Data Processing Agreement
If you are a business and you process personal data of EU/UK/Swiss data subjects using OBJEKT, this DPA forms part of your contract with us. It is GDPR Article 28-compliant and includes the EU Standard Contractual Clauses by reference.
1. Parties and order of precedence.
This Data Processing Agreement (“DPA”) is entered into between MAS Digital Labs FZ-LLC (“OBJEKT”, acting as processor) and the OBJEKT customer named on the account (“Customer”, acting as controller). It applies whenever OBJEKT processes personal data on behalf of Customer under the OBJEKT Terms of Service (the “Agreement”).
If there is a conflict between this DPA and the Agreement, this DPA governs the processing of personal data. The Standard Contractual Clauses (SCCs), where they apply, prevail over both.
2. Subject matter and duration.
- Subject matter. Processing of personal data necessary to provide the OBJEKT service to Customer under the Agreement.
- Duration. For the term of the Agreement, plus any limited post-termination period required to delete or return personal data.
- Nature of processing. Hosting, storage, transmission, organisation, retrieval, generation, and deletion of personal data as required to deliver the OBJEKT service.
- Purpose. Solely to provide and support the OBJEKT service in accordance with the Customer’s documented instructions.
- Categories of data subjects. Customer’s authorised users; any natural persons whose personal data is contained in Customer-supplied Inputs or Customer-instructed Outputs.
- Categories of personal data. Account identifiers, contact details, IP addresses, content uploaded by Customer, content generated for Customer, usage metadata.
- Sensitive data. Customer agrees not to upload special-category data (Article 9 GDPR) or other sensitive data to OBJEKT unless we have agreed in writing.
3. OBJEKT obligations.
OBJEKT will:
- Process personal data only on Customer’s documented instructions, including those embodied in the Agreement, this DPA, and the configuration choices Customer makes in-product;
- Ensure that personnel authorised to process personal data are bound by confidentiality obligations;
- Implement appropriate technical and organisational measures (see Privacy Policy §9) and update them as risks evolve;
- Assist Customer in fulfilling its obligations to respond to data subject requests (Chapter III GDPR), including by providing self-service tooling and, where the tooling does not suffice, by responding to a reasonable volume of manual requests at no extra charge;
- Assist Customer with data protection impact assessments and prior consultations with supervisory authorities, where required;
- Notify Customer without undue delay (and in any event within 48 hours of becoming aware) of any personal data breach affecting Customer’s data, and provide all information Customer reasonably needs to meet its own notification obligations;
- On termination of the Agreement, at Customer’s choice, delete or return all personal data, save where retention is required by law.
4. Sub-processors.
- Customer grants general authorisation for OBJEKT to engage the sub-processors listed at /sub-processors.
- OBJEKT will give 30 days’ written notice of any new sub-processor that will process Customer’s personal data (see sub-processor notice procedure).
- Customer may object on reasonable data-protection grounds. If the parties cannot agree on a solution, Customer may terminate the affected service at no cost and OBJEKT will refund any unused pre-paid fees.
- OBJEKT remains liable for the acts and omissions of its sub-processors with respect to the obligations in this DPA.
5. International transfers.
Where the processing involves a transfer of personal data of EEA, UK, or Swiss data subjects to a country that has not been deemed adequate by the European Commission (including the United Arab Emirates and the United States as of the effective date), the following apply:
- The parties incorporate by reference the EU Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914, Module 2 (controller-to-processor) or Module 3 (processor-to-processor), as appropriate to the transfer;
- For UK personal data, the parties incorporate the UK International Data Transfer Addendum (issued by the UK ICO);
- For Swiss personal data, the SCCs apply with references to the Swiss FADP read in place of GDPR references where appropriate;
- OBJEKT will, at Customer’s reasonable request, provide a redacted copy of any onward-transfer SCC entered into with a sub-processor.
6. Audits.
- OBJEKT will make available all information reasonably necessary to demonstrate compliance with this DPA, including current third-party audit reports (SOC 2 / ISO 27001) of our key sub-processors as they become available.
- Customer may audit OBJEKT’s compliance once per twelve-month period on at least 30 days’ written notice, during business hours, in a manner that does not unreasonably disrupt the service. Audits must be conducted by Customer or an independent qualified auditor bound to confidentiality.
- Where a regulator requires a different scope or cadence of audit, OBJEKT will cooperate to satisfy that requirement.
7. Liability.
The limitation of liability provisions in the Agreement apply to this DPA. They do not limit liability of a party to a data subject where such limitation is prohibited by applicable law.
8. Signing this DPA.
By accepting the OBJEKT Terms of Service on a paid business plan, Customer is deemed to have entered into this DPA as the data controller. If your procurement or compliance team requires a counter-signed copy on company letterhead, email legal@objekt-ai.com with the entity name, registered address, and signatory details. We will return a counter-signed PDF within 5 business days.