§ 01
Definitions
Capitalized terms in this DPA have the meanings set forth in the GDPR unless defined here. Specifically:
- “Controller”, “Processor”, “Personal Data”, “Personal Data Breach”, and “Processing” have the meanings given in GDPR Article 4.
- “Customer” means the entity that has accepted DEINO’s Terms of Service and is acting as Controller.
- “DEINO” means DEINO acting as Processor under this DPA.
- “Sub-processor” means any third-party Processor engaged by DEINO to assist with Processing.
- “Customer Personal Data” means Personal Data submitted to DEINO by or on behalf of Customer.
§ 02
Roles and processing scope
The parties agree that Customer is the Controller of Customer Personal Data and DEINO is the Processor. DEINO Processes Customer Personal Data only:
- On Customer’s documented instructions (the Terms of Service, this DPA, and any written instructions).
- To provide the contracted service.
- To comply with applicable law (in which case DEINO will inform Customer unless prohibited).
The subject matter, duration, nature, purpose of Processing, and types of data are set forth in Annex I (available with executed DPA).
§ 03
Customer obligations
Customer represents and warrants that:
- It has all necessary rights and consents to Process Customer Personal Data and to authorize DEINO to Process it.
- Its Processing instructions to DEINO comply with applicable law.
- It will not provide Personal Data to DEINO that requires consent it has not obtained.
- It is responsible for the accuracy, quality, and legality of Customer Personal Data.
§ 04
DEINO obligations
DEINO undertakes to:
- Process Customer Personal Data only on documented instructions.
- Ensure persons authorized to Process Customer Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures under GDPR Article 32 (see Annex II).
- Assist Customer in responding to data subject requests (rights under GDPR Articles 15–22).
- Assist Customer with Data Protection Impact Assessments and consultations with supervisory authorities.
- Notify Customer of any Personal Data Breach without undue delay (target: within 24 hours of confirmation).
- Delete or return Customer Personal Data upon termination, per Customer’s election.
- Make available all information necessary to demonstrate compliance with Article 28 and allow for audits.
§ 05
Sub-processors
Customer authorizes DEINO to engage Sub-processors. DEINO maintains a current list at /trust. DEINO will:
- Notify Customer at least 30 days before adding or replacing a Sub-processor.
- Impose data protection terms on Sub-processors that are no less protective than this DPA.
- Remain liable to Customer for the acts and omissions of its Sub-processors.
Customer may object to a new Sub-processor within 30 days on reasonable data protection grounds. If the parties cannot agree on a resolution, Customer may terminate the affected service with refund of prepaid unused fees.
§ 06
International transfers
For transfers of Customer Personal Data from the EEA, UK, or Switzerland to a third country without an adequacy decision, the parties enter into the relevant Standard Contractual Clauses (2021 EU SCCs, UK Addendum, Swiss Annex as applicable).
DEINO offers sovereign deployment options (EU-only, LATAM-only, on-prem) to eliminate cross-border transfers entirely. These are available to Enterprise customers as part of standard pricing.
Where required, DEINO will conduct transfer impact assessments and apply supplementary technical, contractual, or organizational measures.
§ 07
Security measures (Annex II summary)
DEINO implements the following technical and organizational security measures:
- Encryption: TLS 1.3 in transit; AES-256 at rest. Customer-managed keys available for Enterprise.
- Access control: SSO via SAML/OIDC; SCIM provisioning; role-based access control; audit log of administrative actions.
- Network security: WAF, DDoS protection, intrusion detection, network segmentation.
- Personnel security: background checks; mandatory security training; signed confidentiality agreements.
- Incident response: 24/7 monitoring; documented response procedures; customer notification of Personal Data Breaches without undue delay (target: within 24 hours of confirmation, per § 09).
- Business continuity: regional redundancy; documented disaster recovery; quarterly DR tests.
- Vendor management: annual security review of all Sub-processors; contractual flow-down of obligations.
- Compliance audits: SOC 2 Type I (Q1 2027) and Type II (Q3 2027); annual third-party penetration testing.
§ 08
Data subject rights
DEINO will provide reasonable assistance to Customer in fulfilling Customer’s obligation to respond to data subject requests under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection, automated decision-making).
DEINO will not respond directly to data subject requests addressed to it without Customer’s documented instruction, except where required by law.
§ 09
Personal Data Breaches
DEINO will notify Customer without undue delay (target: within 24 hours of confirmation) of any Personal Data Breach affecting Customer Personal Data. The notification will include:
- Description of the breach (nature, categories and approximate numbers of affected data subjects and records).
- Name and contact of DPO or other contact point.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate harm.
DEINO will cooperate with Customer to investigate, document, and remediate any breach, and to support Customer’s notification obligations to supervisory authorities and data subjects.
§ 10
Audit rights
Customer may audit DEINO’s compliance with this DPA once per year on 30 days written notice (or more frequently if required by supervisory authority or following a Personal Data Breach). Audits will:
- Be conducted during business hours.
- Not unreasonably interfere with operations.
- Be subject to confidentiality obligations.
- Be performed by Customer’s qualified personnel or independent auditor (excluding DEINO competitors).
DEINO may satisfy audit obligations by providing SOC 2 reports, ISO 27001 certifications, and other relevant third-party assessments. Customer-specific audits beyond these are reserved for material concerns.
§ 11
Term and termination
This DPA remains in effect for the term of the Terms of Service or until the underlying service is terminated, whichever is later. Upon termination:
- DEINO will delete or return Customer Personal Data per Customer’s election within 60 days.
- DEINO may retain Customer Personal Data to the extent required by applicable law, subject to continued protection under this DPA.
- Sections that by nature survive (confidentiality, liability, dispute resolution) remain in effect.
§ 12
Liability and governing law
Liability arising from breach of this DPA is governed by the limitation of liability provisions in the Terms of Service. Nothing in this DPA limits liability where prohibited by GDPR Article 82 or other applicable law.
This DPA is governed by the same law as the Terms of Service. For signature-ready copies of this DPA suitable for procurement, vendor management, and customer audit requirements, contact legal@deino.ai.