This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller") and AktAI ("Processor") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the AktAI platform.
1. Definitions
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data, being the customer of AktAI.
- "Processor" means AktAI, which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4(2) of the GDPR.
- "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
2. Scope of Processing
2.1 Types of Personal Data
The Processor processes the following categories of Personal Data on behalf of the Controller:
- Employee names
- Email addresses
- Department information
- Training completion scores
- AI system descriptions
2.2 Categories of Data Subjects
- Employees of the Controller
- Designated AI compliance contacts
2.3 Purpose of Processing
Personal Data is processed for the purpose of providing EU AI Act compliance assistance, including but not limited to:
- AI system inventory management
- Risk classification of AI systems
- Compliance document generation
- AI literacy training delivery and tracking
3. Duration of Processing
The Processor shall process Personal Data for the duration of the service agreement between the Controller and the Processor. Upon termination of the service agreement, the Processor shall delete or return all Personal Data in accordance with Section 11 of this DPA.
4. Obligations of the Processor (AktAI)
The Processor shall:
- Process on documented instructions only. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Processor is subject.
- Ensure confidentiality. Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement security measures. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 8 of this DPA.
- Assist with data subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR.
- Delete or return data upon termination. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
- Make information available for audits. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
5. Obligations of the Controller
The Controller shall:
- Ensure that there is a lawful basis for the processing of Personal Data in accordance with Articles 6 and, where applicable, Article 9 of the GDPR.
- Inform Data Subjects about the processing of their Personal Data in accordance with Articles 13 and 14 of the GDPR.
- Maintain a record of processing activities as required under Article 30 of the GDPR.
- Provide documented processing instructions to the Processor and ensure that the processing is carried out in accordance with applicable data protection laws.
6. Sub-processors
The Controller provides general authorization for the Processor to engage the following Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes.
| Sub-processor | Service | Location | Purpose |
|---|---|---|---|
| Supabase Inc. | Database & Auth | USA | Data storage and user authentication |
| Anthropic PBC | Claude API | USA | AI text generation for compliance documents |
| OpenAI Inc. | Embeddings API | USA | Text embeddings for regulatory search |
| Resend Inc. | Email Service | USA | Transactional email delivery |
| Vercel Inc. | Hosting & CDN | USA | Application hosting and content delivery |
| PostHog Inc. | Analytics | USA | Product analytics and usage insights |
| Stripe Inc. | Payments | USA | Payment processing and billing |
7. International Data Transfers
Where Personal Data is transferred from the European Economic Area (EEA) to countries outside the EEA that have not received an adequacy decision from the European Commission, the Processor ensures that appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs). The Processor has entered into Standard Contractual Clauses as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) with each Sub-processor located outside the EEA to provide adequate data protection safeguards for EU-to-US transfers.
- EU-US Data Privacy Framework. Where applicable, the Processor relies on Sub-processors that have been certified under the EU-US Data Privacy Framework as an additional transfer mechanism.
The Processor shall inform the Controller of any changes to the transfer mechanisms and shall ensure that any transfer of Personal Data complies with applicable data protection legislation.
8. Technical and Organizational Measures
The Processor implements and maintains the following technical and organizational security measures to protect Personal Data:
- Encryption at rest and in transit. All Personal Data is encrypted using industry-standard cryptography: TLS 1.2 or higher for data in transit and AES-256 for data at rest.
- Access controls. Role-based access controls ensure that only authorized personnel can access Personal Data. Administrative access requires multi-factor authentication.
- Row-Level Security (RLS) multi-tenancy. Data isolation between customers is enforced at the database level through PostgreSQL Row-Level Security policies, so that every query is filtered by the organization of the authenticated caller and each organization can read and modify only its own rows.
- Regular security reviews. The Processor conducts regular security assessments, including code reviews, dependency audits, and vulnerability scanning.
- Incident response procedures. The Processor maintains documented incident response procedures to detect, respond to, and recover from security incidents in a timely manner.
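The following PostgreSQL snippet is an added illustration of the Row-Level Security multi-tenancy measure listed above; it is example code, not AktAI's schema or policy text. The table, role and setting names (ai_systems, app_user, app.current_org) and the two sample tenant records are assumptions constructed for the example. It also shows the two points a reviewer checks first: that the policy is FORCEd so the table owner does not bypass it, and that a missing tenant context yields no rows rather than all rows.

```sql
-- Added example, not part of the DPA or of AktAI's database.
-- Names (ai_systems, app_user, app.current_org) and sample rows are assumptions.

CREATE TABLE ai_systems (
    id          bigserial PRIMARY KEY,
    org_id      uuid NOT NULL,           -- tenant (the Controller's organization)
    name        text NOT NULL,
    description text
);

-- 1. A dedicated, non-owner role for application connections.
--    Superusers and table owners bypass RLS unless it is FORCEd, so the
--    application must never connect as either.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON ai_systems TO app_user;
GRANT USAGE, SELECT ON SEQUENCE ai_systems_id_seq TO app_user;

-- 2. Enable RLS and FORCE it so the policy also binds the owner.
ALTER TABLE ai_systems ENABLE ROW LEVEL SECURITY;
ALTER TABLE ai_systems FORCE ROW LEVEL SECURITY;

-- 3. Tenant context is a per-transaction setting the application sets after
--    authenticating the caller. current_setting(..., true) returns NULL when
--    the setting is absent, NULLIF guards the empty-string case, and a NULL
--    comparison never matches, so "no tenant set" means "no rows", not "all rows".
CREATE POLICY tenant_isolation ON ai_systems
    FOR ALL
    TO app_user
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Constructed sample data for two tenants, inserted as the owner before
-- switching to the application role.
INSERT INTO ai_systems (org_id, name, description) VALUES
    ('11111111-1111-1111-1111-111111111111', 'CV screening model', 'candidate ranking'),
    ('22222222-2222-2222-2222-222222222222', 'Support chatbot',    'customer FAQ');

-- Check, run as the application role with tenant 1111... selected:
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';

-- Only tenant 1111...'s rows are visible; the policy is applied before any
-- user-supplied WHERE clause, so filtering for another org_id cannot escape it.
SELECT id, name FROM ai_systems;
SELECT count(*) FROM ai_systems
 WHERE org_id = '22222222-2222-2222-2222-222222222222';

-- Writing a row for another tenant is rejected by the WITH CHECK clause.
INSERT INTO ai_systems (org_id, name)
VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled row');
ROLLBACK;
```

Two operational caveats follow from this design. First, the isolation guarantee only holds for connections that are subject to the policy: a superuser connection, or a Supabase service_role key (which bypasses RLS by design), sees every tenant's rows, so such credentials belong in backend jobs with their own controls, never in request-handling code. Second, the tenant setting must be established from the authenticated identity on the server side and never derived from a client-supplied value, otherwise the policy faithfully isolates whichever tenant the attacker names.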
9. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller within 72 hours. The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting the Controller's Personal Data.
- Provide required information. The notification shall include: (a) the nature of the personal data breach, including where possible the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) the contact details of the Processor's data protection point of contact.
- Document the breach. The Processor shall document all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken, and make this documentation available to the Controller upon request.
10. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under the GDPR, including:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to object (Article 21 GDPR)
The Processor shall promptly inform the Controller if it receives a request from a Data Subject to exercise any of the above rights, and shall not respond to such a request without the Controller's prior written authorization, unless required to do so by applicable law.
11. Data Deletion and Return
Upon termination of the service agreement:
- Data export. The Controller may request an export of all Personal Data in a commonly used, machine-readable format within 30 days of termination.
- Data deletion. The Processor shall delete all Personal Data within 90 days of termination, unless retention is required by Union or Member State law.
- Certification of deletion. Upon request, the Processor shall provide the Controller with written certification that all Personal Data has been deleted.
12. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA, subject to the following conditions:
- Annual audit right. The Controller may conduct or commission an audit of the Processor's data processing activities up to once per calendar year.
- 30-day advance notice. The Controller shall provide the Processor with at least 30 days' written notice of any planned audit.
- Reasonable scope. Audits shall be conducted during normal business hours, shall not unreasonably interfere with the Processor's operations, and shall be limited in scope to matters directly relevant to this DPA.
13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the main Terms of Service between the Controller and the Processor. Nothing in this DPA shall limit either party's liability for breaches of its obligations under applicable data protection laws where such limitation is not permitted.
14. Term and Termination
This DPA shall commence on the date the Controller begins using the AktAI platform and shall remain in effect for the duration of the main service agreement between the Controller and the Processor. This DPA shall automatically terminate upon termination of the main service agreement, subject to the Processor's obligations regarding data deletion and return as described in Section 11.
15. Contact
For questions regarding this Data Processing Agreement or to exercise any rights described herein, please contact us at:
support@aktai.eu