Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Aurora Coach ("Processor," "we," "us," or "our") and the customer organization ("Controller," "Customer," "you," or "your") that has agreed to the Terms of Service.

This DPA applies where and only to the extent that Aurora Coach processes Personal Data on behalf of the Customer in the course of providing the Service, and such Personal Data is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, or other applicable data protection laws.

This DPA is designed to ensure compliance with Article 28 of the GDPR, which requires a written contract between Controllers and Processors governing the processing of Personal Data.

2. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined herein have the meanings given to them in the GDPR or the Agreement.

• "Controller" means the Customer organization that determines the purposes and means of processing Personal Data and has entered into the Agreement with Aurora Coach.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, including Customer's employees and authorized users.
• "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Service.
• "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
• "Processor" means Aurora Coach, which processes Personal Data on behalf of the Controller.
• "Service" means the Aurora Coach AI-powered team coaching platform as described in the Agreement.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection law, such as the Swedish Authority for Privacy Protection (IMY).

3. Roles and Responsibilities

3.1 Controller Responsibilities

The Customer is the Controller of Personal Data processed through the Service. As Controller, Customer is responsible for:

• Determining the purposes and means of processing Personal Data
• Ensuring a lawful basis exists for processing Personal Data (e.g., legitimate interest, consent, or contract performance)
• Obtaining any required consent from Data Subjects, including employees, before their data is processed through the Service
• Providing appropriate notice to Data Subjects about the processing of their Personal Data
• Ensuring that instructions given to the Processor comply with applicable data protection laws
• Responding to Data Subject requests regarding their Personal Data
• Conducting data protection impact assessments where required
• Notifying Supervisory Authorities and Data Subjects of Personal Data Breaches where required

3.2 Processor Responsibilities

Aurora Coach is the Processor of Personal Data processed through the Service. As Processor, Aurora Coach:

• Processes Personal Data only on documented instructions from the Controller, unless required by law
• Ensures that persons authorized to process Personal Data are bound by confidentiality obligations
• Implements appropriate technical and organizational security measures
• Engages Sub-processors only with prior authorization and under written contracts
• Assists the Controller in responding to Data Subject requests
• Assists the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
• Deletes or returns Personal Data at the end of the service relationship
• Makes available information necessary to demonstrate compliance with this DPA

4. Processing Details

4.1 Subject Matter and Duration

The Processor will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by law.

4.2 Nature and Purpose of Processing

Personal Data will be processed for the following purposes:

• Providing the AI-powered team coaching Service
• Generating coaching recommendations and insights
• Creating team-level analytics and reports (aggregated, not individually identifying)
• Providing confidential individual coaching interactions
• Customer support and service improvement
• Compliance with legal obligations

4.3 Types of Personal Data

The following categories of Personal Data may be processed:

• Identity and contact information
• Professional and employment information
• Account credentials and authentication data
• Service usage and interaction data
• Technical and device information

4.4 Categories of Data Subjects

Personal Data relates to the following categories of Data Subjects:

• Customer's employees who are authorized users of the Service
• Customer's administrators and account managers
• Other individuals whose data Customer chooses to input into the Service

4.5 Special Categories of Data

The Service is not designed to process special categories of Personal Data (e.g., health data, biometric data, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, or sexual orientation). Customer agrees not to submit special category data to the Service unless expressly agreed in writing.

5. Processor Obligations

5.1 Processing Instructions

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by EU or Member State law
• Immediately inform the Controller if, in the Processor's opinion, an instruction infringes applicable data protection law
• Process Personal Data only to the extent necessary to provide the Service

5.2 Confidentiality

The Processor shall ensure that all personnel authorized to process Personal Data:

• Are bound by confidentiality obligations (contractual or statutory)
• Process Personal Data only as necessary to perform their duties
• Receive appropriate training on data protection requirements

5.3 Records of Processing

The Processor maintains records of processing activities as required under Article 30(2) of the GDPR, including:

• Name and contact details of the Processor and Controllers
• Categories of processing carried out on behalf of each Controller
• Transfers to third countries and documentation of safeguards
• General description of technical and organizational security measures

6. Sub-processors

6.1 Authorization

The Controller provides general authorization for the Processor to engage Sub-processors to process Personal Data, subject to the requirements of this Section 6.

6.2 Current Sub-processors

A list of current Sub-processors is available at /subprocessors. By entering into the Agreement, the Controller approves the Sub-processors listed as of the Agreement effective date.

6.3 Sub-processor Requirements

The Processor shall:

• Enter into written agreements with Sub-processors imposing data protection obligations no less protective than those in this DPA
• Remain fully liable to the Controller for the performance of Sub-processor obligations
• Conduct appropriate due diligence on Sub-processors' security and privacy practices

6.4 Changes to Sub-processors

The Processor shall notify the Controller at least 30 days in advance before adding or replacing a Sub-processor. The Controller may object to the change by notifying the Processor in writing within 14 days of receiving notice. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected Service by providing written notice.

6.5 Third-Party AI Providers

The Processor uses third-party AI providers as Sub-processors to generate coaching recommendations. These providers:

• Process Personal Data solely for real-time service delivery
• Are contractually prohibited from using Personal Data to train or improve their AI models
• Do not retain Personal Data after processing is complete
• Are bound by data processing agreements meeting GDPR requirements

7. International Data Transfers

7.1 Transfer Mechanisms

Where Personal Data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland, the Processor ensures that appropriate safeguards are in place, including:

• Transfers to countries with an adequacy decision from the European Commission
• Standard Contractual Clauses (SCCs) adopted by the European Commission
• The UK International Data Transfer Agreement or Addendum, where applicable
• Other legally recognized transfer mechanisms

7.2 Standard Contractual Clauses

Where transfers rely on Standard Contractual Clauses:

• The SCCs are incorporated by reference into this DPA
• For transfers from the EEA: Commission Implementing Decision (EU) 2021/914 applies
• For transfers from the UK: The UK International Data Transfer Addendum applies
• Module Two (Controller to Processor) applies to transfers of Controller Personal Data to the Processor

7.3 Data Localization

Personal Data is primarily stored and processed within the European Union. Where processing occurs outside the EU (e.g., for AI processing by US-based Sub-processors), appropriate transfer safeguards apply as described above.

8. Data Subject Rights

8.1 Assistance with Requests

Taking into account the nature of the processing, the Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law, including:

• Right of access (Article 15 GDPR)
• Right to rectification (Article 16 GDPR)
• Right to erasure (Article 17 GDPR)
• Right to restriction of processing (Article 18 GDPR)
• Right to data portability (Article 20 GDPR)
• Right to object (Article 21 GDPR)
• Rights related to automated decision-making (Article 22 GDPR)

8.2 Request Handling

If the Processor receives a request directly from a Data Subject:

• The Processor shall promptly notify the Controller (unless prohibited by law)
• The Processor shall not respond directly to the Data Subject without Controller authorization, except to acknowledge receipt and direct the Data Subject to the Controller
• The Controller remains responsible for responding to Data Subject requests

8.3 Technical Capabilities

The Processor provides technical capabilities to assist the Controller in fulfilling Data Subject requests, including data export functionality for users and administrative data deletion capabilities for Controllers.

9. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, pursuant to Article 32 of the GDPR.

Details of current security measures are available upon request.

10. Data Breach Notification

10.1 Notification Timing

In the event of a Personal Data Breach affecting Controller's data, the Processor shall notify the Controller within 24 hours of becoming aware of the breach.

10.2 Notification Content

The breach notification shall include, to the extent known:

• Description of the nature of the Personal Data Breach, including categories and approximate number of Data Subjects and records affected
• Name and contact details of the Processor's data protection contact
• Description of likely consequences of the breach
• Description of measures taken or proposed to address the breach and mitigate its effects

10.3 Ongoing Cooperation

The Processor shall:

• Provide additional information as it becomes available
• Cooperate with the Controller's investigation of the breach
• Assist the Controller in meeting its breach notification obligations to Supervisory Authorities and Data Subjects
• Take reasonable steps to mitigate the effects of the breach and prevent recurrence

10.4 Controller Obligations

The Controller remains responsible for:

• Determining whether notification to Supervisory Authorities is required (within 72 hours under GDPR Article 33)
• Determining whether notification to Data Subjects is required (under GDPR Article 34)
• Making such notifications where required

11. Audits and Compliance

11.1 Information and Documentation

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and Article 28 of the GDPR.

11.2 Audit Rights

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to:

• Reasonable advance notice (at least 30 days, except in case of regulatory requirement or following a breach)
• Audits during normal business hours
• The auditor entering into appropriate confidentiality agreements
• The audit scope being limited to matters relevant to this DPA
• The Controller bearing its own audit costs
• The Processor may charge reasonable fees for personnel time required to support audits beyond one audit per twelve-month period or exceeding eight hours of personnel time per audit

11.3 Third-Party Certifications

The Processor may satisfy audit requirements by providing:

• Sub-processor audit reports and certifications (e.g., SOC 2 Type II, ISO 27001)
• Completed security questionnaires
• Other evidence of compliance with security and privacy obligations

11.4 Supervisory Authority Cooperation

The Processor shall cooperate with Supervisory Authorities in the performance of their tasks, including responding to inquiries and providing access to premises and processing operations where required by law.

12. Term and Termination

12.1 Duration

This DPA remains in effect for the duration of the Agreement and continues until all Personal Data has been deleted or returned as provided herein.

12.2 Data Return and Deletion

Upon termination of the Agreement or upon Controller request:

• The Processor shall return or delete all Personal Data, at the Controller's choice
• Data export shall be provided in a standard, machine-readable format
• Deletion shall be completed within 30 days of termination, unless longer retention is required by law
• The Processor shall certify deletion upon Controller request

12.3 Retention Exceptions

The Processor may retain Personal Data to the extent required by applicable law, provided that:

• The Processor maintains confidentiality of such data
• The Processor processes such data only as necessary to comply with legal obligations
• The Processor deletes such data when no longer legally required

13. Liability

13.1 Liability Allocation

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Agreement.

13.2 GDPR Liability

Nothing in this DPA limits either party's liability to Data Subjects or Supervisory Authorities under applicable data protection law, including the right of Data Subjects to receive compensation under Article 82 of the GDPR.

13.3 Indemnification

Each party shall indemnify the other for damages arising from its breach of this DPA or its obligations under applicable data protection law, subject to the limitations in the Agreement.

14. Contact

14.1 Processor Contact

For questions about this DPA or data protection matters:

• Privacy inquiries: [email protected]
• Legal inquiries: [email protected]

14.2 Supervisory Authority

Aurora Coach's lead Supervisory Authority is:

Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY)
Box 8114
104 20 Stockholm, Sweden
www.imy.se