Privacy Policy - Generative AI Solution Platform
Updated: 12 December 2024

Boltzbit GenAI Solution Data Processing Agreement

We are Boltzbit Limited (CRN: 12398587).
Our registered office is at: York House, 221 Pentonville Road, N1 9UZ, London, UK.
If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact us at privacy@boltzbit.com.


We are registered with the ICO, the UK's data protection regulator; you can find our details here.

During the course of providing Services (“Services”) under the Terms of Service and any Supplementary Terms and Policies available under https://boltzbit.com/flow/terms applicable to the Customer’s use of the Services (together the “Terms”) Boltzbit Limited (“Boltzbit”) may obtain, access or otherwise Process information that identifies an individual or relates to an identifiable individual (“Personal Information”) from, or on behalf of you (“Customer”). Boltzbit agrees to protect all such Personal Information, Emails, Private Documents in any digital format as detailed in this Data Processing Agreement.

Compliance with Law. Boltzbit will comply with all applicable laws relating to the protection of Personal Information and Sensitive Data that apply with respect to Boltzbit’s handling of Personal Information and Sensitive Data uploaded from you or third-party APIs authorised by you, including, but not limited to, Google APIs and Microsoft Office 365 APIs.

HOW DO WE USE YOUR DATA?

Limitations on Use. Boltzbit shall not be entitled to use Personal Information and Sensitive Data for its own purposes, and will only Process Personal Information and Sensitive Data on Customer’s behalf, in the context of its direct business relationship with Customer and in accordance with Customer’s instructions as documented in the Terms and this Data Processing Agreement. If Boltzbit is required to Process Personal Information and Sensitive Data in compliance with a law of the European Union or a Member State to which Boltzbit is subject, it will inform Company of such legal requirement prior to such processing, unless a law of the European Union or a Member State to which Boltzbit is subject prohibits it from doing so. Boltzbit will not otherwise Process Personal Information. The duration of the Processing will be the same as the duration of the Terms, except as otherwise agreed to in writing by the parties. “Process” or “Processing” means the collection, recording, organization, structuring, alteration, access, disclosure, copying, transfer, storage, retention, deletion, combination, restriction, adaptation, retrieval, consultation, destruction, disposal, sale, sharing or other use of Personal Information.
  1. When you create an account with us we will collect your name, e-mail address, name of your employer and record your preferences to provide you with our service. We process your data in this way to perform the contract in place between us.
  2. When you use our Service we collect information to provide you with the GenAI data extraction and management services as set out below. If you have an account with us, we handle your data in this way to perform the contract in place between us. If you don't have an account with us, we handle your data in this way in accordance with our legitimate interest to arrange meetings for our registered users:

       

| Sr. No. | Description of information collected | How we use this information to provide you the GenAI solution service |
|---|---|---|
| a. | Documents (PDF, Excel, PPT, chat, emails, voice records) uploaded to the solution platform | Used as source documents that are input to Generative models to extract information or answer questions |
| b. | Chat conversations the user typed in our chatbot interface on the solution platform | To perform question answering on the provided documents |
| c. | Tabular data in Excel, CSV or other file formats uploaded to a self-customised GenAI Solution App on the solution platform | To enable data analytics and workflow automation |
| d. | User’s edits to questions, changes to answers from Generative AI models, or feedback, including labelling and positive/negative feedback on the answers | To fine-tune the model’s output to improve its accuracy and performance. |
| e. | All derivative knowledge from the uploaded assets above | For model training, user feedback |
| f. | Name of your employer | We will only collect this data where you have a corporate subscription |

  3. When you contact us either by phone, email or via social media we will usually collect your name, gender, contact details, social media handle and any other personal data that forms part of your message to us because it’s in our legitimate interest to make sure we can properly respond to your query.
  4. Technical information when you use Generative AI Solution. When you consent to our use of cookies, we collect information about how you use our website. We use this information to improve our website and to better understand how people use it. More detail on the information we collect and how we do this is set out in our cookie policy.

HOW DO WE PROTECT YOUR DATA?

  1. Description of Processing. The Services provided by Boltzbit (described in more detail at https://boltzbit.com/flow/terms) comprise the “Customer Repository”, i.e. an online area on the Boltzbit platform designated to the Customer where Customer can customise and deploy large language models, datasets, and machine learning applications and related services. To customise Customer’s large language models and otherwise make use of the Services within Customer’s Repository, Customer may upload its own Personal Information to the platform hosted by Boltzbit. Boltzbit will use the Personal Information solely for the purpose of delivering the Services as described in the Terms. The categories of individuals and the types of Personal Information are determined by the Customer and depend on the specific information that is uploaded by the Customer to the Customer Repository.
  2. Confidentiality. Boltzbit will hold Personal Information and Sensitive Data in strict confidence and impose confidentiality obligations on Boltzbit personnel who will be provided access to, or will otherwise Process, Personal Information, including requiring personnel to protect all Personal Information in accordance with the requirements of this Data Processing Agreement (including during the term of their employment or engagement and thereafter). In addition, Boltzbit will take steps to ensure that any individual acting under its authority who has access to Personal Information does not Process such Personal Information except on instructions of Company, unless such individual is required to do so by a law of the European Union or a Member State.
  3. Information Security Program. Boltzbit will implement, maintain, monitor and, where necessary, update a comprehensive written information security program that contains appropriate administrative, technical, and physical safeguards to protect Personal Information against anticipated threats or hazards to its security, confidentiality or integrity. As part of its information security program, Boltzbit will maintain appropriate access controls, including, but not limited to, data encryption for data transit and storage, limiting access to Personal Information and Sensitive Data to the minimum number of Boltzbit personnel who require such access in order to provide the Services to Customer and providing those personnel who have access to Personal Information with appropriate training relating to information security.
  4. Security Incidents. Boltzbit will promptly notify Customer if Boltzbit has reason to believe that there has been any accidental or unauthorized access, acquisition, use, modification, disclosure, loss, destruction of, or damage to Personal Information, or any other unauthorized Processing of Personal Information and Sensitive Data (“Security Incident”). In the event of any Security Incident, Boltzbit will cooperate fully with Customer to limit the unauthorized access, disclosure or use of Personal Information, seek the return of any such Personal Information, and assist in providing notice relating to the Security Incident to individuals or third parties if Customer requests.
  5. Cross-Border Transfers. In connection with the performance of the Terms, Boltzbit may transfer Personal Information to various locations, which may include locations both inside and outside of the European Economic Area (“EEA”). Boltzbit agrees to execute such transfers only after ensuring that the requirements of Chapter 5 of the GDPR are met. This may include, as applicable, putting in place the 2021 EU Standard Contractual Clauses (Module 2 (Controller to Processor), and/or Module 3 (Processor-to-Subprocessor), (EU) 2021/914, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en).
  6. Subcontracting. Boltzbit will not disclose or transfer Personal Information to, or allow access to Personal Information by (each, a “Disclosure”) any third party without Customer’s express prior consent; provided, however, that Boltzbit may Disclose Personal Information to its affiliates and subcontractors for purposes of providing the Services to Customer, subject to the following conditions: (a) Boltzbit will maintain a list of the affiliates and subcontractors to which it makes such Disclosures and will provide this list to Customer upon Customer’s request; (b) Boltzbit will provide Customer at least 30 days’ prior notice of the addition of any affiliate or subcontractor to this list and the opportunity to object to such addition(s); and (c) if Customer makes such an objection on reasonable grounds and Boltzbit is unable to modify the Services to prevent Disclosure of Personal Information to the additional affiliate or subcontractor, Customer will have the right to terminate the relevant Processing. Boltzbit will, prior to any Disclosure, enter into an agreement with such third party that binds the third party to the same obligations and awards Company the same rights contained in this Data Processing Agreement with regard to such third parties. Such agreement will be provided to Customer promptly upon request. Boltzbit will be liable for all actions by such third parties with respect to the Disclosure. 
  7. Requests or Complaints from Individuals. Boltzbit will promptly notify Customer, unless specifically prohibited by laws applicable to Boltzbit, if Boltzbit receives: (i) any requests from an individual with respect to Personal Information Processed, including but not limited to opt-out requests, requests for access and/or rectification, erasure, restriction, requests for data portability, and all similar requests; or (ii) any complaint relating to the Processing of Personal Information, including allegations that the Processing infringes on an individual’s rights. Boltzbit will not respond to any such request or complaint unless expressly authorized to do so by Customer. Boltzbit will cooperate with Customer with respect to any action taken relating to an individual’s request or complaint and will seek to implement appropriate processes (including technical and organizational measures) to assist Customer in responding to such requests or complaints. Boltzbit will promptly and securely delete or destroy any Personal Information pertaining to an individual identified by Customer where such information is within Boltzbit’s possession or control. If applicable, Boltzbit will direct any affiliate or subprocessor that Processes Personal Information related to the identified individual to promptly and securely delete or destroy such Personal Information. Boltzbit will confirm to Customer that it has complied with its obligations under this section.
  8. Disclosure Requests. If Boltzbit receives any order, demand, warrant, or any other document requesting or purporting to compel the production of Personal Information (including, for example, by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoenas, civil investigative demands or other similar processes) (“Disclosure Request”), Boltzbit will immediately notify Customer (except to the extent otherwise required by laws applicable to Boltzbit). If the Disclosure Request is not legally valid and binding, Boltzbit will not respond. If a Disclosure Request is legally valid and binding, Boltzbit will provide Customer at least 48 hours’ notice prior to the required disclosure, so that Customer may, at its own expense, exercise such rights as it may have under applicable law to prevent or limit such disclosure. Notwithstanding the foregoing, Boltzbit will exercise commercially reasonable efforts to prevent and limit any such disclosure and to otherwise preserve the confidentiality of Personal Information and will cooperate with Customer with respect to any action taken with respect to such request, complaint, order or other document, including to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to Personal Information.
  9. Audit. Boltzbit will provide to Customer, its authorized representatives, and such independent inspection body as Customer may appoint, on reasonable notice: (i) access to Boltzbit’s information, processing premises, and records; (ii) reasonable assistance and cooperation of Boltzbit’s relevant staff; and (iii) reasonable facilities at Boltzbit’s premises for the purpose of auditing Boltzbit’s compliance with its obligations under this Data Processing Agreement.
  10. Regulatory Investigations. Upon notice to Boltzbit, Boltzbit will assist and support Customer in the event of an investigation by any regulator, including a data protection authority, or similar authority, if and to the extent that such investigation relates to Personal Information handled by Boltzbit on behalf of Customer in accordance with this Data Processing Agreement. Such assistance will be at Customer’s sole expense, except where investigation was required due to Boltzbit’s acts or omissions, in which case such assistance will be at Boltzbit’s sole expense.
  11. Return or Disposal. Upon termination or expiration of this Data Processing Agreement for any reason or upon Customer’s request, Boltzbit will immediately cease handling Personal Information and will return in a manner and format reasonably requested by Customer, or, if specifically directed by Customer, will destroy, any or all Personal Information in Boltzbit’s possession, power or control, unless it is required to store the Personal Information under a law of the European Union or a Member State. Upon request, Boltzbit will provide a written certification that Personal Information has been returned or securely destroyed in accordance with this Data Processing Agreement.
  12. Other. Boltzbit will provide relevant information and assistance requested by Customer to demonstrate Boltzbit’s compliance with its obligations under this Data Processing Agreement and assist Customer in meeting its obligations under data protection laws regarding: (i) registration and notification; (ii) accountability; (iii) ensuring the security of the Personal Information; and (iv) carrying out privacy and data protection impact assessments and related consultations with data protection authorities. Boltzbit will inform Customer promptly if Boltzbit believes that any instructions of Customer regarding the Processing of Personal Information would violate applicable laws and regulations, including data protection laws, or a change in the applicable laws and regulations is likely to have a substantially adverse effect on its ability to comply with its obligations under this Data Processing Agreement.
  13. Adverse Changes. Boltzbit will notify Customer promptly if Boltzbit: (i) has reason to believe that it is unable to comply with any of its obligations under this Data Processing Agreement and it cannot cure this inability to comply within a reasonable timeframe; or (ii) becomes aware of any circumstances or change in applicable law that is likely to prevent it from fulfilling its obligations under this Data Processing Agreement. In the event that this Data Processing Agreement, or any actions to be taken or contemplated to be taken in performance of this Data Processing Agreement, do not or would not satisfy either party’s obligations under the laws applicable to each party, the parties will negotiate in good faith upon an appropriate amendment to this Data Processing Agreement.

WHERE IS MY DATA STORED?

We store your data securely in private/cloud-based databases based in the UK, fully managed by us to provide the best protection. However, if we ever need to transfer your personal information outside of the UK and the EU, we ensure it receives additional protection as required by law. To keep this privacy policy as short and easy to understand as possible, we haven’t set out the specific circumstances when each of these protection measures is used. You can contact us at privacy@boltzbit.com for more detail on this.


HOW LONG DO WE KEEP YOUR DATA FOR?

We will only retain your personal information for as long as we need it unless we are required to keep it for longer to comply with our legal, accounting or regulatory requirements. We delete all of your data immediately as requested by you when the service account is terminated.

In some circumstances we may carefully anonymise your personal data and how our site is used, so that it can no longer be associated with you, and we may use this anonymised information indefinitely without notifying you. We use this anonymised information to analyse our business and improve it moving forward.


WHAT ARE MY RIGHTS UNDER DATA PROTECTION LAWS?

You have various other rights under applicable data protection laws, including the right to:

  • access your personal data (also known as a “subject access request”);
  • correct incomplete or inaccurate data we hold about you;
  • ask us to erase the personal data we hold about you;
  • ask us to restrict our handling of your personal data;
  • ask us to transfer your personal data to a third party;
  • object to how we are using your personal data; and
  • withdraw your consent to us handling your personal data.

You also have the right to lodge a complaint with us or the Information Commissioner's Office, the supervisory authority for data protection issues in England and Wales. If you are based outside of England and Wales, you can find your relevant supervisory authority here.


The obligations of Boltzbit under this Data Privacy Agreement will continue for so long as Boltzbit continues to have access to, is in possession of or acquires Personal Information and Sensitive Data, even if all agreements between Boltzbit and Customer have expired or have been terminated.


Please keep in mind that privacy law is complicated, and these rights will not always be available to you all of the time.


QUESTIONS, COMMENTS AND MORE DETAIL
Your feedback and suggestions on this notice are welcome - please reach out to us by email at privacy@boltzbit.com.