Terms of service

Agreement for Aito.ai Online Services

Updated on the 19th of November 2021

This Agreement for Aito.ai Online Services (the “Agreement”) including its appendices listed below constitutes the entire agreement between the Customer or You and Aito Intelligence Oy (”Supplier”, “we”, “our” or “us”), regarding your use of our services specified in the Agreement (the software, and services are collectively referred to as the “Service”). Please read this Agreement carefully. The term “You” shall also include Your employees or other authorized users to the extent applicable and permitted under Your subscription of the Service. This Agreement describes the terms and conditions that apply to your use of the Services.

By accepting this Agreement by means of a click-through and/or by an account registration and/or by accessing or using the Service, You represent and warrant that You have read, understand and agree to be bound by this Agreement.

If you do not understand any of the terms of this Agreement, please contact us support@aito.ai before using the Services.

Any notifications under or in relation to scope, prices, term or termination of this Agreement shall be sent by email to support@aito.ai.

The following appendices forms an inseparable part of and is governed by the terms of this Agreement:

Annex 1: Free Plan and Paid Services
Annex 2: Personal Data Processing Agreement

In the event of any conflicting terms in the Agreement and its appendices, the Agreement shall take precedence over the appendices, except in any matters relating to the processing of personal data, in which case Annex 2 (Personal Data Processing Agreement) shall take precedence.

1. The Service

The Service is a hosted database and machine learning solution that helps users get machine learning predictions fast over API access that users are provided with. The service does not include consultancy or implementation work on behalf of or for the customer. The Supplier shall provide to the customer the necessary API keys and other instructions for operating the environment. You, as our customer, are responsible for the actual data being stored in Aito. This means you need to have the permissions to store and use the data in Aito.

2. Eligibility

The Service is not intended for users that are consumers (being an individual acting primarily for purposes other than a trade, business or profession) and the applicability of consumer protection legislation is therefore excluded. You must be 18 years of age or older to enter into this agreement and use the Service. You represent and warrant that any information You submit is true and accurate and that You are 18 years of age or older and are fully able and competent to enter into, and abide by this Agreement.

3. Customer Responsibilities

The Customer shall notify the Supplier immediately of any unauthorized use of the Service or any other known or suspected breach of security.

4. Grant of Access to the Service

Customer’s group companies have a right to use the Service under and in accordance with this Agreement.

Customer shall not transfer, lease, loan, resell, distribute or otherwise make the Service or materials contained in the Service available in whole or in part in any form whatsoever to third parties. However, the Customer and third parties acting on behalf of the Customer are entitled to use the Service and Supplier material in the Customer’s business.

5. Restrictions of Use

Without limiting the generality of the foregoing, You agree not to:

a) access, monitor, or copy any content or information on the Service using any robot, spider, scraper, or other automated means or any manual process for any purpose without our express written permission;

b) violate the restrictions in any robot exclusion headers on the Service or bypass or circumvent other measures employed to prevent or limit access to the Service;

c) take any action that imposes, or may impose, in our discretion, an unreasonable or disproportionately large load on our infrastructure;

d) deep-link to any portion of the Service for any purpose without our express written permission;

e) “frame”, “mirror,” or otherwise incorporate any part of the Service into any other website without our prior written authorization; or

f) violate any applicable local, provincial, national, or international law or regulation.

We may at any time suspend or terminate your access to the Service if we have reason to believe that you are not complying with this Agreement or you are otherwise abusing the Service.

6. Changes to the Service

The Supplier reserves the right to modify, discontinue, and restrict, temporarily or permanently, all or part of the Service without notice at our sole discretion. Neither we nor our suppliers or licensors will be liable to you or to any third party for any modification, discontinuance, or restriction of the Service.

7. Suspension of the Service

The Supplier shall have the right to prevent Customer’s access to the Service without prior notice, if the Supplier reasonably suspects that the Customer burdens or uses the Service in such a manner as to jeopardize the delivery of the Service to other users.

The Supplier shall also have the right to restrict the Customer’s access to and use of the Service in cases where the Customer’s momentary or long-term use of the Service causes unexpected or unreasonable stress on the Service and its background systems. The Supplier reserves the right to specify such unexpected on unreasonable use but shall base its assessment i.e. on the technical limits outlined this Agreement.

We may at any time suspend or terminate Your access to the Service if we have reason to believe that You are not complying with applicable laws, this Agreement or You are otherwise abusing the Service.

8. Free Plan

If you use the Service under the Sandbox free plan (“Free Plan”) and you want to go over the Free Plan limits, you’ll be required to upgrade your account to, and select and pay for, Paid Services. Paid Services are described in Section 9. The Supplier reserves the right to determine if You are eligible for a Free Plan and to discontinue any Free Plan without notice at its sole discretion. Annex 1 describes the Free Plan limits.

9. Fees and Payment

We will charge fees on a subscription basis (“Paid Services”), as shown to You at time of subscribing and outlined in Annex 1, or as agreed separately with you on an Enterprise Services Agreemeent.

Paid Service might include Service usage limits as well as additional features. The Supplier reserves the right to implement fees or change the fees or features for certain services at any time by providing you notice on the Service and on an email. When you purchase any Paid Services, you authorize the Supplier or its third party payment processors to charge the credit card identified by you (which you represent and warrant that you are authorized to use) all applicable fees for your purchase, including all applicable taxes, and you agree that our payment provider can process and store your credit card information.

If the Supplier does not receive payment from your credit card provider, you agree to pay all amounts due upon demand and the Supplier may suspend your access to the Services until full payment is received or terminate this Agreement. All sales are final and the Supplier will not issue refunds, including for prepaid monthly fees. If you choose an automatic recurring payment and later decide to end your subscription, cancelling the payment is your responsibility. The Supplier does not refund automatic payments not cancelled in time.

10. Subcontractors

The Supplier may engage subcontractors to perform the Service under the Agreement, provided that the Supplier remains fully liable for any actions of such subcontractor, as if the work had been carried out by the Supplier itself. The Supplier shall ensure that its subcontractors comply with the confidentiality provisions specified in the Section 11.

11. Confidentiality

Each party shall keep in confidence all Confidential Information (means any information and material in whatever form disclosed to one party by the other party and either marked as confidential or should be understood to be confidential) and shall not disclose the Confidential Information to any third party or use the Confidential Information for any purpose other than for the purpose of the Agreement.

A receiving party shall have the right to:

a) copy Confidential Information only to the extent necessary for the purpose of the Agreement; and

b) disclose Confidential Information only to those of its employees and subcontractors fulfilling the obligations of the Agreement who need to know the Confidential Information for the purpose of the Agreement.

c) disclose Confidential Information to its own legal and financial advisors provided that such advisors are bound by the confidentiality provisions at least as restrictive as contained in this Section 11.

Notwithstanding the foregoing the confidentiality obligation shall not be applied to any material or information:

a) which is generally available or otherwise public other than by a breach of the Agreement on the part of the receiving party; or

b) which the party has received from a third party without any obligation of confidentiality; or

c) which was in the possession of the receiving party prior to receipt of the same from the other party without any obligation of confidentiality related thereto; or

d) which a party has developed independently without using material or information received from the other party; or

e) which a party shall disclose pursuant to a law, decree, or other order issued by the authorities or judicial order.

Each party shall cease using Confidential Information received from the other party promptly upon termination of the Agreement or when the party no longer needs the Confidential Information in question for the purpose of the Agreement and, unless the parties separately agree on the destruction of such material, return the material in question and all copies thereof. Each party shall, however, be entitled to retain copies required by law or regulations.

Each party warrants the observance and proper performance of this Section 11 by all of its subcontractors and other parties to which Confidential Information has been disclosed.

Each party is entitled to use the professional skills and experience acquired in connection with the Agreement.

The rights and obligations under this Section 11 shall survive the termination or expiration of the Agreement and shall remain in force for a period of 5 years from the Effective Date (means the date when You have accepted to be bound by the Agreement by means of a click-through and/or by an account registration and/or by accessing or using the Service), or if the Confidential Information is disclosed after the Effective Date, for a period of 5 years from the date of disclosure.

12. Publicity

Unless either You provide the Supplier with written notice to the contrary or of any reasonable restrictions or requirements, the Supplier may use Your graphical logo(s) and company name(s) on its website and in marketing materials to represent that You are a customer, in accordance with good marketing practices.

13. Force Majeure Event

Force Majeure Event means any failure by a party to perform its obligations under this Agreement caused by an impediment beyond its control, which it could not have taken into account at the time of the conclusion of this Agreement, and the consequences of which could not reasonably have been avoided or overcome by such party. If not proven otherwise such impediments may include, but are not limited to, acts of government in its sovereign or contractual capacity, fires, disturbance of data networks, floods, epidemics, quarantine restrictions, strikes, lock-outs, industrial disputes, riots, acts of terror or specific threats of terrorist activity, transportation or energy. Strike, lock-out, boycott and other industrial action shall constitute a Force Majeure Event also when the party concerned is the object or a party to such an action.

Neither party shall be liable for delays and damages caused by a Force Majeure Event.

A Force Majeure Event suffered by a subcontractor of a party shall also discharge such a party from liability if subcontracting from another source cannot be made without unreasonable costs or a significant loss of time.

A party shall notify the other party in writing without delay of a Force Majeure Event. The party shall correspondingly notify the other party of the termination of a Force Majeure Event.

14. Intellectual Property Rights

The Intellectual Property Rights (means any and all patents, utility models, designs, copyright, domain names, trademarks, trade names and any other intellectual property rights, whether registered or not and applications for any of the aforementioned respectively as well as any trade secrets) to the Service and any amendments, modifications, new versions thereto shall belong to the Supplier. The product names associated with the Service are service marks and trademarks of the Supplier or third parties, and no right or license is granted to use them. This Agreement does not grant the Customer any rights of ownership in or related to the Service or the Intellectual Property Rights owned by the Supplier. The Customer acknowledges that, except as specifically provided under this Agreement, no other right, title, or interest is granted.

The Intellectual Property Rights and the title to the Customer Data shall belong to the Customer. This Agreement has no effect on the Intellectual Property Rights each party had prior to the Effective Date. This Agreement shall not give a party any direct, indirect or implied right or license to use or otherwise exploit Intellectual Property Rights belonging to the other party.

15. Infringement of Third Party Rights

The Supplier will defend, indemnify and hold harmless Customer, its representatives, subsidiaries, affiliates and customers from and against any costs, damages, expenses, and liabilities (including, but not limited to, reasonable attorneys’ fees) arising out of or in relation to any claims or actions regarding infringement of a third party’s intellectual property rights due to Customer’s use of the Service. The obligation by the Supplier only applies under the condition that the Customer has notified the Supplier in writing of a claim or action within a reasonable time. In case such third party claim is made or is likely to be made, the Supplier is responsible, at its own cost, for obtaining any necessary rights for Customer to continue to use the Service under this Agreement or replace or modify the infringing part of the Service to be non-infringing without decreasing functionality. If all Services provided under this Agreement are affected and terminated, the Agreement shall be considered terminated in its entirety.

The liability of the Supplier for infringement of Intellectual Property Rights shall be limited to this Section 15.

16. Feedback

The Customer may from time to time provide suggestions, comments or feedback (“Feedback”) with respect to the Service or Confidential Information provided originally by the Supplier. The Customer agrees that all Feedback is voluntary and, even if marked as confidential (unless subject to a separate written agreement), will not create a confidentiality obligation for the Supplier. The Supplier will be free to use, disclose, reproduce, license or otherwise distribute such Feedback, without obligation or restriction of any kind with relation to a Party’s Intellectual Property Rights or otherwise. Notwithstanding the above, no right shall be granted to any Intellectual Property Rights that were in existence prior to the Effective Date.

17. Customer Data

The data the Customer stores in the database is Customer’s own, and the Supplier does not process it without explicit request or permission from the Customer. However, the Supplier may process Customer Data (means information or material transferred by the Customer to Service or information or material otherwise provided or made available to the Supplier for Customer’s benefit and for purposes of the Service or other information or material specified as Customer Data by the Parties) for the purposes of the Agreement and provisioning of the Service (e.g. providing customer support). The Supplier shall not log data in the Customer messages, nor gather any statistics of the internals of Customer Data.

The Supplier, however, will monitor the API-usage (quantity of calls, response times, message sizes) in order to guarantee the quality of service for the Customer, as well as to improve the service for the future.

The Customer shall be responsible for Customer Data and for ensuring that the Customer Data does not infringe third party Intellectual Property Rights or violate any legislation in force from time to time. In case of breach of the aforementioned, the Customer will be responsible for, and will indemnify and hold the Supplier harmless from all claims, suits, proceedings, losses, liabilities, damages, costs and expenses (including reasonable attorneys’ fees) made against or incurred by the Supplier.

The Supplier’s responsibility to retain the Customer Data terminates 60 days from termination or expiration of the Agreement, after which the Supplier shall at its own expense destroy the Customer Data unless the Customer has requested delivery of the Customer Data. However, the Supplier shall be entitled to destroy or retain the Customer Data to the extent required by law or regulation by a competent authority.

18. Term and Termination

This Agreement shall become effective on the Effective Date and shall stay in effect until further notice. Your subscription to the Service will remain in effect and will be renewed automatically at the end of each subscription period unless you terminate your subscription or we terminate it.

Subscription period is displayed to Customer at the time of subscribing to Paid Services. Customer can log in to Aito Console to terminate the subscription at any time, after which the Service ends at the end of the current subscription period.

Separate Enterprise Services Agreemeent may have special adherence terms regarding renewal, pricing and defined advance notice periods for termination.

Either party may terminate the Agreement in writing taking effect immediately (or a certain date indicated in the notice of termination, that must not be later than three (3) months from the notice of termination) if the other party

a) commits a material breach of its obligations under the Agreement and does not remedy such breach within thirty (30) days of receiving notice of breach from the non-breaching party; or

b) enters into bankruptcy, becomes insolvent or makes an assignment for the benefit of creditors.

Upon the termination or expiration of the Agreement, You must immediately stop using the Service.

19. Warranties

TO THE FULL EXTENT PERMITTED BY LAW, THE WARRANTY SET FORTH IN THIS SECTION 19 IS SUPPLIER’S EXCLUSIVE WARRANTY AND IS IN LIEU OF ALL OTHER WARRANTIES, CONDITIONS, UNDERTAKINGS OR TERMS OF ANY KIND, EXPRESS OR IMPLIED, WRITTEN OR ORAL, BY OPERATION OF LAW, ARISING BY STATUTE, COURSE OF DEALING, USAGE OF TRADE OR OTHERWISE, INCLUDING, WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, LACK OF VIRUSES AND BACK DOORS, TITLE, NON-INFRINGEMENT, ACCURACY OR COMPLETENESS OF RESPONSES, RESULTS, AND/OR LACK OF WORKMANLIKE EFFORT.

NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING STATEMENTS REGARDING PERFORMANCE OF THE SERVICE, WHICH IS NOT CONTAINED IN THIS AGREEMENT, WILL BE BINDING ON THE SUPPLIER. THE FOREGOING WARRANTY SPECIFICALLY EXCLUDES THIRD PARTY MODIFICATIONS.

20. Limitation of Liability

The aggregate total liability of a party towards the other party in respect of any cause of action relating to or arising out of this Agreement shall not exceed the amount paid by the Customer under this Agreement during the last 6 months prior to the cause for the claim has arisen.

NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, DAMAGES RESULTING FROM DELAY OF DELIVERY OR FROM LOSS OF PROFITS, DATA, BUSINESS, OR GOODWILL, HOWEVER CAUSED AND ON WHATEVER THEORY, WHETHER BASED ON BREACH OF CONTRACT OR WARRANTY, TORT (INCLUDING NEGLIGENCE), THE FAILURE OR ASSERTED FAILURE OF A PARTY TO PERFORM ITS OBLIGATIONS HEREUNDER, OR OTHERWISE, AND WHETHER OR NOT THE PARTY ALLEGED TO HAVE CAUSED SUCH DAMAGES HAS BEEN ADVISED OR IS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.

Both parties shall be responsible for taking back-up copies of data and data files and for verifying the functionality of such back-up copies. Neither party shall be liable for the loss of, damage to, nor alteration of data or data files of the other party due to any cause and the resulting damages and expenses incurred, such as expenses based on the re-creation of data files. However, in the case of the loss of Customer’s data or data files, the Supplier will give all reasonable support to the Customer restoring the data loss. The Supplier will provide this support without any additional fees or charges.

The limitations of liability shall not apply to:

a) damages caused by willful misconduct or gross negligence; or

b) breach of confidentiality provisions in Section 11; or

c) claims and costs covered by Section 14.

d) damages caused by breach of other party’s intellectual property rights.

21. Assignment

Neither party shall have the right to assign the Agreement or any of its rights or obligations hereunder to any third party without the prior written consent of the other party. Notwithstanding the foregoing, each party may transfer its receivables under this Agreement to a third party.

The Supplier may transfer the Agreement and the rights and obligations hereunder to such a third party to which the business activities related to the Agreement has been transferred.

22. Applicable Law; Dispute Resolution

This Agreement and all matters arising out of or in connection with this Agreement shall be interpreted, construed and governed exclusively in accordance with the laws of Finland without reference to its choice of law rules. The United Nations Convention on Contracts for the International Sale of Goods done at Vienna April 11, 1980 is excluded.

In the event no settlement can be reached by means of negotiations, any dispute, controversy or claim arising out of or relating to this Agreement, or the breach, termination or validity thereof shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitration of the Finnish Central Chamber of Commerce. The arbitration shall take place in Helsinki, Finland. The arbitration shall be conducted, and the arbitration award shall be given in the English language. The parties agree that the arbitration procedure and all thereto related material and information shall be treated as Confidential Information in accordance with Section 11 of this Agreement.

The parties have nevertheless right to claim for outstanding receivables under this Agreement at the courts of the other party’s registered domicile.

23. Other Provisions

Both parties act in their own name and on their own behalf. Neither party has a right to enter into any agreements or other commitments on behalf of the other party. A failure of a party to insist upon the performance of any or more of the terms or conditions of this Agreement or a waiver of any term or condition of this Agreement will not be deemed to be a waiver of any rights or remedies the party may have in subsequent similar situations.

If any provision in this Agreement is found or becomes invalid, unlawful, or unenforceable to any extent, the provision in question will be severed from the remaining provisions of this Agreement, which will continue to be valid and enforceable to the fullest extent permitted by law.

The section headings and titles in this Agreement are for convenience only and have no legal or contractual effect. Any provision in this Agreement that by its nature should survive the termination of Your license to access the Service or any termination of this Agreement (including, without limitation, provisions governing, limitations on liability, disclaimers of warranty, and ownership of intellectual property) will continue to remain in full force and effect after any such termination.


Annex 1: Free Plan and Paid Services

This annex describes the features and fees of Aito self-service plans, at the time of Your subscription start. These terms do not apply in case you have a separate Enterprise Services Agreemeent with us.

Sandbox (Free Plan)Dev (Paid Service)Prod (Paid Service)
Fee per instance / month0 €39 € excl. VAT249 € excl. VAT
API call limit / month2 00010 00050 000
API call burst limit / sec1520 
Storage(1)100MB, not extendable500 MB, not extendable1 GB, extendable at 49€/GB/month excl. VAT
Active server hours / day(2)6 hours12 hours24 hours
Deleted after inactivity7 daysNeverNever
Access to all API endpointsYesYesYes
Slack support(3)YesYesYes
Multiple team membersNoYesYes
Automatic backupsNoNoYes
  1. Storage is the total amount of disk space used for your raw data uploaded to Aito, PLUS the index generated and maintained for that data.
  2. It means the maximum hours your instance is available per every 24h starting from midnight EET (Finnish time) and from your first call in that time window.
  3. Slack community support operates on best-effort basis, during Finnish working hours.

Annex 2: Personal Data Processing Agreement

1. Introduction

This Personal Data Processing Agreement (”DPA”) is an inseparable part of the Agreement between Aito Intelligence Oy (”Aito”) and the Customer.

The agreed Service delivery may include processing of personal data by Aito and its subcontractors, on behalf of the Customer, within the scope described in the Agreement. The purpose of this DPA is to set the terms and conditions governing such processing by Aito on behalf of the Customer in compliance with the requirements set by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection legislation.

Aito may process personal data solely to the extent necessary for the provision of the Services set forth in the Agreement, and may not otherwise process or use personal data for purposes other than those set forth in this DPA or as reasonably instructed by the Customer in writing where such instructions are consistent with the terms of the Agreement. This DPA shall take precedence over conflicting provisions relating to processing of personal data in the Agreement, unless otherwise expressly stated in this DPA.

By accepting the Agreement, Customer enters into this DPA on its own behalf and on behalf of those of the Customer’s group companies that function as a controller with respect to personal data being processed by Aito under this DPA and the Agreement between Aito and the Customer. The Customer and Affiliates are jointly referred to as the “Customer”.

In the event that under the Agreement it is agreed that a cloud based service shall be delivered by a third-party provider (Amazon Web Services, Microsoft, Google or other) the parties acknowledge that any personal data processed within the cloud service shall be exclusively governed by the terms and conditions for the cloud service as stipulated and amended from time to time by the cloud service provider.

The parties shall agree on all additions and amendments to this DPA writing.

2. Definitions

All references to "personal data", "processing", "data subject", “processor”, “controller”, “personal data breach”, “supervisory authority” and other terms defined in the GDPR and not expressly defined herein shall have the same meaning in this DPA as in Article 4 of the GDPR.

3. Data Protection and Processing Personal Data

The Customer or the Customer’s client shall be the controller and the Supplier shall be the processor of the personal data processed in the Service.

The types of personal data and categories of data subjects may include the following:

Categories of Data Subjects

The Customer may submit personal data to the Service, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)

  • Employees, agents, advisors, freelancers of Customer (who are natural persons)

  • Customer’s Users authorized by Customer to use the Services

Type of Personal Data

The Customer may submit personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following types of personal data:

  • Contact details such as name, title, telephone, business address and mobile numbers and email address

  • Employment and human resources details such as name, addresses, contact details, age, details relating to the employment of the data subject

  • Financial and transactional details

  • IT management details such as details of equipment data related to the services provided including technical identifiers, user name, location, contact details, communication data and metadata

  • Security details such as security log information

  • Connection data

  • Localization data

The subject, character and purpose of processing is defined in more detail in the Agreement.

This DPA with the Agreement constitutes the instructions in accordance with which any such data is processed as per the date of entering into this DPA.

The Supplier shall maintain the service description or other record of the processing activities of the service in cases where it is required to do so by the GDPR. The Supplier is entitled to collect anonymous and statistic data of the use of the services pursuant to the Agreement, that does not specify the Customer nor data subjects and uses it for analyzing and developing its services.

4. Responsibilities of the Customer

The Customer is the owner of its personal data and is responsible for the accuracy, legality, integrity and content reliability of such personal data and other controller’s responsibilities as described in the GDPR.

5. Deletion or Returning of Data

Aito has no obligation to store and Aito will not store any of the Customer’s data after the termination subscription of the Service. Aito will, at the Customer’s choice, promptly delete or return all personal data related to you after the end of the provision of the Services relating to processing and delete existing copies unless applicable legislation requires storage of the personal data.

6. Sub-processors

This DPA constitutes a general authorization by the Customer for Aito’s use of sub-processors. Aito shall ensure that sub-processors are bound by a written agreement that require them to provide at least the level of data protection required by Aito under this DPA. Aito shall inform the Customer of changes concerning its sub-processors, including the identity and location of new or replaced sub-processors. A list of sub-processors (including their name, country, processing activities and country/area where processing activities are carried out) is available at Aito’s web pages or other location as designated by Aito from time to time. Aito will notify the Customers by adding the name and above mentioned details of new and replacement sub-processors to the list prior to them starting sub-processing of personal data.

Where a sub-processor fails to fulfil its data protection obligation, Aito shall remain fully liable to the Customer for the performance of that sub-processor’s obligations. If the Customer has a reasonable objection to any new or replacement sub-processor, it shall notify Aito of such objection in writing within ten (10) days of the notification. In case the Customer objects to the use of a specific sub-processor, the parties shall enter into good faith negotiations on how to resolve the issue. If the parties are unable to reach an agreement concerning the use of a new sub-processor, either party shall, for a justified reason and as a final remedy, to terminate the Agreement with thirty (30) days’ notice, in so far as the change of sub-processor affects the processing of personal data pursuant to the Agreement.

7. Supplier’s Obligation to Provide Assistance

The Supplier shall promptly forward all requests to inspect, rectify, erase or object to the processing of personal data or other requests received from the data subjects, to the Customer. If requested by the Customer, the Supplier shall support the Customer in fulfilling the requests of the data subjects.

The Supplier is obligated, taking into account the nature of the Processing of personal data and the data available, to assist the Customer in ensuring that the Customer complies with its legal obligations. These obligations may include requirements related to data security, notifying of data breaches, data protection impact assessments as well as obligations regarding prior consultations. The Supplier is obligated to assist the Customer only to the extent that applicable legislation obligates the processor of personal data. Unless otherwise agreed, the Supplier is entitled to invoice the expenses incurred from action pursuant to this section 7 according to the Supplier’s valid price list.

The Supplier shall forward all inquiries made by data protection authorities directly to the Customer and shall await further guidance from the Customer. Unless otherwise agreed, the Supplier is not authorized to represent the Customer or act on behalf of the Customer in relation to the authorities supervising the Customer.

8. Processing Taking Place Outside EU/EEA

The Supplier and its sub-processors may process personal data outside the EU/EEA area. When transfer of personal data by Aito to a sub-processor outside the EU/EEA, is permitted as stated in section 6 and this section 8, in case of any transfer Aito shall ensure that transfer is only made to (a) a country deemed by the Commission to have an adequate level of protection, (b) entities having committed to the EU-US Privacy Shield or having entered into the EU Commission standard contractual clauses approved by the European Union concerning the transfer of personal data to outside the EU/EEA or provided other appropriate safeguards as described in Article 46 of the GDPR.

Subject to the above and subject to Aito keeping the Customer informed of any transfer of personal data outside the EU/EEA, the Customer gives its consent to the transfers and authorizes Aito to conclude processor to processor standard contractual clauses based on the European Commission Decision 2021/915 of 4 June 2021 to transfer personal data to processors located outside the EU/EEA.

9. Auditing

Aito shall upon the Customer’s request make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and the GDPR.

a) The Customer or an auditor authorized by the Customer (however, not a competitor of the Aito) is entitled to audit the activities pursuant to the DPA. The Parties shall agree on the time of the auditing and other details ahead of time and at latest 30 days before the inspection. The auditing shall be carried out in a way that does not impede the obligations of Aito or its subcontractors in regard to third parties. The representatives of the Customer and the auditor must sign conventional non-disclosure commitments. The Customer shall be responsible for its own and Aito’s expenses caused by the auditing. If notable defects are perceived during auditing, Aito shall be liable for the costs incurred from remediating said defects.

b) Provided that the parties have an applicable non-disclosure agreement in place, Aito reserves the right to provide the Customer with a copy of a third-party certification or report in lieu of an onsite audit as described in 9.a) above. In the event the customer does not find all reasonably needed info from the report, then 9.a) will apply.

10. Data Security

The Supplier shall implement the appropriate technical and organizational measures to protect the personal data of the controller, taking into account all the risks of processing, especially the unintentional or illegal destruction, loss, alteration, unauthorized disclosures or access to personal data that has been transferred, saved or otherwise processed. When organizing the security measures, the technical options and their costs shall be assessed in relation to the special risks of the processing at hand and the sensitivity of the personal data processed.

The Customer shall be obligated to ensure that the Supplier is notified of all the circumstances concerning the personal data the Customer has delivered, such as risk assessments and the processing of special sets of data subjects that affect the technical and organizational measures pursuant to this DPA. The Supplier shall ensure that the personnel of the Supplier or a subcontractor of the Supplier shall abide by the appropriate non-disclosure commitments.

11. Data Breaches

The Supplier must notify the Customer of all personal data breaches without undue delay after receiving information of the breach or after a subcontractor of the Supplier has received information of the breach.

If requested by the Customer, the Supplier shall, without undue delay give the Customer all relevant information concerning the data breach. In so far as the information in question is available to the Supplier, the Supplier shall describe at least the following to the Customer:

(a) the occurred data breach,

(b) if possible, the sets of data subjects and the number thereof, as well as the sets of personal data types and estimated numbers,

(c) a description of the likely consequences caused by the data breach,

and

(d) a description of reparative measures, that the Supplier has implemented or shall implement in order to prevent data breaches in the future, and if necessary, the measures to minimize the harmful effects of the data breach.

The Supplier shall document and report the results of the inquiry and the implemented measures to the Customer.

The Customer shall be liable for the necessary notifications to the data protection authorities.

12. Damages

Aito shall compensate the Customer for damages incurred by the Customer as a result of fault or negligence by Aito, or by a sub-contractor to Aito, in the processing of personal data in breach of the Agreement or this DPA.

The parties’ (including their group companies) liability for damages under the DPA shall be limited in scope and to the double of maximum amounts set out in the respective Agreement, except when limitations of liability are expressly prohibited under the applicable legislation or are otherwise legally invalid or unenforceable. To clarify, indirect damages are excluded.

Both parties are obligated to pay only the part of the administrative fine that corresponds to the liability for damage confirmed in the final decision of a data protection authority or a court of law.

13. Applicable law and dispute resolution

This DPA is interpreted, construed and governed in accordance with the applicable law set out in the Agreement.

Any disputes concerning the interpretation or application of this DPA shall be settled in accordance with the provisions on dispute resolution included in the Agreement.

14. Terms and Termination

This DPA shall become effective simultaneously with the Agreement and shall remain in force during the validity of the Agreement and thereafter for as long as necessary for the finalization of the agreed processing of personal data.