Data Processing Agreement of Askel.ai

Last updated: December 2024

 

This Data Processing Agreement (“DPA”) is executed and entered into upon entry into the Order referencing the DPA by Askel.ai OÜ (Estonian registry code: 16902242; address: Almare tee 5, Vääna-Jõesuu, 76909 Harku parish, Estonia; “Askel.ai”) and Customer identified in the Order. The DPA is an integral part of the Agreement between Askel.ai and Customer and governs the processing of personal data by Askel.ai on behalf of the Customer.

  1. Definitions
    1. Capitalised terms used but not defined in the DPA will have the meaning set out in the Terms or in the Order.
    2. Except as otherwise provided herein, the terms “personal data”, “data subject”, “processing”, “controller” and “processor” will have the meanings set out in Article 4 of the GDPR.
    3. “Applicable Data Protection Law” means the GDPR and other European Union and Member State laws and regulations applicable to the Parties which regulate the processing of personal data of natural persons.
    4. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  2. Subject-matter
    1. The DPA applies to the processing of personal data as specified in Annex I to the DPA. Annex I specifies the details of the processing operations, in particular the categories of personal data processed and the purposes of processing by Askel.ai on behalf of the Customer. Annex I forms an integral part of the DPA.
    2. The DPA governs the processing of personal data in situations where (i) Customer is the controller and Askel.ai is the processor or (ii) Customer is the processor and Askel.ai is the sub-processor. For the avoidance of doubt, Askel.ai may process certain personal data as an independent data controller. The DPA does not govern the processing of personal data by Askel.ai as an independent controller.
  3. Obligations of Customer
    1. Customer must ensure compliance with the requirements of Applicable Data Protection Law in relation to the personal data disclosed to Askel.ai, including (but not limited to) the provision of lawful documented instructions to Askel.ai, the application of a valid legal basis for such disclosures and the provision of all required notices to the data subjects as required under Applicable Data Protection Law.
  4. General obligations of Askel.ai
    1. Instructions of the Customer
      1. Askel.ai shall process personal data only on documented instructions from the Customer, unless required to do so by European Union or Member State law to which Askel.ai is subject. In this case, Askel.ai will inform the Customer of that legal requirement before processing, unless the law prohibits such informing on important grounds of public interest. 
      2. The Customer’s instructions on the processing are contained in the DPA, including its Annex I. Any subsequent instructions given by Customer throughout the processing require prior agreement between the Parties.
      3. Askel.ai will immediately inform the Customer if, in Askel.ai’s opinion, the Customer’s instructions infringe the Applicable Data Protection Law.
    2. Security and confidentiality of processing
      1. Askel.ai shall keep personal data confidential and shall not disclose personal data for any purpose other than permitted under the Agreement. Askel.ai ensures that only persons who directly require access to personal data in order to fulfil Askel.ai’s obligation under the Agreement have access to personal data. Askel.ai ensures that all persons authorised to process personal data have concluded a respective confidentiality agreement or are under an appropriate statutory obligation of confidentiality.
      2. During the validity of the DPA, Askel.ai shall implement and maintain appropriate technical and organisational security measures to ensure the level of security appropriate to the risk arising from the processing of personal data under this DPA. At minimum, Askel.ai shall apply technical and organisational security measures specified in Annex I of the DPA.
    3. Askel.ai’s assistance to the Customer
      1. Insofar as this is possible and taking into account the nature of the processing, Askel.ai shall assist the Customer in fulfilling the Customer’s obligations to respond to data subjects’ requests to exercise their rights.
      2. Taking into account the nature of processing and information available to Askel.ai, Askel.ai assists the Customer in ensuring compliance with the obligations related to security of processing, reporting requirements for data breaches, data protection impact assessments and prior consultations referred to in Articles 32 to 36 of the GDPR.
    4. Requests by data subjects or supervisory authorities
      1. If data subjects, competent authorities or any other third parties request information from Askel.ai regarding the processing of personal data within the scope of the DPA, Askel.ai shall refer such request to the Customer, unless Applicable Data Protection Laws stipulate otherwise. All such requests shall be referred by Askel.ai to the Customer by using the contact details specified in the Order. Where necessary, Askel.ai shall assist the Customer in responding to requests from data subjects, competent authorities or any other third parties regarding the processing of personal data within the scope of the DPA.
      2. Unless expressly otherwise agreed between the Parties, Askel.ai may not in any way act on behalf of or as a representative of the Customer when handling requests made by data subjects or supervisory authorities.
  5. Sub-processors
    1. The Customer authorises Askel.ai to engage sub-processors for the processing of personal data. Askel.ai shall ensure that sub-processors are bound by at least equivalent data protection obligations as set out in this DPA and that sub-processors provide sufficient guarantees to implement appropriate technical and organisational measures in a manner that the processing by the sub-processors will meet the requirements of Applicable Data Protection Law. In case the sub-processor fails to fulfil its data protection obligations, Askel.ai will remain fully liable to the Customer for the performance of the sub-processor’s obligations.
    2. The current list of sub-processors used by Askel.ai is available in Annex I of the DPA. By entering into the Agreement, the Customer agrees to the engagement of sub-processors listed at the time of entry into the Agreement. Askel.ai informs the Customer of intended additions or replacements of sub-processors at least 1 week in advance, thereby giving the Customer the opportunity to object to such changes. Any objection of the Customer must be notified to Askel.ai within 1 week of receiving Askel.ai’s notice of the intended addition or replacement of sub-processors. Any objection of the Customer must be reasonably justifiable and based on Applicable Data Protection Law. If the Customer does not object to the intended addition or replacement of sub-processors within 1 week, the Customer shall be deemed to have accepted the intended addition or replacement of sub-processors. In case of a reasonably justifiable and timely objection from the Customer, the Parties shall act in good faith to solve the objection. If the Parties cannot reach a solution and mutual agreement regarding the objection and if the new sub-processor is essential for Askel.ai in order to provide its Services, Askel.ai may terminate the Agreement by giving a 1-week advance notice to the Customer.
  6. International transfers
    1. Any transfer of personal data to a third country or an international organisation by Askel.ai shall be done only on the basis of documented instructions from the Customer or in order to fulfil a specific requirement under European Union or Member State law to which Askel.ai is subject, and shall take place in compliance with Chapter V of the GDPR.
  7. Data breaches
    1. In case a data breach occurs when Askel.ai is processing personal data on behalf of the Customer, Askel.ai will, taking into account the nature of processing and the information available to Askel.ai, assist the Customer in ensuring compliance with the Customer’s obligations under Articles 33 and 34 of the GDPR. Further, Askel.ai will notify Customer without undue delay after becoming aware of a data breach affecting personal data processed by Askel.ai on behalf of the Customer. All such notifications shall be referred by Askel.ai to the Customer by using the contact details specified in the Order.
  8. Audits and inspections
    1. At the request of the Customer, Askel.ai shall make available to the Customer all information and shall allow the Customer or an auditor mandated by the Customer to carry out audits or inspections necessary to verify Askel.ai’s compliance with the obligations laid down in the DPA and Applicable Data Protection Laws. It is expressly agreed that this obligation does not include the obligation of Askel.ai to disclose any trade secrets or confidential information of Askel.ai or its sub-processors and other third parties to the extent that this information is not required for the Customer to verify Askel.ai’s compliance with the obligations laid down in the DPA and Applicable Data Protection Laws. If Customer wishes to carry out an audit or inspection with respect to the processing of personal data by Askel.ai, the Customer shall notify Askel.ai of the time and scope of the audit or inspection at least 3 weeks in advance. Any such audits or inspections shall not take place more than once per calendar year, unless the Customer has reasonable indications of non-compliance on behalf of Askel.ai.
    2. Information disclosed to the Customer or an auditor mandated by the Customer during an audit or inspection shall be confidential unless Askel.ai has made this information publicly available or it can be lawfully retrieved from public sources. Information obtained in the course of an audit or inspection may not be used by the Customer or an auditor mandated by the Customer for any purpose other than performing the audit or inspection or taking measures allowed under the Agreement.
    3. Any audits or inspections shall be carried out during the standard business hours of Askel.ai and in a manner that affects the regular business activities of Askel.ai to the minimal extent possible. The costs of the audit shall be borne by the Customer, and Customer shall pay Askel.ai and its sub-processors reasonable administrative costs and expenses for engaging and complying with any on-site audit, unless such audit shows that Askel.ai is in material breach of its obligations under the DPA and Applicable Data Protection Laws.
  9. Liability
    1. To the extent allowed under Applicable Data Protection Laws, Askel.ai’s liability for any loss, damage or sanction incurred by the Customer as a result of a breach of Askel.ai’s obligations under the DPA or Data Protection Laws shall be limited in accordance with the Terms.
    2. Subject to clause 9.1, if a Party is subject to a damage claim from a data subject or penalties applied by a supervisory authority or courts for the activities of the other Party, the other Party will remedy for such damages.
    3. Subject to clause 9.1, where the Parties are involved in the same processing that results in them being responsible for any damage caused to data subjects by the processing, and where one of the Parties has paid the full compensation for damage suffered, the paying Party shall be entitled to claim back from the other Party involved in the processing the part of compensation corresponding to that other Party’s part of responsibility for the damage.
  10. Term and termination
    1. The DPA becomes effective upon executing the Service Order and remains valid for the duration of the Agreement. The termination of the DPA is subject to the provisions regulating the termination of the Agreement.
    2. Within a reasonable period of time from the termination of the Agreement, at the choice of the Customer, Askel.ai deletes or returns to Customer all personal data that Askel.ai processes as a processor, and deletes all existing copies, unless Applicable Data Protection Laws require otherwise.
  11. Miscellaneous
    1. Matters not regulated in the DPA are governed by the Terms or other documents forming part of the Agreement.

Annex I

Details of processing

  • SUBJECT MATTER OF PROCESSING

Provision of the Services by Askel.ai to the Customer under the Agreement.

  • DURATION OF THE PROCESSING BY ASKEL.AI

During the validity of the Agreement.

  • NATURE AND PURPOSE OF PROCESSING BY ASKEL.AI

The personal data may be processed for the provision of the Services in accordance with the Agreement. The processing entails, without limitation, the collection, organisation, structuring, consultation, combination, storing and/or the adaption of the data with the purpose of conducting automated tasks determined by Customer.

The purpose of processing is the provision of business automation services. Customer shall determine which data points and categories will be analysed by Askel.ai. Customer is responsible for lawfulness of disclosing personal data to Askel.ai, including for the accuracy of the personal data.

  • CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED BY ASKEL.AI

Customer’s clients, employees and/or Customer’s clients’ representatives, as determined by the Customer.

  • TYPES OF THE PERSONAL DATA PROCESSED BY ASKEL.AI

As determined by Customer. Types of personal data may include, for example, the name, identity code, social security number, location, timesheets, compensation, etc.

  • TECHNICAL AND ORGANISATIONAL MEASURES IMPLEMENTED BY ASKEL.AI

Compliance at Askel.ai

At Askel.ai, we take compliance seriously, recognizing its critical importance to our customers and partners. To ensure we meet the highest standards, we engage independent third-party auditors and consultants to validate our practices and obtain external certifications. Reports from these evaluations are available upon request.

GDPR

Askel.ai adheres to the essential requirements of the EU GDPR, embedding data protection principles by design and by default throughout our applications, infrastructure, and organizational processes.

Data Access Control

Access to customer data within Askel.ai is limited to a select group of authorized personnel, managed through secure interfaces. This restricted access ensures effective customer support, problem resolution, security incident response, and implementation of robust data protection measures.

Authentication

We employ secure authentication mechanisms, including SSO through Google accounts or company email credentials. Automatic session logout is enforced after a predefined period of inactivity to enhance account security.

Encryption

Askel.ai utilizes 256-bit AES encryption to secure data at rest and implements TLS 1.3 protocols to encrypt data in transit, ensuring the integrity and confidentiality of all communications.

Change Management

  • Code Reviews: Every code update—whether a new feature or a bug fix—is reviewed by technical founders prior to deployment.
  • Security Audits: Code is regularly assessed for security vulnerabilities.
  • Continuous Integration/Delivery: Leveraging GitHub Actions for CI/CD, enabling swift, reliable updates while maintaining the highest standards of quality and security.
  • Comprehensive Testing: All releases are tested before deployment.

Cloud Security

Askel.ai operates on AWS, with data hosted in Ireland, benefiting from AWS’s robust security and compliance infrastructure.

Monitoring and Logging

We maintain detailed logs of user activities and system interactions to facilitate troubleshooting and support. These logs are retained only as long as necessary to fulfill their purpose, in compliance with data minimization principles.

Security Policies

Askel.ai maintains a comprehensive suite of security and privacy policies designed to safeguard customer data and ensure compliance with the EU GDPR, ISO 27001, and other relevant regulations. These policies are shared with all employees during onboarding and are regularly reviewed and updated to reflect evolving best practices.

At Askel.ai, security and compliance are not just commitments – they are the foundation of trust with our customers.

  • SUB-PROCESSORS ENGAGED BY ASKEL.AI

Askel.ai uses the following sub-processors who process personal data on behalf of Askel.ai in the following manner:

  • Amazon Web Services, Inc. – Provides cloud infrastructure, storage, and AI services for natural language processing.
  • Clerk, Inc. – Provides authentication and user management services.
  • Google LLC – Provides productivity and collaboration tools, cloud infrastructure, and AI services for natural language processing.
  • OpenAI Ireland Ltd. – Provides AI services for natural language processing.
  • Anthropic Ireland Ltd. – Provides AI services for natural language processing.
  • Slack Technologies, LLC – Provides an internal collaboration and communication platform.