Natural Language Processing API | Developer Portal | Cortical.io

Data Processing Agreement V1.0

This Data Processing Agreement (“DPA”) supplements the Cortical.io “Terms and Conditions” available at https://api.cortical.io governing Customer’s use of the Cortical.io API when the GDPR applies to your use of the Cortical.io Services to process Customer Data. This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and Cortical.io AG.

1. General

Cortical.io processes personal data on behalf of the Customer within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 - General Data Protection Regulation (GDPR). This agreement regulates the rights and obligations of the Customer and Cortical.io in connection with the processing of personal data.

Terms used in this agreement are to be understood in accordance with their definition in the GDPR. In this sense, the Customer is the "controller" and Cortical.io is the "processor".

This agreement only regulates the data processing from a data protection perspective; all other aspects (in particular commercial aspects such as scope of services and remuneration) are regulated in a separate contract that refers to this agreement.

2. Subject Matter, Nature and Purpose of the Agreement

The subject of this contract is the performance of the following processing:
Provision of the Cortical.io Software (Cortical.io API) (including implementation of updates for error detection and maintenance work) for Natural Language Processing (NLP) operations with text data of the Customer, which may also contain personal data.

The processing is as follows:
The Customer sends texts, which may also contain personal data, to the Cortical.io API using various endpoints. The content of these texts is processed, and a processing result is generated and transmitted to the client. The processing result may also contain personal data. Master data and statistical data in connection with the original texts or the generated processing result are temporarily processed for the purpose and duration of carrying out updates for error detection and maintenance work and then deleted.

The processing serves the following purpose:
Increasing the efficiency (in particular acceleration, resource optimization) of the Customer’s work processes through automated processing of unstructured text data.

3. CATEGORIES OF DATA AND PERSONS CONCERNED

The following categories of data are processed: personal data that may be contained in the texts uploaded by the client (e.g. names, contact details, communication data, data relating to the data subject's concerns, etc.).

The following categories of data subjects are subject to processing: data subjects whose personal data may be contained in the texts uploaded by the client (e.g. customers, interested parties, suppliers, other business contacts, employees, applicants, etc.).

4. DURATION OF THE AGREEMENT

The duration of data processing under this DPA is determined by the Customer.

5. RIGHTS AND OBLIGATIONS OF THE CLIENT

The Customer shall inform Cortical.io immediately if it discovers errors or irregularities in connection with the processing of personal data by Cortical.io.

The Customer may designate persons authorized to issue instructions. If persons authorized to issue instructions are to be named, they shall be named in Annex 1. In the event that the persons authorized to issue instructions at the Customer change, the Customer shall inform Cortical.io of this in text form.

6. RIGHTS AND OBLIGATIONS OF CORTICAL.IO

Cortical.io undertakes to process personal data exclusively within the scope of the agreement made and in compliance with any supplementary instructions issued by the Customer. Excluded from this are statutory regulations which may oblige Cortical.io to process the data otherwise. If Cortical.io receives an official order to hand over the Customer’s data, it must - insofar as legally permissible - inform Customer of this immediately.

Cortical.io shall inform Customer immediately if it believes that an instruction from the Customer violates data protection regulations of the European Union or the Member States.

Cortical.io declares in a legally binding manner that it has obligated all persons entrusted with data processing to maintain confidentiality before commencing their activities or that they are subject to an appropriate statutory confidentiality obligation. In particular, the confidentiality obligation of the persons entrusted with data processing shall remain in force even after termination of their activity and departure from Cortical.io.

Cortical.io declares in a legally binding manner that it has taken all necessary measures to ensure the security of processing in accordance with Art. 32 GDPR (details can be found in Annex 2).

Cortical.io shall support the Customer – taking into account the type of processing and as far as possible – through technical and organizational measures, in fulfilling the Customer’s obligation to respond to requests from data subjects to exercise their rights under Chapter III of the GDPR (information, access, rectification and erasure, data portability, objection, and automated decision-making in individual cases). If a corresponding request is sent to Cortical.io and it turns out that the applicant mistakenly believes it to be the Customer of the data processing it is carrying out, Cortical.io must forward the request to the Customer immediately and inform the requestor of this.

Cortical.io shall support the Customer in complying with the Customer’s obligations set out in Art. 32 to 36 GDPR (data security measures, notifications of personal data breaches to the supervisory authority, notification of the person affected by a personal data breach, data protection impact assessment, prior consultation).

Cortical.io shall provide the Customer with all information necessary to demonstrate compliance with this agreement or the obligations arising from Art. 28 GDPR. At the request of the Customer, Cortical.io shall allow the processing activities covered by this agreement to be audited at appropriate intervals or if there are indications of non-compliance and shall contribute to such an audit. The Customer may carry out the audit itself or commission an independent auditor. Audits may include inspections of Cortical.io’s premises or physical facilities and shall be conducted with reasonable advance notice where appropriate.

After termination of this agreement, Cortical.io is obligated to delete the personal data processed on behalf of the client (insofar as this has not already been deleted in accordance with the agreement).

Cortical.io may name to the Customer the person(s) authorized to receive instructions from the Customer. If persons authorized to receive instructions are to be named, they shall be named in Annex 1. In the event that the persons authorized to receive instructions at Cortical.io change, Cortical.io shall inform the Customer of this in text form.

7. PLACE WHERE THE DATA PROCESSING IS CARRIED OUT

In principle, data processing must be carried out within the EU or the EEA. Any relocation to a third country may only take place with the consent of the client and under the conditions contained in Chapter V of the GDPR (General Data Protection Regulation) and in compliance with the provisions of this agreement. Consent is deemed to have been granted for the sub-processors mentioned below.

8. SUB-PROCESSORS

The Contractor is authorized to engage the following SaaS sub-processors:
Amazon Web Services, Inc. (“AWS”), 410 Terry Avenue North, Seattle, WA 98109-5210, USA and
Tyk Technologies Ltd, 87a Worship Street, London, EC2A 2BE, UK
Type of activities of the sub-processors: Provision of the software in the cloud using a SaaS management platform.

The Customer shall be notified in writing of any intended changes to the sub-processor in good time so that it can prohibit them if necessary. Cortical.io shall conclude the necessary agreements within the meaning of Art. 28 (4) GDPR with the sub-processor. It must be ensured that the sub-processor enters into the same obligations that are incumbent on Cortical.io on the basis of this agreement. If the sub-processor does not comply with its data protection obligations, Cortical.io shall be liable to the Customer for compliance with the obligations of the sub-processor.

9. FINAL PROVISIONS

Additional agreements must be made in writing.

Should individual parts of this agreement become invalid, this shall not affect the validity of the remaining provisions of the agreement.

Vienna, November 8th, 2023
For Cortical.io:
___________________
Rainer Kegel, CEO
___________________ on ___________________
For the Customer:
___________________
[Name, Position]

ANNEX 1

1. AUTHORIZED PERSONS OF THE CUSTOMER

Name
Email
Telephone

Name
Email
Telephone

2. PERSONS AUTHORIZED TO RECEIVE INSTRUCTIONS FROM CORTICAL.IO

Name Rainer Kegel, CEO
Email info@cortical.io

ANNEX 2

TECHNICAL AND ORGANIZATIONAL MEASURES OF CORTICAL.IO

Technical And Organizational Measures