
Data Processing Agreement

Version 1.0 · Last updated: June 4, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use between Digital Peax OÜ ("Odaq", "Processor", "we") and the customer agreeing to those Terms ("Customer", "Controller", "you"). It governs our processing of personal data on your behalf under Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

Odaq acts in two roles, as explained in our Privacy Policy. We are an independent controller for the data we collect to run our business (your account, billing, support, and security data). We act as your processor for the personal data contained in the marketing data you connect or upload, where you remain the controller. This DPA applies only to the data for which we act as your processor.

1. Roles & Scope

You are the controller (or, where you act on behalf of a third party, the processor) and Odaq is your processor (or sub-processor). Each party will comply with its obligations under applicable data-protection law. We process personal data only to provide the Service and only on your documented instructions, which consist of these Terms, this DPA, your configuration of the Service, and your use of its features.

2. Subject Matter, Duration, Nature & Purpose

  • Subject matter: our processing of personal data within Customer Content to provide the Odaq platform.
  • Duration: for the term of your subscription and until deletion of Customer Content in accordance with Section 10.
  • Nature: collection, storage, organisation, retrieval, analysis, generation of insights and content, and deletion, by automated means including AI processing.
  • Purpose: to deliver the analytical and content-generation features you request — Insight, Canvas, Scribe, and the Hive Mind memory layer.

3. Categories of Data Subjects & Personal Data

The processing concerns the categories of data subjects and personal data described in Annex I below, summarised here:

Categories of data subjects | Description
--- | ---
Customer's end users / website visitors | Individuals whose pseudonymous identifiers or behaviour appear in the Customer's connected analytics, advertising, and search data.
Customer's personnel | Employees, contractors, and authorised users acting within the Customer's account.
Individuals referenced in uploads | People identifiable in documents, assets, or prompts the Customer submits to the agents.

We do not request special categories of personal data (Art. 9). You are responsible for not submitting special-category data through the Service unless you have established a lawful basis and instructed us accordingly in writing.

4. Our Obligations as Processor

In line with Art. 28(3) GDPR, Odaq will:

  • process personal data only on your documented instructions, including for international transfers, unless required to do otherwise by EU or Member-State law (in which case we will inform you, unless that law prohibits it);
  • ensure persons authorised to process the data are bound by confidentiality;
  • implement appropriate technical and organisational measures under Art. 32 (see Annex II);
  • respect the conditions for engaging sub-processors in Section 5;
  • assist you, by appropriate measures, in responding to data-subject requests (Section 6);
  • assist you in ensuring compliance with Art. 32–36 (security, breach notification, data-protection impact assessments, prior consultation), taking into account the information available to us;
  • at your choice, delete or return personal data at the end of the services (Section 10); and
  • make available the information necessary to demonstrate compliance and allow for and contribute to audits (Section 9).

If we believe an instruction infringes the GDPR or other data-protection law, we will inform you without undue delay.

5. Sub-processors

You provide a general authorisation for Odaq to engage sub-processors to provide the Service. Our current sub-processors are listed on our Sub-processors page. Each sub-processor is bound by a written agreement imposing data-protection obligations no less protective than those in this DPA, and we remain liable for their performance.

Before adding or replacing a sub-processor, we will give at least 30 days' advance notice (by email or in-app notice). You may object on reasonable data-protection grounds within that period; if we cannot reasonably accommodate your objection, you may terminate the affected part of the Service as your exclusive remedy.

6. Assistance with Data Subject Requests

The Service provides self-service controls that let you access, correct, export, and delete Customer Content. If we receive a request from one of your data subjects relating to data we process on your behalf, we will not respond directly (except to confirm the request should be directed to you) and will forward it to you without undue delay. Taking into account the nature of the processing, we will assist you with appropriate technical and organisational measures, insofar as possible, to fulfil your obligation to respond to data-subject requests under Chapter III GDPR.

7. Personal Data Breach Notification

We will notify you without undue delay, and as a target within 72 hours, after becoming aware of a personal data breach affecting the personal data we process on your behalf. The notice will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. We will send the notice to the contact you have nominated for security notices (or, absent a nominated contact, the email on your Account) and will cooperate with you to investigate and mitigate. Our notification is not an acknowledgement of fault or liability.

8. Confidentiality & Security

We keep Customer Content confidential and apply the technical and organisational measures set out in Annex II, which we may update over time provided the level of protection is not materially decreased. Personnel with access to personal data are subject to confidentiality obligations and least-privilege access controls.

9. Audit Rights

We will make available the information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. To respect the confidentiality and security of all customers, audits are limited to once per year (unless required by a supervisory authority or following a breach), require at least 30 days' written notice, are conducted under a non-disclosure agreement during business hours without unreasonably disrupting operations, and are limited in scope to systems and records relevant to the processing under this DPA. Where available, we may satisfy audit requests by providing relevant third-party certifications or reports (for example SOC 2 or ISO/IEC 27001) in lieu of an on-site inspection.

10. Return & Deletion

On termination or expiry of the Service, we will, at your choice, return or delete the personal data we process on your behalf, and delete existing copies, unless EU or Member-State law requires storage. Customer Content remains available for export for a limited period after termination and is then deleted in the ordinary course, by default within 30 days. You may request an extension of the export window in writing before deletion. Residual copies in routine encrypted backups are overwritten on the standard backup cycle.

11. International Transfers & Standard Contractual Clauses

Where providing the Service involves transferring personal data outside the European Economic Area to a country without an adequacy decision, the transfer is governed by the EU Standard Contractual Clauses (Module Two: controller-to-processor) set out in Commission Implementing Decision (EU) 2021/914, which are incorporated into this DPA by reference and completed by the Annexes below:

  • the optional docking clause (Clause 7) applies;
  • for Clause 9, Option 2 (general written authorisation) applies, with the 30-day notice period in Section 5;
  • for Clause 11, the optional independent-dispute-resolution body is not used;
  • for Clause 17, the clauses are governed by the law of Estonia; for Clause 18, the courts of Estonia resolve disputes;
  • Annex I, II, and III of the SCCs are completed by Annexes I, II, and III of this DPA.

Where a sub-processor is certified under the EU–US Data Privacy Framework, that adequacy mechanism applies and the SCCs serve as a fallback. For transfers subject to UK or Swiss law, the UK International Data Transfer Addendum and the Swiss amendments apply to the SCCs, with references read as the equivalent UK/Swiss authorities and laws. The official SCC text is available at eur-lex.europa.eu.

12. Liability & Order of Precedence

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Use. In case of conflict, the order of precedence is: (1) the Standard Contractual Clauses; (2) this DPA; (3) the Terms of Use. Otherwise the Terms of Use remain in full force.

13. How This DPA Is Accepted

This DPA takes effect when you accept the Terms of Use and applies automatically whenever we act as your processor. For paid plans, acceptance is confirmed at checkout. Enterprise customers who require a counter-signed copy or negotiated terms may request a signed DPA by contacting info@odaq.ai. The person accepting represents that they are authorised to bind the Controller.

Annex I — Description of Processing

A. List of parties. Data exporter: the Customer (Controller), as identified in its Account. Data importer: Digital Peax OÜ (Processor), Sepapaja tn 6, 15551 Tallinn, Estonia; contact info@odaq.ai.

B. Description of transfer.

Categories of personal data | Description
--- | ---
Online identifiers & usage data | Pseudonymous IDs, cookie/device identifiers, on-site behaviour, conversion events, and audience metrics from connected GA4, Google Ads, Search Console, GTM, and Meta Ads accounts.
Marketing & performance data | Campaign, ad, keyword, SEO, and engagement data tied to the Customer's properties.
Content submitted to agents | Any personal data contained in prompts, uploaded files, or crawler inputs the Customer chooses to provide.

  • Frequency: continuous, for the duration of the subscription.
  • Nature & purpose: as described in Section 2.
  • Retention: as described in Section 10 and the Privacy Policy retention table.

C. Competent supervisory authority. Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate), Tatari 39, 10134 Tallinn, Estonia.

Annex II — Technical & Organizational Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, Odaq implements the following measures under Art. 32 GDPR:

Measure | Description
--- | ---
Encryption at rest (secrets) | OAuth access/refresh tokens for connected integrations are encrypted with AES-256-GCM before storage, with a unique initialisation vector and authentication tag per value.
Encryption in transit | All connections to and from the Service use TLS (HTTPS); plaintext transport is not accepted.
Access control & least privilege | Role-based access scoped to projects and organisations; authentication via NextAuth.js; production access restricted to authorised personnel on a need-to-know basis.
Data isolation | Customer data is logically segregated by account, project, and organisation so that one customer cannot access another's data.
Network & abuse protection | Bot/abuse protection (Cloudflare Turnstile), rate limiting, and request logging at the edge.
Resilience & backups | Managed, encrypted database with point-in-time-restore. Hosting and database run on infrastructure with high-availability and disaster-recovery capabilities.
Pseudonymisation / minimisation | Hive Mind episodic memories are PII-sanitised before storage; only data needed to provide the Service is processed.
Logging & monitoring | Security and audit logs are retained for a limited period to detect and investigate incidents.
Vendor management | Sub-processors are engaged under data processing agreements with confidentiality and security obligations consistent with Art. 28 GDPR.

Annex III — Sub-processors

The list of authorised sub-processors, including each provider's purpose, location, and transfer mechanism, is maintained on our Sub-processors page and forms part of this DPA. Changes are notified as described in Section 5.

Contact

To request a signed DPA or ask a data-processing question, contact:

info@odaq.ai

Digital Peax OÜ · Sepapaja tn 6, 15551 Tallinn · Estonia


© 2026 Digital Peax OÜ. All rights reserved.
