Data Processing Agreement

1. Definitions

• "Controller" means the customer that determines the purposes and means of processing Personal Data.
• "Processor" means AI-DigitalTransform Ltd, which processes Personal Data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
• "Data Protection Laws" means all applicable laws and regulations relating to the processing, privacy, and use of Personal Data, including the GDPR, UK GDPR, and any applicable national implementing legislation.
• "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of Personal Data to third countries, as applicable.

2. Data Controller

The Controller determines the categories of Personal Data to be processed, the purposes of processing, the data subjects whose data is processed, and the instructions given to the Processor. The Controller represents and warrants that it has a lawful basis for processing Personal Data under applicable Data Protection Laws and is entitled to instruct the Processor as set out in this DPA.

The Controller's contact for data protection matters is the individual or team designated by the Controller as its data protection contact in the Service account settings.

3. Data Processor Obligations

As Processor, AI-DigitalTransform agrees to:

• Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.
• Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 7 of this DPA.
• Assist the Controller in meeting its obligations regarding data subject rights requests (access, rectification, erasure, restriction, portability, objection) within 5 business days of receiving a request.
• Notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach affecting the Controller's data.
• Delete or return all Personal Data to the Controller at the end of the service relationship, at the Controller's choice, and delete existing copies unless storage is required by applicable law.
• Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.

4. Sub-processors

The Controller authorizes AI-DigitalTransform to engage sub-processors to assist in the delivery of the Service. AI-DigitalTransform maintains an up-to-date list of sub-processors at autoaimagix.com/legal/sub-processors.

Current authorized sub-processors include:

• Amazon Web Services (AWS): cloud infrastructure and data storage (EU regions).
• Stripe: payment processing (does not process assessment content).
• Postmark: transactional email delivery.
• OpenAI: AI inference for generating assessment insights (data is processed per OpenAI's enterprise data processing terms; no data is used to train OpenAI models).
• Sentry: error monitoring and performance diagnostics (anonymised and sampled).

AI-DigitalTransform will notify the Controller of any intended changes to sub-processors (additions or replacements) with at least 14 days' notice. The Controller may object to such changes in writing within that period; failure to object constitutes acceptance.

AI-DigitalTransform shall impose data protection terms on sub-processors that are at least as protective as those set out in this DPA, and shall remain liable to the Controller for the acts and omissions of sub-processors.

5. International Data Transfers

AI-DigitalTransform stores all Controller Personal Data within the European Economic Area (EEA) by default. Where Personal Data is transferred to sub-processors outside the EEA (for example, for AI inference), such transfers are subject to appropriate safeguards, including:

• European Commission Standard Contractual Clauses (Module 2: Controller to Processor, or Module 3: Processor to Processor, as applicable).
• An adequacy decision by the European Commission in respect of the recipient country.

Enterprise customers may request a signed copy of the applicable SCCs by emailing privacy@autoaimagix.com.

6. Data Retention

AI-DigitalTransform retains Personal Data for the duration of the Controller's active subscription. Upon termination or expiry of the subscription:

• A 30-day data export window is provided, during which the Controller may download all Customer Data in JSON or CSV format.
• Following the export window, all Personal Data in Customer Data is deleted from production systems within 30 days.
• Anonymised and aggregated data derived from Customer Data (which cannot be used to identify the Controller or its data subjects) may be retained for platform improvement purposes.
• Backup copies are purged within 90 days of deletion from production systems.
• AI-DigitalTransform may retain Personal Data for longer periods if required by applicable law (for example, financial records).

7. Security Measures

AI-DigitalTransform implements the following technical and organizational security measures to protect Personal Data:

• Encryption: AES-256 encryption at rest for all stored data; TLS 1.3 for all data in transit.
• Access control: role-based access control (RBAC), principle of least privilege, and mandatory multi-factor authentication for all internal system access.
• Network security: VPC isolation, Web Application Firewall (WAF), DDoS mitigation, and intrusion detection systems.
• Vulnerability management: regular third-party penetration testing (at least annually), automated dependency scanning, and a responsible disclosure programme.
• Incident response: documented incident response plan with defined roles, escalation procedures, and post-incident review processes.
• Employee controls: background checks for personnel with access to production systems; mandatory annual security awareness training.
• Compliance: SOC 2 Type II compliance programme with annual audits. Audit reports available to Enterprise customers under NDA.

8. Contact

For questions regarding this DPA or to exercise rights under applicable Data Protection Laws, contact: