Data Processing Addendum

Last modified 28.08.2024

This Data Processing Addendum (“DPA”) constitutes a legally binding agreement made between you, whether personally or on behalf of an entity (“you”) and Acuvity (“Acuvity”, “we,” “us” or “our”) (each a “Party” and together, the “Parties”), which sets forth the duties and obligations of the Parties concerning the protection, security, processing, and privacy of personal data provided or made available to Acuvity by you as part of the Services provided by Acuvity to you under this DPA.

In the course of providing the Services to you under this DPA, Acuvity may Process certain Personal Data provided or made available to Acuvity by you, and the Parties agree to comply with the following provisions concerning any such Personal Data, each acting reasonably and in good faith.

In the event of a conflict or inconsistency between the Agreement, this DPA, and any applicable Standard Contractual Clauses (“SCCs”), the terms of the following documents will prevail (in order of precedence): the SCCs; then this DPA; and then the Agreement.

Acuvity may make changes to this DPA where (a) the change is required to comply with an applicable Data Protection Law and Regulation; or (b) the change is commercially reasonable, does not materially reduce the security of the Services, does not change the scope of Acuvity’s processing of your Personal Data, and does not have a material adverse impact on your rights under this DPA.

1. Definitions

1.1 “Agreement” means the written or electronic agreement between you and Acuvity for the provision of the Services.

1.2 “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §1798.100 to §1798.199) as amended by the California Privacy Rights Act (“CPRA”), and any related regulations or guidance provided by the California Attorney General.

1.3 “Controller” means an entity that determines the purposes and means of the processing of Personal Data. It shall have the same meaning ascribed to “controller” under applicable Data Protection Laws (e.g., “Business” as defined under the CCPA).

1.4 “Data” means data provided by you to Acuvity to enable the provision of the Services.

1.5 “Data Protection Laws” means all applicable data privacy and security laws and regulations of any jurisdiction (including, without limitation, laws and regulations of the United States) applicable to the Processing of Personal Data under this DPA that is already in force or that will come into force during the term of this DPA.

1.6 “Data Subject” means the individual to whom Personal Data relates (e.g., “Consumer” as defined under the CCPA).

1.7 “Personal Data” means nonpublic personal information, personally identifiable information, personal data (as defined in the Data Protection Laws), or similar term under Data Protection Laws that is uploaded or submitted by you to Acuvity for the performance of the Services.

1.8 “Processing” means any operation or set of operations that are performed upon Personal Data, whether or not by automatic means, such as collection, recording, securing, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. “Processes” and “Process” shall be construed accordingly.

1.9 “Processor” means an entity that processes Personal Data on behalf of a Controller. It shall have the same meaning ascribed to “processor” under applicable Data Protection Laws (e.g., “Service Provider” as defined under the CCPA).

1.10 “Security Documentation” means Acuvity’s security documentation applicable to the Services, as made reasonably available by Acuvity.

1.11 “Services” means Acuvity’s provision of software and/or services as defined in the Agreement.

1.12 “Subprocessor” means another Processor engaged by Acuvity to carry out the Processing of your Personal Data.

1.13 “Supervisory Authority” means an independent public authority that is established by an applicable law to oversee data protection laws.

2. Obligations Of The Parties

2.1 Role of the Parties. You are the Controller and Acuvity is the Processor concerning the Processing of Personal Data under the DPA.

2.2 Your obligations. You shall:

  • (a) Ensure all Personal Data provided to Acuvity has been collected following applicable Data Protection Laws and that you have all authorizations and/or consents necessary to provide such Personal Data to Acuvity;

  • (b) Use the Services in compliance with Data Protection Laws;

  • (c) Provide Acuvity with instructions regarding the Processing of Personal Data for you, following all applicable laws, rules, and regulations, including the Data Protection Laws.

2.3 Acuvity’s obligations. Acuvity shall:

  • (a) Only Process Personal Data in accordance with (i) the requirements of Data Protection Laws directly applicable to Acuvity’s provision of its Services, (ii) your documented instructions, and (iii) this DPA. Acuvity will promptly notify you if it reasonably believes that your instructions are inconsistent with applicable Data Protection Laws;

  • (b) Maintain records of the Processing of any Personal Data received from you during the provision of the Services;

  • (c) Not sell, lease, or distribute Personal Data unless mutually agreed to by the Parties in a separate agreement;

  • (d) Provide such assistance as you reasonably require, and Acuvity is able to provide, to meet any applicable filing, approval, or similar requirements under Data Protection Laws.

3. Rights Of Data Subjects

Acuvity shall, to the extent legally permitted, promptly notify you if it receives a request from a Data Subject to exercise the Data Subject’s rights under applicable Data Protection Laws (“Data Subject Request”). Unless required by applicable Data Protection Laws, Acuvity shall not respond to any such Data Subject Request without your prior written consent, except to redirect the Data Subject to you. Acuvity shall assist you with appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligation to respond to a Data Subject Request under Data Protection Laws.

4. Subprocessors

You acknowledge and agree that Acuvity may engage third-party Subprocessors in connection with the provision of the Services. Acuvity shall enter into written agreements with each Subprocessor containing data protection obligations not less protective than those in this DPA concerning the protection of your Data to the extent applicable to the nature of the Services provided by such Subprocessor. Acuvity shall provide you with notice of any new Subprocessors and give you an opportunity to object before authorizing new Sub Processors to process Personal Data. If you object in writing within ten (10) days on reasonable grounds relating to the protection of the Personal Data and the Parties cannot resolve the objection, you may terminate the applicable part of the Agreement with respect to those Services which cannot be provided by Acuvity without the use of the objected Subprocessors by giving written notice to Acuvity. Acuvity shall be liable for the acts or omissions of Subprocessors to the same extent it is liable for its own actions or omissions under this DPA.

5. Security

Acuvity shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the Processing. Acuvity regularly monitors compliance with these measures.

6. Data Incident Management And Notification

Acuvity shall notify you without undue delay, but in no event in more than 72 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored, or otherwise Processed by Acuvity or its Subprocessors (“Incident”). Such notice shall summarize in reasonable detail the timing and nature of the Incident, the impact on you, and/or the Data Subjects affected by such Incident, and the corrective action taken or proposed to be taken by Acuvity. The obligations herein shall not apply to Incidents that are caused by you. The notification of or response to an Incident under this DPA will not be construed as an acknowledgment by Acuvity of any fault or liability with respect to the Incident.

7. Return And Deletion Of Your Data

Upon termination of the Agreement, or upon your written request, Acuvity shall return or delete your Data in accordance with the procedures and timeframes specified in its Security Documentation or as otherwise agreed in writing.

8. Audit Rights

You may, at your sole expense and no more than once per calendar year, request to audit Acuvity to verify compliance with the terms and conditions of this DPA and all applicable Data Protection Laws, upon sixty (60) days’ written notice. The audit shall be conducted under reasonable conditions, without disrupting Acuvity’s operations, and in a manner that does not compromise the confidentiality of other customers’ information. You and Acuvity shall mutually agree upon the scope, timing, and duration of the audit.

9. Governing Law And Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the state of California, without regard to its conflicts of law principles. Any legal action or proceeding arising under this DPA shall be brought exclusively in the courts located in [City], California.

10. Miscellaneous

10.1 Entire Agreement. This DPA constitutes the entire agreement between the Parties relating to its subject matter and supersedes all prior agreements and understandings, whether written or oral.

10.2 Amendments. No amendment or modification of this DPA shall be effective unless it is in writing and signed by both Parties.

10.3 Severability. If any provision of this DPA is held invalid or unenforceable by any court of competent jurisdiction, the other provisions of this DPA will remain in full force and effect.

10.4 Waiver. No waiver of any provision of this DPA, nor consent by a Party to the breach of or departure from any provision of this DPA, shall in any event be binding on or effective against such Party unless it is in writing and signed by such Party, and then such waiver will be effective only in the specific instance and for the purpose for which given.

10.5 Assignment. Neither Party may assign or otherwise transfer this DPA, or any of its rights or obligations hereunder, without the prior written consent of the other Party.

10.6 Counterparts. This DPA may be executed in counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument.

IN WITNESS WHEREOF, the Parties hereto have caused this DPA to be executed by their duly authorized representatives.

Acuvity has designated a data protection representative for this DPA: legal@acuvity.ai

About Acuvity

At Acuvity, our mission is to help enterprises accelerate their Gen AI adoption with confidence. Our comprehensive Gen AI Security and Governance solution is designed to secure, safeguard, and protect both enterprises and employees using AI and builders creating AI/ML apps. Without compromising on the end-user experience, our solution allows you to unlock the full potential of Gen AI, turbocharging productivity and efficiency. With Acuvity, enterprises can monitor, govern, and enforce safe Gen AI use with complete observability and control over all Gen AI apps, plugins, services, and user behavior.

To learn more, visit https://www.acuvity.ai

The content provided is for informational purposes only and subject to changes.

Copyright 2024 Acuvity Inc. All rights reserved.

Phone: +1 (408) 901 0150

Website: https://www.acuvity.ai

LinkedIn: https://www.linkedin.com/company/acuvity

Book a Demo