Data Processing Agreement (DPA)
Template for Adict.ai customers (Art. 28 GDPR). This page provides standard terms. Execution can be done via order form, email, or a signed addendum.
1. Parties
Processor:
The respective contracting entity as defined in the Adict.ai Terms and Conditions:
- For customers located in the European Union (EU/EEA): digitLabs Battery Consulting GmbH, Germany
- For customers located in the United Arab Emirates (UAE): digitlabs Battery Consulting Middle East FZ-LLC, United Arab Emirates
Controller:
The Adict.ai customer.
2. Subject matter & duration
digitLabs processes personal data on behalf of the Customer for the provision of Adict.ai. The duration of processing is the term of the subscription, including any retention periods required by law or contract.
3. Nature & purpose of processing
- Hosting, storage, retrieval and organization of Customer data
- Authentication, authorization, user/account administration
- Billing workflows and related processing (e.g., invoices, usage-based billing records)
- Security logging, monitoring and incident handling
- Support requests initiated by the Customer
4. Categories of data & data subjects
- Data subjects: Customer’s users, leads, contacts, customers, suppliers and other individuals stored in the CRM
- Data: account identifiers, contact details, CRM entries, invoices/payment references, usage data, logs and metadata
5. Customer obligations
- Ensure a lawful basis for processing and provide required notices to data subjects
- Provide documented instructions to digitLabs
- Handle requests from data subjects and supervisory authorities
- Ensure appropriate access control and user management within its organization
6. Processor obligations
- Process personal data only on documented instructions from the Customer, unless required by applicable law
- Ensure persons authorized to process personal data are bound by confidentiality
- Implement appropriate technical and organizational measures (TOMs)
- Assist the Customer with data subject requests and compliance obligations (Art. 28(3)(e)-(f) GDPR), within reasonable limits
- Upon termination, delete or return personal data, unless retention is required by law
- Maintain records of processing activities to the extent required by law
7. Subprocessors
digitLabs may engage subprocessors to deliver the service. The current list is published at /subprocessors.
digitLabs will ensure that subprocessors are bound by contractual obligations substantially similar to this DPA. Customer is notified of material changes via the subprocessor page and/or release notes.
8. International transfers
Core services are intended to be operated within the European Union. Where a customer explicitly configures external providers (e.g., AI model providers), cross-border transfers may occur.
In such cases, the Processor will ensure appropriate safeguards, including the use of Standard Contractual Clauses where required.
9. Technical and Organizational Measures (TOMs) — summary
- Encryption in transit (TLS)
- Role-based access control (RBAC) and least-privilege administration
- Administrative access protection (e.g., MFA for privileged access where available)
- Operational logging and monitoring
- Regular backups and recovery procedures
- Secure development practices and controlled deployment processes
- Incident response procedures
Note: This is a high-level summary. Detailed TOMs (including retention windows, access logging scope, and backup cadence) can be provided on request.
10. Audit and information rights
Upon reasonable notice and subject to confidentiality obligations, the Customer may request information necessary to demonstrate compliance with this DPA. Where available, digitLabs may provide security documentation, summaries, and written attestations. On-site audits may be agreed on a case-by-case basis, taking into account security and operational constraints.
11. Personal data breach notification
digitLabs will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer data and will provide information reasonably necessary for the Customer to comply with applicable breach notification obligations.
12. Contact
DPA requests: