Data Processing Addendum (DPA)

1. Introduction

1.1 Neurolabs provides Subscription Services and associated Professional Services (collectively, the Services) to its customers under applicable written terms of service (the Agreement). This Data Processing Addendum (DPA) applies to Customers subject to either:
(a) the Neurolabs Customer Terms (available at www.neurolabs.ai/legal-customer-terms) and associated documents, or
(a) any other written Agreement that incorporates this DPA by reference or attachment
(d) (being the Agreement).

1.2 In connection with the provision of the Services, the parties acknowledge that Neurolabs may process certain Personal Data for which the Customer or a member of its corporate group is a controller (or equivalent role) under applicable Data Protection Laws, acting as a data processor on behalf of the Customer. This DPA sets out the terms and safeguards that apply to such processing.

1.3 This DPA forms part of, and supplements, the Agreement.

1.4 Neurolabs may update this DPA as permitted under the Customer Terms. Customers will be provided with at least twenty-eight (28) days' notice before material changes take effect. This version one (1) of this DPA was most recently updated on May 30, 2025. Historic versions are available on request.

2. Definitions

2.1 This DPA use the following definitions: 

Affiliate means in relation to a party, any present or future company that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, that party.  For the purpose of this definition, “control” (and its variants) means (i) the legal or beneficial ownership of (A) fifty percent (50%) or more of the outstanding voting stock of a corporation, (B) fifty percent (50%) or more of the equity of a limited liability company, partnership, or joint venture or (C) a general partnership interest in a partnership or joint venture; or (ii) the power to exercise a controlling influence over the management or policies of a legal entity; 
Agreement has the meaning given to it in clause 1.1 above;  
Customer Terms has the meaning given to it in clause 1.1 above;  
Customer or Data Exporter means the corporate or enterprise customer that has entered into the Agreement with Neurolabs; 
Customer Data means any data, content, or information—whether structured or unstructured—provided or made available by or on behalf of the Customer to Neurolabs for processing under the Agreement. This includes, but is not limited to, image data, metadata, file uploads, business data, and any Personal Data. Customer Data may or may not include Personal Data as defined under applicable Local Data Protection Laws;
Customer Group means the Customer and any of its Affiliates; 
Data Subject Request means a request from or on behalf of a data subject relating to access to, or rectification, erasure or data portability or withdrawal of consent, or any other rights recognized and granted under Data Protection Laws, in respect of that person’s Personal Data or an objection from or on behalf of a data subject to the processing of its Personal Data;
Adequate Country means a country or territory that is recognized under relevant Local Data Protection Laws as providing sufficient protection for Personal Data;
Data Protection Laws mean the Local Data Protection Laws or any other directly applicable legislation and regulatory requirements force from time to time which applies to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications) for the processing of Personal Data by Neurolabs on the Customer’s behalf in connection with the Services; 
Services has the meaning given to it in clause 1.1 above;  
DPTs has the meaning given to it in clause 1.1 above;  
End-User means an organization to whom the Customer or a member of the Customer Group provides services from time to time (i.e., typically the Customer’s customers) and who, or a member of whose End-User Group, is a data controller of Personal Data under Local Data Protection Laws; 
End-User Group means an End User and any of its Affiliates;
Security Measures means those technical and organizational security measures described in Neurolabs’ ISP in respect of Personal Data it processes on behalf of the Customer, as well as any measures it is required to implement by law.
GDPR means the General Data Protection Regulation (Regulation (EU) 2016/679 on the protection of natural persons about the processing of personal data and on the free movement of such data);
Local Data Protection Laws mean all laws and regulations of the European Union, the European Economic Area, their member states, and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including (where applicable) (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and the EU GDPR as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (together, collectively, the “GDPR”), (ii) the Swiss Federal Act on Data Protection, (iii) the UK Data Protection Act 2018, and (iv) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time;
Neurolabs or Data Importer means the Neurolabs entity that has entered into the Agreement; 
Neurolabs Group means Neurolabs and any of its Affiliates;
Notice means Neurolabs’ Privacy Policy at https://www.neurolabs.ai/privacy-policy;
Personal Data means all data which is defined as ‘personal data’ or Personally Identifiable Information (PII) under Local Data Protection Laws and which is included within the Customer Data provided by the Customer to Neurolabs for processing under the Agreement; processing, the data controller, the data subject, the supervisory authority and the data processor shall have the meanings ascribed to them in relevant Local Data Protection Laws; and 
Security Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provisioning of the Services; 
Sensitive Information means credit or debit card numbers; personal financial account information; national insurance or social security numbers or equivalents; passport numbers; driver’s license numbers or similar identifiers; passwords; details of racial or ethnic origin; physical or mental health condition or information; or other financial or health information, including any information defined under the UK Data Protection Legislation as ‘Sensitive Personal Data’ (or any analogous term which may apply from time to time), or any information subject to the US Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standards, and other regulations, laws or industry standards designed to protect similar information as amended or applicable worldwide from time to time; and 
Standard Contractual Clauses means (i) where the EU GDPR or Swiss Data Protection Laws apply, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries adopted pursuant to or permitted under Article 46 of EU GDPR (EU SCCs); and (ii) where the UK GDPR applies, the international data transfer agreement adopted pursuant to or permitted under Article 46 of the UK GDPR (UK IDTA), provided that, in each case, same complies with the requirements of applicable Data Protection Laws from time to time. 
An entity exercises Control over another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or according to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it according to its constitutional documents or according to a contract; and two entities are treated as being in Common Control if either control the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.

3. Status of the parties

3.1 In accordance with the Local Data Protection Laws, the type of Personal Data that the parties expect to be processed under this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects are determined by the Customer as the Controller of such personal data, but the parties acknowledge that such personal data is indicatively described in accordance with the nature of the Services in the Notice and, including for the purposes of the Standard Contractual Clauses, may change if the Notice is updated. The Personal Data should not include any Sensitive Information and Customer is expressly prohibited from uploading such Personal Data using the Services pursuant to the terms of the Agreement.

3.2 Each party warrants concerning Personal Data that it will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its subprocessors comply) with the obligations imposed upon them respectively under Data Protection Laws. However, Neurolabs is not responsible for determining the requirements of or compliance with any Data Protection Laws or other laws applicable to Customer, Customer Group or their industry that are not generally applicable to Neurolabs as a service provider and processor of personal data made available to it via the Services. 

3.3 As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and how the Customer or its End-User(s) acquired Personal Data, and, without limitation, will ensure or procure that the data controller (if different from the Customer) has ensured that it has all necessary appropriate consents and notices in place to enable lawful transfer of any Personal Data provided to Neurolabs, for the duration and purposes of the Agreement, including where applicable that the relevant third parties have been informed of, and (where required under Local Data Protection Laws) have given their consent to, such use, processing, and transfer as required by the Data Protection Legislation.

3.4 Regarding the parties’ rights and obligations under this DPA regarding the Personal Data, the parties with this acknowledge and agree that the Customer or the relevant End-User(s) is/are the data controller, and Neurolabs is the data processor. Accordingly, Neurolabs agrees that it shall process all Personal Data per its obligations under this DPA, and as per the Customer’s lawful written instructions set out in the Agreement and the Customer’s use and configuration of features of the Services. Customer hereby gives Neurolabs permission to use, transfer and process such personal data as set forth in this DPA. 

3.5 Nothing in this DPA shall apply to the Personal Data comprised in the Customer employees names, contact numbers and email addresses with whom Neurolabs is transacting or is required to transact, or who have contacted Neurolabs, which Neurolabs may process as an independent data controller acting in its legitimate interests in compliance with the Local Data Protection Laws as contemplated under the Agreement and the Notice, including, for example, data relating to the Customer’s, Customer’s Group or End Customer or End Customer’s Group employees who have subscribed for marketing communications from Neurolabs (as more particularly outlined in the Notice).  

4. Acceptable usage restrictions

4.1 Concerning all Personal Data, Neurolabs shall:

a) only process Personal Data to provide the Services, and shall act only per (i) this DPA, (ii) the Notice or ISP; and (iii) the Customer’s provision of instructions via configuration tools made available by Neurolabs for the Subscription Services and for incidental business operations. The parties agree that these, together with constitute the “documented instructions” of the Customer as contemplated under certain Local Data Protection Laws, and that, should the Customer require Neurolabs to comply with additional written instructions Neurolabs will do assuming they do not conflict with the DPA, Notice or Local Data Protection Laws, and subject to prior written agreement between Neurolabs and Customer, including agreement on any additional fees payable by Customer for carrying out such instructions; 

b) as soon as reasonably practicable upon becoming aware, inform the Customer if, in Neurolabs’ opinion, any instructions provided by the Customer under clause 4.1(a) infringe the Local Data Protection Laws; 

c) implement appropriate technical and organizational measures to ensure a security level appropriate to the risks presented by Personal Data processing as required by the Local Data Protection Laws. Such efforts include, without limitation, the security measures set out in the ISP from time to time (which shall apply for the purposes of the Standard Contractual Clauses, where applicable). Neurolabs may adapt such measures from time to time, for example, as a result of the development of regulations, technology and other industry considerations, provided that the level of protection afforded to the data shall not be materially reduced without Customer’s written consent. During the term of the Agreement, Customer may request Neurolabs to provide Customer, within a reasonable period of time, with an updated description of the implemented technical and organizational protection measures.

d) take reasonable steps, insofar as they are within its reasonable control, to ensure that only authorized personnel within Neurolabs have direct access to any confidential Personal Data (bearing in mind that Neurolabs cannot control such access on the part of its subprocessors) and that any persons whom it permits to have access to the Personal Data are subject to appropriate obligations of confidentiality, subject to any caveats or exclusions in the Agreement or Notice; 

e) as soon as reasonably practicable upon having reasonable certainty of same (but in no event later than in 72 hours from such point), notify the Customer of any actual or alleged incident of unauthorized or accidental disclosure of or access to any Personal Data by any of Neurolabs’ staff, subprocessors, or any other identified or unidentified third party (a Security Breach); 

f) provide the Customer with reasonable cooperation and assistance in respect of a Security Breach and all practical information in Neurolabs’ possession concerning such Security Breach insofar as it reasonably affects the Customer or any End User or member of an End User Group, in each case as soon as reasonably practicable and per the Local Data Protection Laws, including the following to the extent then known: (i) the possible cause of the Security Breach; (ii) the categories and approximate number of Personal Data records involved; (iii) the categories and approximate number of data subjects concerned; (iv) a summary of the possible consequences for the relevant data subjects; (v) an overview of the unauthorized recipients of the Personal Data; and (vi) the measures taken by Neurolabs to mitigate any damage;

g) not make any announcement about a Security Breach (a Breach Notice) referencing the Customer, its Personal Data, or its End-Users without (i) the prior written consent of the Customer (not to be unreasonably withheld or delayed); and (ii) prior written approval by the Customer of the content, media and timing of the Breach Notice insofar as it relates to the Customer, its End-Users or it’s Personal Data; unless required to make a disclosure or announcement by applicable law; this shall not include generic notices about Security Breaches impacting all or a portion of the personal data processed by Neurolabs, to the extent that no reference is made to the Customer, its Personal Data or its End-Users. For clarity, a party’s obligation to report or respond to a Security Breach is not and will not be construed as an acknowledgement by that party of any fault or liability with respect to the Security Breach;

h) promptly (and in any event within ten working days of receipt) notify the Customer if it receives a Data Subject Request. Neurolabs shall not respond to a Data Subject Request without the Customer's prior written consent except, where applicable, to confirm that such request relates to the Customer, to which disclosure the Customer agrees. Upon the Customer's request, Neurolabs shall at no extra charge to the Customer provide reasonable assistance to the Customer or the relevant End-Customer (as the Customer's request shall specify) to facilitate a Data Subject Request (provided that for any unreasonable request Neurolabs shall obtain the Customer’s prior written consent); 

i) per the provisions of the Agreement and Notice, Neurolabs will delete all Personal Data (including copies thereof) processed according to this DPA following termination or expiry of the Agreement; and

j) Neurolabs is not responsible for compliance with Customer’s, End-User’s or their respective Affiliates statutory or legal data retention requirements, but it responsible for the integrity, security, maintenance and retention of the Personal Data stored on its platform as set out in the Agreement and herein; 

k) Unless otherwise agreed in the Agreement, Customer-submitted images comprised in the Customer Data are retained by default for a maximum of ninety (90) days following submission and are then deleted. Neurolabs shall not retain such data beyond twelve (12) months unless expressly authorized in writing by the Customer; and

l) where Customer or Customer’s relevant End-User, or their respective Affiliates (as the Customer’s request may specify) requires reasonable assistance concerning their obligations under Data Protection Laws in respect of (i) undertaking a data protection impact assessment; (ii) notifications to the supervisory authority under Local Data Protection Laws or communications to data subjects by the Customer or the End-Customer in response to any Security Breach; and (iii) the Customer's or its End-Customer(s)' compliance with their respective obligations under the Local Data Protection Laws concerning the security of processing Neurolabs shall provide reasonable cooperation and assistance, insofar as it is within its reasonable control and competence, to that person to comply with their obligations (including any obligation to consult with competent data protection authorities). Neurolabs shall be entitled to invoice Customer on a time and material basis at the Neurolabs’ then current rates for any time expended for any such assistance. 

4.2 Neurolabs has appointed an individual, the Data Privacy Officer, responsible for privacy and data protection matters. The appointed person can be reached at privacy@neurolabs.ai.

4.3 Neurolabs shall provide reasonable assistance to the Customer in respect of Data Subject Requests as follows:
a) Where Personal Data is not made available through self-service tools, Neurolabs shall, without undue delay and within the timeframe specified under applicable Data Protection Laws, either (i) provide Customer with the ability to access, correct, delete, or otherwise fulfil requests from Data Subjects via Neurolabs’ platform; or (ii) provide reasonable assistance as instructed by the Customer.
b) Neurolabs may charge Customer for any such assistance that is materially burdensome or not reasonably expected by Neurolabs as part of the standard Services, provided such charges are pre-agreed with the Customer in writing (for the avoidance of doubt, Neurolabs shall have no obligation to agree to provide such assistance to the extent such charges are not agreed).

5. Customer responsibilities

5.1 Customer shall comply with Data Protection Laws as well as any other Laws applicable to Customer or Customer’s industry. If compliance with any such specific laws requires any actions with regard to data protection on the part of Neurolabs in addition to the obligations set forth in this DPA, such actions will only be taken upon mutual agreement between the Parties. For the avoidance of doubt, where agreed by the Parties, Neurolabs will use commercially reasonable efforts to accommodate additional requirements. In any event, Customer will provide reasonable advance notice of the required actions, cooperate fully with Neurolabs in respect thereof and compensate Neurolabs for any such efforts that require additional services or investment or modifications in the Services, as agreed in advance by the Parties

.5.2 Customer warrants that, where it provides any personal data to Neurolabs for Processing by Neurolabs:
a) it has duly informed the relevant data subjects of their rights and obligations, and in particular has informed them of the possibility of Neurolabs processing their personal data on Customer’s behalf and in accordance with its instructions;
b) it has complied with all applicable Data Protection Laws in the collection and provision to Neurolabs of such personal data and has taken all necessary steps to ensure that Neurolabs can Process such personal data, including by obtaining the data subjects' consent, if required; and
c) the Processing of such personal data in accordance with the instructions of the relevant controller is lawful.

5.3 Customer shall take reasonable steps to keep personal data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.

5.4 If a data subject contacts Neurolabs directly in order to exercise his or her individual rights such as requesting a copy, correction or deletion of his or her data or wanting to restrict or object to the Processing activities, Neurolabs will promptly, and in any event as soon as reasonably practicable upon Neurolabs becoming aware of any such request), direct such data subject to Customer. In support of the above, Neurolabs may provide Customer’s basic contact information to the requestor (but shall not otherwise reply to same), and, to the extent disclosed by the data subject, data subject’s basic contact information and a summary of the request to Customer. Customer shall inform data subjects that they may exercise these rights solely vis-à-vis Customer. Customer agrees to answer to and comply with any such request of a data subject in accordance with applicable Data Protection Laws. 

5.5 With regard to components that Customer provides or controls, including but not limited to workstations connecting to Neurolabs Services, data transfer mechanisms used, and credentials issued to Customer Authorized Users, Customer shall implement and maintain the required technical and organizational measures for data protection. 

5.6 Customer must notify Neurolabs promptly about any possible misuse of its accounts or authentication credentials or any security issue related to its use of the Services.

6. Subprocessing

6.1 The Customer grants a general authorization to Neurolabs to appoint other Neurolabs Group members, third-party hosting services providers and the different categories of service providers named in the Notice and ISP (as amended from time to time) as subprocessors (or authorized receivers for the purposes of the UK IDTA). Neurolabs will notify Customer of any intended changes concerning the addition or replacement of subprocessors via email or by posting updates at www.neurolabs.ai/legal-subprocessors.

6.2 Neurolabs confirms that it has entered or (as the case may be) will join with the third-party processor into a written agreement substantially on that third party's standard terms of business, which shall include an obligation to keep all personal data confidential and process it only in accordance with the purposes for which Neurolabs has instructed them to deliver services, and applicable Local Data Protection Laws. As between the Customer and Neurolabs, Neurolabs shall remain fully liable for all acts or omissions of any third-party processor appointed by it according to this clause.

7. Security measures

Neurolabs implements appropriate technical and organizational measures to protect Customer Data that are aligned with ISO/IEC 27001:2022 standards and is actively working toward certification. These include: 
Encryption of personal data at rest and in transit using industry protocols;
Role-based access controls with least-privilege enforcement; 
Multi-factor authentication for all production systems; and 
Continuous monitoring and incident response processes. 

These measures are further described in Neurolabs' Information Security Policy, as it may be updated from time to time, which is incorporated into this DPA by reference and available at www.neurolabs.ai/legal/isp.

8. Model training and AI processing

8.1 Neurolabs may maintain proprietary base models for tasks such as object localization and OCR. These models may be fine-tuned or calibrated using Customer Data to assist Neurolabs in trying to meet agreed performance requirements, and Customer agrees to grant Neurolabs non-exclusive permission to utilize images to Neurolabs solely and exclusively for such purposes in a secure, privacy-preserving, and non-identifiable manner. This fine-tuning is performed within the scope of each Customer's pipeline and never results in data sharing or model updates that expose other customers' data. This training shall never involve the use of Personal Data and solely relates to product images. The Customer may opt out of such model training by notifying Neurolabs in writing, in which case Neurolabs will ensure the Customer Data is excluded from any shared training pipelines used across customers.

9. Notifications

9.1 Unless legally prohibited from doing so, Neurolabs shall promptly notify Customer if it or any of its subprocessors, with regard to Customer’s Personal Data:
a) receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the processing by Neurolabs; or 
b) intends to disclose Personal Data to any competent public authority outside the scope of the Services of the Agreement. At the request of Customer, Neurolabs shall provide a copy of the documents delivered to the competent authority to Customer.

9.2 Any notification under this DPA, including a Security Breach notification, will be delivered to one or more of Customer’s contact persons via e-mail. It is Customer’s sole responsibility to timely report any changes in contact information (including “Key Contact” and “Importer Data Subject Contact” as described below) and to ensure Customer’s contact persons maintain accurate contact information.

10. Data transfers

10.1 The Customer acknowledges and agrees that Personal Data may be transferred to, or accessed from, jurisdictions outside the country in which the relevant data subjects reside, including the USA, EU, UK, or other countries where Neurolabs or its authorized subprocessors operate. Such transfers will only be undertaken in compliance with applicable Data Protection Laws.

10.2 Where Personal Data is transferred outside the UK, EU, or other Adequate Country, Neurolabs shall ensure such transfers are subject to a valid transfer mechanism under Data Protection Laws, which may include the Standard Contractual Clauses, or other legally valid instruments. 

10.3 Neurolabs uses region-specific default data tenancy where the Customer has expressed a specific requirement within the Agreement. For example, US Customers may be provisioned on a dedicated US AWS or GCP tenant. Where transfers occur from that region (for example from the EU/UK) to other jurisdictions (including the US), Neurolabs implements appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms to ensure adequate protection (as noted above). By default, data resides in EU / UK based servers. 

10.4 To the extent any processing of Personal Data relating to EU, EEA or UK data subjects by Neurolabs takes place in any country outside the EU, EEA or UK (except if in an Adequate Country), the parties agree that the Standard Contractual Clauses will apply in respect of that processing. Neurolabs will comply with the obligations of the ‘data importer’ or ‘importer’ in the relevant Standard Contractual Clauses. The Customer will comply with the duties of the ‘data exporter’ or ‘Exporter’. If there is any direct conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail strictly to the extent of such conflict only. At Customer’s request, where the current Standard Contractual Clauses no longer apply, the parties shall execute new standard contractual clauses for transfers to data processors in third countries adopted according to Article 46, Paragraph 2 (c) or (d) of the GDPR, replacing the then existing Standard Contractual Clauses.

10.5 The Customer acknowledges and accepts that the provision of Services under the Agreement may require personal data processing by subprocessors in countries outside the UK, EU or EEA.

10.6 If, in the performance of this DPA or the Agreement, Neurolabs transfers any Personal Data to a subprocessor located, or permits processing of any Personal Data by a subprocessor outside of the EEA except if in an Adequate Country (without prejudice to clause 4), Neurolabs shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing such as the Standard Contractual Clauses (where applicable) is put in place. Where the transfer would be a restricted transfer but for the Standard Contractual Clauses being put in place, then the Standard Contractual Clauses shall, if they provide a lawful mechanism for such transfer, be deemed incorporated into the Agreement and will apply to such transfer.

10.7 Where the Standard Contractual Clauses are deemed to have been put in place, the following terms shall apply to them (as applicable), in addition to the terms set out elsewhere in this DPA: (i) Neurolabs may appoint subprocessors as set out and subject to the requirements of clause 8.3 of this DPA; (ii) where the EU SCCs apply, they and any connected actions under this DPA or the Agreement shall be governed by the laws of the Republic of Ireland and subject to the exclusive jurisdiction of the courts of the Republic of Ireland; (iii) where the UK IDTA applies, it and any connected actions under this DPA or the Agreement shall be governed by the laws of England; and subject to the exclusive jurisdiction of the courts of England; (iv) where the UK IDTA applies, Neurolabs’ key contact shall be contacted at privacy@neurolabs.ai, and the Customer’s “key contact” and “Importer Data Subject Contact” shall be the person and email address specified in the Customer’s sign up form when subscribing for the Services as part of the Agreement via the Neurolabs website, unless otherwise specified herein; (v) the Standard Contractual Clauses may only be terminated if there is a breach of their terms or the Agreement, following the principles set out in the Agreement, or the parties agree in writing; (vi) where the EU SCCs apply, the relevant parts of the Privacy Notice shall apply as Appendix 1 of the EU SCCs and the relevant parts of the ISP shall apply as Appendix 2 of the Standard Contractual Clauses, and where the UK IDTA applies, the relevant parts of the Privacy Policy and ISP shall populate Tables 1 – 4 of Part 1 of the IDTA (to the extent not already provided for elsewhere in this DPA).

11. General

11.1 This DPA are without prejudice to the parties’ rights and obligations under the Agreement, which shall continue to have full force and effect. Collectively, this DPA (including the Standard Contractual Clauses) and the Agreement constitute the complete agreement and merge all prior discussions and agreements between the parties regarding the Services. In the event of any conflict between the terms of this DPA and the terms of the Agreement, this DPA shall prevail so far as the subject matter concerns the processing of Personal Data, but the terms of the Agreement shall otherwise prevail. 

11.2 This DPA contains references to the ISP, Notice and Standard Contractual Clauses, and in the event of any conflict or inconsistency between these various documents, the following order of precedence shall apply: (i) the Standard Contractual Clauses; (ii) this DPA; (iii) the Notice; and (iv) the ISP.

11.3 This DPA apply to the Agreement and remain in force until processing of Personal Data by Neurolabs is no longer required (a) in the framework of or pursuant to the Agreement or (b) for a period after termination of the Agreement or the relevant Services for any reason whatsoever, in accordance with Customer’s explicit instructions or other legally permissible basis.

We help CPG teams see what's really happening on shelf and act on it before it costs them.
Quick links
Execution IntelligenceHow it worksSolutionsWho it's forBlogFAQ's
Company
CareersSign inPrivacy PolicyTerms of service
Ready to see it in action?

Book a walkthrough with our team.

Request a walkthrough
Schedule a call

© 2026 Neurolabs. All rights reserved.

Stay connected:
link
link