ANNEX NO. 1 TO THE TERMS AND CONDITIONS
DATA PROCESSING AGREEMENT (DPA)
PREAMBLE
This Data Processing Agreement (hereinafter: "Agreement" or "DPA") constitutes an integral part of the Terms and Conditions for the provision of electronic services via the "Dokum.ai" platform.
The Agreement regulates the rules for the processing of personal data in accordance with Art. 28 of Regulation (EU) 2016/679 (hereinafter: "GDPR").
The Parties to this Agreement are:
- The Client, hereinafter referred to as the "Controller".
- The Provider (Dokumind sp. z o.o.), hereinafter referred to as the "Processor".
§ 1. SUBJECT MATTER OF THE AGREEMENT
- The Controller entrusts the Processor with the processing of personal data pursuant to Art. 28 GDPR, and the Processor undertakes to process such data in accordance with the law and this Agreement.
- The entrustment covers personal data contained in files, documents, and content uploaded by the Controller to the Dokum.ai system (hereinafter: "Entrusted Data").
§ 2. PURPOSE, SCOPE AND DURATION OF PROCESSING
- Purpose of processing: The Entrusted Data will be processed solely for the purpose of performing the Service specified in the Terms, i.e., providing a SaaS service consisting of automatic processing, OCR, analysis of documents, and their secure storage.
- Duration: Processing lasts for the duration of the Service Agreement, extended by the migration period (Transition Period) specified in the Terms.
- Nature of data: Ordinary personal data and (depending on the content of documents uploaded by the Controller) other categories of data.
- Categories of data subjects: Contractors, employees, associates of the Controller, and other natural persons whose data is contained in documents processed within the Service.
§ 3. OBLIGATIONS OF THE PROCESSOR
The Processor undertakes to:
- Process the Entrusted Data solely on the documented instructions of the Controller. Acceptance of the Terms and the Controller's actions within the application (e.g., uploading a file, requesting an export) are considered documented instructions.
- Ensure that persons authorized to process the data have committed themselves to confidentiality.
- Take all measures required pursuant to Art. 32 GDPR (security of processing), including encryption of data in transit and at rest.
- Assist the Controller in fulfilling the obligation to respond to requests for exercising the data subject's rights (GDPR).
- Assist the Controller in reporting personal data breaches to the supervisory authority.
- Notify the Controller without undue delay, and no later than within 48 hours, after becoming aware of a personal data breach concerning the Entrusted Data.
- The Processor undertakes that the Entrusted Data (including personal data contained in documents) will not be used for training, machine learning, or improving the global AI models of the Processor or its sub-processors, unless the Controller expresses separate consent (in accordance with the anonymization principles described in the Terms).
§ 4. SUB-PROCESSING (SUB-PROCESSORS)
- The Controller grants general authorization for the Processor to engage further processors (sub-processors), in particular providers of cloud infrastructure and OCR/AI tools.
- The current list of key sub-processors is available in the Processor's Privacy Policy.
- The Processor ensures that it imposes the same data protection obligations on sub-processors as those incumbent on the Processor.
- The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors. The Controller has the right to object to such changes within 14 days.
§ 5. RIGHT TO AUDIT
- In accordance with Art. 28(3)(h) GDPR, the Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement.
- Due to the cloud-based nature of the service (SaaS), the right to audit is primarily exercised by providing security documentation and certificates.
- A direct inspection is possible in the event of a justified suspicion of a breach of regulations, following prior agreement on the date and signing of a non-disclosure agreement.
§ 6. DATA TRANSFERS OUTSIDE THE EEA
- The Processor stores data on servers located within the European Economic Area (EEA).
- In the event that data needs to be transferred to a third country (e.g., USA), such transfer will occur exclusively on the basis of:
a) An adequacy decision by the European Commission (e.g., EU-US Data Privacy Framework); or
b) Standard Contractual Clauses (SCCs).
§ 7. DELETION OF DATA
- The Processor shall delete all personal data immediately after the end of the provision of services.
- The Parties agree that data deletion occurs after the expiry of the 30-day Transition Period described in the Terms (unless the Controller requests their immediate deletion earlier). After this date, data is permanently and irreversibly deleted.
§ 8. FINAL PROVISIONS
- In matters not regulated by this Agreement, the provisions of the GDPR and the Terms shall apply.
- The Processor's liability under this Agreement is limited in accordance with the principles set out in Chapter V of the Terms.
- This Agreement is effective from the moment of acceptance of the Terms by the Client until the completion of data processing.