Data Processing Agreement

Effective: [DATE]

This Data Processing Agreement ("DPA") forms part of the Agreement between the Customer ("Controller") and DBR77 Sp. z o.o. ("Processor") for the provision of the IRIS AI-Native Plant Operating System ("Services"). This DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (GDPR) and supplements the Terms of Service and Privacy Policy.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Terms of Service or the GDPR.

  • "Controller" means the Customer, who determines the purposes and means of processing Personal Data through the Services.
  • "Processor" means DBR77 Sp. z o.o., which processes Personal Data on behalf of the Controller in connection with the Services.
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by the Processor on behalf of the Controller through the Services.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission.

2. Scope of Processing

The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the Services as described in the Agreement. The details of processing are as follows:

  • Subject matter: provision of the IRIS AI-Native Plant Operating System, including data ingestion, processing, storage, analytics, and visualization of Customer Data.
  • Duration: the Subscription Term as defined in the Agreement, plus any post-termination data retention period.
  • Nature and purpose: hosting, processing, and analyzing Customer Data to provide the Services, including AI-driven analytics, alerting, and reporting.
  • Categories of Data Subjects: the Controller's employees, contractors, operators, plant personnel, and other individuals whose data is submitted to the Services.
  • Types of Personal Data: names, email addresses, job titles, employee identifiers, access logs, activity logs, and any other personal data the Controller submits to the Services.

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by EU or Member State law — in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 8 of this DPA and our Security Policy.
  • Respect the conditions for engaging Sub-processors as set out in Section 4.
  • Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligation to respond to Data Subject requests.
  • Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
  • At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless EU or Member State law requires storage of the Personal Data.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits and inspections as set out in Section 9.
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.

4. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors to assist in providing the Services, subject to the following conditions:

  • The Processor shall maintain a current list of Sub-processors, which is available upon request by contacting dpo@dbr77.com.
  • The Processor shall notify the Controller at least thirty (30) days in advance of any intended addition or replacement of Sub-processors, giving the Controller the opportunity to object.
  • If the Controller objects to a new Sub-processor on reasonable grounds related to data protection, the parties shall discuss the objection in good faith. If no resolution is reached within thirty (30) days, the Controller may terminate the affected Services without penalty.
  • The Processor shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA, by way of a written contract.
  • The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

5. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection):

  • The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject, and shall not respond to such request except on the Controller's documented instructions or as required by applicable law.
  • The Processor shall provide the Controller with self-service tools within the Services to facilitate Data Subject requests where technically feasible (e.g., data export, account deletion).
  • Where self-service tools are insufficient, the Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests within the timeframes required by the GDPR (typically one month).
  • The Controller is responsible for the costs of any assistance beyond what is provided through standard self-service tools, unless the assistance is required due to the Processor's breach of this DPA.

6. Data Transfers

The Processor shall not transfer Personal Data outside the European Economic Area (EEA) unless appropriate safeguards are in place:

  • Adequacy decisions: transfers to countries that have received an adequacy decision from the European Commission (Art. 45 GDPR).
  • Standard Contractual Clauses: where no adequacy decision exists, the Processor shall enter into SCCs (Module 2: Controller to Processor or Module 3: Processor to Processor, as applicable) with the data importer.
  • Supplementary measures: where required by the Schrems II decision or subsequent guidance, the Processor shall implement supplementary technical and organizational measures to ensure an essentially equivalent level of protection.
  • EU-US Data Privacy Framework: for transfers to the United States, the Processor may rely on the EU-US Data Privacy Framework where the data importer is certified.

The Processor shall inform the Controller of the legal basis for any transfer and provide copies of relevant safeguards upon request.

7. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach. The notification shall include, to the extent known at the time:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected.
  • The name and contact details of the Processor's point of contact for further information.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall document all Personal Data Breaches, including the facts, effects, and remedial actions taken.

8. Security Measures

The Processor implements and maintains the following technical and organizational security measures in accordance with Article 32 of the GDPR:

  • Encryption: AES-256 encryption at rest; TLS 1.2+ (TLS 1.3 preferred) in transit.
  • Access control: role-based access control (RBAC), multi-factor authentication (MFA), and single sign-on (SSO).
  • Tenant isolation: row-level security ensuring logical separation of each Controller's data.
  • Network security: firewalls, intrusion detection, DDoS protection, and network segmentation.
  • Backup and recovery: automated encrypted backups with point-in-time recovery, stored in geographically separate locations.
  • Monitoring: continuous monitoring, audit logging, and SIEM-based threat detection.
  • Vulnerability management: regular penetration testing, automated vulnerability scanning, and timely patching.
  • Personnel: background checks for employees with access to Personal Data, mandatory security awareness training, and confidentiality agreements.

Full details are available in our Security Policy.

9. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA, subject to the following conditions:

  • The Controller shall provide at least thirty (30) days' written notice of an audit request.
  • Audits shall be conducted no more than once per twelve (12) month period, unless required by a supervisory authority or following a Personal Data Breach.
  • The Processor may satisfy audit requests by providing: (a) copies of relevant third-party audit reports or certifications (e.g., SOC 2 Type II, ISO 27001); (b) responses to reasonable written questionnaires; or (c) access to the Processor's premises and systems during normal business hours.
  • Audits shall be conducted in a manner that minimizes disruption to the Processor's operations and protects the confidentiality of other customers' data.
  • The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.
  • Audit findings and reports shall be treated as Confidential Information of the Processor.

10. Termination and Data Deletion

Upon termination or expiration of the Agreement:

  • The Processor shall, at the Controller's choice, return all Personal Data to the Controller in a standard, machine-readable format or delete all Personal Data, including all existing copies, within thirty (30) days of receiving the Controller's written instructions.
  • If the Controller does not provide instructions within thirty (30) days of termination, the Processor shall delete all Personal Data and certify deletion in writing upon request.
  • The Processor may retain Personal Data to the extent required by applicable EU or Member State law, in which case the Processor shall inform the Controller of the legal requirement and continue to protect the data in accordance with this DPA.
  • The obligations under this DPA shall continue to apply to any Personal Data retained after termination.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement (Terms of Service), except that:

  • Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such limitation is not permitted under applicable law.
  • The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions.
  • Each party shall indemnify the other for any fines, penalties, or damages arising from the indemnifying party's breach of this DPA or applicable data protection law.

12. Contact

For questions about this DPA, to request the Sub-processor list, or to exercise audit rights:

Data Protection Officer
DBR77 Sp. z o.o.
ul. Legnicka 55, 54-203 Wrocław, Poland
Email: dpo@dbr77.com

Legal inquiries: legal@dbr77.com