.
1.18 “Swiss DPA” means the Swiss Federal Act on Data Protection, as amended or superseded from time to time.
1.19 “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office under Section 119A of the UK Data Protection Act 2018, as amended, replaced, or superseded from time to time.
1.20 “UK GDPR” means the GDPR as incorporated into United Kingdom law by the European Union (Withdrawal) Act 2018, as amended.
2. Roles and Scope
2.1 Roles of the Parties. As between the parties, Customer is the Controller of Customer Personal Data and Vendor is the Processor of Customer Personal Data, except where the parties expressly agree otherwise in writing. Customer appoints Vendor to Process Customer Personal Data on Customer’s behalf for the purposes described in this DPA and the Agreement.
2.2 Customer Instructions. Vendor will Process Customer Personal Data only as necessary to provide, secure, maintain, support, troubleshoot, and improve the Services for Customer; as otherwise permitted under Section 13; to comply with Customer’s documented instructions; to comply with the Agreement; and as required by applicable law. The Agreement, this DPA, Customer’s configuration of the Services, Customer’s use of the Services, and Customer’s written instructions constitute Customer’s documented instructions. Vendor will inform Customer if, in Vendor’s opinion, Customer’s documented instruction infringes Applicable Data Protection Laws, unless prohibited from doing so by applicable law.
2.3 No Sale or Sharing. Vendor will not sell or share Customer Personal Data as those terms are defined under the CCPA/CPRA. Vendor will not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes permitted under the Agreement, this DPA, and Applicable Data Protection Laws.
2.4 Compliance with Law. Each party will comply with Applicable Data Protection Laws in connection with its performance under this DPA. Customer is responsible for ensuring that Customer has a lawful basis for submitting Customer Personal Data to the Services and for issuing Processing instructions to Vendor.
2.5 Customer Responsibilities. Customer is responsible for:
(a) providing all required notices and obtaining all required consents, permissions, and rights for Customer’s use of the Services and the Processing of Customer Personal Data;
(b) ensuring that Customer Content may lawfully be uploaded, connected, transferred, transcribed, analyzed, edited, exported, and otherwise Processed through the Services;
(c) responding to Data Subject Requests where Customer can reasonably do so through its own access to the Services;
(d) ensuring that Customer’s use of the Services complies with Applicable Data Protection Laws; and
(e) not uploading or submitting regulated, highly sensitive, or restricted data unless expressly permitted under the Agreement or an applicable order form.
2.6 Restricted Data. Unless expressly agreed in writing, Customer will not submit to the Services: protected health information subject to HIPAA, payment card data subject to PCI DSS, government identification numbers, biometric identifiers used for identification, children’s data, special categories of personal data under GDPR, criminal offense data, or other sensitive data subject to heightened legal restrictions. Customer acknowledges that video, audio, and transcript content may incidentally reveal sensitive information depending on the content Customer chooses to upload, and Customer remains responsible for obtaining any required rights, notices, consents, and legal bases for such content.
3. Nature and Purpose of Processing
3.1 Vendor will Process Customer Personal Data to provide the Services, including as applicable: ingesting, hosting, storing, syncing, transcribing, analyzing, organizing, editing, logging, indexing, searching, exporting, and otherwise processing Customer Content; generating rough cuts, logs, transcripts, summaries, and project files; providing integrations with third-party platforms selected by Customer; providing customer support; maintaining account functionality; securing and monitoring the Services; preventing abuse; troubleshooting; and complying with legal obligations.
3.2 Details regarding the subject matter, duration, nature, and purpose of the Processing; categories of Data Subjects; categories of Customer Personal Data; and applicable retention periods are set out in Annex I.
4. Confidentiality and Personnel
4.1 Vendor will ensure that personnel authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual, statutory, or otherwise.
4.2 Vendor will limit access to Customer Personal Data to personnel and Subprocessors who need such access to provide, secure, maintain, support, or improve the Services or to comply with applicable law.
4.3 Vendor will maintain commercially reasonable access controls, authentication controls, and personnel security practices designed to protect Customer Personal Data.
5. Security Measures
5.1 Vendor will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature, scope, context, and purposes of Processing and the risk to Data Subjects.
5.2 Vendor’s technical and organizational measures are described in Annex II. Customer acknowledges that security measures may evolve over time, provided that Vendor does not materially decrease the overall security of the Services during the term of the Agreement.
5.3 Customer is responsible for securely configuring its account, managing its users and access permissions, safeguarding credentials, and determining what Customer Content is submitted to the Services.
6. Personal Data Breach
6.1 Vendor will notify Customer without undue delay after confirming a Personal Data Breach affecting Customer Personal Data and, where feasible, within seventy-two (72) hours after confirmation.
6.2 Vendor’s notice will include, to the extent reasonably available:
(a) a description of the nature of the Personal Data Breach;
(b) the categories and approximate number of affected Data Subjects and records, if known;
(c) the likely consequences of the Personal Data Breach, if known;
(d) measures taken or proposed to address the Personal Data Breach; and
(e) a contact point for follow-up.
6.3 Vendor’s notification of or response to a Personal Data Breach is not an acknowledgment of fault or liability. Customer is responsible for determining whether the Personal Data Breach requires notice to Data Subjects, regulators, or other third parties, except to the extent Applicable Data Protection Laws impose a direct obligation on Vendor.
7. Subprocessors
7.1 Customer authorizes Vendor to engage Subprocessors to Process Customer Personal Data in connection with the Services.
7.2 Vendor will maintain a list of Subprocessors and will provide the list to Customer upon written request. The Subprocessor list will include the name of each Subprocessor and a description of the processing activities performed by the Subprocessor.
7.3 Vendor will impose written data protection obligations on each Subprocessor that are no less protective in all material respects than those imposed on Vendor under this DPA, taking into account the nature of the services provided by the Subprocessor.
7.4 Vendor will remain responsible for the performance of its Subprocessors’ obligations to the same extent Vendor would be responsible if performing the relevant Processing directly.
7.5 Vendor may add or replace Subprocessors from time to time. Vendor will provide Customer with at least ten (10) days’ prior notice of material new Subprocessors, where commercially practicable, by updating its Subprocessor list, email notice, in-product notice, or another reasonable method.
7.6 Customer may object to a material new Subprocessor on reasonable data protection grounds by providing written notice to Vendor within ten (10) business days after Vendor’s notice. Customer’s objection must explain the reasonable data protection basis for the objection. The parties will work in good faith to resolve the objection. If the parties cannot resolve the objection within a reasonable period, Customer may terminate only the affected portion of the Services that cannot be provided without use of the objected-to Subprocessor. Such termination will be Customer’s sole and exclusive remedy for the unresolved objection.
7.7 Customer authorizes Vendor to use emergency replacement Subprocessors where reasonably necessary to maintain the security, availability, or continuity of the Services. Vendor will provide notice of such emergency replacement as soon as reasonably practicable.
7.8 Customer-Selected Third-Party Services. Customer may choose to enable, connect, or use third-party services or integrations with the Services. Where Customer independently enables, connects, or controls such third-party services, those services are not Subprocessors of Vendor, and their processing of Customer Personal Data is governed by Customer’s agreement with the applicable third-party provider.
8. Data Subject Requests
8.1 Customer is responsible for responding to Data Subject Requests. Vendor will provide reasonable assistance to Customer, taking into account the nature of the Processing and the information available to Vendor, to help Customer respond to Data Subject Requests where Customer cannot reasonably fulfill the request using its own access to the Services.
8.2 If Vendor receives a Data Subject Request relating to Customer Personal Data, Vendor may redirect the Data Subject to Customer. Vendor will not independently respond to such request except to confirm that the request relates to Customer or as required by applicable law.
8.3 Vendor may charge Customer for reasonable costs incurred in providing assistance with Data Subject Requests if such assistance is disproportionate, burdensome, or outside the ordinary functionality of the Services.
9. DPIAs, Regulatory Inquiries, and Cooperation
9.1 Taking into account the nature of the Processing and the information available to Vendor, Vendor will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities to the extent required by Applicable Data Protection Laws and to the extent Customer cannot reasonably complete such obligations without Vendor’s assistance.
9.2 Vendor may charge Customer for reasonable costs incurred in providing assistance under this Section 9 if the assistance is extensive, bespoke, or outside the ordinary course of providing the Services.
10. Government and Law Enforcement Requests
10.1 If Vendor receives a legally binding request from a government authority, law enforcement agency, court, or regulator for Customer Personal Data, Vendor will, to the extent legally permitted and reasonably practicable, notify Customer and direct the requesting authority to seek the Customer Personal Data directly from Customer.
10.2 If Vendor is legally prohibited from notifying Customer or is legally compelled to disclose Customer Personal Data, Vendor may disclose Customer Personal Data to the extent required by law.
10.3 Vendor will not voluntarily provide government authorities with access to Customer Personal Data except as required by law or to prevent imminent harm, fraud, abuse, or security threats.
11. Return and Deletion
11.1 Upon expiration or termination of the Agreement, or upon Customer’s written request, Vendor will delete or return Customer Personal Data within a commercially reasonable period, unless retention is required by law or permitted under the Agreement.
11.2 Customer acknowledges that residual copies of Customer Personal Data may remain in backups, logs, audit records, and disaster recovery systems for a limited period in accordance with Vendor’s standard retention practices, provided that such copies remain protected under this DPA and are not used for any active Processing except restoration, security, compliance, or legal purposes.
11.3 Vendor may retain aggregated, de-identified, or anonymized data that does not identify Customer or any Data Subject, provided such retention complies with Applicable Data Protection Laws.
12. Audits and Security Documentation
12.1 Upon Customer’s written request, and no more than once annually unless required by a regulator or following a confirmed Personal Data Breach affecting Customer Personal Data, Vendor will make available information reasonably necessary to demonstrate Vendor’s compliance with this DPA. Such information may include, as available and applicable, security documentation, summaries of security controls, responses to reasonable security questionnaires, certifications, third-party audit reports, or other documentation.
12.2 To the extent Vendor has completed a SOC 2 or similar independent security audit applicable to the Services, Vendor may provide the applicable report or a summary of such report under confidentiality restrictions. Vendor does not commit to maintaining any particular certification or audit report unless expressly stated in the Agreement or an order form.
12.3 Customer may request an audit only if the information provided under Sections 12.1 and 12.2 is insufficient to satisfy Customer’s obligations under Applicable Data Protection Laws. Any audit must be:
(a) limited to matters reasonably necessary to verify Vendor’s compliance with this DPA;
(b) conducted by Customer or an independent auditor that is not a competitor of Vendor and is bound by confidentiality obligations acceptable to Vendor;
(c) conducted during normal business hours with at least thirty (30) days’ prior written notice;
(d) conducted remotely where reasonably possible;
(e) conducted in a manner that avoids unreasonable disruption to Vendor’s business; and
(f) subject to Vendor’s reasonable security, confidentiality, and safety requirements.
12.4 Audits will not include access to Vendor’s source code, product roadmaps, pricing information, non-public financial information, privileged information, trade secrets, internal vulnerability details that could compromise security, production systems, or data of other customers.
12.5 Customer will bear its own audit costs and will reimburse Vendor for reasonable costs incurred in connection with any audit that is extensive, on-site, or outside standard documentation review.
13. AI, Model Training, and Product Improvement
13.1 Vendor will not use Customer Personal Data or Customer Content to train third-party foundation models or general-purpose AI models, except as expressly authorized by Customer in writing.
13.2 Vendor may Process Customer Personal Data and Customer Content to provide, maintain, secure, support, troubleshoot, and improve the Services for Customer, including improving Customer-specific outputs, system reliability, abuse prevention, quality assurance, and service performance.
13.3 Vendor may create and use aggregated, de-identified, or anonymized data derived from use of the Services for analytics, benchmarking, security, product development, and improvement, provided such data does not identify Customer, Customer’s users, or any Data Subject and cannot reasonably be used to re-identify them.
13.4 Customer is responsible for ensuring that Customer has all required rights and permissions to use AI-enabled processing features with Customer Content, including any required consents for transcribing, analyzing, editing, or generating outputs from recordings of individuals.
14. International Transfers
14.1 Customer authorizes Vendor and its Subprocessors to Process Customer Personal Data in the United States and other jurisdictions where Vendor or its Subprocessors operate, subject to this DPA and Applicable Data Protection Laws.
14.2 Where Vendor Processes Customer Personal Data subject to the GDPR, UK GDPR, or Swiss DPA and the Processing involves a Restricted Transfer, the parties agree that the applicable SCCs or other lawful transfer mechanism will apply.
14.3 For Restricted Transfers from Customer as Controller/data exporter to Vendor as Processor/data importer, the EU SCCs will apply as follows:
(a) Module Two will apply;
(b) Clause 7, the optional docking clause, will not apply unless the parties agree otherwise in writing;
(c) Clause 9, Option 2, general written authorization, will apply and the notice period for Subprocessor changes will be as set out in Section 7 of this DPA;
(d) Clause 11 optional language will not apply;
(e) Clause 17, Option 1, will apply and the EU SCCs will be governed by the laws of Ireland;
(f) Clause 18(b) will provide that disputes are resolved before the courts of Ireland;
(g) Annex I to the EU SCCs is completed by Annex I of this DPA;
(h) Annex II to the EU SCCs is completed by Annex II of this DPA; and
(i) Annex III to the EU SCCs is completed by Annex III of this DPA.
14.4 For Restricted Transfers from Vendor as Processor/data exporter to a Subprocessor/data importer, the appropriate module of the EU SCCs or another lawful transfer mechanism will apply as necessary.
14.5 For Restricted Transfers subject to the UK GDPR, the UK Addendum will apply and will be completed as follows:
(a) the EU SCCs, as completed by this DPA, will apply;
(b) Tables 1 to 3 of the UK Addendum will be deemed completed with the information in this DPA and the Agreement;
(c) Table 4 will be deemed completed with “Importer” selected; and
(d) the start date of the UK Addendum will be the effective date of this DPA.
14.6 For Restricted Transfers subject to the Swiss DPA, the EU SCCs will apply as completed by this DPA with the following modifications:
(a) references to the GDPR will be interpreted as references to the Swiss DPA;
(b) references to the EU, Union, Member State, and Member State law will be interpreted as references to Switzerland and Swiss law;
(c) references to a competent supervisory authority will be interpreted as references to the Swiss Federal Data Protection and Information Commissioner, to the extent applicable; and
(d) references to competent courts will be interpreted as references to competent Swiss courts, to the extent applicable.
14.7 If there is any conflict between the SCCs and this DPA, the SCCs will control to the extent required by Applicable Data Protection Laws.
15. Liability
15.1 Each party’s liability arising out of or relating to this DPA is subject to the exclusions and limitations of liability in the Agreement, unless prohibited by Applicable Data Protection Laws.
15.2 This DPA does not create any additional indemnities, warranties, representations, or remedies except as expressly stated in this DPA.
16. Term and Survival
16.1 This DPA will remain in effect for as long as Vendor Processes Customer Personal Data on behalf of Customer.
16.2 Sections that by their nature should survive expiration or termination will survive, including confidentiality, deletion, audit limitations, international transfers, liability, and any provisions necessary to protect Customer Personal Data retained after termination.
17. Miscellaneous
17.1 If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force and effect.
17.2 Any notices under this DPA will be provided in accordance with the notice provisions of the Agreement, unless otherwise stated.
17.3 Updates to this DPA. Vendor may update this DPA from time to time by posting an updated version on Vendor’s website or otherwise providing notice to Customer. Vendor will not make updates that materially reduce the overall protection of Customer Personal Data during the term of an Agreement. Unless otherwise stated in the Agreement or required by Applicable Data Protection Laws, updates will become effective upon posting or notice. For signed enterprise agreements or order forms that incorporate a specific version of this DPA, amendments will be handled in accordance with the applicable Agreement.
17.4 Electronic Acceptance. This DPA may be accepted by electronic signature, click-through acceptance, incorporation by reference into an Agreement, or other legally recognized method of acceptance.
Annex I — Details of Processing
A. List of Parties
Data Exporter / Controller
Name: Customer identified in the Agreement or applicable order form.
Address: As set out in the Agreement or applicable order form.
Contact: As set out in the Agreement or applicable order form.
Role: Controller, unless otherwise stated in the Agreement or order form.
Activities relevant to the transfer: Use of the Eddie AI Services, including uploading, connecting, processing, transcribing, analyzing, editing, organizing, and exporting Customer Content.
Data Importer / Processor
Name: Press Play Labs, Inc. d/b/a Eddie AI
Address: 1887 Whitney Mesa Dr, #3907, Henderson, NV 89014
Contact: [email protected]
Role: Processor
Activities relevant to the transfer: Provision, maintenance, support, security, and improvement of the Eddie AI Services.
B. Description of Processing
Subject Matter: Vendor’s provision of the Services to Customer under the Agreement.
Duration: For the term of the Agreement and thereafter as necessary to comply with the Agreement, this DPA, Customer instructions, backup retention cycles, and applicable law.
Nature of Processing: Collection, receipt, upload, download, access, hosting, storage, organization, transcription, indexing, analysis, editing, syncing, generation of logs and rough cuts, export, transmission, retrieval, deletion, security monitoring, troubleshooting, support, and other Processing necessary to provide the Services.
Purpose of Processing: To provide, secure, maintain, support, troubleshoot, and improve the Services for Customer; to generate outputs requested by Customer; to enable Customer’s integrations and exports; and to comply with applicable legal obligations.
Frequency of Transfer: Continuous or as initiated by Customer during the term of the Agreement.
Categories of Data Subjects: Customer’s employees, contractors, agents, users, administrators, guests, clients, prospects, interviewees, speakers, podcast guests, video participants, event attendees, and other individuals appearing in, speaking in, referenced in, or otherwise identifiable from Customer Content.
Categories of Customer Personal Data: Names, email addresses, account identifiers, user IDs, authentication metadata, usage data, file names, project names, video content, audio content, image content, likeness, voice, transcript text, captions, speaker labels, comments, prompts, edit instructions, metadata, support communications, integration metadata, and other Personal Data submitted by or on behalf of Customer through the Services.
Sensitive Data: Vendor does not require Customer to submit sensitive data. Customer Content may incidentally include sensitive data depending on what Customer uploads or connects to the Services. Unless expressly agreed in writing, Customer will not submit sensitive or regulated data requiring heightened legal obligations.
Retention Period: Customer Personal Data is retained for the term of the Agreement and deleted or returned in accordance with the Agreement, this DPA, Customer settings, Vendor’s standard backup-retention cycles, and applicable law.
Transfers to Subprocessors: Subprocessors may Process Customer Personal Data as necessary to provide cloud hosting, storage, infrastructure, transcription, AI processing, analytics, customer support, communications, security, monitoring, payments, and other services necessary to provide, secure, maintain, and support the Services. The duration of Subprocessor Processing is for as long as necessary to provide the applicable Subprocessor services to Vendor and Customer.
C. Competent Supervisory Authority
For purposes of the EU SCCs, the competent supervisory authority will be determined in accordance with Clause 13 of the EU SCCs. Where required and where Customer is not established in the EEA, the competent supervisory authority will be the Irish Data Protection Commission, unless otherwise required by Applicable Data Protection Laws.
Annex II — Technical and Organizational Measures
Vendor maintains appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the nature, scope, context, and purposes of Processing and the risks presented by the Processing. Such measures may include the following, as applicable to the Services:
1. Access Controls
Role-based access controls designed to limit access to Customer Personal Data to authorized personnel with a business need.
Authentication controls for administrative access.
Procedures for provisioning, modifying, and revoking access.
Periodic access reviews for systems containing Customer Personal Data.
2. Encryption and Transmission Security
Encryption of Customer Personal Data in transit using industry-standard protocols.
Encryption of Customer Personal Data at rest by Vendor’s infrastructure and storage providers.
Use of secure mechanisms for data transfer between systems where reasonably available.
3. Infrastructure and Application Security
Use of reputable cloud infrastructure and service providers.
Logical separation of customer environments or customer data, as appropriate to the architecture of the Services.
Security monitoring, logging, and alerting for relevant systems.
Vulnerability management practices designed to identify, assess, and remediate security vulnerabilities based on severity and risk.
Secure software development practices appropriate to the nature of the Services.
4. Availability and Resilience
Backup, disaster recovery, or business continuity measures appropriate to the Services.
Measures designed to restore availability and access to Customer Personal Data in a timely manner following a physical or technical incident.
Monitoring designed to detect service availability and operational issues.
5. Confidentiality and Personnel Security
Confidentiality obligations for personnel with access to Customer Personal Data.
Security awareness practices for relevant personnel.
Access to Customer Personal Data limited to personnel and Subprocessors who need access to provide, secure, maintain, support, or improve the Services.
6. Subprocessor Management
Due diligence on material Subprocessors, taking into account the nature of the services provided.
Written agreements with Subprocessors imposing data protection obligations appropriate to the Processing.
Maintenance of a Subprocessor list or provision of such list upon request.
7. Incident Response
Procedures designed to identify, assess, escalate, investigate, and respond to security incidents.
Notification to Customer of confirmed Personal Data Breaches affecting Customer Personal Data in accordance with this DPA.
8. Data Minimization and Retention
Processing Customer Personal Data only as necessary to provide the Services and as otherwise permitted under the Agreement and this DPA.
Deletion or return of Customer Personal Data in accordance with the Agreement, this DPA, Customer settings, backup-retention cycles, and applicable law.
9. Physical Security
Use of cloud infrastructure providers and office environments with physical security controls appropriate to their functions.
Vendor does not generally host production infrastructure on its own physical premises.
10. Testing and Assessment
Periodic review of security controls appropriate to the size, nature, and risk profile of Vendor’s business.
Security questionnaires, audit summaries, certifications, or third-party reports may be made available where applicable and subject to confidentiality obligations.
Annex III — Subprocessors
Customer authorizes Vendor to use Subprocessors in accordance with Section 7 of this DPA. Not all Subprocessors process all Customer Personal Data. Vendor uses Subprocessors only as necessary to provide the applicable Services, features, integrations, support, security, billing, analytics, or processing selected by or provided to Customer.
| Subprocessor | Location | Processing Activity | Categories of Data Processed |
| --- | --- | --- | --- |
| AWS | USA | Hosting, storage, compute, infrastructure, security | Customer Content, account data, metadata |
| Google Cloud | USA | Hosting, storage, compute, infrastructure, security, AI-assisted processing, as applicable | Customer Content, account data, metadata |
| OpenAI | USA | AI-assisted processing, as applicable | Audio, video, transcripts, metadata |
| Anthropic | USA | AI-assisted processing, as applicable | Audio, video, transcripts, metadata |
| Deepgram | USA | AI-assisted processing, as applicable | Audio, video, transcripts, metadata |
| Speechmatics | USA | AI-assisted processing, as applicable | Audio, video, transcripts, metadata |
| ElevenLabs | USA | AI-assisted processing, as applicable | Audio, video, transcripts, metadata |
| Amplitude | USA | Product analytics, logs, diagnostics, monitoring | Usage data, metadata, logs |
| Intercom | USA | Customer support and communications | Contact information, support communications |
| Stripe | USA | Billing and payment processing | Billing contact details, payment metadata |
This DPA is effective when incorporated into an Agreement between Eddie AI and Customer, including by reference in Eddie AI’s terms of service, an order form, master subscription agreement, statement of work, or other written or electronic agreement. If Customer requires a signed copy of this DPA, Customer may contact Eddie AI at [email protected].