Cairo Network

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Use ("Agreement") between Cairo Technologies AB ("Processor" or "Cairo") and the customer ("Controller" or "you") for the use of the Cairo AI service.

This DPA applies to all processing of personal data by Cairo on behalf of the Controller in connection with the Service, particularly the personal data of the Controller's end-customers.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
"Data Subject" means the individual to whom Personal Data relates (e.g., your customers).
"Sub-processor" means any third party engaged by Cairo to process Personal Data.
"GDPR" means the General Data Protection Regulation (EU) 2016/679.

3. Scope and Roles

3.1 Controller and Processor

For the processing of end-customer Personal Data through the Service:

You (the customer) are the Data Controller, determining the purposes and means of processing.
Cairo is the Data Processor, processing Personal Data only on your behalf and according to your instructions.

3.2 Categories of Data Subjects

Your customers (end-customers)
Individuals who contact your customer support

3.3 Types of Personal Data

Names and contact information (email addresses)
Order and transaction data
Shipping addresses
Communication content (email messages)
Purchase history

3.4 Processing Activities

Reading and analyzing customer support emails
Retrieving order and shipping information
Generating AI-drafted responses
Sending approved or autonomous responses
Storing interaction history for AI improvement

4. Controller Obligations

You, as the Controller, are responsible for:

Ensuring you have a lawful basis to process Personal Data and share it with Cairo
Providing appropriate privacy notices to your customers about your use of AI-assisted customer support
Responding to Data Subject requests (with our assistance as needed)
Ensuring your instructions to Cairo comply with applicable data protection laws
Notifying Cairo promptly of any changes affecting data processing

5. Processor Obligations

Cairo, as the Processor, shall:

5.1 Process Only on Instructions

Process Personal Data only on your documented instructions, including with regard to transfers outside the EU/EEA, unless required by law. The Service configuration and these terms constitute your instructions.

5.2 Confidentiality

Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures

Implement appropriate technical and organizational measures, including:

Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
Access controls with role-based permissions
Regular security testing and vulnerability assessments
Incident detection and response procedures
Business continuity and disaster recovery capabilities
Employee security training

5.4 Sub-processors

Cairo uses sub-processors to provide the Service. By entering into this DPA, you provide general authorization for Cairo to engage sub-processors, subject to:

Maintaining an up-to-date list of sub-processors at cairo.ai/subprocessors
Notifying you of new sub-processors at least 14 days before engagement
Ensuring sub-processors are bound by equivalent data protection obligations
Remaining liable for sub-processor compliance

If you object to a new sub-processor, you may terminate the affected Service within 14 days of notification.

5.5 Data Subject Requests

Assist you in responding to Data Subject requests (access, rectification, erasure, etc.) by:

Providing tools to export or delete data through the Service
Responding to your requests within reasonable timeframes
Notifying you if we receive a request directly from a Data Subject

5.6 Data Breach Notification

Notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your data. The notification will include:

Description of the nature of the breach
Categories and approximate number of Data Subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach

5.7 Audits

Make available information necessary to demonstrate compliance with this DPA and allow for audits by you or an auditor you mandate, subject to:

Reasonable advance notice (at least 30 days)
Confidentiality obligations
Reasonable scope and timing to minimize disruption

Cairo's SOC 2 report and security certifications may satisfy audit requirements in many cases.

5.8 Deletion

Upon termination or expiry of the Agreement, delete or return all Personal Data (at your choice) within 30 days, unless retention is required by law.

6. International Transfers

Personal Data is primarily processed within the European Economic Area (EEA). Where transfers to third countries occur (e.g., to AI sub-processors in the United States), Cairo ensures appropriate safeguards:

Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs for transfers to third countries
Supplementary measures: Additional technical and organizational measures as needed based on transfer impact assessments
Adequacy decisions: Where applicable, we rely on adequacy decisions by the European Commission

7. Data Isolation

Cairo maintains strict data isolation between customers.

Your Personal Data is logically separated from other customers' data. The AI improvements and patterns learned from your feedback are used exclusively for your account and are never shared with or used to benefit other customers.

8. Duration and Termination

This DPA remains in effect for the duration of the Agreement. Upon termination:

Cairo will cease processing Personal Data except as needed for deletion
Personal Data will be deleted or returned within 30 days
Cairo will provide certification of deletion upon request

9. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Agreement. Cairo shall be liable for damages caused by processing that violates this DPA or GDPR.

10. Changes to This DPA

We may update this DPA to reflect changes in our practices or legal requirements. Material changes will be notified via email at least 30 days before taking effect.

11. Contact

For questions about this DPA or data processing:

Email: privacy@cairo.ai
Address: Cairo Technologies AB, Stockholm, Sweden

Acceptance

This DPA is incorporated into and forms part of the Terms of Use. By using the Cairo AI service and accepting the Terms of Use, you also accept this Data Processing Agreement.

1. Introduction

This DPA applies to all processing of personal data by Cairo on behalf of the Controller in connection with the Service, particularly the personal data of the Controller's end-customers.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
"Data Subject" means the individual to whom Personal Data relates (e.g., your customers).
"Sub-processor" means any third party engaged by Cairo to process Personal Data.
"GDPR" means the General Data Protection Regulation (EU) 2016/679.

3. Scope and Roles

3.1 Controller and Processor

For the processing of end-customer Personal Data through the Service:

You (the customer) are the Data Controller, determining the purposes and means of processing.
Cairo is the Data Processor, processing Personal Data only on your behalf and according to your instructions.

3.2 Categories of Data Subjects

Your customers (end-customers)
Individuals who contact your customer support

3.3 Types of Personal Data

Names and contact information (email addresses)
Order and transaction data
Shipping addresses
Communication content (email messages)
Purchase history

3.4 Processing Activities

Reading and analyzing customer support emails
Retrieving order and shipping information
Generating AI-drafted responses
Sending approved or autonomous responses
Storing interaction history for AI improvement

4. Controller Obligations

You, as the Controller, are responsible for:

Ensuring you have a lawful basis to process Personal Data and share it with Cairo
Providing appropriate privacy notices to your customers about your use of AI-assisted customer support
Responding to Data Subject requests (with our assistance as needed)
Ensuring your instructions to Cairo comply with applicable data protection laws
Notifying Cairo promptly of any changes affecting data processing

5. Processor Obligations

Cairo, as the Processor, shall:

5.1 Process Only on Instructions

5.2 Confidentiality

Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures

Implement appropriate technical and organizational measures, including:

Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
Access controls with role-based permissions
Regular security testing and vulnerability assessments
Incident detection and response procedures
Business continuity and disaster recovery capabilities
Employee security training

5.4 Sub-processors

Cairo uses sub-processors to provide the Service. By entering into this DPA, you provide general authorization for Cairo to engage sub-processors, subject to:

Maintaining an up-to-date list of sub-processors at cairo.ai/subprocessors
Notifying you of new sub-processors at least 14 days before engagement
Ensuring sub-processors are bound by equivalent data protection obligations
Remaining liable for sub-processor compliance

If you object to a new sub-processor, you may terminate the affected Service within 14 days of notification.

5.5 Data Subject Requests

Assist you in responding to Data Subject requests (access, rectification, erasure, etc.) by:

Providing tools to export or delete data through the Service
Responding to your requests within reasonable timeframes
Notifying you if we receive a request directly from a Data Subject

5.6 Data Breach Notification

Notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your data. The notification will include:

Description of the nature of the breach
Categories and approximate number of Data Subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach

5.7 Audits

Make available information necessary to demonstrate compliance with this DPA and allow for audits by you or an auditor you mandate, subject to:

Reasonable advance notice (at least 30 days)
Confidentiality obligations
Reasonable scope and timing to minimize disruption

Cairo's SOC 2 report and security certifications may satisfy audit requirements in many cases.

5.8 Deletion

Upon termination or expiry of the Agreement, delete or return all Personal Data (at your choice) within 30 days, unless retention is required by law.

6. International Transfers

Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs for transfers to third countries
Supplementary measures: Additional technical and organizational measures as needed based on transfer impact assessments
Adequacy decisions: Where applicable, we rely on adequacy decisions by the European Commission

Data Processing Agreement

1. Introduction

2. Definitions

3. Scope and Roles

3.1 Controller and Processor

3.2 Categories of Data Subjects

3.3 Types of Personal Data

3.4 Processing Activities

4. Controller Obligations

5. Processor Obligations

5.1 Process Only on Instructions

5.2 Confidentiality

5.3 Security Measures

5.4 Sub-processors

5.5 Data Subject Requests

5.6 Data Breach Notification

5.7 Audits

5.8 Deletion

6. International Transfers

7. Data Isolation

8. Duration and Termination

9. Liability

10. Changes to This DPA

11. Contact

Acceptance

Product

Resources

Legal

Connect

Data Processing Agreement

1. Introduction

2. Definitions

3. Scope and Roles

3.1 Controller and Processor

3.2 Categories of Data Subjects

3.3 Types of Personal Data

3.4 Processing Activities

4. Controller Obligations

5. Processor Obligations

5.1 Process Only on Instructions

5.2 Confidentiality

5.3 Security Measures

5.4 Sub-processors

5.5 Data Subject Requests

5.6 Data Breach Notification

5.7 Audits

5.8 Deletion

6. International Transfers

7. Data Isolation

8. Duration and Termination

9. Liability

10. Changes to This DPA

11. Contact

Acceptance

Product

Resources

Legal

Connect