ClicheFactory

Data Processing Agreement

Between the Processor and the Controller as defined below.

Between:

Urban Sušnik s.p.
Bevško 1, 1420 Trbovlje, Slovenia
Registration Number: 7503601000
Tax/VAT Number: SI85962635
(hereinafter: the “Processor”)

And

The User of the ClicheFactory Platform
(hereinafter: the “Controller”)

(hereinafter jointly: the “Parties” and individually: a “Party”)

1. Introductory provisions

The Parties acknowledge that:

  • The Controller has accepted the ClicheFactory Terms of Service, establishing a contractual relationship (the “Master Agreement”).
  • Under the Master Agreement, the Controller utilizes the Processor’s platform, ClicheFactory (the “System”).
  • The Controller may upload, transmit, or process various documents (PDFs, EMLs, DOCX, images) via the System’s API, CLI, SDK, or Web UI.
  • These documents may contain personal data (the “Personal Data”).
  • The processing of Personal Data within the System constitutes data processing under Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
  • This Agreement ensures GDPR compliance and governs the processing of Personal Data.

2. Subject matter

This Agreement regulates the mutual rights and obligations of the Parties regarding the protection of Personal Data processed on behalf of the Controller while providing the ClicheFactory services.

3. Purpose of processing

  • The Controller authorizes the Processor to process Personal Data solely to the extent necessary to fulfill obligations under the Master Agreement.
  • The Processor shall process Personal Data strictly on behalf of the Controller. The Processor shall not process Personal Data for its own purposes or for third parties.
  • Notwithstanding the above, the Processor may process Personal Data if required to do so by European Union or Member State law to which the Processor is subject.

4. Categories of Personal Data and data subjects

Given the nature of unstructured document extraction, the specific types of Personal Data cannot be exhaustively defined. They depend entirely on the documents submitted by the Controller.

| Category | Description |
| --- | --- |
| Data subjects | Clients, employees, contractors, third parties, or any individuals mentioned in the uploaded documents (e.g., invoices, legal texts, emails). |
| Data types | Names, addresses, contact details, financial information, or any other data points contained within the unstructured text provided by the Controller. |

5. Obligations of the Controller

The Controller guarantees that all Personal Data provided to the Processor has been collected and processed lawfully. The Controller bears full responsibility for maintaining a valid legal basis for processing throughout the duration of this Agreement.

6. Audits and inspections

  • The Controller has the right to conduct an audit of the Processor’s compliance with this Agreement once per year, at their own expense.
  • The Controller must provide at least 15 business days’ notice prior to the audit.
  • The Processor will actively cooperate. Time spent by the Processor or its staff assisting with the audit will be billed at an hourly rate of €150.00 + VAT, billed in 30-minute increments.
  • The Processor will make available all information necessary to demonstrate compliance with the obligations laid down in this Agreement and the GDPR.

7. Security measures

  • Both Parties commit to implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • The Processor shall protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
  • The Processor guarantees that Personal Data will not be transferred outside the European Economic Area (EEA) unless the destination country holds an adequacy decision from the European Commission, or appropriate safeguards (such as Standard Contractual Clauses) are in place.

8. Obligations of the Processor

  • No AI training: The Processor strictly guarantees that it will not use the Controller’s Personal Data or uploaded documents to train, fine-tune, or improve its own systems or any underlying foundational models.
  • The Processor shall ensure that persons authorized to process the Personal Data (employees, contractors) have committed themselves to confidentiality.
  • The Processor shall notify the Controller without undue delay—and no later than 48 hours—after becoming aware of a personal data breach.

9. Sub-processing

The Controller consents to the Processor engaging third-party sub-processors to fulfill its obligations. The Processor maintains a general authorization for the following categories of sub-processors:

| Sub-processor category | Purpose | Location / transfer safeguard |
| --- | --- | --- |
| Cloud infrastructure providers | Server hosting, compute, and core application infrastructure (e.g., Hetzner, AWS) | European Economic Area (EEA) |
| Authorized LLM providers | API-based extraction models (if the hosted option is selected by the user) | EEA, or jurisdictions with a valid EU adequacy decision (e.g., the US via the EU-US Data Privacy Framework), or via Standard Contractual Clauses (SCCs). |

  • Bring Your Own Key (BYOK) & Local Mode: If the Controller utilizes the “Local Mode” (via Ollama) or supplies their own API keys (BYOK) for external LLMs (e.g., OpenAI, Anthropic), the Controller acknowledges that they are transmitting data directly to those entities. In these configurations, those entities are not sub-processors of ClicheFactory, and the Controller is responsible for maintaining their own DPAs with those providers.
  • The Processor guarantees that authorized LLM sub-processors (like Google Gemini) are configured strictly via enterprise/API tiers that prohibit the use of data for model training.
  • The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 8 days in advance.

10. Data subject rights

Given that the Processor does not proactively monitor or index the contents of the unstructured data uploaded for extraction, the Processor’s ability to assist with specific data subject requests (e.g., “Delete John Doe’s data”) is limited. However, the Processor will promptly notify the Controller of any direct requests received from data subjects and provide general system tools (e.g., document deletion capabilities) to allow the Controller to fulfill these obligations.

11. Duration and deletion

  • This Agreement is valid for the duration of the Master Agreement.
  • The Processor provides the Controller with the ability to delete documents containing Personal Data at any time via the System. Upon termination of the Master Agreement, the Processor will securely delete all Personal Data, unless Union or Member State law requires storage.

12. Final provisions

  • Disputes arising from this Agreement shall be settled amicably. If no resolution is reached, the competent courts in Ljubljana, Slovenia, shall have jurisdiction.
  • This Agreement is governed by the laws of the Republic of Slovenia.
  • This Agreement is considered executed when the Controller accepts the Terms of Service and begins using the System.