This Data Processing Agreement (the “DPA
”) constitutes a
legally binding agreement between Humantic Inc (“Company
the entity (“Customer
”) on whose behalf Company Processes
Personal Data under the Terms and Conditions available at
”). The Company and the Customer are hereinafter
referred to individually as a “Party
” and collectively as the
This DPA forms an integral part of the Terms and is applicable where
the Company Processes Customer’s Personal Data originating from the
European Economic Area (“EEA
”), United Kingdom (“UK
Capitalised terms not specifically defined herein shall have the
meaning ascribed thereto in the Terms.
In this DPA, the following terms shall have the following
“Data Protection Laws” shall mean (a) the GDPR; (b) in
respect of the UK, the GDPR as saved into United Kingdom by virtue
of section 3 of the United Kingdom European Union (Withdrawal) Act
2018 (“UK GDPR”) and the Data Protection Act, 2019
(together, “UK Data Protection Laws”); (c) the Swiss
Federal Data Protection Act and its implementing regulations (“Swiss DPA”); in each case, as may be amended, superseded or replaced.
“GDPR” shall mean the Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the Processing of
personal data and on the free movement of such data and repealing
Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” shall mean any information relating to an
identified or identifiable natural person; an identifiable natural
person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to
one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that
natural person forming a part of Customer Data.
“Restricted Transfer” means: (i) where the GDPR applies, a
transfer of Personal Data from the EEA to a country outside the
EEA which is not subject to an adequacy determination by the
European Commission; (ii) where the UK GDPR applies, a transfer of
Personal Data from the UK to any other country which is not based
on adequacy regulations pursuant to Section 17A of the Data
Protection Act 2018; and (iii) where the Swiss DPA applies, a
transfer of Personal Data to a country outside of Switzerland
which is not included on the list of adequate jurisdictions
published by the Swiss Federal Data Protection and Information
“Sensitive Personal Information” shall mean information
that relates to an individual’s racial or ethnic origin, political
opinions, religious or philosophical beliefs, trade union
membership, genetic data, biometric data for the purpose of
uniquely identifying a natural person, data concerning health, or
data concerning a natural person's sex life or sexual orientation.
It also includes information about an individual's criminal
offences or convictions, as well as any other information deemed
sensitive under applicable data protection laws.
“Standard Contractual Clauses” or “SCCs” means (i)
where the GDPR applies, the standard contractual clauses as
approved by the European Commission (Implementing Decision (EU)
2021/914 of 04 June 2021) Implementing Decision (EU) 2021/914 of
04 June 2021) and available at
(“EU SCCs”); (ii) where the UK GDPR applies, the
International Data Transfer Addendum to the EU SCCs issued by the
UK Information Commissioner, Version B1.0, in force from 21 March
2022 set forth as Schedule D (“UK SCCs”) and (iii) where
the Swiss DPA applies, the applicable standard data protection
clauses issued, approved or recognized by the Swiss Federal Data
Protection and Information Commissioner (the “Swiss SCCs”)
(in each case, as updated, amended or superseded from time to
“Controller”, “Data Subject”, “Personal Data Breach”, “Processor” and “Process(ing)” shall have the
meaning given to them in the GDPR.
Scope and Responsibilities
This DPA applies to Processing of Personal Data originating
from the UK, EEA and/or Switzerland.
The Company shall Process Personal Data only on the Customer’s
behalf and at all times only in accordance with this DPA. For
the avoidance of doubt, the Company shall be the Processor
where Customer is the Controller of the Personal Data and
where Customer is the Processor, the Company shall be the
sub-processor of Personal Data.
Within the scope of the Terms, each Party shall be responsible
for complying with its respective obligations as Controller
and Processor under Data Protection Laws.
Term and Termination
This DPA becomes effective upon the Customer subscribing to
the Service(s) by agreeing to the Terms. It shall continue to
be in force and effect as long as the Company is Processing
Personal Data pursuant to the Terms and shall terminate
Where amendments are required to ensure compliance of this DPA
or a Schedule with Data Protection Laws, the Parties shall
make reasonable efforts to agree on such amendments upon the
Customer’s request. Where the Parties are unable to agree upon
such amendments, either Party may terminate the Terms in
accordance with the termination procedure contained therein.
The Company will Process Personal Data in accordance with the
Customer’s instructions. This DPA contains the Customer’s
initial instructions to the Company. The Parties agree that
the Customer may communicate any change in its initial
instructions to the Company by way of amendment to this DPA,
which shall be signed by the Parties.
For the avoidance of doubt, any instructions that would lead
to Processing outside the scope of this DPA (e.g., because a
new Processing purpose is introduced) will require a prior
agreement between the Parties and, where applicable, shall be
subject to the contract change procedure under the respective
The Company shall without undue delay inform the Customer in
writing if, in its opinion, an instruction infringes Data
Protection Laws, and provide a detailed explanation of the
reasons for its opinion in writing.
The Company will restrict its personnel from Processing Personal
Data without authorization. The Company will impose appropriate
contractual obligations upon its personnel, including relevant
obligations regarding confidentiality, data protection and data
Disclosure to Third Parties; Data Subjects Rights
The Company will not disclose Personal Data to any government
agency, court, or law enforcement except with the Customer’s
written consent or as necessary to comply with applicable
mandatory laws. If the Company is obliged to disclose Personal
Data to a law enforcement agency, the Company agrees to give
the Customer reasonable notice of the access request prior to
granting such access, to allow the Customer to seek a
protective order or other appropriate remedy. If such notice
is legally prohibited, the Company will take reasonable
measures to protect the Personal Data from undue disclosure as
if it were the Company’s own confidential information being
requested and shall inform the Customer promptly as soon as
possible if and when such legal prohibition ceases to apply.
In case the Customer receives any request or communication
from Data Subjects which relate to the Processing of Personal
Data ("Request"), the Company shall reasonably provide
the Customer with full cooperation, information and assistance
("Assistance") in relation to any such Request where
instructed by Customer.
Where the Company receives a Request, it shall (i) not
directly respond to such Request, (ii) forward the Request to
the Customer within five (5) business days of identifying the
Request as being related to the Customer and (iii) provide
Assistance according to further instructions from Customer.
Technical and Organizational Measures
The Company shall implement and maintain appropriate technical and
organizational security measures to ensure that Personal Data is
Processed according to this DPA, to provide assistance and protect
Personal Data against a Personal Data Breach ("TOMs"). Such
measures shall include the measures set out in Schedule B.
Assistance with Data Protection Impact Assessment
Where a Data Protection Impact Assessment ("DPIA") is
required under applicable Data Protection Laws for the
Processing of Personal Data, the Company shall provide, upon
request, to the Customer any information and assistance
reasonably required for the DPIA including assistance for any
communication with data protection authorities, where
required, unless the requested information or assistance is
not pertaining to the Company’s obligations under this DPA.
The Customer shall pay the Company reasonable charges for
providing the assistance in Clause 8, to the extent that such
assistance cannot be reasonably accommodated within the normal
provision of the Service(s).
Information Rights and Audit
The Company shall, in accordance with Data Protection Laws,
make available to the Customer on request in a timely manner
such information as is necessary to demonstrate compliance by
the Company with its obligations under the Data Protection
The Company shall, upon reasonable notice, allow for and
contribute to audits of its Processing of Personal Data, as
well as the TOMs (including data Processing systems, policies,
procedures and records), during regular business hours and
with minimal interruption to its business operations. Upon
Customer’s written request at reasonable intervals, Company
shall make available to Customer relevant information
regarding Company’s Processing of Personal Data in the form of
Company’s most recent third party audits and certifications,
which may include audit reports such as SOC 2, to ensure
compliance with Company’s obligations set out in this DPA.
Customer agrees that such third party audits and
certifications are sufficient to demonstrate Company’s
compliance with the obligations set out in this DPA.
The Customer shall pay the Company reasonable costs of
allowing or contributing to audits or inspections in
accordance with Clause 9.2 where the Customer wishes to
conduct more than one audit or inspection every twelve (12)
The Company will immediately refer to the Customer any
requests received from national data protection authorities
that relate to its Processing of Personal Data.
The Company undertakes to reasonably cooperate with the
Customer in its dealings with national data protection
authorities and with any audit requests received from national
data protection authorities.
Personal Data Breach Notification
In respect of any Personal Data Breach (actual or reasonably
suspected), the Company shall:
notify the Customer of a Personal Data Breach involving the
Company or a subcontractor without undue delay.
provide reasonable information, cooperation and assistance to
the Customer in relation to any action to be taken in response
to a Personal Data Breach under Data Protection Laws,
including regarding any communication of the Personal Data
Breach to Data Subjects and national data protection
Use of sub-processors
The Company has the Customer’s general authorisation for the
engagement of third-party sub-processors from an agreed list,
as set forth in Schedule A. The Company will notify the
Customer’s account administrator of any intended changes to
that list through the appointment or replacement of any
sub-processor at least fifteen (15) days in advance. The
Customer may object to the Company’s appointment or
replacement of a sub-processor prior to its appointment or
replacement, provided such objection is based on reasonable
grounds relating to data protection. In such an event, the
Company will either not appoint or replace the sub-processor
or, if this is not possible, the Company may suspend or
terminate the Service(s) (without prejudice to any fees
accrued prior to such suspension or termination).
Where the Company, with the Customer’s authorisation, engages
a sub-processor, it shall do so only by way of a binding
written contract which imposes on the sub-processor
essentially the same data protection obligations as the ones
imposed on the Company under this DPA and in accordance with
Art. 28 of the GDPR.
Where the sub-processor fails to fulfil its data protection
obligations under the subcontracting agreement, the Company
shall remain fully liable to the Customer for the fulfilment
of its obligations under this DPA and for the performance of
the sub-processor’s obligations.
International Data Transfers
The Parties agree that when the transfer of Personal Data from
the Customer to the Company is a Restricted Transfer and
applicable Data Protection Laws require that appropriate
safeguards are put in place, such transfer shall be subject to
the appropriate Standard Contractual Clauses, which shall be
deemed incorporated into and form part of this DPA as follows:
In relation to transfers of Personal Data originating from
the EEA and subject to the EU GDPR, the SCCs shall apply,
completed as follows:
Module 2 (Controller to Processor) shall apply where
the Customer is a Controller and the Company is a
Processor. Module 3 (Processor to Processor) shall
apply where the Customer is a Processor and the
Company is a sub-processor;
in Clause 7, the optional docking clause will apply;
- in Clause 9(a), Option 2 shall apply;
in Clause 11, the optional language will not apply;
in Clause 17, Option 1 will apply, and the EU SCCs
will be governed by the law of Ireland;
in Clause 18(b), disputes shall be resolved before the
courts of Ireland;
Annex I, II and III of the EU SCCs shall be deemed
completed with the information set out in Schedule A,
B and C to this DPA respectively; and
In relation to transfers of Personal Data originating from
Switzerland and subject to the Swiss DPA, the EU SCCs as
implemented under sub-paragraph (a) above will apply with
the following modifications and shall constitute the Swiss
references to Regulation (EU) 2016/679; shall be
interpreted as references to the Swiss DPA;
references to specific Articles of Regulation (EU)
2016/679; shall be replaced with the equivalent
article or section of the Swiss DPA;
references to “EU”, “Union”, “Member State”, and
“Member State law” shall be replaced with references
to “Switzerland” or “Swiss law”;
the term “member state” shall not be interpreted in
such a way as to exclude Data Subjects in Switzerland
from the possibility of suing for their rights in
their place of habitual residence (i.e., Switzerland);
Clause 13(a) and Part C of Annex I are not used and
the “competent supervisory” is the Swiss Federal Data
Protection Information Commissioner;
references to the “competent supervisory authority”
and “competent courts” shall be replaced with
references to the “Swiss Federal Data Protection
Information Commissioner” and “applicable courts of
in Clause 17, the Standard Contractual Clauses shall
be governed by the laws of Switzerland; and
With respect to transfers to which the Swiss DPA
applies, Clause 18(b) shall state that disputes shall
be resolved before the applicable courts of
Where the UK GDPR applies, the UK SCCs shall apply to
transfers of Personal Data originating in the UK to any
other country not recognized by the competent United
Kingdom regulatory authority or governmental body for the
United Kingdom as providing an adequate level of
protection for Personal Data.
For the purposes of descriptions in the SCCs, the Customer
agrees that it is the “data exporter” and the Company is the
The Parties agree that if the Standard Contractual Clauses are
replaced, amended or no longer recognized as valid under Data
Protection Laws, or if a Supervisory Authority and/or Data
Protection Law requires the adoption of an alternative
transfer solution, the data exporter and data importer will:
(i) promptly take such steps requested including putting an
alternative transfer mechanism in place to ensure the
processing continues to comply with Data Protection Laws; or
(ii) cease the transfer of Personal Data and at the data
exporter’s option, delete or return the Personal Data to the
Deletion or Return of Personal Data
Upon termination of the Customer’s account, the Company will
delete all Customer Data in accordance with the Data Retention
Period set forth in the Terms. This requirement shall not apply to
the extent that the Company is permitted by applicable law to
retain some or all of the Personal Data, in which event the
Company shall isolate and protect the Personal Data from any
In case of any conflict, the provisions of this DPA shall take
precedence over the Terms or provisions of any other agreement
with the Company.
No Party shall receive any remuneration for performing its
obligations under this DPA except as explicitly set out herein
or in another agreement.
Where this DPA requires a “written notice” or “written
request”, such notice or request can also be communicated per
email to the other Party. Notices shall be sent to the contact
persons set out in Schedule A.
Any supplementary agreements or amendments to this DPA must be
made in writing and signed by both Parties.
Should individual provisions of this DPA become void, invalid
or non-viable, this shall not affect the validity of the
remaining conditions of this DPA.
The following Schedules forms an integral part of this DPA:
LIST OF PARTIES UNDER THE SCCs
The data exporter is the entity that has subscribed to the Terms
and their contact details are as provided by them while
subscribing to the Terms.
Signature & Date: By entering into the Terms, data exporter is
deemed to have signed these SCCs incorporated herein, including
their Annexes, as of the Effective Date of the DPA.
1. Name: Humantic AI, Inc.
Address:16192 Coastal Highway, Lewes, Delaware 19958
Contact person’s name, position and contact details:
Name: Amarpreet Kalkat
Activities relevant to the data transferred under these Clauses:
As specified in Part B of Schedule A
Signature & Date: By entering into the Terms, Data Importer is
deemed to have signed these SCCs incorporated herein, including
their Annexes, as of the Effective Date of the DPA.
Role (controller/processor): Processor/sub-processor of data
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is
Unless provided otherwise by the data exporter, transferred
Personal Data relates to the following categories of Data
Subjects: data exporter’s current or potential customers, data
exporter’s potential employees, data exporter’s employees,
admins or other individuals whose Personal Data is transmitted
or made available to the data importer by the data exporter in
the course of data exporter’s use of Services.
Categories of personal data transferred
The transferred Personal Data concerns the following categories
The data exporter determines the categories of Personal Data
which could be transferred per the Service(s) as stated in the
Terms. Such categories may include the following categories of
data: name, designation, phone number, e-mail address, social
profiles and associated data, educational and employment
history, IP address, and any application-specific data
transferred by authorized personnel of the data exporter.
Sensitive data transferred (if applicable) and applied
restrictions or safeguards that fully take into consideration
the nature of the data and the risks involved, such as for
instance strict purpose limitation, access restrictions
(including access only for staff having followed specialised
training), keeping a record of access to the data,
restrictions for onward transfers or additional security
No sensitive data transferred. The data exporter shall not
disclose (and shall not permit any individual to disclose) any
Sensitive Personal Information to the data importer for
The frequency of the transfer (e.g., whether the data is
transferred on a one-off or continuous basis)
Personal Data is transferred on a continuous basis during the
term of the Customer’s account.
Nature of the processing
Collection, organisation, structuring, storage, consultation,
use, disclosure by transmission or otherwise making available,
erasure (whether or not by automated means).
Purpose(s) of the data transfer and further processing
Personal Data is transferred in the course of access and use by
the data exporter of the Services so that the data importer may
provide, support, maintain and improve the Services.
The data importer may further transfer Personal Data to
third-party service providers that host and maintain the data
importer’s applications, backup, storage, and other services as
specified in the section on sub-processors below. These
third-party service providers may have access to or Process
Personal Data for the purpose of providing these services to the
The period for which the personal data will be retained, or,
if that is not possible, the criteria used to determine that
Upon termination of the data exporter’s account, the data
importer will delete all Personal Data in accordance with clause
13 of the DPA.
For transfers to (sub-) processors, also specify subject
matter, nature and duration of the processing
|Name of the Sub-processor
|Amazon Web Services
||Hosting, infra services
||Text generation and modification
COMPETENT SUPERVISORY AUTHORITY
In respect of the SCCs:
Module 2: Transfer Controller to Processor
Module 3: Transfer Processor to Processor
Where the Customer is the data exporter, the supervisory
authority shall be the competent supervisory authority that has
over the Customer in accordance with Clause 13 of the SCCs.
TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE
The technical and organisational measures to ensure the security of
Personal Data shall be as per the SOC 2 audit report of the Company
. A copy of the Company’s SOC 2 audit report may be provided at
Customer’s request. Customer may request such copy by writing to the
Company at firstname.lastname@example.org.
LIST OF SUB-PROCESSORS
As specified in Schedule A.B.
This UK SCCs shall stand included as an addendum to the EU SCCs set
implemented under Clause 12.1 (a) of this DPA.
Part 1: Tables
For data transfers from the United Kingdom that are subject to the
UK SCCs, the UK SCCs will be deemed entered into (and incorporated
into this Data Processing Addendum by this reference) and completed
Part 2: Mandatory Clauses
In Table 1 of the UK SCCs, the Parties’ details and key contact
information shall be as set forth in Schedule A.A.
In Table 2 of the UK SCCs, information about the version of the
Approved EU SCCs, modules and selected clauses which this UK SCC
is appended to shall be as set forth in Clauses 11.1 and
12.1(a)(i), (ii), (iii), (iv) of this DPA.
In Table 3 of the UK SCCs:
Annex 1A: List of Parties: Parties are as set forth in
Annex 1B: Description of Transfer: Description of Transfer
is as set forth in Schedule A.B.
Annex II: Technical and organisational measures including
technical and organisational measures to ensure the security
of the data: TOMs are as set forth in Schedule B.
Annex III: List of Sub processors: Sub processors are as set
forth in Schedule A.B.
In Table 4 of the UK SCCs, both the data importer and the data
exporter may end the UK SCCs in accordance with the terms of the
Mandatory Clauses of the Approved Addendum, being the template
Addendum B.1.0 issued by the ICO and laid before Parliament in
accordance with s119A of the Data Protection Act 2018 on 2 February
2022, as it is revised under Section 18 of those Mandatory