Effective date: 2026-01-15

Release: 1.0.0

Connected Dreams / Origin – Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the agreement between Connected Dreams B.V. (“Processor”) and the customer entity (“Customer” or “Controller”) for use of Connected Dreams / Origin (the “Service”), where Processor processes personal data on behalf of Controller.

1. Definitions

Terms such as “personal data”, “processing”, “controller”, “processor”, and “data subject” have the meanings given in the GDPR.

“Customer Content” means content uploaded or created in the Service by Controller or its authorized users.

2. Scope and roles

Controller determines the purposes and means of processing personal data within Customer Content.

Processor processes personal data only on documented instructions from Controller, including to provide the Service and related support.

3. Details of processing

  1. Subject matter: provision of a structured authoring, traceability, and publishing SaaS platform.
  2. Duration: for the term of the Services, plus the retention period described in Deletion/return.
  3. Nature of processing: hosting, storage, backup, transmission, display, editing, export, audit logging, and deletion as instructed.
  4. Categories of data subjects: Controller’s users, stakeholders, and persons whose data appears in Customer Content.
  5. Categories of personal data: account identifiers (e.g., email), workspace roles/permissions, and any personal data included in Customer Content.
  6. Special categories: not intended; Controller should avoid unless necessary and lawful.

4. Processor obligations

Processor shall:

  1. process personal data only on Controller’s documented instructions;
  2. ensure personnel are bound by confidentiality;
  3. implement appropriate technical and organizational measures;
  4. assist Controller with data subject requests;
  5. assist with security, breach notification, and DPIA obligations;
  6. maintain and publish a list of subprocessors; and
  7. delete/return personal data at end of services.

5. No secondary use / no AI training

Purpose limitation. Processor will not access, use, or disclose personal data in Customer Content for any purpose other than providing, securing, and maintaining the Service in accordance with Controller’s documented instructions.

No model training. Processor will not use Customer Content (including any personal data within it, prompts, uploads, or generated outputs within Controller’s tenant) to train or improve machine learning or AI models, except on Controller’s documented instruction (for example, an explicit opt-in feature or a separate written agreement).

6. Data subject requests

Processor will, taking into account the nature of processing, assist Controller by appropriate technical and organizational measures, insofar as possible, to fulfill requests to exercise data subject rights under the GDPR.

Where a request is made directly to Processor, Processor will (unless legally prohibited) direct the data subject to Controller and notify Controller.

7. Personal data breaches

Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Customer Content, and provide available information reasonably required for Controller to meet breach notification obligations.

8. Security measures

Processor implements appropriate measures, including:

  1. access control and least privilege for administrative access;
  2. encryption in transit (TLS);
  3. logical separation between tenants;
  4. monitoring and audit logging; and
  5. backup and recovery mechanisms for cloud plans (including retention-locked backup archives).

9. Subprocessors

Controller authorizes Processor to engage subprocessors as listed at: https://connecteddreams.com/legal/subprocessors

Processor will impose data protection obligations on subprocessors that are no less protective than this DPA.

Processor will ensure that each Subprocessor is bound by written terms that impose data protection obligations as required by Article 28(4) GDPR, which may include the Subprocessor’s standard online data processing addendum incorporated into the applicable service terms. Processor will remain responsible for the Subprocessor’s performance of those obligations as required by GDPR.

Processor may update subprocessors over time. Material changes will be reflected in the subprocessors list.

10. Deletion/return

Upon termination of the Service, Processor will make Customer Content available for export during the retention period (subject to Service capabilities), and will delete Customer Content after 90 days, unless legally required to retain it.

Cloud backup archives may persist for approximately 3 months due to retention lock, after which they expire per backup lifecycle policies.

11. International transfers

Where processing involves transfers outside the EEA, Processor will ensure appropriate safeguards are in place where required.

12. Third-party authentication chosen by users

If End Users choose to authenticate using a third-party identity provider (such as Google Sign-In), that provider processes personal data under its own terms and policies. In this case, the identity provider is not acting as Processor’s subprocessor for the processing of Customer Content, and Customer acknowledges that End Users may interact directly with the identity provider during authentication. Processor receives only the authentication attributes necessary to provision and secure user accounts.

13. Audits

Upon reasonable written request, Processor will provide information reasonably necessary to demonstrate compliance with this DPA. Where an on-site audit is required, the parties will agree scope, timing, and confidentiality, and Controller will bear reasonable costs unless the audit reveals material non-compliance.

14. Liability

Liability under this DPA follows the limitation of liability in the Terms of Service or the applicable master agreement, unless otherwise required by GDPR or applicable law.

15. Contact

Questions about this DPA: info@connecteddreams.com