
Data Processing Agreement (DPA)

Last updated: April 16, 2026

The Customer consenting to these terms (“Data Controller”) and the entity responsible for providing the Done.ai Services (or any entities owned by Done.ai Group) (“Data Processor”) have entered into this Data Processing Agreement (“DPA”). Data Controller and Data Processor are referred to collectively as the “Parties” and individually as a “Party”.

This DPA sets out the rights and obligations of the Data Controller and the Data Processor when processing Personal Data on behalf of the Data Controller. Personal Data shall have the same definition as in the General Data Protection Regulation (GDPR), article 4.1.

This DPA shall take priority over any similar provisions contained in other agreements between the Parties.

1. Background and Subject Matter

1.1 Subject Matter

This DPA forms part of the Customer License Agreement (“CLA”).

The subject matter, duration, nature and purpose of processing, types of Personal Data and categories of data subjects are described in Appendix 2 and may be further specified in the CLA or related service documentation.

The Data Controller is responsible for Personal Data and the lawfulness of the processing thereof in accordance with the applicable data protection laws. Data Controller shall perform all necessary activities as well as acquire, secure, and maintain all rights, consents and authorizations necessary for the Data Processor to comply with this DPA without violating laws or rights of any third party.

2. Processing of Personal Data

2.1 Instructions

The Data Processor shall process Personal Data only on documented instructions from the Data Controller, including with regard to transfers to third countries, unless required by law. Instructions are set out in this DPA and in Appendix 3. The Data Processor shall inform the Data Controller if any instruction infringes applicable law and may suspend processing until the instruction is confirmed.

2.3 Use of derived Personal Data

The Data Processor and its affiliates may use data derived from the Services in anonymized form, meaning data that cannot be linked to an identified or identifiable individual using reasonably available means. Such derived data may be used for the Data Processor’s own purposes, such as enhancing and providing the Service, developing new services or product offerings, identifying business trends and for other purposes, including AI.

2.4 Confidentiality

The Data Processor shall ensure that persons authorized to process Personal Data shall be bound by confidentiality obligations.

2.5 Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Such measures shall include, where relevant: access control, logging, encryption, incident management, and supplier risk management.

2.6 Personal Data breaches

The Data Processor shall notify the Data Controller in writing without undue delay after becoming aware of a Personal Data breach.

The Data Processor shall provide the Data Controller with relevant information to support the obligations in GDPR Articles 33 and 34. Such information will be provided to the extent it is in the possession and awareness of the Data Processor. The Data Processor will use its reasonable best efforts to repair and mitigate the effects of the breach.

2.7 Assistance

The Data Processor shall assist the Data Controller in fulfilling its obligations under the GDPR:

  • the Data Processor shall implement appropriate technical and organizational measures for the fulfilment of data subjects’ rights under the applicable data protection laws;
  • the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
  • the Data Processor shall assist the Data Controller by providing all necessary information to enable the Data Controller to notify the supervisory authority of a Personal Data breach;
  • the Data Processor shall assist the Data Controller by providing all necessary information to enable the Data Controller to notify the data subject of a Personal Data breach;
  • the Data Processor shall assist the Data Controller with data protection impact assessments and consultation with the supervisory authority, taking into account the nature of processing and the information available to the Data Processor.

Upon request, the Data Processor will provide the information and documentation necessary to demonstrate compliance with the applicable data protection laws.

Assistance shall be proportionate, and any costs shall be reasonable and, where possible, pre-agreed.

2.8 Deletion or return of Personal Data

The Data Processor shall delete or return Personal Data upon termination of the CLA at the choice of the Data Controller. Within thirty (30) days following the termination period of the CLA, the Data Controller shall provide the Data Processor with written instructions specifying whether the Personal Data shall be deleted or returned. If the Data Processor does not receive any instruction from the Data Controller, the Personal Data will be deleted in accordance with the Data Processor’s internal procedures.

The Data Processor shall start a process for returning the Personal Data upon receipt of valid instruction from the Data Controller. The Data Processor will take reasonable steps to ensure that such Personal Data is returned to the Data Controller as soon as possible. Returned Personal Data shall be in a readable format on a durable digital medium.

The Data Processor shall initiate a process for deletion of Personal Data upon receipt of a valid instruction from the Data Controller. The Data Processor will take reasonable steps to ensure that such Personal Data is deleted from active systems promptly.

Notwithstanding the above, due to standard backup and disaster recovery processes, residual copies of Personal Data may remain in backup systems for a limited period. Such data will be isolated from active use.

The Data Processor shall have the right to keep Personal Data in order to comply with applicable legislation and to implement its legitimate interest, such as to demonstrate that the Services have been provided in accordance with the CLA.

Personal Data may be retained after termination of the CLA to the extent necessary to establish, exercise, or defend legal claims. Such retention shall be limited to what is necessary and shall not exceed applicable statutory limitation periods. During this period, the data shall be subject to appropriate technical and organizational safeguards, including restricted access and secure storage.

3. Sub-processing

3.1 Use of Sub-processors

The Data Controller acknowledges and agrees that the Data Processor’s affiliates may process Personal Data under the obligations of this DPA for the provision of Services, and that the Data Processor and the Data Processor’s affiliates respectively may engage third-party sub-processors (“Sub-processor”) in connection with the provision of the Services. The Data Controller hereby grants the Data Processor a general written authorization to engage Sub-processors for the processing of Personal Data under this DPA. The Data Processor or the Data Processor’s affiliates have entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Data, to the extent applicable to the nature of the processing carried out by such Sub-processor. The Data Processor shall remain fully liable vis-à-vis the Data Controller for the performance of any such Sub-processor that fails to fulfil its data protection obligations.

3.2 List of Sub-processors

Current Sub-processors are listed in our online overview of Sub-processors: Sub-processors overview. The Data Processor shall notify the Data Controller in writing of any intended changes to that list through the addition or replacement of Sub-processors at least thirty (30) days in advance, given that the changes are relevant to the Services provided to the Data Controller.

3.3 Objection to Sub-processors

The Data Controller may object to the addition or replacement of a Sub-processor in writing within two (2) weeks after having received the notification, with reasons relevant for data protection. In such case, the Data Processor shall continue the processing on the terms agreed until the earliest of the following events: (i) the Data Controller decides to terminate the CLA and Personal Data is returned or deleted, or (ii) the Parties have agreed on how the continued processing will be carried out, including relevant costs.

4. Transfer of Personal Data

4.1 Location of processing and transfer of data

The Data Processor shall process Personal Data mainly in the European Economic Area (EEA). However, it may occur that Personal Data is processed in another country where the processing may be lawfully conducted according to the applicable data protection laws or based on appropriate safeguards.

Taking into account such safeguards, the Data Controller instructs the Data Processor to transfer Personal Data to the jurisdictions where the Data Controller’s Sub-processors are located according to this DPA, including the United States. If Personal Data is transferred outside the EEA to a country not subject to an adequacy decision by the European Commission, such transfers shall be governed by Standard Contractual Clauses adopted by the European Commission, supplemented where required. For transfers to the United States, the Data Processor may rely on Standard Contractual Clauses or the EU-U.S. Data Privacy Framework, as long as they remain valid bases for such transfers pursuant to applicable data protection laws and shall comply with the obligations they entail. The Data Processor shall promptly inform the Data Controller if, in its opinion, it is unable to comply with the requirements of applicable data protection laws or the agreed transfer mechanisms and shall suspend the relevant transfers until compliance can be ensured or the Data Controller provides further instructions.

4.2 Transfer impact assessment

Where required under applicable law, the Data Processor shall conduct and document transfer impact assessments and make them available to the Data Controller upon request.

5. Use of Artificial Intelligence

5.1 The Data Processor’s right to use Artificial Intelligence (AI)

The Data Processor has the right to use AI-based systems, including systems provided by Sub-processors, to perform Services under this Agreement.

AI systems can also be used to optimize, develop, test and improve its services, products and internal processes, in accordance with applicable data protection laws and based on a valid legal basis.

AI systems shall not be used to make solely automated decisions that produce legal effects or similarly significant impacts on individuals within the meaning of Article 22 GDPR.

5.2 Types of Personal Data in AI-based systems

When using AI systems, Personal Data may be processed, including but not limited to identification data, contact data, financial/transaction data and usage data. Where AI involves the processing of Personal Data, such processing is carried out in accordance with applicable data protection laws and based on a valid legal basis, such as our legitimate interest in improving our services or fulfilling our contractual obligations.

The Data Processor can also use aggregated and anonymized data in AI systems to test and improve the Service and the Data Processor’s systems in general.

5.3 Training of AI models

Personal Data may not be used to train AI models, unless the Personal Data is in anonymized form.

5.4 Security measures for AI-based systems

The Data Processor shall ensure that AI-based systems treat data confidentially, have appropriate technical and organizational safeguards, do not store data for longer than necessary and where possible use pseudonymization or anonymization.

5.5 Transparency

The Data Processor shall, upon request, provide information on how AI-based systems process Personal Data and assist the Data Controller in fulfilling the rights of data subjects.

6. Audit rights

6.1 The Data Controller’s right to audit

The Data Controller and the relevant supervising authority shall be entitled to conduct audits in accordance with the audit section in the CLA.

7. Liability

7.1 Limitations of liability

The limitations of liability set out under the CLA shall apply also to this DPA. In addition to what is stated regarding liability in the CLA, the Data Processor shall be liable for damage arising from the processing only if it has not complied with the obligations of GDPR specifically addressed to data processors or has acted outside or contrary to the Data Controller’s lawful instructions.

8. Miscellaneous

8.1 Third-party services

The Data Processor is not responsible for independent third-party processing where such services are selected and controlled by the Data Controller, for example through the Data Processor’s Application Programming Interface (API). The Data Controller is obligated to review and consider any terms or consents made available by any such third party. The Data Controller accepts and understands that the Data Processor is not involved in any Personal Data processing occurring because of the Data Controller’s use of third-party services available through the APIs made available by the Data Processor.

8.2 Other duties and rights

Other duties and rights between the Parties may be subject to the CLA or other agreements between the Data Controller and the Data Processor. If the CLA is transferred, this DPA shall be transferred accordingly.

8.3 Duration

This DPA remains valid until the CLA expires or until the DPA is terminated or replaced by another data processing agreement.

8.4 DPA takes precedence

In the event of any inconsistency between the provisions of this DPA and the provisions of the CLA, the provisions of this DPA shall prevail.

8.5 Disputes

All disputes arising out of or in connection with this DPA shall be finally settled in accordance with any applicable dispute resolution clause in the CLA.

8.6 Acceptance of DPA

This DPA is accepted electronically upon creation of a Done ID account or activation of the Services. Such acceptance constitutes the Data Controller’s documented instructions for the Data Processor to process Personal Data as described herein.

9. Amendments to the DPA

9.1 The Data Processor’s right to amend the DPA

The Data Processor may amend this DPA from time to time to reflect changes in applicable regulations, guidance from supervisory authorities, or changes in the Services.

9.2 Non-Material Changes and Material Changes

Where such amendments do not materially reduce the level of protection afforded to Personal Data or materially alter the Parties’ rights and obligations under this DPA (“Non-Material Changes”), such changes may become effective upon publication in the DPA. Where an amendment materially affects the Data Controller’s rights, obligations or materially reduces the level of protection of Personal Data (“Material Changes”), the Data Processor shall provide the Data Controller with thirty (30) days’ prior notice of such changes.

9.3 The Data Controller’s right to object

If the Data Controller reasonably objects to any Material Change within two (2) weeks from receiving information on the Material Change, the Data Controller may terminate the CLA and this DPA by providing written notice to the Data Processor. In the absence of such objection, the Data Controller’s continued use of the Services after the effective date of the amendment shall constitute acceptance of the updated DPA.

10. Change log

  • 2026-04-16: Second version contains updates due to launches of Services on the Data Controller’s webpage.

Appendix 1 – Governance

  • Privacy contact: privacy@done.ai
  • Sub-processor list: Sub-processors overview
  • Security documentation or reports: available upon request

Appendix 2 – Information about the processing

The purpose and nature of the Data Processor’s processing of Personal Data on behalf of the Data Controller is to provide, operate, maintain, and support the Service. This can include, for example, storing, organizing, and analyzing Personal Data or handling financial data.

Categories of data

  • Identification data
  • Contact data
  • Financial/transaction data
  • Usage data

Categories of data subjects

  • Data Controller’s personnel
  • End-users
  • Other individuals determined by the Data Controller

Further details may be specified in the CLA or service documentation.

Appendix 3 – Instructions on the processing

The Data Controller and the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Depending on their relevance, the measures may include the following:

  • Pseudonymisation and encryption of Personal Data;
  • the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Done.ai Group AB · +46 10 490 07 00 · contact@done.ai · Birger Jarlsgatan 2, 114 34 Stockholm · Organization number 559120-8870
