Customer Terms & Conditions

Updated: 27 November 2023


  1. This Data Processing Addendum (“DPA”), and its schedules and annexes, forms part of the Agreement. Any terms used but not defined in this DPA will have the same meaning as set out in the Agreement.
  2. For the purposes of the Agreement and the delivery of the Services, the Customer is the data controller and AutogenAI is the data processor. Each party shall, in connection with the exercise of its rights and the performance of its obligations under the Agreement, comply with the Applicable Data Protection Laws. The type of personal data processed by AutogenAI under this Agreement and the duration and purpose of such processing is set forth in Annex A. In respect of its access to and/or processing of any such personal data of Customer in the provision of the Services, AutogenAI shall: 

    a. have in place appropriate technical and organisational measures to ensure an appropriate level of security for the processing of such personal data of Customer and to protect such personal data against unauthorised or unlawful processing or accidental loss, destruction or damage; 

    b. preserve the integrity of such personal data of Customer and prevent the loss or corruption of such personal data;  
    c. only process such personal data in accordance with the Agreement and any other written instructions and directions of Customer and not for its own purpose and ensure that anyone in its organisation processing personal data of Customer is subject to the same duties of confidence as set out in this DPA;  
    d. notify Customer without undue delay if it becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to Customer’s personal data (a “Security Incident”) and provide sufficient detail of the Security Incident for Customer to take action to remedy the Security Incident;

    e. provide such reasonable assistance and information to  Customer as it may reasonably require to allow the Customer to comply with its obligations under the Applicable Data Protection Laws;  

    f. upon termination of the Agreement at the direction of Customer either return to Customer or securely destroy such data and delete any copies, except where AutogenAI is required by applicable law to retain copies; 

    allow Customer and its auditors, at Customer’s own cost and expense and upon reasonable prior written notice, to conduct audits or inspections during the Term and for 12 months thereafter, in connection with the processing of any such data to ensure any data processing by AutogenAI is in accordance with Applicable Data Protection Laws;  

    maintain complete and accurate records to demonstrate its compliance with this DPA; and 

    i. not transmit any personal data of Customer or otherwise process it outside the European Economic Area unless it has complied with its applicable obligations under Applicable Data Protection Laws in ensuring adequate safeguards in relation to such transfer.

  3. Customer authorises AutogenAI to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Processor’s existing sub-processors are listed in Annex A. In relation to the processing of Customer’s personal data under the Agreement, AutogenAI has entered or (as the case may be) will enter with such third party sub-processors into a written agreement incorporating terms which are the same as or substantially similar to those set out in this DPA.  As between Customer and AutogenAI, AutogenAI shall remain fully liable for all acts or omissions of any third party sub-processor appointed by AutogenAI pursuant to the Agreement and this DPA.
  4. Processor may appoint new sub-processors provided that they notify Controller in writing 14 days before the new sub-processor is granted access to Personal Data.
  5. Nothing in the Agreement shall relieve AutogenAI of its own direct responsibilities and liabilities under Applicable Data Protection Laws.
  6. For the purposes of this DPA the terms “data controller”, “data processor”, “personal data”, “process” and “processing” shall have the meaning set out in the Applicable Data Protection Laws and “subprocessor” means any third party appointed by or on behalf of AutogenAI to process Customer’s personal data in connection with this Agreement. 

Annex A 



AutogenAI will process the types of personal data listed below in order to provide its services to Customer. 

Nature & Purpose of processing 

In relation to Authorised users, to allow the following activities: 

access to the Services 

  • use of the Services 
  • access and use of the Support Services 
  • training and development services 
  • user administration  
  • reporting 

For any other purposes, AutogenAI must anonymise the data. 

Duration of the processing 

For the duration of the contract 

Types of personal data 

For Authorised Users the following data is processed: 

  • Login details 
  • System usage details 
  • Employer details 
  • Job title  
  • And any other data that Authorised Users input into the system 

Categories of data subject 

Authorised Users of the Customer


Name Country Purpose Transfer mechanism relied upon  

(if applicable) 

AWS London/EU Hosting & Infrastructure (for UK & EU Customers only) Not applicable (for London), adequacy decision for EU 
AWS US Hosting & Infrastructure (for US Customers only)  Not applicable
AWS Australia Hosting & Infrastructure (for Australian Customers only)  Not applicable
Docebo Italy Learning Management Services adequacy decision for EU