This Data Processing Agreement ("DPA") according to Art 28 GDPR is concluded between:
CLIENT
in the following "CONTROLLER"
and the
Cortecs GmbH
Althanstraße 4
1090 Vienna
Austria
in the following "PROCESSOR".
PROCESSOR refers to a processor within the meaning of Art. 4 No. 8 of the General Data Protection Regulation.
DATA refers to personal data within the meaning of Art. 4 No. 1 of the General Data Protection Regulation.
GDPR refers to the General Data Protection Regulation in its current version.
CONTROLLER refers to a controller within the meaning of Art. 4 No. 7 of the General Data Protection Regulation.
CONTRACTING PARTIES refers to the CONTROLLER and the PROCESSOR together.
SUB-PROCESSOR refers to another processor whose services the PROCESSOR uses to carry out certain processing activities.
According to Art. 4 No. 8 GDPR, a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller is to be qualified as a processor. In this case, the contracting parties are obliged to conclude a data processing agreement in accordance with Art. 28 GDPR. By signing this DPA, the contracting parties comply with this obligation. The processor provides sufficient guarantees that appropriate technical and organizational measures will be implemented in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects (Art. 28 para. 1 GDPR).
This contract is concluded for an indefinite period. It ends as soon as the provision of the commissioned service ends. The subject and nature of this DPA can be described as follows:
Types of DATA: Any personal data submitted via prompts, authentication data, usage metadata and user identifiers
Categories of data subjects: End users of controller, Employees, Customers, Individuals whose personal data is entered into the routing system
The PROCESSOR will process DATA only on documented instruction from the CONTROLLER within the framework of the agreement made – including with regard to the transfer of DATA to a third country or an international organization – unless the PROCESSOR is obliged to do so by the law of the European Union or the Member States to which the PROCESSOR is subject; in such a case, the PROCESSOR will inform the CONTROLLER of these legal requirements before processing, unless the relevant law prohibits such notification due to an important public interest.
The PROCESSOR ensures that persons authorized to process the DATA have committed themselves to confidentiality or are under an appropriate statutory obligation of secrecy. This obligation continues even after the contractual relationship has ended.
The PROCESSOR ensures that all measures required under Article 32 GDPR are taken.
The PROCESSOR has provided the CONTROLLER with a list of the specific technical and organizational measures (hereinafter referred to as "TOMs") that have been taken or are being implemented on an ongoing basis before the conclusion of this data processing agreement. This list of TOMs is attached to this contract as Annex I and is to be regularly re-evaluated and adjusted by the PROCESSOR.
The PROCESSOR will assist the CONTROLLER, considering the nature of the processing, with appropriate technical and organizational measures to the extent possible, in fulfilling the CONTROLLER's obligation to respond to requests for exercising the rights of the data subject as set out in Chapter III of the GDPR. The PROCESSOR will only provide information to third parties or data subjects upon instruction from the CONTROLLER.
The PROCESSOR will assist the CONTROLLER, considering the nature of the processing and the technical information available to them, in complying with the obligations set out in Articles 32 to 36 of the GDPR.
The PROCESSOR will, after the completion of the processing services, either delete or return all DATA at the choice of the CONTROLLER, unless there is an obligation to store the DATA under Union law or the law of the Member States.
The PROCESSOR will provide the CONTROLLER with all necessary information to demonstrate compliance with the obligations laid down in Art. 28 GDPR and will allow for and contribute to audits – including inspections – conducted by the CONTROLLER or another auditor mandated by the CONTROLLER.
The PROCESSOR will inform the CONTROLLER without delay if they believe that an instruction violates the GDPR or other data protection provisions of the Union or Member States.
If the PROCESSOR engages the services of another processor (hereinafter referred to as SUB-PROCESSOR) to carry out certain processing activities on behalf of the CONTROLLER, the same data protection obligations as set out in the contract or other legal instruments between the CONTROLLER and the PROCESSOR will be imposed on this SUB-PROCESSOR by means of a contract or other legal instrument under Union law or the law of the relevant Member States. In particular, sufficient guarantees must be provided that the appropriate technical and organizational measures will be implemented in such a manner that the processing will meet the requirements of the GDPR. If the SUB-PROCESSOR fails to fulfill its data protection obligations, the PROCESSOR will be liable to the CONTROLLER for the compliance with the obligations of that SUB-PROCESSOR.
Recipient of the data | Purpose of the data processing | Legal basis | Headquarters | Processing location(s) | Basis for transfer to a third country [1] |
---|---|---|---|---|---|
Scaleway SAS | Generative AI inference | Legitimate Interest (Art 6 para 1 lit f GDPR); contractual obligation (Art 6 para 1 lit b GDPR) | France | France, Poland | Within the EU |
DataCrunch Oy | Generative AI inference | Legitimate Interest (Art 6 para 1 lit f GDPR); contractual obligation (Art 6 para 1 lit b GDPR) | Finland | Finland | Within the EU |
Nebius B.V. | Generative AI inference | Legitimate Interest (Art 6 para 1 lit f GDPR); contractual obligation (Art 6 para 1 lit b GDPR) | Finland | Finland | Within the EU |
Mistral AI SAS | Generative AI inference | Legitimate Interest (Art 6 para 1 lit f GDPR); contractual obligation (Art 6 para 1 lit b GDPR) | France | France | Within the EU |
OVH SA | Generative AI inference | Legitimate Interest (Art 6 para 1 lit f GDPR); contractual obligation (Art 6 para 1 lit b GDPR) | France | France | Within the EU |
STACKIT GmbH & Co. KG | Generative AI inference | Legitimate Interest (Art 6 para 1 lit f GDPR); contractual obligation (Art 6 para 1 lit b GDPR) | Germany | Germany | Within the EU |
IONOS SE | Generative AI inference | Legitimate Interest (Art 6 para 1 lit f GDPR); contractual obligation (Art 6 para 1 lit b GDPR) | Germany | Germany | Within the EU |
T-Systems International GmbH | Generative AI inference | Legitimate Interest (Art 6 para 1 lit f GDPR); contractual obligation (Art 6 para 1 lit b GDPR) | Germany | Germany | Within the EU |
Microsoft Ireland Operations Limited | Generative AI inference | Legitimate Interest (Art 6 para 1 lit f GDPR); contractual obligation (Art 6 para 1 lit b GDPR) | US | Spain, Sweden | EU-US Data Privacy Framework |
Google Cloud EMEA Limited | Generative AI inference | Legitimate Interest (Art 6 para 1 lit f GDPR); contractual obligation (Art 6 para 1 lit b GDPR) | US | Poland, Finland, Sweden, Spain, Belgium, Germany, Netherlands, France, Italy | EU-US Data Privacy Framework |
Amazon Web Services EMEA SARL | Generative AI inference | Legitimate Interest (Art 6 para 1 lit f GDPR); contractual obligation (Art 6 para 1 lit b GDPR) | US | Ireland, France | EU-US Data Privacy Framework |
Auth0, Inc. | User authentication | Contractual necessity (Art 6 para 1 lit b GDPR) | US | EEA | EU-US Data Privacy Framework (regarding Non-HR Data) |
Stripe, Inc. | Payment processing | Contractual necessity (Art 6 para 1 lit b GDPR) | US | EEA | EU-US Data Privacy Framework |
The CONTROLLER agrees to the engagement of the mentioned SUB-PROCESSORS. The CONTROLLER grants a general authorization for the PROCESSOR to engage other SUB-PROCESSORS. However, the PROCESSOR must always inform the CONTROLLER of any intended changes regarding the engagement or replacement of other SUB-PROCESSORS. The CONTROLLER has the right to object to such changes within 14 days (Art. 28 para. 2 GDPR), otherwise, consent is assumed. The PROCESSOR undertakes to comply with the conditions set out in Art. 28 para. 2 and 4 GDPR for the engagement of another SUB-PROCESSOR (Art. 28 para. 3 lit d GDPR).
Invalid provisions of individual contractual components of this DPA do not affect the validity of the remaining provisions. Instead of the invalid provisions, appropriate replacement provisions shall apply, which, in light of the purpose of the contract, come closest to what the CONTRACTING PARTIES would have intended if they had known about the invalidity. The same applies to contractual gaps. In case of doubt, the rules of Art. 28 GDPR shall apply.
This agreement (and all contractual components related to it) is governed by Austrian law and is deemed to be validly agreed upon. The application of the United Nations Convention on Contracts for the International Sale of Goods (CISG) is excluded.
For the resolution of disputes regarding the validity of this agreement (and all contractual components related to it), arising from the contract and after the termination of this contract, the court with jurisdiction over the 9th district of Vienna is exclusively declared competent.
The PROCESSOR is entitled to separate reimbursement of the costs of the cooperation required by law and by this contract (in particular in the course of an audit or the exercise of data subject rights). No reimbursement is owed, however, where the effort involved is very low (less than one hour per month).
All personal data is transmitted over secure communication channels. Encryption in transit is ensured using Transport Layer Security (TLS), which protects data in transit from interception, manipulation, or disclosure. All APIs and web interfaces are reachable only via HTTPS; plaintext HTTP connections are not accepted.
Access to systems and data is restricted to authorized users through authentication and authorization controls. Authentication is enforced using mechanisms such as passwords, API keys, and bearer tokens. Access rights are assigned according to user roles and responsibilities, following the principle of least privilege, so that users can access only the functions necessary for their tasks.
The collection and processing of personal data is strictly limited to what is necessary for the intended purpose, such as short-term caching. No data is used to train the underlying AI models, which removes the risk of conversational data leaking through model training. Mechanisms are in place that allow users to configure data retention settings and that ensure data is deleted as soon as it is no longer required.
Data is backed up regularly and stored in secure, access-controlled locations. Backup integrity is routinely verified to ensure that backups can be restored. Critical system components are deployed redundantly and monitored continuously to minimize downtime. A multi-cloud recovery strategy allows operation to continue even if an underlying cloud provider fails.
Integration of data protection principles into the development of systems, products, and services to ensure compliance with the GDPR from the outset.
Creation of clear data protection policies and procedures to ensure compliance with the GDPR and clearly define the responsibilities of employees. Ensuring that data protection policies are regularly reviewed, updated, and understood and followed by all employees.
Regular training sessions and training materials for employees to raise their awareness of data protection regulations and keep them up to date with best data protection practices.
Employees are obligated to maintain data confidentiality.
Conclusion of written contracts with processors that regulate the processing of personal data in accordance with the requirements of the GDPR and ensure that processors implement appropriate security measures.
Development of a clear plan for responding to data breaches, which includes procedures for reporting incidents, investigating data breaches, and notifying affected individuals.
The need-to-know principle is strictly implemented and technically supported by appropriate authorization concepts.