This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Basad, s.r.o. ("Provider" or "Processor") and the user of the Service ("Customer" or "Controller").
1. Preamble & Scope
This DPA applies to the extent that the Provider processes Personal Data on behalf of the Customer in the course of providing the Service. It sets out the rights and obligations of the parties pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR).
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by the Provider on behalf of the Customer.
- "Processing" means any operation performed on Personal Data, such as collection, storage, use, or erasure.
- "Sub-processor" means any third party engaged by the Provider to assist in fulfilling its obligations.
3. Details of Processing
3.1 Subject Matter and Duration
The subject matter of the processing is the provision of the AI legal assistant Service. The duration corresponds to the term of the Agreement.
3.2 Nature and Purpose
The Provider processes Personal Data to provide, maintain, and secure the Service (SaaS), including document analysis and generation of AI outputs.
3.3 Types of Personal Data
Data contained in documents and text prompts uploaded by the Customer (e.g. names, addresses, case details) and account data.
3.4 Categories of Data Subjects
Customer's clients, employees, counterparties, or other individuals mentioned in the Customer's documents.
4. Customer Obligations (Controller)
The Customer is responsible for the lawfulness of the processing and warrants that it has a legal basis to process the Personal Data and to instruct the Provider to process it.
5. Provider Obligations (Processor)
- Instructions: Process Personal Data only on documented instructions from the Customer (including this DPA and the Service features), unless required otherwise by EU or Member State law.
- Confidentiality: Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.
- Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR).
- No Training: The Provider explicitly agrees NOT to use Customer's Personal Data to train its general AI models or Large Language Models (LLMs) for the benefit of other customers.
6. Sub-processing
The Customer grants general authorization to the Provider to engage Sub-processors. Current Sub-processors include:
- OpenAI, L.L.C. (AI Models, USA)
- Anthropic, PBC (AI Models, USA)
- Vercel Inc. (Hosting, USA)
- Amazon Web Services (AWS) (Cloud Infrastructure, EU/USA)
- Pinecone Systems Inc. (Vector Database, USA)
The Provider shall enter into written agreements with Sub-processors providing at least the same level of data protection as this DPA. Transfers to the USA are safeguarded by the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs).
7. Data Subject Rights
Taking into account the nature of the processing, the Provider shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject's rights.
8. Security Incidents
The Provider shall notify the Customer without undue delay after becoming aware of a Personal Data Breach. The notification shall contain at least the information required by Art. 33(3) GDPR.
9. Audit Rights
The Provider shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
10. Termination and Deletion
Upon termination of the Service, the Provider shall, at the choice of the Customer, delete or return all Personal Data to the Customer, unless EU or Member State law requires storage of the Personal Data.