Data Processing Agreement
GDPR Article 28 · Last updated: 2026-04-24
Note on this document: This DPA is structured against the GDPR Art. 28 and EU Standard Contractual Clauses (SCCs) framework. The sections below indicate what each clause will cover once drafted by legal counsel. This document has not been reviewed or approved by a qualified lawyer and must not be signed or presented to customers in its current form.
Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Data Controller: [Customer name and address] — the entity that determines the purposes and means of processing personal data.
- Data Processor: Fenec Labs S.L., Barcelona, Spain — the entity that processes personal data on behalf of the Controller.
1. Definitions (Art. 4 GDPR)
Terms used in this DPA carry the meanings given to them in the GDPR (Regulation (EU) 2016/679) and the ePrivacy Directive.
2. Subject matter and nature of processing
Fenec Labs processes personal data solely to provide the on-premise workplace safety monitoring service described in the Order Form. Processing takes place exclusively on the Customer's own appliance hardware, located at the Customer's premises within the EU/EEA. No personal data leaves the Customer's network as part of ordinary operations.
- Categories of data subjects: Employees, contractors, and visitors captured by cameras within the monitored area.
- Categories of personal data: Video frames; AI-derived bounding boxes and classification labels (PPE status, zone occupancy); pseudonymous worker identifiers; timestamps.
- Special category data: Biometric data (faces) may be incidentally captured. NAO's system redacts faces at save time; the Controller is responsible for configuring this feature correctly.
- Duration: For the term of the Master Service Agreement plus the retention period specified in the Order Form.
3. Processor obligations (Art. 28(3) GDPR)
Fenec Labs shall:
- Process personal data only on documented instructions from the Controller.
- Ensure that persons authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Art. 32 GDPR). See Security Annex.
- Not engage sub-processors without prior written consent of the Controller. See Sub-processor Annex.
- Assist the Controller in responding to data subject rights requests.
- Assist the Controller with Art. 32–36 obligations (security, DPIA, breach notification).
- Delete or return personal data at end of service.
- Make available all information necessary to demonstrate compliance and allow audits.
4. Technical and organisational measures (Annex A)
Technical and organisational measures will be specified in Annex A by the security team before pilot sign-off.
5. Sub-processors (Annex B)
As an on-premise appliance, the NAO product does not transmit Customer personal data to any sub-processor during normal operations. The only sub-processors engaged relate to this website and are listed on the Subprocessors page.
If the Customer opts into optional cloud features (e.g. OTA update checks), additional sub-processors will be disclosed and written consent obtained before activation.
6. Data subject rights
Fenec Labs provides a GDPR erasure endpoint accessible via the operator dashboard. The Controller is responsible for handling data subject requests within the statutory 30-day period; Fenec Labs will action technical erasure within 24 hours of a verified erasure request submitted through the dashboard.
7. International transfers
Personal data processed on-appliance does not leave the EEA. Any transfers associated with this website (see Section 5) are covered by SCCs or adequacy decisions as listed on the Subprocessors page.
8. Audit rights (Art. 28(3)(h))
Audit rights and procedure to be specified by counsel.
9. Governing law and jurisdiction
This DPA is governed by the laws of Spain and the European Union.
For DPA enquiries or to request the current signed version: privacy@feneclabs.com