Data Processing Agreement
between user (Company) (hereinafter referred to as "Controller") and AKI.IO GmbH, Marienburger Straße 1, 10405 Berlin, Germany, the Data Processor (hereinafter referred to as "Processor").
1. Subject-matter and duration of the Agreement
(1) Company entered into an agreement with Processor regarding the use of artificial intelligence models offered by Processor (Service Agreement). For this purpose Company created a company account within Processor’s service. It is conceivable that Company may enter personal data when using the services of Processor, which will then be processed by Processor. The subject-matter of this Agreement regarding the processing of data is the execution of the AKI.IO services as agreed within the Service Agreement.
(2) The duration of this Agreement corresponds to the duration of the Service Agreement.
(3) This Agreement shall apply without prejudice to the preceding paragraph for as long as the Processor processes personal data of the Controller (including backups).
(4) Insofar as other arrangements on the protection of personal data arise from other agreements between the Controller and the Processor, this Agreement regarding the processing of personal data shall take precedence, unless the parties expressly agree otherwise.
2. Specification of the Agreement Details
(1) Nature and purpose of the intended processing of Data
The nature and purpose of the processing of personal data by the Processor for the Controller is the provision of the AKI.IO service. This includes the processing of requests to the API. The purpose of the analysis and processing is to provide API services within the AKI.IO service and to ensure billing modalities (e.g., token-based billing). API services are optimised exclusively on the basis of anonymised or purely technical metadata; content data is not used for this purpose.
Personal data is processed exclusively in data centers within the European Union, mostly in Germany. Personal data is not processed in third countries within the meaning of the GDPR.
Content data (in particular prompts, text entries, documents, or generated responses) is not logged, stored, or evaluated. Only purely technical metadata that does not allow any conclusions to be drawn about content or affected persons may be processed.
(2) Type of Data
The subject-matter of the processing of personal data comprises all personal data entered by Company or Company’s users into the artificial intelligence models offered by Processor. This could comprise the following data types/categories (list/description of the data categories):
- User IDs
- Usage Data (e.g., API accesses, log data without content of requests and responses)
- Contact Details (Name, Email address)
- Contract and Billing Data (Contractual/Legal Relationships, Contractual or Product Interest)
- Disclosed Information (from third parties, e.g. Credit Reference Agencies or from Public Directories...)
(3) Categories of data subjects
The categories of data subjects are customers of the Controller including its affiliated companies, employees of the Controller, service users, communication partners, end customers (customers or users of the Controller) or users of the API services, and other data subjects.
3. Technical and organisational measures
(1) The Processor shall take all necessary technical and organizational measures in its area of responsibility in accordance with Article 32 GDPR to protect personal data, as specified in more detail in its documentation of Technical and Organizational Measures (TOM), which the Processor shall provide to the Controller for inspection upon request. If approved by the Controller, the documented measures become the basis of the Agreement.
(2) Insofar as the inspection/audit by the Controller reveals the need for amendments, such amendments shall be implemented by mutual agreement.
(3) The agreed technical and organizational Measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures in the future. In so doing, the security level of the defined measures must not be reduced. The Controller shall be informed immediately of any significant changes which have to be documented by the Processor without delay.
4. Rights of the data subject
(1) The Processor shall support the Controller within its area of responsibility and as far as possible by means of appropriate technical and organizational measures in responding to requests from data subjects. The Processor must not at its own discretion respond to data subject requests concerning access to data, portability, rectification, erasure or the restriction of processing of data being processed on behalf of the Controller, but only on documented instructions from the Controller. Insofar as the Data Subject contacts the Processor directly, the Processor will immediately forward the Data Subject’s request to the Controller.
(2) Insofar as it is included in the scope of services, the right of access, to rectification, to restriction of processing, to erasure and to data portability shall be ensured directly by the Processor in accordance with documented instructions from the Controller.
5. Quality assurance and other duties of the Processor
(1) In addition to complying with the rules of this Agreement, the Processor shall comply with its own legal obligations under the GDPR; accordingly, the Processor ensures compliance with the following requirements in particular:
- Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The Processor entrusts only such employees with the data processing outlined in this Agreement who have been bound to confidentiality and have previously been made aware of the data protection provisions relevant to their work. The Processor and any person acting under its authority who has authorised access to personal data shall process that data only on instructions from the Controller (which include the powers granted in this Agreement), unless required to do so by law.
- The Controller and the Processor shall cooperate, on request, with the supervisory authority in performance of its tasks.
- The Controller shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Agreement. This also applies insofar as the Processor is under investigation or is party to an investigation by a competent authority in connection with infringements of any Civil or Criminal Law, or Administrative Rule or Regulation regarding the processing of personal data in connection with this Agreement.
- Insofar as the Controller is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim or information request in connection with the processing by the Processor under this Agreement, the Processor shall make every effort to support the Controller.
- The Processor shall periodically monitor the internal processes and the Technical and Organizational Measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
- The Technical and Organizational Measures shall be verifiable by the Controller as part of the Controller’s inspection powers referred to in item 8 of this Agreement.
- The Processor shall report breaches of the protection of personal data to the Controller without delay in such a way that the Controller can fulfil its legal obligations, in particular in accordance with Articles 33 and 34 of the GDPR. It shall prepare documentation on the entire breach, which shall be made available to the Controller for further measures.
- The Processor shall support the Controller in its area of responsibility and, as far as possible, in providing information to supervisory authorities and data subjects, and shall make all relevant information available immediately to the Controller in this regard.
- Insofar as the Controller is obliged to carry out a data protection impact assessment, the Processor shall support the Controller taking into account the type of processing and the information available to it. The same applies to any existing obligation to consult the competent data protection supervisory authority.
6. Subcontracting
(1) Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services commissioned by the Processor, such as telecommunication services, postal / transport services, cleaning or guarding services. IT services shall constitute a subcontracting relationship if they are provided for IT systems which are used for this Agreement. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements including technical and organizational measures and take appropriate inspection measures to ensure the data protection and the data security of the Controller's data, even in the case of outsourced ancillary services.
(2) At the time of conclusion of the contract, the Processor engages the following subcontractors:
- AIME GmbH, Marienburger Straße 1, 10405 Berlin, Germany, Phone +49 30 459 54 380, Email: hello@aime.info. Service: Provision of preconfigured high-performance computing hardware, which is provided in the form of cloud GPU instances hosted in European data centers.
Processor shall not engage any further sub-processors to process personal data on behalf of the Controller except for the service providers expressly named to the Controller. The Processor may commission subcontractors (additional Processors) only after prior explicit written or documented authorisation from the Controller.
(3) The transfer of personal data from the Controller to the subcontractor and the subcontractor’s commencement of the data processing shall only be undertaken after compliance with all requirements has been achieved. Compliance with and implementation of the technical and organizational measures at the subcontractor shall be inspected by the Processor in advance of the processing of personal data, taking into account the risk at the subcontractor, and then on a regular basis. The Processor shall make the inspection results available to the Controller upon request. The Processor shall also ensure that the Controller can exercise its rights under this contract (in particular its inspection rights) directly against the subcontractors.
(4) If the subcontractor provides the agreed service outside the EU/EEA, the Processor shall ensure compliance with EU Data Protection Regulations by appropriate measures. The same applies if service providers are to be used within the meaning of Paragraph 1 Sentence 2.
(5) Further outsourcing by the subcontractor requires the express consent of the main Controller (at the minimum in text form).
7. International data transfers
(1) Any transfer of personal data to a third country or to an international organization requires documented instructions from the Controller and compliance with the requirements for the transfer of personal data to third countries pursuant to Chapter V of the GDPR.
The undertaking of the contractually agreed Processing of Data shall be carried out exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA).
(2) Insofar as the Controller instructs a data transfer to third parties in a third country, the Controller shall be responsible for compliance with Chapter V of the GDPR.
8. Supervisory powers of the Controller
(1) The Controller has the right, after consultation with the Processor, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to convince itself of the compliance with this Agreement by the Processor in its business operations during normal business hours by means of random checks, which are ordinarily to be announced in good time.
(2) The Processor shall ensure that the Controller is able to verify compliance with the obligations of the Processor in accordance with Article 28 GDPR. The Processor undertakes to give the Controller the necessary information on request and, in particular, to demonstrate the execution of the Technical and Organizational Measures.
9. Authority of the Controller to issue instructions
(1) The Processor shall process personal data only on the basis of documented instructions from the Controller, unless it is obliged to process such data under the law of the Member State or under Union law. The Controller shall immediately confirm oral instructions (at the minimum in text form). The Controller's initial instructions shall be determined by this Agreement.
(2) The Processor shall inform the Controller immediately if it considers that an instruction violates Data Protection Regulations. The Processor shall then be entitled to suspend the execution of the relevant instructions until the Controller confirms or changes them.
10. Deletion and return of personal data
(1) Copies or duplicates of the data shall never be created without the knowledge of the Controller, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
(2) After conclusion of the contracted work, or earlier upon request by the Controller, at the latest upon termination of the Service Agreement, the Processor shall hand over to the Controller or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the Agreement that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.