pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)

This Data Processing Agreement (hereinafter the "DPA") forms an integral part of the General Terms and Conditions (hereinafter the "GTC") for the use of the software and web browser extension (hereinafter the "Service").

Contracting parties

1. Processor: Newt, s.r.o., Company ID No.: 23532947, with its registered office at Křejpského 1529/3, Chodov, 149 00 Prague (hereinafter the "Processor").
2. Controller: The entrepreneur (B2B client) who uses the Service on the basis of the GTC and on whose behalf data analysis is performed through the Service (hereinafter the "Controller").

This DPA is concluded automatically upon the Controller's acceptance of the GTC, provided that the use of the Service involves the processing of personal data of third parties (e.g. the Controller's clients or employees), exclusively in modes where data passes through the Processor's infrastructure. The Processor does not act as a processor of personal data in cases where the Service operates in direct BYOK mode and communicates from the end device directly with a third-party API, because the Processor has no access to such data. If the Controller uses features connected with a user account (e.g. history synchronization, storing custom prompts), this DPA applies to data stored or transmitted through the Processor's infrastructure even in BYOK mode.

1. Subject Matter, Nature and Purpose of Processing

1.1. The Processor undertakes to process personal data for the Controller solely for the purpose of providing the Service under the GTC, in particular for the purposes of technical routing, temporary storage (caching), deduplication of requests, maintaining analysis history in the web interface, handling requests sent via API or MCP-type integrations and sending content for analysis through artificial intelligence APIs.

1.2. Processing is carried out automatically through the Processor's software infrastructure.

2. Types of Personal Data and Categories of Data Subjects

2.1. Categories of data subjects: Persons whose personal data appears in the textual content of websites that the Controller (or its users) submits for analysis through the Service.

2.2. Types of data: Common personal data contained in analyzed texts (e.g. names, contact details, job positions).

2.3. Strict prohibition on sensitive data: In accordance with the GTC, the Controller is strictly prohibited from sending special categories of personal data (Article 9 GDPR), data on criminal convictions, banking secrecy or passwords through the Service. The Processor is not liable for the processing of such data if the Controller submits it in breach of this prohibition.

3. Rights and Obligations of the Processor

3.1. The Processor processes personal data only on the basis of documented instructions from the Controller. The submission of a request to analyze a web page through the Service interface is considered an instruction.

3.2. The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality. The Processor does not proactively monitor content submitted by the Controller.

3.3. After termination of the provision of the Service (termination of the subscription or cancellation of the account), the Processor shall delete all personal data, unless Union or Member State law requires storage of the personal data. Temporary server cache is continuously cleared and overwritten by automated processes. Data permanently stored in account history is deleted when the Controller's account is cancelled or when manually removed by the Controller.

4. Engagement of Other Processors (Subcontractors)

4.1. The Controller grants the Processor general authorization to engage other processors (subcontractors) in the processing. The Processor currently uses the following categories of subcontractors:

• Providers of cloud hosting and infrastructure.
• Providers of generative artificial intelligence and APIs (e.g. OpenAI, Google), unless the Service operates in the Controller's exclusive BYOK mode.

4.2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors by updating the Privacy Policy or by notice in the Service interface, thereby giving the Controller the opportunity to object to such changes.

4.3. Transfers outside the EU/EEA and Controller responsibility:

a) Subcontractors of the Processor (including AI integrated by the Processor): For subcontractors selected by the Processor to ensure the operation of the Service and data analysis (in particular cloud hosting providers and AI model providers available directly within Service plans that do not operate in BYOK mode), the Processor ensures that any transfer of personal data to third countries is covered by a valid mechanism under Chapter V GDPR (e.g. the Data Privacy Framework or Standard Contractual Clauses).

b) Direct BYOK mode (Controller's own API key): If the Service is used in direct BYOK mode with the Controller's API key, the AI provider does not act as a subcontractor of the Processor. The data transfer is governed exclusively by the contractual and legal relationship between the Controller and the AI provider selected by the Controller, and the Controller bears sole responsibility for assessing the lawfulness of such transfer.

5. Personal Data Security

5.1. Taking into account the state of the art, implementation costs, and the nature, scope and purposes of processing, the Processor has adopted appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR).

5.2. The measures include in particular encryption of data in transit (HTTPS/TLS), access controls for the infrastructure and server security.

6. Cooperation and Audits

6.1. The Processor shall provide the Controller, to the maximum extent possible, with cooperation through appropriate technical and organizational measures in fulfilling the Controller's obligations to respond to requests for exercising data subjects' rights (e.g. the right to erasure or access).

6.2. The Processor shall notify the Controller without undue delay of any personal data breach as soon as it becomes aware of it.

6.3. The Processor shall provide the Controller with the information necessary to demonstrate that the obligations set out in Article 28 GDPR have been met. The Controller's right to audit shall primarily be exercised by the provision of written information or, where applicable, by presenting security certificates of the Processor or its subcontractors.

7. Final Provisions

7.1. This DPA is concluded for the duration of the subscription or for the period during which the Controller lawfully uses the Service.

7.2. Matters not expressly regulated by this DPA are governed by the GTC and the laws of the Czech Republic. In the event of a conflict between the GTC and this DPA, the provisions of this DPA shall prevail in matters of personal data protection.