Uniti AI, Inc. Data Processing Agreement
Last revised on: Mar 10, 2026
This Uniti AI Data Processing Agreement (“DPA”) is an agreement between you and/or the entity you represent (“Customer”) and Uniti AI, Inc. (“Uniti”).
This DPA is subject to the Services Agreement entered into between Uniti and Customer (the “Services Agreement”). All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Services Agreement.
Under the Services Agreement, Uniti provides certain services to Customer that involve Uniti handling Customer data, which may include Personal Information (defined below).
This DPA is effective as of the Effective Date of the Customer’s Services Agreement.
Definitions and Interpretation
The following definitions and rules of interpretation apply in this DPA.
Authorized Persons
The persons or categories of persons that Customer authorizes to give Uniti personal information processing instructions.
Business Purpose
The service described in the Services Agreement or any other purpose specifically identified in Appendix A.
Data Subject
An individual who is the subject of the Personal Information and to whom or about whom the Personal Information relates or identifies, directly or indirectly.
Personal Information
Any information Uniti processes for Customer that:
identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Uniti’s possession or control or that Uniti is likely to have access to; or
the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.
Processing
Any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing.
Processing includes:
obtaining
recording
holding
organizing
amending
retrieving
using
disclosing
erasing
destroying
Processing also includes transferring Personal Information to third parties.
Privacy and Data Protection Requirements
All applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of Personal Information.
Security Breach
Any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the safeguards protecting it.
This includes:
loss of Personal Information
unauthorized access
disclosure
acquisition of Personal Information
Standard Contractual Clauses (SCC)
The European Commission’s standard contractual clauses for the transfer of personal data from the European Union to third countries as set out in Commission Decision (EU) 2021/914.
This DPA is subject to the terms of the Services Agreement and is incorporated into the Services Agreement.
The Appendices form part of this DPA and will have effect as if set out in full in the body of this DPA.
A reference to writing or written includes email.
In the case of conflict between documents:
the body of this DPA prevails over the Appendices
the Appendices prevail over invoices or annexed documents
this DPA prevails over the Services Agreement
executed Standard Contractual Clauses prevail over this agreement
Personal Information Types and Processing Purposes
Customer retains control of the Personal Information and remains responsible for:
compliance with Privacy and Data Protection Requirements
providing notices
obtaining consents
issuing processing instructions
Appendix A describes the categories of Personal Information and Data Subjects Uniti may process to fulfill the Business Purposes of the Services Agreement.
Customer discloses Personal Information to Uniti only for the limited and specified Business Purposes.
Provider’s Obligations
Uniti will only process, retain, use, or disclose Personal Information:
as necessary for the Business Purposes
in accordance with Customer’s written instructions
in compliance with this DPA and applicable laws
Uniti must promptly notify Customer if Customer’s instructions violate Privacy and Data Protection Requirements.
Uniti must promptly comply with Customer instructions requiring Uniti to:
amend Personal Information
transfer Personal Information
delete Personal Information
stop or remedy unauthorized processing
Uniti will maintain the confidentiality of all Personal Information and will not:
sell Personal Information
share it for cross-contextual advertising
disclose it to third parties
Unless:
authorized by Customer, or
required by law
If law requires disclosure, Uniti will inform Customer first unless legally prohibited.
Uniti will reasonably assist Customer in meeting compliance obligations under Privacy and Data Protection Requirements.
Uniti must notify Customer of any legal or regulatory changes affecting its obligations.
Uniti will only collect Personal Information using a notice or method pre-approved by Customer containing a data privacy notice informing the Data Subject of:
Customer’s identity
processing purposes
legally required information
Uniti will not modify this notice without Customer’s written consent.
Provider’s Employees
Uniti will limit Personal Information access to:
employees who require access to meet obligations under this DPA
only the specific data required for their duties
Uniti will ensure employees:
understand confidentiality obligations
receive privacy training
understand legal duties under Privacy and Data Protection Requirements
Uniti will take reasonable steps to ensure the reliability and trustworthiness of employees with access to Personal Information.
Security
Uniti must implement appropriate technical and organizational measures to safeguard Personal Information against:
unauthorized processing
unauthorized access
copying
modification
storage
distribution
accidental loss
destruction
damage
Uniti will notify Customer of technological developments requiring updated security measures.
Uniti must maintain backup and restoration procedures to prevent corruption or loss of Personal Information.
Security Breaches and Personal Information Loss
Uniti will promptly notify Customer if Personal Information:
is lost
destroyed
corrupted
damaged
unusable
Uniti will restore such Personal Information at its own expense.
Uniti must notify Customer within 48 hours if it becomes aware of:
unauthorized processing of Personal Information
a Security Breach
After a breach, the parties will cooperate to investigate the matter.
Uniti will assist Customer by:
supporting investigations
providing facility access
facilitating employee interviews
providing logs, records, and relevant materials
Uniti will not inform third parties about a breach without Customer consent unless required by law.
Customer has sole authority to determine:
whether breach notifications are issued
notification content and delivery
remedies offered to affected Data Subjects
Uniti will reimburse Customer for reasonable breach response expenses if Uniti caused the breach.
Cross-Border Transfers of Personal Information
Appendix A lists all countries where Personal Information may be stored or processed.
Uniti may not transfer data outside these countries without Customer’s written consent.
All transfers must comply with applicable Privacy and Data Protection Requirements.
Subcontractors
Uniti may authorize subcontractors only if:
Customer has the opportunity to object within 14 days
subcontractors sign agreements equivalent to this DPA
Uniti maintains control over Personal Information
subcontractor contracts terminate with this DPA
Approved subcontractors must be listed in Appendix A.
Uniti remains fully liable for subcontractor obligations.
Data Subject Requests, Complaints, and Third Party Right
Uniti must notify Customer without delay if it receives a request from a Data Subject to exercise rights regarding Personal Information, including:
access
correction
deletion
restriction of processing
opt-out requests
Uniti must also notify Customer of complaints or communications relating to data processing.
Uniti will assist Customer in responding to such requests.
Uniti may not disclose Personal Information unless:
instructed by Customer
permitted by this DPA
required by law
Term and Termination
This DPA remains in effect while:
the Services Agreement remains active, or
Uniti retains Personal Information related to the Services Agreement.
Certain provisions continue after termination to ensure protection of Personal Information.
Data Return and Destruction
Upon request, Uniti will provide Customer with a copy of Personal Information in a reasonable format.
Upon termination of the Services Agreement, Uniti will:
destroy Personal Information, or
return Personal Information to Customer
Uniti may retain one copy for audit purposes only.
If law requires retention, Uniti will notify Customer of:
the legal basis
the retention period
the destruction timeline
Records
Uniti will maintain accurate records regarding Personal Information processing including:
access
control
security measures
subcontractors
processing purposes
These records allow Customer to verify compliance with this DPA.
Audit
Uniti will permit Customer or third-party auditors to audit compliance with this DPA:
with at least 30 days notice
during the Term
for one year after termination
Uniti will provide reasonable assistance to conduct audits.
General Compliance
Each party remains responsible for its own compliance with Privacy and Data Protection Requirements.
Customer represents that Uniti’s processing instructions comply with applicable laws.
Notice
All notices must be provided in writing.
Customer notifications will be sent to the email address specified in the Services Agreement.
Uniti notifications must be sent to:
ops@getuniti.com
Appendix A — Personal Information Processing Purposes and Details
Business Purposes
Personal Information will be processed to provide the Services including:
instant email-based lead engagement and qualification
AI-powered follow-up with dormant leads
Personal Information Categories
names
email addresses
phone numbers
location preferences
product or service interests
communication history and preferences
Data Subject Types
Customer leads and prospects
Customer clients
individuals submitting inquiries
Processing Duration
Archived data is retained for the period specified by Customer or until termination of the Services Agreement.
Approved Subcontractors
Amazon Web Services
Nylas
Stripe
Google Cloud
Twilio
Meta (WhatsApp)
OpenAI
Countries Where Data May Be Stored
USA
Appendix B — International Transfer Addendum
This International Transfer Addendum is incorporated into the Data Processing Agreement.
It governs transfers of Personal Data from:
the European Economic Area (EEA)
the United Kingdom
to countries outside those jurisdictions.
Transfers rely on the Standard Contractual Clauses (SCC) and other lawful transfer mechanisms.
Key provisions include:
Module Two SCC applies
Docking Clause applies
sub-processor objection period: 30 days
governing law: Netherlands
jurisdiction: courts of the Netherlands
Technical and Organizational Measures
This Data Processing Agreement is incorporated into Uniti AI customer agreements where applicable to the Client’s use of the Service.
A separately signed version can be provided upon request.
