DATA PROCESSING AGREEMENT

This DATA PROCESSING AGREEMENT (“DPA”) is executed as of 2024-11-20 between:

  1. Perceptric AI AB (“Processor”), as defined in the overarching Agreement; and

  2. Subscriber (“Controller”), as defined in the overarching Agreement.

The Processor and the Controller are referred to individually as a “Party” and collectively as the “Parties.”

1. BACKGROUND

1.1 The Parties have entered into an overarching agreement (the “Agreement”) under which Perceptric AI AB provides the Subscriber with a subscription to access its platform and related services.

1.2 This DPA constitutes an integral part of the Agreement, outlining the terms specific to the processing of Subscriber Data. In the event of any conflict between the Agreement and this DPA, the provisions of this DPA shall take precedence.

1.3 The Parties agree that the Subscriber may use the services offered by Perceptric AI AB to process data on behalf of its own organization and any affiliated entities (“Affiliates”). As such, the Subscriber will act as the Controller for itself and its Affiliates during the term of the Agreement. Should any mandatory legal requirements apply specifically to an Affiliate, the Subscriber will provide the Processor with appropriate instructions to ensure compliance.

1.4 This DPA establishes the respective rights and responsibilities of the Subscriber as the Data Controller and Perceptric AI AB as the Data Processor in relation to the processing of Subscriber Data, which includes Personal Data and other data types.

2. DEFINITIONS

2.1 “Subscriber Data” refers to all data provided by the Subscriber for processing via the platform, including but not limited to personal data, business data, or technical data.

2.2 “Personal Data” refers to any information relating to an identified or identifiable natural person, as defined under the General Data Protection Regulation (GDPR).

2.3 “Processing” refers to any operation performed on Subscriber Data, including collection, analysis, transmission, or deletion.

2.4 “Controller” refers to the Subscriber, who determines the purposes and means of processing the Subscriber Data.

2.5 “Processor” refers to Perceptric AI AB, which processes Subscriber Data on behalf of the Controller.

2.6 “Subprocessor” refers to any third party engaged by the Processor to process Subscriber Data on behalf of the Controller.

3. SCOPE OF PROCESSING

3.1 Purpose: The Processor will process Subscriber Data solely for the purpose of providing the platform and associated services under the Agreement.

3.2 Subscriber Data Types: Subscriber Data may include:

  • Personal Data: Information relating to individuals (e.g., names, email addresses) provided by the Controller for analysis.

  • Non-Personal Data: Other data such as business metrics, technical logs, and aggregated datasets uploaded for processing.

3.3 Duration: Processing will occur for the duration of the Agreement or as instructed by the Controller, unless retention is required by law.

3.4 Nature of Processing: The Processor will process Subscriber Data to enable analysis, visualization, and other functionalities as instructed by the Controller.

3.5 Categories of Data Subjects: Where Subscriber Data includes Personal Data, categories of data subjects may include employees, customers, or other individuals associated with the Controller.

4. OBLIGATIONS OF THE PARTIES

4.1 Processor Obligations

The Processor agrees to:

  • Process Subscriber Data only on documented instructions from the Controller.

  • Ensure that all personnel authorized to process Subscriber Data are bound by confidentiality.

  • Implement appropriate technical and organizational measures to ensure the security of Subscriber Data, including encryption and secure access controls.

  • Notify the Controller promptly in the event of a data breach, as detailed in Section 8.

  • Delete or return all Subscriber Data to the Controller upon termination of the Agreement, unless retention is required by law.

4.2 Controller Obligations

The Controller agrees to:

  • Ensure that all Subscriber Data provided to the Processor has been collected lawfully.

  • Provide clear and lawful instructions for processing Subscriber Data.

  • Maintain responsibility for the accuracy and legality of the Subscriber Data uploaded to the Processor’s platform.

  • Notify the Processor of any mandatory legal requirements applicable to Affiliates that require specific handling of Subscriber Data.

5. SUBPROCESSORS

5.1 The Processor may engage Subprocessors to fulfill its obligations under this Agreement. Subprocessors may include hosting providers, payment processors, and analytics services.

5.2 The Processor will maintain an up-to-date list of Subprocessors, available upon request. The Controller will be notified of any intended changes to Subprocessors and may object within 30 days of notification.

5.3 The Processor ensures that any Subprocessors are bound by data protection obligations equivalent to those in this DPA.

6. RIGHTS OF DATA SUBJECTS

The Processor will assist the Controller in fulfilling its obligations to respond to data subject requests, including requests to:

  • Access, rectify, or delete Personal Data.

  • Restrict or object to the processing of Personal Data.

  • Port Personal Data to another controller.

All requests received by the Processor from data subjects will be directed to the Controller, unless legally prohibited.

7. SECURITY MEASURES

The Processor will implement and maintain appropriate technical and organizational measures to protect Subscriber Data, including but not limited to:

  • Encryption of data during transmission.

  • Secure access controls and authentication mechanisms.

  • Regular security audits and assessments.

8. DATA BREACHES

8.1 The Processor will notify the Controller without undue delay, and no later than 72 hours after becoming aware of a data breach.

8.2 The notification will include:

  • A description of the breach.

  • Categories and number of affected data subjects.

  • Measures taken to address the breach.

8.3 The Processor will cooperate with the Controller to investigate and mitigate the breach.

9. DATA TRANSFERS

If Subscriber Data is transferred outside the European Economic Area (EEA), the Processor will ensure that adequate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.

  • Verification of the recipient country’s data protection adequacy.

10. TERM AND TERMINATION

This DPA will remain in effect for the duration of the Agreement. Upon termination, the Processor will delete or return all Subscriber Data to the Controller unless retention is required by law.