GDPR-compliant Data Processing Agreement for enterprise customers protecting your data rights.
1. Introduction and Parties
This Data Processing Agreement ("DPA") forms part of the Terms of Service between CognexiaAI ("Processor" or "we") and the customer ("Controller" or "you") for the provision of the Services. This DPA reflects the parties' agreement with respect to the processing of Personal Data in accordance with the requirements of applicable Data Protection Laws, including the EU General Data Protection Regulation (GDPR) 2016/679.
GDPR Compliance Statement
This DPA ensures compliance with GDPR Articles 28, 32, 33, and 34, establishing clear responsibilities for data processing activities.
2. Definitions
In this DPA, the following terms have the meanings set out below:
"Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller in connection with the Services.
"Data Protection Laws" means all applicable laws relating to privacy, data protection, and data security, including GDPR, CCPA, and any implementing or supplementary legislation.
"Data Subject" means the individual to whom Personal Data relates.
"Sub-processor" means any third-party processor engaged by Processor to process Personal Data on behalf of Controller.
3. Scope and Details of Processing
3.1 Subject Matter and Duration
The subject matter of the processing is the provision of the Services in accordance with the Terms of Service. The duration of processing shall be for the term of the Services agreement.
3.2 Nature and Purpose of Processing
Processor will process Personal Data for the following purposes:
Provision and maintenance of the ERP Services
Customer support and technical assistance
Service improvement and analytics (anonymized)
Security monitoring and incident response
3.3 Types of Personal Data
Contact information (names, email addresses, phone numbers)
Employment information (job titles, department, employee IDs)
Financial information (billing details, transaction records)
Technical data (IP addresses, device information, usage logs)
3.4 Categories of Data Subjects
Controller's employees and contractors
Controller's customers and clients
Controller's suppliers and partners
4. Processor's Obligations
4.1 Processing Instructions
Processor shall process Personal Data only on documented instructions from Controller, unless required to do so by applicable law. Controller instructs Processor to process Personal Data for the purposes described in this DPA and the Terms of Service.
4.2 Confidentiality
Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All employees with access to Personal Data are bound by strict confidentiality agreements.
4.3 Security Measures
Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Pseudonymization and encryption of Personal Data
Ongoing confidentiality, integrity, availability, and resilience of systems
Ability to restore availability and access to data in a timely manner
Regular testing, assessment, and evaluation of security effectiveness
5. Sub-processors
5.1 General Authorization
Controller provides general authorization for Processor to engage Sub-processors. Processor shall:
Maintain a list of Sub-processors on our website
Provide 30 days' notice of any new Sub-processor
Ensure Sub-processors are bound by written agreements with equivalent obligations
Remain fully liable for Sub-processor performance
5.2 Current Sub-processors
Amazon Web Services (AWS): Cloud infrastructure and hosting services
Stripe, Inc.: Payment processing services
SendGrid (Twilio): Email delivery services
6. Data Subject Rights
Processor shall, to the extent legally permitted, promptly notify Controller if it receives a request from a Data Subject to exercise their rights under Data Protection Laws. Processor shall:
Assist Controller in responding to Data Subject requests
Provide technical and organizational measures to facilitate such requests
Not respond directly to Data Subjects without Controller's authorization
7. Data Breach Notification
Processor shall notify Controller without undue delay (and in any event within 24 hours) after becoming aware of a Personal Data breach. The notification shall include:
Description of the nature of the breach
Categories and approximate number of Data Subjects and records concerned
Likely consequences of the breach
Measures taken or proposed to address the breach
8. International Data Transfers
Where Processor transfers Personal Data outside the European Economic Area (EEA), Processor shall ensure that:
Transfers are to countries with adequate data protection (as determined by the European Commission)
Standard Contractual Clauses (SCCs) approved by the European Commission are implemented
Appropriate safeguards and supplementary measures are in place
9. Audits and Compliance
Processor shall make available to Controller information necessary to demonstrate compliance with this DPA and allow for audits:
Annual SOC 2 Type II audit reports
ISO 27001 certification documentation
Security questionnaires and compliance documentation
On-site audits with reasonable notice (subject to confidentiality)
10. Data Deletion and Return
Upon termination or expiration of the Services, Processor shall, at Controller's choice:
Return all Personal Data to Controller in a structured, commonly used format
Delete all Personal Data and certify in writing to Controller
Deletion occurs within 90 days unless legal requirements mandate retention
11. Liability
Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA shall limit either party's liability for breaches of its obligations under applicable Data Protection Laws.
12. Contact for DPA Matters
For questions or concerns related to this Data Processing Agreement: