Agaton - Policies

---

Data Security Policy

Last Update: 2025/01/23

Table of Contents

1. Introduction
2. Purpose
3. Scope
4. Policy Requirements
   • 4.1 Data Retention Principles
   • 4.2 Policy Requirements
   • 4.3 AI-Specific Data Processing
   • 4.4 Data Usage Consent
   • 4.5 Third-Party Services
   • 4.6 International Data Transfers
5. Data Subject Rights
6. Reporting Requirements
7. Responsibilities
   • 7.1 Data Protection Officer
   • 7.2 Engineering Team
   • 7.3 All Employees & Contractors
8. Enforcement
9. Changes to this Policy

1. Introduction

At Agaton Technologies AB (“Agaton,” “we,” “us,” “our”), we are committed to safeguarding the security and confidentiality of all user data gathered and processed through our proprietary systems. This Data Security Policy outlines our approach to protecting users’ personal information and the measures we take to uphold data privacy. It applies to all employees, contractors, and third parties who handle or have access to data within our systems.

This policy is designed to comply with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR) and the EU AI Act. It addresses growing concerns around user privacy and data protection in an increasingly digital world, aiming to maintain customer trust by demonstrating our commitment to data security and privacy.

2. Purpose

The purpose of this policy is to establish guidelines and procedures for securely handling, storing, and transmitting personal data in accordance with GDPR and the EU AI Act. This policy aims to minimize unauthorized access, use, disclosure, alteration, or destruction of personal data and promote a culture of data privacy and security. As both a data controller and processor, we have obligations to implement appropriate technical and organizational measures to ensure data confidentiality, integrity, and availability.

3. Scope

This policy applies to all personal data collected and processed by Agaton, including:

• User account information: Names, email addresses, usernames, passwords, etc.
• Audio recordings and analysis data: Spoken English recordings, feedback, and other data associated with a user’s learning progress.
• Communications data: Support tickets, correspondence, and other interactions between users and Agaton’s platform.
• System and technical data: IP addresses, device information, and logs collected for monitoring and troubleshooting.

In accordance with GDPR requirements, Agaton will only collect and process personal data that is adequate, relevant, and limited to what is necessary for the purposes of providing our service to users.

4. Policy Requirements

4.1 Data Retention Principles

Agaton adheres to core data protection principles in our handling of personal data. We follow the principles of data minimization by collecting and processing only the minimum amount of personal information required to provide our English learning service to users and operate our business.

We strive to keep personal data accurate and up to date. Individuals can request corrections to inaccurate data. We protect the integrity and confidentiality of personal data through a combination of technical and organizational security controls.

4.2 Policy Requirements

To uphold our data protection principles, we enforce several key requirements:

• Regular reviews of access controls and security policies at least every 6 months.
• Mandatory data privacy and security training for all employees and contractors.
• Encryption of sensitive data both in transit and at rest.
• Strict access control based on the principle of least privilege.

4.3 AI-Specific Data Processing

Agaton uses AI systems to enhance our English learning services. Our AI-related data processing adheres to: a) GDPR requirements b) EU AI Act requirements c) Procedures detailed in our AI Policy

For complete information about AI system operations and governance, please refer to our AI Policy.

4.4 Data Usage Consent

Subscribers have the right to choose whether their anonymized and aggregated data may be used by Agaton for service improvement purposes. Subscribers can opt-in to this data usage and may withdraw their consent at any time by contacting support@agaton.ai. Opting out will not affect the quality of service provided.

4.5 Third-Party Services

Agaton may integrate with Non-Agaton Services at the Subscriber’s request. In such cases:

• Agaton is not responsible for the security or privacy practices of these third-party services.
• Subscribers should review the privacy policies of these services before integration.
• Agaton will only share necessary data with these services as directed by the Subscriber.

4.6 International Data Transfers

As a Sweden-based company serving international users, Agaton may transfer data across borders. We ensure that such transfers comply with GDPR requirements, including:

• Using Standard Contractual Clauses where necessary.
• Ensuring adequate levels of protection for personal data in recipient countries.
• Informing users about potential international transfers of their data.

5. Data Subject Rights

In accordance with GDPR, Agaton respects and facilitates the following rights for data subjects:

• Right to access their personal data
• Right to rectification of inaccurate data
• Right to erasure (“right to be forgotten”)
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making and profiling

To exercise these rights, users can contact our Data Protection Officer at dpo@agaton.ai.

6. Reporting Requirements

In the event of a data breach incident, employees, contractors, and third parties must report any actual or suspected data breaches to Agaton’s designated Data Protection Officer (DPO) immediately.

The DPO will evaluate the situation and, if necessary, notify the relevant supervisory authority within 72 hours of becoming aware of the incident. The DPO will also notify affected data subjects if the breach is likely to impact their personal data, again within 72 hours.

7. Responsibilities

7.1 Data Protection Officer

The DPO oversees the implementation of this policy across Agaton, monitors compliance with GDPR and other data privacy regulations, and serves as the point of contact for data subject rights requests.

7.2 Engineering Team

The Engineering team is responsible for the technical implementation of data privacy and security controls, including integrating privacy by design principles into all systems and products.

7.3 All Employees & Contractors

All employees and contractors must comply with this Data Security Policy, attend data privacy training, and report any data incidents or concerns immediately to the DPO.

8. Enforcement

Violations of this policy may result in disciplinary action, up to and including termination of employment or contractual agreements. Serious breaches may lead to legal action and reporting to regulatory authorities.

9. Changes to this Policy

Agaton may modify this Data Security Policy from time to time. Any changes will be posted at https://policies.agaton.ai, with the last updated date clearly indicated. For material changes, Agaton will notify Subscribers via email. Changes will become effective 30 days after posting. Subscribers may terminate their agreement without penalty upon written notice within 10 working days of the effective date of revised terms.

By continuing to use Agaton’s services after the effective date of any changes, users accept and agree to be bound by the modified policy.

For any questions or concerns about this policy, please contact our Data Protection Officer at dpo@agaton.ai.