Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Azinove SAS ("Processor", "we", "us", or "our") and the Customer ("Controller") and applies to the extent that we process Personal Data on behalf of the Controller in the course of providing the CleverAI services.

2. Definitions

Terms used in this DPA shall have the meanings given to them in the GDPR. For clarity:

  • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data, such as collection, recording, organization, structuring, or storage.
  • Controller: The entity that determines the purposes and means of the Processing of Personal Data.
  • Processor: The entity that Processes Personal Data on behalf of the Controller.
  • Sub-processor: Any Processor engaged by the Processor.

3. Processing of Personal Data

We shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country or an international organization.
  • Ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Respect the conditions for engaging another Processor (Sub-processor).
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
  • At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors, provided that:

  • The Processor informs the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes.
  • The Processor imposes the same data protection obligations as set out in this DPA on any Sub-processor.
  • The Processor remains fully liable to the Controller for the performance of the Sub-processor's obligations.

Current Sub-processors include:

  • Cloud infrastructure providers (e.g., Vercel, AWS)
  • Analytics providers (e.g., Google Analytics, Vercel Analytics)
  • Customer support tools
  • AI model providers

5. Data Subject Rights

We shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights under the GDPR.

6. Data Breach Notification

We shall notify the Controller without undue delay after becoming aware of a Personal Data breach. Such notification will include at least:

  • A description of the nature of the Personal Data breach
  • The name and contact details of the data protection contact point
  • A description of the likely consequences of the Personal Data breach
  • A description of the measures taken or proposed to address the Personal Data breach

7. Audit Rights

We shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

8. International Transfers

We shall not transfer Personal Data to a third country or an international organization unless required to do so by Union or Member State law. In such a case, we shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

Where we transfer Personal Data to a third country or an international organization, we shall ensure that appropriate safeguards are in place, such as:

  • A decision by the European Commission that the third country, territory, or organization ensures an adequate level of protection
  • Standard data protection clauses adopted by the European Commission
  • Binding corporate rules
  • Any other appropriate safeguards as defined in Article 46 of the GDPR

9. Term and Termination

This DPA shall remain in effect for as long as we process Personal Data on behalf of the Controller under the Terms of Service. Upon termination of the Terms of Service, we shall, at the choice of the Controller, delete or return all Personal Data to the Controller, and delete existing copies unless Union or Member State law requires storage of the Personal Data.

10. Governing Law

This DPA shall be governed by the laws of France, without regard to its conflict of law principles. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Strasbourg, France.

Last updated: 4/7/2025