Data Processing Addendum ("DPA")
Data Processing Addendum ("DPA")
Effective Date: Oct 7, 2025
This Data Processing Addendum ("DPA") forms part of the Composio Terms of Service (the "Agreement") between Sampark Inc. (d/b/a "Composio") and the Customer identified below (each a "Party" and together the "Parties"). By using the Application Services, Customer agrees to this DPA.
This Data Processing Addendum ("DPA") forms part of the Composio Terms of Service (the "Agreement") between Sampark Inc. (d/b/a "Composio") and the Customer identified below (each a "Party" and together the "Parties"). By using the Application Services, Customer agrees to this DPA.
1. Introduction
This DPA sets forth the obligations for the processing and security of Personal Information in connection with Composio’s provision, and Customer’s use, of the Application Services (as defined below). The purpose of this DPA is to reflect the Parties’ agreement regarding the Processing of Personal Information in the Application Services in accordance with applicable Data Privacy Law.
2. General Terms
2.1 Scope. This DPA applies to the Processing of Personal Information by Composio and its Affiliates and Subprocessors in providing the Application Services to Customer.
2.2 Compliance with Laws. Each Party will comply with all laws and regulations applicable to its performance under the Agreement and this DPA, including applicable security breach notification laws and Data Privacy Laws.
2.3 Affiliates. The Parties acknowledge and agree that Customer and Composio each enter into this DPA on behalf of itself and its Affiliates to the extent such Affiliate is a party to an Agreement and/or Order Form governed by the Agreement. References to “Composio” and “Customer” include their respective covered Affiliates unless otherwise stated.
3. Data Processing Terms
3.1 Roles. As between the Parties, Customer is the Controller (or equivalent term under Data Privacy Law) and Composio is the Processor (or Subprocessor where acting on behalf of Customer’s processors) of Personal Information processed within the Application Services.
3.2 Purpose and Instructions. Composio will Process Personal Information only: (i) to provide and support the Application Services as described in the Agreement and this DPA; (ii) in accordance with Customer’s documented instructions (including via product configuration and the Agreement); or (iii) as required by applicable law. Where applicable law requires Processing for other purposes, Composio will inform Customer before such Processing unless prohibited by law.
3.3 Confidentiality. Composio will ensure that persons authorized to Process Personal Information are subject to appropriate confidentiality obligations.
3.4 Disclosures. Composio will not disclose Personal Information to third parties except: (i) as instructed by Customer; (ii) as necessary to provide the Application Services (including through Subprocessors authorized under this DPA); or (iii) as required by law. Where legally permitted, Composio will notify Customer of any legally binding request for disclosure and will, where feasible, redirect such request to Customer.
3.5 Assistance. Taking into account the nature of Processing and the information available to Composio, Composio will provide reasonable assistance to Customer to: (i) respond to Data Subject requests to exercise rights under Data Privacy Law; (ii) conduct data protection impact assessments and prior consultations with supervisory authorities; and (iii) demonstrate compliance with this DPA.
4. Data Security Program
4.1 Security Measures. Without limiting Customer’s security obligations under the Agreement, Composio will implement and maintain appropriate technical and organizational measures designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. These measures are designed to provide a level of security appropriate to the risk and include, as applicable:
Information Security Program managed by designated security personnel responsible for establishing, maintaining, and enforcing security policies and standards.
Policies & Governance covering secure development, access control, incident response, vendor risk, and data classification/handling.
Technical Controls such as encryption in transit; encryption at rest (where supported by the underlying infrastructure); role‑based access control and least‑privilege access; multi‑factor authentication for privileged accounts; key and secret management; network security monitoring; vulnerability management; logging and monitoring; and change management.
Administrative Controls including security and privacy training; background checks where permitted by law; and access reviews for personnel with access to Personal Information.
Physical Security for Composio offices and use of third‑party cloud infrastructure with industry‑standard physical security controls.
Composio may update its security measures from time to time, provided that such updates will not materially lower the overall level of security of the Application Services.
4.2 Product and Documentation. Composio maintains additional security and compliance information at https://trust.composio.dev.
5. Security Incidents
Composio will notify Customer without undue delay after becoming aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information Processed by Composio (an "Incident"). Composio will investigate the Incident, provide details reasonably available about the nature and scope of the Incident, and take reasonable steps to mitigate and remediate the Incident. Customer is responsible for notifications to Data Subjects or regulators except where the Agreement or applicable law provides otherwise.
6. Documentation and Audits
6.1 Documentation. Composio makes available information reasonably necessary to demonstrate compliance with this DPA through its trust portal at https://trust.composio.dev, which may include current third‑party certifications or summaries of audit reports (if any).
6.2 Audits. No right of audit is granted to customers under the standard Terms of Service. Any additional audit rights are available only under a separate written enterprise agreement executed with Composio.
6.3 SCC/IDTA Audits. To the extent applicable law (including the Standard Contractual Clauses or UK IDTA) requires audit rights, such audits shall be satisfied through the documentation provided under Section 6.1.
7. Subprocessors
7.1 Authorization. Customer provides a general authorization for Composio to engage Subprocessors to support delivery of the Application Services. Composio will impose obligations on Subprocessors that are no less protective than those set out in this DPA and remains responsible for Subprocessors’ performance.
7.2 List and Updates. Composio’s current list of Subprocessors is published at https://trust.composio.dev. Composio will post updates to that page at least thirty (30) days prior to allowing any new Subprocessor to Process Personal Information.
7.3 Objection. Customer may object on reasonable, documented grounds relating to data protection to Composio’s appointment of a new Subprocessor by submitting an objection through the channel identified at https://trust.composio.dev within thirty (30) days of the update. If Customer objects, the Parties will work in good faith to address the objection. If no resolution is reached, Customer may terminate the affected services (without penalty) as its sole remedy.
8. Data Location; International Transfers
8.1 Location. Unless otherwise specified in the Agreement or an applicable Order Form, Composio’s primary data storage and Processing will occur in the United States. Where regional hosting options are expressly made available in the Application Services and selected by Customer, Composio will Process Personal Information in accordance with Customer’s selection.
8.2 Transfer Mechanisms. To the extent Personal Information is transferred to a country that does not provide an adequate level of protection under applicable Data Privacy Law, Composio will ensure appropriate safeguards are in place, which may include: (i) the European Commission’s Standard Contractual Clauses ("SCCs") (Modules Two and/or Three, as applicable); (ii) the UK International Data Transfer Addendum ("UK Addendum"); (iii) the Swiss adaptations to the SCCs; and/or (iv) participation in an approved transfer framework (e.g., the EU‑U.S. Data Privacy Framework) where Composio is certified. Details required by these instruments shall be deemed incorporated by reference from this DPA and the Agreement.
8.3 Clause Selections. For SCCs: (a) Clause 7 (Docking) applies; (b) Clause 9 (use of Subprocessors) follows Section 7 of this DPA; (c) Clause 11 does not apply; (d) Clause 17 Option 1 applies with the governing law of Ireland for GDPR transfers; and (e) disputes under Clause 18(b) will be brought before the courts of Ireland. For the UK Addendum: Tables 1–3 are completed by reference to the SCCs and this DPA; Table 4 (which Party may end the Addendum) is set to neither party. For Swiss transfers, references to EU law and authorities shall be read as references to Swiss law and the FDPIC and competent Swiss courts.
9. Data Retention and Deletion
Following expiration or termination of the Agreement, Composio will, upon Customer’s written request, make Personal Information available for export for thirty (30) days and then delete Personal Information from Composio‑controlled systems, unless Composio is legally required to retain it. Upon deletion, Composio will provide confirmation upon Customer’s request.
10. Notices
Notices under this DPA will be provided in accordance with the Agreement. Where this DPA requires contacting Composio for privacy or security matters (including subprocessor objections), Customer will use the contact method published at https://trust.composio.dev.
11. Liability
This DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Such limitations apply in the aggregate to all claims arising under the Agreement and this DPA.
12. Precedence
In the event of a conflict between the terms of this DPA and the Agreement, this DPA will control solely with respect to Processing of Personal Information. Otherwise, the Agreement controls.
13. Execution; Effective Date
The Parties agree that this DPA is incorporated into and forms part of the Agreement (Composio Terms of Service) as of the date Customer accepted the Terms of Service.
14. Term
This DPA remains in effect for the duration of the Agreement and thereafter as long as Composio Processes Personal Information on behalf of Customer.
15. Definitions
Affiliate means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party to the Agreement.
Application Services means the hosted services, platforms, and related support provided by Composio to Customer under the Agreement, including composio.dev and rube.app.
Controller, Processor, Data Subject, Process/Processing, Personal Data/Personal Information, and similar terms have the meanings given in applicable Data Privacy Law.
Customer Content means data, content, or information submitted to or stored in the Application Services by or on behalf of Customer.
Data Privacy Law means laws and regulations relating to the Processing of Personal Information, including, as applicable: the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), its UK and Swiss counterparts; U.S. state privacy laws (e.g., CCPA/CPRA, VCDPA, UCPA, CPA, CTDPA); and any similar laws in other jurisdictions.
Subprocessor means any third party engaged by Composio (including Composio Affiliates) to Process Personal Information on behalf of Customer in connection with the Application Services.
Incident has the meaning given in Section 5.
Schedule 1 — Jurisdiction‑ and Industry‑Specific Terms
A. GDPR (and UK/Swiss Equivalents)
Composio will assist Customer, taking into account the nature of Processing and information available to Composio, with Customer’s obligations under Articles 32–36 GDPR (security of processing, breach notification, DPIAs, and prior consultation). The Parties agree that Composio may rely on the transfer mechanisms described in Section 8 for cross‑border transfers.
B. U.S. State Privacy Laws (including CCPA/CPRA)
Roles. For Personal Information subject to the CCPA/CPRA, Customer is a Business and Composio is a Service Provider (or Contractor, as applicable) when Processing such Personal Information under the Agreement.
Purpose Limitation. Composio will not retain, use, or disclose such Personal Information for any purpose other than for the limited and specified business purposes described in the Agreement and this DPA, or as otherwise permitted by the CCPA/CPRA.
No Sale/Sharing. Composio will not sell or share (as those terms are defined in the CCPA/CPRA) Personal Information processed under the Agreement, nor combine it with Personal Information received from other sources except as permitted by the CCPA/CPRA and documented by Customer.
Subcontracting. Composio will ensure its Subprocessors qualify as service providers/contractors under the CCPA/CPRA.
Notice of Inability to Comply. Composio will notify Customer if it determines it can no longer meet its obligations as a Service Provider/Contractor under the CCPA/CPRA.
C. U.S. Federal and Industry‑Specific
HIPAA. If Customer is a “covered entity” or “business associate” and intends to submit Protected Health Information (PHI) to the Application Services, the Parties must first execute a Business Associate Agreement (BAA). Composio does not knowingly accept PHI in the absence of a BAA.
Sector‑Specific Rules. To the extent other sectoral laws apply (e.g., telecommunications, financial, or education privacy laws), the Parties will cooperate in good faith to address specific compliance requirements in an Order Form or addendum.
Schedule 2 — Description of Processing Activities
Nature and Purpose of Processing. Composio Processes Personal Information to provide, secure, support, and improve the Application Services, including account administration, configuration, customer support, service delivery (e.g., orchestration of integrations and tool calls), and communications related to the Application Services.
Duration. For the term of the Agreement and for any additional period required to meet obligations under Section 9 (Retention) or applicable law.
Categories of Data Subjects. Customer’s end users; Customer personnel and contractors; individuals whose Personal Information is included in Customer Content; other Data Subjects as determined by Customer.
Categories of Personal Information. Depending on Customer’s configurations and submissions: identifiers (e.g., name, email, user IDs), contact information, usage and event data, device and technical data (e.g., IP address, user agent), authentication and authorization metadata, logs of tool/agent invocations and integrations, support communications, and other Personal Information that Customer elects to include in Customer Content. Sensitive Personal Information is not required for use of the Application Services and should not be submitted except where expressly permitted by the Agreement and applicable law.
Processing Operations. Collection, storage, retrieval, organization, transmission, display, analysis, and deletion as necessary to provide and support the Application Services and as otherwise instructed by Customer.
Data Storage and Transfers. As described in Section 8 of this DPA.
Subprocessors. As listed and updated at https://trust.composio.dev.
Customer Responsibilities. Customer is responsible for: (i) appropriately configuring and using the Application Services; (ii) ensuring that its instructions to Composio comply with Data Privacy Law; (iii) providing legally sufficient notices and, where required, obtaining consents from Data Subjects; and (iv) the accuracy, quality, and lawfulness of Personal Information provided to Composio.
1. Introduction
This DPA sets forth the obligations for the processing and security of Personal Information in connection with Composio’s provision, and Customer’s use, of the Application Services (as defined below). The purpose of this DPA is to reflect the Parties’ agreement regarding the Processing of Personal Information in the Application Services in accordance with applicable Data Privacy Law.
2. General Terms
2.1 Scope. This DPA applies to the Processing of Personal Information by Composio and its Affiliates and Subprocessors in providing the Application Services to Customer.
2.2 Compliance with Laws. Each Party will comply with all laws and regulations applicable to its performance under the Agreement and this DPA, including applicable security breach notification laws and Data Privacy Laws.
2.3 Affiliates. The Parties acknowledge and agree that Customer and Composio each enter into this DPA on behalf of itself and its Affiliates to the extent such Affiliate is a party to an Agreement and/or Order Form governed by the Agreement. References to “Composio” and “Customer” include their respective covered Affiliates unless otherwise stated.
3. Data Processing Terms
3.1 Roles. As between the Parties, Customer is the Controller (or equivalent term under Data Privacy Law) and Composio is the Processor (or Subprocessor where acting on behalf of Customer’s processors) of Personal Information processed within the Application Services.
3.2 Purpose and Instructions. Composio will Process Personal Information only: (i) to provide and support the Application Services as described in the Agreement and this DPA; (ii) in accordance with Customer’s documented instructions (including via product configuration and the Agreement); or (iii) as required by applicable law. Where applicable law requires Processing for other purposes, Composio will inform Customer before such Processing unless prohibited by law.
3.3 Confidentiality. Composio will ensure that persons authorized to Process Personal Information are subject to appropriate confidentiality obligations.
3.4 Disclosures. Composio will not disclose Personal Information to third parties except: (i) as instructed by Customer; (ii) as necessary to provide the Application Services (including through Subprocessors authorized under this DPA); or (iii) as required by law. Where legally permitted, Composio will notify Customer of any legally binding request for disclosure and will, where feasible, redirect such request to Customer.
3.5 Assistance. Taking into account the nature of Processing and the information available to Composio, Composio will provide reasonable assistance to Customer to: (i) respond to Data Subject requests to exercise rights under Data Privacy Law; (ii) conduct data protection impact assessments and prior consultations with supervisory authorities; and (iii) demonstrate compliance with this DPA.
4. Data Security Program
4.1 Security Measures. Without limiting Customer’s security obligations under the Agreement, Composio will implement and maintain appropriate technical and organizational measures designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. These measures are designed to provide a level of security appropriate to the risk and include, as applicable:
Information Security Program managed by designated security personnel responsible for establishing, maintaining, and enforcing security policies and standards.
Policies & Governance covering secure development, access control, incident response, vendor risk, and data classification/handling.
Technical Controls such as encryption in transit; encryption at rest (where supported by the underlying infrastructure); role‑based access control and least‑privilege access; multi‑factor authentication for privileged accounts; key and secret management; network security monitoring; vulnerability management; logging and monitoring; and change management.
Administrative Controls including security and privacy training; background checks where permitted by law; and access reviews for personnel with access to Personal Information.
Physical Security for Composio offices and use of third‑party cloud infrastructure with industry‑standard physical security controls.
Composio may update its security measures from time to time, provided that such updates will not materially lower the overall level of security of the Application Services.
4.2 Product and Documentation. Composio maintains additional security and compliance information at https://trust.composio.dev.
5. Security Incidents
Composio will notify Customer without undue delay after becoming aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information Processed by Composio (an "Incident"). Composio will investigate the Incident, provide details reasonably available about the nature and scope of the Incident, and take reasonable steps to mitigate and remediate the Incident. Customer is responsible for notifications to Data Subjects or regulators except where the Agreement or applicable law provides otherwise.
6. Documentation and Audits
6.1 Documentation. Composio makes available information reasonably necessary to demonstrate compliance with this DPA through its trust portal at https://trust.composio.dev, which may include current third‑party certifications or summaries of audit reports (if any).
6.2 Audits. No right of audit is granted to customers under the standard Terms of Service. Any additional audit rights are available only under a separate written enterprise agreement executed with Composio.
6.3 SCC/IDTA Audits. To the extent applicable law (including the Standard Contractual Clauses or UK IDTA) requires audit rights, such audits shall be satisfied through the documentation provided under Section 6.1.
7. Subprocessors
7.1 Authorization. Customer provides a general authorization for Composio to engage Subprocessors to support delivery of the Application Services. Composio will impose obligations on Subprocessors that are no less protective than those set out in this DPA and remains responsible for Subprocessors’ performance.
7.2 List and Updates. Composio’s current list of Subprocessors is published at https://trust.composio.dev. Composio will post updates to that page at least thirty (30) days prior to allowing any new Subprocessor to Process Personal Information.
7.3 Objection. Customer may object on reasonable, documented grounds relating to data protection to Composio’s appointment of a new Subprocessor by submitting an objection through the channel identified at https://trust.composio.dev within thirty (30) days of the update. If Customer objects, the Parties will work in good faith to address the objection. If no resolution is reached, Customer may terminate the affected services (without penalty) as its sole remedy.
8. Data Location; International Transfers
8.1 Location. Unless otherwise specified in the Agreement or an applicable Order Form, Composio’s primary data storage and Processing will occur in the United States. Where regional hosting options are expressly made available in the Application Services and selected by Customer, Composio will Process Personal Information in accordance with Customer’s selection.
8.2 Transfer Mechanisms. To the extent Personal Information is transferred to a country that does not provide an adequate level of protection under applicable Data Privacy Law, Composio will ensure appropriate safeguards are in place, which may include: (i) the European Commission’s Standard Contractual Clauses ("SCCs") (Modules Two and/or Three, as applicable); (ii) the UK International Data Transfer Addendum ("UK Addendum"); (iii) the Swiss adaptations to the SCCs; and/or (iv) participation in an approved transfer framework (e.g., the EU‑U.S. Data Privacy Framework) where Composio is certified. Details required by these instruments shall be deemed incorporated by reference from this DPA and the Agreement.
8.3 Clause Selections. For SCCs: (a) Clause 7 (Docking) applies; (b) Clause 9 (use of Subprocessors) follows Section 7 of this DPA; (c) Clause 11 does not apply; (d) Clause 17 Option 1 applies with the governing law of Ireland for GDPR transfers; and (e) disputes under Clause 18(b) will be brought before the courts of Ireland. For the UK Addendum: Tables 1–3 are completed by reference to the SCCs and this DPA; Table 4 (which Party may end the Addendum) is set to neither party. For Swiss transfers, references to EU law and authorities shall be read as references to Swiss law and the FDPIC and competent Swiss courts.
9. Data Retention and Deletion
Following expiration or termination of the Agreement, Composio will, upon Customer’s written request, make Personal Information available for export for thirty (30) days and then delete Personal Information from Composio‑controlled systems, unless Composio is legally required to retain it. Upon deletion, Composio will provide confirmation upon Customer’s request.
10. Notices
Notices under this DPA will be provided in accordance with the Agreement. Where this DPA requires contacting Composio for privacy or security matters (including subprocessor objections), Customer will use the contact method published at https://trust.composio.dev.
11. Liability
This DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Such limitations apply in the aggregate to all claims arising under the Agreement and this DPA.
12. Precedence
In the event of a conflict between the terms of this DPA and the Agreement, this DPA will control solely with respect to Processing of Personal Information. Otherwise, the Agreement controls.
13. Execution; Effective Date
The Parties agree that this DPA is incorporated into and forms part of the Agreement (Composio Terms of Service) as of the date Customer accepted the Terms of Service.
14. Term
This DPA remains in effect for the duration of the Agreement and thereafter as long as Composio Processes Personal Information on behalf of Customer.
15. Definitions
Affiliate means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party to the Agreement.
Application Services means the hosted services, platforms, and related support provided by Composio to Customer under the Agreement, including composio.dev and rube.app.
Controller, Processor, Data Subject, Process/Processing, Personal Data/Personal Information, and similar terms have the meanings given in applicable Data Privacy Law.
Customer Content means data, content, or information submitted to or stored in the Application Services by or on behalf of Customer.
Data Privacy Law means laws and regulations relating to the Processing of Personal Information, including, as applicable: the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), its UK and Swiss counterparts; U.S. state privacy laws (e.g., CCPA/CPRA, VCDPA, UCPA, CPA, CTDPA); and any similar laws in other jurisdictions.
Subprocessor means any third party engaged by Composio (including Composio Affiliates) to Process Personal Information on behalf of Customer in connection with the Application Services.
Incident has the meaning given in Section 5.
Schedule 1 — Jurisdiction‑ and Industry‑Specific Terms
A. GDPR (and UK/Swiss Equivalents)
Composio will assist Customer, taking into account the nature of Processing and information available to Composio, with Customer’s obligations under Articles 32–36 GDPR (security of processing, breach notification, DPIAs, and prior consultation). The Parties agree that Composio may rely on the transfer mechanisms described in Section 8 for cross‑border transfers.
B. U.S. State Privacy Laws (including CCPA/CPRA)
Roles. For Personal Information subject to the CCPA/CPRA, Customer is a Business and Composio is a Service Provider (or Contractor, as applicable) when Processing such Personal Information under the Agreement.
Purpose Limitation. Composio will not retain, use, or disclose such Personal Information for any purpose other than for the limited and specified business purposes described in the Agreement and this DPA, or as otherwise permitted by the CCPA/CPRA.
No Sale/Sharing. Composio will not sell or share (as those terms are defined in the CCPA/CPRA) Personal Information processed under the Agreement, nor combine it with Personal Information received from other sources except as permitted by the CCPA/CPRA and documented by Customer.
Subcontracting. Composio will ensure its Subprocessors qualify as service providers/contractors under the CCPA/CPRA.
Notice of Inability to Comply. Composio will notify Customer if it determines it can no longer meet its obligations as a Service Provider/Contractor under the CCPA/CPRA.
C. U.S. Federal and Industry‑Specific
HIPAA. If Customer is a “covered entity” or “business associate” and intends to submit Protected Health Information (PHI) to the Application Services, the Parties must first execute a Business Associate Agreement (BAA). Composio does not knowingly accept PHI in the absence of a BAA.
Sector‑Specific Rules. To the extent other sectoral laws apply (e.g., telecommunications, financial, or education privacy laws), the Parties will cooperate in good faith to address specific compliance requirements in an Order Form or addendum.
Schedule 2 — Description of Processing Activities
Nature and Purpose of Processing. Composio Processes Personal Information to provide, secure, support, and improve the Application Services, including account administration, configuration, customer support, service delivery (e.g., orchestration of integrations and tool calls), and communications related to the Application Services.
Duration. For the term of the Agreement and for any additional period required to meet obligations under Section 9 (Retention) or applicable law.
Categories of Data Subjects. Customer’s end users; Customer personnel and contractors; individuals whose Personal Information is included in Customer Content; other Data Subjects as determined by Customer.
Categories of Personal Information. Depending on Customer’s configurations and submissions: identifiers (e.g., name, email, user IDs), contact information, usage and event data, device and technical data (e.g., IP address, user agent), authentication and authorization metadata, logs of tool/agent invocations and integrations, support communications, and other Personal Information that Customer elects to include in Customer Content. Sensitive Personal Information is not required for use of the Application Services and should not be submitted except where expressly permitted by the Agreement and applicable law.
Processing Operations. Collection, storage, retrieval, organization, transmission, display, analysis, and deletion as necessary to provide and support the Application Services and as otherwise instructed by Customer.
Data Storage and Transfers. As described in Section 8 of this DPA.
Subprocessors. As listed and updated at https://trust.composio.dev.
Customer Responsibilities. Customer is responsible for: (i) appropriately configuring and using the Application Services; (ii) ensuring that its instructions to Composio comply with Data Privacy Law; (iii) providing legally sufficient notices and, where required, obtaining consents from Data Subjects; and (iv) the accuracy, quality, and lawfulness of Personal Information provided to Composio.