Data Processing Agreement

Including Standard Contractual Clauses

Effective Date: 2026-02-23

This Data Processing Agreement (“DPA”) is entered into by and between:

Customer (“Data Controller” or “Controller”): The entity that has executed a subscription agreement or terms of service with ProcessPlan, LLC for the use of the ProcessPlan platform.

ProcessPlan, LLC (“Data Processor” or “Processor”): A limited liability company organized under the laws of the State of Georgia, USA.

Together, the “Parties.” This DPA is incorporated into and forms part of the underlying service agreement between the Parties (the “Agreement”).

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person as defined under GDPR Article 4(1).

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

“Sub-Processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose of Processing

The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the ProcessPlan platform services as described in the Agreement. This includes:

  • Storing and managing business process data as directed by the Controller.
  • Automating business processes configured by the Controller.
  • Providing AI-powered features (ProSeer) when initiated by the Controller, using data included in prompts at the Controller’s discretion.
  • Maintaining account information and processing billing.

The Processor shall not process Personal Data for any purpose other than as instructed by the Controller, unless required by applicable law.

3. Controller Obligations

The Controller warrants that:

  1. It has a lawful basis under GDPR for collecting and processing all Personal Data stored in the ProcessPlan platform.
  2. It has provided appropriate notices to, and obtained any necessary consents from, Data Subjects.
  3. It shall not store Special Category Data (Article 9) or criminal conviction data (Article 10) in the platform unless expressly agreed in writing with the Processor.
  4. It is responsible for configuring appropriate data retention periods within the platform.

4. Processor Obligations

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law.
  2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II.
  4. Not engage another processor (sub-processor) without prior general or specific written authorization of the Controller, subject to Section 6.
  5. Assist the Controller, taking into account the nature of processing, in responding to requests from Data Subjects exercising their rights under GDPR.
  6. Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, data protection impact assessments, and prior consultation).
  7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
  8. Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Data Subject Rights

The Processor shall promptly notify the Controller if it receives a request from a Data Subject to exercise any right under GDPR (access, rectification, erasure, restriction, portability, or objection). The Processor shall not respond to such requests directly unless authorized by the Controller.

The Processor shall provide reasonable technical and organizational assistance to enable the Controller to fulfill Data Subject requests. The ProcessPlan platform provides the following capabilities:

  • Data export functionality for access and portability requests.
  • Record-level deletion capabilities for erasure requests.
  • Customer-configurable retention periods.

6. Sub-Processors

The Controller provides general authorization for the Processor to engage the sub-processors listed in Annex III. The Processor shall:

  1. Inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 30 days.
  2. Impose on each sub-processor, by way of contract, data protection obligations no less protective than those set out in this DPA.
  3. Remain fully liable to the Controller for the performance of each sub-processor’s obligations.

7. International Data Transfers

The Controller acknowledges that Personal Data will be transferred to and processed in the United States. To ensure an adequate level of protection for such transfers, the Parties agree to the following:

  1. The Standard Contractual Clauses (Module Two: Controller to Processor) adopted by European Commission Implementing Decision (EU) 2021/914 are incorporated by reference into this DPA and shall apply to all transfers of Personal Data from the EEA to the United States.
  2. For the purposes of the SCCs: the Controller is the “data exporter” and the Processor is the “data importer.”
  3. The Processor shall comply with the obligations of the data importer under the SCCs.
  4. EU hosting is available upon request for an additional fee, which would eliminate the need for cross-border transfer mechanisms for data at rest.

If the Processor becomes certified under the EU-US Data Privacy Framework in the future, this DPA shall be updated accordingly.

8. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Controller’s data. The notification shall include:

  1. A description of the nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned.
  2. The name and contact details of the Processor’s contact point for further information.
  3. A description of the likely consequences of the breach.
  4. A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.

9. Data Retention and Deletion

The Controller may configure data retention periods within the ProcessPlan platform and may delete records at any time. Upon termination or expiration of the Agreement:

  1. The Controller may request return or deletion of all Personal Data prior to the end of a 90-day grace period.
  2. If no request is received, all Personal Data shall be securely deleted at the end of the 90-day grace period.
  3. Backup copies shall be deleted within 7 days of the primary data deletion.
  4. The Processor may retain data where required by applicable law, in which case it shall inform the Controller and ensure continued protection of such data.

10. Audit Rights

The Processor shall make available to the Controller, upon reasonable request and at reasonable intervals, all information necessary to demonstrate compliance with this DPA. The Controller (or an independent third-party auditor appointed by the Controller) may conduct an audit, subject to:

  1. Reasonable advance notice of at least 30 days.
  2. The audit being conducted during normal business hours and in a manner that minimizes disruption.
  3. The auditor agreeing to reasonable confidentiality obligations.

11. Liability

Each Party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits either Party’s liability to Data Subjects under GDPR.

12. Term and Termination

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate when the Agreement terminates, subject to the Processor’s obligation to delete or return Personal Data as described in Section 9.

13. Governing Law

This DPA shall be governed by the laws of the State of Georgia, USA, except to the extent that GDPR or applicable EU Member State law mandates otherwise. For disputes relating to the SCCs, the governing law shall be that of the EU Member State in which the data exporter is established.

Annex I — Description of Processing

Data Exporter: The Customer (Controller), the entity using the ProcessPlan platform.

Data Importer: ProcessPlan, LLC (Processor), provider of the ProcessPlan platform.

Data Subjects: The Controller’s employees, clients, vendors, and other individuals whose data is stored in the platform, as determined by the Controller.

Categories of Data: Name, email, contact details, employment data, financial data, uploaded documents, and any other data the Controller chooses to store. Credit card data is handled by Stripe and not stored by ProcessPlan.

Processing Operations: Storage, retrieval, organization, automated processing, AI-powered analysis (at Controller’s discretion), backup, and deletion.

Duration: For the term of the Agreement plus a 90-day post-termination grace period.

Frequency: Continuous, as triggered by the Controller’s use of the platform.

Annex II — Technical and Organizational Security Measures

ProcessPlan, LLC implements the following measures to protect Personal Data:

Encryption

  • All data encrypted at rest using AES-256 (or equivalent) in AWS infrastructure.
  • All data encrypted in transit using TLS 1.2 or higher.

Access Controls

  • Role-based access controls (RBAC) within the platform for customer users.
  • Multi-factor authentication (MFA) available for all customer accounts.
  • Production environment access limited to 3 authorized personnel.
  • Authentication managed via Auth0 with industry-standard security.

Infrastructure Security

  • Hosted on Amazon Web Services with SOC 2 Type II and ISO 27001 certifications.
  • Cloudflare DDoS protection and web application firewall.
  • Regular security audits and penetration testing conducted.

Data Segregation

  • Customer data is logically segregated within the platform.
  • Separate AWS S3 buckets or prefixes for customer file uploads.

Backup and Recovery

  • Automated backups with a 7-day retention period.
  • Backups encrypted using the same standards as production data.

Personnel

  • All personnel with access to Personal Data receive security and privacy training.
  • Confidentiality obligations in place for all employees and contractors.

AI Processing

  • AI providers (Anthropic, OpenAI, Google) are used on zero-data-retention API tiers.
  • No customer data is used for AI model training by any provider.
  • AI processing is initiated only at the Controller’s discretion.

Annex III — Authorized Sub-Processors

The following sub-processors are authorized as of the Effective Date:

  • Amazon Web Services. Purpose: Hosting, file storage. Data processed: All data. Location: USA (us-east-1).
  • Stripe, Inc. Purpose: Payment processing. Data processed: Billing data. Location: USA.
  • Auth0 (Okta). Purpose: Authentication. Data processed: Credentials. Location: USA.
  • Amazon SES. Purpose: Transactional email. Data processed: Email content. Location: USA.
  • Cloudflare, Inc. Purpose: Security / CDN. Data processed: Traffic data. Location: Global.
  • Anthropic. Purpose: AI processing (primary). Data processed: Prompt data (at customer discretion). Location: USA.
  • OpenAI. Purpose: AI processing (optional). Data processed: Prompt data (at customer discretion). Location: USA.
  • Google (Gemini). Purpose: AI processing (optional). Data processed: Prompt data (at customer discretion). Location: USA.

The Processor shall notify the Controller at least 30 days in advance of any changes to this sub-processor list, providing the Controller an opportunity to object.

Questions About This DPA

ProcessPlan, LLC

Attn: Data Protection Officer

3698 Inner Perimeter Rd #4411
Valdosta, GA 31602

State of Georgia, USA

Email: privacy@processplan.com