
Data Processing Agreement

Last updated: February 2025

This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and Visera P.S.A. ("Processor") for the provision of the Obsigen AI platform ("Service"). This DPA is entered into pursuant to Article 28 of the GDPR.


1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, retrieval, transmission, erasure, or destruction.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose

The Processor shall process Personal Data only on behalf of the Controller and in accordance with the Controller's documented instructions. The processing is limited to:

  • Providing the Obsigen AI platform and related services
  • Processing conversational queries and generating AI-assisted outputs
  • Account management, authentication, and billing
  • Service monitoring, analytics, and security operations

3. Categories of Data Subjects and Data

Data subjects: Controller's employees, contractors, and authorized end users of the Service.

Categories of Personal Data:

  • Identification data (name, email, job title)
  • Account and authentication data
  • Usage and session metadata
  • Content submitted in conversational queries (processed transiently)

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 6)
  • Assist the Controller in responding to data subject rights requests
  • Assist the Controller in ensuring compliance with obligations under Articles 32–36 GDPR
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of services
  • Make available all information necessary to demonstrate compliance and allow for audits

5. Sub-processors

The Processor shall not engage another processor without prior specific or general written authorization of the Controller. Where general written authorization is given, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.

Current sub-processors are listed in Annex B (available upon request). The Processor shall impose the same data protection obligations on sub-processors as set out in this DPA.


6. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Access control: Role-based access, multi-factor authentication, least-privilege principle
  • Network security: Firewall rules, intrusion detection, DDoS protection
  • Data isolation: Tenant-level logical separation of Customer Data
  • Logging and monitoring: Comprehensive audit trails, anomaly detection, SIEM integration
  • Backup and recovery: Automated backups with encryption, tested recovery procedures
  • Personnel: Background checks, security training, NDA requirements
  • Vulnerability management: Regular penetration testing, patch management, dependency scanning

7. Data Transfers

The Processor follows an EEA-first architecture. All persistent storage of Personal Data is within the European Economic Area. Where transfers outside the EEA are necessary (e.g., transient inference processing), appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
  • Transfer Impact Assessments where required
  • Supplementary technical measures (encryption, pseudonymization)

8. Data Breach Notification

In the event of a Data Breach, the Processor shall:

  • Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach
  • Provide details including: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
  • Cooperate with the Controller in investigating and remediating the breach
  • Document all breaches in accordance with Article 33(5) GDPR

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests under Chapter III of the GDPR, including rights of access, rectification, erasure, restriction, portability, and objection. The Processor shall promptly redirect any data subject requests received directly to the Controller.


10. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. Audits shall be conducted with reasonable prior notice (minimum 30 days) and during normal business hours.


11. Duration and Termination

This DPA shall remain in effect for the duration of the Service agreement. Upon termination:

  • The Processor shall, at the Controller's election, delete or return all Personal Data within 30 days
  • The Processor shall provide certification of deletion upon request
  • Obligations regarding confidentiality and data protection shall survive termination

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the main Service agreement. The Processor shall be liable for damages caused by processing that does not comply with the GDPR or this DPA.


13. Governing Law

This DPA is governed by the laws of the Republic of Poland. Any disputes shall be subject to the exclusive jurisdiction of the courts in Gdańsk, Poland.


14. Contact

For DPA-related inquiries or to request Annex documents:

Visera P.S.A.
Grunwaldzka Ave. 472 (Olivia Gate A)
80-309 Gdańsk, Poland
office@visera.digital