This DPA forms part of the Terms of Service between Cognity SIA (“Processor”) and the customer (“Controller”) and applies to processing of personal data under GDPR.
1. Roles
- Controller: the Customer
- Processor: Cognity SIA (Cognity)
2. Subject Matter and Purpose
Processor processes personal data only to provide the Platform and related support, including hosting, forecasting, simulations, reporting, and security.
Core forecasting uses internally hosted XGBoost models. Forecast training and prediction run inside Cognity infrastructure. External AI, if used, is limited to natural-language explanations of already computed forecast outputs.
3. Processor Obligations
- Process personal data only on documented instructions of the Controller.
- Ensure confidentiality of personnel with access to personal data.
- Implement appropriate technical and organizational security measures.
- Assist Controller with data subject requests where applicable.
- Notify Controller of personal data breaches without undue delay (where required).
4. AI Explanation Inputs
For optional forecast explanations, external AI inputs are limited to abstracted or aggregated signals such as grouped feature contributions for pricing, seasonality, trend, and promotion impact. Processor does not send raw sales transactions, supplier lists, customer lists, SKU-level datasets, detailed purchasing plans, or uploaded source files to external AI providers for these explanations.
External AI providers used for explanations must not use submitted customer data for model training.
AI-generated explanations can be disabled for organizations with stricter internal data policies.
5. Subprocessors
Processor may engage subprocessors (e.g., hosting and payment providers) to deliver the Platform. Processor will ensure subprocessors are bound by appropriate data protection obligations.
6. Data Retention and Deletion
Upon termination, Processor will delete or return personal data as requested by the Controller, unless retention is required by law. Default retention for export purposes is up to 30 days.
7. International Transfers
Where personal data is transferred outside the EEA, appropriate safeguards will be used (e.g., Standard Contractual Clauses where applicable).
8. Contact
For DPA requests: info@cognityapp.com