Effective date: June 2026
This DPA applies when Unbrained GmbH processes personal data on behalf of a business customer as processor under Article 28 GDPR. It forms part of the Terms, an Order Form, or another agreement that references it.
If you need a signed copy, contact privacy@pluno.ai. Signed agreements or Order Forms override this online DPA where they conflict.
Customer is the controller of Customer Personal Data. Unbrained is the processor and processes Customer Personal Data on behalf of Customer within the meaning of Article 4 No. 8 and Article 28 GDPR.
The terms processing, personal data, controller, processor, data subject, and personal data breach have the meanings given to them in the GDPR.
This DPA covers B2B Pluno products, including the Support product, Troubleshooting Agent, embedded B2B Product Agent, and Community product. Direct consumer use of Product Agent is not processing on behalf of a business customer and is not covered by this DPA.
The subject matter, nature, purpose, data categories, and data subject categories are described in the processing schedule below. The duration of processing is the term of the relevant agreement, plus any legally required retention period, backup period, or deletion period.
Unbrained will not sell Customer Personal Data and does not train, retrain, or fine-tune AI or machine-learning models on Customer Personal Data.
Customer's documented instructions are set out in the agreement, product configuration, connected-system settings, and any written instructions Customer gives to Unbrained. Additional instructions must be given in text form, including by email.
Customer may name persons authorized to issue instructions in an Order Form or by text-form notice. Customer must notify Unbrained in text form of changes to those persons. Unbrained may name persons authorized to receive instructions in an Order Form or by text-form notice.
Rules on remuneration for additional work caused by supplementary instructions remain unaffected. Instructions required under data protection law do not constitute additional work.
Customer is responsible for the lawfulness of its instructions, notices, legal basis, connected-system permissions, and handling of data subject requests. Customer must inform Unbrained without undue delay if it identifies errors or irregularities in Unbrained's processing. Customer is responsible for notifications to supervisory authorities and data subjects under Articles 33 and 34 GDPR or other laws applicable to Customer.
Unbrained processes Customer Personal Data only under the agreement, Customer's documented instructions, or legal requirements. If law requires other processing, Unbrained will inform Customer before processing unless the law prohibits such information for important public-interest reasons.
Unbrained generally processes Customer Personal Data in the European Union or European Economic Area. Processing in a third country is permitted only if the requirements of Articles 44 to 49 GDPR are met.
Unbrained will organize its business and operations so that Customer Personal Data is secured as required and protected from unauthorized third-party access. Unbrained will coordinate significant organizational changes that materially affect the security of processing with Customer in advance.
Unbrained will inform Customer without undue delay if Unbrained believes an instruction violates applicable law. Unbrained may suspend the instruction until Customer confirms or changes it. If Unbrained can show that processing under an instruction may lead to liability under Article 82 GDPR, Unbrained may suspend the affected processing until liability is clarified between the parties.
Unbrained will process Customer Personal Data separately from other data. Physical separation is not mandatory.
Unbrained will maintain appropriate technical and organizational measures under Article 32 GDPR. The measures include access controls, system access controls, authorization controls, separation controls, pseudonymization or anonymization where appropriate, transfer controls, input controls, availability and resilience measures, incident-response processes, privacy-by-design and privacy-by-default measures, employee training, confidentiality obligations, and supplier control.
Current measures include role-based access, minimized privileges, access-right reviews, encrypted connections such as HTTPS or SFTP, encryption of devices and storage media where appropriate, automatic device locking, firewalls, intrusion detection where appropriate, logging of access, creation, modification, and deletion events, separation of production and test environments, multi-tenant separation, secure deletion of storage media, automatic backups, documented incident handling, and regular review of measures.
Unbrained may update these measures as technology, legal requirements, and risks change, provided the overall level of protection is not materially reduced. Unbrained will notify Customer in advance of material changes that may negatively affect integrity, confidentiality, or availability of Customer Personal Data. Customer may request the current measures at any time.
Unbrained takes appropriate measures to protect personal data in remote-work settings and requires employees to follow mobile-working policies and participate in regular security and privacy training.
| Area | Measures |
|---|---|
| Physical access | Visitors are accompanied by staff where applicable, access permissions are reviewed regularly, and physical access to production servers is controlled by the hosting provider. Hosting-provider physical security documentation may be made available or referenced. |
| System access | Login with user name and password, biometric login where enabled, firewalls, intrusion detection where appropriate, encrypted storage media and devices, automatic device locking, user-permission management, and clean-desk rules. |
| Authorization and input | Role-based access, minimization of privileges, admin-managed rights, regular access reviews, logging of access and application-level creation, change, and deletion events, and traceability through individual user names where feasible. |
| Separation | Separation of production and test environments, logical or physical separation of systems, databases, or storage media where appropriate, multi-tenant capability of relevant applications, authorization concepts, database-right controls, and purpose attributes where used. |
| Pseudonymization and transfer | Where pseudonymization is used, assignment data is separated and stored in protected systems. Transfers use encrypted channels such as HTTPS or SFTP where appropriate, and data is anonymized or pseudonymized for transfer where feasible. |
| Availability and resilience | Backups, zone-redundant or otherwise resilient storage where appropriate, separated operating-system and data partitions where applicable, provider fire and smoke detection, and hosting-provider data-center security controls. |
| Review and privacy management | Central documentation of privacy and security procedures, employee confidentiality commitments, regular employee awareness training, documented incident-response processes, incident documentation, privacy-by-design and privacy-by-default measures, and regular review of the effectiveness of measures. |
| Supplier control | Security review and careful selection of suppliers, required data processing agreements and transfer safeguards where applicable, supplier instruction obligations, confidentiality obligations, control rights, subprocessor rules, deletion obligations after the end of processing, and ongoing review during longer cooperation. |
Unbrained will notify Customer without undue delay of violations of data protection law, the agreement, or Customer's instructions that occur in connection with processing by Unbrained or persons involved in processing.
Unbrained will notify Customer without undue delay if a supervisory authority acts against Unbrained under Article 58 GDPR and the action may concern processing performed for Customer.
Unbrained will support Customer with breach notification obligations. Unbrained will notify Customer without undue delay, and at the latest within 48 hours after becoming aware, of unauthorized access to Customer Personal Data processed on behalf of Customer.
The notice will include, where possible, a description of the breach, categories and approximate number of affected data subjects, categories and approximate number of affected records, and measures taken or proposed to address and mitigate the breach.
Unbrained will reasonably assist Customer with data subject requests under Articles 12 to 23 GDPR and with obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and information available to Unbrained. Assistance beyond a reasonable scope may be charged separately.
If a data subject contacts Unbrained regarding processing for which Customer is responsible, Unbrained may inform the data subject that Customer is the controller and may provide Customer's contact details.
Unbrained will inform Customer without undue delay if data subjects assert rights against Unbrained in connection with processing under this DPA, so that Customer can respond as controller.
Customer may verify compliance using available security documentation, certifications, reports, and reasonable written requests. Unbrained will provide Customer with information necessary for such verification to the reasonable extent required by Article 28 GDPR. Customer or an appointed third party may inspect processing systems and data to the necessary extent. On-site audits require reasonable prior notice, normal business hours, and measures to avoid disproportionate disruption. Unbrained may reject auditors that are competitors, or where similarly serious reasons exist. Audit and control support beyond a reasonable scope may be charged separately.
Unbrained will provide necessary information and enable the competent supervisory authority to perform on-site inspections where required in connection with measures under Article 58 GDPR.
Customer authorizes Unbrained to use subprocessors to provide Pluno. Current subprocessors are listed in the Pluno Trust Center at app.drata.com/trust/933f211c-9796-4f96-a6e2-96c4a283eba7.
Unbrained may add or replace subprocessors by giving prior notice through the Trust Center, email, changelog, or another reasonable channel. Customer may object on reasonable data protection grounds within two weeks after notice. If Customer does not object within that period, the subprocessor is deemed approved, provided the notice identifies this consequence.
Unbrained will impose data protection obligations on subprocessors that are substantially equivalent to this DPA and will carefully select subprocessors, review their technical and organizational measures, and remain responsible for subprocessor performance as required by GDPR.
Ancillary services without concrete access to Customer Personal Data, such as cleaning, pure telecommunications, postal, courier, transport, or guarding services, are not subprocessors. Unbrained will nevertheless use appropriate contractual and technical safeguards for such services where they may affect the security of processing. Maintenance or support of IT systems is a subprocessor relationship if personal data processed on behalf of Customer may be accessed.
Unbrained is obliged to maintain confidentiality regarding data received in connection with processing for Customer. Unbrained will ensure that employees involved in processing are familiar with applicable data protection rules and are bound by confidentiality unless already subject to an appropriate statutory duty.
Employee confidentiality obligations continue after the employment relationship where legally and contractually possible. Unbrained will provide proof of confidentiality obligations upon request.
Both parties will treat all information received in connection with this DPA as confidential for an unlimited period and use it only to perform the agreement, unless the information is public or was lawfully received from a third party without confidentiality obligation.
After the agreement ends, Unbrained will return or delete all documents, data, and processing or use results related to the processing relationship according to Customer's choice and product capabilities. Deletion will be documented appropriately.
If Customer does not instruct otherwise, Unbrained will delete Customer Data within 30 days after termination, subject to legal retention duties, backups, security logs, and documentation needed to prove compliance. Data retained under legal duties may be processed only for the relevant retention purpose and must be deleted without undue delay after the retention duty expires.
This DPA begins when the underlying agreement incorporating it becomes effective and is concluded for the term of that agreement. If the underlying service agreement ends, this DPA ends at the same time. Isolated termination of this DPA without termination of the main agreement is excluded.
If Customer's data is endangered by third-party measures, such as seizure or confiscation, insolvency proceedings, or other events, Unbrained will inform Customer without undue delay and inform creditors that the data is processed on behalf of Customer.
Additional agreements require written form. If any part of this DPA is invalid, the remaining provisions remain effective. The German version controls over the English version unless the parties expressly agree otherwise in an Order Form or signed agreement.
| Product | Purpose | Data | Data subjects |
|---|---|---|---|
| Support product | Support automation, copilot, escalation, QA, reporting, knowledge search, answer generation, and internal support-process optimization. | Tickets, conversations, requester and agent metadata, comments, attachments, fields, tags, knowledge sources, escalation records, integration settings, AI outputs, logs, user account data, authentication profile data, and data from issue trackers. | Customer employees, agents, end customers, support requesters, and connected-system users. |
| Troubleshooting Agent | Technical issue investigation, guided troubleshooting, generated questions, summaries, and recommendations. | Issue descriptions, ticket context, logs, screenshots, files, device or environment details, knowledge sources, generated questions, recommendations, summaries, and other data available through configured connections. | Customer employees, support agents, end customers, users represented in logs or files, and connected-system users. |
| Product Agent embedded B2B | Embedded AI assistance, product workflow execution, session operation, usage, and support. | Prompts, chat history, URLs, origins, page content read by the agent, browser or SDK tool results, action logs, session metadata, customer-provided metadata, diagnostics, and data made available through product permissions. | Customer employees, product end users, account or tenant users, and other persons represented in product data. |
| Community product | Community support, bot responses, knowledge search, configuration, moderation support, and analytics. | Discord or Telegram server, channel, group, user, role, message, thread, and bot interaction data where configured. | Community admins, moderators, members, and users interacting with Pluno. |