Data processing agreement (DPA)

1. the user and/or customer and/or partner specified in any concluded Giotto Agreements, as defined below (“DC”), and


2. Giotto.ai SA, a company incorporated under the laws of Switzerland, with business registration number CHE-300.132.471, c/o Fiduconsult Lausanne SA, Place de la Gare 4, 1003 Lausanne, Switzerland, as represented by Aldo Podestà in his capacity of Founder & CEO (“Giotto.ai” or “DP”)


(each referred to as a "Party" and together as the "Parties")

WHEREAS

(A) Pursuant to the relevant agreement(s) entered into between the Parties (the “Giotto Agreements”), DP has accepted to provide a license to use Giotto.ai’s proprietary AI model and software, consisting of a containerised intelligence designed to integrate advanced reasoning capabilities into artificial intelligence systems, including the related official documentation and training materials, together with its continuous upgrades. The Giotto Agreements might also govern the possibility for the DC to resale or distribute the Model, the sale of AI-configured appliances, and/or the provision by Giotto.ai to DC of some additional cloud hosting or premium support services (collectively, the “Services”). To the extent that, as part of executing the Giotto Agreements and/or delivering of the Services, DP shall require, and DC shall grant, access to certain personal data in relation to which DC is regarded as the Data Controller so that such Controller Personal Data is processed on behalf of DC.


(B) According to Article 28 of the GDPR (as defined in Clause 1 below) "processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller".


(C) It is understood that when the DC acts on behalf of a third party acting as data controller, the DC shall be intended as data processor and the DP shall be intended as a sub-processor of the DC, for the purpose of this DPA.


(D) In view of the above, the Parties, by mutually recognizing each other´s capacity to formalize and be bound by this Data Processing Agreement (hereinafter the “DPA”), which will form part of the relevant Giotto Agreement upon execution, agree on the following:

1. DEFINITIONS

Without prejudice to other terms that may be defined in the relevant Giotto Agreement, capitalized terms in this DPA shall have the meaning given to them below:

“Controller Personal Data”

means Personal Data in respect of which the DC is regarded as a Data Controller under the applicable Data Protection Framework, which is accessed and/or processed by either the DP and/or its Subprocessors;

“Data Protection Framework”

shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), together with any national implementation acts passed in any EU Member State where the DC is located and, for non-EU based DCs, Swiss Federal Act on Data Protection (FADP), as revised and in force since 1 September 2023;

“Personal Data” / “Processing”“Data Subject(s)” / “Sensitive/Special categories of data” / “Data Controller”/ “Data Processor” / “Supervisory Authority”

shall have the meaning set out in the GDPR;

“Subprocessor”

means any subcontractor engaged either by the DP, or by any other subcontractor of the DP, who agrees to receive Controller Personal Data exclusively intended for processing activities to be carried out on behalf of the DC, and in accordance with the instructions received either directly from DC as Data Controller, or through the DP acting on behalf of the DC, the terms of this DPA and the terms of the relevant written subcontract.

2. PURPOSE - OBJECT

This DPA regulates the conditions for the Processing of Controller Personal Data to be carried out by the DP (as Data Processor) on behalf of the DC (as Data Controller) in the context of the provision of the Services, to the extent the DC is based in any Member States of the European Union, as required by Article 28 of the GDPR, and mutatis mutandis in all other cases, under the Swiss Federal Act on Data Protection (FADP), as revised and in force since 1 September 2023.


3. DETAILS OF THE PROCESSING ACTIVITIES

The details of the data processing activities to be carried out by DP in the name and on behalf of DC under this DPA, with a reference to the Special Categories of Personal Data (if applicable), are further specified in APPENDIX 1, which forms an integral part of this DPA.


4. UNDERTAKINGS OF DP AS DATA PROCESSOR IN RESPECT OF THE CONTROLLER PERSONAL DATA

4.1. DP, as Data Processor, acknowledges that DC is the Data Controller in respect of any Controller Personal Data that DP shall process on behalf of DC in the course and for the purposes of providing the Services. In this context, DP agrees and warrants:

a. to process Controller Personal Data only:


i. for the purpose of carrying out the Services on behalf of the DC and in accordance with its documented instructions; and
ii. in compliance with this DPA and for the purposes specified herein.

b. notify the DC if it is legally required to Process Controller Personal Data otherwise than in accordance with (a) above, before such Processing occurs, unless the law applicable to DP requiring such Processing would prohibit it from performing such notification on an important ground of public interest, in which case it shall notify as soon as that law permits it to do so;


c. not determine the purposes for which, nor the manner in which, Controller Personal Data is processed;


d. notify the DC if it has any reason to believe that any legislation applicable to it prevents it from fulfilling the instructions received or its obligations under this DPA;


e. implement and maintain appropriate technical and organisational measures, as set out in the applicable Data Protection Framework, to protect Controller Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and, in particular, where the processing involves the transmission of data over a network, against all other unlawful forms of processing. Having regard to the state of the art and cost of their implementation, DP agrees that such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of Controller Personal Data to be protected;


f. treat all Controller Personal Data as confidential information and refrain from disclosing such confidential information without the Data Controller’s prior written consent except:

i. to those of its personnel who need to know the confidential information in order to provide the Services; and
ii. where it is required by a court to disclose Controller Personal Data, but only to the minimum extent necessary to comply with such court order;

g. take reasonable steps to ensure that the personnel being granted access to the Controller Personal Data:

i. is informed of both the confidential nature of the Controller Personal Data and the obligation to keep such Controller Personal Data confidential;
ii. has been duly appointed and instructed as person in charge for the processing, operating under its direct authority, in compliance with Data Protection Framework, as well as with the instructions; and
iii. is aware of and complies with DP´s duties and their own personal duties and obligations under this DPA.

h. Notify in writing (e.g. via email) to the DC about:

i. any instruction which, in its opinion, infringes applicable law;
ii. any actual or suspected security breach, unauthorised access, misappropriation, loss, damage or other compromise of the security, confidentiality, or integrity of Controller Personal Data processed by DP (“Security Breach”);
iii. any notice, complaint, communication or request received from either a Data Subject, the Supervisory Authority, or any other public body relating to any Controller Personal Data processed in accordance with the terms of this DPA, and refrain from responding to such requests or notices unless otherwise expressly authorized to do so by the DC; and
iv. any change in legislation applicable to DP, or its Subprocessors, which is likely to have a substantial adverse effect on the warranties and obligations set forth in this DPA.


i. upon discovery of any Security Breach, DP shall:
i. take action to prevent any further Security Breach and mitigate any adverse effects that may have been identified as a consequence of such Security Breach; and
ii. provide the DC with cooperation and assistance in relation to any notifications that may be required as a consequence of the Security Breach.
iii. at the expense of the DC, provide the DC with cooperation and assistance in relation to any complaint, communication or request received from a Data Subject, including by providing the DC with details of the complaint, communication or request;

j. providing the DC with assistance in fulfilling Data Subjects’ exercise of rights also by implementing appropriate technical and organisational measures that enable it to comply with this paragraph (j).


k. at the expense of the DC, provide the DC with cooperation and assistance in relation to any data protection impact assessment or regulatory consultation that may be legally required in respect of the Controller Personal Data.


l. make available to the DC the information necessary to support compliance with its obligations under the Data Protection Framework and at the request of the DC and at its expense, submit its data processing facilities for audits and inspections of the processing activities covered by this DPA, which shall be carried out either directly by the DC or by any independent or impartial inspection agents or auditors not reasonably objected to by DP. The Parties agree that any audit and inspection shall be requested with a prior notice of at least seven (7) days and shall be carried out in such a way not to prevent ordinary business activity of the DP.


m. provide the DC with the necessary support in monitoring compliance with this DPA and the applicable Data Protection Framework, and to make available upon request all information and evidence necessary to demonstrate that DC is complying with its obligations under this DPA.


n. refrain from subcontracting any of its processing operations under this DPA unless:

i. it has given prior notice to the DC of the identity of the Subprocessor, its location and a description of the processing it will carry out including the specific Services to be subcontracted and, within fifteen (15) days after receipt of the notification by the DC it has not objected in writing to the appointment; and
ii. the Subprocessor is subject to a written agreement which imposes the same obligations as are imposed on DP under this DPA.

Should DP be entitled to subcontract any of its obligations under this DPA to any Subprocessor, it will still be liable for any of the Subprocessors´ acts and omissions, to the same extent as if it had performed itself those obligations pursuant to the DPA.

4.2. For the purposes of Clause 4.1(n) DC expressly authorizes DP to engage Subprocessors listed in APPENDIX I for the purposes of providing the Services in accordance with this DPA and the relevant Giotto Agreement.


4.3. The Parties agree that upon termination of this DPA, the DP shall, and shall procure that its Subprocessors shall, at the choice of the DC in writing, return all Controller Personal Data and any copies thereof or securely destroy all Controller Personal Data and certify to the DC that it/they has/have done so, unless a law to which DP, or a Subprocessor, is subject to prevents it from returning or destroying all or part of the Controller Personal Data. In such a case, DP warrants that it will, and that its Subprocessors will, guarantee the confidentiality of the Controller Personal Data and will refrain from actively processing the Controller Personal Data, and will guarantee the return and/or destruction of the Controller Personal Data as requested by the DC as soon as the legal obligation to not return or destroy the information is no longer in effect.

5. INTERNATIONAL DATA TRANSFERS

To the extent that the provision of the Services may require the performance of an international transfer of the Controller Personal Data to a third country outside the European Union (“EU”), which has not been found to provide an adequate level of protection by the European Commission (an “International Data Transfer”), DC hereby authorizes DP to carry out International Transfers of Personal Data of Controller Personal Data in order for authorized Subprocessors to provide the Services and the subcontracted services.

6. ALLOCATION OF COSTS

Each Party shall perform its obligations under this DPA at its own cost.

7. TERM

This DPA shall remain in force for the duration of the Services.

8. MISCELLANEOUS

8.1. In the event of inconsistencies between the provisions of this DPA and other agreements between the Parties impacting on the processing of Controller Personal Data, including the relevant Giotto Agreement, the provisions of this DPA shall prevail with regard to the Parties’ data protection obligations relating to Controller Personal Data. In cases of doubt, this DPA shall prevail, in particular, where it cannot be clearly established whether a clause relates to a Party’s data protection obligations.


8.2. Should any provision or condition of this DPA be held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of this DPA shall remain valid. Such an invalidity, unlawfulness or unenforceability shall have no effect on the other provisions and conditions of this DPA to the maximum extent permitted by law. The provision or condition affected shall be construed either:


a. to be amended in such a way that ensures its validity, lawfulness and enforceability while preserving the Parties’ intentions, or if that is not possible,
b. as if the invalid, unlawful or unenforceable part had never been contained in this DPA.

8.3. Any amendments to this DPA shall be in writing and duly signed by authorized representatives of the Parties hereto.

9. GOVERNING LAW AND JURISDICTION

9.1. This DPA shall be governed by and construed in accordance with the laws of Switzerland. The Parties expressly agree to exclude the application of the United Nations Convention on Contracts for the International Sale of Goods (1980) to the extent that such Convention might otherwise be applicable.


9.2. Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts at the registered office of Giotto.ai.

APPENDIX 1 – DETAILS OF THE PROCESSING ACTIVITIES

This Appendix forms part of the DPA and must be completed and signed by the Parties.


Data subjects
The Controller Personal Data concerns the following categories of Data Subjects: employees, customers, clients of DC’s customers, suppliers, suppliers of DC’s customers.


Categories of data
The Controller Personal Data concerns the following categories of Personal Data: identification data, contact data, traffic data.


Special Categories of data (if appropriate)
The Controller Personal Data concerns the following special Categories of data: N/A.


Processing operations
The Controller Personal Data will be subject to the following basic processing activities: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment combination, restriction, erasure, destruction.


Duration
The Controller Personal Data will be processed by DP for the duration of the Services.


Subprocessor
The DP is hereby authorized to engage the following Subprocessors: DP’s authorized contractors, Slack Technologies, LLC, Zendesk, Inc., Microsoft Corporation, Verda Cloud Oy.

ISO certification badge

© 2026 Giotto.ai SA - All rights reserved