Data Processing Agreement

Last Updated: January 26, 2025

For Enterprise Clients: This Data Processing Agreement (DPA) applies to clients using Agro Glance services where personal data is processed. This DPA supplements our main service agreement and ensures GDPR compliance for EU/UK clients.

1. Definitions and Interpretation

1.1 Definitions

In this Data Processing Agreement, the following terms have the meanings set out below:

"Controller" means the entity that determines the purposes and means of processing Personal Data. In the context of our services, the Client is typically the Controller of field operational data.
"Processor" means the entity that processes Personal Data on behalf of the Controller. Agro Glance acts as a Processor when processing Client field data containing Personal Data.
"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, phone numbers, employee identifiers, or location data of field workers.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Data Subject" means an identifiable natural person whose Personal Data is processed. This may include Client employees, field workers, or other individuals associated with Client operations.
"Sub-processor" means any third party engaged by Agro Glance to process Personal Data on behalf of the Client.
"Data Protection Laws" means all applicable laws and regulations relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), UK GDPR, and any implementing or supplementary legislation.
"Services" means the tassel detection, field analysis, drone coordination, and related agricultural technology services provided by Agro Glance as described in the service agreement.
"Field Data" means drone imagery, GPS coordinates, detection results, field maps, operational metadata, and related information collected or processed in connection with the Services.

1.2 Interpretation

This DPA forms part of and is incorporated into the service agreement between Agro Glance LLC ("Agro Glance," "Processor") and the Client ("Controller"). In the event of conflict between this DPA and the service agreement, this DPA shall prevail with respect to data processing matters.

2. Scope and Applicability

2.1 Application

This DPA applies when Agro Glance processes Personal Data on behalf of the Client in connection with the Services. The DPA ensures compliance with Data Protection Laws, particularly GDPR requirements for Controller-Processor relationships.

2.2 Role of the Parties

The parties acknowledge and agree that:

The Client is the Controller of Personal Data contained within Field Data and operational information provided to Agro Glance
Agro Glance is the Processor acting on behalf of and under the instructions of the Client
Each party shall comply with its respective obligations under Data Protection Laws

2.3 Data Processing Details

Subject Matter: Provision of tassel detection and field analysis services for hybrid corn seed production operations.

Duration: The term of the service agreement, plus any retention period necessary for legal compliance or as requested by the Client.

Nature and Purpose of Processing: Processing drone imagery and operational data to detect tassels, generate field maps, produce analysis reports, and provide GPS-guided recommendations for detasseling operations.

Types of Personal Data:

Field worker names and identifiers (if provided by Client)
GPS location data of field activities
Operational metadata linking individuals to specific field tasks
Contact information of Client personnel (names, email addresses, phone numbers)

Categories of Data Subjects:

Client employees and contractors
Field workers and detasseling crew members
Site managers and supervisors
Other individuals whose Personal Data is included in Field Data

3. Client Instructions and Processing Obligations

3.1 Processing Instructions

Agro Glance shall process Personal Data only on documented instructions from the Client, including with regard to transfers of Personal Data to third countries or international organizations, unless required to do so by applicable law.

The initial instructions are set out in this DPA and the service agreement. Any additional or alternative instructions must be provided in writing and agreed upon by both parties.

3.2 Lawfulness of Instructions

The Client warrants that its instructions comply with Data Protection Laws. If Agro Glance believes that any instruction violates Data Protection Laws, it will immediately inform the Client and may suspend execution of the instruction until the Client confirms or modifies it.

3.3 Prohibited Processing

Agro Glance will not:

Process Personal Data for purposes other than those instructed by the Client
Sell, rent, or trade Personal Data to third parties
Use Personal Data for Agro Glance's own marketing purposes without Client consent
Retain Personal Data longer than necessary for the agreed purposes or legal requirements
Transfer Personal Data outside the European Economic Area (EEA) without appropriate safeguards and Client authorization

4. Security Measures

4.1 Technical and Organizational Measures

Agro Glance implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption: Personal Data is encrypted in transit (TLS/SSL) and at rest (AES-256 or equivalent)
Access Controls: Role-based access controls limit access to Personal Data to authorized personnel only
Authentication: Multi-factor authentication for systems processing Personal Data
Logging and Monitoring: System access logs, intrusion detection, and security event monitoring
Data Segregation: Logical separation of Client data to prevent unauthorized cross-client access
Backup and Recovery: Regular encrypted backups with tested disaster recovery procedures
Secure Development: Security-by-design principles in software development and deployment
Vendor Management: Due diligence and contractual protections for Sub-processors

4.2 Security Documentation

Upon reasonable request, Agro Glance will provide the Client with documentation demonstrating compliance with security obligations, including:

Summary of security measures implemented
Relevant security certifications (e.g., SOC 2, ISO 27001) held by Agro Glance or Sub-processors
Results of independent security assessments or penetration tests (subject to confidentiality)

4.3 Personnel

Agro Glance ensures that all personnel authorized to process Personal Data:

Are subject to binding confidentiality obligations
Receive appropriate training on Data Protection Laws and security practices
Process Personal Data only as necessary to perform their duties
Are subject to background checks appropriate to their level of access

5. Sub-processors

5.1 General Authorization

The Client provides general authorization for Agro Glance to engage Sub-processors to assist in delivering the Services, subject to the conditions set out in this Section 5.

5.2 Current Sub-processors

Agro Glance currently uses the following Sub-processors:

Sub-processor	Service Provided	Location
Netlify, Inc.	Website hosting and infrastructure	United States (EU-US Data Privacy Framework)
Cloud Computing Provider	AI processing and data storage for field analysis	EU region data centers (GDPR compliant)
Email Service Provider	Transactional email delivery	EU/US (Standard Contractual Clauses in place)

Note: Specific Sub-processor names and details are provided in the service agreement or upon request to protect commercial confidentiality while ensuring transparency.

5.3 Sub-processor Obligations

Agro Glance ensures that Sub-processors:

Are bound by written agreements imposing data protection obligations no less protective than those in this DPA
Implement appropriate technical and organizational security measures
Process Personal Data only as instructed by Agro Glance (and ultimately by the Client)
Comply with applicable Data Protection Laws

Agro Glance remains fully liable to the Client for the performance of Sub-processors' obligations under this DPA.

5.4 Changes to Sub-processors

Agro Glance will notify the Client of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance by email or through the service dashboard.

If the Client objects to a new Sub-processor on reasonable data protection grounds, the Client must notify Agro Glance in writing within 14 days of notification. The parties will work together in good faith to address the concerns. If no resolution is reached, the Client may terminate the affected Services without penalty.

6. Data Subject Rights

6.1 Assistance with Data Subject Requests

Agro Glance will, taking into account the nature of the processing, assist the Client by implementing appropriate technical and organizational measures to fulfill the Client's obligations to respond to Data Subject requests, including:

Requests for access to Personal Data
Requests for rectification, erasure, or restriction of processing
Requests for data portability
Objections to processing
Requests related to automated decision-making and profiling (if applicable)

6.2 Request Handling Process

If Agro Glance receives a Data Subject request directly:

Agro Glance will promptly notify the Client and forward the request without undue delay
Agro Glance will not respond to the Data Subject directly without the Client's prior written authorization
The Client is responsible for responding to the Data Subject in accordance with Data Protection Laws
Agro Glance will provide reasonable assistance to the Client in fulfilling the request, including providing access to or copies of relevant Personal Data

Agro Glance may charge a reasonable fee for assistance that requires substantial effort beyond normal operations, based on time and resources required.

7. Data Breach Notification

7.1 Breach Notification Obligations

In the event of a Personal Data breach affecting Client data, Agro Glance will:

Immediate Notification: Notify the Client without undue delay and in any event within 24 hours of becoming aware of the breach
Detailed Information: Provide the following information to the extent available:
- Nature of the breach, including categories and approximate numbers of Data Subjects and records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
- Contact point for more information
Ongoing Updates: Provide updates and additional information as it becomes available
Cooperation: Cooperate with the Client and provide reasonable assistance in investigating and remediating the breach

7.2 Notification Method

Breach notifications will be sent to the Client's designated security contact by email and, for high-severity incidents, by phone.

7.3 Breach Documentation

Agro Glance maintains records of all Personal Data breaches, including facts, effects, and remedial actions taken. This documentation is available to the Client and supervisory authorities upon request.

8. Data Protection Impact Assessments and Prior Consultation

Agro Glance will provide reasonable assistance to the Client in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required under Data Protection Laws.

This assistance includes providing information about:

The nature, scope, context, and purposes of processing
Categories of Personal Data and Data Subjects
Security measures implemented by Agro Glance
Sub-processors and data flows
Risks to Data Subject rights and freedoms

The Client is responsible for conducting DPIAs and making any required filings or consultations with authorities. Agro Glance may charge a reasonable fee for extensive assistance beyond providing standard documentation.

9. Data Transfers

9.1 Data Localization

Agro Glance processes Personal Data primarily within the European Economic Area (EEA). Field data is stored in EU-based data centers unless otherwise agreed.

9.2 Transfers Outside the EEA

If Personal Data is transferred to countries outside the EEA that do not provide adequate data protection:

Legal Basis: Transfers are made under an appropriate legal mechanism, including:
- EU-US Data Privacy Framework (for transfers to participating US companies)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (where applicable)
Supplementary Measures: Where required, Agro Glance implements supplementary technical and organizational measures to ensure adequate protection (e.g., encryption, pseudonymization, access controls)
Documentation: Copies of relevant transfer mechanisms are available to the Client upon request

9.3 Client Authorization

By entering into this DPA, the Client authorizes international data transfers necessary to deliver the Services, subject to the safeguards described in this Section 9.

10. Audits and Compliance

10.1 Audit Rights

The Client may audit Agro Glance's compliance with this DPA once per year, or more frequently if required by Data Protection Laws or if there is reasonable suspicion of non-compliance.

10.2 Audit Process

Audits shall be conducted as follows:

The Client provides at least 30 days' advance written notice
Audits are conducted during normal business hours and do not unreasonably interfere with Agro Glance's operations
Audits are limited in scope to data processing activities relevant to the Client
The Client and its auditors are bound by confidentiality obligations
The Client bears all costs of the audit, including any fees charged by Agro Glance for assistance

10.3 Alternative Compliance Verification

Instead of on-site audits, the Client may accept:

Copies of independent third-party audit reports (e.g., SOC 2 Type II)
Security certifications (e.g., ISO 27001)
Completed audit questionnaires
Other documentation demonstrating compliance

Agro Glance will provide such documentation within 30 days of a reasonable request, subject to confidentiality restrictions.

11. Data Retention and Deletion

11.1 Retention Period

Agro Glance retains Personal Data only for as long as necessary to:

Provide the Services as agreed
Comply with legal, tax, accounting, or regulatory obligations
Establish, exercise, or defend legal claims
Support Client requests for historical analysis or quality control

Specific retention periods are defined in the service agreement or upon mutual agreement between the parties.

11.2 Deletion Upon Termination

Upon termination or expiration of the service agreement, or upon Client request, Agro Glance will:

Delete or return all Personal Data to the Client as directed within 30 days
Delete all copies of Personal Data from systems and backups (except where retention is required by law)
Provide written certification of deletion upon request

11.3 Exceptions to Deletion

Agro Glance may retain Personal Data to the extent required by applicable law, regulation, or court order. In such cases, Agro Glance will:

Inform the Client of the legal requirement preventing deletion
Continue to protect the Personal Data in accordance with this DPA
Delete the data once the legal requirement no longer applies

12. Liability and Indemnification

12.1 Liability Allocation

Each party is liable for damages caused by its failure to comply with obligations under Data Protection Laws or this DPA, subject to the limitations set forth in the service agreement.

12.2 Indemnification

Agro Glance will indemnify and hold harmless the Client from claims, fines, or penalties imposed by supervisory authorities or damages awarded to Data Subjects, to the extent such liability arises from Agro Glance's breach of this DPA or violation of Data Protection Laws.

The Client will indemnify Agro Glance to the extent liability arises from:

The Client's instructions that violate Data Protection Laws
The Client's failure to obtain necessary consents or legal bases for processing
The Client's failure to respond appropriately to Data Subject requests

13. Term and Termination

13.1 Term

This DPA takes effect on the date the service agreement is executed and continues in force for the duration of the service agreement and any period during which Agro Glance processes Personal Data on behalf of the Client.

13.2 Survival

The following provisions survive termination or expiration of this DPA:

Confidentiality obligations
Data deletion and return obligations
Liability and indemnification provisions
Audit rights for completed processing activities

14. General Provisions

14.1 Governing Law

This DPA is governed by the laws of Hungary. For Data Protection Law matters, the relevant provisions of GDPR and applicable EU member state laws shall apply.

14.2 Conflict

In the event of conflict between this DPA and the service agreement, this DPA prevails with respect to data processing matters.

14.3 Amendments

Amendments to this DPA require written agreement by both parties, except where changes are required by law or regulatory authority, in which case Agro Glance will notify the Client and implement necessary changes.

14.4 Severability

If any provision of this DPA is found invalid or unenforceable, the remaining provisions continue in full force and effect. The parties will negotiate in good faith to replace the invalid provision with a valid provision that achieves the same purpose.

15. Contact Information

Data Protection Inquiries

For questions about this Data Processing Agreement or to exercise rights under Data Protection Laws:

Agro Glance LLC 1144 Budapest, Zsivora park 4.
6th floor, Door 166
Hungary

Email: info@agroglance.com
Phone: +36 30 720 8887

We will respond to data protection inquiries within 30 days or as required by applicable Data Protection Laws.

Execution: This Data Processing Agreement is incorporated into and forms part of the service agreement between Agro Glance LLC and the Client. By executing the service agreement, both parties agree to the terms of this DPA.