Data processing agreement
Draft v1.0 · GDPR Art. 28 · Witnium Technologies AB
Roles
For client content processed within a workspace, the customer is the controller and Witnium is the processor. Witnium processes personal data only on documented instructions from the controller.
Subject-matter and duration
Subject-matter: provision of the Witnium Origo platform. Duration: for the term of the underlying subscription, plus the post-termination export window.
Nature and purpose
Storage, structuring, retrieval, AI-assisted review and signing of legal documents provided by the controller, including any personal data those documents contain.
Categories of data subjects
Workspace members, signatories and any natural persons referenced in uploaded documents.
Sub-processors
Witnium uses a defined list of EU-hosted sub-processors for storage, AI inference and electronic signing. The current list is published at /legal/subprocessors. The controller is notified of any change at least 30 days in advance and may object.
Security
Encryption at rest and in transit, strict tenant isolation at the database layer, access on a need-to-know basis, audit logging on all administrative actions, and Witniumchain-anchored audit trails on all workspace events.
International transfers
Client content is stored in the EU. Where any sub-processor processes personal data outside the EU, transfers rely on the EU Standard Contractual Clauses and supplementary measures.
Assistance and breach notification
Witnium assists the controller with data subject requests and notifies the controller without undue delay, and in any event within 72 hours, of any confirmed personal data breach.
This is a placeholder draft. Final DPA will be reviewed by counsel before launch.