Customer Terms & Conditions

Applicable to Order Forms signed on or after 27 March 2024


  1. This Data Processing Addendum (“DPA”), and its schedules and annexes, forms part of the Agreement. Any terms used but not defined in this DPA will have the same meaning as set out in the Agreement.
  2. For the purposes of the Agreement and the delivery of the Services, the Customer is the data controller and AutogenAI is the data processor. Each party shall, in connection with the exercise of its rights and the performance of its obligations under the Agreement, comply with the Applicable Data Protection Laws. The type of personal data processed by AutogenAI under this Agreement and the duration and purpose of such processing is set forth in Annex A. In respect of its access to and/or processing of any such personal data of Customer in the provision of the Services, AutogenAI shall:
    a. have in place appropriate technical and organisational measures to ensure an appropriate level of security for the processing of such personal data of Customer and to protect such personal data against unauthorised or unlawful processing or accidental loss, destruction or damage;
    b. preserve the integrity of such personal data of Customer and prevent the loss or corruption of such personal data;
    c. only process such personal data in accordance with the Agreement and any other written instructions and directions of Customer and not for its own purpose and ensure that anyone in its organisation processing personal data of Customer is subject to the same duties of confidence as set out in this DPA;  
    d. notify Customer without undue delay if it becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to Customer’s personal data (a “Security Incident”) and provide sufficient detail of the Security Incident for Customer to take action to remedy the Security Incident to the extent required by Applicable Data Protection Laws;

    e. provide such reasonable assistance and information to Customer as it may reasonably require to allow the Customer to comply with its obligations under the Applicable Data Protection Laws;

    f. upon termination of the Agreement at the direction of Customer either return such personal data to Customer or securely destroy such personal data and delete any copies, except where AutogenAI is required by applicable law to retain the personal data or copies of the personal data; 

    g. where required under Applicable Data Protection Laws, allow Customer and its auditors, at Customer’s own cost and expense and upon reasonable prior written notice, to conduct audits or inspections during the Term and for 12 months thereafter, in connection with the processing of any such personal data to ensure any personal data processing by AutogenAI is in accordance with Applicable Data Protection Laws;

    h. maintain complete and accurate records to demonstrate its compliance with this DPA; and

    i. not transmit any personal data of Customer or otherwise process it outside the European Economic Area or Australia unless it has complied with its applicable obligations under Applicable Data Protection Laws including by ensuring adequate safeguards in relation to such transfer.
  3. Customer authorises AutogenAI to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Processor’s existing sub-processors are listed in Annex A. In relation to the processing of Customer’s personal data under the Agreement, AutogenAI has entered or (as the case may be) will enter with such third party sub-processors into a written agreement incorporating terms which are the same as or substantially similar to those set out in this DPA.  As between Customer and AutogenAI, AutogenAI shall remain fully liable for all acts or omissions of any third party sub-processor appointed by AutogenAI pursuant to the Agreement and this DPA.
  4. Processor may appoint new sub-processors provided that they notify Controller in writing 14 days before the new sub-processor is granted access to Personal Data.
  5. Nothing in the Agreement shall relieve AutogenAI of its own direct responsibilities and liabilities under Applicable Data Protection Laws.
  6. For the purposes of this DPA the terms “data controller”, “data processor”, “personal data”, “process” and “processing” shall have the meaning set out in the Applicable Data Protection Laws and “subprocessor” means any third party appointed by or on behalf of AutogenAI to process Customer’s personal data in connection with this Agreement. For the purpose of this DPA, AutogenAI is considered a “processor” and the Customer is a “controller”, and references to personal data include references to “personal information” under Applicable Data Protection Law. 

Annex A 



AutogenAI will process the types of personal data listed below in order to provide its services to Customer. 

Nature & Purpose of processing 

In relation to Authorised users, to allow the following activities: 

  • access to the Services
  • use of the Services 
  • access and use of the Support Services 
  • training and development services 
  • user administration  
  • reporting 
  • provision of internet based searching

For any other purposes, AutogenAI must anonymise the data. 

Duration of the processing 

For the duration of the Agreement.

Types of personal data 

For Authorised Users the following personal data is processed: 

  • Login details 
  • System usage details 
  • Employer details 
  • Job title  
  • And any other personal data that Authorised Users input into the system 

Categories of data subject 

Authorised Users of the Customer


| Name | Country | Purpose | Transfer mechanism relied upon (if applicable) |
| --- | --- | --- | --- |
| AWS | London/EU | Hosting & Infrastructure (for UK & EU Customers only) | Not applicable (for London), adequacy decision for EU |
| AWS | US | Hosting & Infrastructure (for US Customers only) | Not applicable |
| AWS | Australia | Hosting & Infrastructure (for Australian Customers only) | Not applicable |
| Docebo | Italy | Learning Management Services | adequacy decision for EU |