The parties agree that this Data Processing Agreement (“DPA”) sets forth their obligations with respect to the processing and security of Customer Data and Personal Data. This DPA is incorporated by reference into the Product Terms or Service agreement in place between the parties relating to the provision of Vorkee services or products.
Agmis, UAB (company code 301425669) (“Agmis”) is the Data Processor, and Customer is the Data Controller.
This DPA governs the processing of Personal Data (as defined under the General Data Protection Regulation (EU) 2016/679 (“GDPR”)) by the Data Processor in connection with the provision of the services to Customer.
This DPA is effective as of the Effective Date of the Agreement or such later date as set forth below. When Customer renews or purchases a new subscription for services, the then-current DPA Terms will apply and will not change during the term of Customer’s subscription.
- Definitions
For the purposes of this Appendix, the terms used shall have the following meanings:
“Data Controller”: The entity that determines the purposes and means of processing Personal Data.
“Data Processor”: The entity that processes Personal Data on behalf of the Data Controller.
“Personal Data”: Any information relating to an identified or identifiable natural person, as defined in the GDPR.
“Processing”: Any operation performed on Personal Data, including collection, recording, storage, use, and deletion.
“Sub-Processor”: Any third party engaged by the Data Processor to process Personal Data.
“Services”: The software-as-a-service solution provided by the Data Processor, including the AI program “Vorkee” running on cloud infrastructure (e.g., Amazon Web Services).
- Scope and Purpose of Processing
The Data Processor shall process Personal Data only for the purpose of performing the Services as outlined in the Agreement.
For purposes of this DPA, “to perform” a Service consists of:
- Delivering functional capabilities as licensed, configured, and used by Customer and its users, including providing personalized user experiences;
- Troubleshooting (preventing, detecting, and repairing problems); and
- Keeping programs provided as services (SaaS) up to date and performant, and enhancing user productivity, reliability, efficacy, quality, and security.
Specific examples of processing in the performance of the Services include, but are not limited to:
- Storing and hosting Personal Data on cloud infrastructure (Amazon Web Services).
- Running AI processing and analysis on Personal Data to deliver the Services.
- Transmitting Personal Data as required to deliver the Services to the Data Controller.
The Data Processor shall process Personal Data only as instructed by the Data Controller and for the duration of the Agreement. The Data Processor shall not process Personal Data for any other purpose unless explicitly required by law.
- Processing Incident to Providing Services to Customer
For purposes of this DPA, “business operations” means the processing operations authorized by Customer in this section.
Customer authorizes the Data Processor:
- to create aggregated statistical, non-personal data from data containing pseudonymized identifiers (such as usage logs containing unique, pseudonymized identifiers); and
- to calculate statistics related to Personal Data;
in each case without accessing or analyzing the content of the Personal Data and limited to achieving the purposes below, each as incident to providing the Services to Customer.
Those purposes are:
- billing and account management;
- compensation such as calculating employee commissions and partner incentives;
- internal reporting and business modeling, such as forecasting, revenue, capacity planning, and product strategy; and
- financial reporting.
When processing for these business operations, Data Processor will apply principles of data minimization and will not use or otherwise process the data for: (a) user profiling, (b) advertising or similar commercial purposes, or (c) any other purpose, other than for the purposes set out in this section. In addition, as with all processing under this DPA, processing for business operations remains subject to the Data Processor’s confidentiality obligations.
- Categories of Personal Data and Data Subjects
The following categories of Personal Data and data subjects are relevant for the processing activities under the Agreement:
Types of Personal Data: The types of Personal Data processed by the Data Processor when providing the Services include: (i) Personal Data that Customer elects to include in its use of the provided SaaS program (Vorkee); and (ii) those expressly identified in Article 4 of the GDPR that may be generated, derived or collected by the Data Processor. The types of Personal Data that Customer elects to include may be any categories of Personal Data identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR.
Categories of Data Subjects: The categories of data subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers, and may include any other categories of data subjects as identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR.
- Data Processor Obligations
The Data Processor agrees to:
- Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures to protect Personal Data.
- Assist the Data Controller in complying with its obligations under the GDPR, including responding to requests from data subjects exercising their rights (e.g., access, rectification, erasure).
- Notify the Data Controller without undue delay if it becomes aware of any data breach or security incident affecting Personal Data.
The Data Processor will not disclose or provide access to any Personal Data except: (1) as Customer directs; (2) as described in this DPA; or (3) as required by law.
- Sub-Processors
The Data Controller authorizes the Data Processor to use Sub-Processors for the processing of Personal Data. The Data Processor shall:
- Ensure that any Sub-Processor engaged is bound by contractual obligations that are at least as protective of Personal Data as those in this DPA.
- Provide the Data Controller with a list of Sub-Processors used to process Personal Data (if applicable) and inform the Data Controller of any new Sub-Processors.
- Ensure that Sub-Processors enter into written agreements with terms that comply with the GDPR.
- Security Measures
The Data Processor shall implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risks involved in processing Personal Data. These measures shall include:
- Encryption of Personal Data during transmission and at rest.
- Access control policies, including user authentication and role-based access.
- Regular security assessments and vulnerability scans.
- Data backup and recovery procedures.
- Data Subject Rights
The Data Processor shall, to the extent possible, assist the Data Controller in responding to requests from data subjects exercising their rights under the GDPR, including:
- Right of access to Personal Data.
- Right to rectification of inaccurate Personal Data.
- Right to erasure of Personal Data (the “right to be forgotten”).
- Right to restriction of processing.
- Right to portability of Personal Data.
- Right to object to processing.
If the Data Processor receives a request from a data subject regarding their Personal Data, it shall promptly forward such requests to the Data Controller.
- Data Location
Personal Data and other data, if any, provided by the Data Controller in regard to its use of the Services (Software provided as a Service), are located:
- In Amazon Web Services provided servers, and
- In servers belonging to the Data Provider.
- Data Transfers
If the Data Processor transfers Personal Data outside the European Economic Area (EEA), the Data Processor shall ensure that such transfers are in compliance with Chapter V of the GDPR, including using appropriate safeguards (e.g., Standard Contractual Clauses or Binding Corporate Rules) where necessary.
- Retention and Deletion of Personal Data
The Data Processor shall retain Personal Data only for as long as necessary to fulfill its obligations under the Agreement or as required by law. Upon termination or expiration of the Agreement, the Data Processor shall:
- Return or securely delete all Personal Data, at the Data Controller’s election, unless required by applicable law to retain it.
- Provide a written certification to the Data Controller confirming that all Personal Data has been returned or deleted.
- Audit and Inspection Rights
To the extent the Data Controller’s audit requirements under the Data Protection Requirements cannot reasonably be satisfied through audit reports, documentation or compliance information the Data Processor makes generally available to its customers, the Data Processor will promptly respond to Data Controller’s additional audit instructions. Before the commencement of an audit, the Data Controller and the Data Processor will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree will not permit the Data Processor to unreasonably delay performance of the audit. To the extent needed to perform the audit, the Data Processor will make the processing systems, facilities and supporting documentation relevant to the processing of the data by the Data Processor, its Affiliates, and its Sub-Processors available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to the Data Processor, and subject to reasonable confidentiality procedures.
- Liability
Each Party’s liability for breaches of this DPA shall be governed by the terms of the Services Agreement. The Data Processor shall indemnify and hold harmless the Data Controller against any damages, fines, or liabilities resulting from the Data Processor’s failure to comply with the obligations under this DPA or the GDPR.
- Governing Law
This DPA shall be governed in accordance with the governing law provisions set out in the Agreement.
- Miscellaneous
Amendments: Any changes or amendments to this Appendix shall be in writing and signed by both Parties.
Entire Agreement: This DPA, together with the Services Agreement, constitutes the entire agreement between the Parties regarding the processing of Personal Data.
- Acceptance and Incorporation into Main Services Agreement
The parties agree that this Data Processing Agreement (DPA) is an integral part of the main Services Agreement between the parties. This DPA will not require separate signatures but will be considered accepted by the parties upon their acceptance of the main Services Agreement. The DPA will be made available on Agmis’s website at https://agmis.com and can be reviewed by the Data Controller at any time. By entering into the Services Agreement, the parties acknowledge and agree that they have read, understood, and accepted the terms of this DPA.
In the event of any conflict between the terms of this DPA and the main Services Agreement, the terms of the Services Agreement shall prevail, unless expressly stated otherwise.