Data Processing Addendum

How we process and protect your data when acting as a data processor on your behalf.

Posted: April 1, 2026

1. Important Terms

This White Shoe AI Data Processing Addendum (“DPA”) governs White Shoe AI’s processing of DPA Data required to provide the Service under the SaaS Agreement or other agreement between You and White Shoe AI pertaining to the software-as-a-service offering (“Agreement”). This DPA is part of Your Terms with White Shoe AI. In the event of conflicting language between the Agreement, other Terms, or operative Order Form, this DPA’s terms control.

You and White Shoe AI each agree to comply with respective obligations under Data Protection Law.

Data Processing Roles: You are the Data Controller; White Shoe AI is the Data Processor, processing DPA Data on Your behalf.

Data Processing Purposes: White Shoe AI processes DPA Data as Your Data Processor for providing or maintaining the Service in accordance with Instructions. White Shoe AI acknowledges that DPA Data is disclosed for limited, specific purposes.

Categories of Personal Data: Personal Data contained within Customer Data and Content, including name and demographic information.

Categories of Data Subjects: Individuals identified in Customer Data and Content, including White Shoe AI application users and their clients.

Duration of Processing: Subject to the Terms and Section 15 of this DPA, DPA Data will be processed for the Agreement term.

2. Definitions

The definitions in Section 17 apply to this DPA. All terms in quotation marks throughout this DPA are defined terms. Capitalized terms not defined in this DPA have meanings given in the Agreement.

3. Processing Requirements

As a Data Processor, White Shoe AI will:

3.1.
Process DPA Data on Your behalf according to Instructions, only in the manner necessary for Service performance.
3.2.
Promptly notify You in writing if it cannot comply with DPA requirements.
3.3.
Promptly inform You if, in White Shoe AI’s opinion, Your instruction infringes applicable Data Protection Law.
3.4.
Ensure all persons authorized by White Shoe AI to process DPA Data are subject to a duty of confidentiality.

4. Sub-Processors

White Shoe AI will:

4.1.
Engage organizations or persons listed at whiteshoe.ai/legal/sub-processors (“Sub-Processor List”) as necessary to perform the Service. You consent to White Shoe AI’s existing sub-processors and grant general written authorization to engage sub-processors performing all or part of required processing activities.

White Shoe AI will notify You of intended sub-processor additions at least 15 days before implementation. Within 10 days of receiving notice, You may reasonably object to sub-processor use on grounds relating to DPA Data protection (“Objection”) by contacting [email protected] (“Objection Notice”).

White Shoe AI shall cure the Objection through: (i) offering alternative Service provision without such sub-processor; (ii) taking corrective steps requested in the Objection Notice; (iii) ceasing provision of, or You agreeing not to use, the particular aspect or feature involving such sub-processor; or (iv) You ceasing DPA Data provision to White Shoe AI.

If none of the above is commercially feasible and the Objection remains unresolved within 30 days of White Shoe AI’s receipt of the Objection Notice, either party may terminate Service subscriptions, order forms, or usage for cause. You will receive refunds for pre-paid but unused fees covering periods following the termination date. Accepting White Shoe AI’s cure is Your sole and exclusive remedy if objecting to a new sub-processor.

4.2.
Enter into contractual arrangements with each sub-processor binding them to provide the same data protection and information security level provided in this DPA. White Shoe AI remains fully liable to You for each sub-processor’s performance to the extent the sub-processor fails to fulfill data protection obligations under its applicable data processing agreement with White Shoe AI.

5. Notice to Customer

White Shoe AI will inform You, to the extent legally permitted, if White Shoe AI receives:

5.1.
Any legally binding disclosure request for DPA Data by a law enforcement authority. If White Shoe AI is legally prohibited from notifying You, White Shoe AI will use best efforts to request that the prohibition be waived and will document that request. White Shoe AI will notify You once the prohibition expires or has been lifted, providing as much relevant information as reasonably possible.
5.2.
Any notice, inquiry, or investigation by a Supervisory Authority regarding DPA Data.
5.3.
Any complaint or request from a Data Subject (including “verifiable consumer requests” as defined by CCPA) exercising rights under Data Protection Law to: (i) access DPA Data; (ii) have DPA Data corrected or erased; (iii) restrict or object to DPA Data Processing; or (iv) data portability (collectively “Data Subject Request”). Except to request further information or identify the Data Subject, White Shoe AI will not respond to any Data Subject Request without prior written authorization from You.

6. Personal Data Breach

If White Shoe AI experiences a security breach leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to DPA Data (“Personal Data Breach”), White Shoe AI will:

6.1.
Notify You within 72 hours after becoming aware of the Personal Data Breach. Notification will be directed to the security notice email address specified on Your order form or, if none is specified, to the primary contact email on Your account.
6.2.
Promptly take reasonable steps to contain, investigate, and mitigate the Personal Data Breach. Relevant logs will be preserved for at least one year.
6.3.
Provide timely information about the nature of the Personal Data Breach, its consequences, the status of the investigation, and the mitigation measures taken or proposed.

Communications in connection with a Personal Data Breach will not be construed as acknowledgment by White Shoe AI of any fault or liability.

7. Assistance to Customer and Audits

Upon Your written request, White Shoe AI will provide reasonable assistance regarding:

7.1.
Your obligations to respond to Data Subject Requests relating to White Shoe AI’s DPA Data Processing.
7.2.
Your preparation of data protection impact assessments regarding White Shoe AI’s DPA Data processing and, where necessary, consultations with any Supervisory Authority with Processing jurisdiction.
7.3.
Information, assessments, or audits, to the extent required by Data Protection Law, necessary to confirm White Shoe AI is processing Personal Data consistent with this DPA. All audits and assessments will be performed in accordance with the Customer Audit Rights set out in Section 12. All reports and documentation provided to You are White Shoe AI’s Confidential Information.

8. Required Processing

If White Shoe AI is required by applicable law to Process DPA Data outside Your Instructions, White Shoe AI will inform You of this requirement in advance of processing, unless White Shoe AI reasonably believes it is legally prohibited from informing You of such processing.

9. Security

White Shoe AI will:

9.1.
Implement and maintain a written information security program with data security measures as described in Section 11 of this DPA to protect against unauthorized or accidental access, loss, alteration, disclosure, or destruction of DPA Data and to protect Data Subject rights.
9.2.
Take appropriate steps to confirm that all White Shoe AI personnel and persons or entities authorized to Process DPA Data on White Shoe AI’s behalf are protecting DPA Data security, privacy, and confidentiality consistent with DPA requirements.

10. US State Data Protection Obligations

To the extent applicable under US State Privacy Law, White Shoe AI certifies it understands and will comply with US State Privacy Law obligations to:

10.1.
Only process DPA Data for purposes set out in this DPA, Agreement, or Terms, unless otherwise permitted by law.
10.2.
Not “sell” or “share” (as defined by CCPA) DPA Data.
10.3.
Not retain, use, or disclose DPA Data outside the direct business relationship between White Shoe AI and Customer unless otherwise required or permitted by law.
10.4.
Process DPA Data with no less than the level of privacy protection required by US State Privacy Law.
10.5.
Not combine any DPA Data with Personal Data White Shoe AI receives from or on behalf of a third party other than You or collects from White Shoe AI’s own individual interactions, provided White Shoe AI may combine Personal Data as permitted under US State Privacy Laws or if directed by Customer.
10.6.
Not attempt to reidentify any deidentified data You provide to White Shoe AI, except for the sole purpose of determining whether deidentification processes comply with applicable Data Protection Law.
10.7.
Grant You the right to take reasonable and appropriate steps to: (i) ensure White Shoe AI uses DPA Data consistent with Data Protection Law and (ii) stop and remediate unauthorized DPA Data use.

11. Security Measures

The following security measures apply to the Service. The computing services utilized to offer the Service are cloud-based and provided to White Shoe AI via one or more cloud service providers (“Cloud Environment”).

11.1 Encryption

White Shoe AI encrypts Customer Data and Content at rest using AES 256-bit (or better) encryption. White Shoe AI uses Transport Layer Security 1.2 (or better) for Customer Data and Content in transit over public or untrusted networks. Encryption keys are logically separated from Customer Data and Content.

11.2 System and Network Security

11.2.1.
White Shoe AI personnel access to the Cloud Environment uses unique user IDs consistent with least privilege principles. Access requires secure connections, multi-factor authentication, and passwords meeting reasonable length and complexity requirements.
11.2.2.
White Shoe AI personnel will not access Customer Data or Content except: (i) to provide or support the Service or (ii) to comply with the law or a binding order.
11.2.3.
Industry-standard threat detection tools monitor for suspicious activities and malicious code with regularly updated signatures.
11.2.4.
Automated tools scan vulnerability databases. Critical vulnerabilities are addressed within 7 days, high-severity within 30 days, and medium-severity within 90 days.

11.3 Administrative Controls

11.3.1.
Security awareness training occurs at onboarding and annually thereafter, covering information security responsibilities, cyber threat protection, and device security requirements.
11.3.2.
White Shoe AI personnel sign confidentiality agreements and must report security incidents involving Customer Data and Content.
11.3.3.
Access to critical systems containing Customer Data is removed within 1 day for separated personnel; all system access is removed within 3 days. Access privileges are reviewed quarterly.
11.3.4.
Background screening for personnel with Customer Data access includes identity verification, right to work verification, and criminal history checks, where legally permitted.

11.4 Physical Data Center Controls

Cloud service providers’ data centers maintain appropriate physical security controls, including:

  • Physical access controlled at building entry points
  • Visitors required to present identification and sign in
  • Server access managed by access control devices
  • Physical access privileges reviewed regularly
  • Monitor and alarm response procedures
  • CCTV surveillance
  • Fire detection and protection systems
  • Backup and redundancy systems
  • Appropriate climate control systems

11.5 Audit Logging

White Shoe AI creates, protects, and retains information system audit records enabling monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Human user actions are uniquely traceable. Audit logs are retained for a minimum of 1 year, protected against tampering.

11.6 Business Continuity and Disaster Recovery

White Shoe AI maintains business continuity plans detailing how operations are maintained during unplanned service disruptions. Plans address business processes, assets, human resources, and business partners, covering key information, systems, and services.

12. Customer Audit Rights

12.1.
Upon request, White Shoe AI will provide You with documentation evidencing compliance with this DPA, including any available third-party audit reports, penetration test summaries, and data flow diagrams. Third-party auditors must execute confidentiality agreements; White Shoe AI may object if auditors lack suitable qualifications. White Shoe AI is not responsible for auditor expenses.
12.2.
Annually, You may submit reasonable security questionnaires (not to exceed 100 questions total) and documentation requests, with White Shoe AI providing results in a timely manner at its own cost.
12.3.
For Personal Data Breaches involving Customer Data, White Shoe AI will engage an independent forensic specialist at its own cost and provide results to You in a timely manner if Your data is impacted.

13. Obligations of Customer

13.1.
You represent, warrant, and covenant You have and shall maintain throughout the term all necessary rights, consents, and authorizations to provide DPA Data to White Shoe AI and authorize White Shoe AI to Process DPA Data as contemplated by this DPA, Agreement, Terms, and/or other Instructions provided to White Shoe AI. By using the Service, You are instructing White Shoe AI to process DPA Data as reflected in Documentation.
13.2.
You shall reasonably cooperate with White Shoe AI to assist White Shoe AI in performing obligations under Data Protection Law regarding DPA Data.
13.3.
You acknowledge and agree You, rather than White Shoe AI, are responsible for certain Service configurations and design decisions and are responsible for implementing those configurations and design decisions securely and in compliance with applicable Data Protection Law. Without limitation, You represent, warrant, and covenant You shall only transfer DPA Data to White Shoe AI using secure, reasonable, and appropriate mechanisms.
13.4.
You shall not provide DPA Data to White Shoe AI except through agreed mechanisms. For example, You shall not include DPA Data in technical support tickets or transmit DPA Data to White Shoe AI by email.
13.5.
You are responsible for managing and securing access methods (passwords, SSO, email authentication). Credentials must remain confidential and must not be shared. Single accounts may not be shared among multiple persons. You must promptly report suspicious account activities.
13.6.
You are responsible for maintaining updated and appropriately patched IT systems (such as browsers) used to access the Service.

14. Cross-Border Data Transfers

14.1 General

You acknowledge that unless You and White Shoe AI have agreed, in a currently operative order form or otherwise in writing, to process and store DPA Data exclusively in a different geographic location, You may transfer Personal Data to White Shoe AI in the United States for White Shoe AI to provide the Service. If a transfer comprises DPA Data requiring a Data Transfer Mechanism, the provisions of this Section 14 apply.

14.2 Transfer Mechanisms

Where required by Data Protection Law, cross-border transfers of DPA Data shall be governed by the following mechanisms, in order of precedence:

14.2.1.
Data Privacy Framework. To the extent White Shoe AI maintains self-certification under the EU-U.S. Data Privacy Framework (and the UK Extension and Swiss-U.S. Data Privacy Framework, as applicable), such framework shall apply. White Shoe AI will notify You without undue delay if its certification status changes.
14.2.2.
EU Standard Contractual Clauses. Module 2 (Controller to Processor) of the standard contractual clauses set out in European Commission Implementing Decision (EU) 2021/914 (“EEA SCCs”) are incorporated by reference, where You are the data exporter and White Shoe AI is the data importer. The data importer shall process the personal data only on documented instructions from the data exporter.
14.2.3.
UK International Data Transfer Addendum. For transfers subject to UK Data Protection Law, the UK International Data Transfer Addendum to the EEA SCCs issued by the United Kingdom’s Information Commissioner’s Office applies, with England and Wales courts designated for dispute resolution.
14.2.4.
Swiss Transfers. For transfers subject to Swiss data protection law, the EEA SCCs apply with appropriate modifications, designating the Swiss Federal Data Protection and Information Commissioner as the competent supervisory authority.

14.3 Data Importer Details

White Shoe AI, Inc.
Email: [email protected]

15. Retention and Deletion

This DPA shall remain in effect until (i) the Service is terminated and (ii) White Shoe AI no longer processes DPA Data on Your behalf. Within 30 days following Service termination or upon Your reasonable request, White Shoe AI shall, and shall direct each sub-processor to, return to You or delete DPA Data, unless White Shoe AI is required by law to retain DPA Data.

16. Future Regulations

16.1.
In the event new legislation and regulations governing the use of artificial intelligence solutions are implemented, both parties agree to review this DPA to ensure compliance with such legislation and regulations.
16.2.
If substantial modifications to this DPA’s terms and conditions are required to render it or the Parties’ performance compliant with regulations implemented following the Effective Date, both parties shall negotiate in good faith to make the necessary amendments.
16.3.
Should new regulations render continued service provision under this contract infeasible or unlawful, either party may initiate termination by providing written notice to the other party. Termination shall be effective after a reasonable notice period, as agreed upon by both parties.
16.4.
This DPA’s termination due to the aforementioned regulations shall not relieve either party from outstanding obligations or liabilities incurred prior to termination.
16.5.
If any DPA provision is found inconsistent with future regulations, such provision shall be interpreted consistent with applicable laws, or if necessary, deemed null and void without affecting the remaining provisions’ validity.

17. Defined Terms

“Data Controller”
The person or entity that determines the purposes and means of Processing DPA Data, which may include equivalent concepts under Data Protection Law (for example, “Business” as defined by CCPA).
“Data Processor”
The person or entity processing DPA Data on behalf of the Data Controller, which may include equivalent concepts under Data Protection Law (for example, “Service Provider” as defined by CCPA).
“Data Protection Law”
Privacy and data protection law applicable to Your Service use. Data Protection Law may include, depending on circumstances, Cal. Civ. Code §§ 1798.100 et seq., as amended and implementing regulations (“CCPA”) and the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
“Data Subject”
An identified or identifiable natural person to which DPA Data relates, to the extent their Personal Data is protected by Data Protection Law.
“Data Transfer Mechanism”
A transfer mechanism enabling the lawful cross-border transfer of DPA Data under Data Protection Law. This includes transfer mechanisms required under EEA, UK, and Switzerland Data Protection Law such as the Data Privacy Framework, EEA SCCs, UK International Data Transfer Addendum, and any data transfer mechanism available under Data Protection Law incorporated into this DPA.
“DPA Data”
Customer Data or Your Content provided through the Service that is Personal Data.
“EEA”
The European Economic Area.
“EEA SCCs”
Module 2 (Controller to Processor) standard contractual clauses set out in European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for Personal Data transfer to third countries according to the GDPR.
“Instructions”
Any (i) documented communication from You which includes actions taken or input provided through the Service; or (ii) agreement between You and White Shoe AI requiring White Shoe AI to provide the Service; or (iii) Documentation.
“Personal Data”
Any information relating to an identifiable natural person protected under Data Protection Law and Processed in connection with Your Service use. This includes equivalent concepts as defined by Data Protection Law (for example, “personal information” as defined under CCPA).
“Processing”
Any operation or set of operations performed on Your behalf on DPA Data, whether or not by automated means, such as collecting, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, or dissemination. “Process”, “Processes”, and “Processed” will be interpreted accordingly.
“Sub-Processor”
An entity White Shoe AI engages to Process DPA Data on White Shoe AI’s behalf, to carry out specific processing activities on Your behalf.
“Supervisory Authority”
An independent public authority which is (i) established by a member state pursuant to GDPR Article 51; or (ii) a public authority governing data protection having supervisory jurisdiction over You.
“UK International Data Transfer Addendum”
The international data transfer addendum to the EEA SCCs issued by the United Kingdom’s Information Commissioner’s Office which came into force in accordance with s119A of the UK Data Protection Act on 21 March 2022.
“You”
The organization contracting for Service use.
“US State Privacy Law”
All state laws relating to Personal Data protection and processing in the United States of America, which may include, without limitation, CCPA, Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and Utah Consumer Privacy Act.

Contact Information

If you have any questions or concerns about this Data Processing Addendum or how we handle your data, please contact us at:

White Shoe AI, Inc.
Email: [email protected]