Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement ("DPA") is entered into between Applied AI AS, a Norwegian company with registered address at Svanholmvegen 59, 5970 Byrknesøy, Norway ("Processor", "we", "us"), and the customer entity that has agreed to the Zedoc Terms of Service ("Controller", "you", "Customer").
This DPA forms part of the agreement between the parties for the use of the Zedoc platform and supplements the Zedoc Terms of Service. By using the Zedoc platform, you agree to the terms of this DPA.
1. Definitions
1.1 "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.2 "Processor" means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, Applied AI AS is the Processor.
1.3 "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
1.4 "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
1.5 "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
1.6 "Sub-processor" means any Processor engaged by the Processor to carry out processing activities on behalf of the Controller.
1.7 "SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission in Implementing Decision (EU) 2021/914.
1.8 "Supervisory Authority" means an independent public authority established by a Member State pursuant to Article 51 of the GDPR.
1.9 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, as implemented in Norwegian law through the Personal Data Act (personopplysningsloven).
2. Scope and Applicability
2.1 This DPA applies where and to the extent that Applied AI AS processes Personal Data on behalf of the Customer in its capacity as a Processor under the GDPR in connection with the provision of the Zedoc platform.
2.2 This DPA supplements the Zedoc Terms of Service. In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, the terms of this DPA shall prevail.
2.3 This DPA applies automatically to all customers whose Personal Data is subject to the GDPR, regardless of where the Customer is established. No separate signature or acceptance is required beyond acceptance of the Zedoc Terms of Service.
3. Details of Processing
3.1 Subject matter: Provision of the Zedoc platform, a B2B SaaS product for the book publishing industry.
3.2 Duration: For the term of the service agreement between the parties, subject to the provisions of Section 12 (Term and Termination).
3.3 Nature and purpose of processing: Storage and processing of customer account data to provide and operate the Zedoc SaaS platform, including authentication, pipeline execution, usage tracking, and customer support.
3.4 Types of Personal Data processed:
- Name and email address
- Hashed passwords
- Organisation membership and role information
- Session tokens and authentication credentials
- IP addresses
- Usage logs and activity records
3.5 Categories of Data Subjects: The Customer's authorised users, including employees and contractors who have been granted access to the Zedoc platform by the Customer.
4. Obligations of the Processor
The Processor shall, with respect to Personal Data processed on behalf of the Controller:
4.1 Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on grounds of public interest. The Customer's use of the Zedoc platform in accordance with the Terms of Service constitutes the Customer's documented instructions to the Processor for the processing of Personal Data.
4.2 Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, as further described in Section 7 of this DPA.
4.4 Engage Sub-processors only with the prior specific or general written authorisation of the Controller, and only under a contract that imposes equivalent data protection obligations to those set out in this DPA.
4.5 Assist the Controller, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligations to respond to requests for exercising Data Subjects' rights laid down in Chapter III of the GDPR.
4.6 Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, including assistance with data protection impact assessments (DPIAs) where required.
4.7 At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies, unless applicable law requires storage of the Personal Data.
4.8 Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the provisions of Section 11.
5. Sub-processing
5.1 The Controller grants the Processor general authorisation to engage Sub-processors. The current list of approved Sub-processors is available on the subprocessors page.
5.2 The Processor shall provide the Controller with at least 30 days' prior written notice of any intended changes concerning the addition or replacement of Sub-processors. Such notice shall be provided by email to the account owner registered with the Processor.
5.3 The Controller may object to the appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying the Processor in writing within the 30-day notice period. If the parties cannot resolve the objection within a reasonable time, either party may terminate the service agreement upon written notice.
5.4 The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations, to the extent that the Sub-processor fails to fulfil its data protection obligations.
6. International Data Transfers
6.1 Personal Data is primarily stored and processed within the European Union and European Economic Area. The Processor's primary infrastructure is hosted on OVHCloud SAS, with data centres located in Gravelines, France (EU).
6.2 Where Personal Data is transferred to Sub-processors located outside the EEA (including OpenRouter, Inc., located in the United States), the Processor ensures that such transfers are carried out in accordance with Chapter V of the GDPR. The legal basis for such transfers is the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914.
6.3 The Processor has conducted or obtained transfer impact assessments for transfers to Sub-processors outside the EEA to assess the level of protection afforded to Personal Data in the recipient country and to confirm that the SCCs provide effective protection in the circumstances of the transfer.
7. Data Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Processor implements and maintains the following technical and organisational security measures:
7.1 Encryption: All Personal Data is encrypted in transit using TLS 1.2 or higher. Personal Data stored at rest is encrypted using industry-standard encryption algorithms.
7.2 Access control: Access to Personal Data is restricted to authorised personnel on a need-to-know basis. Role-based access control is implemented across the platform to enforce least-privilege principles.
7.3 Security assessments: The Processor conducts regular security assessments and reviews of its systems, processes, and infrastructure to identify and remediate vulnerabilities.
7.4 Secure development: The Processor follows secure software development practices, including code review, dependency management, and testing, to minimise the risk of introducing vulnerabilities into the platform.
7.5 Logging and monitoring: The Processor maintains audit logs and operates monitoring systems to detect, investigate, and respond to security incidents in a timely manner.
8. Data Breach Notification
8.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a personal data breach affecting Personal Data processed on behalf of the Controller.
8.2 Such notification shall, to the extent then known, include the following information:
- The nature of the personal data breach, including the categories and approximate number of Data Subjects and personal data records concerned
- The likely consequences of the personal data breach
- The measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
8.3 Where it is not possible to provide all information simultaneously, the Processor may provide the information in phases without undue further delay.
8.4 Notifications shall be sent to the email address registered by the Controller as the account owner, and to hi@zedoc.ai.
9. Data Subject Rights
9.1 The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including rights of access, rectification, erasure, data portability, restriction of processing, and objection to processing.
9.2 If the Processor receives a direct request from a Data Subject relating to the processing of Personal Data on behalf of the Controller, the Processor shall promptly notify the Controller of such request and shall not respond to the Data Subject directly unless instructed to do so by the Controller or required by applicable law.
10. Data Protection Impact Assessment
10.1 Where required by Article 35 of the GDPR, the Processor shall assist the Controller in carrying out data protection impact assessments (DPIAs) relating to processing activities carried out by the Processor on behalf of the Controller.
10.2 Where required, the Processor shall also assist the Controller in carrying out prior consultations with the relevant Supervisory Authority in accordance with Article 36 of the GDPR.
11. Audit Rights
11.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the GDPR.
11.2 The Controller may conduct audits, including inspections, of the Processor's data processing facilities and practices, subject to the following conditions:
- The Controller shall provide at least 30 days' prior written notice of any intended audit
- Audits shall be conducted during normal business hours and in a manner that minimises disruption to the Processor's operations
- The Controller and any appointed auditors shall comply with the Processor's reasonable security and confidentiality requirements
11.3 The Processor may, at its discretion, satisfy the Controller's audit rights by providing relevant third-party audit reports, certifications, or attestations (such as SOC 2 Type II reports or ISO 27001 certificates) as evidence of compliance, provided that such documentation covers the relevant processing activities.
12. Term and Termination
12.1 This DPA is effective for the duration of the service agreement between the Controller and the Processor and shall automatically terminate upon termination or expiry of that agreement, subject to the provisions of this Section 12.
12.2 Upon termination or expiry of the service agreement, the Processor shall, at the Controller's election, delete or return all Personal Data processed on behalf of the Controller within 30 days of the effective date of termination, unless applicable law requires the Processor to retain the Personal Data for a longer period.
12.3 The Processor shall, upon written request from the Controller, provide written confirmation that all Personal Data has been deleted or returned in accordance with this Section.
12.4 Obligations under this DPA that by their nature survive termination shall continue to apply after the termination or expiry of the service agreement, including obligations relating to confidentiality and the security of any Personal Data retained pursuant to applicable law.
13. Liability
13.1 Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement between the parties, to the extent permitted by applicable law.
13.2 Each party shall be liable for damages caused by processing that infringes the GDPR to the extent that it has not complied with its obligations under the GDPR specifically directed at Processors or Controllers, respectively.
13.3 The Processor shall be exempt from liability under clause 13.2 if it proves that it is not in any way responsible for the event giving rise to the damage.
14. Governing Law
14.1 This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the laws of Norway, without regard to its conflict of law provisions.
14.2 The parties submit to the exclusive jurisdiction of the Norwegian courts to settle any dispute or claim arising out of or in connection with this DPA.
15. Contact
For any questions or concerns regarding this DPA or the processing of Personal Data by Applied AI AS, please contact us at: