Data Processing Agreement

Last updated: March 1, 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the service agreement between OperatiqAI (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) for the provision of AI-powered business intelligence services. This DPA sets out the terms under which we will process personal data on your behalf, in accordance with applicable data protection laws including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Definitions

  • Personal Data — Any information relating to an identified or identifiable natural person, including names, email addresses, IP addresses, and any data contained within uploaded documents or chat messages.
  • Processing — Any operation or set of operations performed on personal data, including collection, storage, retrieval, use, transmission, analysis by AI models, and deletion.
  • Sub-processor — A third-party entity engaged by the Processor to assist in fulfilling its obligations under this agreement, including infrastructure providers and AI model providers.
  • Data Subject — The identified or identifiable natural person to whom the personal data relates, including your employees, customers, or other individuals whose data you upload to the platform.

3. Scope of Processing

The Processor shall process personal data only to the extent necessary to provide the OperatiqAI platform services. The categories of data processed include:

  • Account Information — Names, email addresses, company names, and authentication credentials required for platform access
  • Document Content — Files and documents uploaded by the Controller for AI-powered analysis, which may contain personal data of third parties
  • Chat Messages — Conversational data exchanged between users and the AI assistant, including queries, responses, and session metadata
  • Usage Data — Platform interaction logs, feature usage metrics, API call records, and performance data used to maintain and improve the service

4. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by applicable law to do otherwise
  • Ensure that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement and maintain appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction
  • Assist the Controller in responding to data subject requests, including access, rectification, erasure, data portability, and objection requests, within commercially reasonable timeframes
  • Assist the Controller in ensuring compliance with obligations related to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities
  • At the Controller's choice, delete or return all personal data upon termination of the service agreement, and delete existing copies unless applicable law requires further storage
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and applicable data protection laws

5. Sub-processors

The Controller acknowledges and agrees that the Processor may engage the following sub-processors to assist in providing the services:

Sub-processor                 | Purpose                                                                                                   | Location
Supabase                      | Database hosting, authentication services, and real-time data storage                                     | United States
Vercel                        | Application hosting, edge network delivery, and serverless function execution                             | Global (Edge)
Anthropic / OpenAI / Google   | AI model inference processing via BYOK (Bring Your Own Key) — data is sent using Controller-provided API keys | United States

The Processor shall notify the Controller of any intended changes to its sub-processors, giving the Controller the opportunity to object to such changes. The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.

6. Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or other jurisdictions with data transfer restrictions, the Processor shall ensure that appropriate safeguards are in place. These safeguards include:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission for international data transfers
  • Adequacy decisions by the European Commission where applicable
  • Binding Corporate Rules where approved by relevant supervisory authorities
  • Additional supplementary measures such as encryption and pseudonymization where required by the circumstances of the transfer

7. Security Measures

The Processor implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk:

  • Encryption at Rest — All data stored in databases and file storage is encrypted using AES-256 encryption
  • Encryption in Transit — All network communication is encrypted using TLS 1.3, ensuring data integrity and confidentiality during transmission
  • Access Controls — Role-based access control (RBAC) with the principle of least privilege, multi-factor authentication for internal systems, and regular access reviews
  • Audit Logging — Comprehensive logging of all access and modifications to personal data, with logs retained for a minimum of 12 months
  • Incident Response — A documented incident response plan with defined roles, communication procedures, and remediation processes, tested at least annually
  • Vulnerability Management — Regular vulnerability scanning, penetration testing, and timely patching of identified security issues

8. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
  • The name and contact details of the Processor's data protection point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any data breach.

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection law, including:

  • Right of Access — The right to obtain confirmation of whether personal data is being processed and to access that data
  • Right to Rectification — The right to have inaccurate personal data corrected without undue delay
  • Right to Erasure — The right to have personal data deleted when it is no longer necessary for the purpose for which it was collected
  • Right to Data Portability — The right to receive personal data in a structured, commonly used, and machine-readable format
  • Right to Restriction — The right to restrict processing in certain circumstances, such as when accuracy is contested
  • Right to Object — The right to object to processing based on legitimate interests or for direct marketing purposes

10. Term and Termination

This DPA shall be effective for the duration of the underlying service agreement between the Processor and the Controller. Upon termination of the service agreement:

  • The Processor shall cease all processing of personal data on behalf of the Controller
  • At the Controller's election, the Processor shall return all personal data in a commonly used format or securely delete all personal data within 30 days
  • The Processor shall provide written certification of deletion upon the Controller's request
  • Provisions of this DPA that by their nature should survive termination shall continue to apply, including confidentiality obligations and liability provisions

11. Contact

For questions or requests regarding this Data Processing Agreement, please contact our data protection team at dpa@operatiqai.com.