Data Processing Agreement
DATA PROCESSING AGREEMENT (DPA)
Between:
Customer (as defined in the Terms and Conditions) ("Data Controller" or "Controller")
and
LEIDA TECH
Business ID: 3538835-9
Email: info@leida.ai
("Data Processor" or "Processor")
Effective Date: The date of acceptance of the Terms and Conditions
1. DEFINITIONS AND INTERPRETATION
1.1 Terms used in this Data Processing Agreement ("DPA") have the meanings set out in Regulation (EU) 2016/679 ("GDPR") unless otherwise defined herein.
1.2 Key definitions:
"Personal Data" means any personal data processed by the Processor on behalf of the Controller in connection with the Service.
"Processing" has the meaning set out in Article 4(2) GDPR.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Sub-processor" means any third party engaged by the Processor to process Personal Data.
"Service" means the LEIDA cloud-based SaaS platform as described in the Terms and Conditions.
"Security Incident" means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
1.3 This DPA forms an integral part of the Terms and Conditions. In case of conflict, this DPA prevails with respect to data protection matters.
2. SCOPE AND APPLICABILITY
2.1 Scope of Processing
The Processor shall process Personal Data only:
on documented instructions from the Controller;
for the purpose of providing the Service;
in accordance with this DPA and applicable data protection laws.
2.2 Subject Matter and Duration
Subject matter: Provision of AI-powered regulatory compliance SaaS platform
Duration: For the term of the subscription as set out in the Terms and Conditions
Nature and purpose: Processing necessary to provide regulatory roadmaps, compliance documentation, and regulatory intelligence services
Type of Personal Data: As specified in Annex 1
Categories of Data Subjects: As specified in Annex 1
2.3 Controller's Instructions
The Controller instructs the Processor to process Personal Data:
to provide, maintain, and support the Service;
to comply with the Controller's documented instructions via the Service interface;
as otherwise agreed in writing between the parties.
The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other applicable data protection law.
3. PROCESSOR'S OBLIGATIONS
3.1 Compliance with Laws
The Processor shall process Personal Data in compliance with:
GDPR and other applicable EU and national data protection laws;
this DPA and the Controller's documented instructions;
industry best practices for data security.
3.2 Confidentiality
The Processor shall ensure that persons authorised to process Personal Data:
are bound by confidentiality obligations;
have received appropriate training on data protection;
process Personal Data only as instructed by the Controller.
3.3 Prohibition on Unauthorised Processing
The Processor shall not:
process Personal Data for its own purposes;
disclose Personal Data to third parties without the Controller's prior written consent, except as required by law;
transfer Personal Data outside the European Economic Area (EEA) without appropriate safeguards as set out in Section 6.
4. TECHNICAL AND ORGANISATIONAL MEASURES
4.1 Security Measures
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Pseudonymisation and encryption of Personal Data where appropriate;
Confidentiality: measures to ensure ongoing confidentiality of processing systems;
Integrity: measures to ensure ongoing integrity of processing systems;
Availability and resilience: measures to ensure availability and resilience of processing systems;
Restoration: ability to restore availability and access to Personal Data in a timely manner in the event of an incident;
Testing and evaluation: regular testing, assessment and evaluation of effectiveness of security measures.
4.2 Current Security Measures
The Processor's current technical and organisational measures are described in Annex 2. The Processor may update these measures provided that the level of security is not reduced.
4.3 Security Incident Management
In the event of a Security Incident, the Processor shall:
notify the Controller without undue delay and in any event within 24 hours of becoming aware;
provide the Controller with sufficient information to enable the Controller to meet its obligations under Article 33 GDPR (notification to supervisory authority);
cooperate with the Controller and take reasonable steps to mitigate the effects of the Security Incident;
document the Security Incident, its effects, and remedial action taken.
The notification shall include, to the extent possible:
description of the nature of the Security Incident;
categories and approximate number of Data Subjects and Personal Data records concerned;
likely consequences of the Security Incident;
measures taken or proposed to address the Security Incident.
5. SUB-PROCESSING
5.1 General Authorisation
The Controller grants general authorisation to the Processor to engage Sub-processors, subject to the conditions set out in this Section 5.
5.2 Current Sub-processors
The Processor's current Sub-processors are listed in Annex 3. The Processor shall maintain an up-to-date list of Sub-processors, accessible to the Controller upon request.
5.3 New Sub-processors
The Processor shall:
inform the Controller of any intended changes concerning addition or replacement of Sub-processors at least thirty (30) days in advance;
provide the Controller with sufficient information to enable assessment of the Sub-processor;
give the Controller the opportunity to object to such changes on reasonable data protection grounds.
If the Controller objects within fourteen (14) days of notification, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected part of the Service without penalty.
5.4 Sub-processor Obligations
The Processor shall:
impose data protection obligations on Sub-processors that are substantially equivalent to those set out in this DPA;
ensure Sub-processors comply with GDPR obligations equivalent to those of the Processor;
remain fully liable to the Controller for the performance of Sub-processors' obligations.
6. INTERNATIONAL DATA TRANSFERS
6.1 Transfers Outside EEA
The Processor shall not transfer Personal Data outside the European Economic Area (EEA) unless:
the transfer is to a country subject to an adequacy decision under Article 45 GDPR; or
appropriate safeguards are in place pursuant to Article 46 GDPR (such as Standard Contractual Clauses); or
the Controller has provided explicit consent to the transfer.
6.2 Standard Contractual Clauses
Where Personal Data is transferred to a Sub-processor located outside the EEA, the Processor shall ensure that:
the EU Standard Contractual Clauses (SCCs) approved by the European Commission are in place; or
other appropriate safeguards under Article 46 GDPR are implemented.
6.3 Current Transfer Mechanisms
Details of current international data transfers and applicable safeguards are set out in Annex 3.
7. DATA SUBJECT RIGHTS
7.1 Assistance with Data Subject Requests
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR, including:
Right of access (Article 15)
Right to rectification (Article 16)
Right to erasure ("right to be forgotten") (Article 17)
Right to restriction of processing (Article 18)
Right to data portability (Article 20)
Right to object (Article 21)
7.2 Procedure
If the Processor receives a request from a Data Subject:
the Processor shall not respond directly to the Data Subject without the Controller's prior written authorisation;
the Processor shall promptly forward the request to the Controller;
the Processor shall, upon the Controller's request, provide reasonable assistance to enable the Controller to respond.
7.3 Fees
Assistance provided under this Section 7 that requires significant effort beyond the scope of the Service may be subject to additional fees at the Processor's standard rates, to be agreed in advance.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
8.1 Assistance with DPIA
The Processor shall, taking into account the nature of processing and information available to the Processor, provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIA) under Article 35 GDPR.
8.2 Prior Consultation
The Processor shall provide reasonable assistance to the Controller in relation to prior consultation with supervisory authorities under Article 36 GDPR, where required.
9. DELETION AND RETURN OF DATA
9.1 Upon Termination
Upon termination or expiry of the Service, the Processor shall, at the Controller's choice:
delete all Personal Data; or
return all Personal Data to the Controller in a commonly used, machine-readable format.
9.2 Retention Period
The Controller may request deletion or return of Personal Data within thirty (30) days of termination. After this period, the Processor may delete all Personal Data unless retention is required by applicable law.
9.3 Certification
Upon request, the Processor shall provide written certification that all Personal Data has been deleted or returned in accordance with this Section 9.
9.4 Legal Retention
The Processor may retain Personal Data to the extent and for such period as required by applicable law, provided that the Processor ensures the confidentiality of such Personal Data and processes it only as necessary for the purpose(s) specified in the applicable law.
10. AUDIT RIGHTS
10.1 Controller's Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and GDPR Article 28.
10.2 Audits and Inspections
The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to:
reasonable advance notice of at least thirty (30) days;
audits being conducted during normal business hours;
audits not unreasonably interfering with the Processor's business operations;
the auditor being bound by confidentiality obligations.
10.3 Frequency
The Controller may conduct audits no more than once per year, unless:
required by a supervisory authority;
there is reasonable suspicion of non-compliance; or
a Security Incident has occurred.
10.4 Costs
The Controller shall bear the costs of audits, except where the audit reveals material non-compliance, in which case the Processor shall bear reasonable costs.
10.5 Third-Party Certifications
The Processor may provide third-party audit reports or certifications (e.g., ISO 27001, SOC 2) in lieu of on-site audits, subject to the Controller's reasonable acceptance.
11. LIABILITY AND INDEMNIFICATION
11.1 Liability Under GDPR
Each party's liability under this DPA is subject to GDPR Article 82 (Right to compensation and liability).
11.2 Limitation of Liability
Subject to Section 11.3, the Processor's total liability under this DPA shall be limited as set out in the Terms and Conditions.
11.3 Unlimited Liability
The limitation in Section 11.2 does not apply to:
liability under GDPR Article 82;
liability arising from gross negligence or willful misconduct;
liability that cannot be limited under applicable law.
11.4 Indemnification
The Processor shall indemnify and hold harmless the Controller against claims, fines, and damages arising from the Processor's breach of this DPA or GDPR, except to the extent caused by the Controller's instructions or actions.
12. TERM AND TERMINATION
12.1 Term
This DPA enters into force on the Effective Date and remains in force for as long as the Processor processes Personal Data on behalf of the Controller.
12.2 Termination
This DPA terminates automatically upon termination of the Terms and Conditions, subject to Section 9 (Deletion and Return of Data).
12.3 Survival
Sections 9 (Deletion and Return of Data), 10 (Audit Rights), and 11 (Liability and Indemnification) survive termination.
13. GENERAL PROVISIONS
13.1 Amendments
This DPA may only be amended by written agreement signed by both parties, except that the Processor may update the Annexes to reflect changes in Sub-processors or security measures, provided the level of protection is not reduced.
13.2 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect.
13.3 Governing Law
This DPA is governed by the laws of Finland, without regard to conflict of law principles.
13.4 Supervisory Authority
The competent supervisory authority for the purposes of this DPA is the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu).
13.5 Order of Precedence
In case of conflict between this DPA and the Terms and Conditions, this DPA prevails with respect to data protection matters.
ANNEX 1: DETAILS OF PROCESSING
A. Subject Matter and Duration
Subject matter: Provision of cloud-based AI-powered regulatory compliance platform
Duration: For the term of the subscription
B. Nature and Purpose of Processing
Nature: Automated processing, storage, and analysis of regulatory compliance data
Purpose:
Generate regulatory roadmaps and compliance documentation
Provide regulatory intelligence and monitoring
Support CE marking and notified body submissions
Centralise compliance evidence and risk management
C. Categories of Personal Data
The Service may process the following categories of Personal Data uploaded by the Controller:
User account data: Names, email addresses, job titles, employer information
Authentication data: Login credentials, access logs, IP addresses
Professional data: Regulatory roles, certifications, professional qualifications
Communication data: Support requests, feedback, correspondence
Usage data: Service usage patterns, feature interactions, timestamps
Business data: Company information, project data, regulatory submissions
Note: The Controller determines what Personal Data is uploaded to the Service. The Processor does not require or request special categories of Personal Data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR).
D. Categories of Data Subjects
Employees and contractors of the Controller
Employees and contractors of the Controller's clients (where applicable)
Regulatory affairs professionals
Quality assurance personnel
Compliance officers
Other authorised users designated by the Controller
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES
The Processor implements the following technical and organisational measures:
1. Access Control
Physical access control:
Data centers operated by certified third-party providers (see Annex 3)
Physical access restricted to authorized personnel
Access logging
System access control:
Multi-factor authentication (MFA) available
Role-based access control (RBAC)
Unique user credentials
Automatic session timeout
Access logging and monitoring
Data access control:
Encryption of data at rest (AES-256)
Encryption of data in transit (TLS 1.2 or higher)
Segregation of customer data (multi-tenancy isolation)
Need-to-know principle for Processor personnel
2. Transmission Control
Encrypted data transmission (HTTPS/TLS)
Secure API endpoints
Logging of data transfers
Secure file upload/download mechanisms
3. Input Control
Audit logging of data creation, modification, and deletion
User activity tracking
Timestamping of all transactions
Version control for documents
4. Availability Control
Regular automated backups
Redundant infrastructure
Disaster recovery procedures
Business continuity planning
99.5% uptime target (subject to Service Level Agreement)
5. Separation Control
Logical separation of customer data
Database-level isolation
Separate processing environments (production, testing, development)
6. Pseudonymisation and Encryption
Encryption at rest and in transit
Hashing of passwords (bcrypt or equivalent)
Tokenization where applicable
7. Incident Response
Security incident response plan
24-hour notification to Controller
Incident documentation and root cause analysis
Remediation and prevention measures
8. Data Protection by Design and Default
Privacy-first architecture
Minimal data collection principle
Data minimization in AI model training
Regular security assessments
9. Organizational Measures
Designated Data Protection Officer (contact: info@leida.ai)
Employee training on data protection
Confidentiality agreements with personnel
Background checks for personnel with data access
Regular security awareness training
10. Compliance and Certification
ISO 27001 certification (in progress/planned)
Regular penetration testing
Vulnerability scanning
Third-party security audits
Note: The Processor reserves the right to update these measures to maintain or improve security, provided the overall level of protection is not reduced.
ANNEX 3: SUB-PROCESSORS AND INTERNATIONAL TRANSFERS
Current Sub-Processors
The Processor currently engages the following Sub-processors:
| Service Provided | Sub-processor | Location | Transfer Mechanism |
|---|---|---|---|
| Cloud Infrastructure Provider | OVH Cloud, Supabase | EU | EU/EEA, no transfer needed |
| AI Model Provider | OpenAI, Mistral, Anthropic | EU, US | Standard Contractual Clauses required |
| Email Service Provider | Brevo | EU | EU/EEA, no transfer needed |
| Analytics Provider | Google Analytics, Posthog | EU, US | Standard Contractual Clauses required |
| Payment Processing | Stripe | US | Standard Contractual Clauses required |
Note to LEIDA TECH: Please complete this table with actual Sub-processor details. Common examples:
AWS (Ireland) - EU/EEA, no transfer needed
Google Cloud Platform (EU regions) - EU/EEA, no transfer needed
OpenAI (USA) - Standard Contractual Clauses required
Microsoft Azure (EU regions) - EU/EEA, no transfer needed
International Data Transfers
Transfers outside EEA:
Where Personal Data is transferred to Sub-processors located outside the EEA, the following safeguards are in place:
Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (2021/914) are executed with all Sub-processors in third countries.
Supplementary Measures: In addition to SCCs, the Processor implements supplementary technical and organizational measures, including:
Encryption of data in transit and at rest
Pseudonymization where feasible
Contractual restrictions on Sub-processor access to data
Regular audits of Sub-processor compliance
Transfer Impact Assessment: The Processor has conducted a transfer impact assessment (TIA) for each third-country transfer to ensure adequate protection.
Controller's Rights:
The Controller may request:
Copies of SCCs with Sub-processors (with confidential commercial terms redacted)
Information about supplementary measures
Transfer impact assessment summaries
ACCEPTANCE
This Data Processing Agreement is incorporated into and forms part of the Terms and Conditions accepted by the Controller.
By accepting the Terms and Conditions, the Controller accepts this DPA.
CONTACT INFORMATION
Data Protection Officer:
Email: laura@leida.ai
For data protection inquiries:
Email: info@leida.ai
Finnish Data Protection Ombudsman:
Website: https://tietosuoja.fi
Email: tietosuoja@om.fi