Data Processing Agreement

This Data Processing Agreement was last updated on 10/21/2024

This Data Processing Agreement ("DPA") of Didge NX Inc. (the “Vendor”), together with the Vendor’s public Privacy Policy and Terms of Use, govern access to and use of the Didge Services and related Documentation, and defines how data is collected, processed, stored, and secured, confidentiality terms, along with responsibilities of the Parties. By signing a Statement of Work (the “SOW”) that references this DPA, you (“Customer”) agree to be bound by this DPA, together with the signed SOW.

1. Confidential Information.

(a) From time to time during the Term of the SOW, Customer may disclose (the “Disclosing Party”) to the Vendor (the “Receiving Party”) data and other information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media/in written or electronic form or media, and whether or not marked, designated, or otherwise identified as "confidential" (collectively, "Confidential Information").

(b) Confidential Information does not include information that, at the time of disclosure is: (i) in the public domain; (ii) known to the Vendor at the time of disclosure; (iii) rightfully obtained by the Vendor on a non-confidential basis from a third party; or (iv) independently developed by the Vendor.

2. Customer Data.

(a) “Customer Data” means any and all information and data of the Customer that is provided, uploaded, submitted, or otherwise shared with the Vendor by the Customer for the purposes of the provision of the Services, regardless of the form of such data.

(b) Customer Data also includes data and information of Customer’s clients, owners, representatives, designers, trade contractors, suppliers, and of any other third parties engaged in business dealings with Customer that is provided, uploaded, submitted, or otherwise shared with the Vendor by the Customer or by such third parties in relation to the provision of the Services.

3. Treatment of Confidential Information.

(a) As a condition to its receipt of or access to Confidential Information, the Vendor shall:

(i) not disclose the Customer's Confidential Information to any person or entity, except to the Vendor's employees who have a need to know the Confidential Information for the Vendor to exercise its rights or perform its obligations hereunder;

(ii) except as may be permitted by and subject to its compliance with this DPA, not disclose or permit access to Confidential Information other than to its representatives who: (1) need to know such Confidential Information for purposes of the Vendor's exercise of its rights or performance of its obligations under and in accordance with this DPA and the signed SOW; (2) have been informed of the confidential nature of the Confidential Information and the Vendor's obligations under this section; and (3) are bound by written confidentiality and restricted use obligations at least as protective of the Confidential Information as the terms set forth in this section;

(iii) safeguard the Confidential Information from unauthorized use, access, or disclosure using at least the degree of care it uses to protect its most sensitive information and in no event less than a reasonable degree of care;

(iv) notify the Disclosing Party in writing immediately of any unauthorized disclosure or use of the Disclosing Party's Confidential Information and cooperate with the Disclosing Party to protect the confidentiality and ownership of all Intellectual Property Rights, privacy rights, and other rights therein.

(b) On a Project-by-project basis and subject to any contrary obligations under applicable Law, Vendor shall at Customer's direction within 30 (thirty) days return or destroy and erase from all systems it directly or indirectly uses or controls: (i) all originals and copies of all documents, materials, and other embodiments and expressions in any form or medium that contain Customer Confidential Information, in whole or in part; and/or (ii) solely such specific Customer Confidential Information, database records, or other collections or articles as Customer may request.

(c) Vendor agrees to take security precautions to protect Customer Confidential Information against disclosure or unauthorized use.

(i) Vendor agrees that it shall implement and maintain at all times a written information security program including appropriate policies, procedures, and risk assessments sufficient to ensure the confidentiality, integrity, and availability of Customer Confidential Information to ensure compliance with industry-accepted information security practices. Vendor shall review this written program and measures at least annually.

(ii) Vendor agrees that it has implemented administrative, physical, and technical safeguards to protect Customer Confidential Information from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage that are no less rigorous than accepted industry practices, including the International Organization for Standardization’s standards: ISO/IEC 27001 – Information Security Management Systems – Requirements and ISO/IEC 27002 – Code of Practice for International Security Management; the National Institute of Standards and Technology (NIST) Cybersecurity Framework; or other applicable industry standards for information security .

(iii) Vendor agrees to notify Customer immediately of a potential security breach detection relating to the Customer Confidential Information.

4. Infrastructure Hosting

(i) The Vendor may utilize third-party infrastructure provider, Amazon Web Services (AWS), to host the Services and process Customer Confidential Information.

(ii) The Vendor ensures that any third-party infrastructure provider maintains relevant certifications and compliance, including but not limited to ISO/IEC 27001, SOC 2, GDPR, and other applicable data protection standards. The Vendor also ensures that these providers implement robust physical, technical, and administrative safeguards to protect Customer Confidential Information.

(iii) The Vendor remains fully responsible for ensuring the confidentiality, integrity, and availability of Customer Confidential Information, regardless of the use of third-party hosting services.

(iv) The Vendor ensures that all the data at rest and in transit is encrypted and otherwise protected such that the third-party infrastructure and processing provider does not receive access to the data.

(v) Customer Confidential Information hosted or processed using third-party infrastructure remains subject to the data residency, privacy, and security obligations outlined in this DPA and the Vendor’s Privacy Policy. The Vendor warrants that such processing complies with all applicable laws governing data protection and privacy.

5. Artificial Intelligence and Customer Confidential Information

(i) The Vendor warrants that Customer Confidential Information will not be used for the purposes of training, fine-tuning, or otherwise developing Artificial Intelligence (AI) models.

(ii) The Vendor’s Machine Vision AI models are built and operated by the Vendor. The Vendor warrants that Customer Confidential Information is not shared with any third parties during inference.

(iii) The Vendor confirms that it does not utilize Large Language Models (LLMs) in the provision of the Services.

6. Data Residency

(i) The Vendor ensures that all Customer Data is stored and processed exclusively within the geographic region of the Customer. For deployments within the United States, Customer Data will be hosted and processed in AWS data centers located in the United States.

(ii) The Vendor guarantees that Customer Data will not be transferred outside the Customer’s specified geographic region without prior written consent by the Customer.