Annex to the PrivatAI Terms of Service
This Data Processing Agreement regulates the rules under which the Service Provider (hereinafter: "Processor") processes personal data for which the Client is the controller (hereinafter: "Controller"), in connection with the provision of the Service (Access to AI cluster).
1. The Controller entrusts the Processor with the processing of personal data pursuant to Art. 28 GDPR.
2. Processing takes place exclusively for the purpose and scope necessary for the performance of the Main Agreement (provision of SaaS Service).
3. This Agreement is concluded for the duration of the Main Agreement.
1. Nature of processing: Processing in IT systems (collection, recording, storage, deletion) within the Processor's local server infrastructure.
2. Type of data: Personal data that may be contained in documents (e.g., PDF, DOCX files) or queries (prompts) entered by the Controller into the Service.
3. Categories of data subjects: Persons whose data concern, and which have been placed by the Controller in the processed documents (e.g., employees, contractors of the Controller).
1. The Processor undertakes to process the entrusted data solely on the documented instruction of the Controller (using the Service functions by the Controller is considered such instruction).
2. The Processor declares that it has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in particular through: encryption of connections (SSL/TLS), physical security of the server room, access control systems.
3. The Processor ensures that persons authorized to process personal data have committed themselves to confidentiality.
4. The Processor does not use the services of other processors (sub-processors) for the main AI processing service (the entirety takes place on own infrastructure).
Upon termination of the provision of services related to processing, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies unless Union or Member State law requires storage of the personal data.