Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreements between Guti Group LLC ("Processor" or "we") and its customers ("Controller" or "you") for the provision of AI automation services (the "Services").

This DPA reflects the parties' agreement with respect to the processing of personal data by Processor on behalf of Controller when providing the Services.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below:

  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and similar state, federal, and international laws.
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
  • "Processing" means any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Sub-processor" means any processor engaged by Processor to process Personal Data on behalf of Controller.

3. Scope and Application

This DPA applies to the Processing of Personal Data by Processor on behalf of Controller in connection with the provision of the Services.

Controller determines the purposes and means of the Processing of Personal Data. Processor processes Personal Data only on documented instructions from Controller.

4. Processor Obligations

Processor shall:

  • Process Personal Data only on documented instructions from Controller, including with regard to transfers to a third country, unless required to do so by law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Assist Controller in ensuring compliance with the obligations pursuant to Data Protection Laws, taking into account the nature of processing and the information available to Processor.
  • At Controller's choice, delete or return all Personal Data to Controller after the end of the provision of Services, and delete existing copies unless storage is required by law.
  • Make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.

5. Sub-processors

Controller provides general authorization for Processor to engage Sub-processors for the Processing of Personal Data.

Processor shall inform Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving Controller the opportunity to object to such changes.

Processor shall ensure that any Sub-processor it engages to provide the Services on its behalf does so only on the basis of a written contract which imposes on the Sub-processor the same data protection obligations as those imposed on Processor under this DPA.

6. Data Subject Rights

Taking into account the nature of the Processing, Processor shall assist Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Controller's obligation to respond to requests for exercising Data Subject rights under applicable Data Protection Laws.

Processor shall promptly notify Controller if it receives a request from a Data Subject regarding their Personal Data. Processor shall not respond to such requests unless instructed to do so by Controller.

7. Data Breach Notification

Processor shall notify Controller without undue delay after becoming aware of a personal data breach affecting Personal Data processed on behalf of Controller.

The notification shall at minimum:

  • Describe the nature of the personal data breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
  • Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
  • Describe the likely consequences of the personal data breach.
  • Describe the measures taken or proposed to be taken to address the personal data breach, including measures to mitigate its possible adverse effects.

8. Data Protection Impact Assessment

Processor shall provide reasonable assistance to Controller with any data protection impact assessments and prior consultations with data protection authorities that Controller is required to conduct under applicable Data Protection Laws.

9. Transfer Mechanisms

Processor may transfer Personal Data to a third country or international organization only if such transfer complies with the requirements of applicable Data Protection Laws.

If Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country or international organization that does not ensure an adequate level of protection as determined by applicable Data Protection Laws, the parties shall implement appropriate safeguards in accordance with applicable Data Protection Laws.

10. Audit Rights

Controller may, upon reasonable notice and during regular business hours, audit Processor's compliance with this DPA, including but not limited to Processor's technical and organizational measures.

Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.

11. Term and Termination

This DPA shall remain in effect for as long as Processor processes Personal Data on behalf of Controller under the agreements for the provision of the Services.

Upon termination of the agreements for the provision of the Services, Processor shall, at the choice of Controller, delete or return all Personal Data to Controller, and delete existing copies unless storage is required by law.

12. Governing Law and Jurisdiction

This DPA shall be governed by the laws of the State of Texas, without regard to its conflict of laws principles.

Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Travis County, Texas.

13. Modifications

This DPA may not be modified except by a written agreement executed by both parties.

14. Contact Information

For any inquiries or notices related to this DPA, please contact:

Guti Group LLC
Austin, TX
Email: dpa@gutigroup.com
Phone: 956-572-1083

Last Updated: May 15, 2025