Data Processing Agreement

1. Definitions

1.1 "Applicable Laws" means (a) European Union or Member‑State laws concerning any Controller Personal Data to which a Controller Group Member is subject and (b) all other data‑protection or privacy laws applicable to the Processing of Controller Personal Data.

1.2 "Controller Personal Data" means Personal Data Processed by Processor on behalf of Controller under the Principal Agreement.

1.3 "Data Protection Laws" means Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the CCPA/CPRA, and any other applicable data‑protection or privacy legislation.

1.4 "EEA" means the European Economic Area.

1.5 "Personal Data" has the meaning given in Applicable Laws and, for clarity, includes "personal information" as defined in the CCPA/CPRA.

1.6 "Subprocessor" means any third party engaged by Processor to Process Controller Personal Data.

2. Scope & Instructions

2.1 Roles. Controller is the data controller and determines the purposes and means of Processing Controller Personal Data. Processor Processes Controller Personal Data on Controller's documented instructions.

2.2 Instructions. Processor will Process Controller Personal Data solely: (a) to provide the Services described in the Principal Agreement; (b) as documented in this DPA and the Principal Agreement; or (c) as required by Applicable Laws. Processor will inform Controller if, in its opinion, an instruction violates Applicable Laws (unless such notification is prohibited by law).

3. Processor Personnel

Processor will ensure that its employees, agents, and contractors who have access to Controller Personal Data are bound by confidentiality obligations, receive appropriate training, and access such data only to the extent strictly necessary for the performance of the Services.

4. Security

4.1 Security Measures. Processor will implement and maintain appropriate technical and organisational measures designed to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as required by Article 32 GDPR.

4.2 Risk Assessment. In determining appropriate measures, Processor will consider the nature, scope, context, and purposes of Processing, the costs of implementation, and the risk to Data Subjects.

5. Subprocessing

5.1 Controller authorises Processor to engage Subprocessors to Process Controller Personal Data, provided that Processor enters into a written agreement with each Subprocessor imposing data‑protection obligations substantially similar to those in this DPA.

5.2 Current Subprocessors. A list of current Subprocessors (e.g., AWS, Google Cloud, Stripe, OpenAI) is available upon request. Processor will notify Controller of any intended addition or replacement of Subprocessors at least fourteen (14) days in advance, giving Controller the opportunity to object on reasonable grounds.

5.3 Processor remains liable for any Subprocessor's performance of its obligations under this DPA.

6. Data Subject Rights

Processor will assist Controller, insofar as practicable, in responding to Data Subject requests under Applicable Laws (e.g., rights of access, deletion, correction, portability, restriction, objection). If Processor receives a request directly from a Data Subject, Processor will promptly forward the request to Controller and will not respond except as required by law.

7. Personal Data Breach

7.1 Processor will notify Controller without undue delay (and in any event within seventy‑two (72) hours) after becoming aware of a Personal Data Breach affecting Controller Personal Data. The notification will include relevant details to enable Controller to comply with its breach‑reporting obligations.

7.2 Processor will cooperate with Controller and take reasonable steps to mitigate and remediate the Breach.

8. Data Protection Impact Assessments & Consultation

Upon reasonable request, Processor will provide assistance to Controller in conducting data‑protection impact assessments and prior consultations with supervisory authorities, to the extent required by Applicable Laws and related to Processor's Processing of Controller Personal Data.

9. Return & Deletion of Data

Upon termination or expiry of the Principal Agreement, Processor will, at Controller's option, delete or return all Controller Personal Data (including copies) within thirty (30) days, unless Applicable Laws require storage of the data. Processor will certify deletion upon Controller's written request.

10. Audit Rights

10.1 Processor will make available to Controller all information reasonably necessary to demonstrate compliance with this DPA and will allow for audits (including inspections) by Controller or its chosen auditor, no more than once per twelve‑month period, on at least thirty (30) days' written notice.

10.2 Audits will be conducted during normal business hours, in a manner that minimises disruption, and subject to Processor's reasonable confidentiality and security procedures.

11. International Transfers

Processor will ensure that any transfer of Controller Personal Data outside the EEA, the UK, or another jurisdiction requiring data‑transfer safeguards is made in compliance with Data Protection Laws, using appropriate safeguards such as Standard Contractual Clauses, UK IDTA, or an adequacy decision.

12. General

12.1 Governing Law & Jurisdiction. This DPA is governed by the law governing the Principal Agreement and disputes will be resolved in the forum stipulated in the Principal Agreement.

12.2 Order of Precedence. In the event of conflict between this DPA and any other part of the Principal Agreement, this DPA prevails to the extent of the conflict with respect to data‑protection matters.

12.3 Severability. If any provision of this DPA is held unenforceable, the remaining provisions will remain in full force.

12.4 Changes to Applicable Laws. Processor may amend this DPA as necessary to comply with changes in Data Protection Laws. Material changes will be notified in writing. Continued use of the Services constitutes acceptance of the amended DPA.

13. Acceptance & Contact

By executing the Principal Agreement or using the Services, Controller acknowledges and agrees to this DPA.

Contact for Privacy Matters
Email: dataprivacy@alcheme.ai
Postal: Renn Labs LLC d/b/a Alcheme, 901 Yamato Road, Suite 260, Boca Raton, FL 33431 USA