Data processing agreement
This template sets out how TOMAR Group s.r.o. (“Processor”) processes personal data on behalf of a customer (“Controller”) when using Pryvan, under Article 28 GDPR.
Template version: May 2026. A countersigned copy is available to customers on request.
1. Subject matter and roles
The Controller determines the purposes and means of processing. The Processor processes personal data only on the Controller's documented instructions, including the use of the Pryvan service.
2. Nature and purpose
Processing covers the hosting and operation of AI models and document handling within Pryvan, for the purpose of providing the service to the Controller.
3. Duration
Processing lasts for the term of the service agreement and any agreed wind-down period.
4. Confidentiality
The Processor ensures that persons authorised to process the data are bound by confidentiality.
5. Security measures
The Processor implements appropriate technical and organisational measures under Article 32 GDPR, including encryption in transit and at rest, access control and logging. Current measures are documented in our technical and organisational measures (TOMs).
6. Sub-processors
The Controller authorises the use of the sub-processors listed in our Trust Center. The Processor informs the Controller of intended changes and gives the Controller the opportunity to object.
7. Data subject rights and assistance
The Processor assists the Controller, as far as possible, in responding to data-subject requests and in meeting obligations under Articles 32 to 36 GDPR.
8. Data location and transfers
Personal data is processed within the EU. The Processor does not transfer personal data outside the EU without the Controller's instruction and an appropriate transfer mechanism.
9. Deletion and return
On termination, the Processor deletes or returns personal data at the Controller's choice, unless retention is required by law.
10. Audits
The Processor makes available information necessary to demonstrate compliance and allows for audits as required by Article 28(3)(h) GDPR.