Roles & subject matter
For personal data submitted by the Controller into business memory and processed by CORA agents on the Controller’s instructions: the Controller is the data controller and Artificial Innovations Oy (CORA) is the data processor under Article 28 GDPR.
The subject matter of processing is the provision of the CORA service: company memory, AI agent execution, and related platform features.
Duration
This DPA applies for the duration of the subscription and continues until all customer personal data has been deleted or returned in accordance with the section below.
Processing instructions
The Processor processes customer personal data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do so by EU or Member State law.
The instructions consist of (a) the Terms of Service, (b) this DPA, (c) the in-product configuration of the workspace and its agents, and (d) any further written instructions agreed between the parties.
Processor obligations
The Processor shall:
- Ensure that persons authorised to process customer personal data are bound by confidentiality and trained appropriately.
- Implement appropriate technical and organisational measures as described in Annex II.
- Assist the Controller, by appropriate measures, in responding to data subject requests under Chapter III of the GDPR.
- Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, DPIA, prior consultation).
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR.
Sub-processors
The Controller grants the Processor a general authorisation to engage sub-processors. A current list of sub-processors is published in Annex III. The Processor shall:
- Impose data protection obligations on each sub-processor that are no less protective than those in this DPA.
- Remain liable to the Controller for the performance of sub-processors.
- Notify the Controller of any intended changes to the list of sub-processors at least 30 days in advance, giving the Controller the right to object on reasonable data-protection grounds.
Data subject rights
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures to fulfil the Controller’s obligation to respond to requests for the exercise of data subject rights (access, rectification, erasure, restriction, portability, objection, and automated decision-making).
Breach notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of any personal data breach affecting customer data. The notification will include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
Audit rights
The Processor shall make available to the Controller, on reasonable written request, the information necessary to demonstrate compliance with this DPA. The Controller may, no more than once per calendar year and at its own cost, audit compliance — either through a mutually agreed independent auditor under appropriate confidentiality, or by reviewing a recent third-party audit report (e.g. SOC 2 Type II or ISO/IEC 27001) where available.
International transfers
Full EU data residency is available. Where any transfer of customer personal data outside the European Economic Area is necessary for the provision of the service, the Processor shall rely on a valid transfer mechanism under Chapter V of the GDPR — typically the Standard Contractual Clauses (Module 3, processor-to-processor) together with supplementary measures as required.
Return & deletion
On termination of the subscription, the Controller has 30 days to export business memory and customer personal data from the workspace. After that period, the Processor will permanently delete customer personal data within a reasonable timeframe, except where retention is required by EU or Finnish law (e.g. invoicing records).
Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits a party’s obligations or liability to data subjects under the GDPR or other mandatory law.
Annexes
Annex I — Description of processing. Categories of data subjects: customer employees and contacts, end-users represented in customer-provided content. Categories of personal data: names, business email, role/title, communication content, calendar metadata, document content uploaded into memory. Nature and purpose: provision of company-memory storage, agent execution, support. Duration: the term of the subscription.
Annex II — Technical and organisational measures. Workspace-isolated data at the database level via row-level security; encryption in transit (TLS 1.2+) and at rest (AES-256); access controls and least-privilege role-based access for Processor staff; audit logging of administrative actions; regular backups; incident-response procedures; secure software development practices including dependency scanning; staff confidentiality and training. Specific measures are reviewed and updated as the security landscape evolves.
Annex III — Sub-processors. The Processor relies on a small number of vendors for hosting, AI model inference, monitoring, and customer communications. The current list, including each vendor’s role and processing location, is available on request from support@hellocora.co.