Data Processing Agreement
Effective Date: April, 2026
Cogny Data Processing Agreement (PDF)
The full GDPR Article 28 processor agreement as a single PDF for your legal, DPO, and procurement file. Identical text to the page below.
This Data Processing Agreement (“DPA”) supplements the Terms and Conditions and Privacy Policy and forms part of the contract between the customer (“Controller”) and Cogny AB (“Processor”) when Cogny processes personal data on the Controller's behalf in connection with the Cogny service. It is drafted to meet Article 28 of Regulation (EU) 2016/679 (“GDPR”). Where this DPA conflicts with the main Terms, this DPA controls for matters of personal data processing.
1. Parties
- Controller. The customer identified in the order form, offer, or workspace registration that connects data sources to Cogny. The Controller determines the purposes and means of processing.
- Processor. Cogny AB, org. no. 559164-9628, Peter Myndes Backe 16, 118 46 Stockholm, Sweden. Cogny processes personal data only on documented instructions from the Controller.
2. Subject matter, duration, nature and purpose of processing
- Subject matter. Provision of the Cogny service: ingestion, storage, analysis and reporting on the Controller's marketing and analytics data, including AI-generated insights, recommendations and growth tickets.
- Duration. For the term of the underlying subscription, plus a 30-day data export window after termination, plus the deletion windows in § 9.
- Nature of processing. Collection, storage, structuring, consultation, analysis, transmission to AI inference providers, report generation and deletion.
- Purpose. To deliver the Cogny service, generate analytics and recommendations, send transactional and report notifications, and provide support to the Controller.
3. Categories of data subjects and personal data
Categories of data subjects.
- The Controller's authorised users of the Cogny service.
- End users represented in the Controller's connected marketing data sources (for example website visitors and ad-platform audiences), to the extent any personal data is present in that data.
Categories of personal data.
- Authorised users: name, email address, IP address, user-agent, authentication identifiers, audit logs of actions taken in the platform.
- Connected source data: aggregated marketing performance data and any personal data the Controller chooses to connect (for example hashed-email or user-ID fields exported from CRM, ad platforms, or analytics). Cogny does not require personal data to deliver the service; the Controller decides what to connect.
- OAuth tokens and credentials for the Controller's connected platforms, stored encrypted in Supabase Vault.
Special-category data (GDPR Art. 9). Cogny does not require, and the Controller agrees not to submit, special-category personal data. Cogny does not process payment-card data; Stripe handles billing directly with the Controller.
4. Controller's instructions and obligations
Cogny processes personal data only on the documented instructions of the Controller. The Controller's instructions are:
- The configuration of the Controller's workspace (connected sources, connected destinations, scheduled prompts, automation guardrails).
- The provisions of the Terms, this DPA, and any executed order form.
- Written support requests through the Controller's authorised users or designated contact.
Cogny will inform the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection law. The Controller is responsible for ensuring it has a lawful basis for the processing it instructs and for the accuracy of the data it submits.
5. Confidentiality
Cogny ensures that personnel authorised to process personal data are bound by written confidentiality undertakings or are under an appropriate statutory duty of confidentiality. Access to Controller data is limited to named personnel on a need-to-know basis and is logged.
6. Security of processing (Art. 32)
Cogny implements appropriate technical and organisational measures, including those described on the Security page, which is incorporated by reference. In particular:
- Encryption. TLS 1.2+ in transit; provider-level encryption at rest; Supabase Vault for OAuth tokens and secrets.
- Access control. Row-Level Security (RLS) enforces tenant isolation at the database layer. Application access requires authentication.
- Resilience. Managed EU-region services with automated failover within the region; point-in-time recovery on the primary database.
- Audit logging. Application-layer operations are logged; tokens and credentials are isolated from application logs.
- Secure development. Code review on every change; dependency updates managed continuously.
7. Subprocessors (Art. 28(2) and (4))
The Controller grants Cogny a general written authorisation to engage the subprocessors listed below to deliver the service. The list is maintained here and is part of this DPA:
- Google LLC / Google Cloud EMEA Ltd. — compute (GKE), managed databases, BigQuery, object storage, build and deployment, OAuth identity for Google integrations. Region: europe-west1 (Belgium).
- Supabase, Inc. — managed PostgreSQL, authentication, encrypted secret storage (Vault), point-in-time recovery. Region: AWS eu-north-1 (Stockholm).
- Cloudflare, Inc. — edge CDN, WAF, DDoS mitigation and TLS termination.
- Anthropic PBC — large language model inference for AI reports and chat (Claude). Anthropic does not train models on Customer Content submitted through the API. See § 8 on geographic location.
- OpenAI, L.L.C. — large language model inference for AI reports and chat (GPT models). OpenAI does not train models on Customer Content submitted through the API. See § 8 on geographic location.
- Berget AI — EU-hosted large language model inference (GDPR-compliant EU AI infrastructure). Region: European Union (Sweden).
- Brave Software, Inc. — web search, news, and rank-check data for AI research tools (Brave Search API).
- Stripe Payments Europe, Ltd. — subscription billing and payment processing.
- Resend, Inc. — transactional email delivery (report emails, auth emails).
- Slack Technologies, LLC — internal alerting and, where enabled by the Controller, customer-facing Slack notifications.
- ElevenLabs Inc. — optional text-to-speech for audio summaries; only invoked when the Controller uses audio features.
Cogny will give the Controller at least 30 days' prior written notice before adding, replacing, or materially changing a subprocessor. The Controller may object on reasonable documented grounds related to data protection within that period; if the parties cannot agree on a remedy, the Controller may terminate the affected services with no cancellation penalty. Cogny imposes written data-protection obligations on each subprocessor that are no less protective than this DPA.
8. International transfers (Chapter V)
Personal data at rest is stored in the European Union, primarily in Google Cloud europe-west1 (Belgium) and Supabase on AWS eu-north-1 (Stockholm). Listed exceptions:
- LLM inference (Anthropic, OpenAI). Cogny's Anthropic and OpenAI workspaces are configured with global routing for API inference. Prompts and completions may therefore be processed on Anthropic or OpenAI infrastructure outside the EU, including the United States. Transfers rely on each provider's Data Processing Addendum incorporating the European Commission's Standard Contractual Clauses (Module 3, processor-to-processor) and applicable supplementary measures. Where the Controller requires EU-only inference, Cogny can route to EU-hosted models via Berget AI (European Union, Sweden).
- Cloudflare edge. TLS termination and WAF inspection occur at the Cloudflare edge nearest to the end user. No personal data is persisted at the edge.
- Brave, Stripe, Slack, Resend, ElevenLabs. May process limited operational data (for example search queries, billing, and notifications) outside the EU. Personal-data transfers rely on Standard Contractual Clauses.
Where Cogny acts as data exporter under the SCCs, the SCCs are incorporated into this DPA by reference and apply to the relevant transfer. The Controller authorises Cogny to enter into Standard Contractual Clauses with subprocessors on the Controller's behalf where required.
9. Assistance to the Controller (Art. 28(3)(e), (f))
Cogny will, taking into account the nature of the processing and the information available, assist the Controller by appropriate technical and organisational measures with:
- Data subject requests under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection, automated decision-making). The Controller can use the platform's self-serve export and deletion tooling to fulfil most requests; Cogny will assist with requests that cannot be fulfilled through the platform.
- Security obligations under Article 32, including by providing the security documentation referenced in § 6.
- Personal-data breach notifications under Articles 33 and 34 (see § 10).
- Data-protection impact assessments and prior consultations under Articles 35 and 36, by providing reasonable information about the service.
10. Personal-data breach notification (Art. 33)
Cogny will notify the Controller's designated contact without undue delay, and in any event within 72 hours, after Cogny becomes aware of a personal-data breach affecting the Controller. The notification will include, to the extent known at the time: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed. Updates are provided as material information becomes available.
11. Audit rights (Art. 28(3)(h))
On reasonable prior written notice (no less than 30 days, except where required by a competent authority or following a confirmed personal-data breach), the Controller, or an independent auditor mandated by the Controller and bound by confidentiality, may audit Cogny's compliance with this DPA at the Controller's cost. Audits will not occur more than once in any 12-month period absent a specific incident, must be conducted during business hours, must avoid disrupting Cogny's operations, and must respect the confidentiality of other customers. Cogny may satisfy this obligation by providing existing third-party audit reports, security documentation, and written responses to reasonable questionnaires.
12. Return and deletion of personal data (Art. 28(3)(g))
On termination of the underlying subscription for any reason, or at any time on written request from the Controller:
- For 30 days after the effective date of termination, the Controller may request export of personal data in a commonly-used machine-readable format (CSV, JSON, or SQL dump for raw warehouse data; PDF or Markdown for generated reports).
- After the 30-day export window, Cogny will delete the Controller's personal data from production systems within 30 days, and from backups within the standard backup retention window (up to 90 days). On written request, Cogny will certify completion in writing.
- Cogny may retain personal data to the extent and for as long as required by applicable law, in which case it will continue to protect it under this DPA.
13. Liability
Liability under this DPA is subject to the limitations and exclusions set out in the main Terms and Conditions. Each party is liable for damage caused by processing only where it has not complied with the obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the Controller's lawful instructions, in accordance with Article 82 GDPR.
14. Order of precedence and updates
In case of conflict, this DPA prevails over the main Terms and Conditions for matters of personal-data processing, and the executed order form prevails over both if explicitly addressing the same subject. For Cloud-tier customers in scope of DORA, the DORA Addendum applies in addition to this DPA. Cogny may update this DPA; material changes will be announced at least 30 days in advance by email to the Controller's billing contact.
15. Governing law
This DPA is governed by Swedish law. Disputes are settled in Stockholm District Court, without prejudice to any mandatory jurisdiction of data-protection supervisory authorities or courts under the GDPR.
16. Contact
Data-protection enquiries, audit requests, or breach notifications: privacy@cogny.com.
Cogny AB, Peter Myndes Backe 16, 118 46 Stockholm, Sweden.