AMP Data Processing Addendum for Customers

This DPA applies where Jam 7 processes Personal Data on behalf of the Customer in connection with the provision of AMP.

For the purposes of this DPA:

Applicable Data Protection Law means all laws and regulations applicable to the processing of Personal Data under the Agreement including the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 and, where applicable, the EU GDPR.

Controller, Processor, Data Subject, Personal Data, Processing, Special Category Data and Supervisory Authority have the meanings given under Applicable Data Protection Law.

Customer Data means Personal Data processed by Jam 7 on behalf of the Customer through AMP.

Security Incident means accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data processed by Jam 7.

Subprocessor means a third party engaged by Jam 7 to process Customer Data on behalf of the Customer.

UK GDPR means the United Kingdom General Data Protection Regulation as defined in section 3(10) of the Data Protection Act 2018.

The Customer acts as Controller of Customer Data processed through AMP except where Applicable Data Protection Law provides otherwise.

Jam 7 acts as Processor when processing Customer Data on behalf of the Customer in connection with AMP.

Nothing in this DPA prevents Jam 7 from acting as Controller where Jam 7 independently determines the purposes and means of processing under Applicable Data Protection Law including for account administration, security monitoring, fraud prevention, legal compliance, service analytics, audit logging, abuse prevention and operational integrity.

The Customer is responsible for ensuring a lawful basis for processing, providing notices where required, obtaining required consents and ensuring that its use of AMP complies with Applicable Data Protection Law.

Jam 7 provides AMP, an AI-assisted marketing and commercial workflow platform used by authorised business users.

Processing activities may include hosting, storage, retrieval, organisation, AI-assisted generation, summarisation, search, workflow orchestration, analytics, vector indexing, support, debugging, security monitoring and deletion of Customer Data.

AMP is designed to support human-led marketing and commercial workflows and is not intended to operate autonomously without user review.

AMP is not intended for medical, legal, financial, insurance, employment, credit, housing or other regulated high-risk decision-making activities.

Customer Data processed through AMP may include business contact information, account information, prompts, uploaded files, generated outputs, communications, CRM records, knowledge base material, support data, marketing content, metadata and workspace activity information.

The Customer controls the categories of Personal Data submitted to AMP.

AMP is not intended for Special Category Data, children's data, payment card data or highly sensitive regulated data unless expressly authorised in writing by Jam 7 and supported by appropriate contractual, technical and organisational safeguards.

Data Subjects may include Customer personnel, employees, contractors, clients, prospects, business contacts, marketing recipients, suppliers, authorised users and other individuals whose Personal Data is submitted to AMP by the Customer.

Jam 7 will process Customer Data to provide AMP, in accordance with the Agreement, in accordance with documented Customer instructions and as required by Applicable Data Protection Law.

The Agreement, customer configuration choices and authorised use of AMP constitute the Customer's documented instructions.

If Jam 7 believes an instruction violates Applicable Data Protection Law, Jam 7 may suspend the relevant processing and notify the Customer where legally permitted.

Jam 7 will ensure that personnel authorised to process Customer Data are subject to confidentiality obligations, receive appropriate access restrictions and access Customer Data only where reasonably necessary for operational, security, support, legal or compliance purposes.

Access to Customer Data is restricted through role-based access controls and authentication safeguards.

Privileged administrative access is protected through multi-factor authentication controls.

Jam 7 maintains logging and monitoring controls relating to privileged operational activity and security events.

Jam 7 implements technical and organisational measures designed to protect Customer Data taking into account the nature of processing, the risks involved, the state of the art, implementation costs and the nature of AMP as a cloud-based AI-assisted workflow platform.

These measures may include encrypted communications, access controls, role-based permissions, authentication protections, logical access and organisational separation controls, vulnerability scanning, logging safeguards, audit events, deployment controls, malware and abuse protections, backup procedures, incident response procedures and operational monitoring.

Jam 7 uses security tooling and operational controls including AWS CloudTrail, AWS GuardDuty, AWS Security Hub, AWS CloudWatch, application audit logging, infrastructure logging and monitoring alerts.

Jam 7 performs periodic review of security controls and access privileges.

Jam 7 may update and modify security measures from time to time provided that overall security protections are not materially reduced.

AMP uses AI agents and language models to generate, analyse, transform and review marketing and commercial content.

Customer Data submitted to AI systems may include prompts, uploaded text, selected workspace context, extracted content, CRM data, generated drafts and workflow instructions.

AI-generated outputs may be inaccurate, incomplete, fabricated, biased or unsuitable for publication or legal compliance.

The Customer remains responsible for reviewing outputs, determining suitability for publication, ensuring legal and regulatory compliance and maintaining appropriate human oversight.

Jam 7 configures AI routing and provider controls intended to restrict provider-side training, model improvement use and unauthorised human review of Customer Data where supported by the relevant provider.

Jam 7 does not use Customer Data to train externally shared or publicly available general-purpose AI models unless expressly agreed with the Customer.

Jam 7 seeks to minimise unnecessary Personal Data exposure within AI processing workflows where reasonably practicable.

The Customer authorises Jam 7 to engage Subprocessors in connection with AMP.

Current Subprocessors may include providers supporting hosting, infrastructure, databases, vector search, authentication, logging, analytics, communications, AI routing, integrations and operational support. These providers may include AWS, Auth0, MongoDB Atlas, Pinecone, OpenRouter, Microsoft Clarity, HubSpot, Notion, Slack, GitHub and other providers used to support AMP.

Jam 7 will impose data protection obligations on Subprocessors that are materially protective of Customer Data.

Jam 7 maintains a Subprocessor register and will provide notice of material new Subprocessors where required under the Agreement.

The Customer may object to a material new Subprocessor on reasonable data protection grounds by notifying Jam 7 within 14 days of receiving notice. Jam 7 will use reasonable efforts to address the objection, including by providing further information, implementing additional safeguards or, where reasonably available, offering an alternative. If the objection cannot reasonably be resolved, either party may terminate the affected services on written notice.

Primary production workloads are hosted within the United Kingdom and European Economic Area where commercially and technically appropriate for AMP operations.

Some Subprocessors or AI providers may process Customer Data outside the United Kingdom or European Economic Area.

Where Customer Data is transferred internationally, Jam 7 relies on transfer safeguards recognised under Applicable Data Protection Law including adequacy regulations, contractual safeguards, Standard Contractual Clauses, UK Addenda and equivalent transfer mechanisms where applicable.

Jam 7 seeks to implement contractual and technical measures intended to reduce unauthorised retention, training and onward use of Customer Data by providers where supported by the relevant provider relationship.

Jam 7 continues to review provider transfer positions, contractual safeguards and operational controls as part of its ongoing compliance programme.

Jam 7 maintains an incident response process designed to identify, investigate, contain and respond to Security Incidents.

Following confirmation of a Security Incident affecting Customer Data, Jam 7 will notify the Customer without undue delay where required by Applicable Data Protection Law.

Such notification may include the nature of the incident, categories of affected data where known, likely consequences and mitigation steps reasonably available at the time.

Jam 7 will take reasonable steps to mitigate the effects of confirmed Security Incidents and cooperate with the Customer where reasonably required.

Taking into account the nature of processing and information available to Jam 7, Jam 7 will provide reasonable assistance to the Customer regarding Data Subject requests, security obligations, breach notifications, impact assessments, consultations with Supervisory Authorities and compliance obligations under Applicable Data Protection Law.

Where requests relate to Customer-controlled workspace data, the Customer remains primarily responsible for responding as Controller.

Jam 7 may charge reasonable costs for assistance that is excessive, repetitive or outside the standard scope of AMP support obligations.

Jam 7 retains Customer Data only for as long as reasonably necessary to provide AMP, comply with legal obligations, maintain security and audit evidence, support backups and disaster recovery and protect the integrity of AMP.

Retention periods may vary depending on customer configuration, operational requirements, security needs, legal obligations, backup policies and contractual requirements.

Operational logs and infrastructure logs may follow configured retention schedules.

Backups and archived copies may persist temporarily after deletion requests in accordance with backup lifecycle and recovery procedures.

Upon termination of the Agreement or written request, Jam 7 will delete or return Customer Data in accordance with the Agreement and Applicable Data Protection Law unless retention is required by law or legitimate security, audit or dispute requirements.

Jam 7 will make available information reasonably necessary to demonstrate compliance with this DPA.

Where reasonably required and proportionate, the Customer may request additional information regarding Jam 7's security and compliance controls.

Formal audits may be conducted only on reasonable prior written notice, during normal business hours, subject to confidentiality obligations and in a manner that does not unreasonably disrupt Jam 7 operations or compromise security obligations to other customers.

Jam 7 may satisfy audit obligations through security documentation, policies, questionnaires, third-party assessments, governance records or other appropriate evidence.

This DPA forms part of the Agreement and is subject to the liability limitations and exclusions contained in the Agreement unless Applicable Data Protection Law requires otherwise.

Nothing in this DPA limits liability that cannot lawfully be limited under Applicable Data Protection Law.

This DPA is governed by the laws of England and Wales unless the Agreement expressly requires otherwise.

The courts of England and Wales have exclusive jurisdiction over disputes arising from this DPA unless mandatory law requires otherwise.

If there is a conflict between this DPA and the Agreement regarding data protection obligations, this DPA will prevail to the extent of that conflict.

Subject Matter: Provision of AMP as a cloud-based AI-assisted marketing and commercial workflow platform.

Duration: For the duration of the Agreement and any applicable retention period.

Nature and Purpose: Hosting, storage, AI-assisted processing, workflow execution, search, retrieval, generation, support, analytics, vector indexing, communications, logging and related operational processing.

Categories of Personal Data: As described in Sections 4 and 5 of this DPA.

Categories of Data Subjects: As described in Sections 4 and 5 of this DPA.

Special Category Data: Not intended unless expressly authorised and appropriately safeguarded.

Measures may include TLS encrypted communications, access controls, RBAC, MFA for privileged access, infrastructure logging, CloudTrail monitoring, GuardDuty monitoring, Security Hub monitoring, audit events, vulnerability scanning, deployment controls, backup procedures, incident response processes, operational monitoring, security alerting and periodic access reviews.

Jam 7 may modify security measures over time provided overall protections are not materially reduced.