EN
Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) is entered into by and between the Customer (as defined in the Main Agreement) ("Controller") and ContemplatorAI ("Processor"). This DPA is incorporated into and forms part of the main agreement governing the use of the ConbaseAI services ("Main Agreement").
1. Definitions
- "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data, including but not limited to the GDPR, UK GDPR, and CCPA.
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" shall have the meanings ascribed to them in the GDPR.
- "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Services" means the data processing and automation services provided by Processor through its ConbaseAI platform as described in the Main Agreement.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
2. Roles and Responsibilities
2.1. The parties agree that for the purposes of this DPA, the Customer is the Controller and ContemplatorAI is the Processor of Personal Data.
2.2. The Processor shall only process Personal Data on behalf of and in accordance with the Controller’s documented instructions. The Main Agreement and this DPA constitute the Controller's initial instructions.
2.3. The details of the processing activities are set out in Annex I of this DPA.
3. Processor's Obligations
3.1. Confidentiality: The Processor shall ensure that its personnel authorized to process Personal Data are subject to a duty of confidentiality.
3.2. Security: The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction.
3.3. Sub-processing:
a. The Controller provides a general authorization for the Processor to engage Sub-processors. The Processor shall maintain an up-to-date list of its Sub-processors, as set out in Annex II.
b. The Processor shall notify the Controller of any intended changes concerning Sub-processors, giving the Controller an opportunity to object.
c. Where the Processor engages a Sub-processor, it shall do so by way of a written contract that imposes data protection obligations no less protective than those in this DPA.
3.4. Data Subject Rights: The Processor shall provide reasonable assistance to the Controller to enable the Controller to respond to Data Subject requests under Applicable Data Protection Laws.
3.5. Personal Data Breach: The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach and provide reasonable assistance to the Controller.
3.6. Data Protection Impact Assessments: The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities.
3.7. Deletion or Return of Data: Upon termination of the Main Agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data.
3.8. Audits: The Processor shall make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or their mandated auditor.
4. Special Clause: Customer's Use of Third-Party AI Providers ("Bring Your Own Key" Model)
4.1. If the Controller configures the Services to use its own API key for a third-party AI provider ("Customer-Designated Provider"):
a. Processor's Role: ContemplatorAI's role is limited to acting as a technical intermediary. The obligations in this DPA apply to Personal Data while it is in the Processor's possession.
b. Controller's Direct Relationship: The processing of Personal Data by the Customer-Designated Provider is governed by the agreement between the Controller and that Provider. The Controller is responsible for having a compliant DPA in place with its chosen provider.
5. International Transfers
5.1. The Processor shall not transfer Personal Data outside of the European Economic Area (EEA), Switzerland, or the UK to a country not deemed adequate by the European Commission ("Third Country"), unless it has put in place appropriate safeguards.
5.2. The Controller acknowledges that Sub-processors may be in a Third Country (e.g., the United States). The Processor will ensure that such transfers are protected by safeguards such as the EU-U.S. Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs).
6. Term
This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller under the Main Agreement.
Annex I: Details of Processing
- Subject Matter: To provide the ConbaseAI Services as defined in the Main Agreement.
- Duration: For the term of the Main Agreement.
- Nature and Purpose: To enable the Controller to upload, manage, transform, and enrich data using AI-powered tools as initiated by the Controller.
- Types of Personal Data: Personal Data submitted by the Controller, which may include product information, customer-provided content, and contact information of the Controller's authorized users.
- Categories of Data Subjects: The Controller’s customers, end-users, employees, agents, and contractors.
Annex II: List of Sub-processors
| Sub-processor Name | Service Provided | Location |
|---|---|---|
| OpenAI, Inc. | AI Model and Data Processing Services | United States |
| Supabase, Inc. | Backend Infrastructure and Database | United States |
| Replit, Inc. | Application Hosting | United States |
