Products
Plugins
Open Source
This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses (âDPAâ), forms an integral part of the NeuralTrust Terms of Service Agreement, or any other written agreement that governs Customer's use of the NeuralTrust Services entered into between the entity identified as the âCustomerâ in the signature block below (âCustomerâ) and Singularly, S.L. (âNeuralTrustâ) (the âAgreementâ), and applies solely to the extent that NeuralTrust processes any Customer Personal Data in connection with the NeuralTrust Services. By signing this DPA, Customer enters into this DPA on behalf of itself and, if applicable and to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates. For the purposes of the DPA only, and except where otherwise indicated, the term âCustomerâ shall include Customer and its Authorized Affiliates.
1.1 âApplicable Data Protection Lawsâ means all data protection and privacy laws and regulations applicable to the respective party in its role in the processing of Customer Personal Data under the Agreement, which may include, to the extent applicable, European Data Protection Laws and the CCPA
1.2 âAuthorized Affiliateâ means a Customer Affiliate who is authorized to use the NeuralTrust Services under the Agreement and who has not signed their own separate "Agreement" with NeuralTrust.
1.3 âCCPAâ means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100, et seq.), as may be amended, superseded or replaced from time to time.
1.4âCustomer Contentâ means, if not defined within the Agreement, all data processed by NeuralTrust on your behalf in the course of providing the NeuralTrust Services.
1.5 âCustomer Personal Dataâ means any âpersonal dataâ or âpersonal informationâ contained within Customer Content.
1.6 âNeuralTrust Servicesâ means the Services as defined in the Terms of Service and/or any other services provided directly by NeuralTrust to Customer under the Agreement.
1.7 âEuropean Data Protection Lawsâ means (a) Regulation 2016/679 (General Data Protection Regulation) (âEU GDPRâ); (b) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (âUK GDPRâ); and (c) the Swiss Federal Data Protection Act and its implementing regulations (âSwiss Data Protection Actâ); in each case as may be amended, superseded or replaced from time to time.
1.8 âRestricted Transferâ means a transfer of personal data that is subject to European Data Protection Laws to a third country outside the European Economic Area, United Kingdom and Switzerland which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable).
1.9 âSecurity Breachâ means a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
1.10 âStandard Contractual Clausesâ or âSCCsâ means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.
1.11 âSubprocessorâ means any other processor engaged by NeuralTrust to process Customer Personal Data.
1.12 âUK Addendumâ means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioners Office under S.119 (a) of the UK Data Protection Act 2018, as updated or amended from time to time.
1.13 The terms âcontrollerâ, âdata subjectâ, âsupervisory authorityâ, âprocessorâ, âprocessâ, âprocessingâ, âpersonal dataâ, and âpersonal informationâ shall have the meanings given to them in Applicable Data Protection Laws. The term âcontrollerâ includes âbusinessâ, the term âdata subjectâ includes âconsumersâ, and the term âprocessorâ includes âservice providerâ (in each case, as defined by the CCPA).
2.1 Scope and Roles of the Parties This DPA applies when Customer Personal Data is processed by NeuralTrust as a processor in its provision of the NeuralTrust Services to Customer, who will act as either a controller or processor, as applicable, of Customer Personal Data.
2.2 Customer Processing Customer agrees that: (i) it will comply with its obligations under Applicable Data Protection Laws in its processing of Customer Personal Data and any processing instructions it issues to NeuralTrust, and (ii) it has provided notice and obtained or will obtain all consents and rights necessary under Applicable Data Protection Laws for NeuralTrust to process Customer Personal Data and provide the NeuralTrust Services pursuant to the Agreement (including this DPA).
2.3 NeuralTrust Processing NeuralTrust agrees that: (a) when NeuralTrust processes Customer Personal Data in its capacity as a processor on behalf of the Customer, NeuralTrust will: (i) comply with Applicable Data Protection Laws, and (ii) process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with Customerâs documented instructions (as set forth in the Agreement, in this DPA, or as directed by the Customer or Customerâs Authorized Users through the NeuralTrust Services). NeuralTrust is not responsible for determining if Customer's processing instructions are compliant with applicable law. However, NeuralTrust shall notify Customer in writing if, in its reasonable opinion, the Customer's processing instructions infringe Applicable Data Protection Laws, provided that Customer acknowledges that Customer Personal Data may be processed on an automated basis in accordance with Customer's use of the NeuralTrust Services.
2.4 Details of Processing The details of the processing of Customer Personal Data by NeuralTrust are set out in Annex A to the DPA.
3.1 Personnel. NeuralTrust shall ensure that any employees or personnel it authorizes to process Customer Personal Data is subject to an appropriate duty of confidentiality.
4.1 Authorization Customer provides a general authorization to NeuralTrust use of Subprocessors to process Customer Personal Data in accordance with this Section, including those Subprocessors listed at https://neuraltrust.ai/subprocessors (âSubprocessor Listâ).
4.2 Subprocessor Obligations NeuralTrust shall (i) enter into a written agreement with its Subprocessors, which includes data protection and security measures no less protective than the measures set forth in this DPA; and (ii) remain fully liable for any breach of the Agreement and this DPA that is caused by an act, error or omission of its Subprocessors to the extent that NeuralTrust would have been liable for such act, error or omission had it been caused by NeuralTrust.
4.3 Subprocessor Changes NeuralTrust will update the Subprocessor List at least thirty (30) calendar days before any new Subprocessor is permitted to process Customer Personal Data. Updates will be published at https://neuraltrust.ai/subprocessors, and NeuralTrust will notify Customers of such changes by other reasonable means, which may include email or in-product notifications.
4.4 Subprocessor Objections Customer may object to NeuralTrustâs appointment of a new Subprocessor on reasonable grounds relating to data protection by notifying NeuralTrust in writing at dpo@neuraltrust.ai within ten (10) calendar days after receiving notice pursuant to Section 4.3. In such an event, NeuralTrust and Customer will discuss those objections in good faith with a view to achieving resolution. If the parties are not able to achieve resolution, within ten (10) calendar days from NeuralTrustâs written notification, Customer, as its sole and exclusive remedy, may terminate the Order Form(s) with respect to only those aspects which cannot be provided by NeuralTrust without the use of the new Subprocessor.
5.1 Data Subject Requests Customer is responsible for responding to and complying with data subject requests (âDSRâ). The NeuralTrust Services include controls that Customer may use to assist it to respond to DSR. If Customer is unable to access or delete any Customer Personal Data using such controls, NeuralTrust shall, taking into account the nature of the processing, reasonably cooperate with Customer to enable Customer to respond to the DSR. If a data subject sends a DSR to NeuralTrust directly and where Customer is identified or identifiable from the request, NeuralTrust will promptly forward such DSR to Customer and NeuralTrust shall not, unless legally compelled to do so, respond directly to the data subject except to refer them to the Customer to allow Customer to respond as appropriate.
5.2 Data Protection Impact Assessments NeuralTrust will provide reasonably requested information regarding the NeuralTrust Services to Customer to carry out data protection impact assessments relating to the processing of Customer Personal Data and any related required consultation with supervisory authorities as required by Applicable Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.
5.3 Legal Requests If NeuralTrust receives a subpoena, court order, warrant or other legal demand from law enforcement or any public or judicial authority seeking the disclosure of Customer Personal Data, NeuralTrust will attempt to redirect the governmental body to request such Customer Personal Data directly from Customer. As part of this effort, NeuralTrust may provide Customerâs basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, NeuralTrust will give Customer reasonable notice of the legal demand to allow Customer to seek a protective order or other appropriate remedy, unless
6.1 Security Measures. NeuralTrust has implemented and will maintain appropriate technical and organizational security measures as set forth in the Information Security Policy (âSecurity Measuresâ). The Security Measures are subject to technical progress and development and NeuralTrust may update the Security Measures, provided that any updates shall not materially diminish the overall security of Customer Personal Data or the NeuralTrust Services. NeuralTrust may make available certain security controls within the NeuralTrust Services that Customer may use in accordance with the Documentation.
6.2 Security Breach Notification. In the event of a Security Breach, NeuralTrust will (a) notify Customer in writing without undue delay and in no event later than seventy-two (72) hours after becoming aware of the Security Breach; and (b) promptly take reasonable steps to contain, investigate, and mitigate any adverse effects resulting from the Security Breach. NeuralTrust will reasonably cooperate with and assist Customer with respect to any required notification to supervisory authorities or data subjects (as applicable), taking into account the nature of the processing, the information available to NeuralTrust, and any restrictions on disclosing the information (such as confidentiality).
7.1 Audit. Only to the extent Customer cannot reasonably satisfy NeuralTrust compliance with this DPA through the Audit Reports, or where required by Applicable Data Protection Laws, Customer may send a written request to conduct an audit of NeuralTrust applicable controls on an annual basis. NeuralTrust and Customer shall mutually agree on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit.
7.2 Confidentiality of Audit Report. The Audit Report, audit, and any information arising therefrom shall be considered NeuralTrust Confidential Information and may only be shared with a third party (including a third party controller) with NeuralTrust prior written agreement.
8.1 Restricted Transfers. If NeuralTrust processes Customer Personal Data in a country outside the European Economic Area, the United Kingdom, or Switzerland that is not subject to an adequacy decision under applicable data protection laws, NeuralTrust shall ensure that appropriate safeguards are in place to lawfully transfer such data, in accordance with Applicable Data Protection Laws.
8.2 Alternative Transfer Mechanisms. If a competent court or authority determines that the safeguards used for such transfers are no longer valid, the parties will work together in good faith to implement alternative, legally compliant transfer mechanisms or additional protective measures, as needed.
9.1 Backups. NeuralTrust performs regular backups of its systems for internal operational and security purposes. However, these backups are not intended to serve as a backup or disaster recovery solution for Customer Personal Data. NeuralTrust provides functionality within the NeuralTrust Services that may permit Customer to back up certain Customer Personal Data on its own. It is the Customer's obligation to backup any Customer Personal Data if desired. NeuralTrust makes no representations, warranties, or guarantees regarding the availability, integrity, or restorability of Customer Personal Data from its internal backups.
9.2 Deletion. The NeuralTrust Services include controls that Customer may use at any time during the term of the Agreement to retrieve or delete Customer Personal Data. Subject to the terms of the Agreement, NeuralTrust will delete Customer Personal Data from the NeuralTrust Services when Customer uses such controls to send an instruction to delete.
9.3 Termination. Upon termination or expiration of the Agreement and following Customerâs written request, NeuralTrust will delete or assist Customer in deleting any Customer Personal Data within its possession or control within thirty (30) days following such request.
10.1 Use of Customer Personal Data. NeuralTrust shall not process, retain, use, or disclose Customer Personal Data for any purpose other than for the purposes set out in the Agreement, DPA and as permitted under the CCPA. NeuralTrust shall not sell or share information as those terms are defined under the CCPA.
11.1 Entire Agreement. The parties agree that this DPA shall replace any existing data processing addendum, attachment, exhibit or standard contractual clauses that the parties may have previously entered into in connection with the NeuralTrust Services. NeuralTrust may update this DPA from time to time, with such updated version posted to http://neuraltrust.ai/dpa or a successor website designated by NeuralTrust; provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
11.2 Severability. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
11.3 Application to Authorized Affiliates. NeuralTrustâs obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions: (a) Customer is responsible for sharing any specific processing instructions from its Authorized Affiliates; (b) Customer remains responsible for ensuring those Affiliates comply with this DPA; and (c) if an Authorized Affiliate wishes to make a claim related to this DPA, Customer must bring that claim on their behalf, unless required otherwise by applicable law. Any such claims will be treated as if made by Customer and subject to the liability limits set out in the Agreement. Nothing in this DPA limits the rights of data subjects or supervisory authorities.
11.4 Precedence. In the event of any conflict between this DPA and any data privacy provisions set out in any agreements between the parties relating to the NeuralTrust Services, the parties agree that the terms of this DPA shall prevail.
11.5 Liability. To the fullest extent allowed by law, each partyâs total liability under this DPA and any related data protection terms will be governed by the limitation of liability section in the main Agreement.
11.6 Governing Law. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
11.7 Survival. The obligations placed upon each party under this DPA shall survive so long as NeuralTrust processes Customer Personal Data on behalf of Customer.
| LIST OF PARTIES | ||
|---|---|---|
| Data exporter | Name of the data exporter: The entity identified as the âCustomerâ in the Agreement and this DPA. Contact personâs name, position and contact details: The address and contact details associated with Customer's NeuralTrust account, or as otherwise specified in this DPA or the Agreement. Activities relevant to the data transferred: The activities specified in Annex 1(B)below. Signature and date: See front end of the DPA. Role (Controller/Processor): Controller or Processor | |
| Data importer | Name of the data importer: Singularly, S.L. Contact personâs name, position and contact details: Victor Garcia, CTO, dpo@neuraltrust.ai Activities relevant to the data transferred: The activities specified in Annex 1.B below. Signature and date: See front end of the DPA. Role (Controller/Processor): Processor |
| ANNEX 1(B): DESCRIPTION OF THE PROCESSING / TRANSFER | |
|---|---|
| Categories of data subjects whose personal data is transferred | Data subjects include individuals about whom data is provided to NeuralTrust via the NeuralTrust Services (by or at the direction of Customer), which shall include: IF CUSTOMER HAS NOT FILLED OUT THE ABOVE SECTION: Customer shall be deemed to have declared that the categories of data subjects include: (a) individual contacts, prospects, customers, business partners and vendors of Customer (who are natural persons); (b) employees or contact persons of Customerâs prospects, customers, business partners and vendors; (c) employees, agents, advisors, freelancers of Customer (who are natural persons); (d) Customerâs Authorized Users; (e) Customerâs customers or users of Customerâs systems; or (e) other individuals whose personal data is included in Customer Content. |
| Categories of personal data transferred | The types of Customer Personal Data are determined and controlled by Customer in its sole discretion, and may include, but are not limited to: IF CUSTOMER HAS NOT FILLED OUT THE ABOVE SECTION: Customer shall be deemed to have declared that the types of Customer Personal Data may include but are not limited to the following types of Customer Personal Data: (a) name, address, title, contact details; (b) conversational data such as chat logs; (c) technical information such as IP addresses and other metadata; and/or (d) any other personal data processed in the course of the Services as Customer Content. |
| Categories of personal data transferred | The types of Customer Personal Data are determined and controlled by Customer in its sole discretion, and may include, but are not limited to: IF CUSTOMER HAS NOT FILLED OUT THE ABOVE SECTION: Customer shall be deemed to have declared that the types of Customer Personal Data may include but are not limited to the following types of Customer Personal Data: (a) name, address, title, contact details; (b) conversational data such as chat logs; (c) technical information such as IP addresses and other metadata; and/or (d) any other personal data processed in the course of the Services as Customer Content. |
| Sensitive data transferred (if appropriate) | The NeuralTrust Services are not designed for the intentional collection or processing of special categories of sensitive personal data as defined under Applicable Data Protection Laws (e.g., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning a natural person's sex life or sexual orientation). NeuralTrust does not intentionally collect such data, and any such processing would occur only if Customer includes such data in Customer Content. |
| Frequency of the Transfer | Continuous or one-off depending on the services being provided by NeuralTrust. |
| Nature, subject matter and duration of the processing | Nature: NeuralTrust provides an AI security and observability platform and related services, as further described in the Agreement. Subject Matter: Customer Personal Data. Duration: The duration of the processing will be for the term of the Agreement and any period after the termination or expiry of the Agreement during which NeuralTrust processes Customer Personal Data. |
| Purpose(s) of the data transfer and further processing | NeuralTrust shall process Customer Personal Data for the following purposes: (a) as necessary for the performance of the NeuralTrust Services and NeuralTrust's obligations under the Agreement (including the DPA), including processing initiated by Authorized Users in their use and configuration of the NeuralTrust Services; and (b) further documented, reasonable instructions from Customer agreed upon by the parties (the âPurposesâ). |
| Period for which the personal data will be retained | NeuralTrust will retain Customer Personal Data for the term of the Agreement and any period after the termination or expiry of the Agreement during which NeuralTrust processes Customer Personal Data in accordance with the Agreement. |
| ANNEX 1(C): COMPETENT SUPERVISORY AUTHORITY | ||
|---|---|---|
| Content supervisory authority | The data exporter's competent supervisory authority will be determined in accordance with the EU GDPR. |
