Data Processing Agreement

1. Definitions

In this DPA, the following terms have the meanings set out below:

• "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Swedish Data Protection Act (2018:218), and any applicable national implementing legislation.
• "Controller", "Processor", "Data Subject", "Personal Data","Processing", "Personal Data Breach" have the meanings given in the GDPR.
• "API Content" means all data, text, prompts, files, images, and other content submitted by Customer to the Services, and any outputs generated by the Services in response.
• "Services" means the AI inference services provided by Juice Factory to Customer under the Principal Agreement.
• "Sub-processor" means any third party engaged by Juice Factory to process Personal Data on behalf of Customer.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for international transfers of personal data approved by the European Commission.

2. Scope and Roles

2.1 Applicability

This DPA applies to all Processing of Personal Data by Juice Factory on behalf of Customer in connection with the Services. It does not apply to data processed by Juice Factory as a controller (such as account information for billing purposes).

2.2 Roles of the Parties

• Customer is the Controller of Personal Data contained in API Content
• Juice Factory is the Processor of such Personal Data, acting only on Customer's documented instructions

2.3 Categories of Data

Personal Data processed under this DPA may include:

• Any Personal Data contained in prompts, inputs, or files submitted to the API
• Any Personal Data in model outputs returned to Customer
• Technical metadata (IP addresses, timestamps, request identifiers)

Note: Customer determines what Personal Data, if any, is submitted to the Services. Juice Factory recommends avoiding submission of Special Categories of Personal Data (Article 9 GDPR) where possible.

2.4 Data Subjects

Data subjects may include Customer's employees, contractors, customers, end users, or any individuals whose Personal Data is contained in API Content, as determined by Customer.

3. Processing Instructions

3.1 Documented Instructions

Juice Factory shall process Personal Data only on documented instructions from Customer, including with respect to transfers of Personal Data to a third country, unless required to do so by Applicable Data Protection Law to which Juice Factory is subject. In such case, Juice Factory shall inform Customer of that legal requirement before processing, unless prohibited by law.

3.2 Scope of Instructions

Customer's instructions to Juice Factory are documented in:

• This DPA
• The Principal Agreement and any applicable Order Forms
• Customer's use of the Services (including API calls and configuration settings)
• Any additional written instructions provided by Customer and acknowledged by Juice Factory

3.3 Purpose Limitation

Juice Factory shall process Personal Data solely for the following purposes:

• Providing the Services as requested by Customer
• Processing API requests and returning responses
• Maintaining security, preventing abuse, and troubleshooting
• Complying with legal obligations

Juice Factory does not use Customer's API Content to train, improve, or fine-tune AI models.

4. Confidentiality

Juice Factory shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform the Services.

5. Security Measures

5.1 Technical and Organizational Measures

Juice Factory shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and authentication (API keys, role-based access)
• Network security (firewalls, intrusion detection, DDoS protection)
• Regular security testing and vulnerability assessments
• Incident response procedures
• Employee security training and background checks
• Physical security of data center facilities
• Backup and disaster recovery capabilities

5.2 Ongoing Assessment

Juice Factory shall regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of processing.

6. Sub-processors

6.1 General Authorization

Customer provides general authorization for Juice Factory to engage Sub-processors to process Personal Data in connection with the Services, subject to the conditions in this Section 6.

6.2 Current Sub-processors

As of the date of this DPA, Juice Factory uses the following Sub-processors:

6.3 Changes to Sub-processors

Juice Factory shall notify Customer of any intended changes concerning the addition or replacement of Sub-processors, giving Customer an opportunity to object to such changes. Notification will be provided at least 30 days before the new Sub-processor begins processing Personal Data.

If Customer objects to a new Sub-processor on reasonable grounds related to data protection, the parties shall discuss Customer's concerns in good faith. If no resolution is reached, Customer may terminate the affected Services without penalty.

6.4 Sub-processor Agreements

Juice Factory shall ensure that any Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. Juice Factory remains fully liable to Customer for the performance of Sub-processors' obligations.

7. Data Subject Rights

7.1 Assistance

Juice Factory shall assist Customer, by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including:

• Right of access (Article 15 GDPR)
• Right to rectification (Article 16 GDPR)
• Right to erasure (Article 17 GDPR)
• Right to restriction of processing (Article 18 GDPR)
• Right to data portability (Article 20 GDPR)
• Right to object (Article 21 GDPR)

7.2 Customer Tools

Juice Factory provides Customer with self-service tools to manage Personal Data, including:

• Data export functionality (GDPR Article 15/20)
• Conversation and data deletion (GDPR Article 17)
• Account deletion with full data erasure

7.3 Direct Requests

If Juice Factory receives a request from a Data Subject regarding Personal Data processed on behalf of Customer, Juice Factory shall promptly notify Customer and shall not respond to the Data Subject directly unless required by law.

8. Personal Data Breach

8.1 Notification

Juice Factory shall notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Customer's Personal Data. Notification shall include:

• Description of the nature of the breach, including categories and approximate number of Data Subjects and records concerned
• Name and contact details of the data protection officer or other contact point
• Description of the likely consequences of the breach
• Description of measures taken or proposed to address the breach and mitigate possible adverse effects

8.2 Assistance

Juice Factory shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach.

9. Data Location and International Transfers

9.1 Processing Location

Customer's API Content and associated Personal Data are processed and stored in Sweden (EU). All AI inference is performed on Juice Factory's own infrastructure located in Stockholm, Sweden.

9.2 International Transfers

Juice Factory shall not transfer Personal Data outside the European Economic Area (EEA) unless:

• The transfer is to a country with an EU adequacy decision
• Appropriate safeguards are in place (such as Standard Contractual Clauses)
• Customer has given prior written consent

As of the date of this DPA, Juice Factory does not transfer API Content outside the EEA.

10. Audit Rights

10.1 Information and Audit

Juice Factory shall make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer.

10.2 Audit Procedures

Audits shall be subject to the following conditions:

• Customer shall provide at least 30 days' prior written notice
• Audits shall be conducted during normal business hours with minimal disruption
• Customer shall bear its own costs unless the audit reveals material non-compliance
• Auditors must sign appropriate confidentiality agreements
• Customer may conduct no more than one audit per calendar year unless required by a supervisory authority

10.3 Certifications and Reports

Where available, Juice Factory may provide Customer with relevant audit reports, certifications, or attestations (such as SOC 2 Type II) to satisfy audit requirements.

11. Data Retention and Deletion

11.1 Retention Periods

Juice Factory applies the following retention periods:

• API requests and responses: Not persistently stored (real-time processing only)
• Portal chat conversations: Retained until deleted by user, or 365 days after archival
• Security and audit logs: 90 days
• Usage/billing records: 7 years (legal requirement)

11.2 Deletion on Termination

Upon termination of the Services or upon Customer's request, Juice Factory shall delete or return all Personal Data processed on behalf of Customer, and delete existing copies, unless Applicable Data Protection Law requires retention. Customer may request a data export before termination.

11.3 Certification of Deletion

Upon request, Juice Factory shall provide written confirmation that Personal Data has been deleted in accordance with this Section 11.

12. Data Protection Impact Assessments

Juice Factory shall provide reasonable assistance to Customer, taking into account the nature of processing and information available, in ensuring compliance with Customer's obligations regarding:

• Data protection impact assessments (Article 35 GDPR)
• Prior consultation with supervisory authorities (Article 36 GDPR)

13. Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement. Nothing in this DPA limits either party's liability for breaches of Applicable Data Protection Law to the extent such limitation is not permitted by law.

14. Term and Termination

This DPA shall remain in effect for as long as Juice Factory processes Personal Data on behalf of Customer. The provisions of this DPA that by their nature should survive termination shall survive, including Sections 4 (Confidentiality), 8 (Data Breach), 10 (Audit Rights), 11 (Deletion), and 13 (Liability).

15. Amendments

Juice Factory may update this DPA from time to time to reflect changes in Applicable Data Protection Law or our practices. Material changes will be notified to Customer at least 30 days before taking effect. Continued use of the Services after such notice constitutes acceptance of the updated DPA.

16. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with Swedish law. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Stockholm, Sweden.