Culture Engine

Data Processing Addendum (DPA)

Effective Date: May 10, 2026

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Culture Engine Terms of Service (“Terms”) entered into between Culture Engine (“Processor”) and the Customer entity agreeing to the Terms (“Controller”).

This DPA applies where Culture Engine processes Personal Data on behalf of Controller in connection with the provision of the Service.

Capitalized terms not defined in this DPA have the meanings set forth in the Terms.

1. Definitions

For purposes of this DPA:

Personal Data
any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
Data Protection Laws
all applicable laws and regulations relating to privacy, security, or processing of Personal Data, including:
  • the General Data Protection Regulation (“GDPR”);
  • the UK GDPR;
  • the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”);
  • the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021); and
  • other applicable national, state, provincial, or regional privacy laws.
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council.
Processing
any operation or set of operations performed on Personal Data, whether or not by automated means.
Sub-processor
a third party engaged by Culture Engine to process Personal Data on behalf of Controller.
Customer Personal Data
Personal Data processed by Culture Engine on behalf of Controller in connection with the Service.
Personal Data Breach
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data.

2. Scope and Roles

Controller appoints Culture Engine as a processor or service provider to process Customer Personal Data on Controller’s behalf for purposes of providing the Service.

The parties acknowledge and agree that:

  • Controller determines the purposes and means of processing Customer Personal Data;
  • Culture Engine processes Customer Personal Data solely on behalf of Controller and in accordance with Controller’s instructions; and
  • each party shall comply with its respective obligations under applicable Data Protection Laws.

Nothing in this DPA restricts Culture Engine from processing data for which it acts as an independent controller, including:

  • account administration data;
  • billing information;
  • operational logs;
  • security monitoring data;
  • aggregated or de-identified analytics; and
  • information processed for legal compliance purposes.

3. Nature and Purpose of Processing

Culture Engine processes Customer Personal Data solely for purposes of:

  • providing, operating, maintaining, and supporting the Service;
  • facilitating employee recognition and engagement functionality;
  • enabling integrations authorized by Controller;
  • providing customer support;
  • maintaining security and integrity of the Service;
  • detecting fraud, abuse, or unauthorized activity; and
  • complying with applicable legal obligations.

4. Categories of Personal Data and Data Subjects

Depending on Controller’s use of the Service, Customer Personal Data may include:

  • names;
  • work email addresses;
  • profile information;
  • department and job title information;
  • recognition messages and engagement activity;
  • user-generated content;
  • usage data;
  • device and log information; and
  • other information submitted through the Service.

Data subjects may include:

  • employees;
  • contractors;
  • administrators;
  • authorized users; and
  • other personnel associated with Controller.

5. Processing Instructions

Culture Engine shall process Customer Personal Data only:

  • on documented instructions from Controller;
  • as necessary to provide the Service;
  • as described in the Terms and this DPA; or
  • as otherwise required by applicable law.

If applicable law requires Culture Engine to process Customer Personal Data outside Controller’s instructions, Culture Engine shall inform Controller unless legally prohibited from doing so.

Culture Engine shall promptly notify Controller if it believes an instruction violates applicable Data Protection Laws.

6. Confidentiality

Culture Engine shall ensure that personnel authorized to process Customer Personal Data:

  • are subject to confidentiality obligations; or
  • are under an appropriate statutory duty of confidentiality.

Access to Customer Personal Data shall be limited to personnel with a legitimate business need to access such information.

7. Security Measures

Culture Engine shall implement commercially reasonable technical and organizational safeguards designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

Such measures may include:

  • encryption in transit using TLS 1.2 or higher;
  • encryption at rest where appropriate;
  • role-based access controls;
  • authentication mechanisms;
  • logging and monitoring systems;
  • vulnerability management practices;
  • incident response procedures;
  • backup and recovery processes; and
  • employee security awareness training.

Culture Engine may modify or update security measures from time to time, provided such measures do not materially reduce the overall level of security protection.

8. Artificial Intelligence and Automated Processing

Culture Engine does not use Customer Personal Data, employee recognition content, comments, reactions, or workspace content submitted through the Service to train generalized artificial intelligence or machine learning models unless expressly authorized by Controller.

Culture Engine may use automated systems and artificial intelligence technologies solely to provide, support, secure, and improve functionality within the Service for the benefit of Controller.

9. Sub-processors

Controller authorizes Culture Engine to engage Sub-processors in connection with the provision of the Service.

Culture Engine shall:

  • impose data protection obligations on Sub-processors that are no less protective than those contained in this DPA;
  • remain responsible for the acts and omissions of Sub-processors to the extent required by applicable law; and
  • maintain a list of material Sub-processors and make it available to Controller upon request, where required by applicable law.

Controller may reasonably object to a new Sub-processor on legitimate data protection grounds by providing written notice within fifteen (15) days of receiving notice of the Sub-processor engagement.

If the parties cannot reasonably resolve the objection, either party may terminate the affected portion of the Service upon written notice.

10. Data Subject Requests

Taking into account the nature of the processing, Culture Engine shall provide reasonable assistance to Controller in responding to requests from data subjects exercising rights under applicable Data Protection Laws.

Where Culture Engine receives a data subject request relating to Customer Personal Data directly from a data subject, Culture Engine shall:

  • promptly notify Controller; and
  • not respond directly unless legally required or authorized by Controller.

11. Data Protection Impact Assessments

Where required under applicable Data Protection Laws, Culture Engine shall provide reasonable assistance to Controller with:

  • data protection impact assessments (“DPIAs”);
  • prior consultations with supervisory authorities; and
  • security or compliance documentation reasonably necessary to satisfy Controller’s compliance obligations.

12. Security Incidents and Personal Data Breaches

Culture Engine shall notify Controller without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.

To the extent reasonably available, such notification may include:

  • a description of the nature of the breach;
  • categories of affected data;
  • categories of affected data subjects;
  • likely consequences of the breach; and
  • measures taken or proposed to mitigate the breach.

Culture Engine’s notification of a Personal Data Breach does not constitute an admission of fault or liability.

13. International Data Transfers

Customer Personal Data may be transferred to and processed by Culture Engine in the United Arab Emirates and other jurisdictions where Culture Engine or its Sub-processors operate.

Where Customer Personal Data originating in the European Economic Area (“EEA”), United Kingdom, or Switzerland is transferred to a country not recognized as providing an adequate level of protection, the parties agree to incorporate the applicable Standard Contractual Clauses (“SCCs”) approved by the European Commission, the UK International Data Transfer Agreement, or equivalent lawful transfer mechanisms under applicable law.

Such mechanisms shall be deemed incorporated into this DPA by reference where applicable.

14. Deletion and Return of Data

Within thirty (30) days of termination or expiration of the Service, Culture Engine shall delete or return Customer Personal Data in accordance with the Terms, Controller’s documented instructions, and applicable law.

Notwithstanding the foregoing, Culture Engine may retain Customer Personal Data:

  • as required by applicable law;
  • for security, fraud prevention, or dispute resolution purposes;
  • in archived backup systems subject to appropriate safeguards; or
  • where retention is otherwise permitted under applicable law.

15. Audit Rights

Upon reasonable written request, Culture Engine shall make available information reasonably necessary to demonstrate compliance with this DPA.

Where required by applicable law, Controller may conduct an audit or inspection subject to the following conditions:

  • at least thirty (30) days’ prior written notice;
  • no more than once annually unless required by law or following a confirmed security incident;
  • conducted during normal business hours;
  • no unreasonable disruption to Culture Engine’s operations;
  • subject to appropriate confidentiality obligations; and
  • Controller bears its own audit costs.

Culture Engine may satisfy audit obligations by providing relevant third-party audit reports or certifications, including SOC 2, ISO 27001, or similar independent assessments, where available.

16. CCPA/CPRA Service Provider Terms

To the extent the CCPA or CPRA applies:

  • Culture Engine acts as a “service provider” or “contractor” as defined under applicable California privacy laws;
  • Culture Engine shall not sell or share Customer Personal Data;
  • Culture Engine shall not retain, use, or disclose Customer Personal Data outside the direct business relationship with Controller except as permitted by applicable law; and
  • Culture Engine shall comply with applicable obligations imposed on service providers under California privacy laws.

17. Term and Survival

This DPA remains effective for as long as Culture Engine processes Customer Personal Data on behalf of Controller.

Obligations relating to confidentiality, security, deletion, liability limitations, and compliance with applicable Data Protection Laws survive termination of this DPA for so long as Culture Engine retains Customer Personal Data.

18. Limitation of Liability

To the maximum extent permitted by applicable law, each party’s liability arising under this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms.

Nothing in this DPA limits liability to the extent prohibited by applicable Data Protection Laws.

19. Order of Precedence

In the event of a conflict between this DPA and the Terms regarding processing of Customer Personal Data, this DPA shall control solely with respect to data protection matters.

20. Contact Information

For data protection or privacy-related inquiries:

Culture Engine
hello@cultureengine.ai
www.cultureengine.ai