Data Processing Agreement (DPA)

1. Parties and definitions

• Customer / Controller: the organisation that signed up for the Service and whose users upload documents and run queries.
• Knowledge / Processor: olyteck, operating under SIRET 993 174 499 00018.

Terms such as "personal data", "processing", "data subject", "controller", "processor", and "sub-processor" have the meanings given to them in the EU GDPR.

2. Subject-matter and purpose

• Subject-matter: retrieval-augmented AI processing of the Customer's documents — ingesting uploaded files, extracting and chunking text, generating semantic embeddings, persisting the chunks and embeddings within the Customer's tenant scope, retrieving the most-relevant chunks in response to user queries, and forwarding them together with the user's prompt to a Large Language Model provider chosen by the Customer's admin. Outputs are returned to the Customer's authorised users via the browser app, the Word and Excel add-ins, or the public agents API.
• Duration: for as long as the Customer's subscription is active, plus the retention windows in §7.
• Nature of the processing: automated ingest, chunking, embedding, storage, retrieval, and AI generation. The Service is a request/response pipeline; it does not perform background scanning of third-party systems.
• Categories of data subjects: (i) the Customer's employees and authorised members who sign in to use the Service; (ii) any individuals whose personal data may appear inside the documents the Customer uploads (e.g. names in contracts, email addresses in policies, signatures in attachments).
• Categories of personal data:
  • Account data: Microsoft Entra OID / TID, work email, display name, workspace role, session timestamps.
  • Customer content: whatever personal data the Customer chooses to include in the documents it uploads and the queries it runs. The Customer determines this scope; we do not inspect uploads for personal-data category beyond what the chunker observes.
  • Operational metadata: per-call audit log (which agent ran, when, how many tokens, latency, success/error), IP addresses for abuse detection.
• Special categories (Art. 9 GDPR) and criminal-conviction data (Art. 10) — the Customer is responsible for not uploading such content unless it has a valid lawful basis. We do not intentionally process these categories.

3. Roles and instructions

olyteck acts as a processor for the Customer's workspace content. The Customer is and remains the controller. olyteck processes personal data only on the Customer's documented instructions, including the act of using the product as described in the public documentation. olyteck will inform the Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member-State data-protection law.

4. Processor obligations (Art. 28(3))

• Process personal data only on documented Customer instructions, including with regard to international transfers (§6).
• Ensure that staff with access are bound by confidentiality.
• Implement the technical and organisational measures described in §5 ("TOMs").
• Engage sub-processors only under §6 and only under contracts that impose data-protection obligations equivalent to those in this DPA.
• Assist the Customer in responding to data-subject requests (Art. 12–22), DPIAs (Art. 35), prior consultations (Art. 36), and security/breach obligations (Art. 32–34) to the extent reasonably possible.
• Notify the Customer without undue delay (and in any case within 72 hours) of becoming aware of any personal-data breach affecting the Customer's data.
• At the Customer's choice, delete or return all personal data at the end of the service, save where Union or Member-State law (e.g. French accounting retention) requires further storage.
• Make available all information necessary to demonstrate compliance and allow for and contribute to audits (§8).

5. Security measures (Art. 32 — TOMs)

• Encrypted transport (TLS 1.2 or higher) for all Customer-facing traffic.
• Encryption at rest for the application database (AES-256 or equivalent provided by the host).
• Microsoft Entra ID (Azure AD) SSO with OIDC + PKCE — no application-managed passwords, no plaintext credentials.
• Principle of least privilege for staff access; state-changing operations are CSRF-protected and audit-logged.
• Session cookies set with the secure, HttpOnly and SameSite attributes and rotated on every privilege change.
• Parameterised SQL throughout — no user-supplied values are concatenated into database queries.
• Strict per-tenant isolation: every record that touches Customer content is bound to the tenant that owns it; every query filters on the session's tenant identifier taken from the server-side session, never from a request body or URL; cross-tenant access attempts return a not-found response rather than a forbidden response, so the very existence of other tenants is not disclosed.
• API keys are stored only as cryptographic hashes (the raw token is shown once at mint and never retrievable thereafter). Per-key controls — request rate limit, monthly token budget, IP allowlist, and origin lock — are enforced on every call, and blocked attempts are recorded in the audit log.
• Outbound calls to LLM sub-processors are made server-side; the Customer’s API key never leaves Knowledge.
• Daily off-site backup of the application database with a 30-day rolling window; backups encrypted at rest; backup-restore drill at least annually.
• Incident-response runbook with a 72-hour Customer-notification target. Security contact: security@olyteck.com.
• Annual review of the TOMs; this DPA’s “Last updated” date reflects the most recent revision.

6. Sub-processors and international transfers

The Customer authorises olyteck to engage the following sub-processors. Each is bound by a written contract imposing data-protection obligations equivalent to those in this DPA. The Sub-processors page is the current, version-dated list — the table below is its summary at the date of this DPA.

Where a sub-processor processes data outside the European Economic Area, transfers rely on the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914) and, where available, the EU-US Data Privacy Framework, with supplementary technical measures (encryption in transit, server-side request signing, no caching of customer content by intermediate hops).

No AI training on Customer content. The four LLM providers above all publish a "no training on API customer data" stance for the endpoints we use. The full references — links to each provider's policy — are in the Sub-processors page §3.

olyteck will give the Customer at least 30 days' notice before adding or replacing a sub-processor that materially handles Customer personal data. Notice is given by email to the workspace administrator address. The Customer may object on reasonable grounds; if the parties cannot agree on an alternative, the Customer may terminate the affected portion of the Service for cause.

7. Storage location and retention

The application server, database, and ingestion workers run in France (Paris, PAR1) (EU-27). Default retention windows:

• Account / workspace data — for the lifetime of the subscription, plus 30 days after deletion.
• Documents, chunks, embeddings — for the lifetime of the document in the workspace; hard-deleted within 24 hours of removal.
• Conversation history — per-plan, currently 30 days on Free / Starter, 365 days on Pro and Enterprise (negotiable).
• Agent call audit log — 24 months.
• Job history (ingestion, re-embedding) — 90 days completed; failed runs kept indefinitely.
• Application audit log — 24 months.
• Billing records — 10 years (French accounting law).

8. Audit

Once per year and on at least 30 days' written notice, the Customer (or an independent auditor it mandates, subject to confidentiality) may audit olyteck's compliance with this DPA. olyteck may instead provide a summary of an independent third-party audit or security attestation where available. The Customer bears the cost of its own audits unless the audit reveals a material non-compliance, in which case olyteck bears its reasonable costs.

9. Assistance with data-subject requests

Where a data subject contacts the Customer exercising a GDPR right — access, rectification, erasure, restriction, portability, objection, or rights related to automated processing under Art. 22 — and the request concerns data processed through the Service, olyteck will provide reasonable technical assistance to the Customer to enable it to respond within the statutory deadline. Where a data subject contacts olyteck directly, we will redirect them to the Customer.

10. Liability, precedence and termination

The liability cap in the Terms of Service also governs claims under this DPA, except where prohibited by law. This DPA terminates automatically when the underlying service agreement terminates.

Order of precedence. On any conflict between this DPA and the Terms of Service or any other published policy regarding the processing of personal data, this DPA prevails. The order of precedence between this DPA and any signed Order Form / Master Services Agreement is the one set out in Terms of Service §20.

11. Governing law

This DPA is governed by French law. The courts of Paris, France have exclusive jurisdiction, without prejudice to any mandatory consumer-protection rules that may apply.

12. Contact

For DPA questions, counter-signed copies, or breach notifications, email privacy@olyteck.com. Security incidents: security@olyteck.com. Operator: olyteck — SIRET 993 174 499 00018.