Data Processing Agreement

GDPR-compliant data processing terms for enterprise customers

Last Updated: January 10, 2025 | Version 2.1

Data Processing Agreement Overview

This Data Processing Agreement ("DPA") supplements our Terms of Service and governs the processing of personal data by Adaapt.AI on behalf of enterprise customers in accordance with GDPR, CCPA, and other applicable privacy laws.

Compliance Framework

GDPR Compliant

Full compliance with EU General Data Protection Regulation

CCPA Ready

California Consumer Privacy Act compliance

HIPAA Available

Healthcare data protection via Business Associate Agreement

SOC 2 Type II

Audited security and availability controls

1. Definitions

1.1 Key Terms

  • "Controller": The entity (Customer) that determines the purposes and means of processing personal data
  • "Processor": Adaapt.AI, which processes personal data on behalf of the Controller
  • "Personal Data": Any information relating to an identified or identifiable natural person
  • "Processing": Any operation performed on personal data, including collection, storage, use, disclosure
  • "Sub-processor": Third-party processors engaged by Adaapt.AI to assist in providing services
  • "Data Subject": The individual whose personal data is being processed
  • "Supervisory Authority": Relevant data protection authority in applicable jurisdiction

1.2 Applicable Laws

This DPA applies to processing activities subject to:

  • EU General Data Protection Regulation (GDPR)
  • UK Data Protection Act 2018
  • California Consumer Privacy Act (CCPA)
  • Other applicable regional privacy laws

2. Roles and Responsibilities

2.1 Controller Responsibilities (Customer)

As Data Controller, you are responsible for:

  • Determining the lawful basis for processing
  • Ensuring data subjects' consent where required
  • Providing privacy notices to data subjects
  • Ensuring data accuracy and minimization
  • Handling data subject rights requests
  • Conducting Data Protection Impact Assessments (DPIAs)
  • Notifying supervisory authorities of breaches

2.2 Processor Responsibilities (Adaapt.AI)

As Data Processor, Adaapt.AI will:

  • Process personal data only on documented instructions from the Controller
  • Ensure confidentiality of personal data
  • Implement appropriate technical and organizational measures
  • Assist with data subject rights requests
  • Assist with data protection impact assessments
  • Notify Controller of personal data breaches
  • Delete or return personal data upon termination
  • Maintain records of processing activities

3. Data Processing Details

3.1 Nature and Purpose of Processing

  • AI Analytics: Data analysis, pattern recognition, predictive modeling
  • Workflow Automation: Process optimization, task automation, decision support
  • Integration Services: Data synchronization, system connectivity, API processing
  • Platform Services: User authentication, session management, system administration

3.2 Categories of Data Subjects

  • Employees and personnel of the Controller
  • Customers and clients of the Controller
  • Suppliers and business partners
  • Website visitors and platform users

3.3 Types of Personal Data

  • Identity Data: Names, job titles, employee IDs
  • Contact Data: Email addresses, phone numbers, addresses
  • Professional Data: Employment information, business relationships
  • Technical Data: IP addresses, device identifiers, usage logs
  • Financial Data: Transaction information, billing data (where applicable)

3.4 Sensitive Data

4. Technical and Organizational Measures

4.1 Security Measures

  • Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
  • Access Controls: Role-based access, multi-factor authentication, principle of least privilege
  • Network Security: Firewalls, intrusion detection, VPN access for remote operations
  • Infrastructure: Data centers covered by SOC 2 Type II attestation reports, redundant systems

4.2 Organizational Measures

  • Staff Training: Regular privacy and security training for all personnel
  • Background Checks: Security screening for employees with data access
  • Confidentiality: Binding confidentiality agreements for all staff
  • Incident Response: 24/7 monitoring and incident response procedures

4.3 Data Location and Transfers

  • Primary Locations: EU and US data centers (transfers outside the EU/UK are covered by the transfer mechanisms below and in Section 10)
  • Transfer Mechanisms: Standard Contractual Clauses (SCCs) for international transfers
  • Data Residency: Customer choice of data processing location where available
  • Backup Locations: Encrypted backups in geographically distributed centers

5. Sub-processors

5.1 Authorized Sub-processors

Adaapt.AI may engage the following categories of sub-processors:

  • Cloud Infrastructure: AWS, Microsoft Azure, Google Cloud Platform
  • Analytics Services: Performance monitoring and analytics providers
  • Support Tools: Customer support and communication platforms
  • Security Services: Cybersecurity and threat detection providers

5.2 Sub-processor Requirements

All sub-processors must:

  • Enter into data processing agreements with equivalent protections
  • Implement appropriate technical and organizational measures
  • Comply with applicable data protection laws
  • Provide evidence of compliance upon request

5.3 Sub-processor Changes

We will provide 30 days' notice of new sub-processors. Customers may object to new sub-processors with legitimate reasons related to data protection compliance.

6. Data Subject Rights

6.1 Rights Support

Adaapt.AI will assist the Controller in responding to data subject rights requests, including:

  • Access: Providing copies of personal data
  • Rectification: Correcting inaccurate personal data
  • Erasure: Deleting personal data upon valid request
  • Portability: Providing data in machine-readable format
  • Restriction: Limiting processing of personal data
  • Objection: Ceasing processing based on legitimate interests (or for direct marketing) when the data subject objects

6.2 Response Procedures

  • Controller forwards data subject requests to Adaapt.AI within 5 business days
  • Adaapt.AI provides requested information within 15 business days
  • Technical assistance provided for complex requests
  • All responses documented for audit purposes

7. Data Breaches

7.1 Breach Notification

7.2 Breach Information

Breach notifications will include:

  • Nature of the breach and data involved
  • Categories and approximate number of affected data subjects
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Recommendations for Controller actions

7.3 Remediation

Upon breach detection, we will:

  • Immediately contain and investigate the incident
  • Implement measures to prevent recurrence
  • Coordinate with law enforcement if required
  • Provide ongoing support for regulatory notifications

8. Data Retention and Deletion

8.1 Retention Periods

  • Active Processing: Duration of service agreement
  • Post-Termination: 30 days retention period (unless otherwise specified)
  • Backup Systems: Up to 90 days in encrypted backup systems
  • Legal Holds: Extended retention for legal or regulatory requirements

8.2 Secure Deletion

Data deletion procedures include:

  • Cryptographic erasure through key destruction
  • Physical destruction of storage media when appropriate
  • Certification of deletion provided upon request
  • Verification of deletion from backup systems

8.3 Data Return

Upon termination, we can provide data in commonly used formats including JSON, CSV, or XML, as specified in the service agreement.

9. Audits and Compliance

9.1 Audit Rights

Controllers may audit Adaapt.AI's compliance through:

  • Documentation Review: Access to relevant compliance documentation
  • Third-party Audits: SOC 2 Type II and ISO 27001 audit reports
  • Questionnaires: Standardized security and privacy questionnaires
  • On-site Audits: Physical audits with reasonable notice (for enterprise customers)

9.2 Compliance Documentation

Available compliance documentation includes:

  • SOC 2 Type II audit reports (annual)
  • ISO 27001 certification
  • Penetration testing reports (summary)
  • Data processing records
  • Security incident reports (where relevant)

10. International Transfers

10.1 Transfer Mechanisms

International data transfers are protected through:

  • Adequacy Decisions: Transfers to countries the European Commission has recognised as providing an adequate level of protection
  • Standard Contractual Clauses: EU Commission approved SCCs
  • Binding Corporate Rules: Supervisory-authority-approved internal rules governing intra-group transfers
  • Certification Schemes: Recognized privacy certification programs

10.2 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) to ensure adequate protection levels in destination countries, considering:

  • Local laws and government access rights
  • Additional technical and contractual safeguards
  • Practical experience with law enforcement requests
  • Availability of legal remedies for data subjects

Data Protection Office

For questions about this DPA or data processing matters:

Data Protection Officer

Email: dpo@adaapt.ai

Response Time: Within 48 hours

Legal Department

Email: legal@adaapt.ai

For contract amendments

This DPA is automatically incorporated into your service agreement upon execution.