Data Processing Agreement

Last updated · June 1, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between OurAI ApS (“Processor”, “OurAI”, “we”) and the customer organization that has subscribed to the OurAI service (“Controller”, “Customer”, “you”).

This DPA applies only to Business Customers — organizations (including sole traders acting in a professional capacity) that use OurAI in the course of a business or professional activity. If you use OurAI as an Individual Customer for personal purposes, this DPA does not apply to you. Your data is governed solely by the Privacy Policy, and OurAI is the controller for the personal data you submit.

Scope

This DPA reflects the parties’ agreement on the processing of Personal Data by OurAI on Customer’s behalf in the course of providing the OurAI service, in compliance with the EU General Data Protection Regulation (“GDPR”) and the Danish Data Protection Act.

By accepting the Agreement, the Business Customer enters into this DPA on its own behalf and, to the extent required, on behalf of its affiliates that use the service. No separate signature is required.

Definitions

Capitalized terms not defined here have the meaning given in the Agreement or in the GDPR. “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, “Sub-processor”, and “Personal Data Breach” have the meanings given in the GDPR.

“Customer Personal Data” means Personal Data that Customer or its authorized users submit to the service and that OurAI processes on Customer’s behalf.

Roles

  • Customer is the Controller of Customer Personal Data.
  • OurAI is the Processor, acting only on Customer’s documented instructions.
  • Where OurAI processes Personal Data for its own purposes — for example, account billing data and the contact details of Customer’s administrators — OurAI is an independent Controller and the Privacy Policy applies, not this DPA.

Subject matter and duration

OurAI processes Customer Personal Data for the duration of the Agreement, plus any post-termination period needed to return or delete it under the Return or deletion section.

Details of the processing

Subject matter. Provision of the OurAI service: a controlled, audited workspace for using large language models.

Nature and purpose. Hosting, transmitting, and processing prompts, conversations, files, and usage metadata on Customer’s instructions so that Customer’s authorized users can use AI models. Generating audit logs, billing data, and aggregated workspace insights.

Categories of Data Subjects. Customer’s authorized users (employees, contractors); and any individuals whose personal data is included in the content Customer’s users submit.

Categories of Personal Data. Identifiers (name, work email, user ID); authentication and session data; the content of prompts, conversations, and uploaded files, which may contain personal data chosen by Customer’s users; and usage metadata (model, token counts, timestamps, conversation ID).

Special-category data. Not requested by, and not required for, the service. Customer is responsible for ensuring that its users do not submit special-category data without an appropriate lawful basis.

Frequency of processing. Continuous, for as long as Customer uses the service.

Customer instructions

OurAI will process Customer Personal Data only on Customer’s documented instructions, including for transfers to a third country. The Agreement, this DPA, and Customer’s use of the product’s configuration controls (model permissions, retention settings, workspace policies) together constitute Customer’s documented instructions.

Confidentiality

OurAI ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations (contractual or statutory) and are trained on data-protection requirements.

Security

OurAI implements appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. OurAI may update them from time to time, provided the level of security is not reduced. These measures include at least:

  • Encryption in transit — TLS 1.2 or higher for all customer-facing endpoints and inter-service traffic.
  • Encryption at rest — for databases, backups, and storage volumes holding Customer Personal Data.
  • Access control — role-based access; least-privilege defaults; multi-factor authentication required for production access.
  • Audit logging — administrative actions on production systems are logged and reviewed.
  • Network segmentation — production environments are isolated from development and staging.
  • Backups — daily backups stored within the EU; tested restores at least annually.
  • Vulnerability management — dependency scanning, regular patching, periodic penetration testing.
  • Incident response — documented playbook, defined on-call rotation, post-incident review.
  • Personnel — confidentiality agreements; data-protection and security training; background checks where lawful and proportionate.
  • Vendor management — written contracts with Sub-processors imposing equivalent protections.
  • Data minimization and retention — retention limits configurable by Customer in the product, with default and maximum periods documented.

Detailed evidence of these measures (e.g. certifications, audit reports) is available to Customer on reasonable request under the Audit section.

Sub-processors

General authorization

Customer grants OurAI a general authorization to engage the Sub-processors listed below.

New Sub-processors

OurAI will give Customer at least 30 days’ prior notice before adding or replacing a Sub-processor (by updating the list below and notifying Customer’s admin contact or via the product). Customer may object within that window on reasonable data-protection grounds. If the parties cannot resolve the objection, Customer may terminate the affected service for convenience and receive a pro-rata refund of pre-paid fees for the unused portion.

Sub-processor obligations

OurAI imposes on each Sub-processor data-protection obligations no less protective than those in this DPA, and remains liable to Customer for any breach by a Sub-processor.

Current sub-processors

We currently engage the following Sub-processors:

  • Helsinki hosting provider ([TBD]) — primary hosting infrastructure for the managed deployment. Located in Helsinki, Finland (EU).
  • OpenAI (including Microsoft Azure OpenAI) — AI model inference, where Customer’s workspace policy permits. Located in the United States, with EU regions available via Azure.
  • Anthropic — AI model inference, where Customer’s workspace policy permits. Located in the United States.
  • Google (Gemini and Vertex AI) — AI model inference, where Customer’s workspace policy permits. Located in the United States, with EU regions available.
  • Stripe — billing and payment processing.
  • Proton — business email and document storage for business communications. Located in Switzerland.

Customer support is handled over email — no separate support-ticketing Sub-processor is engaged.

We will update this list before adding or replacing a Sub-processor, with the prior notice described above.

International transfers

Customer Personal Data is hosted in Helsinki, Finland (EU/EEA) by default. Where the Customer’s workspace configuration permits inference on AI models hosted outside the EU/EEA, the corresponding prompts and responses are transferred to the relevant provider for the duration of the inference call.

For transfers outside the EU/EEA, OurAI relies on:

  • the EU–US Data Privacy Framework adequacy decision where the recipient is certified; or
  • the European Commission’s Standard Contractual Clauses (SCCs), incorporated by reference into the agreement with the relevant Sub-processor; and
  • supplementary technical and organizational measures (encryption in transit, contractual prohibitions on training, audit rights).

Customer authorizes OurAI to enter into the SCCs (and any successor mechanism) with Sub-processors on Customer’s behalf.

Assistance to Controller

Taking into account the nature of the processing and the information available, OurAI will provide reasonable assistance to Customer to:

  • respond to requests from Data Subjects exercising their rights under the GDPR;
  • comply with its security, breach notification, data protection impact assessment (DPIA), and prior consultation obligations under the GDPR.

OurAI will pass on Data Subject requests it receives directly to Customer without responding to them itself (unless Customer instructs otherwise).

Personal Data Breach notification

OurAI will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the information the GDPR requires, to the extent then known, and will be supplemented as more information becomes available.

Return or deletion at the end of processing

On termination of the Agreement or on Customer’s written request, OurAI will, at Customer’s choice, return Customer Personal Data in a structured, machine-readable format, or delete it. Deletion will be completed within 30 days of the request or termination date, except where Union or Member State law requires longer retention (for example, Danish bookkeeping law for financial records — kept up to 5 years).

Audit

OurAI will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for audits — including inspections — conducted by Customer or an independent auditor mandated by Customer, subject to reasonable confidentiality and operational safeguards.

To minimize disruption, OurAI may satisfy an audit request by providing recent third-party certifications (e.g. ISO 27001), penetration-test summaries, or completed security questionnaires, where these reasonably address Customer’s concerns. On-site audits are limited to once per year, conducted during business hours, with at least 30 days’ notice, and at Customer’s expense, except when prompted by a confirmed Personal Data Breach.

Liability

The liability provisions of the Agreement apply to this DPA. The total combined liability of the parties under the Agreement and this DPA, taken together, is subject to the limitations in the Agreement.

Order of precedence

If there is a conflict between this DPA and the Agreement on the subject of personal data processing, this DPA controls. If there is a conflict between this DPA and the SCCs incorporated under International transfers, the SCCs control.

Governing law

This DPA is governed by the law specified in the Agreement (Danish law), without prejudice to mandatory provisions of the GDPR and any applicable Member State law.