Applicable to Order Forms signed on or after 22 December 2024
AUTOGENAI DATA PROCESSING ADDENDUM
- This Data Processing Addendum (“DPA”), and its schedules and annexes, forms part of the Agreement. Any terms used but not defined in this DPA will have the same meaning as set out in the Agreement.
- For the purposes of the Agreement and the delivery of the Services, the Customer is the data controller and AutogenAI is the data processor. Each party shall, in connection with the exercise of its rights and the performance of its obligations under the Agreement, comply with the Applicable Data Protection Laws. The type of personal data processed by AutogenAI under this Agreement and the duration and purpose of such processing is set forth in Annex A. In respect of its access to and/or processing of any such personal data of Customer in the provision of the Services, AutogenAI shall:
a. to protect Customer’s personal data AutogenAI shall implement and maintain appropriate technical and organisational safeguards that are no less rigorous than accepted industry standards for information security and shall ensure that all such safeguards comply with Applicable Data Protection Laws. In assessing the appropriate level of security, AutogenAI shall take into account the risks that are presented by processing, in particular from accidental, unauthorised, or unlawful destruction, loss, alteration, damage, disclosure of, or access to Customer’s personal data that is transmitted, stored, or otherwise processed by AutogenAI.
b. preserve the integrity of such personal data of Customer and prevent the loss or corruption of such personal data;
c. only process such personal data in accordance with the Agreement and any other written instructions and directions of Customer and not for its own purpose and ensure that anyone in its organisation processing personal data of Customer is subject to the same duties of confidence as set out in this DPA;
d. notify Customer without undue delay if it becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to Customer’s personal data (a “Security Incident”) and provide sufficient detail of the Security Incident for Customer to take action to remedy the Security Incident to the extent required by Applicable Data Protection Laws;
e. notify Customer without undue delay if AutogenAI receives a request from a data subject regarding its personal data or to exercise a right under Applicable Data Protection Laws;
f. provide such reasonable assistance and information to Customer as it may reasonably require to allow the Customer to comply with its obligations under the Applicable Data Protection Laws;
g. upon termination of the Agreement at the direction of Customer either return such personal data to Customer or securely destroy such personal data and delete any copies, except where AutogenAI is required by applicable law to retain the personal data or copies of the personal data;
h. where required under Applicable Data Protection Laws, allow Customer and its auditors, at Customer’s own cost and expense and upon reasonable prior written notice, to conduct audits or inspections during the Term and for 12 months thereafter, in connection with the processing of any such personal data to ensure any personal data processing by AutogenAI is in accordance with Applicable Data Protection Laws;
i. maintain complete and accurate records to demonstrate its compliance with this DPA; and
j. not transmit any personal data of Customer or otherwise process it outside the European Economic Area, United Kingdom or Australia unless it has complied with its applicable obligations under Applicable Data Protection Laws including by ensuring adequate safeguards in relation to such transfer.
- Customer authorises AutogenAI to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Processor’s existing sub-processors are listed in Annex A. In relation to the processing of Customer’s personal data under the Agreement, AutogenAI has entered or (as the case may be) will enter with such third party sub-processors into a written agreement incorporating terms which are the same as or substantially similar to those set out in this DPA. As between Customer and AutogenAI, AutogenAI shall remain fully liable for all acts or omissions of any third party sub-processor appointed by AutogenAI pursuant to the Agreement and this DPA.
- Processor may appoint new sub-processors provided that they notify Controller in writing 14 days before the new sub-processor is granted access to Personal Data.
- Nothing in the Agreement shall relieve AutogenAI of its own direct responsibilities and liabilities under Applicable Data Protection Laws.
- For the purposes of this DPA the terms “data controller”, “data processor”, “personal data”, “process”, “processing” and “data subject” shall have the meaning set out in the Applicable Data Protection Laws and “subprocessor” means any third party appointed by or on behalf of AutogenAI to process Customer’s personal data in connection with this Agreement. References to “personal data” include references to “personal information” under Applicable Data Protection Law.
Annex A
PARTICULARS OF PROCESSING
Scope
AutogenAI will process the types of personal data listed below in order to provide its services to Customer.
Nature & Purpose of processing
In relation to Authorised users, to allow the following activities:
- access to the Services
- use of the Services
- access and use of the Support Services
- training and development services
- user administration
- usage reporting to Customer
- provision of internet based searching
Duration of the processing
For the duration of the Agreement.
Types of personal data
For Authorised Users the following personal data is processed:
- Login details
- System usage details
- Employer details
- Job title
- And any other personal data that Authorised Users input into the AutogenAI Application (which may include Special Categories of personal data)
Categories of data subject
- Authorised Users of the Customer
- Data subjects of any personal data uploaded by Authorised Users into the AutogenAI Application
Subprocessors **
| Name | Location of Processing | Purpose | Transfer mechanism relied upon (if applicable) |
| --- | --- | --- | --- |
| AWS | UK | Hosting & Infrastructure, LLM provider (for UK & EU Customers only) | Not applicable (for London), adequacy decision for EU |
| AWS | US | Hosting & Infrastructure, LLM provider (for US Customers only) | Not applicable |
| AWS | Australia | Hosting & Infrastructure, LLM provider (for Australian Customers only) | Not applicable |
| AWS | Canada | Hosting & Infrastructure, LLM provider (for Canadian Customers only) | Not applicable |
| Docebo | Italy | Learning Management Services | Adequacy decision for EU |
| OpenAI | US | LLM provider | UK Addendum to the SCCs and Transfer Impact Assessment (TIA) |
| Microsoft Azure | UK | Hosting and LLM provider (for UK & EU Customers only) | Not applicable (for UK), adequacy decision for EU |
| Microsoft Azure | US | Hosting & Infrastructure, LLM provider (for US Customers only) | Not applicable |
| Microsoft Azure | Australia | Hosting & Infrastructure, LLM provider (for Australian Customers only) | Not applicable |
| Microsoft Azure | Canada | Hosting & Infrastructure, LLM provider (for Canadian Customers only) | Not applicable |
| AutogenAI | US* | Subprocessor for UK & Australia customers | UK Addendum and TIA |
| AutogenAI | UK* | Subprocessor for US & Australia customers | Not applicable |
| AutogenAI | Australia* | Subprocessor for UK & US | UK Addendum and TIA |
| Mistral | Sweden, EU | LLM Provider (for non-region-exclusive customers only) | Not applicable |
* = Data Access and Regional Restrictions
- Regional Data Boundaries: Where clients have agreed terms specifying that their data must not leave a particular region (e.g., the UK), AutogenAI will ensure that such data remains stored and processed exclusively within the designated region.
- Access Restrictions: In such cases, only authorized staff located within the corresponding regional company (e.g., UK-based staff for UK data) will have access to the data. Staff from AutogenAI’s associated companies in AUS and US would not access such data, ensuring compliance with regional data handling agreements.
** = Changes to Data Processors and Third-Party Providers
AutogenAI will notify affected customers in advance if it appoints new sub-processors or makes significant changes to existing ones, as required under this DPA.