
UAB Attention Insight – Data processing agreement

Effective Date: 2017-10-10
Last updated: 2025-05-01

This Data Processing Agreement (“Agreement”) is an integral part of the Terms of Use and governs the processing of personal data by Attention Insight, UAB, registration number 304999911, registered address Kareivių str. 19-78, Vilnius, Lithuania (“Processor”) on behalf of the entity or individual that has accepted this Agreement upon creating an account (“Controller”), both together hereinafter referred to as the Parties, and separately as a Party.

For the purposes of this Agreement, the Controller refers to the entity or individual that a user (“User”), as explained in the Terms of Use, represents. This includes an agency, business or corporate brand, or the user acting in an individual capacity (such as a solopreneur or freelancer).

By creating an account and using the services provided by the Processor, the Controller agrees to be bound by the terms of this Agreement. This Agreement ensures compliance with applicable data protection laws and sets out the obligations of both Parties regarding the processing of personal data.

  1. SCOPE OF PROCESSOR’S OBLIGATIONS
    • This Agreement sets out the obligations of the Processor which Regulation (EU) 2016/679, the General Data Protection Regulation (“Regulation”), requires to be imposed on a data processor, as well as other terms and conditions that the Processor must comply with in order to ensure that the Regulation is properly implemented.
    • This Agreement replaces all previous obligations of Processor to Controller regarding the processing and protection of personal data, if such were established for Processor by other agreements between Processor and Controller.
    • For the avoidance of doubt, Controller is fully responsible for complying with the data controller’s obligations under the Regulation. Among other things, it is fully responsible for establishing a valid legal basis for the data processed by Processor and for informing the relevant data subjects.
    • Processor acts as a data controller only as described in its Privacy Policy.

  2. INSTRUCTIONS FROM CONTROLLER ON DATA PROCESSING
    • Processor shall process the personal data controlled by Controller and entrusted to Processor only on the documented instructions from Controller. Controller’s instructions provided to Processor regarding the subject matter, duration, nature and purpose of the data processing, as well as the types of data subjects and data types are specified in this Agreement (details of the data processing are provided in Annex No. 1 of this Agreement). The functional description of Processor’s conducted operations with Controller controlled data is provided in Terms of Use.
    • If Processor does not have instructions on how to process personal data in a particular situation or if any of the given instructions violate applicable data protection laws, Processor shall inform the Controller in writing without delay.
    • Processor may depart from Controller’s instructions only where a particular data processing operation is required by EU law or EU Member State law applicable to Processor. In such a case, Processor shall notify Controller of that legal requirement in writing prior to processing the data, unless the applicable law prohibits such notification on important grounds of public interest.
    • Processor must immediately inform Controller if, in its opinion, Controller’s instructions violate the Regulation or other applicable data protection provisions of the EU or an EU Member State.

  3. PERSONAL DATA CONFIDENTIALITY
    • Processor must ensure that only those persons who require direct access to personal data, controlled by Controller and entrusted to Processor, are authorised to access it in order to fulfil the Processor’s obligations under Terms of Use. Processor ensures that all persons involved in processing of personal data have committed themselves to confidentiality or are under applicable statutory obligation of confidentiality.

  4. SECURITY OF DATA PROCESSING
    • Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia and as appropriate:
      • the pseudonymisation and encryption of personal data;
      • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
      • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
    • In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, especially the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
    • Processor ensures that any natural person acting under the authority of Processor who has access to personal data does not process them except on instructions from the Controller, unless he or she is required to do so by applicable EU or Member State law.
    • The minimum organisational and technical security measures that Processor implements and ensures compliance with are listed in Annex No. 3 of this Agreement.

  5. SUB-PROCESSORS
    • Controller provides a general written authorisation to Processor to engage sub-processors. The current list of sub-processors is included in Annex No. 2 of this Agreement. Processor informs Controller of intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes. Processor and Controller will cooperate in order to resolve any objections.
    • For the avoidance of doubt, certain sub-processors are involved only upon active request of the User (e.g., upon choosing to receive recommendations for improvement from AI). Additionally, the Attention Insight Platform allows Users to connect their ongoing work through plugins for tools such as Photoshop, Figma and others. Processor does not consider the providers of such plugins to be sub-processors. For the data processing performed by these service providers, please see their respective privacy policies and other data protection documentation.
    • Processor may engage only those sub-processors who provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject.
    • Where Processor engages a sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on the sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Regulation.
    • Where a sub-processor fails to fulfil its data protection obligations, Processor shall remain fully liable to Controller for the performance of that sub-processor’s obligations.

  6. DATA TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA
    • Where the processing of personal data involves a transfer from Processor to a Controller established in a third country outside the European Economic Area that is not recognised by the European Commission as providing an adequate level of protection for personal data, the Parties hereby agree that such transfer shall be governed by the Standard Contractual Clauses set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021, applying Module Four (Processor to Controller). The Parties agree that:
      • Annex No. 1 of this Agreement shall serve as Annex I to the Standard Contractual Clauses, containing the description of the transfer. The Processor acts as a data exporter, and the Controller acts as a data importer;
      • Annex No. 2 of this Agreement defines transfers to sub-processors as required in Annex I to the Standard Contractual Clauses;
      • The State Data Protection Inspectorate of the Republic of Lithuania shall act as the competent supervisory authority under Annex I.C (Competent Supervisory Authority) to the Standard Contractual Clauses;
      • Annex No. 3 of this Agreement shall serve as Annex II to the Standard Contractual Clauses, outlining the technical and organizational measures implemented by the Processor;
      • Clause 17 (Governing law) of the Standard Contractual Clauses shall be governed by the laws of Lithuania;
      • Clause 18 (Choice of forum and jurisdiction) shall be the courts of Lithuania;
      • Where the Standard Contractual Clauses offer optional provisions or choices, the Parties agree to apply only those which are mandatory or necessary for compliance with applicable data protection laws; non-mandatory clauses and provisions not required for the specific transfer context shall not apply.

  7. PROCESSOR’S ASSISTANCE TO CONTROLLER
    • Processor assists Controller in fulfilling its legal obligations under the Regulation and other applicable legislation.
    • Processor shall, together with Controller, cooperate with data protection supervisory authority.
    • Processor, taking into account the nature of processing and the information available, assists Controller by employing appropriate technical and organisational measures to the extent possible to fulfil the obligation of Controller to respond to requests of data subjects to exercise their rights under the Regulation (right of access, right to rectification, right to erasure, right to restriction of processing, right to object, right to data portability, where applicable).
    • In case of a personal data breach, Processor notifies Controller without undue delay after becoming aware of it. Processor, to the commercially reasonable extent, assists Controller in notifying the supervisory authority and data subjects.
    • Processor provides Controller with the necessary assistance in conducting data protection impact assessments of data processing operations. When Controller carries out prior consultation with the supervisory authority, Processor provides the information required for that consultation.
    • Processor provides Controller with information necessary to demonstrate that the obligations laid down in this Agreement, the Regulation and other legal acts are being complied with.

  8. RIGHTS OF THE CONTROLLER AND AUDIT
    • Controller may, at its own expense, conduct an audit of Processor’s compliance with this Agreement no more than once per calendar year, unless required by a competent supervisory authority or applicable law. Any audit must be conducted with at least 30 calendar days written notice, during Processor’s normal business hours, and in a manner that minimizes disruption to its operations. Processor may require Controller (or its appointed auditor) to sign a confidentiality agreement before granting access to relevant information. Any findings shall be shared with Processor, and both Parties shall work in good faith to address any identified compliance issues.

  9. CONSEQUENCES OF THE END OF THIS AGREEMENT
    • The provisions of this Agreement apply as long as Processor processes personal data on behalf of Controller and until all the requirements of this Agreement are fulfilled.
    • In case of termination of this Agreement, Processor’s obligations to implement appropriate level of security of the personal data may only terminate after the data is returned to Controller (or other person assigned by Controller), or deleted.
    • At the choice of Controller, Processor deletes or returns all the personal data to Controller (or other person assigned by Controller) after the end of the provision of services relating to processing, and shall delete existing copies unless EU or Member State law requires storage of the personal data.

  10. APPLICABLE LAW AND DISPUTE RESOLUTION
    • This Agreement shall be governed and interpreted in accordance with the laws of the Republic of Lithuania.
    • The Parties agree that the courts of the Republic of Lithuania shall have exclusive jurisdiction to resolve any disputes arising out of this Agreement.

  11. MISCELLANEOUS PROVISIONS
    • Nothing in this Agreement shall in any way reduce the obligations directly applicable to Processor or Controller under the Regulation and the applicable law.
    • Processor’s liability under this Agreement is subject to any limitations of liability provided for in the Terms of Use or in other agreements between the Parties.
    • This Agreement may be amended, supplemented or terminated only in writing.

ANNEX NO. 1

DATA PROCESSING DESCRIPTION

Subject Matter

Provision of services as described in Terms of Use.

Nature of Processing

Processing activities may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Other details of the functions performed by Processor are described in the Terms of Use.

Purpose of Processing

The purpose of the data processing is to provide Controller with Attention Insight Predictive Eyetracking (a service predicting what will draw attention in images and videos), the Attention Insight Platform (a service allowing Users to store, organize, share, and receive content from multiple sources), and the additional features and functionalities described in the Terms of Use.

Categories of Personal data

  • Content Data: images, videos, and other media uploaded to the Attention Insight Platform for predictive eyetracking analysis and content management, content type (landing, e-commerce, news and media, others), analysis title, project data, analysis type;
  • Analytical Data: attention heatmaps, focus maps, contrast maps, clarity score, focus score, percentage of attention, hotspots and similar insights generated through the predictive eyetracking analysis;
  • Technical and Usage Data: data automatically collected during service usage as necessary for the provision of services under the Terms of Use, including IP addresses, device identifiers, browser type, operating system, and interaction logs with the platform;
  • Third-Party Integration Data: data exchanged with external platforms when Users connect third-party services to the Attention Insight Platform, e.g., AI-generated suggestions for content improvement;
  • Other Data that may be necessary for the provision of services under the Terms of Use.

No special categories of personal data (“sensitive data”) are intended to be processed under this Agreement.

Categories of Data Subjects

Users; individuals whose images, videos, or other content are analyzed using the predictive eyetracking service, where such content includes identifiable personal data.

Duration of Processing

Data is retained for as long as the User account is active.

Users may set a retention period for images, videos and related analysis data stored in Processor’s system; once the period set for a data unit expires, that data unit is automatically removed. The available options are: do not delete, 1 day, 1 week, 1 month, 3 months, 6 months, 12 months.

Frequency of the Transfer

Where a transfer as defined in Section 6 of the Agreement takes place, it may occur on a one-off or on a continuous basis, depending on Controller’s use of Processor’s services.



ANNEX NO. 2

LIST OF SUB-PROCESSORS

Processor uses the following sub-processors (company, address, purpose, and transfers outside the European Economic Area):

Google Cloud EMEA Limited
  Address: Velasco, Clanwilliam Place, Dublin 2, Ireland
  Purpose: Cloud, identity, corporate email, office suite and website traffic analysis provider
  Transfers outside the EEA: N/A

Slack Technologies Limited
  Address: 4th Floor, One Park Place, Hatch Street Upper, Dublin 2, Ireland
  Purpose: Internal communication tool; notifications related to customer activity
  Transfers outside the EEA: N/A

Sentry.io
  Address: 45 Fremont Street, 8th Floor, San Francisco, CA 94105-2250, USA
  Purpose: Web application error collection
  Transfers outside the EEA: Transfers are performed on the basis of the European Commission adequacy decision regarding the EU-U.S. Data Privacy Framework.

Intercom R&D Unlimited Company
  Address: 18-21 St. Stephen’s Green, Dublin 2, Ireland
  Purpose: Customer support chat, communication via email, and knowledge base
  Transfers outside the EEA: N/A

Cloudflare, Inc.
  Address: 101 Townsend St., San Francisco, California 94107, United States
  Purpose: Content Delivery Network (CDN) and Web Application Firewall services provider
  Transfers outside the EEA: Transfers are performed on the basis of the European Commission adequacy decision regarding the EU-U.S. Data Privacy Framework.

OpenAI Ireland Ltd
  Address: 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland
  Purpose: Image visual analysis
  Transfers outside the EEA: N/A

Hotjar Limited
  Address: Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville, St Julian’s STJ 3141, Malta
  Purpose: Web screen recording
  Transfers outside the EEA: N/A

UserPilot
  Address: 17350 State Hwy 249, Ste 220 #20190, Houston, TX 77064, USA
  Purpose: User onboarding in the platform
  Transfers outside the EEA: Transfers are performed on the basis of the European Commission adequacy decision regarding the EU-U.S. Data Privacy Framework.

MessageBird B.V.
  Address: Postbus 14674, 1001 LD Amsterdam, the Netherlands
  Purpose: Web application notifications
  Transfers outside the EEA: N/A

Sinch Sweden AB
  Address: Sinch Sweden AB, Legal Dept., Lindhagensgatan 112, 112 51 Stockholm, Sweden
  Purpose: Mailgun: sending email notifications
  Transfers outside the EEA: N/A



ANNEX NO. 3

ORGANISATIONAL AND TECHNICAL SECURITY MEASURES

  1. ORGANISATIONAL CONTROLS
    • Personal data security policy. The security of personal data and their processing within the organisation is documented as part of the information security policy, which includes control measures over the confidentiality, integrity and availability of personal data. The personal data security policy shall comply with legal, statutory, regulatory and contractual requirements and shall be reviewed and, where necessary, updated at least once a year.
    • Roles and responsibilities. Roles and responsibilities related to the processing of personal data are clearly defined and allocated in accordance with the personal data security policy. The revocation of staff rights and responsibilities shall be clearly defined through appropriate procedures for the transfer or delegation of roles and responsibilities (internal organisation restructuring or redundancy, change of functions).
    • Access management and rights. The general requirements for access management (procedures for granting/amending/revoking access rights) are documented as part of the personal data security policy. Specific access control rights are assigned to each role in relation to the processing of personal data, based on the principles of “need to know” and/or “need to use”.
    • Resource and asset management. The organisation maintains a register of the resources used to process personal data. The register shall include at least the following information: type of IT resource (e.g. server, computer workstation, virtual machine), location (physical or electronic), and external service providers (if used). Management of the resource register is assigned to a specific person. The register shall be regularly reviewed and updated.
    • Data processors. Formal guidelines and procedures for data processors engaged by the organisation (e.g. contractors or outsourcers, i.e. Processor’s sub-processors) shall be defined, documented and agreed prior to the processing of personal data. These guidelines and procedures shall require at least the same level of personal data security as provided for in the organisation’s security policy. The data processor must notify the organisation immediately (preferably within 24 hours) of any personal data breach it identifies; the notification must contain a defined minimum set of information, and a contact person for personal data security issues must be named. The organisation must obtain documentary evidence from the data processor of compliance with the personal data security requirements and obligations.
    • Personal data breaches and security incidents. A security incident response plan, roles and responsibilities, and a contact person are in place to ensure prompt and effective management of incidents involving the security of personal data. The security incident response plan is communicated to the whole organisation. Personal data breaches shall be recorded/documented. They must be reported immediately to the management. Procedures are in place for the notification of personal data breaches to competent authorities and data subjects in accordance with Articles 33 and 34 of the Regulation. The knowledge gained from personal data breaches is used to strengthen and improve personal data security controls.
    • Business continuity. The organisation shall establish basic procedures to be followed in the event of a security incident or personal data breach in order to ensure the necessary continuity and availability of the processing of personal data through IT systems.
    • Transfer of personal data. The organisation shall have in place and apply procedures and measures for the transfer of personal data.

  2. PEOPLE CONTROL MEASURES

    • Employment Relations. The employment contract or other document clearly sets out the roles and responsibilities and obligations relating to the organisation’s personal data security policy. There are clear responsibilities and obligations at the end of the employment relationship (e.g. confidentiality; return/destruction of personal data).
    • Staff development. Staff in the organisation understand their responsibilities, the basic procedures for the security of personal data and the basic controls to ensure the security of personal data. The organisation shall ensure that all staff are adequately informed of the security requirements of IT systems relevant to their daily work. Employees involved in the processing of personal data shall be trained on the relevant data security requirements and responsibilities through regular training, awareness-raising events or briefings. The suggested frequency of training is once a year. The organisation shall ensure that staff understand the consequences of a breach of the personal data security policy and the organisation’s disciplinary process in order to ensure that they do not breach the personal data security policy and the subject-specific policies and procedures related to the security of personal data.
    • Staff confidentiality. Roles and responsibilities shall be clearly outlined to the staff member prior to the commencement of their assigned roles and tasks.
    • Remote working. The organisation shall ensure that the organisation’s personal data security policy is adhered to and implemented at the remote working location.
    • Response to information security incidents. Staff are made aware of their responsibility to report information security incidents immediately. Staff shall be aware of the procedure for reporting information security incidents and the contact person to whom the incident should be reported.

 

  3. PHYSICAL CONTROLS

    • Physical security. It shall be ensured that personal data processed within the organisation can only be physically accessed in a manner determined and permitted by the organisation. The physical security policy is documented as part of the personal data security policy. Physical protection against unauthorised access to the environment and premises where the IT systems infrastructure is located is implemented. It is also ensured that no network devices or unused network cables are left freely accessible.
    • Clean “desk”, “screen” policy. The organisation shall have a clean “desk”, “screen” policy. End devices are secured (e.g. by passwords, PINs, biometrics or other security measures). No personal data is left freely accessible and visible in the workplace.
    • Data destruction and disposal. Before any data medium is decommissioned or disposed of, all data contained on it shall be securely erased using dedicated software that implements robust data destruction algorithms. If this is not possible (e.g. DVDs), the medium shall be physically destroyed so that the data cannot be recovered. Paper and portable data media (e.g. DVDs) on which personal data have been stored shall be destroyed by means of dedicated shredders or other mechanical means.

  4. TECHNOLOGICAL CONTROLS

    • Access control and authentication. An access control system is in place and applies to all users of the IT system. The access control system allows the creation, validation, review and deletion of user accounts. The use of shared user accounts is avoided. Where a shared user account is necessary, it is ensured that all users of the shared account have the same rights and obligations. An authentication mechanism is in place to control access to the IT system (based on the access control policy). The minimum requirement for a user to access the IT system is a user login and password. Passwords shall meet a defined level of complexity, and the access control system shall be able to detect and reject passwords that do not meet it. User passwords shall be stored only in hashed form, never in plaintext.
    • User end devices (computer workstations). Users must not be able to disable or bypass the security settings of IT systems. Antivirus software is installed, and its signature databases are updated at least once a day; more frequent updates are recommended depending on the threat level and system security requirements, to ensure effective protection against the latest viruses and malware. Users must not have the privileges needed to install, remove or administer software without authorisation. Critical operating system security updates must be installed promptly after they are released.
    • Mobile, portable devices. Procedures for the administration of mobile, portable devices are established and documented, clearly describing the appropriate use of such devices, including personal devices, if the organisation permits their use (BYOD – Bring Your Own Device). Mobile and portable devices to be used to work with information systems shall be registered and authorised before use. Mobile and portable devices shall have a sufficient level of access control procedures in line with other equipment used to process personal data. The management roles and responsibilities for mobile, portable devices are clearly defined. The organisation has the ability to remotely erase personal data on mobile, portable devices whose security has been compromised (e.g. security breaches, loss of reliability). Mobile, portable devices are separated between private and organisational data using secure software containers or different accounts. Mobile, portable devices not in use are physically protected against theft. Two-factor authentication shall be used for access to mobile, portable devices. Personal data stored on the mobile device is encrypted.
    • Security of servers and databases. Database and application servers shall be configured to run under separate accounts with the lowest operating system privileges required. Databases and application servers shall only process the personal data necessary for the work the processing is intended for.
    • Technical logs and monitoring. Technical log records shall be kept for each IT system used to process personal data. The logs shall record accesses to personal data in as much detail as possible (e.g. date, time, and whether the access was a read, modification or deletion). The recommended retention period is at least 6 months. Technical logs shall be time-stamped and protected against damage, falsification and unauthorised access. The clocks of the IT systems shall be synchronised to a common time reference source.
    • Network and communication security. When the IT systems used are accessed via the Internet, an encrypted communication channel based on cryptographic protocols (e.g. TLS) must be used.
    • Backups. Backup and data recovery procedures shall be defined, documented and clearly linked to roles and responsibilities. Backup media shall be given a level of physical security appropriate to the environment, the premises and the data being stored. The backup process is monitored to ensure completeness. Full backups of data are made regularly. The recommended backup frequency is: daily incremental backups and weekly full backups.
    • Change management. The organisation shall ensure that all material changes to IT systems are tracked and logged by a specific person (e.g. IT or security officer).
    • Software security. The software used in the information systems for the processing of personal data shall comply with software security best practices and with secure software development practices, frameworks and standards (e.g. Agile, OWASP). Specific security requirements arising from the organisation’s operational characteristics are defined in the initial stages of software development. Programming standards and best practices for data security are followed. After software development, testing and verification, the basic security requirements are met at the start of system installation and operation.
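The access control item above requires that passwords meet a complexity level the system can detect and enforce, and that they are stored only in hashed form, but it does not say how either is done. The following is an added example written for this page; it is not Processor’s own code, and the policy thresholds (12 characters, three of four character classes), the choice of PBKDF2-HMAC-SHA256 and the 600,000-iteration work factor are assumptions chosen to illustrate what a reviewer checks behind the words “hashed form”: a random per-user salt, a deliberately slow key derivation rather than a plain SHA-256 of the password, constant-time comparison on verification, and a way to detect records hashed with an outdated work factor so they can be upgraded at the next successful login.

```python
import hashlib
import hmac
import os
import re

# Illustrative policy parameters: assumptions for this example, not values
# taken from the Agreement.
MIN_LENGTH = 12
MIN_CLASSES = 3                 # out of: lower, upper, digit, symbol
PBKDF2_ITERATIONS = 600_000     # current PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_meets_policy(password: str) -> bool:
    """The 'detect and deny' check: reject passwords that are too short or
    draw on fewer than MIN_CLASSES character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = sum(1 for p in _CLASS_PATTERNS if re.search(p, password))
    return classes >= MIN_CLASSES


def hash_password(password: str) -> str:
    """Produce the stored record '<algo>$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one
    precomputed lookup."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the complexity policy")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def _parse_record(stored: str):
    """Split a stored record; return None for anything malformed or not ours,
    so an unexpected format fails closed instead of raising inside login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the record's own salt and iteration count and compare in
    constant time, so response timing does not reveal how many bytes matched."""
    parsed = _parse_record(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record predates the current work factor (or is not a
    recognised record at all). Call this after verify_password() succeeds and,
    if it returns True, store hash_password(candidate) in place of the record."""
    parsed = _parse_record(stored)
    return parsed is None or parsed[0] < PBKDF2_ITERATIONS


if __name__ == "__main__":
    record = hash_password("Correct-Horse-Battery-42")
    print(record)
    print("login ok:", verify_password(record, "Correct-Horse-Battery-42"))
    print("needs rehash:", needs_rehash(record))
```

The iteration count lives inside each record rather than only in the code so that raising the work factor later does not invalidate existing logins; `needs_rehash` is what turns that into a gradual migration. Because the policy check runs before hashing, a password that the access control system must deny never reaches storage at all.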