This Data Processing Agreement forms part of the Vesence agreement together with the applicable Order Form, the General Terms and Conditions, the Service Description, and Vesence's Security Requirements. The current list of sub-processors engaged under this DPA is published at vesence.com/subprocessors.
1. Background and objective
1.1 This data processing agreement ("DPA") is applicable between the Customer and Vesence in relation to Vesence's processing of personal data within the scope of the provision of the Services, as ordered by the Customer under an Order Form.
1.2 By executing an Order Form that references this DPA, the Customer agrees to the terms and conditions set out herein and that this DPA shall form an integrated part of the Agreement.
1.3 If any provision of this DPA is found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity of such provision shall not affect the other provisions hereof, and all provisions not affected by such invalidity shall remain in full force and effect.
1.4 The Customer acknowledges that Vesence, in its capacity as an EU-based processor of personal data, is required to enter into data processing agreements with data controllers on whose behalf Vesence processes personal data within the provision of the Services. Thus, the provision in this DPA applies between the Parties even if the GDPR is not applicable to the Customer.
1.5 It is acknowledged and agreed that with regard to the processing of personal data under this DPA, the Customer is the controller and Vesence is the processor for such processing, even if Customer, in practice, is processing personal data on behalf of its Affiliates (i.e. is acting as a data processor to its Affiliates and Vesence thereby is a so-called sub-processor).
1.6 The duration, nature and purpose of the processing, the types of personal data and categories of data subjects processed under this DPA are specified in Annex 1 hereto, as may be updated by the Parties as applicable from time to time.
2. Definitions
Capitalized terms used in this DPA shall have the meaning assigned to them in the Vesence General Terms and Conditions, unless the context requires otherwise. In addition to the definitions under the Vesence General Terms and Conditions, the below terms shall have the following meanings:
"Data Protection Legislation" means all EU and relevant member state legislation and regulations, including regulations and decisions issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time apply to Vesence and the Customer, including without limitation the GDPR, including any future interpretations thereof in court precedence from the EU Court of Justice or any other authorized court or supervisory authority.
"DPA" means this data processing agreement and the appendices attached hereto (as amended from time to time in accordance herewith).
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Sub-processor" means any processor engaged by Vesence, by an Affiliate of Vesence or by another Sub-processor, including Affiliates of Vesence acting as processors (as the case may be).
"Standard Contractual Clauses" or sometimes also referred to as the "EU Model Clauses" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, based on the Commission Decision (EU) 2021/914 of 4th June 2021.
The terms "controller", "processor", "data subject", "processing", "personal data", and "personal data breach", shall have the same meanings as set out in article 4 of the GDPR.
3. Customer obligations
3.1 Except as may be otherwise required under the Data Protection Legislation, the Customer shall, on behalf of any Affiliate, serve as a single point of contact for Vesence in all matters under this DPA and shall be responsible for the internal coordination, review and submission of instructions or requests to Vesence as well as the onward distribution of any information, notifications and reports provided by Vesence hereunder.
3.2 In its capacity as controller the Customer confirms (for its own part and/or on behalf of its Affiliates, as the case may be) that it is entitled to provide access to personal data to Vesence for the purposes hereof and, consequently, that it has a lawful basis and any necessary approvals from any relevant data subjects for Vesence's performance of the Services.
3.3 The Customer shall have sole responsibility for the accuracy, quality, and legality of personal data and the means by which the Customer acquired personal data.
4. Vesence undertaking and instruction
4.1 Vesence undertakes to process the personal data that it has access to under the Agreement only on behalf of Customer, for the purpose of fulfilling the Agreement and during the term of the Agreement. Vesence further undertakes:
(a) To process the personal data in accordance with the Data Protection Legislation, the Agreement and any additional documented instructions from Customer. Vesence may, however, without instructions, process information required by the laws of the European Union or national legislation in a member state to which Vesence is subject, but shall inform Customer of such requirement prior to processing, provided that Vesence is not prohibited from giving such information with reference to important grounds of public interest;
(b) To keep the personal data confidential and not to disclose the personal data to any third party or in any other way use the personal data in contradiction with the Agreement and the DPA. Vesence shall also ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) To implement all appropriate technical and organisational measures necessary in order to ensure a level of security, as required pursuant to the Data Protection Legislation (Article 32 of the GDPR), including complying with the security requirements set out in Annex 1 to this DPA and in Appendix 4 to the Agreement;
(d) To inform Customer of the technical and organisational measures it will implement in order to protect the personal data, processed on behalf of Customer. If Vesence makes changes that could affect the protection of personal data, Customer shall be informed of this well in advance before such changes are implemented in accordance with the routine set out in Annex 1 to this DPA;
(e) To assist Customer, taking into account the nature of the processing, by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests from data subjects exercising their rights laid down in Chapter III of the GDPR;
(f) To assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (implement security measures, manage personal data breaches, conduct data privacy impact assessments and participate in prior consultations with the supervisory authority) taking into account the nature of the processing and the information available to Vesence, including complying with the requirements in relation to personal data breaches set out in section 5 below; and
(g) To immediately inform Customer if, in its opinion, an instruction infringes the Data Protection Legislation.
5. Personal data breach
5.1 Vesence will inform the Customer without undue delay after it becomes aware of any personal data breach in connection with the processing of personal data under this DPA, observing the following process:
(a) Vesence will investigate the personal data breach and take reasonable measures to identify its root cause(s) and, where such breach is caused by Vesence or a Vesence Sub-processor;
(b) as information is collected or otherwise becomes available, to the extent legally permitted, Vesence will provide the Customer with a description of the personal data breach, the type of data to which the breach relates, and other information the Customer may reasonably request concerning the affected data subject(s) where such information is available to Vesence; and
(c) the Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected data subject(s) and/or the competent supervisory authorities.
5.2 The obligations set out above will not apply, to the extent that the personal data breach is caused by the Customer, the Customer's Affiliate or anyone acting for the Customer, save that Vesence will inform the Customer of the personal data breach and provide information it discovers up to the stage it identifies the breach as caused by the Customer, the Customer's Affiliate or anyone acting for the Customer. Vesence may charge the Customer for any assistance that the Customer may request when a personal data breach is attributable to or caused by the Customer.
6. Audits
Vesence shall upon the Customer's request, make all necessary information available to demonstrate compliance hereof and allow for audits, including inspections, to be performed by the Customer (or an independent third-party auditor mandated by the Customer that is reasonably acceptable to Vesence and subject to signature of a confidentiality agreement with Vesence) of Vesence relevant to the personal data processed under this DPA.
7. Sub-processors
7.1 Vesence may delegate the processing of personal data to a Sub-processor. Vesence shall ensure that it has concluded a data processing agreement with such Sub-processor on terms equivalent to and not less restrictive than the provisions in this DPA. Where a Sub-processor fails to fulfil its data protection obligations, Vesence shall remain liable for the performance of such Sub-processor's obligations.
7.2 Subject to section 7.3 below, the Customer hereby gives its general written consent and authorization to Vesence to use Sub-processors for the processing of personal data solely for the purposes set forth in this DPA. The current list of Vesence Sub-processors is available at https://www.vesence.com/subprocessors ("Sub-processor List"). Vesence will keep the Customer informed of any new appointments or replacement by updating the Sub-processor List before authorizing any new Sub-processor(s) to process personal data in connection with the provision of the Services. In order for the Customer to receive notifications of updates to the list of sub-processors, the Customer shall use a URL tracking service. Certain Sub-processors are optional for the Customer as indicated in the Sub-processor List where personnel with administrative privileges can choose between AI model providers.
7.3 The Customer may object to Vesence's use of a new Sub-processor by notifying Vesence in writing within ten (10) business days from when the Sub-processor List was updated. In the event that the Customer objects to a new Sub-processor, Vesence will use commercially reasonable efforts to provide the Services without engaging the Sub-processor subject to the objection. If such a work-around is not possible, the Customer shall be entitled to terminate the subscription of the relevant Vesence Service. In the event of such termination, the Customer shall not be entitled to any refund of any fees paid to Vesence within the scope of the Agreement.
8. Limitation of liability
8.1 The Parties' liability with respect to data subjects' claims for compensation shall be handled in accordance with article 82 of the GDPR.
8.2 The Parties acknowledge and agree that, as administrative fines are imposed on the party in breach of its obligations, neither Party shall have an obligation to indemnify the other Party for any administrative fines imposed by a supervisory authority or a court under the Data Protection Legislation.
8.3 Without prejudice to the foregoing, the Parties' liability under this DPA shall be limited in accordance with the provisions of the Vesence General Terms and Conditions.
9. Term
9.1 The DPA is effective from the effective date of the Agreement or, where this DPA is entered into on a standalone basis, from the date on which the Parties sign or otherwise agree to this DPA, and in each case for as long as Vesence processes personal data on Customer's behalf.
9.2 In the event that Vesence is in breach of its obligations under the DPA, Vesence must remedy the deficiency within thirty (30) days of Vesence being notified of the breach, or within the time period agreed between the Parties. If Vesence fails to remedy a material deficiency within the agreed time period, Customer has the right to terminate the subscription of the Services (and thereby the Agreement) with immediate effect or the longer period of notice notified by Customer.
9.3 When the Agreement expires or terminates, Vesence shall, based on Customer's instructions, delete or return to Customer, in a manner acceptable to Customer, all personal data, and delete existing copies unless storage of personal data is required pursuant to European Union law or the Member State's national law. Vesence undertakes to actively seek instructions from Customer without delay.
10. Governing law and Dispute resolution
10.1 The DPA shall be governed by the substantive laws of Sweden.
10.2 Disputes regarding the interpretation and application of the DPA shall be settled in accordance with the provisions in the Vesence General Terms and Conditions regarding dispute resolution.
Annex 1
Instructions for the processing of personal data
1. Purposes of processing
Personal data is processed by Vesence to provide the Services to Customer in the manner described in the Agreement.
2. Categories of processing
The processing of personal data includes processing with regard to the following categories of processing:
- Data Collection: The text provided by the user (documents, agreements, questions, answers, conversations) may contain personal data. This data is collected to generate responses.
- Analysis: The collected data is used to analyze the user's needs and intentions. Machine learning algorithms process this information to generate appropriate responses and insights.
3. Categories of data subjects
The categories of data subjects that will be processed are all those appearing in the agreements, documents, etc. uploaded to the Services provided under the Agreement, which may include, for example:
- Customer's employees and hired consultants.
- Contact persons and other representatives who sign/appear in agreements, documents, correspondence, etc.
- Others who appear in the data that Customer inputs into the Services.
4. Categories of personal data
The categories of personal data that will be processed include all those appearing in the agreements, documents, information etc. uploaded to the Services provided under the Agreement, which may include names, personal identification numbers, signatures, professions, shareholdings, etc.
5. Location of processing
Personal data processing is performed exclusively within the EU/EEA.
6. Retention
Considering the nature and purpose of the personal data processing, i.e., that each processing is instantaneous, no personal data is stored, resulting in no retention beyond the ongoing deletion performed within the Services, except for personal data included in prompts, so-called "agents", created by the Customer (only applicable for the Vesence Web Application), which will be retained until deleted by the Customer.
7. Technical and organizational security measures
Vesence shall process personal data in accordance with the provisions of the Agreement, including the Security Requirements in Appendix 4.