Data Processing Agreement

Last updated:

This Data Processing Agreement (DPA) applies where SIA "ReIntellex" processes personal data on behalf of a business client in connection with our services. It forms part of our Terms of Service and reflects our obligations under Article 28 of the GDPR. It applies to business clients, not to consumers.

1. Definitions

  • GDPR: the EU General Data Protection Regulation (2016/679).

  • Controller, Processor, Sub-processor, Personal Data, Processing, and Data Subject have the meanings given in the GDPR.

  • Client, or you: the business we provide services to.

  • Services: the automations, custom work, training, and support we provide to you.

  • Client-Controlled Tools: tools and systems that you own or operate under your own accounts, credentials, or API keys, for example a self-hosted n8n instance, your own Claude or Claude Cowork account, or your own OpenAI or Google keys.

2. Roles and scope

What each of us is responsible for depends on who actually carries out the processing, and on whose behalf. This is judged on the real facts of each engagement, not only on labels.

(a) Processing on your own tools and accounts. Where an automation runs on Client-Controlled Tools, you are the controller and the operator of that processing. The third-party tools used in that flow, such as your AI providers or your own hosting, are your sub-processors. You hold those agreements and the responsibility for any international transfer in that flow. We are not a processor for that ongoing processing, and we are not responsible for the operation of those tools or for any data leak, breach, or error that arises from them.

(b) Processing we run for you. Where we run processing under our own accounts, infrastructure, or sub-processors, we act as your processor for that processing, and the rest of this DPA applies. The vendors we use in that case are our sub-processors.

(c) Build, testing, and support. When we build, test, or support a Service, we prefer to use test or synthetic data. Where we need to access real personal data during that work, we act as your processor for that limited processing, and this DPA applies to it.

We do not decide the purposes of the processing or its essential means. If we did, we could become a controller for that processing, which we both want to avoid.

3. Our obligations as your processor

Where we act as your processor, we will:

  • process personal data only on your documented instructions, including for any transfer outside the EEA. Where a law we are subject to requires us to process the data otherwise, we will inform you of that legal requirement before processing, unless that law prohibits us from telling you on important grounds of public interest,

  • make sure the people we authorise to process the data are bound by confidentiality,

  • apply appropriate technical and organisational security measures in line with Article 32 of the GDPR, as described in section 4,

  • engage sub-processors only as set out in section 5,

  • help you respond to data subject requests, by appropriate measures and so far as possible,

  • help you meet your own duties on security, breach notification, and data protection impact assessments,

  • at the end of the Services, delete or return the personal data, as you choose, unless the law requires us to keep it, and

  • make available the information you reasonably need to show compliance, allow and contribute to audits, and tell you if we believe an instruction breaches data protection law.

4. Security measures

Where we act as your processor, we apply technical and organisational measures appropriate to the risk, including:

  • access control: access to personal data is limited to authorised people on a need-to-know basis and protected by strong authentication,

  • encryption: personal data is encrypted in transit, and at rest where the systems we use support it,

  • confidentiality: the people we authorise are bound by confidentiality obligations,

  • logging and monitoring: we keep access logs for the systems we operate and watch for unusual activity,

  • backup and recovery: we keep backups where appropriate and can restore data after an incident,

  • segregation: where we host your data, it is kept separate from other clients' data, and

  • vendor security: we use reputable providers and pass these obligations down to our sub-processors.

We may update these measures over time, provided the level of protection is not reduced. A fuller description is available on request. For Client-Controlled Tools, the security of those tools and of your own environment is your responsibility.

5. Sub-processors

Where we act as your processor, you give us general written authorisation to engage sub-processors. We keep a list of our sub-processors and will tell you in advance of any intended change, so that you can object on reasonable data protection grounds.

We place the same data protection obligations on each of our sub-processors. We remain responsible to you for our sub-processors' performance, as required by Article 28(4) of the GDPR, and we do not exclude that responsibility.

This does not apply to Client-Controlled Tools, which are not our sub-processors. You hold those relationships and are responsible for them.

6. Responsibility for third-party tools

We are responsible for the personal data we directly handle as your processor, and for our own sub-processors as set out above.

We are not responsible for Client-Controlled Tools, or for any third-party tool that operates under your accounts, credentials, or keys. This includes any data leak, breach, downtime, or error that comes from how those tools operate or how you use them. Each such tool is governed by its own terms and privacy policy, and is your responsibility as the controller and operator.

7. International transfers

Where we are your processor and a transfer outside the EEA is involved, we transfer personal data only on your instruction, and we rely on a valid safeguard, such as the EU-US Data Privacy Framework where the recipient is certified, or Standard Contractual Clauses.

Where a tool runs under your own accounts and keys, any transfer in that flow is your responsibility as the controller.

8. Personal data breaches

Where we act as your processor and become aware of a personal data breach affecting the data we process for you, we will notify you without undue delay, and we aim to do so within 48 hours of becoming aware. We will give you the information you reasonably need to meet your own notification duties, including any duty to notify the supervisory authority within 72 hours.

9. Liability

We remain liable to you for our own processing and for our own sub-processors, as required by the GDPR, and we do not limit that.

You are responsible for the tools you control, for the instructions you give us, and for the lawfulness of the data you ask us to process. The liability limits in our Terms of Service apply to this DPA, except where the law does not allow them.

Nothing in this DPA affects a data subject's rights, or the allocation of liability between controllers and processors under Article 82 of the GDPR.

10. Term and deletion

This DPA applies for as long as we process personal data on your behalf. When that ends, we delete or return the personal data, as you choose, unless we are required by law to keep it.

11. Details of the processing

Where we act as your processor for an engagement, we complete and agree with you a schedule that sets out the details of that processing: the subject matter, the duration, the nature and purpose, the types of personal data, the categories of data subjects, and our sub-processors. This DPA applies to an engagement once the schedule for it has been agreed between us.

12. Governing law

This DPA is governed by Latvian law and the GDPR, and forms part of our Terms of Service.

13. Contact

For data protection and DPA matters: reinis.umbrasko@reintellex.com

Create a free website with Framer, the website builder loved by startups, designers and agencies.