Personal data processing terms
1. INTRODUCTORY PROVISIONS
1.1 The Client and the Provider have entered into an Order (“Agreement”), under which the Provider undertakes to provide the services specified in the Agreement, as agreed between the Client and the Provider. The Agreement also includes terms and conditions governing specific rights and obligations between the Client and the Provider (“Terms”). The Provider delivers services related to the personalized AI chatbot Kanbu (“Kanbu”), whose main functionalities include AI-based information retrieval from source data (i.e., files), providing responses in chatbot form, and other features specified in the Agreement.
1.2 Scope of Services. Based on the Agreement, services of implementation, customization, personalization, testing, and optimization of Kanbu will be provided, including subsequent technical support agreed under service level agreements forming an annex to the Terms (“SLA”) (all services under the Agreement and SLA hereinafter referred to as the “Services”). The specific scope of the Services results from the concluded Agreement and SLA, or from additional partial orders or instructions from the Client.
1.3 Relationship to Legal Regulations. As the provision of the Services may involve the processing of personal data by the Provider on behalf of the Client, the Provider acts as a data processor vis-à-vis the Client. These personal data processing terms form an integral part of the Agreement pursuant to Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), and pursuant to Act No. 110/2019 Coll., on the Processing of Personal Data.
1.4 Authorization to Process. The Client hereby authorizes the Provider to process personal data of data subjects provided by the Client in connection with the provision of the Services. The Provider shall process personal data only on the basis of documented written instructions of the Client and to the extent necessary for proper performance of the Provider’s obligations under the Agreement.
1.5 Scope. The processing of personal data within the provision of the Services shall be carried out to the extent determined by the Client, based on the Client’s instructions and obligations arising from the Agreement, Terms, and SLA.
1.6 Client Responsibility. The Client is responsible for fulfilling all obligations related to personal data processing, in particular for properly informing data subjects, obtaining consent where required, and handling requests related to the exercise of their rights (such as the right to information, access, rectification, erasure, restriction of processing, objection, etc.). The Provider shall assist the Client in fulfilling these obligations within the scope of these data processing terms (“Processing Terms”).
1.7 These Processing Terms form an integral part of the Agreement and govern the rules for personal data processing by the Provider pursuant to Article 28 GDPR.
2. SUBJECT MATTER OF PROCESSING, CATEGORIES OF DATA SUBJECTS AND TYPES OF PERSONAL DATA
2.1 Subject Matter and Types of Personal Data. The subject matter of processing includes in particular:
a) user data within the Kanbu interface,
b) identification data,
c) contact data,
d) communication records related to the provision of the Services,
e) information related to the provision of Kanbu, including chatbot communication records, logs, and other technical data,
f) information obtained in the course of providing technical support and operating Kanbu and other Services under the SLA (reported incidents and their content),
g) personal data of the Client’s data subjects or the Client’s customers stored in any interface provided within the Services and processed under the Agreement or SLA.
2.2 Categories of Data Subjects:
a) employees and other personnel of the Client,
b) persons performing activities under cooperation agreements for the Client,
c) other users of Kanbu,
d) persons authorized by the Client to communicate with the Provider,
e) customers of the Client and website visitors,
f) other persons whose personal data are provided to the Provider in connection with the Services.
3. NATURE AND PURPOSE OF PROCESSING
3.1 Nature of Processing. The Provider will process personal data electronically and in an automated manner, including storage, backup, access for analytical and implementation purposes, customization of Kanbu, handling Client requests under the SLA, and linking personal data for the purpose of training Kanbu for the Client’s use.
3.2 Automated Decision-Making. The Client declares that Kanbu will not be used for automated decision-making, including profiling. If this changes, the Client undertakes to inform data subjects and independently ensure compliance with GDPR requirements.
3.3 Purpose of Processing. The purpose of processing is the performance of the Agreement and SLA, i.e., the provision of the Services and technical support.
4. DURATION OF PROCESSING
4.1 Processing Duration. Personal data will be processed for the duration of the Agreement or as long as necessary for the provision of the Services. The Provider’s obligations regarding data protection shall apply throughout the term of the Agreement and, where required, after its termination.
5. OTHER OBLIGATIONS OF THE PROVIDER
5.1 The Provider shall:
a) process personal data solely based on documented instructions of the Client;
b) process personal data, including with regard to transfers to third countries or international organisations, only on the Client’s documented instructions, unless required to do so by EU or Member State law;
c) ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
d) assist the Client in responding to data subject rights requests;
e) assist the Client in ensuring compliance with its obligations regarding security of processing, personal data breach notification, data protection impact assessments (DPIAs), and prior consultations with the supervisory authority;
f) delete or return personal data after termination of the Agreement, unless retention is required by law;
g) make available to the Client all information necessary to demonstrate compliance with these Processing Terms, and allow for and contribute to audits under agreed conditions.
5.2 Audits. Audit requests must be sent to info@kanbu.ai. Terms of audits shall be agreed in advance.
5.3 Objections to Auditors. The Provider may object to an auditor who is not sufficiently qualified, independent, or appropriate.
5.4 Data Subject and Third-Party Requests. The Provider shall inform the Client without undue delay, and no later than 5 days after receipt, of any request from a data subject or other third party concerning personal data processed under the Agreement.
5.5 Sub-processors. The Client grants general authorization to engage sub-processors, subject to prior notice and objection rights.
5.6 Sub-processor Obligations. Sub-processors must be contractually bound to equivalent data protection obligations.
6. SECURITY OF PERSONAL DATA AND FINAL PROVISIONS
6.1 The Provider implements appropriate technical and organizational measures to prevent unauthorized access, alteration, destruction, or misuse of personal data.
6.2 Security Measures include:
a) pseudonymization and encryption,
b) ensuring confidentiality, integrity, availability, and resilience of systems,
c) backup procedures aligned with the 3-2-1 rule (at least three copies of the data, on two different storage media, with one copy kept off-site),
d) regular testing and evaluation of security measures.
6.3 Security Incidents. The Provider shall notify the Client of any personal data breach without undue delay after becoming aware of it, and no later than 48 hours, so that the Client can meet its own notification deadline under Article 33 GDPR.
6.4 Costs. The Provider may charge reasonable costs related to handling requests under these Processing Terms.
6.5 Liability. If the Provider is sanctioned due to unlawful instructions from the Client, the Client shall indemnify the Provider.
6.6 Limitation of Liability. The Provider’s liability shall be limited to an amount equal to the subscription fee paid for the Services in the month preceding the event giving rise to the claim.
6.7 Form. Written form includes electronic communication and email.