Data Processing Agreement

Effective Date: Monday, October 21st, 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between VeriGenAI ("Processor") and you ("Controller") for the purchase of services (collectively, the "Agreement"). This DPA reflects the parties' agreement with regard to the processing of Personal Data in accordance with applicable Data Protection Laws.

2. Definitions

In this DPA, the following terms shall have the meanings set out below:

  • "Controller": The entity that determines the purposes and means of the processing of Personal Data.
  • "Processor": VeriGenAI, which processes Personal Data on behalf of the Controller.
  • "Personal Data": Any information relating to an identified or identifiable natural person.
  • "Data Protection Laws": All applicable laws and regulations relating to the processing of Personal Data, including GDPR and any national implementing laws.
  • "GDPR": The General Data Protection Regulation (EU) 2016/679.
  • "Sub-processor": Any third party appointed by or on behalf of the Processor to process Personal Data on behalf of the Controller.

3. Subject Matter and Duration

The Processor shall process Personal Data as necessary to perform the Services pursuant to the Agreement. This DPA shall remain in effect for the duration of the Agreement unless otherwise agreed in writing.

4. Obligations of the Processor

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Assist the Controller in fulfilling its obligations to respond to data subject requests.
  • Assist the Controller in ensuring compliance with obligations related to security, breach notifications, impact assessments, and consultations with supervisory authorities.
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of Services.
  • Make available to the Controller all information necessary to demonstrate compliance with obligations under Data Protection Laws.

5. Obligations of the Controller

The Controller agrees to:

  • Comply with all applicable Data Protection Laws in the processing of Personal Data.
  • Provide documented instructions to the Processor regarding the processing of Personal Data.
  • Ensure that it has the lawful basis for processing Personal Data and transferring it to the Processor.

6. Sub-processing

The Controller authorizes the Processor to engage Sub-processors for carrying out specific processing activities. The Processor shall ensure that Sub-processors are bound by data protection obligations consistent with those of the Processor under this DPA.

7. Security Measures

The Processor shall implement appropriate technical and organizational security measures, including but not limited to:

  • Encryption of Personal Data in transit and at rest.
  • Access controls to restrict access to Personal Data.
  • Regular testing and evaluation of security measures.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach. The notification shall include sufficient information to allow the Controller to meet any obligations to report or inform data subjects of the Personal Data Breach.

9. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

10. Return or Deletion of Personal Data

Upon termination of the Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.

11. Liability

The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA shall limit the liability of either party in respect of data protection obligations under applicable law.

12. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of law provisions. You agree that any legal action or proceeding arising out of or relating to these Terms or your use of the Services shall be brought exclusively in the state or federal courts located in Plano, Texas. You hereby consent to the personal jurisdiction and venue of such courts.

13. Miscellaneous

In the event of any conflict between this DPA and any other agreements between the parties, the provisions of this DPA shall prevail with regard to data protection matters.

14. Contact Information

For any questions or requests related to this DPA, please contact:

16. Signatures

This DPA is entered into and becomes a binding part of the Agreement upon the Controller's acceptance of the Terms of Service.