Data Protection Agreement

1. Subject matter and roles

This Data Protection Agreement ("DPA") forms part of the Terms and applies where Renaiss processes personal data on behalf of the Customer in connection with the Services. For such data, the Customer acts as controller and Renaiss acts as processor, each as defined in the GDPR.

2. Processing instructions

Renaiss processes personal data only on the documented instructions of the Customer, including with regard to international transfers, unless required to do otherwise by EU or member-state law. The subject matter, duration, nature and purpose of processing, and the categories of data subjects and personal data, are described in the order form and product documentation.

3. Confidentiality

Renaiss ensures that personnel authorised to process personal data are bound by appropriate confidentiality obligations and have received data protection training.

4. Security measures

Renaiss implements appropriate technical and organisational measures, including:

• Encryption of personal data in transit and at rest.
• Role-based access control, SSO and the principle of least privilege.
• Deployment within the Customer's environment where required, keeping data resident in the chosen region.
• Regular testing, monitoring and evaluation of the effectiveness of these measures.

5. Sub-processors

The Customer authorises Renaiss to engage sub-processors to support the Services. Renaiss imposes data protection obligations on each sub-processor that are no less protective than this DPA, and remains liable for their performance. We maintain a current list of sub-processors and give notice of intended changes so the Customer can object on reasonable grounds.

6. Data subject rights

Taking into account the nature of the processing, Renaiss assists the Customer with appropriate technical and organisational measures to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability and objection.

7. International transfers

Where personal data is transferred outside the European Economic Area, Renaiss ensures an appropriate safeguard is in place, such as an adequacy decision or the European Commission's Standard Contractual Clauses, together with supplementary measures where required.

8. Personal data breaches

Renaiss notifies the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and provides the information reasonably required for the Customer to meet its own notification obligations.

9. Audits

Renaiss makes available the information necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality and security conditions.

10. Return and deletion

On termination of the Services, Renaiss deletes or returns all personal data to the Customer, and deletes existing copies, unless retention is required by law.

11. Contact

Our Data Protection Officer can be reached at dpo@renaiss.ai.