Data Processing Agreement
This document forms part of the HQ Terms of Service.
This data processing agreement (the “DPA”) applies between The Intelligence Company AB (publ), “TIC”, reg. no. 559487-1682 (the “Processor”), and the Customer (the “Controller”), and forms part of the Agreement concerning the Customer’s use of HQ. The DPA governs TIC’s processing of personal data on the Customer’s behalf in accordance with Article 28 of Regulation (EU) 2016/679 (“GDPR”).
In the event of conflict between the DPA and other parts of the Agreement, the DPA prevails in matters concerning the processing of personal data on the Customer’s behalf. Terms not defined here have the same meaning as in the Terms of Service for HQ and in GDPR, respectively.
1 BACKGROUND AND SCOPE
1.1 Within the scope of the Service, TIC processes personal data contained in Customer Content on the Customer’s behalf. For such processing, the Customer is the controller and TIC is the processor.
1.2 This DPA does not cover processing for which TIC is the controller (e.g. account, user, billing, security and usage data under section 13.2 of the Terms of Service). Such processing is governed by TIC’s privacy policy.
1.3 The subject matter, nature, purpose and duration of the processing, the categories of data subjects and the types of personal data are set out in Annex A.
2 TIC’S OBLIGATIONS
2.1 Documented instructions. TIC shall process personal data only on the Customer’s documented instructions, including as regards transfers to a third country, unless required to do otherwise by Union or Swedish law. The Customer’s instructions consist of the Agreement, the Customer’s configuration and use of the Service (including the choice of Models and Integrations) and any further written instructions. TIC shall notify the Customer if TIC considers that an instruction infringes applicable data protection legislation.
2.2 Confidentiality. TIC shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.3 Security. TIC shall implement appropriate technical and organisational measures pursuant to Article 32 GDPR to ensure a level of security appropriate to the risk. The measures are set out in Annex B.
2.4 Assistance. Taking into account the nature of the processing and the information available to TIC, TIC shall reasonably assist the Customer in fulfilling the Customer’s obligations regarding (a) data subjects’ rights under Chapter III GDPR, (b) security under Article 32, (c) notification of personal data breaches under Articles 33-34, and (d) data protection impact assessments and prior consultation under Articles 35-36.
2.5 Personal data breach. TIC shall, without undue delay after becoming aware of a personal data breach relating to the processing, notify the Customer and provide the information the Customer reasonably needs to fulfil its notification obligation.
3 SUB-PROCESSORS
3.1 The Customer grants TIC a general prior authorisation to engage sub-processors for the processing. The sub-processors engaged at the time of entering into the DPA are set out in Annex C and include providers of hosting and Model Serving as well as the Model Providers whose Models are made available through the Platform.
3.2 TIC shall, by contract, impose on each sub-processor data protection obligations that are substantially equivalent to those in this DPA. TIC is liable to the Customer for the processing carried out by sub-processors.
3.3 TIC shall inform the Customer of planned changes regarding the addition or replacement of sub-processors at least thirty (30) days before the change takes effect, thereby giving the Customer the opportunity to object. If, within that time, the Customer raises a well-founded objection that the Parties cannot resolve, the Customer is entitled to terminate the part of the Service affected.
4 TRANSFERS TO THIRD COUNTRIES
4.1 The processing may involve the transfer of personal data to a third country, in particular where a Model Provider or other sub-processor processes personal data outside the EU/EEA. Such transfer takes place only if a valid transfer mechanism under Chapter V GDPR exists, e.g. an adequacy decision or the European Commission’s standard contractual clauses together with the required supplementary safeguards.
5 RETURN AND DELETION
5.1 On expiry of the Service, TIC shall, at the Customer’s choice, delete or return all personal data processed on the Customer’s behalf and delete existing copies, unless Union or Swedish law requires continued storage. The Customer is given the opportunity to export Customer Content in accordance with section 20.4 of the Terms of Service before deletion takes place.
5.2 If the Customer does not provide instructions for deletion or return within thirty (30) days of expiry of the Service, TIC is entitled to delete or irreversibly anonymise the personal data. Personal data is deleted from active systems within approximately thirty (30) days and is phased out of encrypted backups in line with ordinary backup rotation.
5.3 Manual export requiring more than minor effort by TIC may be charged at TIC’s hourly rate applicable from time to time.
6 AUDIT
6.1 TIC shall make available to the Customer the information required to demonstrate compliance with the obligations under Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. An audit shall be notified within a reasonable time, take place during normal business hours and in a manner that does not unreasonably disrupt TIC’s operations. TIC is entitled, in the first instance, to fulfil this obligation by providing relevant documentation and any third-party audits or certifications.
7 LIABILITY
7.1 The Parties’ liability under this DPA is governed by the liability provisions of the Terms of Service (section 18), to the extent permitted under mandatory data protection legislation. The allocation of any administrative fines and compensation to data subjects follows from Articles 82-83 GDPR.
8 ANNEXES
- Annex A - Instructions for the processing
- Annex B - Technical and organisational security measures
- Annex C - Approved sub-processors
Annex A - Instructions for the processing
| Parameter | Description |
|---|---|
| Subject matter | Processing of personal data in Customer Content within the scope of TIC’s provision of HQ. |
| Nature of processing | Collection, storage, structuring, analysis, transfer to Models and Integrations, generation of Output and deletion, all on the Customer’s instruction through the configuration and use of the Service. |
| Purpose | To provide the Service under the Agreement, including the operation of Agents, model calls and customer-built Applications. |
| Duration | For the term and until deletion/return under section 5. |
| Categories of data subjects | Determined by the Customer. May include e.g. the Customer’s employees and Users, the Customer’s customers and contacts, counterparties in connected systems (e.g. CRM) and end users of customer-built Applications. |
| Types of personal data | Determined by the Customer through the Customer Content provided to the Service. The Customer may not provide special categories of personal data (Article 9 GDPR), data relating to criminal offences or other particularly sensitive data, unless expressly agreed in writing with TIC and necessary safeguards implemented, in accordance with section 10.5 of the Terms of Service. |
Annex B - Technical and organisational security measures
TIC applies, among others, the following measures.
- Encryption of personal data in transit (TLS) and at rest.
- Access control on a least-privilege basis, and multi-factor authentication for administrative access.
- Logging and monitoring, and incident response procedures.
- Segregation of customer data (logical separation) in the Platform.
- Procedures for regular testing and evaluation of the effectiveness of the measures.
- TIC is certified under ISO/IEC 27001 (information security management system).
Annex C - Approved sub-processors
Sub-processors are divided into (a) hosting and infrastructure and (b) Model Serving. For category (b), it is the actual access route and region - not the brand of the Model - that determines the processing; see the Models and Integrations Annex.
(a) Hosting and infrastructure
| Sub-processor | Function | Region | Third-country transfer |
|---|---|---|---|
| AWS / Microsoft Azure | Operation, storage and infrastructure for the Platform (the HQ application and Customer Content are stored within the EU/EEA) | EU/EEA | No |
(b) Model Serving
| Sub-processor | Role | Region | Third-country transfer |
|---|---|---|---|
| AWS (Bedrock) | EU-hosted Model Serving - Anthropic models (standard) | EU | No |
| Microsoft (Azure AI Foundry) | EU-hosted Model Serving - OpenAI models (standard) | EU | No |
| Microsoft (Azure AI Foundry) | Model Serving - xAI/Grok (global deployment, US option) | Global/US | Yes - SCC |
| Cerebras | Direct Model Serving (US option; no storage/training) | US | Yes - SCC |
Where a Model is served via AWS Bedrock or Azure AI Foundry in an EU region, Customer Content is processed by AWS and Microsoft respectively within the EU; the underlying model developer (Anthropic and OpenAI respectively) does not obtain access to Customer Content beyond what is required to generate Output. xAI/Grok and Cerebras cannot currently be confirmed to run within the EU and are treated as US options under SCC.