Data Processing Agreement
Preamble:
This data processing agreement (hereinafter the “DPA”) specifies the data protection obligations of the parties, which arise from data processing on behalf of the Customer, as stipulated in the Terms and Conditions available at https://adminza.ai/ or other agreement between the Customer and the Service Provider governing the Customer’s access to, and use of, the System and the Services (hereinafter the “Terms and Conditions”). It applies to all activities performed in connection with the Terms and Conditions in which the Service Provider’s staff or a third party acting on behalf of the Service Provider may come into contact with Personal Data.
The Service Provider is a Processor with respect to the “Personal Data” (as defined under the GDPR) provided to or submitted to the Service Provider in the context of using the Service and through the use of the Service by, or on behalf of, the Customer under the Terms and Conditions. The Customer is a Controller (as defined in GDPR). The Customer is also a Processor, in which case the Customer appoints the Service Provider as the Customer’s Sub-processor, which shall not change the obligations of either the Customer or the Service Provider under the DPA, as the Service Provider will always remain a Processor with respect to the Customer in such event. A description of Personal Data elements is provided in Annex A hereto.
1. Definitions
1.1 “Controller” has the same meaning under the Data Protection Laws;
1.2 “Data Protection Laws” means any applicable law or regulation concerning the protection of privacy and Personal Data that may apply to the processing of Personal Data under the Terms and Conditions and this DPA, including:
i. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), which applies as of 25 May 2018 (hereinafter the “GDPR”); and
ii. Law 125(I)/2018 providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 of the Republic of Cyprus;
1.3 “Processing” means processing of Personal Data as defined under the Data Protection Laws, including the storage, amendment, transfer, blocking or erasure of personal data by the Service Provider acting on behalf of the Customer;
1.4 “Processor” has the same meaning under the Data Protection Laws;
1.5 “Instruction” means the written instruction, issued by Customer to the Service Provider, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, de-personalizing, blocking, deletion, making available). Instructions shall initially be specified in this DPA and may, from time to time thereafter, be amended, amplified or replaced by Customer in separate written instructions (individual instructions); and
1.6 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.7 The annexes to this DPA form an integral part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes also a reference to its annexes.
1.8 A reference to writing or written includes faxes and email.
1.9 In the case of conflict or ambiguity between:
a) any provision contained in the body of this DPA and any provision contained in the annexes hereto, the provision in the body of this DPA will prevail; and
b) any of the provisions of this DPA and the provisions of the Terms and Conditions, the provisions of this DPA will prevail.
1.10 All capitalized terms used herein and not otherwise defined herein shall have the meanings ascribed to such terms in the Terms and Conditions and the Privacy Policy available on the Website.
2. Scope and Responsibility
2.1 The Customer and the Service Provider acknowledge that for the purpose of the Data Protection Laws, the Customer is the Controller, and the Service Provider is the Processor. In some circumstances, Customer may be a Processor, in which case Customer appoints the Service Provider as Customer’s Sub-processor, which shall not change the obligations of either the Customer or the Service Provider under this DPA, as the Service Provider will always remain a Processor with respect to the Customer in such event.
2.2 The Customer retains control of the Personal Data and remains responsible for its compliance with its obligations under the Data Protection Laws, including providing any required notices and obtaining any required consents for the lawful Processing of Personal Data made available to or otherwise transferred to the Service Provider, and for the processing instructions it gives to the Service Provider.
2.3 The Service Provider shall process Personal Data on behalf of the Customer. Processing shall include such actions as may be specified in the Terms and Conditions and in the scope of work. Within the scope of the Terms and Conditions, the Customer shall be solely responsible for complying with the statutory requirements relating to the lawfulness of data Processing.
2.4 AI-assisted processing. The Customer acknowledges that the provision of the Services may involve automated and artificial intelligence-assisted processing technologies used by the Service Provider or its Sub-processors to process Personal Data on behalf of the Customer. Such processing is carried out solely in accordance with the Customer’s documented instructions and for the purposes defined in the Terms and Conditions and this Data Processing Agreement.
The Service Provider shall not use Personal Data processed under this Data Processing Agreement to train, develop, or improve general-purpose artificial intelligence models for use outside the provision of the Services.
2.5 The Customer represents and warrants that it has a valid lawful basis under applicable Data Protection Laws, including the performance of a contract, to make Personal Data available to the Service Provider for Processing in accordance with this DPA and the Terms and Conditions, and that it has provided all required notices to Data Subjects.
2.6 The Service Provider hereby further represents and confirms that it has been informed that its Personal Data or those of its End Users may or will be retained and stored by the Service Provider, or any of its affiliates or Sub-processors and will be permanently destroyed based on the Customer’s instructions when the Customer’s initial purpose and/or retention period prescribed by applicable law expires.
2.7 Based on this responsibility, the Customer shall be entitled to request that the Service Provider, subject to and under the Data Protection Laws, rectifies, deletes, blocks and makes available Personal Data during and after the term of the Terms and Conditions at the Customer’s cost. The Service Provider shall promptly comply with any of the Customer’s request or instruction requiring the Service Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized Processing. More information on these rights is provided in the Privacy Policy available on the Website.
2.8 The provisions of this DPA shall also apply if testing or maintenance of automatic processes or of Processing equipment is performed on behalf of the Customer.
3. Service Provider’s obligations
3.1 The Service Provider shall process Personal Data only within the scope of the Customer’s Instructions as set out in this DPA, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by the European Union or local laws to which the Service Provider is subject. In this case, the Service Provider shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
3.2 The Service Provider will, insofar as this is possible, by appropriate technical and organizational measures, reasonably assist the Customer with meeting the Customer’s compliance obligations with respect to the rights exercised by Data Subjects under the Data Protection Laws (particularly the Data Subject’s Rights stated in Chapter 3 of the GDPR and related to Data Subject’s requests), taking into account the nature of the data Processing. Taking into account the nature of Processing and any information available to the Service Provider, the Service Provider will further assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, in particular its obligations to undertake data protection impact assessments and report to and consult with supervisory authorities under the Data Protection Laws. In a situation where the requested level of assistance will be excessive or unreasonably burdensome for the Service Provider, any such assistance will be exercised at the Customer’s cost.
3.3 The Service Provider shall implement appropriate technical and organizational measures required pursuant to Article 32 of the GDPR with respect to the Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk in order to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use.
3.4 For the purposes described above and in compliance with the Data Protection Laws, the Service Provider has contracted with Amazon Web Services (hereinafter “AWS”), who acts as a Sub-contractor to the Service Provider. Please refer to https://aws.amazon.com/compliance/gdpr-center/ for more information on the compliance of AWS with the GDPR.
3.5 Contact information:
ADMINZA LTD
John Kennedy, 8, IRIS BUILDING, 7th floor, Office 740B, 3106, Limassol, the Republic of Cyprus
Email: dpo@adminza.ai
3.6 The Customer’s notification email address is the same address that is used by the Customer for Registration to the System and/or the Services or such other email address designated by the Customer in writing to receive certain notifications from the Service Provider relating to this DPA.
3.7 If applicable, the Customer shall retain title as to any carrier media provided to the Service Provider as well as any copies or reproductions thereof. The Service Provider shall store such media safely and protect them against unauthorized access by third parties. The Service Provider shall, upon the Customer’s request, provide to the Customer all information on the Customer’s Personal Data and information. The Service Provider shall be obliged to securely delete any test and scrap material based on an Instruction issued by the Customer on a case-by-case basis. Where Customer so decides, the Service Provider shall hand over such material to the Customer or store it on the Customer’s behalf.
3.8 The Service Provider shall provide reasonable assistance to the Customer with any data protection impact assessment which the Customer is required to undertake in order to comply with Articles 35 and 36 of GDPR, in each case solely in relation to the processing of Personal Data and taking into account the nature of the Processing and information available to the Service Provider and shall make available to Customer on request such information as is reasonably necessary to demonstrate its compliance with this DPA and its obligations under Article 28 of GDPR and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer for the purpose of demonstrating compliance by the Service Provider with its obligations under Data Protection Laws in respect of the Personal Data. The Service Provider may object to the deployment of a specific auditor if such auditor (i) is not subject to confidentiality regarding the results of such audit (except vis-à-vis the Service Provider and the Customer), or (ii) is a competitor of the Service Provider, or (iii) is affiliated with a competitor of the Service Provider.
3.9 The Service Provider shall not store or use the Personal Data provided to and/or submitted by the Customer to the Service Provider through the System and/or the Services, for a purpose other than the provision of the Services to the Customer.
4. Customer’s obligations
4.1 The Customer shall be separately responsible for conforming with such statutory data protection regulations including the Data Protection Laws as are applicable to it and shall ensure that the Personal Data may lawfully be Processed by the Service Provider under the Terms and Conditions. The Customer agrees to comply with additional terms set out in the Terms and Conditions in relation to Authorized User and/or End User consent for data Processing in the Service Provider’s Proof of Identity.
4.2 Customer shall inform the Service Provider without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data detected during a verification of the results of such Processing or otherwise arising following the date of this DPA.
4.3 The Customer shall be obliged to maintain the register as defined in Article 30 of GDPR. The Customer shall promptly notify the Service Provider of the exercise of any rights by Data Subjects affecting the Processing of Personal Data by the Service Provider.
4.4 The Customer shall, upon termination or expiration of the Term and by way of issuing an Instruction, stipulate, within a period set by the Service Provider, the measures to return data carrier media or to delete stored Personal Data.
4.5 Any additional cost arising out of the Service Provider’s performance under Instructions outside the Terms and Conditions, or otherwise not contemplated by this DPA, shall be borne by the Customer.
4.6 The Customer hereby warrants and covenants to the Service Provider, that the Customer has the right, and has obtained the required written consent of the End User and/or the Authorized User, to provide and/or submit their Personal Data to the Service Provider for Processing.
4.7 The Customer hereby agrees and covenants to incorporate any other necessary terms, notices, documents or consents (if applicable) into its own policies and legal agreements with Data Subjects, which meet the requirements applicable to the Customer under the data protection laws applicable to it.
5. Audit Obligations
5.1 The Service Provider shall provide a copy of its most current security report upon Customer’s written request and subject to the confidentiality provisions of the Terms and Conditions. If Customer requires additional information beyond that which is stated in the report provided by the Service Provider to this respect, Customer may contact the Service Provider at dpo@adminza.ai, in order to request an on-site audit of the architecture, systems and procedures relevant to the protection of Customer’s Personal Data that are Processed/controlled by the Service Provider. Notwithstanding the above, if an audit is excessive or unreasonably burdensome for the Service Provider, then the Customer shall reimburse the Service Provider for such excessive or unreasonably burdensome audit at the Service Provider's then-current professional services rates, which shall be made available to the Customer upon request. Before the commencement of any such audit, the Customer and the Service Provider will mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which the Customer shall be responsible. The Customer shall promptly notify the Service Provider with information regarding any non-compliance discovered during the course of an audit.
6. Sub-processing
6.1 The Customer agrees and accepts that the Service Provider may engage the Service Provider’s affiliates and third-party sub-processors (hereinafter collectively the “Sub-processors”) to Process the Customer’s Personal Data on the Service Provider’s behalf. The Customer acknowledges that the Service Provider’s contractual obligations hereunder, or the parts of the services, will be performed by a Sub-processor and consents to use of Sub-processors by the Service Provider as described in this Section 6 to fulfil its contractual obligations under the Terms and Conditions and to provide certain services on the Service Provider’s behalf such as support services. The list of the Sub-processors currently contracted by the Service Provider is provided in Annex B hereto.
6.2 The Customer undertakes to secure and obtain from the End Users providing their Personal Data to the Customer, a sufficient written consent and authorization with respect to the Processing and retention of the End Users’ Personal Data by the Service Provider, or any of its Sub-processors, in the form, or substantially in the form, attached as Annex C hereto.
6.3 The Service Provider undertakes to enter into a written agreement with any applicable Sub-processors and such agreement will contain the same level of obligations as set out in this DPA. The Service Provider will remain responsible for its compliance with the obligations stated herein and for any acts or omissions of the Sub-processors.
6.4 The Service Provider may, by giving no less than 10 (ten) calendar days’ notice to Customer, add or make changes to its Sub-processors. Customer may object to the appointment of an additional Sub-processor within such 10 (ten) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, in which case the Service Provider shall have the right to cure the objection through one of the following options (to be selected at the Service Provider’s sole discretion):
a) the Service Provider will cancel its plans to use the Sub-processor with regard to Personal Data or will offer an alternative to provide the Services without such Sub-processor; or
b) the Service Provider will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the Sub-processor with regard to Personal Data; or
c) the Service Provider may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Services that would involve the use of such Sub-processor with regard to Personal Data, subject to a mutual agreement of the parties to adjust the remuneration for the Services considering the reduced scope of the Services.
6.5 If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within 30 (thirty) calendar days after the Service Provider’s receipt of Customer’s objection, either party may terminate the Terms and Conditions and Customer will be entitled to a pro-rata refund of the non-consumed amount of Subscription, as of the date of termination.
6.6 The Customer hereby acknowledges and authorizes the Service Provider, for the Customer’s Personal Data to be processed by ABBYY Europe GmbH, in the course of using ABBYY Vantage Cloud by the Service Provider in providing the System and/or the Services to the Customer.
6.7 The Customer hereby confirms and accepts that ABBYY Europe GmbH is not responsible for compliance with the particular data protection laws applicable to the Customer or its industry, or to providers using critical infrastructure (e.g., financial or credit institutions, health and safety institutions, professional unions or associations, religious organizations).
6.8 The Customer hereby undertakes and covenants to include in its privacy policy and data processing agreement, also hyperlinks to this DPA and the Privacy Policy, as available at https://adminza.ai/.
7. Data Breach
7.1 The Service Provider will notify the Customer in the event of a confirmed Personal Data Breach, unless legally restricted. Any delay in notification, as required by law enforcement or due to the Service Provider’s legitimate need to thoroughly investigate or address the issue before notifying, shall not be deemed an undue delay.
7.2 Immediately following any Personal Data Breach, the parties will coordinate with each other to investigate the matter. The Service Provider will reasonably co-operate with Customer in Customer's handling of the matter.
7.3 The Service Provider will not inform any third party of any Personal Data Breach without first obtaining Customer's prior written consent, except when required to do so by Data Protection Laws or any other applicable Union or Member State laws.
7.4 The Service Provider will cover all reasonable expenses associated with the performance of the obligations under this Clause 7 unless the matter arose from Customer's specific instructions, negligence, willful default or breach of the Terms and Conditions, in which case Customer will cover all reasonable expenses.
8. Duties to Inform, Mandatory Written Form, Choice of Law, Duration
8.1 Where Customer’s Personal Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being Processed, the Service Provider shall inform Customer without undue delay. The Service Provider shall, without undue delay, notify all pertinent parties in such action that any Personal Data affected thereby is Customer’s sole property and area of responsibility and that such Personal Data is at Customer’s sole disposition.
8.2 This DPA shall be governed by and construed in accordance with the laws of the Republic of Cyprus.
Any disputes arising between the Parties under this DPA shall be settled through negotiations between them. In case a dispute cannot be resolved through negotiations of the Parties within 40 (forty) calendar days, the Parties agree that their dispute will be subject to the sole and exclusive jurisdiction of the courts located in the Republic of Cyprus.
8.3 The term of this DPA shall follow the term of the Terms and Conditions. Upon termination or expiration of the Terms and Conditions, the Service Provider shall, in accordance with the Terms and Conditions, delete or make available to Customer for retrieval all relevant Personal Data (including copies) in the Service Provider’s possession, save to the extent that the Service Provider is required by applicable Data Protection Laws or any applicable Union or Member State law, to retain some or all of the Personal Data. In such event, the Service Provider shall extend the protections of the Terms and Conditions and this DPA to such Personal Data and limit any further processing of such Personal Data to only those limited purposes that require the retention, for so long as the Service Provider maintains the Personal Data.
8.4 The Service Provider may update this DPA from time to time at its sole discretion. The Service Provider shall use reasonable endeavors to notify the Customer of such updates through the email provided by the Customer during the Registration. The Customer is solely responsible for ensuring it has read, acknowledged, and agreed to the updated version of this DPA. For the avoidance of doubt, the Customer’s continued usage of the System and/or the Services or the fact that the Customer had not objected to the updates made to this DPA before it becomes effective shall be regarded as acceptance of the updates thereto.
Annex A
Personal Data Elements
1. Purpose of the Personal Data Processing: Provision of the Services and access to the System to the Customer under and in accordance with the Terms and Conditions.
2. The following categories of Personal Data are Processed: Any Personal Data provided by the Customer in the process of Registration, as well as any Personal Data included in the source documents uploaded to the System, including, but not limited to:
i. Data about the Customer’s use of the Website and the System, e.g. IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views, website navigation paths, timing, frequency, pattern of the Customer’s service use;
ii. Personal characteristics, e.g. name, gender, age;
iii. Identification documentation, e.g. passport, ID card;
iv. Corporate information: e.g. entity name, registration number, registered office, company details, management information, ownership information, personal details of owners and senior management, website address;
v. Contact information, e.g. address, email, telephone number;
vi. Online identifiers, e.g. username, IP address;
vii. Banking information, e.g. card number, beneficial owner’s name, expiry date;
viii. News and marketing information;
ix. Information included in source documents uploaded in the System by the Customer; and/or
x. Information that the Service Provider receives from the Customer’s use of the System and/or the Services.
3. The Customer should not instruct the Service Provider to process any Special Categories of Personal Data. These categories include details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health, genetic and biometric data. The Customer shall be liable for any Special Categories of Personal Data provided or otherwise made available to the Service Provider. The Service Provider's obligations under the Terms and Conditions and DPA shall not apply to any such data unless otherwise agreed between the Service Provider and the Customer in writing. In that case, the Customer shall safeguard the mandatory prerequisites in its jurisdiction (e.g., consent, approval, or other appropriate measures) for such data Processing. Nor will Customer process or give instructions to Process any information about criminal convictions and offences.
4. The Customer is liable for any Personal Data that is provided or otherwise made available to the Service Provider, in excess of the categories of data described above (hereinafter "Excess Data"). The Service Provider’s obligations under this DPA shall not apply to any such Excess Data.
5. Special provision concerning data processing of Special Categories of Personal Data: If Customer uses the Service to process Special Categories of Personal Data (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data), it shall safeguard the mandatory prerequisites in its jurisdiction (e.g., consent, approval or other appropriate measures) for such data Processing.
6. Data Subjects may be:
i. The Customer;
ii. The Customer’s Employees;
iii. The Authorized Users;
iv. The End Users; and/or
v. Other Data Subjects about whom Personal Data was provided by the Customer / Authorized Users through source documents uploaded in the System.
7. Nature of the data Processing:
i. Recognition;
ii. Conversion;
iii. Extraction;
iv. Classification;
v. Deletion;
vi. Automated and AI-assisted document analysis;
vii. Automated classification of documents and document content;
viii. Automated extraction and structuring of data from documents; and/or
ix. Contextual analysis of document content for service delivery purposes.
Annex B
List of the Service Provider’s current Sub-processors
| Sub-processor | Description of Processing | Country of sub-processing/data storage |
| --- | --- | --- |
| ABBYY Europe GmbH | Various documents processing scenarios | European Union |
| Amazon Web Services (EU Zone) | Cloud Provider | European Union |
| AI Processing Service Providers | Provision of artificial intelligence and machine learning technologies used for automated text analysis, classification, and data extraction in the context of document processing services. | Processing may take place within or outside the European Economic Area, including in third countries. |
Safeguards: Appropriate safeguards are implemented in accordance with applicable Data Protection Laws, including standard contractual clauses or other lawful transfer mechanisms recognised under the GDPR.
Annex C
Written Consent and Authorization
This Annex C applies only where and to the extent required by applicable Data Protection Laws.
The Customer shall ensure that, during the process of onboarding of an End User, for the use of the Customer’s services, the following written consent and authorization should be obtained by the Customer from the End User:
“I/We hereby agree and express my/our free, specific, explicit, voluntary, unequivocal and informed consent and authorisation to [insert name of Customer] for my Personal Data to be processed by ADMINZA LTD, a private limited liability company by shares, incorporated and existing under the laws of the Republic of Cyprus, registered with the Registrar of Companies of the Republic of Cyprus under number HE 459075, with its registered office located at John Kennedy, 8, IRIS BUILDING, 7th floor, Office 740B, 3106, Limassol, the Republic of Cyprus (hereinafter the “Service Provider”), or any of its affiliates or sub-processors, in the process of providing their services to [insert name of Customer] and the Service Provider, accordingly, in accordance with their internal policies and/or regulations and/or applicable laws.
I/We hereby further represent and confirm that I/We have been informed that my/our Personal Data may or will be retained and stored by [insert name of Customer] and the Service Provider, or any of its affiliates or sub-processors, and will be permanently destroyed based on the [insert name of Customer]’s instructions when the [insert name of Customer]’s initial purpose and/or retention period prescribed by their internal policies and/or their regulations and/or applicable law expires.
I hereby represent that I/We have carefully read all of the above provisions and do voluntarily and unequivocally agree with them.”