Service provider

Viittoen Oy (2796991-1), Silkkitie 5, 67300 Kokkola (”Supplier”)

The EGALA AI end-user (hereinafter "Customer") must read and accept these terms of use (hereinafter "Terms of Use") in their entirety. Customer refers hereafter, depending on the case, to either an individual, a community, or another operator. The Terms of Use constitute an agreement that the User and Viittoen Oy (hereinafter "Supplier"), which is responsible for providing the service, commit to follow in the customer relationship.

Viittoen Oy is registered in the trade register maintained by the Finnish Patent and Registration Office, Business ID: 2796991-1.

1. GENERAL REGARDING THE USE OF THE SERVICE

1.1. These Terms of Use apply to the use of Viittoen Oy's EGALA AI service (hereinafter "Service"). However, if a separate service agreement has been made between the Customer and the Supplier, or if the Customer has accepted a separate offer made by the Supplier containing terms that deviate from these Terms of Use, the terms of that service agreement or offer shall take precedence. These Terms of Use supplement such separately agreed terms.

1.2. The Supplier has developed a software-based service platform for remote transcription and the EGALA AI Service, which utilizes artificial intelligence in its operations. A more detailed Service Description can be found in Appendix 1.

1.3. Registering as a Customer is a technical stage in the formation of the agreement. If the Customer has entered incorrect information into the Service, the information will be corrected by the register holder upon separate notice within 30 days.

1.4. The Supplier does not inspect or edit data on Accounts without the User's separate authorization or a legal obligation.

1.5. The Customer must not act in a way that causes the Service to stop functioning, become overloaded, damaged, or impaired, or that causes obvious harm to the Service Provider. The Customer must also not adversely affect another User's use of the Service.

1.6. The Customer is personally responsible for the costs arising from the acquisition, functionality, and proper protection of the connections and equipment required to use the Service.

2. DEFINITIONS

2.1. ”Customer Data” means information or material transferred by the Customer to the software service, or otherwise handed over or made available to the Supplier for the software service on behalf of the customer, as well as other information or material defined by the Parties as Customer Data.

2.2. ”Service” means the EGALA AI service in accordance with the Service Description.

2.3. ”Supplier Material” means material handed over or made available to the Customer by the supplier for the use of the Service,as well as other information or material defined by the Parties as Supplier Material.

2.4. ”Identifier” means a device- or customer-specific identifier, such as an identifier installed on a device, a user ID, a password, or another method by which the Customer using the Service and the Customer's device from which the Service is used can be reliably identified.

3. RIGHT OF USE AND USER INFORMATION

3.1. A natural person or a legal entity registered in the trade register or register of associations may register as a Customer for the Service. A natural person refers to an individual. A legal entity can be a community, company, association, public legal operator, or other legal entity. When these Terms of Use speak of communities, all legal entities are generally equated with communities.

3.2. Upon registration, the Customer must provide the required registration information by which the Customer can be identified and individualized, and select a password-protected user-specific ID for using the Service.

3.3. Personal data entered by the Customer during registration must be the Customer's own, and address information must be correct and up-to-date. The Customer must have the right to represent the community they register for the Service. The Customer is obligated to update the information as it changes and/or to notify of changes in the information.

3.4. Handing over a personal user ID to another individual for the purpose of using the Service is prohibited.

3.5. The right to use the Service continues as long as the Customer pays the Payments related to the Service, unless the Supplier has a reason according to this Agreement to prevent the Customer from using the Service. The right of use ceases immediately if the Customer does not make the Payments.

4. OBLIGATIONS OF THE SUPPLIER

4.1. The Supplier is responsible for ensuring that the Service and the Service Platform comply with this Agreement and the Service Description (Appendix 1).

4.2. The Supplier is responsible for ensuring that the tasks under its responsibility are performed in accordance with the Agreement, carefully, and with the professional skill required by the tasks.

4.3. The Supplier is responsible for ensuring that the use of artificial intelligence takes into account applicable legislation, such as the EU Artificial Intelligence Act (AI Act) and data protection regulation (GDPR). The Supplier is responsible for ensuring that the role of AI is known to the Customer and that the use of AI does not replace human interpretation in situations where error-free performance or legislation requires it.

4.4. The Supplier is responsible for ensuring that sufficient instructions for using the Service and the Service Platform, as well as up-to-date operating environment requirements, are available to the Customer. The Supplier provides the Customer with other support related to the implementation of the Service and the Service Platform if separately agreed upon, excluding necessary measures that must be taken so the Customer can begin using the Service and which are specified in the Offer.

4.5. The implementation of the Service and the Service Platform includes tasks related to the training of the Customer's personnel only to the extent that they have been agreed upon in writing.

4.6. The Supplier uses the Microsoft Azure cloud service to produce the Service. Microsoft acts as a personal data processor on behalf of the Supplier and does not have the right to use the Customer's material for its own purposes. The Supplier is responsible for the Service's content, functionality, artificial intelligence guidance, informing the Customer about AI use, and ensuring that data protection and security obligations are met. Microsoft Azure is responsible for platform-level availability, data security, backups, and the fulfillment of its own Service Level Agreements (SLA). The Supplier is responsible for the work of the subcontractor as if it were its own but is not responsible for Microsoft Azure delivery interruptions or deviations from the Microsoft Azure SLA. The Microsoft Azure SLA is available at: https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1.

5. CUSTOMER OBLIGATIONS

5.1. The Customer is responsible for ensuring that the tasks under the Customer's responsibility are performed in accordance with this Agreement and carefully.

5.2. The Customer is responsible for the acquisition and operational status of the equipment, telecommunication connections, and possible other software required to use the Service Platform. The Customer is responsible for ensuring that the Customer's equipment, telecommunication connections, software, and information systems are brought into compliance with the operating environment requirements provided by the Supplier. The Customer is also responsible for telecommunication and other similar costs related to the use of the Service Platform.

5.3. The Customer must provide the Supplier with sufficient and correct information for the delivery of the Service Platform and the Service and otherwise contribute reasonably to the delivery of the Service and the Service Platform. The Customer is responsible for the information and instructions given to the Supplier, as well as for updating them during the use of the Service Platform.

5.4. The Customer is responsible for the careful storage of the Identifiers required for the use of the Service Platform and the Service and shall not hand over Identifiers to third parties, unless it is a subcontractor of the Customer or another third party acting on behalf of the Customer of which the Supplier is aware. The Customer is responsible on behalf of the Customer for the activities of the personnel using the Service Platform and ensures that there is at least one Identifier for each of the Customer's employees using the Service Platform. This also applies if the Identifiers are device-specific, unless otherwise separately agreed. The Customer is responsible for the use of the Service and the Service Platform that occurs with the Identifiers.

5.5. The Customer commits to immediately notifying the Supplier if an Identifier is lost, if misuse of an Identifier is suspected, or if an Identifier has come to the knowledge of an unauthorized third party who should not have access to it. The Customer's responsibility for the use of the software service with the Identifiers ends once the Supplier has received the Customer's notification or the Supplier has otherwise observed misuse.

5.6. At the Supplier's request, the Customer is obligated to change the Identifier required for using the Service and the Service Platform, or to follow other instructions from the Supplier to change the Identifier, if necessary, for example, due to a serious information security threat directed at the Service Platform.

5.7. The Service utilizes artificial intelligence solutions, due to which the Customer acknowledges that AI-based subtitling/transcription may contain inaccuracies and should not be used in situations where error-free performance or legislation requires the use of a human interpreter (for example, official matters, court proceedings, or certain healthcare situations). The Customer is responsible for ensuring they do not input data into the Service for which they do not have processing rights, and that they comply with valid data protection legislation in the processing of personal data.

5.8. The Customer must use the Service and the Service Platform in accordance with this Agreement. Unless otherwise agreed in writing, the Customer and third parties acting on behalf of the Customer have the right to use the Service, the Service Platform, and the Supplier's material during the validity of this Agreement in the Customer's business operations. However, the Customer and third parties acting on behalf of the Customer have the right to use material containing the Customer's data obtained through the Service and the Service Platform, as well as material created for the Customer, in the Customer's business operations even after the termination of the Agreement.

6. ARTIFICIAL INTELLIGENCE COMPLIANCE

6.1. The Supplier implements the Service in accordance with the EU Artificial Intelligence Act (AI Act) and classifies the AI system into the appropriate risk category. The Supplier ensures that the service meets the requirements of the regulation, including risk management, data security, transparency, and user protection.

6.2. The Customer acknowledges and accepts that the service is based on artificial intelligence and that the content produced by the AI may contain errors. The Supplier ensures that the Customer is provided with sufficient information regarding the AI's operation, its limitations, and its purpose of use. The service does not replace human interpretation in situations where error-free performance, legal obligations, or a specific customer situation require it.

6.3. The Supplier implements regular risk management measures in the use of AI, including error monitoring, prevention of misuse, and evaluation of system performance. The Supplier shall notify the Customer of significant risks, changes to the AI model, or its operating principles that may affect the use of the service.

7. CONTENT OF THE SERVICE

7.1. The Supplier makes the Service and the Service Platform available to the Customer "as is" in accordance with the Service Description (Appendix 1). The Supplier strives to keep the Service available 24/7, but cannot guarantee that the Service will be free of service interruptions.

7.2. The Customer is responsible for ensuring that the Service and Service Platform under this Agreement are suitable for the Customer's intended use.

7.3. While using the Service, the Customer can initiate an AI interpretation event on the Service Platform. Interpretation occurs in real-time within the limits of the Service Platform's availability. The Supplier does not guarantee the complete correctness of the interpretation result nor the suitability of the Service for the Customer's individual purpose of use. Section 7.3 and practical procedures are further specified in the Service Description.

7.4. The Supplier is not liable for interruptions or disturbances caused by the Microsoft Azure service more extensively than what Microsoft itself commits to providing in its own service level agreements.

7.5. The Supplier has the right, without consulting the Customer, to block the Customer's access to the Service Platform if the Supplier has justified reason to suspect that the Customer is using the Service or Service Platform in a way that endangers the provision of the Service or Service Platform to other users or is otherwise in violation of the Service Agreement. The Supplier must notify the Customer of the reasons for blocking access without undue delay.

8. CHANGES TO THE SERVICE AND FROM THE SERVICE

8.1. The Supplier has the right to make a change to the Service or the Service Platform that: a) is directed at the production environment of the Service Platform and does not affect the content of the Service or the Service Level in accordance with section 7, b) is necessary to prevent a serious information security threat directed at the Service Platform, or c) results from law or an official regulation. If a change in accordance with this section has an impact on the Service available to the Customer such that it could hinder the Customer's operations and the use of the Service, the Supplier shall notify the customer of the change well in advance, or if this is not reasonably possible, without delay after the Supplier has received information about the need for the change.

9. SERVICE DELIVERY AND IMPLEMENTATION

9.1. The Supplier begins providing the Service to the Customer on the agreed implementation date or within the agreed timeframe. Delivery of the Service is considered to have started when the Supplier notifies the Customer that the Service is available to them and the Customer has access to the Service Platform. Unless otherwise agreed in writing, the Supplier's right to bill for the Service begins when the Service and the Service Platform are available to the Customer.

9.2. If the implementation of the Service is delayed due to a factor caused by the Customer, the delivery time shall be extended until the factor preventing the start of delivery has been corrected or removed, but the Supplier retains the right to bill for the Service.

9.3. The Supplier provides technical support and consultation regarding technical problems related to the use of the Service and the Service Platform. Details regarding the availability of support are provided in more depth in the Service Description. The Supplier has the right to charge fees in accordance with its price list in effect at any given time.

10. INTELLECTUAL PROPERTY RIGHTS AND RIGHTS REGARDING MATERIALS

10.1. Intellectual property rights in this Agreement refer to trademarks, product names, copyrights, designs, patents, domain names, trade secrets, know-how, expertise, and rights related to the software and its source code, interfaces, and user interface, whether registered or unregistered.

10.2. This Agreement does not transfer any pre-existing intellectual property rights between the Parties.

10.3. For the sake of clarity, it is stated that all intellectual property rights related to the Service, the Service Platform, and the Supplier's material, as well as modifications made to them, belong to the Supplier and its partners or licensors. The Customer has a right of use to the Supplier's intellectual property rights and material to the extent necessary and essential for using the Service and the Service Platform. Also, all intellectual property rights created during the use of the Service that concern the Service or the Service Platform belong to the Supplier.

10.4. The modification, editing, recompilation, reproduction, and imitation of the software, source code, user interface, and other parts of the software concerning the Service and the Service Platform is prohibited. Clarifying the Service's functions and operating principles (so-called reverse engineering) in any extent other than what is essential for the use of the Service and the Service Platform is prohibited.

10.5. Ownership and intellectual property rights to the Customer's material belong to the Customer or its partners.

10.6. The Supplier has the right to use the Customer's material only to the extent essentially required for providing or maintaining the Service or the Service Platform. The Supplier may not utilize the Customer's material in its own business operations, offer it for use in the business of other customers, partners, or third parties, or otherwise utilize it in a manner contrary to the Trade Secrets Act. The Supplier shall not unnecessarily inspect the Customer's material, such as reports.

10.7. The Supplier has the right to use the Customer's material for the continuous training and development of AI models, provided that the material is first anonymized or otherwise processed so that the Customer or its end users are not identifiable from it. The Supplier does not use material identifiable to the Customer for training models without the Customer's separate written consent. Material is processed in accordance with valid data protection regulations, and the Supplier ensures that material is not utilized in a manner identifiable to the Customer in external services.

10.8. During and at the end of this Agreement, the Customer may save for themselves any possible copies of the Customer's material from the Service. Recordings created with the help of AI (e.g., interpretation transcripts and translations) are available to the Customer for 30 days from their creation, provided the Customer saves the recordings. Otherwise, recordings created with the help of AI are deleted automatically.

11. PAYMENTS AND PAYMENT TERMS

11.1. The prices and fees for the Service are detailed in the Supplier's price list, which shall be applied unless otherwise agreed in the Offer or Order. Fees are charged monthly, unless the fee is a one-time payment. Payment methods, payment options, and payment terms are available for review within the Service.

12. CONFIDENTIALITY

12.1. This Agreement is confidential.

12.2. Confidential Information refers to any financial, technical, business, or Party-related expertise, know-how, resources, markets, products, services, or capability information that is not generally available, regardless of the form or manner in which the information is presented. Information is specifically not considered confidential if it is: a) generally known at the time of disclosure; b) available from public sources; c) becomes generally known or available from public sources after the time of disclosure through no act or omission of the recipient; d) in the recipient's possession prior to disclosure without being obtained directly or indirectly from the disclosing party; e) received by the recipient from a third party after disclosure who obtained the information other than directly or indirectly from the disclosing party; or f) self-evident to an expert familiar with the specific field in question. Information that has become public or is publicly available is not confidential.

12.3. Legislation concerning trade secrets in force in Finland shall apply to the Confidential Information and its use in accordance with Section 12.2. A Party is obligated to keep Confidential Information received from the other Party secret and to refrain from using it for any purpose other than what the delivery or use of the Service under this Agreement essentially requires.

12.4. Any kind of disclosure, transfer, or expression of Confidential Information to a third party without the permission of the Party that disclosed the information is prohibited.

13. LIMITATION OF LIABILITY

13.1. A Party shall not be liable to the other Party for any indirect damage, with the exception of damages concerning a breach of confidentiality obligations or infringements of intellectual property rights or breaches of contract terms concerning them.

13.2. The liability of the Parties for all damages is limited to an amount corresponding to a maximum of 12 months of fees under this Agreement.

14. PROCESSING OF PERSONAL DATA

14.1. If the Customer is a legal entity, the Parties agree on the terms regarding the Processing of personal data in a separate Personal Data Processing Agreement, which is an appendix to this Agreement (Appendix 2). If there is a conflict between this Agreement and the Personal Data Processing Agreement, the Personal Data Processing Agreement shall apply.

15. VALIDITY OF TERMS OF USE AND CHANGES TO SERVICE AND PRICING

15.1. The Terms of Use bind the Supplier and the Customer from the moment the Supplier grants the Customer the right to use the EGALA AI service.

15.2. The Supplier has the right to cancel or deny the right to use the Service and the customer relationship for a Customer who has not complied with these Terms of Use during the customer relationship.

15.3. The Terms of Use cease to bind the Customer and the Supplier at the end of the Customer's right-of-use period, with the exception of those obligations that have arisen before said time.

15.4. The Supplier and the Customer are released from obligations under the Terms of Use for such time and to such extent as the failure to fulfill contractual obligations is due to force majeure (an overwhelming obstacle). Such an event is, for example, war, general interruption of traffic, energy distribution interruption or disturbance, widespread labor dispute, fire, exceptional natural phenomenon, or other similar and unusual cause independent of the User or the Service Provider.

15.5. If any point of these Terms of Use is now or at a later stage contrary to the law or for another reason invalid, it does not affect the validity and applicability of other points regarding the use of the Service.

16. OTHER TERMS

16.1. These Terms of Use are governed by the laws of Finland. All disputes, disagreements, and claims regarding them shall primarily be sought to be resolved through mutual negotiations between the parties. If the parties are unable to find a solution through mutual negotiations, disputes shall be settled in the District Court of Ostrobothnia if a legal entity is involved. If a consumer is involved, the district court of their place of residence is the competent jurisdiction.

16.2. The Supplier has the right to unilaterally change, add, or remove parts of these terms at any time by publishing the changes on its website or in the Service. If the Customer continues to use the Service after the changes have been published, they commit to these changes. Such modified terms will automatically come into effect at the latest (i) when the Customer continues to use the Service or (ii) 30 days after the publication of the modified terms on the website or in the Service. Regardless of this, all disputes arising between the Customer and the Supplier shall be resolved according to the terms in force at the time the dispute began.

16.3. The Supplier has the right to transfer the rights and obligations defined for it in these Terms of Use to a third party without the Customer's separate consent, such that another entity besides Viittoen Oy becomes the new Supplier. Such a situation may occur, for example, in a situation where the Service or part of it is transferred via sale to another professional operator.

17. APPENDICES AND ORDER OF PRECEDENCE

The following documents are appendices to this Agreement, and if there is a conflict between the Agreement and its appendices, this Agreement shall be applied primarily, followed by the appendices and any possible tender and order documents in the order of the list below, except for what has been agreed in section 12 regarding the Personal Data Processing Agreement:

1. Service Description
2. Agreement on the processing of personal data

APPENDIX 1: SERVICE DESCRIPTION

1. CONTENT OF THE SERVICE

The EGALA AI service platform is a software-based solution developed by Viittoen Oy for an automatic, AI-based speech-to-text service. The service converts speech into text in real-time without the help of human interpreters.

The service is particularly suitable for situations where speech needs to be converted into a readable format, such as conversations at home, at work, in service situations, in group discussions, or, for example, during car and public transport trips.

The service includes the following functions:

1. Automatic subtitling: AI-based speech recognition that produces real-time subtitling.
2. Text support: the user can follow the conversation or speech in text form. The AI model adapts to different speech and usage environments, and the subtitling improves as the AI understands the context.
3. Saving text: After the conversation, you can save the text generated by the AI (max. 30 days) or delete the text immediately after the conversation.

When using the service, the Customer starts a translation event on the Service Platform. The service operates 24/7 as a starting point, but its availability may be affected by technical limitations, disturbances, or service outages. The Supplier shall notify the Customer of any possible planned maintenance breaks.

Due to the limitations of the service, the Supplier cannot guarantee the perfect accuracy of the interpretation in all situations. The quality of recognition is affected by, among other things, environmental sounds, the clarity of speech, and the equipment used.

The Service Platform is available primarily 24 hours a day on all days of the week. The Supplier shall notify the Customer if there are planned maintenance breaks on the Service Platform due to maintenance or other reasons. Primarily, maintenance breaks are sought to be scheduled outside of normal office hours (weekdays from 8 AM to 6 PM).

2. EGALA AI SERVICE PLATFORM TECHNICAL REQUIREMENTS AND DATA SECURITY

1. In Egala services, you need a phone, tablet, or computer with a microphone and internet connection.
2. Egala services work best on the latest versions of Chrome or Firefox.
3. The text from Egala services can be read in real-time from the screen of a phone, tablet, or computer.
4. The Egala® software runs on a Linux server that is kept up to date. The server service provider is secure and has, among others, the following data security certificates: ISO/IEC 27001:2013 and EU-U.S. and Swiss-U.S. Privacy Shield certificates.
5. A secure service provider is used for audio data transfer, which has, among others, the following certificates: ISO 27001/27017/27018, PCI DSS for Voice, Privacy Shield, and Cloud Security Alliance certificates.
6. The connection to the server is always HTTPS protected with an SSL certificate. Known security vulnerabilities in the protected connection have been closed.

3. REQUIREMENTS CONCERNING ARTIFICIAL INTELLIGENCE

Egala AI is based on AI technology developed by Viittoen Oy and operates using the Microsoft Azure cloud service. The following requirements and principles apply to the service:

1. The AI has an absolute obligation to process data only to the extent required for the implementation of the service.
2. The AI may not utilize Customer material for other purposes without the Customer's consent.
3. The AI and its background systems (including Microsoft Azure) may not utilize Customer material for other purposes without the Customer's express consent.
4. The service is based on continuous machine learning; despite this, Customer material can be used for model development only in anonymized form or as separately agreed.
5. Service users must be aware that errors may occur in the text produced by the AI, and that responsibility for the correct interpretation of the message remains with the Customer.

4. CONTACTS, NOTIFICATIONS, AND TECHNICAL SUPPORT

Technical support, notifications of faults and problems, and other contacts by email to the address: info@egala.fi

APPENDIX 2: PERSONAL DATA PROCESSING AGREEMENT

AGREEMENT ON THE PROCESSING OF PERSONAL DATA

Parties

[Company name and address] ("Customer" or "Controller"); Viittoen Oy, Silkkite 5, 67300 Kokkola ("Company" or "Processor"), and both hereafter together "Parties" or either separately "Party".

Background and Purpose

This agreement on the processing of personal data is an appendix to the general terms and conditions and applies only when the Customer is a legal entity. If the Customer is a private individual, this appendix does not apply. The operator commits to this agreement on the processing of personal data by accepting the general terms and conditions of the EGALA AI service.

The Company provides the Customer with a software-based service platform where speech is converted to text using AI technology, in accordance with the valid service agreement made between the Parties until further notice.

The Customer is the Controller of the Personal Data that the Company Processes on behalf of the Customer while providing the service platform to the Customer.

The Company is a Processor of Personal Data in relation to the Customer and Processes such Personal Data that the Customer has instructed the Company to Process and which is necessary for the delivery of the software-based service platform for the Customer's intended use.

The purpose of this agreement is to implement the requirements of Article 28 of the EU General Data Protection Regulation 2016/679 ("General Data Protection Regulation" or "GDPR") and the requirements resulting therefrom.

1. Definitions

Personal Data: Information concerning an individual or their family that is sufficient to identify said person; "Processing" is interpreted in accordance with GDPR Article 4.

Customer's Personal Data: Personal data for which the Customer is responsible as the Controller.

Processor: An entity defined in data protection legislation that processes Personal Data on behalf of the Controller; "Processing" is interpreted in accordance with GDPR Article 4.

Controller: An entity defined in data protection legislation that processes Personal Data on behalf of the Controller; "Processing" is interpreted in accordance with GDPR Article 4.

Data Subject: A person whose Personal Data has been stored in a personal data register; "Processing" is interpreted in accordance with GDPR Article 4.

Unless a specific definition is provided above for a term related to the Processing of Personal Data in this Agreement, the definitions set forth in the GDPR shall apply.

2. Purpose of Processing Personal Data and Personal Data to be Processed

Purpose of Processing Personal Data. The purpose of processing personal data is to ensure the delivery and maintenance of the services and service platform described in the Background, to keep them available, and to investigate and resolve potential problem and error situations.

Personal Data to be Processed. The Customer's Personal Data to be processed includes:

1. The name and potential contact details (such as phone number and email address) of the Controller's customer.
2. The name, username, and contact details (such as phone number and email address) of the Controller's employee.
3. Text transcripts of conversations held between the Controller's employee and the Controller's customer.
4. Audio and video messages from the Controller's customer, as well as subtitles generated from speech.

Restrictions regarding processing. If personal data is used for the development of AI models, the Provider commits to processing the data only in an anonymized form, unless the Customer has given separate written consent for other use.

3. General Obligations of the Processor

The Processor complies with the requirements of current data protection and personal data processing legislation, following good data processing practices and regulations regarding the protection of personal data. The Processor is responsible for ensuring that the service and service platform provided—in accordance with the Background and Purpose of this Agreement—comply with the data protection and personal data processing laws and official guidelines in force at any given time.

The Processor implements the necessary technical and organizational measures to ensure that the Customer's Personal Data it processes is appropriately protected in accordance with the Processor's practices. The Processor maintains processes and documentation that comply with current legislation and official guidelines for the implementation of data protection. These measures are based on a risk assessment conducted by the Processor and the Controller, and they ensure the confidentiality, integrity, availability, and fault tolerance of the Personal Data.

The Processor processes Personal Data only in accordance with the Customer's specific instructions and to the extent necessary for the delivery of the service and service platform. The Processor does not use or otherwise exploit the Customer's Personal Data that it processes.

The Processor shall name a data protection contact person for the processing of the Customer's Personal Data.

The Processor may make available to the Customer all information necessary to demonstrate compliance with the obligations laid down for the Controller and the Processor and to assess the implementation of data protection. Upon request, the Processor participates in the preparation and maintenance of descriptions and other documents under the Controller's responsibility in an agreed manner, against reasonable compensation according to the current price list. The Processor assists the Customer in fulfilling official requirements and data requests directed at the Controller.

The Data Subject has the right to inspect Personal Data concerning themselves. The Customer shall notify the Processor without undue delay of all requests from Data Subjects regarding the exercise of the Data Subject's rights and shall not respond to Data Subject requests without instructions provided by the Customer. The Processor assists the Customer so that the Customer can fulfill its obligation to respond to these requests. Requests may require the Processor to assist, for example, in informing and communicating with the Data Subject, implementing the Data Subject's right of access, correcting or deleting personal data, implementing restrictions on processing, or transferring the Data Subject's own personal data from one system to another. If a data request is made directly to the Processor, the Processor shall not take action to fulfill the data request before it has informed the Customer of the request and the Customer has given instructions on handling the data request. Primarily, the Customer handles the data request themselves. Regarding deletion requests, the Customer and the Processor shall consult separately on whether the data can be deleted. Unless otherwise agreed, the Processor has the right to charge the Customer reasonable compensation according to its price list if the assistance causes additional costs to the Processor.

Unless otherwise agreed regarding the delivery, destruction, and return of Personal Data to the Customer, the Processor is obligated to delete the Customer's Personal Data at the latest upon termination of the customer relationship, and the Customer may save a copy of the Personal Data.

4. Obligations of the Controller

The Customer, as the Controller, is responsible for ensuring that it has the right to Process Personal Data and to disclose it to the Processor for Processing for the purposes and to the extent agreed upon in this Agreement.

The Customer, as the Controller, is responsible for ensuring that, regarding the Processing of Personal Data, a data protection impact assessment has been conducted if required, and that the possible prior consultation with the data protection authority has been carried out, if the data protection regulation or other legislation so requires.

The Customer, as the Controller, is responsible for informing Data Subjects about the Processing of Personal Data, its purpose, and legal grounds, as well as matters related to the storage of Personal Data, transfers, and the rights of Data Subjects in the manner required by the data protection regulation.

5. Processor's Personnel

The Processor observes confidentiality regarding the Customer's Personal Data to be processed.

The Processor ensures that every person acting under its authority who has access to the Personal Data of Data Subjects or the Customer processes them only in accordance with this Agreement, the Customer's specific instructions, and applicable legislation, and is subject to a written confidentiality obligation.

6. Subcontractors Processing Personal Data

The Processor uses the Microsoft Azure cloud service for the delivery of the Service, which acts as a subcontractor processor of personal data.

The Processor maintains a list of the subcontractors it uses and shall inform the Customer of any significant changes.

The Processor is responsible for the work of subcontractors as for its own and shall enter into a personal data processing agreement with the subcontractor in accordance with the Data Protection Regulation, which is at most equal in scope to the scope of this Agreement.

7. Place of Service

Unless otherwise agreed, the Processor has the right to process the Customer's Personal Data only within the EU and EEA area.

Personal data of Data Subjects or the Customer shall not be transferred outside the EU/EEA area unless separately permitted in applicable legislation without separate notification.

8. Security Requirements and Security Breaches

The Processor is responsible for implementing the service platform described in the Background at a sufficiently high level, considering its nature and quality, and in a manner that is consistently up-to-date and compliant with this Agreement and applicable legislation.

The Processor shall notify the Customer in writing of any personal data security breach that comes to its attention without undue delay and immediately upon receiving information about it, with the accuracy required by current legislation and relevant official guidelines, and shall assist the Customer in investigating the matter.

The Processor shall investigate and document the causes of the detected security breach, inform the Customer of the verified causes of the security breach, and implement such technical and organizational measures that can reasonably be considered to prevent a similar breach in the future.

9. Audit Rights

The Processor provides the Customer with all information necessary to demonstrate that the processing of Personal Data carried out by the Processor complies with the regulations concerning such processing. The Processor allows audits conducted by the Customer or its authorized representatives. The Customer must notify the Processor of the intended audit at least fourteen (14) business days in advance.

All audits must be carried out as efficiently as possible, both in terms of time and costs, and must not cause unreasonable disruption to the Processor’s daily business operations or the Processor’s obligation to maintain confidentiality toward its other customers and third parties.

The Processor has the right to charge the Customer for the time spent on the audit and for the costs incurred. The Processor may also provide the Customer with an audit report issued by an external party (potentially for a separate fee).

10. Compensation for Damages

The provisions set forth in the EU General Data Protection Regulation regarding compensation for damages shall apply.

11. Entry into Force

This agreement on the processing of personal data enters into force when the Customer accepts the general terms of use for the EGALA AI service. This agreement does not require a separate signature.