Data Processing Agreement

How Toqan processes personal data on your behalf as a data processor.

Beta Trial Toqan Data Processing Agreement (DPA)

Recitals

  • Controller (Customer) and Processor (Supplier) have entered into the Beta Trial Toqan Terms of Service (“the Agreement”).
  • To the extent that the provision of the Services involves the processing of personal data of end users and/or employees, contractors and affiliates of Customer, the parties enter into this DPA, which is incorporated into the Agreement. Therefore, the acceptance of the Agreement by the Customer is also an acceptance of this DPA by the Customer.

1. Definitions

Terms such as “process/processing”, “data subject”, “(data) processor”, “(data) controller”, “personal data/personal(ly identifiable) information”, “(personal) data breach”, “data protection impact assessment”, etc., shall be interpreted in accordance with such meaning or the meaning of equivalent terms in Data Protection Laws.

“Data Protection Laws” means in relation to any Personal Data which is processed in the performance of the Agreement, all applicable laws and regulations relating to the processing of data relating to natural persons, including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, “GDPR”).

“Effective Date” means the date on which the Customer accepts the Agreement.

“EEA” means the European Economic Area.

“Personal Data” means the personal data as defined under the Agreement, and included under Annex I of this DPA (Details of Processing of Personal Data).

“Services” means the services described in the Agreement.

“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to recipients established in third countries, as approved by the European Commission in Implementing Decision 2021/914, or any set of clauses approved by the European Commission which amends, replaces or supersedes these.

“Subprocessor” means any data processor (including any third party and any Processor Affiliate) appointed by Processor to process Personal Data on behalf of the Controller; a list of Sub-processors can be furnished to the Controller on request.

“Supervisory Authority” means any regulatory authority responsible for the enforcement of Data Protection Laws.

2. Processing of the Personal Data

The Parties agree that this DPA and the Agreement constitute the Controller’s documented instructions regarding the Processor’s processing of personal data under this Agreement, unless processing is required by EU or Member State law to which the Processor is subject, in which case the Processor shall, to the extent permitted by such law, inform the Controller of that legal requirement before processing that Personal Data. The details of the processing operations are specified in Annex I of this DPA (Details of Processing of Personal Data).

3. Processor Personnel

Processor shall grant access to the Personal Data to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the Agreement. The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and have undertaken appropriate training.

4. Security

Processor shall implement and maintain appropriate technical and organisational measures to ensure at all times a level of security of the Personal Data appropriate to the risk and shall take all necessary measures required pursuant to Article 32 GDPR and equivalent security requirements resulting from Data Protection Laws, if applicable to the processing. The technical and organisational measures implemented by the Processor are specified in Annex 2 (Technical and Organisational Measures) to this DPA.

5. Subprocessing

As of the Effective Date, the Controller hereby provides a general authorization to Processor to engage the Subprocessors listed in the Sub-processors list to process Personal Data in connection with the Services. The Sub-processors list will be made available to the Controller on request. Processor will notify Controller of any changes to this list via notification within the Services or other reasonable means. The Controller may object to the use of such additional Sub-processor within 30 days of receiving notice of change by contacting the Processor via authorized channels.

With respect to each Subprocessor, Processor shall:

  • On receiving a request from the Controller, provide the Controller with details of the processing to be undertaken by each Subprocessor;
  • enter into a contract which imposes on the Subprocessor, in substance, the same data protection obligations as the ones imposed on the Processor in accordance with this Agreement.

6. Data Subject Rights and Law Enforcement Requests

Processor shall promptly, and in any case within five (5) working days, notify the Controller if it receives a request from a data subject whose Personal Data is processed by Processor on behalf of the Controller and shall provide full details of that request. The Processor shall not respond to the request itself, unless specifically authorised to do so by the Controller.

Taking into account the nature of the processing, Processor shall cooperate as requested by the Controller to enable the Controller to comply with any exercise of rights by a data subject whose Personal Data is processed by Processor under any Data Protection Laws in respect of Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or this DPA.

The Processor agrees to promptly notify the Controller, to the extent such notification is permissible under applicable laws, if it receives a legally binding request from a public authority, including judicial authorities for the disclosure of Personal Data or if it becomes aware of any direct access by public authorities to such Personal Data.

7. Incident Management

In the event of a personal data breach, the Processor shall cooperate with and assist the Controller to comply with the Controller’s obligations under the applicable Data Protection Laws, taking into account the nature of processing and the information available to the Processor. Processor shall promptly notify the Controller upon becoming aware of a personal data breach in relation to the Personal Data, providing the Controller with sufficient information which allows the Controller to meet any obligations to report a personal data breach under the Data Protection Laws.

8. Data Protection Impact Assessment and Prior Consultation

Processor shall, where appropriate, provide reasonable assistance to the Controller with any data protection impact assessments, supervisory authority consultations or similar assessments, only to the extent where such assistance is required under Data Protection Laws.

9. Audit and Inspection

Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Data Protection Laws, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

The Controller shall give the Processor reasonable prior written notice of any audit or inspection (which shall be no less than thirty (30) days, except where an audit is required by a Supervisory Authority or following a personal data breach, in which case the Controller shall provide as much notice as is reasonably practicable). Audits shall be conducted during normal business hours, with due regard to the Processor’s operations, and shall be limited in scope to the processing of Personal Data under this DPA. The Controller shall ensure that its auditors are bound by appropriate confidentiality obligations. Unless otherwise required by Data Protection Laws or a Supervisory Authority, the Controller shall be entitled to conduct no more than one (1) audit per twelve (12) month period. The costs of any audit shall be borne by the Controller, unless the audit reveals a material breach by the Processor of its obligations under this DPA or Data Protection Laws, in which case the reasonable costs of the audit shall be borne by the Processor.

10. Deletion of Personal Data

Upon termination or expiry of the Agreement, the Processor shall delete all Personal Data processed on behalf of the Controller as part of the Services, unless the Controller, by written notice to the Processor, requests the return of such Personal Data in a commonly used, machine-readable format, in which case the Processor shall promptly return the Personal Data and thereafter delete all remaining copies. This Section 10 is without prejudice to the Processor’s right to process non-personal data related to the use of the Services.

11. International Data Transfers

Any transfer of Personal Data to a non-EEA country (i) by the Processor or (ii) by the Controller to the Processor under the Agreement shall be done only if required for purposes of performance of the Agreement or in order to fulfil a specific requirement under EU or Member State law to which the Processor is subject, and shall take place in compliance with all applicable requirements for international data transfers under Data Protection Laws (in particular Chapter V of GDPR), as well as the remainder of this Clause 11. If required, the parties will enter into the appropriate Standard Contractual Clauses (SCCs) or an equivalent international data transfer mechanism, to be incorporated by reference.

In the event the Processor engages a Subprocessor in accordance with Clause 5 for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of Personal Data to a non-EEA country, then the Processor and such Subprocessor shall enter into the appropriate Standard Contractual Clauses, or equivalent data transfer mechanism in accordance with Data Protection Laws.

12. Miscellaneous

Subject to section 11.2, the parties agree that this DPA shall terminate automatically upon termination of the Agreement.

Any obligation imposed on Processor under this DPA in relation to the processing of Personal Data shall survive any termination or expiration of this DPA, to the extent any such obligations remain applicable under Data Protection Laws.

In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of the DPA shall prevail insofar as the inconsistency relates to data protection obligations or Personal Data.

The governing law and dispute settlement procedure set out in the Agreement apply mutatis mutandis to this DPA.

Annex 1: Details of Processing of Personal Data

This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of the processing of Personal Data

Personal data is processed for the purposes of making the Services available, maintaining or improving it. Personal data will be retained only for as long as necessary to provide the Services under the Agreement, unless a longer retention period is mandated by law, regulation, contract or is necessary for operational purposes.

The nature and purpose of the processing of Personal Data

Personal data is processed for the following purposes:

  • To enable access to the Services for Customer. However, any Customer personal data processed for the sole purposes of managing Supplier’s relationship with the Customer and completing any applicable due diligence processes is processed by Supplier in its capacity as a data controller.
  • Allow users to connect third-party applications or services of their choosing and processing of any related content data
  • To improve the Services in the following ways:
    • Maintain context-awareness of the Services, e.g., the ability to respond to user queries/prompts in the same thread/channel/instance
    • Personalization of product features and components (e.g., through user feedback to Toqan responses, response style and format, organization of user’s workspace, custom Skills deployed by users)
  • Create and maintain agents, which are used to perform specific tasks chosen by the user. In relation to agents, personal data may be processed for the following additional purposes:
    • Connecting agents with third-party data sources as decided by the user, via MCP or API integration, including the processing of related authentication data
    • Adding custom instructions via skills or specific files via direct upload for additional context as decided by the user
    • Creating and maintaining custom applications built by users, which a user can choose to share with others in their organization
    • Please note, personal data will not be used to train any third-party AI models and will not be used in the context of any personalized advertising.

The categories of data subject to whom the Personal Data relates

Personal Data belonging to the employees, contractors or other authorized users of the Controller, as well as customer data of the Controller.

The types of Personal Data to be processed

  • Username, email address, affiliation (employing company)
  • Contents of engagements (prompts) with the Services, including via interaction of the Services with any files, pictures, videos, documents, third-party data sources as decided by the user
  • Usage and performance metrics, including frequency, duration and nature of use of the Services
  • Other types of feedback and details of support queries
  • Authentication data for any applications Customer wishes to integrate with Toqan, for access control purposes
  • Personal data contained within any third-party data sources that a user chooses to integrate with the Services when creating or improving their agents

The following sensitive Data will be processed:

  • The Services are not intended to be used for the processing of sensitive personal data, especially personal data concerning health

Annex 2: Technical and Organisational Measures

General measures:

The Processor must:

  • ensure that the Personal Data can be accessed only by authorized parties for the purposes set forth in Annex 1 (Details of Processing of Personal Data) to this Agreement;
  • protect the Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access or disclosure;
  • identify vulnerabilities with regard to the processing of Personal Data in systems used to provide Services to the Controller;
  • ensure that all such persons or parties involved in the processing of Personal Data are subject to user authentication and log on processes when accessing the Personal Data.

Specific measures:

Summary of the Technical and Organisational Measures:

  • Identity and access management
  • Anonymization and pseudonymization of data
  • Log management
  • Anti-malware and breach detection tools
  • Data Backup
  • Disaster recovery plans
  • Encryption
  • Firewalls
  • SSO, including multi-factor authentication and strong password requirements
  • Regular Software Updates
  • Vulnerability Detection
  • Device Management Tools
  • Secure software development
  • Security awareness
  • Risk assessment