DATA PROCESSING AGREEMENT
Last updated: March 1, 2025
This Data Processing Agreement (“DPA”) is incorporated by reference and forms an integral part of the license and/or subscription general terms Agreement or any other service agreement governing the use of Autonomy AI’s Platform and Services (“Agreement”), entered into between Autonomy AI Ltd. and its affiliates (collectively, “Autonomy AI”) and Customer. Capitalized terms not defined herein have the meanings assigned in the Agreement. Each of Customer and Autonomy AI may individually be referred to as a “party” and collectively as the “parties.”
WHEREAS, Autonomy AI has developed and operates an innovative cloud-based platform leveraging large language model (LLM)-enabled agents to revolutionize software development by automating FrontEnd development tasks, optimizing workflows, and enhancing code quality (the “Platform” and the “Services,” respectively);
WHEREAS, the Services provided by Autonomy AI may include the Processing of Personal Data (as defined herein) solely on Customer’s behalf and strictly in accordance with the specified purposes and conditions set forth in this Data Processing Agreement (“DPA”);
WHEREAS, the Parties wish to establish this DPA to ensure that all Processing of Personal Data conducted through the Services is performed in full compliance with applicable Data Protection Laws (as defined herein) and consistent with industry-leading data privacy and security practices;
NOW, THEREFORE, the parties hereby agree as follows:
1. DEFINITIONS
All capitalized terms used but not defined in this DPA shall have the meanings ascribed under applicable Data Protection Laws or the Agreement. Key definitions include:
“Adequate Country” means a jurisdiction officially recognized by the European Commission, or another applicable competent authority, as providing an adequate level of protection for Personal Data under applicable Data Protection Laws.
“US Data Protection Laws” means all applicable privacy and data protection laws within the United States that specifically apply to Autonomy AI’s Processing of Personal Data under this Agreement, including, as applicable, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Virginia Consumer Data Protection Act (VCDPA), and any other substantially similar state or federal privacy laws or regulations, in each case solely to the extent such laws apply directly to Autonomy AI as a Processor providing the Services to Customer under this Agreement.
“Data Protection Laws” means all applicable laws, regulations, directives, and rules concerning data protection, privacy, security, or processing, including, without limitation: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) and any implementing legislation adopted by EU Member States; (b) the Israeli Protection of Privacy Law, 5741-1981 (“IPPL”) and related regulations, orders, or guidelines; (c) the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), and any regulations issued thereunder; and (d) any other applicable federal or state laws of the United States addressing privacy, data protection, or cybersecurity, as amended, replaced, or superseded from time to time.
Capitalized terms not otherwise defined herein, including but not limited to “Business,” “Consumer,” “Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” “Processor,” “Sensitive Data,” and “Supervisory Authority,” shall have the meanings assigned to them under the applicable Data Protection Laws.
2. RELATIONSHIP OF THE PARTIES
2.1. The Parties acknowledge and agree that, in processing Customer Data under this Agreement, Customer shall act as the Controller, and Autonomy AI shall act solely as the Processor. Autonomy AI shall process Customer Data exclusively in accordance with the Customer’s documented instructions and as expressly set forth herein. The detailed scope, nature, purpose, and duration of processing, along with the categories of Personal Data and Data Subjects involved, are outlined in Annex I.
2.2. Customer shall be solely responsible for ensuring the legality, reliability, and accuracy of Customer Data provided to Autonomy AI, including securing all necessary consents or other lawful grounds for processing. Autonomy AI shall have no liability arising from or relating to Customer’s failure to comply with its obligations under applicable Data Protection Laws.
3. REPRESENTATIONS AND WARRANTIES
3.1. Customer warrants and represents that it shall comply fully with all applicable Data Protection Laws relating to its collection, use, and processing of Customer Data, including providing lawful and accurate instructions to Autonomy AI and safeguarding Customer Data appropriately. Customer acknowledges that this DPA, along with the Agreement and the utilization of the Services, constitutes Customer’s complete and exclusive instructions for the Processing of Customer Data, subject only to reasonable updates aligned with the nature of the Services.
3.2 Autonomy AI represents and warrants that it shall process Customer Data exclusively as necessary to perform and deliver the Services in accordance with Customer’s documented instructions as set forth in this Agreement and the associated DPA, and in compliance with all applicable Data Protection Laws.
3.3. Autonomy AI further represents that it shall implement reasonable measures to ensure all personnel authorized to process Customer Data are appropriately trained, subject to strict confidentiality obligations, and provided access solely on a need-to-know basis for the performance of their duties relating to the provision of the Services.
3.4. Autonomy AI shall maintain appropriate technical and organizational security measures designed to safeguard Customer Data against unauthorized access, disclosure, alteration, or destruction, consistent with applicable Data Protection Laws and industry standards.
3.5. Autonomy AI may promptly notify Customer if it reasonably believes that any instruction received from Customer may violate applicable Data Protection Laws, and Autonomy AI reserves the right to suspend Processing activities related to such instructions until the matter is adequately resolved.
3.6. Detailed descriptions of the Processing activities, including purpose, duration, type of Personal Data, and Data Subject categories, are provided in Annex I.
3.7 Additional specifications regarding U.S. Data Protection Laws are set forth in Annex II.
4. DATA SUBJECT RIGHTS AND COOPERATION
4.1 Autonomy AI shall promptly notify Customer if it directly receives a request or inquiry from any Data Subject or regulatory authority relating specifically to Customer Data, and Autonomy AI shall reasonably redirect the requesting party to Customer for handling and response. Customer retains sole responsibility for responding to and managing such requests.
4.2 Autonomy AI shall reasonably cooperate with Customer to ensure accuracy of Customer Data, including promptly notifying Customer of any material inaccuracies identified by Autonomy AI during the normal provision of Services. Customer shall be solely responsible for verifying and correcting such inaccuracies.
5. SUB-PROCESSORS
5.1 Autonomy AI may appoint Sub-Processors and will provide Customer with reasonable advance notice (no less than 30 days) of any intended new Sub-Processors. Customer may object in writing, solely on reasonable and substantiated data protection grounds, within the provided notice period. Upon receipt of a valid objection, the parties shall engage in good-faith discussions to resolve the matter. If resolution is not feasible, Autonomy AI, at its sole discretion, may either refrain from engaging the objected Sub-Processor or permit Customer to terminate the impacted portion of the Services without penalty, subject to Customer’s payment obligations for Services performed up to the termination date.
5.2 Autonomy AI will ensure that all Sub-Processors undertake obligations concerning Customer Data protection substantially similar to those set forth in this Agreement. Autonomy AI shall remain responsible to Customer for the acts and omissions of its Sub-Processors with respect to the protection of Customer Data.
6. SECURITY MEASURES
Autonomy AI shall implement and maintain commercially reasonable technical and organizational security measures designed to protect Customer Data against unauthorized or unlawful access, alteration, disclosure, or destruction, consistent with industry standards and practices applicable to similar data processing services.
7. SECURITY INCIDENTS
7.1 Autonomy AI shall notify Customer without undue delay upon becoming aware of a confirmed Security Incident involving Customer Data. Notification will include reasonably available details to allow Customer to meet its notification obligations under applicable laws. Autonomy AI will provide timely updates as new information relevant to the Security Incident becomes reasonably available.
7.2 Autonomy AI shall provide commercially reasonable assistance to Customer as required under applicable data protection laws to enable Customer’s compliance obligations concerning the Security Incident.
7.3 Customer acknowledges and agrees that Autonomy AI’s obligation to notify and assist regarding Security Incidents shall not constitute acknowledgment or admission of any fault, liability, or wrongdoing by Autonomy AI, nor shall it obligate Autonomy AI to investigate or resolve incidents beyond the scope of the Services.
7.4 Customer retains sole responsibility for determining whether to notify affected individuals, regulators, or authorities, and for all decisions related to the Security Incident response and mitigation efforts.
8. AUDIT RIGHTS
8.1 Autonomy AI shall maintain appropriate records of its Processing activities relating to Customer Data in compliance with applicable laws. These records will be made available upon reasonable written request by Customer or relevant supervisory authorities, subject to confidentiality obligations and restrictions required to protect Autonomy AI’s proprietary and confidential information.
8.2 Customer’s audit rights concerning Autonomy AI’s compliance with this Agreement shall primarily be satisfied through the provision of applicable third-party certifications or audit reports (e.g., ISO 27001, SOC2), which Autonomy AI shall make available annually upon request.
8.3 If Customer reasonably believes the provided third-party certifications or reports are insufficient, Customer may request an on-site audit, subject to reasonable prior written notice (no less than 30 days), occurring no more than once per calendar year, during regular business hours, and at Customer’s expense. Such audits shall be strictly limited to verifying compliance with Autonomy AI’s data protection obligations under this Agreement, and must not disrupt Autonomy AI’s operations or compromise the confidentiality of Autonomy AI’s information or systems.
8.4 Prior to conducting any audit, Customer must execute a confidentiality agreement acceptable to Autonomy AI to safeguard confidential and proprietary information disclosed during the audit process.
9. DATA TRANSFERS
9.1 Autonomy AI will transfer Customer Data internationally only in compliance with applicable Data Protection Laws. Customer acknowledges Autonomy AI’s global operational model and consents to such transfers, subject to Autonomy AI maintaining appropriate safeguards as outlined in this clause.
9.2 Autonomy AI will transfer Customer Data outside the jurisdiction of its origin (including transfers from the EU, UK, or Switzerland) only if the receiving jurisdiction has been recognized as providing an adequate level of data protection by relevant authorities (“Adequate Country”) or, if not, Autonomy AI shall implement appropriate safeguards. Such safeguards may include: i. Transferring Customer Data to recipients certified under legally recognized frameworks, including the Data Privacy Framework, or similar mechanisms recognized by applicable authorities as ensuring adequate protection; ii. Transferring Customer Data to recipients that have established Binding Corporate Rules (BCRs) duly authorized under applicable Data Protection Laws; iii. Executing Standard Contractual Clauses (SCCs) approved by relevant data protection authorities in accordance with applicable laws.
9.3 For transfers subject to EU Data Protection Laws, Autonomy AI will rely upon the European Commission’s Standard Contractual Clauses for data transfers outside the European Economic Area (EEA). The relevant SCCs are hereby incorporated into this Agreement by reference.
9.4 For transfers subject to UK GDPR, Autonomy AI will apply the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses (collectively, “UK SCCs”). The UK SCCs are incorporated herein by reference, and the required tables within the UK SCCs will be completed consistent with this Agreement, selecting “neither party” in relation to Table 4.
9.5 For transfers subject to the Swiss Federal Act on Data Protection (Swiss DPA), the EU Standard Contractual Clauses will apply, modified as follows: i. References to Regulation (EU) 2016/679 will be interpreted as references to the Swiss DPA; ii. References to “EU,” “Union,” and “Member State law” will be interpreted as references to Swiss law; iii. The “competent supervisory authority” will refer to the Swiss Federal Data Protection and Information Commissioner, and disputes will be subject to the jurisdiction of relevant Swiss courts.
9.2 Autonomy AI shall implement measures designed to protect Customer Data during international transfers, ensuring compliance with applicable legal requirements concerning data protection, privacy, and security. Customer acknowledges that Autonomy AI’s responsibility is strictly limited to employing commercially reasonable efforts to maintain compliance with applicable data transfer mechanisms and that Autonomy AI does not control, and is not liable for, any actions or restrictions imposed by governmental authorities or regulators that may impact international data transfers.
10. TERMINATION
10.1. Upon termination or expiration of the Agreement, Autonomy AI shall, at Customer’s written request, either delete or return Customer Data in its possession or control, except to the extent Autonomy AI is required by applicable law, regulation, or internal compliance obligations to retain such data.
10.2. Autonomy AI will confirm in writing the completion of data deletion or return upon Customer’s request, provided Customer submits such request within thirty (30) days following termination or expiration.
10.3. Customer acknowledges that Autonomy AI may retain archived copies of Customer Data in accordance with its standard retention practices, subject to ongoing obligations of confidentiality and data security until such retained data is deleted.
10.4. The parties agree to comply with the applicable provisions of this Agreement concerning confidentiality, data protection, and security obligations until all Customer Data is fully deleted or returned.
This DPA supplements the Agreement, and in case of conflict, the Standard Contractual Clauses (if applicable) shall prevail. All other terms and conditions of the Agreement remain effective.
Annexes attached form integral parts of this DPA, specifying compliance with US Data Protection Laws.
Annex I – DETAILS OF PROCESSING
This Annex I describes the details of Processing of Customer Data by Autonomy AI in accordance with applicable Data Protection Laws.
1. Categories of Data Subjects:
2. Categories of Personal Data:
3. Special Categories of Personal Data:
4. Frequency of Processing:
5. Nature of Processing:
6. Purpose of Processing:
7. Retention Period:
Annex II
USA ADDENDUM
This US Addendum (“US Addendum”) supplements the Data Processing Agreement (“DPA”) between Autonomy AI (“Processor”) and Customer and sets forth additional obligations applicable under US Data Protection Laws. Terms not explicitly defined herein shall have the meanings assigned in the DPA or applicable US Data Protection Laws.
This US Addendum shall prevail in the event of any conflict with the DPA regarding obligations under US Data Protection Laws.