Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement ("Agreement") between Gimlet Labs, Inc. ("Company", "we", "us", or "our") and the Customer ("Customer") for the processing of personal data in connection with the services provided by Gimlet Labs, Inc. ("Services"). This DPA is subject to the terms and conditions of the Agreement.

1. Definitions

  1. "Personal Data" means any information relating to an identified or identifiable natural person.
  2. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, use, storage, or deletion.
  3. "Subprocessor" means any third party engaged by the Company that processes Personal Data on behalf of the Company.
  4. "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

2. Details of Data Processing

2.1 Subject Matter

The subject matter of the data processing under this DPA is the Personal Data provided by the Customer in connection with the use of the Services.

2.2 Duration

The duration of the data processing under this DPA is for the term of the Agreement.

2.3 Nature and Purpose

The nature and purpose of the data processing under this DPA is to provide the Services, which include building, deploying, and managing AI models on the edge.

2.4 Categories of Data Subjects

The categories of Data Subjects whose Personal Data is processed include:

  • Customers
  • End-users

2.5 Types of Personal Data

The types of Personal Data processed include:

  • Names
  • Billing information
  • Email addresses
  • IP addresses
  • Telemetry data
  • Sensor data from edge devices

3. Data Protection

3.1 Compliance

Both parties will comply with their respective obligations under applicable data protection laws. The Customer's instructions for the processing of Personal Data will comply with applicable data protection laws. The Customer will ensure that it has obtained all necessary consents and rights and has provided all necessary notices to Data Subjects for the lawful processing of Personal Data by the Company in accordance with the Agreement.

3.2 Company Obligations

The Company will:

  • Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in our Security Portal.
  • Assist the Customer, taking into account the nature of the processing, with responding to requests from Data Subjects exercising their rights.
  • Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Company.
  • At the choice of the Customer, delete or return all the Personal Data to the Customer after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data.
  • Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

3.3 Subprocessors

The Company may engage Subprocessors to process Personal Data on behalf of the Customer. The Company will inform the Customer of any intended changes concerning the addition or replacement of Subprocessors, giving the Customer the opportunity to object to such changes. The Company will enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA. The list of Subprocessors is available here.

3.4 International Data Transfers

Personal Data may be transferred to, and processed in, countries other than the country in which the Data Subject is located. The Customer consents to the transfer of Personal Data to the United States and other countries where the Company or its Subprocessors operate. The Company will ensure that such transfers are made in compliance with applicable data protection laws and appropriate safeguards.

3.5 Data Subject Rights

Taking into account the nature of the processing, the Company will assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under applicable data protection laws.

3.6 Security Measures

The Company has implemented appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. For more information, please refer to our Security Portal.

4. Liability

The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. The Customer agrees that any regulatory penalties incurred by the Company in relation to the Customer's Personal Data that arise as a result of, or in connection with, the Customer's failure to comply with its obligations under this DPA or applicable data protection laws will count towards and reduce the Company's liability under the Agreement as if it were liability to the Customer under the Agreement.

5. Miscellaneous

5.1 Governing Law

This DPA is governed by the laws of the State of California.

5.2 Amendments

This DPA may only be amended by a written agreement signed by both parties.

5.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect.

5.4 Entire Agreement

This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings, whether written or oral, with respect to such subject matter.


Gimlet Labs, Inc.
Address: 1550 Bryant St. Suite 740, San Francisco, CA 94103
Email: legal@gimletlabs.ai

Customer
[Customer Name]
[Customer Address]
[Customer Email]