This Data Processing Agreement (“DPA”) forms part of the Cloud Services Agreement General Terms (“Principal Agreement”) between [COMPANY NAME] (the “Company” or “Customer”) and Auctor AI Inc. (the “Processor” or “Auctor”) (together as the “Parties”).
If there is a conflict between this DPA and the Principal Agreement, this DPA shall prevail.
WHEREAS
(A) The Company may act as a controller of Personal Data or as a processor on behalf of its End Customers.
(B) The Company wishes to engage the Processor to process Personal Data in connection with the Principal Agreement.
(C) This DPA sets forth the parties’ data protection obligations under applicable law.
(D) When the Company acts as a controller, the Processor acts as a processor. When the Company acts as a processor, the Processor acts as a subprocessor.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1. “Agreement” or “DPA” means this Data Processing Agreement and all Annexes;
1.1.2. “Company Personal Data” means that portion of Customer Data (as defined in the Principal Agreement) that constitutes Personal Data under applicable Data Protection Laws;
1.1.3. “Company” and “Customer” shall have the same meaning and may be used interchangeably in this DPA and the Principal Agreement. Similarly, “Processor” and “Auctor” shall have the same meaning.
1.1.4. “Data Protection Laws” means all applicable laws relating to Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including European Data Protection Laws and US Data Protection Laws;
1.1.5. “EEA” means the European Economic Area;
1.1.6. “EU Personal Data” means Personal Data to which data protection legislation of the European Union, or of a Member State of the European Union or EEA, applies;
1.1.7. “European Data Protection Laws” means the GDPR, UK Data Protection Act 2018, the UK GDPR, ePrivacy Directive 2002/58/EC, FADP, and any associated or additional legislation in force in the EU, EEA, Member States of the European Union, Switzerland, and the United Kingdom as amended, replaced or superseded from time to time;
1.1.8. “FADP” means the Swiss Federal Act on Data Protection and its Ordinances, as amended from time to time;
1.1.9. “FDPIC” means the Swiss Federal Data Protection and Information Commissioner;
1.1.10. “GDPR” means General Data Protection Regulation EU2016/679;
1.1.11. “UK GDPR” means General Data Protection Regulation (EU) 2016/679 as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);
1.1.12. “US Data Protection Laws” means data privacy, data protection, and cybersecurity laws of the United States applicable to the Processing of Personal Data under the Principal Agreement, including the California Consumer Privacy Act (as amended, the “CCPA”), and similar state privacy laws;
1.1.13. “Protected Area” means (a) for EU Personal Data, the European Union and the EEA and any country for which an adequacy decision under GDPR applies; or (b) for UK Personal Data, the United Kingdom and any country for which an adequacy decision applies; or (c) for Swiss Personal Data, any country which is recognized as adequate by the FDPIC or the Swiss Federal Council;
1.1.14. “Personal Data” means any information provided by Company to Processor that is protected as “personal data,” “personal information,” “personally identifiable information,” or similar terms defined in Data Protection Laws;
1.1.15. “Services” or “Cloud Service” means the AI-enabled platform for systems integration support the Processor provides pursuant to the Principal Agreement, including AI Systems that capture and structure requirements, auto-generate implementation artifacts, maintain document synchronization, and integrate with Company’s existing tools;
1.1.16. “Subprocessor” means any person appointed by or on behalf of Processor to Process Personal Data on behalf of the Company in connection with this DPA.
1.1.17. “Standard Contractual Clauses” means:
1.1.17.1. in respect of UK Personal Data, the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 (“UK Standard Contractual Clauses”);
1.1.17.2. in respect of EU Personal Data, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 (“EU Standard Contractual Clauses”), as follows:
(a) where Company acts as a controller with respect to the transferred Personal Data, Module 2 (Controller to Processor) shall apply;
(b) where Company acts as a processor on behalf of an End Customer (as controller) with respect to the transferred Personal Data, Module 3 (Processor to Processor) shall apply;
(c) no optional clauses are included;
1.1.17.3. in respect of Swiss Personal Data, the EU Standard Contractual Clauses with the necessary adaptations and amendments for the purposes of the FADP as required by the FDPIC in its Statement of 27 August 2021;
1.1.18. “Swiss Personal Data” means Personal Data to which the FADP applies;
1.1.19. “UK Personal Data” means Personal Data to which the laws of the United Kingdom apply;
1.1.20. The following terms have the meanings given in Section 1 of the Principal Agreement: “Aggregated Data,” “AI Systems,” “Authorized Users,” “End Customer,” “Outputs,” “Third-Party AI Components,” and “Usage Data.”
1.2. The terms, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR and UK GDPR, and their cognate terms shall be construed accordingly with other Data Protection Laws. For example, Data Subject shall include such analogous terms as Consumer under US Data Protection Laws.
1.3. The terms “sell,” “sale,” “share,” “sharing,” and “Service Provider” shall have the same meanings as in the CCPA.
2. Processing of Company Personal Data
2.1. The Company shall:
2.1.1. ensure that any and all information or data, including without limitation Company Personal Data, is collected, processed, transferred and used in full compliance with Data Protection Laws;
2.1.2. be responsible for obtaining all necessary authorizations and consents from Data Subjects to Process Company Personal Data. Where Company acts as a processor on behalf of an End Customer, Company shall ensure through a written agreement that the End Customer has assumed this responsibility. Required consents include those for: (a) collection, processing, and transmission of data through AI Systems; (b) applicable cookie or electronic communications requirements; and (c) applicable federal or state recording laws, including laws governing the interception, recording, or monitoring of communications;
2.1.3. instruct the Processor to process Company Personal Data to provide the Services;
2.1.4. acknowledge that the Services incorporate AI Systems and that Company Personal Data will be processed through such AI Systems to provide the Services and generate Outputs;
2.1.5. agree that: (a) Processor may use Company Personal Data to customize or optimize AI models for Company’s use in connection with the Services; (b) Processor may use Usage Data and Aggregated Data to develop or improve the Services; and (c) Company Personal Data in identifiable form will not be used to train AI models for other customers;
2.1.6. acknowledge and agree that: (a) when Company acts as a controller, the Processor acts as a processor; and (b) when Company acts as a processor for an End Customer (as controller), the Processor acts as a Subprocessor. In the latter case, Company shall ensure that it has obtained all necessary authorizations from the End Customer to engage Subprocessors and that appropriate data processing terms are in place with the End Customer;
2.1.7. acknowledge that Processor may Process Company Personal Data relating to the operation, support, or use of the Services for its own internal business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law;
2.1.8. notify Processor without undue delay if it makes a determination that the processing of Personal Data under the Agreement does not or will not comply with Data Protection Laws, in which case, Processor shall not be required to continue processing such Personal Data.
2.2. Processor shall:
2.2.1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
2.2.2. Process Company Personal Data only on Company’s documented instructions. If legally required to process otherwise, Processor will inform Company before Processing, unless prohibited by law; and
2.2.3. not directly or indirectly sell or share any Personal Data.
2.3. Annex I.A sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects. The obligations and rights of the Company are as set out in this DPA.
2.4. With respect to Personal Data subject to US Data Protection Laws: (a) Processor is a “Service Provider” as defined in the CCPA and processes Personal Data for the business purposes described in Annex I.A; (b) Processor will not sell or share Personal Data; (c) Processor will not retain, use, or disclose Personal Data except to perform the Services or as permitted by law; (d) Processor will not combine Personal Data from Company with data from other sources, except as permitted by law; and (e) Processor certifies that it understands and will comply with applicable Service Provider obligations.
2.5. If Company believes Processor has used Personal Data in an unauthorized manner, Company may, upon written notice: (a) exercise audit rights under Section 8; (b) request deletion or return of Personal Data; or (c) terminate the Principal Agreement in accordance with its terms.
2.6. When Company permits End Customer personnel to access the Services, Company will have a written agreement with the End Customer containing data protection terms that enable Company to comply with this DPA.
2.7. Processor may create and use Aggregated Data to develop and improve the Services. Processor may collect and use Usage Data to provide and improve the Cloud Service. Aggregated Data and Usage Data belongs to Processor.
3. Processor Personnel & Confidentiality
3.1. Processor will take reasonable steps to ensure the reliability of personnel who have access to Company Personal Data and ensure that such individuals are subject to confidentiality obligations consistent with and no less protective than Section 6 of the Principal Agreement.
4. Security
4.1. Processor will implement appropriate technical and organizational security measures; such measures are described at Annex II.
5. Subprocessing
5.1. The Company authorizes Processor to engage the Subprocessors in Annex III.
5.2. Processor shall enter into a written contract with any Subprocessor imposing equivalent data protection obligations as those in this Agreement. Where a Subprocessor fails to fulfill its data protection obligations, Processor shall remain fully liable to the Company for the Subprocessor’s performance.
5.3. Processor may update the list of Subprocessors from time to time as applicable, providing the Company with notice of such update (and an opportunity to object) at least fourteen (14) days in advance of such updates.
5.4. Company may object to the change in Subprocessors. If the Company objects to a Subprocessor, the Company must notify Processor in writing within seven (7) days. Processor will use reasonable efforts to address the objection by (a) canceling plans to use that Subprocessor or offering an alternative; or (b) taking corrective steps. If the objection is not addressed within thirty (30) days of Company’s objection, Company may terminate the affected Service.
5.5. The Services may incorporate Third-Party AI Components. Processor will ensure that providers of Third-Party AI Components processing Company Personal Data are bound by data protection obligations consistent with this DPA.
6. Data Subject Rights and Cooperation
6.1. Taking into account the nature of the Processing, Processor will provide reasonable assistance to Company to respond to Data Subject requests to exercise rights under applicable Data Protection Laws.
6.2. Processor shall:
6.2.1. notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2. ensure that it does not respond to that request except on the documented instructions of Company or as required by applicable laws to which the Processor is subject.
6.3. Where required by Data Protection Laws, Processor shall provide reasonably requested information to enable Company to conduct data protection impact assessments or consult with data protection authorities, taking into account the nature of processing and information available to Processor.
6.4. For assistance beyond what is included in the Services, Processor may charge a reasonable fee.
6.5. With respect to Personal Data subject to US Data Protection Laws, Processor shall assist Company in responding to verifiable consumer requests to exercise rights under such laws, including rights to know, delete, correct, opt-out, and limit use of sensitive personal information. Processor shall notify Company promptly upon receiving any such request directly from a consumer.
7. Personal Data Breach
7.1. Processor will notify Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data and provide Company with sufficient information to meet its obligations to report to Supervisory Authorities, Data Subjects, or End Customers.
7.2. Processor shall cooperate with the Company and take reasonable steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Audits
8.1. The Processor shall make available to the Company, upon reasonable written request no more than once per calendar year, information reasonably necessary to demonstrate compliance with this Agreement, including evidence of SOC 2 Type 2 certification. Subject to confidentiality and security requirements and prior written notice (at least thirty (30) days in advance), the Processor shall, at the cost of the Company and no more than once per calendar year, allow for and contribute to audits, including inspections by the Company or a mutually agreed third-party auditor during normal business hours, in order to assess compliance with this Agreement. Where permitted by Data Protection Laws, Processor may instead make available to Company a summary of the results of a third-party audit or certification reports relevant to Processor’s compliance with this DPA. Processor shall not be required to give Company access to information or systems to the extent doing so would cause Processor to be in violation of confidentiality obligations owed to other customers or its legal obligations.
9. Deletion or return of Company Personal Data
9.1. At the end of the Services, the Company may, within sixty (60) days following termination or expiration of the Principal Agreement, request in writing that Processor securely return Company Personal Data or delete all copies. After such sixty (60) day period, Processor may delete Company Personal Data in its possession, except that Processor may retain data: (a) as required by applicable law; (b) to resolve disputes; or (c) in anonymized or aggregated form.
10. Data Center Location and Transfers Outside of the Protected Area
10.1. Transfers. The Company acknowledges that the Processor will Process the Company Personal Data outside of the Protected Area including in the US and elsewhere as identified in Annex III to provide the Services. Company agrees to authorize the transfers to these countries.
10.2. Standard Contractual Clauses. The Parties agree to comply with the Standard Contractual Clauses, with Company as the “data exporter” and Processor as “data importer”. Annexes I and II to this DPA serve as the annexes/appendices to the Standard Contractual Clauses.
10.3. In relation to the EU Standard Contractual Clauses, the Parties agree that:
10.3.1. for the purposes of clause 9, option 2 (general written authorization for subprocessors) shall apply and the Parties agree that the time period for notifying changes to the list shall be in accordance with Clause 5.3 above;
10.3.2. for the purposes of clause 17, the clauses shall be governed by the laws of Ireland;
10.3.3. for the purposes of clause 18, the courts of Ireland shall have jurisdiction; and
10.3.4. for the purposes of clause 13 and Annex I.C, the competent supervisory authority shall be determined in accordance with the GDPR, based on the data exporter’s establishment or representative within the EEA.
10.3.5. For purposes of the EU Standard Contractual Clauses:
(a) Module 2 (Controller to Processor) applies where Company is the controller of the transferred Personal Data. In this case, Company is the “data exporter” acting as controller, and Processor is the “data importer” acting as processor.
(b) Module 3 (Processor to Processor) applies where Company is a processor acting on behalf of an End Customer (as controller) with respect to the transferred Personal Data. In this case, Company is the “data exporter” acting as processor, and Processor is the “data importer” acting as subprocessor.
(c) The applicable module shall be determined based on Company’s role with respect to the specific Personal Data being transferred. Where Company processes Personal Data in both capacities, the appropriate module shall apply to each category of Personal Data according to Company’s role with respect to that data.
(d) For the purposes of Module 3, Clause 9 Option 2 (general written authorization) applies, and Company has authorized the use of subprocessors as set forth in Section 5 of this DPA.
10.4. In relation to the UK Standard Contractual Clauses, as permitted by clause 17 of such Addendum, the Parties agree to change the format of the information set out in Part 1 of the Addendum so that:
10.4.1. the details of the parties in table 1 shall be as set out in Annex I (with no requirement for signature);
10.4.2. for the purposes of table 2, the Addendum shall be appended to the EU Standard Contractual Clauses as defined above (including the selection of modules and options and the disapplication of optional clauses as noted in the definition above); and
10.4.3. the appendix information listed in table 3 is set out in Annex I and II.
10.5. For Swiss Personal Data transferred outside of the Protected Area, the EU Standard Contractual Clauses (as set out above) shall apply with the following amendments:
10.5.1. references to the GDPR shall be interpreted as references to the FADP;
10.5.2. references to the EU and EU Member States shall be interpreted to mean Switzerland;
10.5.3. the competent supervisory authority under Clause 13(a) and Annex I, Part C is the FDPIC insofar as the transfers are governed by the FADP;
10.5.4. data subjects in Switzerland shall not be excluded from suing in their place of habitual residence under Clause 18(c).
10.6. In the event of any conflict between this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
10.7. If an adequacy decision or transfer mechanism relied upon by Company is invalidated or suspended by a court or supervisory authority, the Parties shall implement an appropriate alternative transfer solution.
11. General Terms
11.1. Notices. All notices under this Agreement must be provided in accordance with the requirements stipulated in the Principal Agreement.
11.2. Governing Law and Jurisdiction. This DPA is governed by the laws and choice of jurisdiction stipulated in the Principal Agreement.
This DPA is incorporated by reference into and forms part of the Principal Agreement. By executing the Principal Agreement, Customer accepts and agrees to this DPA.
ANNEX I
A. Processing Activities:
Subject matter of the processing
The Processor will process Company Personal Data to provide AI-powered software implementation and delivery services. This includes operating agentic AI that captures and structures requirements from Company inputs, auto-generates key implementation artifacts (e.g., proposals, SOWs, user stories, BRDs, diagrams), keeps artifacts in sync as requirements evolve, and integrates with Company’s existing tools and historical documentation to accelerate discovery-to-delivery.
Nature and purpose of the processing
Processing consists of: (i) processing Company inputs to structure requirements; (ii) generating implementation artifacts; (iii) maintaining document sync throughout the delivery lifecycle; and (iv) providing supporting operations needed to deliver the Services. Processing also includes the creation and use of Aggregated Data and Usage Data.
Duration
For the duration of the Principal Agreement.
Categories of data subjects
The personal data processed relates to the following categories of data subjects:
Company’s personnel; Authorized Users; End Customers; End Customer personnel; and other data subjects whose Personal Data is submitted to or collected by the Services (including prospects, customers, and contractors of Company and End Customers).
Categories of personal data processed
The personal data processed comprises the following categories of data:
(As determined at the discretion of the Company):
Sensitive categories of personal data processed (if applicable)
The personal data transferred concern the following special categories of data:
N/A
B. List of Parties:
The data exporter shall be:
The data importer shall be:
C. Description of Transfer
Categories of data subjects whose personal data is transferred:
See ‘A. Processing Activities’ above
Categories of personal data transferred:
See ‘A. Processing Activities’ above
Sensitive data transferred (if applicable) and applied restrictions or safeguards:
N/A
If sensitive data are transferred, see Annex C, Part B for applicable restrictions and safeguards
Frequency of transfer (e.g. whether on a one-off or continuous basis) (EU Standard Contractual Clauses only):
On a continuous basis.
Nature of the processing/ processing operations:
See ‘A. Processing Activities’ above.
Purpose(s) of the data transfer and further processing (EU Standard Contractual Clauses only):
See ‘A. Processing Activities’ above.
Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period (EU Standard Contractual Clauses only):
See ‘A. Processing Activities’ above.
The subject matter, nature and duration of the processing (EU Standard Contractual Clauses only):
See ‘A. Processing Activities’ above.
ANNEX II
Technical and Organizational Security Measures
The Processor maintains SOC 2 Type 2 certification. Additional information about the Processor’s Technical and Organizational Security Measures is available upon request.
ANNEX III
Processor’s Subprocessor list is available upon request.