Data Processing Addendum
Effective date: 1 June 2025 — Enterprise customers only
This DPA is included automatically in Enterprise subscription agreements. To request a signed copy or custom DPA, email info@panrobotics.xyz.
1. Definitions
- Controller: the Customer entity that determines the purposes and means of processing Personal Data.
- Processor: Pan Robotics Ltd., acting on behalf of the Controller.
- Personal Data: any information relating to identified or identifiable natural persons submitted by the Customer.
- Sub-processor: a third party engaged by the Processor to assist in processing Personal Data.
2. Processing instructions
The Processor shall process Personal Data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA) unless required by law. The Processor shall inform the Controller if an instruction infringes applicable data protection laws.
3. Security measures
The Processor implements appropriate technical and organisational measures including: TLS encryption in transit, encryption at rest, role-based access control, regular security reviews, and incident response procedures.
4. Sub-processors
The Processor may engage sub-processors listed in the Privacy Policy. The Processor will notify the Controller of any intended changes with at least 10 days' notice, allowing the Controller to object.
5. Data subject rights
The Processor shall provide reasonable assistance to the Controller to fulfil data subject requests (access, erasure, portability) within the timescales required by applicable law.
6. Data transfers
Transfers of Personal Data outside the EEA are covered by Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914 where applicable.
7. Breach notification
The Processor shall notify the Controller without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data breach likely to result in a risk to individuals' rights.
8. Deletion on termination
Upon termination of the service agreement, the Processor will delete or return all Personal Data within 30 days, unless retention is required by law.