Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Adaptrix ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data by Adaptrix on behalf of the Customer.

1. Definitions

• 1.1"Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
• 1.2"Processing" means any operation performed on Personal Data as defined in GDPR Article 4(2).
• 1.3"Controller" means the Customer who determines the purposes and means of Processing.
• 1.4"Processor" means Adaptrix, which Processes Personal Data on behalf of the Controller.
• 1.5"Sub-processor" means any third party engaged by Adaptrix to Process Personal Data.
• 1.6"Data Subject" means the identified or identifiable natural person whose Personal Data is Processed.

2. Scope of Processing

2.1 Subject Matter

The Processor shall Process Personal Data on behalf of the Controller for the purpose of providing the Adaptrix AI-powered business intelligence platform and related services as described in the Terms of Service.

2.2 Duration

Processing shall continue for the duration of the subscription term plus any retention period required by law or as specified in Annex A.

2.3 Nature and Purpose

• Providing AI-powered analytics and query responses
• Generating insights and visualizations from Customer data
• Storing and securing data during the subscription term
• Providing technical support and service maintenance

2.4 Categories of Data Subjects

The Personal Data may relate to:

• •Customer's employees and contractors
• •Customer's end-customers and clients
• •Business contacts and partners

3. Controller Obligations

The Controller warrants and undertakes that:

• 3.1It has a lawful basis for Processing under GDPR Article 6 (and Article 9 where applicable).
• 3.2It has provided appropriate notice to Data Subjects regarding the Processing.
• 3.3It shall provide instructions that comply with applicable data protection laws.
• 3.4It is responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.

4. Processor Obligations

The Processor shall:

5. Sub-processing

5.1 Authorized Sub-processors

The Controller grants general authorization for the Processor to engage sub-processors listed in Annex C and at /sub-processors.

5.2 Changes to Sub-processors

The Processor shall provide 30 days' notice before adding or replacing sub-processors. The Controller may object to changes by providing reasonable grounds within the notice period.

5.3 Sub-processor Obligations

The Processor shall ensure sub-processors are bound by data protection obligations no less protective than those in this DPA.

6. Security Measures

The Processor implements comprehensive technical and organizational measures including:

Full details of technical and organizational measures are provided in Annex B.

7. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests including:

• Access (Article 15): Provide data copies within 10 business days
• Rectification (Article 16): Correct inaccurate data promptly
• Erasure (Article 17): Delete data within 30 days
• Restriction (Article 18): Restrict processing as requested
• Portability (Article 20): Export data in JSON/CSV format
• Object (Article 21): Cease processing upon valid objection

8. Data Breach Notification

Notification shall include:

• •Description of the nature of the breach
• •Categories and approximate number of Data Subjects affected
• •Contact point for further information
• •Likely consequences of the breach
• •Measures taken or proposed to address the breach

9. International Data Transfers

The Processor shall not transfer Personal Data outside the EEA unless:

• 9.1The transfer is to a country with an EU adequacy decision
• 9.2Standard Contractual Clauses (SCCs) are in place
• 9.3Other valid transfer mechanism under GDPR Chapter V applies

Current sub-processors requiring international transfers are listed in Annex C with applicable transfer mechanisms.

10. Term and Termination

• 10.1This DPA shall remain in effect for the duration of the Terms of Service.
• 10.2Upon termination, the Processor shall, at Controller's election, return or delete all Personal Data within 30 days.
• 10.3The Processor may retain Personal Data as required by applicable law, subject to confidentiality obligations.