Data Processing Agreement (DPA)

The Customer consenting to these terms (“Customer”, “Data Controller” or “Controller”) and the entity responsible for providing Done.ai Services in your region or country (or any entities owned by Done.ai) (“Supplier”, “Data Processor” or “Processor”) have entered into this Data Processor Agreement (“DPA” or “Agreement”). This Agreement replaces any previously applicable data processor agreements or terms related to privacy, data processing, and/or data security. Customer and Supplier are referred to collectively as the “Parties” and individually as a “Party”.

1. Background and Subject Matter

1.1

The Customer is the data controller with respect to personal data it controls, including data relating to its customers, employees, or other individuals processed by Done.ai (“Customer Personal Data”) under the Customer License Agreement (“CLA”). The Controller is responsible for ensuring that the processing of Customer Personal Data is lawful and has obtained all required rights, consents, and authorizations for the Processor to process such data in accordance with this DPA.

1.2

The Controller may choose to connect Done.ai Services to external systems through Done.ai’s connectors, APIs, or integrations (“Connectors”). When the Controller activates such a connection, Done.ai will retrieve and process data from the external system solely on behalf of the Controller and according to the Controller’s documented instructions.

2. Personal data to be processed

2.1

The Processor guarantees that it will process Customer Personal Data on behalf of Data Controller in accordance with the applicable data protection laws and as is necessary for Data Processor to provide the Service as provided in the CLA. Customer Personal Data will be processed in accordance with Data Controller’s documented and reasonable instructions, which Data Controller confirms are set out herein.

2.2

The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection laws.

2.3

The Supplier may use aggregated, de-identified, or anonymized data for improving and developing its services, including the training and optimization of AI models, analytics, and automations, provided that no individual natural person can be identified and that such usage complies with the Supplier’s confidentiality obligations.

2.4

The Processor shall ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.

2.5

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller and the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

2.6

The Processor shall notify the Controller in writing without undue delay after becoming aware of a Customer Personal Data breach. It shall provide the Controller with relevant information such as a description of the nature and likely consequences of the breach as well as the measures taken or proposed to be taken to address the breach. Such information will be provided to the extent it is in the possession and awareness of the Processor. The Data Processor will use its reasonable best efforts to repair and mitigate the effects of the breach.

2.7

To the extent feasible, and subject to the terms mutually agreed in the CLA, the Processor shall assist (i) the Controller by appropriate technical and organizational measures for the fulfilment of data subjects’ rights under the applicable data protection laws; and (ii) with obligations set for the Controller in the applicable data protection laws such as performance of data protection impact assessment and consultation with the supervisory authority, taking into account the nature of processing and the information available to the Processor. Upon request, the Processor will provide necessary information and documentation for the demonstration of compliance with the applicable data protection laws. The Supplier has the right to invoice the Customer for the abovementioned assistance.

2.8

When processing of Customer Personal Data is no longer required, the Processor shall, at the choice of the Data Controller, either return the Customer Personal Data to the Controller or destroy all Customer Personal Data and any copies thereof. Notwithstanding the foregoing, the Processor shall have the right to keep Customer Personal Data in order to comply with applicable legislation and to implement its legitimate interest, such as to demonstrate that the Services have been provided in accordance with the CLA.

2.9

Categories of Customer Personal Data may include account information, user data, contact data, activity logs, communication data, usage data, metadata, and any data retrieved from external systems connected through Done.ai Connectors, including but not limited to financial data, transactional data, customer records, and organizational metadata.

2.10

Done.ai shall not access or retrieve data from any external system unless explicitly authorized by the Controller through the activation of a Connector or other documented instruction.

3. Sub-processing

3.1

The Customer acknowledges and agrees that the Supplier’s affiliates may process Customer Personal Data under the obligations of this DPA for the provision of Services, and that Supplier and Supplier’s affiliates respectively may engage third-party sub-processors (“Sub-processor”) in connection with the provision of the Services. Supplier or a Supplier’s affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the processing carried out by such Sub-processor. The Processor shall remain fully liable vis-à-vis the Data Controller for the performance of any such Sub-processor that fails to fulfil its data protection obligations.

3.2

Current Sub-processors and their locations are listed in our online overview of Sub-processors: (LINK TO SUBPROCESSORS)

The Processor shall notify the Controller in writing of any intended changes of that list through the addition or replacement of sub-processors at least 30 (thirty) days in advance, given that the changes are relevant to the Services provided to the Controller.

3.3

The Controller may object to the addition or replacement of a Sub-processor in writing within 2 weeks after having received the notification, stating reasons relevant for data protection. In such case, the Processor shall continue the processing on the terms agreed until the earliest of the following events: (i) the Parties have agreed that the processing will be terminated and Customer Personal Data returned to the Data Controller or to a new service provider, or (ii) the Parties have agreed on how the continued processing will be carried out, including relevant costs.

4. Transfer of Personal Data

4.1

The Processor shall process Customer Personal Data within the European Economic Area (EEA) or in another country where such processing is lawful under applicable data protection laws and subject to appropriate safeguards. The Controller instructs the Processor to transfer personal data only to the jurisdictions where the Processor’s authorized Sub-processors are located, as listed in this DPA. All transfers of personal data outside the EEA shall be based on appropriate safeguards in accordance with Chapter V of the GDPR, including Standard Contractual Clauses or the EU-U.S. Data Privacy Framework where applicable.

4.2

The Processor has no obligation to assess the adequacy of the safeguards or to conduct a data transfer impact assessment if and to the extent that the Processor is not directly involved in the transfer of Customer Personal Data (as may be the case, e.g. when the Controller uses third party services available through an API as described in section 7.1 below). However, the Processor shall assist the Controller, upon request, in fulfilling the Controller’s obligations related to international data transfers. Such assistance may include, for example, providing the Data Controller with information that has been made available to the Processor by the parties actually transferring the Personal Data (data exporters).

4.3

Notwithstanding any other provision of this DPA, all accounting-related personal data retrieved via any Done.ai Connector shall be stored and processed exclusively within data centers located in Norway, if required by applicable Norwegian accounting legislation. Other categories of Customer Personal Data may be processed within the EU/EEA.

5. Audits

5.1

The Controller and the relevant supervising authority shall be entitled to conduct audits to ensure the Processor’s compliance with the obligations defined herein in accordance with applicable data protection laws as regards processing of Customer Personal Data. Such an audit may be conducted by the Controller once a year. An external auditor may be appointed to perform the audit, subject to confidentiality obligations reasonably acceptable to the Processor. The Controller shall give at least 30 days’ notice to the Processor prior to carrying out an audit. The Parties shall agree well in advance on the time, scope, duration and other details relating to such audits. The audit shall be conducted in a manner that does not interfere with the Processor’s business and that in no way jeopardizes the Processor’s undertakings towards third parties (including but not limited to the Processor’s customers, partners, and vendors).

5.2

The Controller shall compensate possible costs to the Processor accrued due to an audit initiated by it in accordance with the CLA unless the audit reveals material non-compliance with this DPA or the applicable data protection laws.

6. Liability

6.1

The limitations of liability set out under the CLA shall apply also to this DPA.

7. Other terms

7.1

The Processor is not responsible for Customer Personal Data processed by third parties through the Processor’s Application Programming Interface (API). The Controller is obligated to review and consider any terms or consents made available by any such third party. The Controller accepts and understands that the Processor is not involved in any personal data processing occurring because of the Controller’s use of third-party services available through the APIs made available by the Data Processor.

7.2

Other duties and rights between the Parties may be subject to the CLA or other agreements between the Data Controller and the Data Processor. If the CLA is transferred, this DPA shall be transferred accordingly.

7.3

This DPA remains valid until the CLA expires or until the DPA is terminated or replaced by another data processing agreement.

7.4

In the event of any inconsistency between the provisions of this DPA and the provisions of the CLA, the provisions of this DPA shall prevail.

7.5

All disputes arising out of or in connection with this DPA shall be finally settled in accordance with any applicable dispute resolution clause in the CLA.

7.6

The Processor is not responsible for personal data processed by third-party systems connected by the Controller, including any accounting systems, authentication providers, payment providers, or other external services integrated via Done.ai Connectors or APIs. The Controller is solely responsible for ensuring that it has the lawful basis and all required rights to instruct the Processor to retrieve and process such data.

7.7

This DPA is accepted electronically upon creation of a Done ID account or activation of the Done.ai Services. Such acceptance constitutes the Controller’s documented instructions for Done.ai to process Customer Personal Data as described herein.