Data Processing Agreement (Template)

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

(1) The Customer, acting as data controller under the GDPR ("Controller"); and
(2) Droidtech 42 AI Labs AB, Organisation number 559534-0745, having its registered address at Co. Sandberg, Dannemoragatan 4, 4 tr, 113 44 Stockholm, Sweden ("Processor" or "Droidtech").

This DPA forms part of the underlying license or services agreement (the "Agreement") between the parties.

2. Background and Scope

(a) The Customer uses the software product Agentic Embedded Debugger and may, now or in the future, engage Droidtech to process personal data on the Customer's behalf in connection with support, hosted services or other optional features (the "Services").

(b) As of today, the standard version of Agentic Embedded Debugger is designed so that customer data processed within the Customer's environment is not transmitted to Droidtech's servers. In that case, Droidtech acts as an independent controller only for limited data such as licensing and billing (covered by Droidtech's Privacy Policy), and no processor relationship arises for Customer's end-user data.

(c) This DPA applies only to the extent that Droidtech processes personal data as a processor on behalf of the Customer. Where no such processing occurs, this DPA is dormant but may remain signed for future use.

3. Definitions

Terms such as "personal data", "processing", "controller", "processor" and "data subject" shall have the meaning given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

4. Subject Matter, Duration and Nature of Processing

4.1 Subject matter: The subject matter of the processing is limited to the personal data described in Annex 1 of this DPA.

4.2 Duration: This DPA applies for the duration of the Agreement and as long as the Processor processes personal data on behalf of the Controller.

4.3 Nature and purpose: The nature and purpose of the processing are described in Annex 1. This may include, for example, optional hosted logging, monitoring, or support troubleshooting where personal data is included in logs or files provided by the Controller.

5. Instructions

5.1 The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law. In such case, the Processor will inform the Controller (unless legally prohibited).

5.2 The Agreement and this DPA constitute the Controller's initial instructions. Additional instructions must be agreed in writing (including email).

6. Confidentiality

The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7. Security of Processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to data subjects, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR.

8. Subprocessors

8.1 The Controller authorises the Processor to engage subprocessors listed in Annex 2 and to add or replace subprocessors, provided that:

• The Processor imposes data protection obligations on the subprocessor equivalent to those in this DPA.
• The Processor remains fully liable for the subprocessor's acts and omissions.
• The Processor informs the Controller of any intended changes concerning the addition or replacement of subprocessors, giving the Controller an opportunity to object on reasonable grounds.

9. Assistance to the Controller

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising the data subjects' rights under GDPR.

The Processor shall also assist the Controller in ensuring compliance with obligations relating to security of processing, data breach notifications, data protection impact assessments and prior consultations, taking into account the nature of processing and the information available to the Processor.

10. Personal Data Breach

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting data processed under this DPA. The notification shall contain information reasonably required for the Controller to comply with its obligations under GDPR.

11. Audit and Inspection

The Controller has the right to carry out audits or inspections, directly or via an independent auditor mandated by the Controller, to verify the Processor's compliance with this DPA and applicable data protection law.

The Processor may charge reasonable costs for audits requiring significant time or resources, subject to prior agreement with the Controller.

12. International Transfers

The Processor shall not transfer personal data outside the EU/EEA unless such transfer is made in compliance with Chapter V GDPR (e.g., based on Standard Contractual Clauses or an adequacy decision) and as described in Annex 2.

13. Return and Deletion of Data

Upon termination of the Services relating to processing, the Processor shall, at the choice of the Controller, delete or return all personal data and delete existing copies, unless EU or Member State law requires storage of the personal data.

14. Liability

The parties' liability under this DPA shall follow the allocation of liability set out in the Agreement, unless otherwise required by mandatory law.

15. Order of Precedence

In the event of a conflict between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail to the extent of the conflict and in relation to data protection matters.

16. Governing Law and Jurisdiction

This DPA is governed by the laws of Sweden. Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution clause in the Agreement.

Signatures

Signed on behalf of the Controller:

Name: ___________________________
Title: ___________________________
Date: ____________________________

Signed on behalf of Droidtech 42 AI Labs AB:

Name: ___________________________
Title: ___________________________
Date: ____________________________

Annex 1 – Details of Processing

(To be completed with each customer if/when you actually process their data.)

1. Categories of Data Subjects

• Customer's employees and contractors
• Other users designated by the Customer

2. Categories of Personal Data

May include, depending on configuration and use:

• Contact details (name, email)
• User identifiers and technical identifiers
• Log data and diagnostic data submitted for support
• Any other personal data included in files or logs the Customer shares with Droidtech for troubleshooting

3. Special Categories of Data

The Services are not intended to process special categories of personal data (sensitive data). The Controller shall ensure that such data is not submitted to the Processor, unless explicitly agreed in writing.

4. Purpose of Processing

• To provide support and troubleshooting services related to the Software.
• To provide any optional hosted components or logging services, if purchased.

5. Duration of Processing

For the term of the Agreement and for as long as the Processor provides the Services, unless otherwise agreed or required by law.

Annex 2 – Subprocessors and Transfers

The Processor may use the following subprocessors when acting as a processor:

• Hetzner Online GmbH (Germany) – hosting infrastructure
• Google Cloud / Google Workspace – email and collaboration tools
• Resend – email delivery infrastructure
• Other subprocessors as notified in writing to the Controller

Where subprocessors transfer personal data outside the EU/EEA, they shall do so in compliance with GDPR Chapter V, using Standard Contractual Clauses or other approved mechanisms.