Terms not otherwise defined herein shall have the meaning given to them in the EU GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:
‍
1.1. "Data Transfer" means a transfer of the Personal Data from the Controller to the Processor, or between two establishments of the Processor, or with a Sub-processor by the Processor.


1.2. “EU GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).


1.3. “Standard Contractual Clauses” means the contractual clauses attached hereto as Schedule 1 pursuant to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries which do not ensure an adequate level of data protection.


1.4. “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.


1.5. “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.


1.6. “Sub-processor” means a processor/sub-contractor appointed by the Processor for the provision of all or parts of the Services and processes the Personal Data as provided by the Controller.

This DPA sets out various obligations of the Processor in relation to the processing of Personal Data and shall be limited to the Processor’s obligations under the Agreement. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.

The Controller authorizes permission to the Processor to process Personal Data to the extent determined and regulated by the Controller. The current nature of the Personal Data is specified in Annex I to Schedule 1 of this DPA.

The objective of processing Personal Data by the Processor shall be limited to the Processor’s provision of the Services to the Controller pursuant to the Agreement.

The Processor will process Personal Data for the duration of the Agreement unless otherwise agreed upon in writing by the Controller.

The Data Controller shall:
- Ensure it has all necessary rights to provide the Personal Data to the Data Processor.
- Inform Data Subjects about the processing of their Personal Data.
- Communicate revocations of consent by Data Subjects to the Processor.
- Advise the Processor of any complaints, regulatory requests, or legal notices related to Personal Data.

The Processor will:
- Follow documented instructions from the Controller.
- Assist the Controller in responding to Data Subject requests.
- Maintain data security measures as per industry standards.
- Ensure Sub-processors meet equivalent data protection obligations.

The Processor may engage Sub-processors as listed in Annex III to Schedule 1. New Sub-processors require written notification to the Controller.

The Processor will notify the Controller without undue delay of any data breach and assist in mitigating risks and addressing regulatory requirements.

The Processor will maintain robust technical and organizational measures to ensure data security as outlined in Annex II to Schedule 1.

Upon termination of the Agreement, the Processor will return or delete all Personal Data unless retention is required by law.

Data importer(s):
- Name: OptIQ.AI
- Address: US HQ and India HQ
- Role: Processor

OptIQ.AI implements:
- Encryption of data in transit and at rest.
- Multi-factor authentication.
- Regular vulnerability assessments and penetration testing.
- Incident management and response systems.