Data Processing Agreement

Your data, secured. Our Data Processing Agreement (DPA) outlines how we legally and securely process your personal data, complying with laws like GDPR.

This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Terms and Conditions https://www.intelligenic.ai/terms-and-conditions (“the Agreement”) between the customer entity that accepts the Agreement (“Customer”) and the provider of the SaaS generative AI solution Intelligenic, Inc. (“Provider”). By entering into the Agreement, Customer is deemed to have executed this DPA. The Effective Date of this DPA shall be the date the Customer entered into the Agreement. If there is any conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data.

1. Definitions

  • Applicable Data Protection Laws means all laws and regulations relating to data protection, privacy, and security applicable to the processing under this DPA, including: the EU General Data Protection Regulation (EU) 2016/679 (GDPR), the ePrivacy Directive 2002/58/EC as implemented in EU/EEA Member States, the UK GDPR and Data Protection Act 2018, and the Swiss Federal Act on Data Protection (FADP) and related ordinances, in each case as amended, replaced, or superseded. This DPA will be governed by the laws as outlined in the Governing Law and Jurisdiction sections of the main Agreement.
  • Personal Data has the meaning given in Applicable Data Protection Laws and includes any information relating to an identified or identifiable natural person.
  • Customer Personal Data means Personal Data processed by Provider on behalf of Customer under the Agreement.
  • Controller, Processor, Data Subject, and Supervisory Authority have the definitions provided in Applicable Data Protection Laws.
  • Subprocessor means any Processor engaged by Provider to process Customer Personal Data.
  • Services means Provider’s SaaS generative AI solution and related support and professional services.
  • Standard Contractual Clauses, or SCCs, means the European Commission’s standard contractual clauses for the transfer of personal data to third countries, as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (and any subsequent updates), including the applicable module(s).
  • UK Addendum means the UK Information Commissioner’s Office International Data Transfer Addendum to the EU SCCs (version B1.0, in force 21 March 2022), or the International Data Transfer Agreement (IDTA), as designated by Provider.
  • Swiss Addendum means the provisions required to align the SCCs with the Swiss FADP and FDPIC guidance.

2. Scope and Roles

  • Customer is the Controller (or a Processor acting on behalf of a third-party Controller), and Provider is the Processor in relation to Customer Personal Data processed under the Agreement.
  • Provider may act as an independent Controller for limited Service Data needed to administer accounts, process billing, prevent fraud, and comply with the law. Such Service Data is processed in accordance with the Provider’s Privacy Notice and is outside the scope of this DPA.

3. Customer Instructions

  • Provider will process Customer Personal Data only on documented instructions from Customer, including as set out in the Agreement and this DPA, and for the purposes described in Annex A.
  • Customer is responsible for ensuring its instructions comply with Applicable Data Protection Laws, for having a lawful basis for processing, for providing required notices to Data Subjects, and for obtaining and documenting consents where required (including for any processing of special categories of data or children’s data).
  • Customer must not intentionally submit special categories of data unless the Services are configured to process such data and Customer has provided all legally required notices and consents.

4. AI-Specific Use of Data

  • Provider will use Customer Personal Data to train or improve foundation or general-purpose models. Customer must expressly opt out as described in the Agreement. To opt out, the Customer must send an email to optout@intelligenic.ai with “OPT OUT” in the subject line. Provider may use de-identified, aggregated metrics derived from Customer’s use of the Services to maintain, secure, and improve the Services.
  • Provider may process prompts, inputs, files, and outputs to deliver the Services, perform content moderation or filtering, quality assurance, support, incident response, fraud and abuse detection, and to comply with law.
  • Customer remains responsible for reviewing and validating model outputs. Customer will not use outputs as the sole basis for decisions that produce legal or similarly significant effects on individuals without appropriate human oversight.

5. Confidentiality

  • Provider will ensure persons authorized to process Customer Personal Data are subject to confidentiality obligations and receive appropriate training.

6. Security

  • Provider will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex B and consistent with Article 32 of the GDPR and analogous requirements under UK and Swiss law.
  • Provider will implement encryption in transit and at rest, access controls, vulnerability management, secure development practices, logging and monitoring, incident response, and regular assessments of the effectiveness of security measures.

7. Subprocessors

  • Customer grants Provider a general authorization to engage Subprocessors to support the delivery of the Services. A current list or mechanism for obtaining an up-to-date list of Subprocessors will be maintained by Provider (see Annex C).
  • Provider will impose on Subprocessors data protection obligations at least as protective as those in this DPA, including obligations under the SCCs where applicable, and will remain responsible for Subprocessor acts and omissions.
  • Provider will provide prior notice of new Subprocessors of at least 30 days and offer Customer a reasonable opportunity to object on justified grounds. If Customer objects, the parties will work in good faith to find a commercially reasonable alternative; if none is found, Customer may suspend or terminate the affected Services without penalty.

8. Assistance and Cooperation

  • Provider will assist Customer with Data Subject requests to exercise rights under Applicable Data Protection Laws (access, rectification, erasure, restriction, portability, objection) by providing appropriate technical and organizational measures and information.
  • Provider will assist Customer with data protection impact assessments and prior consultations with Supervisory Authorities, taking into account the nature of the processing and information available to Provider.
  • Provider will maintain records of processing activities as required by Applicable Data Protection Laws.

9. Personal Data Breach

  • Provider will notify Customer without undue delay, and in any event within 72 hours after becoming aware, of a Personal Data Breach affecting Customer Personal Data.
  • Such notice will include the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, the measures taken or proposed, and a point of contact for further information. Provider will cooperate with Customer to remediate and meet notification obligations.

10. Audits and Information

  • Provider will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including independent audit reports or certifications (e.g., ISO/IEC 27001 or SOC 2).
  • Upon reasonable prior written notice and not more than once annually, Customer or an independent auditor subject to confidentiality obligations may audit Provider’s compliance with this DPA. Audits will be conducted during regular business hours in a manner that avoids disruption, with a maximum duration of 5 days and a scope limited to areas where Customer Personal Data is processed. Customer will bear its own audit costs; Provider may charge reasonable fees for audit support.

11. Data Retention, Return, and Deletion

  • Provider will retain Customer Personal Data for no longer than necessary for the purposes described in Annex A or as required by law or the Agreement.
  • Upon termination or expiry of the Services, and upon Customer’s written request, Provider will delete or return all Customer Personal Data (at Customer’s option), unless retention is required by law. Deletion will be performed within a commercially reasonable period and confirmed to Customer upon request.

12. International Data Transfers

  • Restricted transfers. If Provider processes Customer Personal Data subject to EU/EEA, UK, or Swiss law in a country not recognized as adequate, the Parties agree the appropriate transfer mechanism applies as follows:
    • EU/EEA data: The SCCs are incorporated into this DPA by reference and apply with Module Two (Controller to Processor) and, for onward transfers to Subprocessors, Module Three (Processor to Processor). The full text of the SCCs is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
    • UK data: The UK Addendum to the EU SCCs (or IDTA, if designated) is incorporated and applies to transfers subject to UK law. The full text of the UK Addendum is available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
    • Swiss data: The Swiss Addendum applies to transfers subject to the FADP. References in the SCCs to GDPR are understood to include the FADP; references to Supervisory Authority mean the FDPIC; references to Member State law and jurisdiction mean Swiss law and Swiss courts.
  • Supplementary measures. Provider will implement supplementary technical, contractual, and organizational measures designed to address the requirements of Schrems II, including:
    • Encryption in transit and at rest, with keys controlled by the Provider or a trusted key management system;
    • Access controls and least-privilege access; robust audit logging and monitoring;
    • Data minimization and pseudonymization where appropriate;
    • Policies to assess, challenge, and narrowly respond to government access requests; and Customer notification to the extent legally permitted.
  • Precedence. In the event of a conflict, the SCCs (and the UK/Swiss Addenda) prevail over the Agreement and this DPA.
  • Provider will not voluntarily disclose Customer Personal Data to public authorities. If Provider receives a legally binding request, it will, to the extent permitted by law, promptly notify Customer and will challenge unlawful or overbroad requests. Provider will disclose only the minimum data necessary to comply and will document the legal basis.

14. Compliance and Changes

  • Provider may update this DPA to reflect changes in law or services, provided such updates do not reduce the protection of Customer Personal Data. Material changes will be notified to the Customer.

15. Liability and Remedies

  • Liability for each party under this DPA is subject to the limitations and exclusions of liability in the Agreement.

16. Term and Termination

  • This DPA becomes effective on the effective date of the Agreement and remains in force for the duration of Provider’s processing of Customer Personal Data under the Agreement.

17. Order of Precedence

  • In the event of a conflict among documents: SCCs (and UK/Swiss Addenda) take precedence, then this DPA, then the Agreement.

Annex A: Description of Processing

  • Nature and purpose
    • Provision of the generative AI Services, including ingestion and processing of prompts, inputs, files, and context; generation and delivery of outputs; content filtering and moderation; quality assurance; analytics for service performance and reliability; support; billing; security, fraud, and abuse prevention; compliance with law; and optional fine-tuning or customization when expressly instructed by Customer.
  • Categories of Data Subjects
    • Customer’s employees and contractors; Customer’s end users; Customer’s customers; individuals whose data appears in Customer-provided content; website or application users interacting with the Services.
  • Categories of Personal Data
    • Identification and contact data (for example, name, email, user ID);
    • Account and profile data;
    • Prompts, inputs, files, and generated outputs;
    • Device, system, and network information (for example, IP address, user agent, identifiers, telemetry);
    • Usage and event logs, feedback, support communications;
    • Optional categories expressly submitted by Customer, including special categories of data, where permitted and instructed by Customer.
  • Sensitive data
    • The Services are not designed to intentionally process special categories of data unless expressly enabled and instructed by Customer with a lawful basis. Customer is responsible for lawfully submitting any such data.
  • Processing operations
    • Collection, storage, retrieval, parsing, transformation, generation, classification, summarization, translation, moderation, encryption, transmission, deletion.
  • Retention period
    • For the duration of the Agreement and as otherwise instructed by Customer or required by law. In no event will data be retained for longer than one hundred (100) years following termination of the Services. Provider will apply data minimization and retention controls and will delete or return data upon termination per Section 11.
  • Processing locations
    • Primary processing occurs in the regions disclosed by Provider. Cross-border transfers may occur to countries where Subprocessors are located, subject to Section 12.

Annex B: Technical and Organizational Measures

  • Governance and risk management: documented information security program; roles and responsibilities; regular risk assessments; policies; employee screening and training.
  • Access control: role-based access; authentication; least privilege; periodic access reviews; multi-factor authentication for privileged access.
  • Data security: encryption in transit (TLS) and at rest; key management; data segregation; secure backups; pseudonymization where appropriate.
  • Application and infrastructure security: secure SDLC; code review; dependency management; vulnerability scanning and patching; penetration testing; network segmentation; firewalling; DDoS protection.
  • Monitoring and logging: centralized logging; anomaly detection; alerting; audit trails for access to Customer Personal Data.
  • Incident response and business continuity: documented incident response plan; tabletop exercises; disaster recovery and business continuity planning and testing.
  • Supplier management: security due diligence of Subprocessors; contractual security and privacy obligations; continuous monitoring.
  • Physical security: data center controls in accordance with industry standards (e.g., ISO/IEC 27001-certified facilities).
  • Data subject rights tooling: capabilities to search, export, rectify, and delete Customer Personal Data as instructed by Customer.

Annex C: Subprocessors

  • Provider uses Subprocessors to deliver infrastructure, storage, compute, content delivery, email/SMS, logging/monitoring, customer support, and model inference or training services. A current list and notification mechanism will be made available to Customer upon request via a dedicated URL or an administrative console.
  • Typical categories may include cloud infrastructure providers, model providers, content moderation services, support ticketing systems, analytics and observability platforms, and communication service providers.

Annex D: EU Standard Contractual Clauses (SCCs)

  • Incorporation
    • The Parties incorporate by reference the SCCs adopted by the European Commission in Decision (EU) 2021/914, with Module Two (Controller to Processor) between Customer (data exporter) and Provider (data importer), and Module Three (Processor to Processor) for onward transfers from Provider to Subprocessors.
  • Annex I to SCCs (details of the transfer)
    • Data exporter: Customer; contact details: as per Agreement; role: Controller.
    • Data importer: Provider; contact details: as per Agreement; role: Processor.
    • Description of transfer: as set out in Annex A; frequency: continuous and/or as instructed; retention: as set out in Annex A.
    • Competent Supervisory Authority: determined per Clause 13 of the SCCs (generally the authority of the Customer’s Member State).
  • Annex II to SCCs (technical and organizational measures)
    • As set out in Annex B.
  • Annex III to SCCs (list of Subprocessors)
    • As set out in Annex C and updated in accordance with Section 7.
  • Precedence
    • The SCCs prevail over conflicting terms in this DPA or the Agreement.

Annex E: UK Addendum

  • The Parties incorporate the UK Addendum to the EU SCCs (version B1.0) or the IDTA as designated by Provider.
  • Tables completed as follows:
    • Table 1 (Parties): Data exporter is Customer; data importer is Provider; details as per Agreement.
    • Table 2 (Selected SCCs): EU SCCs per Annex D.
    • Table 3 (Appendix Information): Annexes I, II, III correspond to Annex A, B, C of this DPA.
    • Table 4 (Additional Terms): none or as agreed in writing.
  • If the UK Addendum conflicts with this DPA or Agreement, the UK Addendum prevails for UK transfers.

Annex F: Swiss Addendum

Where the SCCs refer to the EU, the Parties interpret such references to include Switzerland to the extent required by the FADP.

The SCCs apply to transfers subject to Swiss FADP with the following modifications:

References to GDPR include the FADP; references to Supervisory Authority mean the FDPIC; references to Member State and jurisdiction mean Switzerland and Swiss courts.

The governing law for the SCCs is Swiss law; the place of jurisdiction is Switzerland.