Data Processing Agreement

Last updated: February 7, 2026

Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between a37 Inc. ("Processor" or "a37") and the entity agreeing to these terms ("Controller" or "Customer") for the provision of our process intelligence platform and related services (the "Services").

This DPA applies where and only to the extent that a37 processes Personal Data on behalf of the Customer in the course of providing the Services, and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area, the United Kingdom, or Switzerland.

Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by a37 on behalf of the Customer.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR (EU 2016/679), the UK GDPR, and the Swiss Federal Act on Data Protection.
  • "Sub-processor" means any third party engaged by a37 to process Personal Data on behalf of the Customer.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

Scope and Purpose of Processing

a37 will process Personal Data only as necessary to provide the Services to the Customer and in accordance with the Customer's documented instructions. The details of the processing are as follows:

Subject Matter: Provision of process intelligence, AI analysis, and enterprise application modernization services.

Duration: For the term of the agreement between a37 and the Customer, plus the period until deletion of all Personal Data.

Nature and Purpose: Processing of Customer Data to provide analytics, insights, and AI-driven recommendations as part of the Services.

Categories of Data Subjects: Customer employees, contractors, end users, and other individuals whose data is included in Customer Data.

Types of Personal Data: Name, email address, job title, IP address, usage data, and any other Personal Data contained within Customer Data submitted to the Services.

Obligations of the Processor

a37 shall:

  • Process Personal Data only on documented instructions from the Customer, unless required by applicable law
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Not engage another processor without prior specific or general written authorization of the Customer
  • Assist the Customer in responding to requests from Data Subjects exercising their rights under Data Protection Laws
  • Assist the Customer in ensuring compliance with obligations related to security of processing, data protection impact assessments, and prior consultation with supervisory authorities
  • At the choice of the Customer, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless storage is required by law
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits

Security Measures

a37 implements and maintains appropriate technical and organizational security measures, including:

  • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Regular testing, assessing, and evaluating the effectiveness of security measures
  • SOC 2 Type II certified infrastructure and processes
  • Role-based access controls and multi-factor authentication
  • Regular security training for all personnel with access to Personal Data

Sub-processors

The Customer provides general authorization for a37 to engage sub-processors. a37 maintains a current list of sub-processors at a37.ai/subprocessors.

a37 will notify the Customer of any intended changes to the list of sub-processors at least 30 days in advance, giving the Customer the opportunity to object. If the Customer objects, a37 will make reasonable efforts to provide an alternative, or the Customer may terminate the affected Services.

Where a37 engages a sub-processor, it shall impose data protection obligations no less protective than those set out in this DPA by way of a contract. a37 remains fully liable for the performance of its sub-processors.

International Data Transfers

a37 will not transfer Personal Data to a country outside the European Economic Area, the United Kingdom, or Switzerland unless appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • An adequacy decision by the relevant authority
  • The EU-U.S. Data Privacy Framework, where applicable

Data Breach Notification

a37 will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification will include:

  • A description of the nature of the breach, including categories and approximate number of Data Subjects and records concerned
  • The name and contact details of a37's contact point for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

Data Subject Rights

a37 will assist the Customer in fulfilling its obligations to respond to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection. a37 will promptly notify the Customer if it receives a request directly from a Data Subject and will not respond to such request unless authorized by the Customer or required by applicable law.

Audit Rights

a37 will make available to the Customer on request all information reasonably necessary to demonstrate compliance with this DPA. The Customer may conduct an audit, either itself or through an appointed third-party auditor, with reasonable advance notice and during normal business hours. a37 will cooperate with such audits and provide reasonable assistance.

Term and Termination

This DPA shall remain in effect for the duration of a37's processing of Personal Data on behalf of the Customer. Upon termination of the Services, a37 will, at the Customer's choice, delete or return all Personal Data within 90 days, except where retention is required by applicable law.

Contact Us

For questions about this DPA or to request a signed copy, please contact us:

a37 Inc.

Email: legal@a37.ai

Privacy Inquiries: privacy@a37.ai