Data Processing Agreement

Effective Date: January 1, 2025

This Data Processing Agreement ("DPA"), together with our Terms of Service, Privacy Policy, and Acceptable Use Policy, forms part of the Agreement between Choiceform ("we", "us", or "our") and you ("Customer", "you", or "your") regarding the processing of Personal Data in connection with your use of the Atomemo platform.

All capitalized terms not defined herein have the meanings set forth in the Agreement and Applicable Data Protection Laws.

1. Definitions and Interpretation

1.1 Applicable Data Protection Laws means, as applicable:

(a) The General Data Protection Regulation (EU) 2016/679 ("GDPR"); (b) The UK Data Protection Act 2018 and UK GDPR; (c) The Swiss Federal Act on Data Protection; (d) The California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"); (e) Any other applicable data protection and privacy laws worldwide;

as may be amended, extended, or superseded from time to time.

1.2 Controller means the entity that determines the purposes and means of processing Personal Data. In the context of this DPA, you (the Customer) act as Controller.

1.3 Processor means the entity that processes Personal Data on behalf of the Controller. Choiceform acts as Processor under this DPA.

1.4 Personal Data means any information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Laws.

1.5 Data Subject means the identified or identifiable person to whom Personal Data relates.

1.6 Processing means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

1.7 Sub-processor means any third party appointed by Choiceform to process Personal Data on behalf of the Customer.

1.8 Security Breach means any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to Personal Data.

1.9 Standard Contractual Clauses or "SCCs" means the European Commission's standard contractual clauses for the transfer of Personal Data to third countries.

2. Scope and Application

2.1 Relationship of the Parties

The parties acknowledge and agree that:

(a) Customer is the Controller of Personal Data processed through Atomemo; (b) Choiceform is the Processor acting on Customer's behalf and under Customer's instructions; (c) This DPA applies only where Choiceform processes Personal Data on Customer's behalf in providing the Atomemo platform.

2.2 Self-Hosted Deployments

For self-hosted Community Edition deployments:

(a) Customer maintains full control over Personal Data storage and processing; (b) This DPA applies only to Personal Data Customer shares with Choiceform (e.g., account information, support requests); (c) Customer is responsible for compliance with Applicable Data Protection Laws for data processed on Customer's infrastructure.

2.3 Customer Responsibilities

Customer represents and warrants that:

(a) It has all necessary legal bases to collect, process, and transfer Personal Data to Choiceform; (b) It has provided all required notices and obtained all necessary consents from Data Subjects; (c) Its instructions to Choiceform comply with Applicable Data Protection Laws; (d) It is responsible for the accuracy, quality, and legality of Personal Data and the means by which it was acquired.

3. Details of Processing

3.1 Subject Matter and Nature

Choiceform processes Personal Data to provide the Atomemo workflow automation platform, including:

• Workflow creation, execution, and management
• AI agent operations
• Plugin integrations and API connections
• Collaboration features
• Platform analytics and performance monitoring

3.2 Purpose of Processing

Personal Data is processed for the following purposes:

(a) Providing and maintaining the Atomemo platform; (b) Executing workflows and automation tasks as configured by Customer; (c) Enabling AI agent functionality; (d) Processing plugin and third-party service integrations; (e) Providing customer support; (f) Ensuring platform security and preventing abuse; (g) Improving platform functionality (using aggregated, anonymized data).

3.3 Duration of Processing

Choiceform will process Personal Data for the duration of the Agreement, unless otherwise specified. Upon termination, Personal Data will be deleted or returned in accordance with Section 9.

3.4 Categories of Personal Data

Depending on Customer's use of Atomemo, processed Personal Data may include:

Account Data:

• Name, email address, username
• Organization information
• Account preferences and settings

Workflow Data:

• Workflow configurations and scripts
• AI agent definitions and instructions
• Data processed through workflows
• Execution logs and results

Integration Data:

• API credentials and access tokens (encrypted)
• Data retrieved from connected services
• Plugin configurations

Usage Data:

• Platform usage patterns and features accessed
• Performance metrics and error logs
• IP addresses (stored temporarily for security)

Collaboration Data:

• Comments and shared content
• Workspace member information
• Activity logs

3.5 Categories of Data Subjects

Data Subjects may include:

(a) Customer's employees, contractors, and authorized users; (b) End users whose data is processed through Customer's workflows; (c) Individuals whose data is collected via integrated services; (d) Any other individuals whose Personal Data Customer processes using Atomemo.

4. Customer Instructions

4.1 Processing Instructions

Choiceform will process Personal Data only:

(a) As necessary to provide Atomemo in accordance with the Agreement; (b) On Customer's documented instructions; (c) As required by applicable law.

4.2 Instruction Compliance

If Choiceform believes Customer's instructions violate Applicable Data Protection Laws:

(a) Choiceform will inform Customer immediately; (b) Choiceform may suspend execution of the instruction until Customer confirms or modifies it; (c) Choiceform is not required to comply with unlawful instructions.

4.3 Prohibition on Unauthorized Use

Choiceform will not:

(a) Sell Personal Data; (b) Process Personal Data for purposes other than those specified in this DPA; (c) Disclose Personal Data to third parties except as permitted under this DPA; (d) Retain Personal Data longer than necessary or permitted.

5. Security Measures

5.1 Technical and Organizational Measures

Choiceform implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

Technical Measures:

• Encryption of data in transit (TLS 1.2+)
• Encryption of sensitive data at rest (AES-256)
• Access controls and authentication mechanisms
• Network security and firewalls
• Intrusion detection and prevention systems
• Regular security testing and vulnerability assessments
• Secure credential storage (hashed and encrypted)

Organizational Measures:

• Access restricted to authorized personnel only
• Employee confidentiality obligations
• Security awareness training
• Incident response procedures
• Vendor security assessments
• Regular security policy reviews

5.2 Security Standards

Choiceform maintains security measures that:

(a) Take into account the state of the art and implementation costs; (b) Consider the nature, scope, context, and purposes of processing; (c) Address the risks to Data Subject rights and freedoms; (d) Provide a level of security appropriate to the risk.

5.3 Updates to Security Measures

Choiceform may update security measures from time to time, provided that:

(a) Updates do not result in degradation of security; (b) Updates maintain or enhance the protection level; (c) Updates comply with Applicable Data Protection Laws.

6. Sub-processors

6.1 Authorization

Customer authorizes Choiceform to engage Sub-processors to process Personal Data, subject to the conditions in this Section.

6.2 Current Sub-processors

Choiceform's current Sub-processors are listed at: [Specify URL or reference]

Sub-processors may include providers of:

• Cloud infrastructure and hosting services
• Database and storage services
• Email delivery services
• Analytics and monitoring tools
• Customer support platforms
• Security services

6.3 Sub-processor Requirements

Choiceform ensures that:

(a) Sub-processors are bound by written agreements imposing data protection obligations no less protective than this DPA; (b) Sub-processors implement appropriate technical and organizational measures; (c) Sub-processors comply with Applicable Data Protection Laws; (d) Choiceform remains liable for Sub-processor actions.

6.4 Notice of New Sub-processors

Choiceform will:

(a) Provide at least 30 days' notice before engaging new Sub-processors; (b) Update the Sub-processor list; (c) Allow Customer to object on reasonable data protection grounds.

6.5 Customer Objection

If Customer objects to a new Sub-processor:

(a) Customer must notify Choiceform within 30 days; (b) Parties will work together in good faith to find a resolution; (c) If no resolution is found, Customer may terminate the affected services.

7. Data Subject Rights

7.1 Assistance with Requests

Choiceform will assist Customer in responding to Data Subject requests, including requests to:

(a) Access Personal Data; (b) Rectify inaccurate Personal Data; (c) Erase Personal Data ("right to be forgotten"); (d) Restrict processing; (e) Object to processing; (f) Port data to another controller; (g) Not be subject to automated decision-making.

7.2 Request Handling

If Choiceform receives a Data Subject request directly:

(a) Choiceform will forward it to Customer without undue delay; (b) Choiceform will not respond directly unless required by law; (c) Choiceform will provide reasonable assistance to Customer.

7.3 Technical Assistance

Choiceform will provide Customer with:

(a) Access to tools for exporting Personal Data; (b) Functionality to delete or modify Personal Data; (c) Technical support for fulfilling Data Subject requests; (d) Information about Personal Data processing activities.

8. Data Protection Impact Assessments and Consultations

8.1 DPIA Assistance

Upon Customer's request, Choiceform will provide reasonable assistance with:

(a) Data Protection Impact Assessments (DPIAs); (b) Prior consultations with supervisory authorities; (c) Providing information about processing activities; (d) Assessing risks and mitigation measures.

8.2 Information Provision

Choiceform will provide information necessary for DPIAs, to the extent such information is:

(a) Available to Choiceform; (b) Not already accessible to Customer; (c) Reasonably necessary for the DPIA.

9. Data Retention and Deletion

9.1 Active Service Period

During the term of the Agreement, Choiceform will retain Personal Data as necessary to provide Atomemo.

9.2 Post-Termination

Upon termination or expiration of the Agreement, Choiceform will, at Customer's choice:

(a) Delete all Personal Data within 30 days; or (b) Return Personal Data to Customer in a commonly used format.

9.3 Exceptions

Choiceform may retain Personal Data:

(a) To the extent required by applicable law; (b) In backup systems for up to 90 days; (c) As necessary for dispute resolution or legal proceedings.

9.4 Certification of Deletion

Upon request, Choiceform will provide written certification that Personal Data has been deleted or returned.

10. Security Breaches

10.1 Breach Notification

If Choiceform becomes aware of a Security Breach:

(a) Choiceform will notify Customer without undue delay (within 72 hours when possible); (b) Notification will include available details about the breach; (c) Choiceform will provide updates as investigation progresses.

10.2 Breach Information

Breach notifications will include, to the extent available:

(a) Nature of the breach and categories of data affected; (b) Number and categories of Data Subjects affected; (c) Likely consequences of the breach; (d) Measures taken or proposed to address the breach; (e) Contact point for further information.

10.3 Investigation and Mitigation

Choiceform will:

(a) Investigate the Security Breach promptly; (b) Take reasonable steps to mitigate harm; (c) Cooperate with Customer's investigation; (d) Implement measures to prevent recurrence; (e) Preserve evidence for regulatory or legal purposes.

10.4 Customer Obligations

Customer is responsible for:

(a) Assessing whether to notify Data Subjects; (b) Notifying supervisory authorities as required; (c) Determining additional response measures; (d) Managing communications with affected individuals.

11. International Data Transfers

11.1 Data Storage Locations

Personal Data may be stored and processed in:

(a) Primary data centers: [Specify locations]; (b) Backup facilities: [Specify locations]; (c) Sub-processor locations as listed in the Sub-processor list.

11.2 Transfer Mechanisms

For transfers outside the EEA, UK, or Switzerland, Choiceform relies on:

(a) European Commission adequacy decisions; (b) Standard Contractual Clauses (SCCs); (c) Other lawful transfer mechanisms under Applicable Data Protection Laws.

11.3 Standard Contractual Clauses

Where SCCs apply:

(a) The SCCs are incorporated into and form part of this DPA; (b) Customer is the "data exporter" and Choiceform is the "data importer"; (c) The SCCs take precedence over conflicting provisions in this DPA; (d) Module Two (Controller to Processor) of the EU SCCs applies.

11.4 Additional Safeguards

Choiceform implements supplementary measures to protect transferred data, including:

(a) Strong encryption in transit and at rest; (b) Strict access controls; (c) Contractual commitments with Sub-processors; (d) Regular security audits and assessments.

12. Audits and Compliance

12.1 Audit Rights

Customer may audit Choiceform's compliance with this DPA by:

(a) Reviewing Choiceform's security documentation and certifications; (b) Submitting written questions about data processing practices; (c) Conducting on-site audits (subject to Section 12.2).

12.2 On-Site Audits

For on-site audits:

(a) Customer must provide at least 30 days' written notice; (b) Audits are limited to once per year unless required by supervisory authority; (c) Audits must not unreasonably interfere with Choiceform's operations; (d) Customer must execute Choiceform's standard confidentiality agreement; (e) Customer bears all costs of the audit; (f) Audits must be conducted during business hours.

12.3 Audit Reports

Choiceform may satisfy audit rights by providing:

(a) Third-party audit reports (SOC 2, ISO 27001, etc.); (b) Security certifications and attestations; (c) Written responses to Customer's reasonable questions; (d) Documented evidence of security measures.

12.4 Remediation

If an audit reveals non-compliance:

(a) Choiceform will work with Customer to develop a remediation plan; (b) Choiceform will implement corrective measures within reasonable timeframes; (c) Choiceform will provide updates on remediation progress.

13. Cooperation with Supervisory Authorities

13.1 Regulatory Cooperation

Choiceform will:

(a) Cooperate with supervisory authorities as required by law; (b) Assist Customer in responding to regulatory inquiries; (c) Provide information requested by authorities (where permitted); (d) Notify Customer of regulatory contacts (unless prohibited by law).

13.2 Regulatory Inquiries

If Choiceform receives an inquiry from a supervisory authority:

(a) Choiceform will notify Customer promptly (unless prohibited); (b) Choiceform will not disclose Personal Data without Customer's approval (unless legally required); (c) Customer may choose to respond directly to the authority.

14. Liability and Indemnification

14.1 GDPR Liability

Under GDPR Article 82:

(a) Each party is liable for damages caused by processing that violates GDPR; (b) Choiceform is liable only for damages caused by its failure to comply with GDPR obligations specifically directed at processors; (c) Choiceform is not liable if it proves it is not responsible for the event giving rise to damage.

14.2 Limitation of Liability

Subject to applicable law:

(a) Choiceform's total liability under this DPA is limited as specified in the Terms of Service; (b) Neither party is liable for indirect, consequential, or punitive damages; (c) These limitations do not apply to damages that cannot be limited by law.

14.3 Indemnification

Each party will indemnify the other against third-party claims arising from:

(a) Breach of this DPA by the indemnifying party; (b) Failure to comply with Applicable Data Protection Laws; (c) Negligent or willful misconduct;

provided the indemnified party: (i) promptly notifies the indemnifying party; (ii) provides reasonable cooperation; and (iii) allows the indemnifying party to control defense and settlement.

15. Term and Termination

15.1 Term

This DPA takes effect on the Effective Date and continues until the earlier of:

(a) Termination of the Agreement; (b) Completion of all processing and deletion of Personal Data.

15.2 Effect of Termination

Upon termination:

(a) Processing obligations cease except as necessary for deletion/return; (b) Personal Data deletion/return occurs as specified in Section 9; (c) Confidentiality obligations survive; (d) Provisions intended to survive (including liability, indemnification) remain in effect.

15.3 Survival

The following provisions survive termination:

• Security Breach notifications (if breach occurred during term)
• Audit rights (for audits of the processing period)
• Liability and indemnification
• Confidentiality obligations
• Data deletion certification

16. General Provisions

16.1 Precedence

In case of conflict:

(a) This DPA prevails over the Terms of Service regarding data protection; (b) SCCs prevail over this DPA regarding international transfers; (c) Applicable Data Protection Laws prevail over this DPA where required.

16.2 Amendments

Choiceform may amend this DPA:

(a) To comply with changes in Applicable Data Protection Laws; (b) To reflect changes in processing activities; (c) With 30 days' notice for material changes.

16.3 Severability

If any provision is found invalid or unenforceable:

(a) The provision will be modified to the minimum extent necessary; (b) The remaining provisions remain in full effect; (c) The parties will negotiate a replacement provision if necessary.

16.4 Entire Agreement

This DPA, together with the Agreement, constitutes the entire agreement regarding data processing between the parties.

16.5 Notices

Notices under this DPA must be sent to:

Choiceform: support@choiceform.app Subject: "DPA Notice"

Customer: The email address associated with Customer's account

---

By using Atomemo, Customer agrees to the terms of this Data Processing Agreement.

© 2024-2025 Choiceform

For questions about this DPA, contact support@choiceform.app with subject line "DPA Inquiry".