Data Processing Agreement
This Data Processing Agreement (DPA) forms part of the agreement between the Customer (controller) and ekory S.r.l. (processor) and reflects the requirements of Article 28 GDPR.
1. Definitions
Terms such as "controller", "processor", "data subject", "personal data", "processing", "personal data breach" and "sub-processor" have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). "SCCs" means the Standard Contractual Clauses in Commission Decision (EU) 2021/914.
2. Roles & scope
This DPA applies where ekory S.r.l. ("Processor") processes personal data on behalf of the Customer ("Controller") in the course of providing the ekory service. The Customer is the controller and ekory is the processor. The subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects are set out in Annex I.
3. Processing instructions
ekory will process personal data only on the Controller's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law (in which case ekory will inform the Controller, unless that law prohibits it). ekory will promptly inform the Controller if, in its opinion, an instruction infringes the GDPR.
4. Confidentiality
ekory ensures that persons authorised to process the personal data are bound by appropriate obligations of confidentiality and are trained on their data-protection responsibilities.
5. Security
ekory implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures are described in Annex II.
6. Sub-processors
The Controller grants a general authorisation for ekory to engage sub-processors, listed in Annex III. ekory imposes data-protection obligations on each sub-processor equivalent to those in this DPA, and remains fully liable for their performance. ekory will give the Controller at least [e.g. 30] days' notice of any intended change, during which the Controller may object on reasonable data-protection grounds.
7. International transfers
Where processing involves a transfer of personal data outside the EEA, ekory ensures an appropriate safeguard is in place, normally the SCCs together with any required supplementary measures.
8. Assistance to the controller
Taking into account the nature of the processing, ekory assists the Controller by appropriate technical and organisational measures in responding to data-subject requests (Articles 12–23) and in meeting its obligations under Articles 32–36 (security, breach notification, data-protection impact assessments and prior consultation).
9. Personal data breach notification
ekory will notify the Controller without undue delay, and in any event within [e.g. 48 hours] of becoming aware of a personal data breach affecting the Controller's data, and will provide the information reasonably required for the Controller to meet its own notification obligations.
10. Audits
ekory makes available to the Controller the information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable confidentiality and security arrangements.
11. Return & deletion
On termination of the service, and at the Controller's choice, ekory will delete or return all personal data and delete existing copies, unless EU or Member State law requires storage.
12. Annexes
Annex I — Details of processing
- Subject matter: provision of the ekory "company brain" service.
- Duration: the term of the Agreement.
- Nature & purpose: hosting, indexing, retrieval and AI-assisted processing of the Controller's content to deliver the service.
- Types of personal data: [e.g. names, business contact details, content of documents and messages uploaded by the Customer].
- Categories of data subjects: [e.g. the Customer's employees, contractors, customers and contacts].
Annex II — Technical & organisational measures
- Encryption of data in transit and at rest;
- Role-based access control and least-privilege access;
- Per-organisation data isolation;
- Audit logging and monitoring;
- Regular backups and tested restoration;
- Secure software-development and vulnerability-management practices.
Annex III — Authorised sub-processors
| Sub-processor | Service | Location & safeguard |
|---|---|---|
| Vercel Inc. | Application hosting | USA — SCCs |
| [Model / LLM provider, e.g. Anthropic, OpenAI] | AI model inference | [location — safeguard] |
| [Cloud infrastructure / storage provider] | Compute & storage | [location — safeguard] |