Definitions.
- Controller: The Customer, who determines the purposes and means of processing personal data by using the Service.
- Processor: Tagsight, which processes personal data on behalf of the Controller to provide the Service.
- Sub-processor: A third party engaged by the Processor to assist in processing personal data.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Data Subject: The individual to whom the personal data relates.
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
Scope and roles.
This DPA applies when Tagsight processes personal data on behalf of the Customer in connection with the Service. The Customer is the Controller; Tagsight is the Processor. Processing is limited to what is necessary to provide the instrument extraction Service described in our Terms of Service.
Processing details.
- Subject matter: Automated extraction of instrument data from P&ID (Piping and Instrumentation Diagram) documents.
- Duration: For the term of the service agreement between the Customer and Tagsight.
- Nature and purpose: Processing uploaded engineering drawings to identify and classify instrument tags, generating structured I/O lists for export.
- Types of personal data: Account information (name, email), uploaded documents (which may contain project metadata), and extraction results.
- Categories of data subjects: The Customer’s authorized users of the Service.
Processor obligations.
Tagsight shall:
- Process personal data only on documented instructions from the Controller, unless required by applicable law.
- Not train any artificial intelligence model on Customer Content.
- Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational security measures as described on the Security page.
- Engage sub-processors only with prior authorization and in accordance with Article 5 of this DPA.
- Assist the Controller with data subject access requests, taking into account the nature of processing.
- Assist the Controller with obligations related to data protection impact assessments and prior consultation with supervisory authorities, where applicable.
- At the Controller’s choice, delete or return all personal data upon termination of the Service, and delete existing copies unless storage is required by applicable law.
- Make available all information necessary to demonstrate compliance with these obligations.
Sub-processors.
Tagsight uses the following categories of sub-processors to provide the Service:
Notification of changes. Tagsight will notify the Controller via email at least 30 days before engaging a new sub-processor. The Controller may object to a new sub-processor within 15 days of notification. If the objection cannot be resolved, either party may terminate the affected Service.
Data breach notification.
In the event of a personal data breach, Tagsight will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include:
- The nature of the breach, including categories and approximate number of data subjects and records affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
- Contact details for further information.
International transfers.
Where sub-processors are located outside the European Economic Area or the United Kingdom, Tagsight ensures appropriate safeguards are in place, including Standard Contractual Clauses where applicable, in accordance with GDPR Chapter V and PIPEDA requirements for cross-border data transfers.
Audit rights.
The Controller may audit, or appoint a qualified third-party auditor subject to confidentiality obligations, to verify Tagsight’s compliance with this DPA, subject to the following conditions:
- At least 30 days’ advance written notice.
- During normal business hours.
- No more than once per twelve-month period, unless a data breach has occurred or a supervisory authority requires an audit.
- The Controller bears the costs of the audit.
Term and termination.
This DPA is effective for the duration of the service agreement between the Controller and Tagsight. Upon termination, Tagsight will, at the Controller’s choice, delete or return all personal data within 30 days, except where retention is required by applicable law. Obligations regarding confidentiality and data security survive termination.
Liability.
Liability under this DPA is subject to the limitations set forth in the Terms of Service.
Notices.
Formal notices under this DPA may be sent by email to support@tagsight.io.