This Data Processing Agreement ("DPA") forms part of the Cloud Services Agreement General Terms ("Principal Agreement") between [COMPANY NAME] (the "Company" or "Customer") and Auctor AI Inc. (the "Processor" or "Auctor") (together as the "Parties").
If there is a conflict between this DPA and the Principal Agreement, this DPA shall prevail.
WHEREAS
(A) The Company may act as a controller of Personal Data or as a processor on behalf of its End Customers.
(B) The Company wishes to engage the Processor to process Personal Data in connection with the Principal Agreement.
(C) This DPA sets forth the parties' data protection obligations under applicable law.
(D) When the Company acts as a controller, the Processor acts as a processor. When the Company acts as a processor, the Processor acts as a subprocessor.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1. "Agreement" or "DPA" means this Data Processing Agreement and all Annexes;
1.1.2. "Company Personal Data" means that portion of Customer Data (as defined in the Principal Agreement) that constitutes Personal Data under applicable Data Protection Laws;
1.1.3. "Company" and "Customer" shall have the same meaning and may be used interchangeably in this DPA and the Principal Agreement. Similarly, "Processor" and "Auctor" shall have the same meaning.
1.1.4. "Data Protection Laws" means all applicable laws relating to Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including European Data Protection Laws and US Data Protection Laws;
1.1.5. "EEA" means the European Economic Area;
1.1.6. "EU Personal Data" means Personal Data to which data protection legislation of the European Union, or of a Member State of the European Union or EEA, applies;
1.1.7. "European Data Protection Laws" means the GDPR, UK Data Protection Act 2018, the UK GDPR, ePrivacy Directive 2002/58/EC, FADP, and any associated or additional legislation in force in the EU, EEA, Member States of the European Union, Switzerland, and the United Kingdom as amended, replaced or superseded from time to time;
1.1.8. "FADP" means the Swiss Federal Act on Data Protection and its Ordinances, as amended from time to time;
1.1.9. "FDPIC" means the Swiss Federal Data Protection and Information Commissioner;
1.1.10. "GDPR" means General Data Protection Regulation (EU) 2016/679;
1.1.11. "UK GDPR" means General Data Protection Regulation (EU) 2016/679 as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);
1.1.12. "US Data Protection Laws" means data privacy, data protection, and cybersecurity laws of the United States applicable to the Processing of Personal Data under the Principal Agreement, including the California Consumer Privacy Act (as amended, the "CCPA"), and similar state privacy laws;
1.1.13. "Protected Area" means (a) for EU Personal Data, the European Union and the EEA and any country for which an adequacy decision under GDPR applies; or (b) for UK Personal Data, the United Kingdom and any country for which an adequacy decision applies; or (c) for Swiss Personal Data, any country which is recognized as adequate by the FDPIC or the Swiss Federal Council;
1.1.14. "Personal Data" means any information provided by Company to Processor that is protected as "personal data," "personal information," "personally identifiable information," or similar terms defined in Data Protection Laws;
1.1.15. "Services" or "Cloud Service" means the AI-enabled platform for systems integration support that the Processor provides pursuant to the Principal Agreement, including AI Systems that capture and structure requirements, auto-generate implementation artifacts, maintain document synchronization, and integrate with Company's existing tools;
1.1.16. "Subprocessor" means any person appointed by or on behalf of Processor to Process Personal Data on behalf of the Company in connection with this DPA.
1.1.17. "Standard Contractual Clauses" means:
1.1.17.1. in respect of UK Personal Data, the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 ("UK Standard Contractual Clauses");
1.1.17.2. in respect of EU Personal Data, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 ("EU Standard Contractual Clauses"), as follows: (a) where Company acts as a controller with respect to the transferred Personal Data, Module 2 (Controller to Processor) shall apply; (b) where Company acts as a processor on behalf of an End Customer (as controller) with respect to the transferred Personal Data, Module 3 (Processor to Processor) shall apply; (c) no optional clauses are included;
1.1.17.3. in respect of Swiss Personal Data, the EU Standard Contractual Clauses with the necessary adaptations and amendments for the purposes of the FADP as required by the FDPIC in its Statement of 27 August 2021;
1.1.18. "Swiss Personal Data" means Personal Data to which the FADP applies;
1.1.19. "UK Personal Data" means Personal Data to which the laws of the United Kingdom apply.
1.2. The following terms have the meanings given in Section 1 of the Principal Agreement: "Aggregated Data," "AI Systems," "Authorized Users," "End Customer," "Outputs," and "Usage Data."
1.3. The terms "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR and UK GDPR, and their cognate terms shall be construed accordingly with other Data Protection Laws.
1.4. The terms "sell," "sale," "share," "sharing," and "Service Provider" shall have the same meanings as in the CCPA.
2. Processing of Company Personal Data
2.1. The Company shall:
2.1.1. ensure that any and all information or data, including without limitation Company Personal Data, is collected, processed, transferred and used in full compliance with Data Protection Laws;
2.1.2. be responsible for obtaining all necessary authorizations and consents from Data Subjects to Process Company Personal Data according to applicable law;
2.1.3. instruct the Processor to process Company Personal Data to provide the Services;
2.1.4. acknowledge that the Services incorporate AI Systems and that Company Personal Data will be processed through such AI Systems to provide the Services and generate Outputs;
2.1.5. agree that: (a) Processor shall not use Company Personal Data in identifiable form to train, fine-tune, or develop AI models, whether for Company's use or otherwise; and (b) Processor's use of Aggregated Data and Usage Data shall be limited to the purposes set forth in Section 2.7 of this DPA;
2.1.6. acknowledge and agree that: (a) when Company acts as a controller, the Processor acts as a processor; and (b) when Company acts as a processor for an End Customer (as controller), the Processor acts as a Subprocessor. In the latter case, Company shall ensure that it has obtained all necessary authorizations from the End Customer to engage Subprocessors and that appropriate data processing terms are in place with the End Customer;
2.1.7. acknowledge that Processor may Process Company Personal Data relating to the operation, support, or use of the Services for its own internal business purposes, such as billing, account management, data analysis, benchmarking, technical support, and compliance with law;
2.1.8. notify Processor without undue delay if it makes a determination that the processing of Personal Data under the Agreement does not or will not comply with Data Protection Laws, in which case, Processor shall not be required to continue processing such Personal Data.
2.2. Processor shall:
2.2.1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
2.2.2. Process Company Personal Data only on Company's documented instructions. If legally required to process otherwise, Processor will inform Company before Processing, unless prohibited by law;
2.2.3. not directly or indirectly sell or share any Personal Data.
2.3. Annex I.A sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects. The obligations and rights of the Company are as set out in this DPA.
2.4. With respect to Personal Data subject to US Data Protection Laws: (a) Processor is a "Service Provider" as defined in the CCPA and processes Personal Data for the business purposes described in Annex I.A; (b) Processor will not sell or share Personal Data; (c) Processor will not retain, use, or disclose Personal Data except to perform the Services or as permitted by law; (d) Processor will not combine Personal Data from Company with data from other sources, except as permitted by law; and (e) Processor certifies that it understands and will comply with applicable Service Provider obligations.
2.5. If Company believes Processor has used Personal Data in an unauthorized manner, Company may, upon written notice: (a) exercise audit rights under Section 8; (b) request deletion or return of Personal Data; or (c) terminate the Principal Agreement in accordance with its terms.
2.6. When Company permits End Customer personnel to access the Services, Company will have a written agreement with the End Customer containing data protection terms that enable Company to comply with this DPA.
2.7. Processor may create and use Aggregated Data (i) for product analytics, such as usage data, to understand what materials and artifacts are uploaded into the Cloud Service, and for chat traces; and (ii) to ensure Cloud Service uptime and functionality. Processor may collect and use Usage Data to provide and improve the Cloud Service. Aggregated Data and Usage Data belong to Processor. For the avoidance of doubt, Aggregated Data excludes Customer Confidential Information.
3. Processor Personnel & Confidentiality
3.1. Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2. Processor will take reasonable steps to ensure the reliability of personnel who have access to Company Personal Data and ensure that such individuals are subject to confidentiality obligations consistent with and no less protective than Section 5 of the Principal Agreement.
4. Security
4.1. Processor will implement appropriate technical and organizational security measures; such measures are described at Annex II.
5. Subprocessing
5.1. The Company authorizes Processor to engage the Subprocessors in Annex III.
5.2. Processor shall enter into a written contract with any Subprocessor imposing equivalent data protection obligations as those in this Agreement. Where a Subprocessor fails to fulfill its data protection obligations, Processor shall remain fully liable to the Company for the Subprocessor's performance.
5.3. Processor may update the list of Subprocessors from time to time as applicable, providing the Company with notice of such update (and an opportunity to object) at least fourteen (14) days in advance of such updates.
5.4. Company may object to the change in Subprocessors. If the Company objects to a Subprocessor, the Company must notify Processor in writing within seven (7) days. Processor will use reasonable efforts to address the objection by (a) canceling plans to use that Subprocessor or offering an alternative; or (b) taking corrective steps. If the objection is not addressed within thirty (30) days of Company's objection, Company may terminate the affected Service.
5.5. To the extent the Services incorporate third-party artificial intelligence models, services, or components that process Company Personal Data, Processor will ensure that any such third-party providers are engaged as Subprocessors in accordance with this Section 5 and are bound by data protection obligations consistent with this DPA.
6. Data Subject Rights and Cooperation
6.1. Taking into account the nature of the Processing, Processor will provide reasonable assistance to Company to respond to Data Subject requests to exercise rights under applicable Data Protection Laws.
6.2. Processor shall:
6.2.1. notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2. ensure that it does not respond to that request except on the documented instructions of Company or as required by applicable laws to which the Processor is subject.
6.3. Where required by Data Protection Laws, Processor shall provide reasonably requested information to enable Company to conduct data protection impact assessments or consult with data protection authorities, taking into account the nature of processing and information available to Processor.
6.4. For assistance beyond the scope of the Processor's obligations under applicable law, Processor may charge a reasonable fee.
6.5. With respect to Personal Data subject to US Data Protection Laws, Processor shall assist Company in responding to verifiable consumer requests to exercise rights under such laws, including rights to know, delete, correct, opt-out, and limit use of sensitive personal information. Processor shall notify Company promptly upon receiving any such request directly from a consumer.
7. Personal Data Breach
7.1. Processor will notify Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data and provide Company with sufficient information to meet its obligations to report to Supervisory Authorities, Data Subjects, or End Customers.
7.2. Processor shall cooperate with the Company and take reasonable steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
7.3. For the avoidance of doubt, Processor's indemnification obligations with respect to Personal Data Breaches caused by Processor's breach of this DPA are set forth in Section 11.1 of the Principal Agreement.
8. Audits
8.1. The Processor shall make available to the Company, upon reasonable written request no more than once per calendar year, information reasonably necessary to demonstrate compliance with this Agreement, including evidence of SOC 2 Type 2 certification. Subject to confidentiality and security requirements and prior written notice (at least thirty (30) days in advance), the Processor shall, at the cost of the Company and no more than once per calendar year, allow for and contribute to audits, including inspections by the Company or a mutually agreed third-party auditor during normal business hours, in order to assess compliance with this Agreement. Where permitted by Data Protection Laws, Processor may instead make available to Company a summary of the results of a third-party audit or certification reports relevant to Processor's compliance with this DPA. Processor shall not be required to give Company access to information or systems to the extent doing so would cause Processor to be in violation of confidentiality obligations owed to other customers or its legal obligations.
9. Deletion or Return of Company Personal Data
9.1. At the end of the Services, the Company may, within sixty (60) days following termination or expiration of the Principal Agreement, request in writing that Processor securely return Company Personal Data or delete all copies. After such sixty (60) day period, Processor may delete Company Personal Data in its possession, except that Processor may retain data: (a) as required by applicable law; (b) to resolve disputes; or (c) in anonymized or aggregated form.
10. Data Center Location and Transfers Outside of the Protected Area
10.1. Transfers. The Company acknowledges that the Processor will Process the Company Personal Data outside of the Protected Area including in the US and elsewhere as identified in Annex III to provide the Services. Company agrees to authorize the transfers to these countries.
10.2. Standard Contractual Clauses. The Parties agree to comply with the Standard Contractual Clauses, with Company as the "data exporter" and Processor as "data importer". Annexes I to III to this DPA serve as the annexes/appendices to the Standard Contractual Clauses.
10.3. In relation to the EU Standard Contractual Clauses, the Parties agree that:
10.3.1. for the purposes of clause 9, option 2 (general written authorization for subprocessors) shall apply and the Parties agree that the time period for notifying changes to the list shall be in accordance with Section 5.3 of this DPA;
10.3.2. for the purposes of clause 17, the clauses shall be governed by the laws of Ireland;
10.3.3. for the purposes of clause 18, the courts of Ireland shall have jurisdiction; and
10.3.4. for the purposes of clause 13 and Annex I.C, the competent supervisory authority shall be determined in accordance with the GDPR, based on the data exporter's establishment or representative within the EEA.
10.4. For purposes of the EU Standard Contractual Clauses: (a) Module 2 (Controller to Processor) applies where Company is the controller of the transferred Personal Data; (b) Module 3 (Processor to Processor) applies where Company is a processor acting on behalf of an End Customer; (c) the applicable module shall be determined based on Company's role with respect to the specific Personal Data being transferred; (d) for the purposes of Module 3, Clause 9 Option 2 (general written authorization) applies.
10.5. In relation to the UK Standard Contractual Clauses, the Parties agree to change the format of the information set out in Part 1 of the Addendum so that:
10.5.1. the details of the parties in table 1 shall be as set out in Annex I (with no requirement for signature);
10.5.2. for the purposes of table 2, the Addendum shall be appended to the EU Standard Contractual Clauses as defined above; and
10.5.3. the appendix information listed in table 3 is set out in Annexes I to III.
10.6. For Swiss Personal Data transferred outside of the Protected Area, the EU Standard Contractual Clauses shall apply with the following amendments:
10.6.1. references to the GDPR shall be interpreted as references to the FADP;
10.6.2. references to the EU and EU Member States shall be interpreted to mean Switzerland;
10.6.3. the competent supervisory authority under Clause 13(a) and Annex I, Part C is the FDPIC insofar as the transfers are governed by the FADP;
10.6.4. data subjects in Switzerland shall not be excluded from suing in their place of habitual residence under Clause 18(c).
10.7. In the event of any conflict between this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
10.8. If an adequacy decision or transfer mechanism relied upon by Company is invalidated or suspended by a court or supervisory authority, the Parties shall implement an appropriate alternative transfer solution.
11. General Terms
11.1. Notices. All notices under this Agreement must be provided in accordance with the requirements stipulated in the Principal Agreement.
11.2. Governing Law and Jurisdiction. This DPA is governed by the laws and choice of jurisdiction stipulated in the Principal Agreement.
11.3. Limitation of Liability. Processor's liability arising out of or relating to this DPA, including any Personal Data Breach, breach of Data Protection Laws, or breach of this DPA, is subject to the limitations of liability set forth in Section 12 of the Principal Agreement, including the Data Incident Liability cap set forth in Section 12.4 thereof.
11.4. This DPA is incorporated by reference into and forms part of the Principal Agreement. By executing the Principal Agreement, Customer accepts and agrees to this DPA.
ANNEX I
A. Processing Activities
Subject matter of the processing: The Processor will process Company Personal Data to provide AI-powered software implementation and delivery services.
Nature and purpose of the processing: Processing consists of: (i) processing Company inputs to structure requirements; (ii) generating implementation artifacts; (iii) maintaining document sync throughout the delivery lifecycle; and (iv) providing supporting operations needed to deliver the Services.
Duration: For the duration of the Principal Agreement.
Categories of data subjects: Company's personnel; Authorized Users; End Customers; End Customer personnel; and other data subjects whose Personal Data is submitted to or collected by the Services.
Categories of personal data processed: Personal details and contact information including name, address, email address, title, position, contact information, social profile information, IP address, unique user IDs and marketing profiles. Documents and Content: Documents, images, and content uploaded to the Services in electronic form which may contain any type of Personal Data.
Sensitive categories of personal data processed (if applicable): N/A
B. List of Parties
The data exporter shall be: the Company at the following address: [COMPANY ADDRESS]; the contact person for the Company shall be: [REPRESENTATIVE NAME]; the role of the exporter is controller (where Module 2 applies) or processor (where Module 3 applies).
The data importer shall be: the Processor at the following address: 426 W 14th St., Floor 2, New York, NY 10014; the contact person for the Processor shall be: founders@getauctor.com; the role of the importer is processor (where Module 2 applies) or subprocessor (where Module 3 applies).
C. Description of Transfer
Categories of data subjects whose personal data is transferred: See 'A. Processing Activities' above.
Categories of personal data transferred: See 'A. Processing Activities' above.
Sensitive data transferred (if applicable): N/A
Frequency of transfer: On a continuous basis.
Nature of the processing / processing operations: See 'A. Processing Activities' above.
Purpose(s) of the data transfer and further processing: See 'A. Processing Activities' above.
Period for which the personal data will be retained: See 'A. Processing Activities' above.
ANNEX II
Technical and Organizational Security Measures
The Processor maintains SOC 2 Type 2 certification. Processor's Technical and Organizational Measures documentation is available at https://compliance.getauctor.com/documents and is incorporated herein by reference.
ANNEX III
Subprocessors
Processor's current Subprocessor list is available at https://compliance.getauctor.com/subprocessors and is incorporated herein by reference.